
Alert on File/Folder Access


mouser:
and should not allow the action to complete.
--- End quote ---

this requirement may take this tool from easy to hard, and i'm not sure it's critical to the idea, at least from my standpoint.

my idea was that the monitored file is more like a canary in the mine -- detecting an attempt to access it is to help alert you that a rogue process may be scanning (modifying) your files, and that you should investigate the possibility of some kind of malware/ransomware.

actually preventing the test file from being modified has little value in this case.

identifying the PROCESS that tried to access the file would be important though..

MilesAhead:
This looks like it comes pretty close for the monitoring part.  Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.

NirSoft utilities are well done.  I would experiment with monitoring all of C: to find out if this will bog the system.  An alternative may be something like ToolWiz Time Freeze.  All writes to the system partition are redirected to a cache file using Shadow Copy Service of Windows.  When you reboot the changes are gone.  Of course this doesn't save you from tracking cookies as they exist until you reboot.  But it does stop them from continually accumulating.

mouser:
Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.
--- End quote ---

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.

MilesAhead:
Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.
--- End quote ---

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.
-mouser (November 28, 2015, 08:15 AM)
--- End quote ---

I'm not arguing that but I wonder if any process that gets around security is going to use high level api calls rather than some sector by sector sneaky techniques.  I would think if the monitor could log it security could stop it.  But av type things are not my forte. :)

I do know that large scale monitoring for file folder change using the apis will bog things badly.  Utilities that do it well probably roll their own techniques.

mouser:
The thing to remember is that stopping an application from accessing that one file is not going to help you much because all your other files are vulnerable.
The only thing that might help is if you somehow triggered some emergency protocol that locked down all files on the computer, but that seems especially hard to get right and avoid triggering on some harmless process.
That's why i'm thinking the best way to think of this is just as an early warning system -- unlikely to save you from much harm but perhaps able to give you a very early heads up that you've got a problem.

A possible compromise defensive mechanism might be a mode that when it sees a process trying to access the test file, immediately KILLS that process and puts it on a list of processes to be killed instantly if they restart.  The only danger there is false alarming on a legit process.
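The two ideas in this thread (a bait file as an early-warning canary, and attributing the access to a PROCESS so the tool can alert or kill-and-remember it, with an allowlist to avoid false alarms on legitimate software) can be sketched in a few dozen lines. The following is an added example written for this page, not code from anyone in the thread or from NirSoft. It assumes a hypothetical single-line access-audit format of its own (real sources would be Windows object-access auditing or an EDR log), and the sample log lines and canary path below are constructed; the "kill" branch only records the decision rather than terminating anything.

```python
"""Canary-file early-warning monitor: added example, not from the thread.

Part 1: detect that a bait file was modified (hash snapshot vs. current).
Part 2: read access-audit records, pick out the ones touching a canary,
        attribute them to a process image, and decide alert-only vs.
        kill-and-blocklist, skipping allowlisted images (false-alarm guard).
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass


def _norm(path):
    # Case/separator-insensitive comparison so C:\X\y and c:/x/y match.
    return path.replace("\\", "/").lower()


def _sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def snapshot(paths):
    """Baseline: sha256 of every canary file, taken while the system is clean."""
    return {p: _sha256_of(p) for p in paths}


def changed_canaries(paths, baseline):
    """Canaries whose content changed or which disappeared since the baseline."""
    return [p for p in paths
            if not os.path.exists(p) or _sha256_of(p) != baseline[p]]


@dataclass
class AccessEvent:
    path: str
    pid: int
    process: str
    access: str


# Hypothetical audit line format used only in this example (constructed):
# <timestamp> ACCESS object="<path>" pid=<n> process="<image path>" access=<kind>
_LINE = re.compile(r'ACCESS object="(?P<path>[^"]+)" pid=(?P<pid>\d+) '
                   r'process="(?P<proc>[^"]+)" access=(?P<acc>\S+)')


def parse_access_log(text):
    """Turn audit lines into AccessEvent records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            events.append(AccessEvent(m["path"], int(m["pid"]), m["proc"], m["acc"]))
    return events


def triage(events, canaries, allowlist, kill_mode=False):
    """Decide what to do about each access to a canary.

    allowlist: lowercase image names (e.g. an indexer) that may touch the bait
    without raising an alarm. Returns (alerts, blocklist); in kill_mode the
    offending image is added to the blocklist so a restart would be re-killed
    (this example records the decision and does not terminate anything).
    """
    canary_set = {_norm(c) for c in canaries}
    alerts, blocklist = [], set()
    for ev in events:
        if _norm(ev.path) not in canary_set:
            continue  # access to a non-canary file: not our concern here
        image = os.path.basename(ev.process.replace("\\", "/")).lower()
        if image in allowlist:
            alerts.append({"pid": ev.pid, "process": ev.process,
                           "action": "ignored-allowlisted"})
            continue
        action = "kill-and-blocklist" if kill_mode else "alert-only"
        if kill_mode:
            blocklist.add(image)
        alerts.append({"pid": ev.pid, "process": ev.process, "action": action})
    return alerts, blocklist


# Constructed sample: an unknown updater writes the canary and a real document,
# then the (allowlisted) search indexer merely reads the canary.
SAMPLE_LOG = r"""
2015-11-28 08:15:01 ACCESS object="C:\Users\me\Documents\_canary.docx" pid=4412 process="C:\Temp\updater.exe" access=WriteData
2015-11-28 08:15:02 ACCESS object="C:\Users\me\Documents\report.docx" pid=4412 process="C:\Temp\updater.exe" access=WriteData
2015-11-28 08:16:00 ACCESS object="C:\Users\me\Documents\_canary.docx" pid=900 process="C:\Windows\System32\SearchIndexer.exe" access=ReadData
"""
CANARIES = [r"C:\Users\me\Documents\_canary.docx"]


def demo_canary_change():
    """Create a temporary canary, baseline it, modify it, and report how many changed."""
    with tempfile.TemporaryDirectory() as d:
        canary = os.path.join(d, "_canary.txt")
        with open(canary, "wb") as f:
            f.write(b"bait content")
        base = snapshot([canary])
        with open(canary, "ab") as f:
            f.write(b"encrypted!")  # simulated tampering
        return len(changed_canaries([canary], base))


if __name__ == "__main__":
    print("canaries changed in demo:", demo_canary_change())
    alerts, blocked = triage(parse_access_log(SAMPLE_LOG), CANARIES,
                             allowlist={"searchindexer.exe"}, kill_mode=True)
    for a in alerts:
        print(a)
    print("blocklisted images:", blocked)
```

The allowlist is what keeps the kill mode from doing the harm MilesAhead and mouser worry about: a backup agent or indexer that legitimately reads everything is named once and ignored, while an unknown image that writes to the bait is attributed by pid and image path and remembered.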
