
Alert on File/Folder Access


MilesAhead:
Unless you suspect the malware is going to masquerade as a system file I don't know how you would guess a filename that would lure out the malware.  If it is wholesale deleting stuff I guess both ends of the alphabet may be a good idea.  Otherwise the goat file may be at the end of the list.

I still think making use of VSS is a better approach.  The utility is free.  Where it would not work well is wholesale file creation scenarios.  In that case the system may hang.  But for generic user protection it seems as good as any.

Ath:
The only viable attack to be detected would be from network access to a file, when trying to modify/delete it, though I'm not sure if that would be identifiable as originating from a network-source. And then I'd expect any AV to detect that kind of attack. But maybe that's too optimistic :huh:

Nzyme:
Presumably if something sneaks onto your system it will run as the user who was active when it snuck on, or as SYSTEM.
--- End quote ---

identifying what USER the process is running under is not so important -- but identifying the PROCESS is.
-mouser (November 28, 2015, 08:15 AM)
--- End quote ---

I think identifying the user along with process, time, type of operation (read, write, open, etc.) is equally important. Think about it, you are browsing the internet or listening to music and you see an alert for file/folder access. You know that you are not the one trying to access it but would want to know who initiated it (system access which was genuine or a hacker who sneaked into the system logged in under your name). If you see that an access alert under your name is trying to access, you can take action on that immediately.

I think the program SpyShelter Firewall comes very close to what I need. For any type of access, it alerts me and I can either allow, reject or terminate the action, but I'm not sure whether, if someone sneaks into my PC, it will prompt me with an alert.

Stoic Joker:
Think about it, you are browsing the internet or listening to music and you see an alert for file/folder access.
-Nzyme (November 30, 2015, 08:38 AM)
--- End quote ---

Any halfway decently written malware isn't going to show its hand by touching the file system until after it's gotten control of the system. So the net effect of running something too obscure for it to know to kill/bypass is most likely just going to be a front row seat to a horror show.

This kind of security is for human-slow direct access attempts, which is what auditing object access is designed to handle. User and logon type (service/network/interactive) are both recorded in the audit log, so watch for failure events, see who's failing to access what, and respond accordingly. Because if something is set off in session with you - Computers being way faster than humans... - there is no way you will be able to react fast enough to anything other than be the first one on scene with a mop..
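
A sketch of the audit-log review described in the post above, added here as an example and not written by anyone in the thread: failed object-access events (4656) are joined to the logon event (4624) that opened the session, so each failure can be reported by user, logon type and object. The records, paths and the simplified `id`/`outcome` fields are constructed assumptions standing in for an exported Security log.

```python
from collections import Counter

# Logon types named in the post, with the numeric values event 4624 records.
LOGON_TYPES = {2: "interactive", 3: "network", 5: "service"}
PAYROLL = r"D:\Finance\payroll.xlsx"  # constructed path

# Constructed sample records shaped like exported Security-log events:
# 4624 = successful logon, 4656 = handle to an object requested.
# "id" and "outcome" are simplified stand-ins (assumptions) for the event ID
# and the Audit Failure / Audit Success keyword.
SAMPLE_EVENTS = [
    {"id": 4624, "TargetLogonId": "0x3e7a1", "LogonType": 2},
    {"id": 4624, "TargetLogonId": "0x51c20", "LogonType": 3},
    {"id": 4656, "outcome": "failure", "SubjectUserName": "alice",
     "SubjectLogonId": "0x51c20", "ObjectName": PAYROLL},
    {"id": 4656, "outcome": "failure", "SubjectUserName": "alice",
     "SubjectLogonId": "0x51c20", "ObjectName": PAYROLL},
    {"id": 4656, "outcome": "success", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1", "ObjectName": PAYROLL},
    {"id": 4656, "outcome": "failure", "SubjectUserName": "alice",
     "SubjectLogonId": "0x51c20", "ObjectName": PAYROLL},
    {"id": 4656, "outcome": "failure", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1", "ObjectName": r"D:\HR\reviews.docx"},
    {"id": 4656, "outcome": "failure", "SubjectUserName": "bob",
     "SubjectLogonId": "0x77777", "ObjectName": PAYROLL},  # logon not in window
]


def summarize_failures(events, threshold=3):
    """Count failed object accesses per (user, logon type, object).

    The logon type is not on the 4656 record itself, so it is looked up
    through the logon ID shared with the 4624 event for that session.
    """
    sessions = {e["TargetLogonId"]: e["LogonType"]
                for e in events if e["id"] == 4624}
    counts = Counter()
    for e in events:
        if e["id"] != 4656 or e["outcome"] != "failure":
            continue
        # A session that began before the exported window has no 4624 here.
        logon = LOGON_TYPES.get(sessions.get(e["SubjectLogonId"]), "unknown")
        counts[(e["SubjectUserName"], logon, e["ObjectName"])] += 1
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for (user, logon, obj), n in summarize_failures(SAMPLE_EVENTS):
        print(f"{n} failed attempts: {user} ({logon} logon) -> {obj}")
```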

MilesAhead:
Computers being way faster than humans... - there is no way you will be able to react fast enough to anything other than be the first one on scene with a mop..
-Stoic Joker (December 01, 2015, 06:41 AM)
--- End quote ---

Heh heh.  Like the "duck and cover" defense against nuclear attack.  Get in the doorway, grab your ankles etc..   :Thmbsup:
