Decent Free Folder Directory Monitor

Discussion in 'other anti-malware software' started by EASTER.2010, Dec 28, 2006.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    I been years trying to find something as simple as a plain Folder Monitor (standalone) or other, where i might keep tabs on say Local Settings\TEMP and Windows\System32

    Monidir is lacking severely and old and outdated. FileChangeAlarm i had used but needed 2 running instances of it to be of any use even though it comes close to being worthy enough to alert to Folder/File changes with audible alarms (wav files) and a pop up.

    Does anyone know a freeware Directory Monitor floating the internet that at least covers a few areas of Folders & guarding file changes?

    I'm at a lost why some developer someplace hasn't experimented with devising such a program to help keep a watch when a dropper lands or some modification is created where you can at least review what's happening in those areas to investigate.

    Thnaks for any finds you like to share on this.
     
  2. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England
  3. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
  4. EASTER.2010

    EASTER.2010 Guest

    Thanks for some links to proggy's to check out.

    This one is nearly perfect if only it was developed some more but as-is worthy of recognition and dependable in monitoring.

    FILE.CHANGE.ALARM
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Easter,

    I'm curious, under what condititions you would expect a dropper to land? Judging from your security, I wouldn't think a dropper would have a chance of getting in!

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  6. EASTER.2010

    EASTER.2010 Guest

    You're quite right Rmus. Greets buddy.

    I don't expect a dropper of any sorts to bypass my HIPS but hypothetically speaking lets suppose a corruption of some sort affected the HIPS, well in my case there would be a few to bypass :D but what i'm really getting to in mentioning it is there are several writes consistently being made to files in System32 just by XP alone, such as Security System Restore and by following FileChangeAlarm witnessed Modem.txt being modified (updated) etc.
    As recently as maybe a year ago while web surfing for sound files a virus file downloader slipped right past AVG and if it had not been for Kerio 2.15 identifying it as trying to access an outbound connection, i would never known it landed in the C:\ section unannounced, ready to bring in all sorts of who knows what.
    There is an old program named FileMappbyBB that just recently in my own local testings reported a hidden rootkit file even though it went invisible immediately after landing in System32 folder. Another indication that something forcefully intruded there if only noticed for an instance.

    For a very long time i been highly suspicious of what is going on courtesy of Windows writing to various files and why, plus it's of interest to me personally to be instantly alerted to anything being modified or created in these XP Directories. Sure they can be easily detected AFTER they've had time to wreak some havoc, but time can be of the essence when something (file) such as .tmp,.exe,.dll,.ocx) etc. is entered there that has some malicious intent to disrupt your system.

    It still puzzles me today why a simple FOLDER/FILE alert program is been relatively ignored all these many years that could help suppliment any security program to alert & inform an end user what exactly is going on in those Directories and why.

    So hope this offers you a little better understanding behind my reasoning for concern over a simple Folder Monitor of some sort. Some will argue that's what HIPS are for and i agree with that to a point, but personally i feel much safer for my units when i can be alerted when files are being written to by XP or at worse, something is able to drop into Local Settings/TEMP as a .tmp or other association, or Windows, System32 to spread a germ(s) across the system.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Easter,

    What if it did? Wouldn't a reboot have ShadowUser clear everything?

    I don't understand how an executable could forcfully intrude with the HIPS stuff you have.

    With your SU, nothing written will stick on reboot, if I understand it correctly. Same here with Deep Freeze: Windows can write all it wants but the system reverts to previous state on reboot.

    Wouldn't any executable be blocked by your HIPS from entering? I don't understand your concern here...

    Isn't that why you have SU - to revert to previous state in case something does get by?

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  8. herbalist

    herbalist Guest

    You can make rules with SSM for specific folders that would cover executables, drivers, etc that are in that folder.
     
  9. EASTER.2010

    EASTER.2010 Guest

    I reverted back to Version 568 with SSM because for one thing they changed the registry section which appeared too confusing compared to the simplicity of the List of registry paths/keys/values in 568 & before.
    Also noted it was taxing the system heavier than i prefer. CyberHawk is done similarly after several earlier beta's which performed magnificiently only to stuff it full of extras that make it a bit too feature rich for my taste. Like others, i prefer simple and light but strong & formidable. Chances increase the likelihood of stability issues and clashes with other security apps the more the vendors pile into them. Seems that's the norm these days.

    The thing i do admire BEST about a standalone program like Filechangealarm is it is no poller, it instantly alerts to any entry or modification to any existing file along with a time stamp right down to the second of motion.

    Guess i'm old fashion when it comes to this but then on 98SE you were mostly always able to find just what you were looking for to suppliment popular security apps.
     
  10. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    What OS are you running on ?
     
  11. herbalist

    herbalist Guest

    I haven't seen any increase in system load with the newer versions of SSM, free version. It might behave differently on my old box. As for the registry module, for me it's a secondary defense layer. DOS batch files are my main registry protection, so I haven't done that much with the registry module.

    Most of the file and folder monitoring software I'm familiar with is either polling or on-demand. I run several of these.
    FileMap by BB at startup.
    Filechecker and MoniDir 2000 at regular intervals.
    NIS filecheck, Tiny Watcher, and Sentinel on demand.
    I've looked at several others, but they're pretty much more complicated versions of the same thing.

    As much as I'd like to have a real time file and folder monitoring program, I don't think it's really necessary. Even if a file gets dropped into a folder undetected, I don't see how it could execute without being detected by SSM.
    Is there a specific instance or activity you're referring to or is this about what happens during normal usage? I assume you run an install monitor like Inctrl5 during installs and updates and keep records of which unstall or update is responsible for specific files, and that you keep your security apps running whether the installer wants you to or not. For anything more than a minor change, I make a system backup and a separate registry backup, then take a snapshot with inctrl5, then run the on-demand file checkers. I leave all security apps on during the install/update process. When it's done, I run Inctrl5 again, along with the file checkers. Yes, this can be a major pain. I installed Microsoft .NET Framework 2.0 on a test unit yesterday. Don't even want to guess how many promts from SSM I had to answer.

    I don't have any other ideas for your XP unit, but for your 98SE box, there's a couple items you could check into. I picked up a copy of Inctrl4. I haven't had time to check it out to any degree yet, but it has a "real time" mode that works on the older systems, not on the NT systems.
    From its help file:
    Another item that might interest you is a DOS utility called XCLONE.EXE. Available here. It's like XCOPY on steroids. It can copy entire drives and works with long file names. I'm going to experiment with using it in my startup batch files and see if it will replace the windows folders from a CD copy, effectively replacing all of windows during a reboot.
    Rick
     
  12. EASTER.2010

    EASTER.2010 Guest

    Thanks RICK:

    As you know i always admire your insight knowing you have dealt with far more problems than myself with 98 although i've experienced my fair share of some doosies myself also and now XP is added to some of those grey hairs. o_O

    NIS filecheck & Tiny Watcher i only recently added but file mapp is been a life saver for years and still is a worthy tradition!

    With HIPS like SSM i agree the percentages are now more in our favor than ever. Still it's puzzling for me in one respect why developers (freelance/commercials) have evaded/avoided compiling a good, quick, directory monitor something like you point out that now HIPS have done. I can direct that same confidence in the direction of a CyberHawk that not only intercepts a possible behavior intrusion but WILL TERMINATE! without assistance of Killbox or another file breaker of sorts requiring a reboot to release. By the way in case you missed this, just found a FORMIDABLE bad file TERMINATOR FileAssassin 2.0 now

    Mostly normal usage on XP since it carries services it also needs to write to logs and update the configs/registers but what interests me is when and where a new install chooses to start out at and with what. I seen a lot of TMPS files used for that and other purposes. I am no specialist in Micro codes by any stretch, or would want to be :eek: but seen enough of normal windows activities monitored to develop a healthy respect to guard every end of the spectrum possible. The simplest it would seem would be to Monitor C:\, Windows, System32, Local Settings\TEMP, and a few choice other locations.
    HIPS effectively suspends activity allowing the user a choice of course, and you got to enjoy that, like 2 magnets of the same poles in opposition where only the right selected choice gets to proceed and the other implodes.

    Appreciate that find. Will come in handy on my 98SE boxes for sure. If only Microsoft would have rebuilt the 98/Me kernel and remade explorer from suffering so many errors we might today be experiencing a real Microsoft renaissance. I would name it Windows 98.6 :thumb:
    Ok, so much for that wishful thinking but still rather nice to imagine what might would have been then what is. But then again it's not our reputation at stake, they're the ones running out of ideas instead of leading into the computer age in a strong creativity fashion.

    Back at Topic, thanks everyone for sharing your finds and offering your suggestions.

    Rick & SpinDoctor, special thanks for bringing Sentinel on demand to attention as your personal favorites. It looks i'm sold on it too, monitors great and is light. Thanks again.
     
    Last edited by a moderator: Dec 31, 2006
  13. herbalist

    herbalist Guest

    Thanks. That's appreciated.
    I've noticed that, especially with M$ updates and other installs of theirs. The last ones I worked with made a WUTemp directory on my "F" drive, which is the data partition of my external drive. Why it chose such a location, I'd like to know. Windows and log files are a headache all their own. It amazes me just how many worthless log files there are in windows. Some keep getting used even when you instruct the system not to keep a log file. The modem log on my system comes to mind. Windows kept updating it even when I used the no log option. I ended up using notepad to delete the files contents, then made the file read only to stop it's being written to. Almost half of the scheduled Eraser tasks on my box are for log files. Anymore, I find I'm more concerned with what M$ is changing on my system than I am about what malware might do. After WGA, I don't think I'm that far off.

    For the temp and temporary internet files folders, I added rules to SSM for these and several other folders, blocking executables, libraries and drivers from them. This is probably a lot easier to keep up with on my 98 box than it would be on XP. Besides, most of these folders get erased multiple times per day.
    Why does this have to come from M$? 98 is a long way from dead.
    kernel update project
    Open Source 98?
    I've spent the last few days upgrading a lot of my system from this site. All kinds of good stuff there. WMP9 runs good on this old box, once you get past the artificial incompatibility M$ tried to add.
    Rick
     
Loading...
Thread Status:
Not open for further replies.