Event Monitor Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    755
    Location:
    Italy
    What is Event Monitor Service?

    [image: event-monitor-service.jpg]

    We released a new version:
    http://www.novirusthanks.org/products/event-monitor-service/

     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,995
    Location:
    Europe then Asia
    You create many nice tools; maybe packing them all under one "monitoring" application would be cool.
     
  3. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    I was looking at those many nice tools and then I had the same thoughts about unity. Honestly it's kind of inconvenient to install and maintain them separately.
     
    Last edited: Mar 26, 2017
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,995
    Location:
    Europe then Asia
    Exactly ;)
     
  5. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    Btw.: Event Monitor Service includes functionality from:
    • Process Logger Service (Process Creations+Terminations)
    • Registry Guard Service (Access to Registry Keys)
    • PE Capture Service (capturing of dropped executables)
    ...and some more monitoring features.

    But it's good to have them separately.
    If I only want to log all Process Creations, then instead of installing "the whole package" (and disabling unneeded functionality in the settings) I can install the Process Logger Service only.
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Alright. This is something that should have been mentioned from the beginning, in the first post or a subsequent one (no offense @novirusthanks), but as usual you, @mood, are always quick and willing to test software, and your comments save my day. :thumb:
    * Btw, when you say "includes functionality from..." do you actually mean to say full functionality or just some features of them?
    * If yes, then I'll be switching to Event Monitor Service asap.

    Different points of view mate. Perhaps you're right anyway.
     
    Last edited: Mar 26, 2017
  7. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    99% functionality :doubt:
    You'll get the most details about Process Creations with Process Logger Service (for example it logs this information: Bitness, Integrity Level, Protected Process, ...).
    And with Event Monitor Service, Process Creations and Process Terminations are logged in different log files.

    And because it is a Monitoring Service, changes in the registry are logged but not prevented.
     
  8. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Not much of an issue for me. As I'm always in shadow mode I really don't care about reg changes. Just a reboot and all is gone.

    So it's a go for me. Next time I restart the PC I will install it.

    Thanks for your kind explanation. :)
     
  9. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    It also has some other nice monitoring features like monitoring loaded DLLs, drivers, created files, deleted files...
    Good monitoring suite.
    I guess for malware researchers it can be very useful.

    Btw.: The logfiles can be read by anyone. To mitigate this, the logs folder can be hidden or ACLs can be modified to deny access to the logs folder for regular users.
    This was also mentioned on the website:
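    The ACL mitigation mentioned above, as an added example that is not part of this thread or of the NVT product: it breaks inheritance on the logs folder and leaves only the service account and Administrators with access. It assumes the default Logs path from the Config.ini posted later in this thread and that the service runs as LocalSystem; both are assumptions, so adjust them for your install.

```powershell
# Added example, not part of this thread or of the NVT product: lock down the
# Event Monitor Service logs folder so that regular users cannot read the logs.
# Assumptions: the Logs path is the default from the Config.ini posted in this
# thread, and the service runs as LocalSystem (adjust $ServiceAccount otherwise).
$LogsFolder     = 'C:\EMSvc\Logs'
$ServiceAccount = [System.Security.Principal.WellKnownSidType]::LocalSystemSid

if (-not (Test-Path -LiteralPath $LogsFolder)) {
    New-Item -ItemType Directory -Path $LogsFolder | Out-Null
}

$acl = Get-Acl -LiteralPath $LogsFolder

# Break inheritance from C:\EMSvc and discard the inherited ACEs
# (these usually include "Users: Read & execute", which is what must go)
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit (non-inherited) ACEs so the DACL is rebuilt from scratch
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-AllowRule([System.Security.Principal.SecurityIdentifier]$Sid) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, 'FullControl', $inherit, $propagate, 'Allow')
}

# The service account must still be able to create and append log files
$serviceSid = New-Object System.Security.Principal.SecurityIdentifier($ServiceAccount, $null)
$acl.AddAccessRule((New-AllowRule $serviceSid))

# Administrators keep full control so the logs can be reviewed and rotated
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$acl.AddAccessRule((New-AllowRule $adminsSid))

# No ACE for Users or Everyone: with inheritance broken, that is an implicit deny
Set-Acl -LiteralPath $LogsFolder -AclObject $acl

# Verify the resulting DACL (run the whole script from an elevated prompt)
(Get-Acl -LiteralPath $LogsFolder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it once after the service is installed and again if you move the Logs folder in Config.ini, since the new folder will inherit the parent's permissions.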
     
  10. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,527
    Location:
    U.S.A. (South)
    Oh now this is good stuff.

    Appreciate the new service.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    @mood Currently I use NVT Process Logger Service, and Registry Guard Service.

    I am thinking of installing Event Logger Service instead of the Process Logger Service due to its additional monitoring. What info would I 'lose' that Process Logger Service has?

    But I will retain Registry Guard Service due to its blocking ability, though I am thinking of going with the GUI version when it gets updated, as it will probably be easier to disable for installs (currently I have a desktop shortcut for the service config.ini).

    Edit: Re-reading your post, I suppose one gets the most info using all three, despite the overhead of maintaining / running three services. Perhaps Andreas could consider switches to turn on / off process monitoring or registry monitoring in Event Monitor Service (where these overlap with the others).
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    If I need information about file deletions/file creations/dropped files or other information then I would run Event Monitor Service.
    For more detailed information about processes or "blocking ability" if a program wants to write to the registry, might be a better choice: #7
    And they don't need to inject a DLL into each process, which can lead to some problems under specific circumstances. Some programs "don't like this".
    Event Monitor Service is injecting the file: EventMon.dll / EventMon32.dll
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    Thanks @mood
    Just installed and disabled ProcessCreations, ProcessTerminations and Registry as these are already covered by the other two services. (So Andreas does have these switches already).

    I see my logs are in .xml format? How should I view these - with Notepad?

    Edit: Did I do something wrong? I have tried installing twice with same result.
     
    Last edited: Apr 6, 2017
  15. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    Then the output-format has been changed with the new version :cautious:
    These files should be readable with a normal file viewer or Notepad, but I haven't tested version v1.3 yet. I'll do it at a later time.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    @novirusthanks @mood My logs are in .xml format (unlike Process Logger Service or Registry Guard Service). Any idea why this is so and what I could be doing wrong on install?
     
  17. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    I had the idea to look into the changelog, and I found this:
    Code:
    [17-Nov-2016] v1.1.0.0
    + Events are saved in an XML-like format (no root element)
    It seems it is by design, with Event Monitor Service v1.1.0.0 and newer versions.
    You did nothing wrong :)
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    I wonder why. It is much less readable (in Notepad).
     
  19. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    An option for choosing the format of the log-file would be nice:
    Code:
    @ config.ini
    LogfileOutput: xml
    LogfileOutput: txt
    Only an idea ...
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,527
    Location:
    U.S.A. (South)
    Nice idea anyway whether it's considered or not.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    755
    Location:
    Italy
    @mood @paulderdash @EASTER

    We've released a new version 1.4:
    http://www.novirusthanks.org/products/event-monitor-service/

    Changelog:

    Code:
    [27-Apr-2017] v1.4.0.0
    
    + Made XML log format optional, default is Plain Text now
    + To enable XML logging edit Config.ini and set LogAsXml = y
    
    This is the full Config.ini file with the new LogAsXml option:

    Code:
    [Monitoring]
    
    FileCreations = y
    FileDeletions = y
    PEImageDrops = y
    LoadedDrivers = y
    ProcessCreations = y
    ProcessTerminations = y
    LoadedDLLs = y
    Registry = y
    
    [Folders]
    
    Logs = C:\EMSvc\Logs
    Exclusions = C:\EMSvc\Exclude
    
    [Paths]
    
    RegistryExcludeFile = C:\EMSvc\Registry\
    RegistryRuleFile = C:\EMSvc\Registry\
    
    [Settings]
    DeleteLogsOlderThanNDays=0
    
    [Logging]
    LogAsXml=n
    
     
  22. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    This issue is fixed with v1.4 :thumb:
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    Andreas, you are amazing!

    I am currently running Process Logger Service, Registry Guard Service and now Event Monitor Service with Process Creations, Process Terminations, and Registry set to 'n' (to avoid duplication) for monitoring and control.

    Though for my purposes Event Monitor Service alone would be fine for monitoring only.

    I do understand that with Registry Guard Service one has the ability to not just monitor but protect the registry, but is there a benefit running Process Logger Service over and above the process monitoring provided by Event Monitor Service?
     
    Last edited: Apr 27, 2017
  24. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    @novirusthanks No biggie, but could you add an 'Enabled=y' config.ini parameter (a la Process Logger Service?)
     