So I took FileChecker for a quick spin...

Discussion in 'FileChecker & ID-Blaster Forum' started by osmethne, Oct 13, 2003.

Thread Status:
Not open for further replies.
  1. osmethne

    osmethne Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    16
    Excerpts from my personal blog follow... Someone tell me I'm wrong?
    [hr]
    * The checksum options offered are all CRC-based. Unix root-kits have been circumventing these for years (decades?) and I would assume that many Windows ones do as well.

    * Checksumming is disabled by default. To turn it on, the user must enable it both globally (disabled by default), and then individually for each file (again, disabled by default.) This is not immediately obvious within the product (and in fact I assumed that the per-file check-list was actually for the "delete selected file from list" function.) As a result, the risk of misconfiguration is extremely high.

    * The interface shows "Checksum Computation Running" even when it is disabled (both globally and on all files). As a result, the risk of misconfiguration is extremely high.

    * The datestamp tests only check the modification time, rather than the creation time. This is trivially spoofed, and doesn't require any special rights (WinZip does this all the time, for example.) note: Tested on a FAT partition, it is possible that the results on NTFS would be different.

    * Watch-lists are not encrypted by default, and it is not possible to tell from the GUI whether or not they are encrypted. This would create a serious risk of misconfiguration if it weren't for...

    * Watch-list "encryption" is little more than XOR with all-bits-one. It is not clear that this achieves anything other than lulling users into a false sense of security.

    * The product doesn't detect unauthorised changes to its own configuration, even while running. (Although note that it will not actually reload the configuration until restarted.) While it might be claimed that the user will notice configuration changes, I would expect a significant amount of time to pass before this actually happens (if ever -- for example, how many users really come back and double-check their anti-virus settings once they have them set up to their satisfaction?) note: It is not possible to configure the tool to monitor its own configuration as that is stored in the registry, rather than as a file.

    * The product doesn't appear to store file checksums between runs. As a result, any changes that happen on your system while the filechecker is not actually running will not get detected. For example, if the user picks up malware that only fully installs on a reboot (when fewer files are locked), FileChecker will not detect it.
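    The three weaknesses above (all-bits-one XOR as "encryption", CRC in place of a cryptographic hash, and no checksums kept between runs) are easy to see side by side in a small script. This is an added illustration, not FileChecker's code; `file_fingerprint`, `write_baseline` and `verify_baseline` are hypothetical helper names, SHA-256 stands in for the cryptographic hash, and the HOSTS file and baseline path are constructed in a temp directory.

```python
import hashlib
import json
import os
import tempfile
import zlib


def xor_all_ones(data: bytes) -> bytes:
    """The watch-list "encryption" described above: XOR every byte with 0xFF.
    It is its own inverse and needs no key, so anyone can undo it."""
    return bytes(b ^ 0xFF for b in data)


def file_fingerprint(path: str) -> dict:
    """Record size, a CRC32 (what FileChecker offers) and SHA-256 (a real
    cryptographic hash). Hypothetical helper, not the product's own code."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data),
            "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
            "sha256": hashlib.sha256(data).hexdigest()}


def write_baseline(paths, baseline_path):
    """Persist fingerprints to disk so they survive the checker not running."""
    baseline = {p: file_fingerprint(p) for p in paths}
    with open(baseline_path, "w") as f:
        json.dump(baseline, f)
    return baseline


def verify_baseline(baseline_path):
    """Return the paths whose SHA-256 no longer matches the stored baseline.
    Because the baseline is on disk, edits made while the checker was
    stopped (for example across a reboot) are still detected."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    return [p for p, old in baseline.items()
            if not os.path.exists(p) or file_fingerprint(p)["sha256"] != old["sha256"]]


def demo():
    d = tempfile.mkdtemp()
    hosts = os.path.join(d, "HOSTS")  # constructed sample file, not a real hosts file
    with open(hosts, "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    baseline = os.path.join(d, "baseline.json")
    write_baseline([hosts], baseline)
    with open(hosts, "ab") as f:  # simulate a change made while the checker is not running
        f.write(b"0.0.0.0 example.invalid\n")
    return verify_baseline(baseline)  # returns [hosts]
```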
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    Yes, at the moment FileChecker doesn't store any data between runs. That has been on my to-do list for a while. (It wasn't the original intent of the program either. It was meant to detect file changes only while running.)

    And I'm not claiming it can't be defeated - no security product should make that claim (although I'm not sure why it displayed "Checksum Computation Running" even when it was disabled...I'll look into that). It checks file properties, and can (optionally, as you correctly noted) calculate a CRC checksum. If something can forge that data, there is (IMHO) a much bigger problem at hand - but you have mentioned some good points, and I do have some new ideas for improvements (when/if I get around to them), such as adding a different checksumming method (i.e. a more recent one).

    I haven't recommended the product for novice users - in fact, I will recommend against it in the current state. It wasn't designed for beginners, and I do realize that some of the function settings may be implemented in unordinary ways.

    NOTE: FileChecker should be checking the creation date in addition to the modification date.

    I hope this addresses some/most of your points.

    Best regards,

    -Javacool

    P.S. FileChecker was one of the first programs I released, and it was more of a small project, to test various ideas out. It certainly can be useful for some things, but it should not be considered a full-blown, unbreakable security product - it isn't (then again, what is...). For simple protection against some general changes, it can work - and that's what it was designed for. (If you want to know when your HOSTS file is modified, FileChecker can tell you.) I haven't updated the program for a while, and I unfortunately haven't had time to. If someone is looking for protection against the most advanced rootkits, and other such software, FileChecker is not sufficient, but for alerting of general changes to files, FileChecker can fit the bill.
     
  3. osmethne

    osmethne Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    16
    Thanks for responding :)

    As I said, *nix root-kits have been making trojaned binaries with the same date/size/checksum as the original for years. I see no reason that this should be any different under Windows (there's certainly no technical reason why they wouldn't be doing this.)

    Note also that CRCs are not "cryptographic hashes", as you call them in the help. If it helps, the last I looked seriously into crypto (which is admittedly 2-3 years ago now), sha-1 was considered the best choice.

    With regards to the rest of your post, I kinda guessed this was the case. Nevertheless, you do have some real users out there, and they need information on the level of protection that the software is offering them so that they can judge how their time and computing resources are best spent.
     
  4. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    When osmethne started this thread 10/03 I guess he was testing version 1.6, so any new changes are in version 1.7 as of this writing. If this is incorrect feel free to correct me.

    This is a good thread to read... for those interested in trying FileChecker.

    On the face of it (without having tested) it seems this program may be useful (current state) as the author states for alerting of general changes to files (while running).

    I will wait for the following before I test it:

    1) store data between runs
    2) adding a different checksumming method (i.e. a more recent one).
    3) other issues as the author has time to implement

    Appreciate all your work jc
     
  5. Bmacguy

    Bmacguy Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    13
    Does anyone have a suggestion about a more up to date program that has the same function ?
    Shareware is ok also.
     