There is an end user at my company whose machine has had multiple malware infections in a small amount of time. ...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Each time IT has reformatted the drive and, in one instance, given him an entirely new machine from the factory. We have scanned the user's data with multiple tools, and no malware is detected. Do you know of a good file/registry monitoring tool that can be automated to track items on a PC/laptop? I know Microsoft has a filemon tool, but I believe that must be run manually.
There are several different Windows file and registry monitoring tools, including Tripwire, OSSec and Filemon/Regmon, which have been replaced by Process Monitor. All of these tools can be used to track malware and monitor the file or registry activities on a Windows system in-depth.
Process Monitor can be used to monitor a system on boot for all registry and file system access by a process. You can configure it to monitor a system from boot, and then go back and analyze the data to determine what was accessed by a process. You may first want to identify the suspicious process and then investigate further what registry or file system access or changes it made. OSSec has similar functionality to Process Monitor for monitoring registry and file system access, but isn’t configured by default to monitor a system in real time. OSSec uses Syscheck to scan a system on a pre-configured interval to identify changes.
You can identify suspicious registry or file system access by a process and then investigate the process further. Once you identify the process, you can potentially identify the executable on the file system, and then submit the file to an antimalware vendor or antimalware service to see if it is detected by the antimalware scanners. If the executable isn’t identified as malware, you can do further advanced investigation on the file to determine if the file is malware or wait for your antimalware vendor.
There are other advanced tools for monitoring file and registry, and some anti-malware software include functionality for monitoring all access to the registry or file system regardless of the process used to make the change.
Dig Deeper on Enterprise Data Governance
Related Q&A from Nick Lewis
When it comes to state-sponsored attacks infecting mobile devices, do users have any chance of tracing the attack? Expert Nick Lewis offers some ...continue reading
Microsoft won't patch certain ASLR bypass flaws, but enterprises still need to protect against them. Expert Nick Lewis explains the threat and how to...continue reading
Threat actors in China are using VPN services to hide and anonymize their attacks. Expert Nick Lewis explains how to get a handle on these ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.