There is an end user at my company whose machine has had multiple malware infections in a small amount of time. ...
Each time IT has reformatted the drive and, in one instance, given him an entirely new machine from the factory. We have scanned the user's data with multiple tools, and no malware is detected. Do you know of a good file/registry monitoring tool that can be automated to track items on a PC/laptop? I know Microsoft has a Filemon tool, but I believe that must be run manually.
There are several different Windows file and registry monitoring tools, including Tripwire, OSSEC and Filemon/Regmon, which have been replaced by Process Monitor. All of these tools can be used to track malware and monitor file or registry activity on a Windows system in depth.
Process Monitor can be used to monitor a system on boot for all registry and file system access by a process. You can configure it to monitor a system from boot, and then go back and analyze the data to determine what was accessed by a process. You may first want to identify the suspicious process and then investigate further what registry or file system access or changes it made. OSSEC has similar functionality to Process Monitor for monitoring registry and file system access, but isn't configured by default to monitor a system in real time. OSSEC uses Syscheck to scan a system on a preconfigured interval to identify changes.
You can identify suspicious registry or file system access by a process and then investigate the process further. Once you identify the process, you can potentially identify the executable on the file system, and then submit the file to an antimalware vendor or antimalware service to see if it is detected by the antimalware scanners. If the executable isn’t identified as malware, you can do further advanced investigation on the file to determine if the file is malware or wait for your antimalware vendor.
There are other advanced tools for monitoring file and registry activity, and some antimalware software includes functionality for monitoring all access to the registry or file system regardless of the process used to make the change.
Answered by expert Nick Lewis.