There is an end user at my company whose machine has had multiple malware infections in a small amount of time. Each time IT has reformatted the drive and, in one instance, given him an entirely new machine from the factory. We have scanned the user's data with multiple tools, and no malware is detected. Do you know of a good file/registry monitoring tool that can be automated to track items on a PC/laptop? I know Microsoft has a filemon tool, but I believe that must be run manually.
There are several different Windows file and registry monitoring tools, including Tripwire, OSSEC and Filemon/Regmon, which have been replaced by Process Monitor. All of these tools can be used to track malware and monitor file or registry activity on a Windows system in depth.
Process Monitor can be used to capture all registry and file system access by every process from the moment the system boots. You can configure it to enable boot logging, and then go back and analyze the captured data to determine what each process accessed. You may first want to identify the suspicious process and then investigate further what registry or file system access or changes it made. OSSEC has similar functionality to Process Monitor for monitoring registry and file system access, but isn't configured by default to monitor a system in real time. OSSEC uses its syscheck module to scan a system on a pre-configured interval and identify changes against a stored baseline.
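The interval-based approach the answer attributes to OSSEC syscheck is easy to demonstrate in a few dozen lines. The following is an added example, not OSSEC's own code: it snapshots a directory tree (SHA-256 and size per file), stores the snapshot as a JSON baseline, and on a later run reports files that were added, removed or modified. The directory contents in `demo()` are constructed for illustration; `monitored`, `baseline.json` and the file names are assumptions, not paths from the original page.

```python
"""Minimal interval-based file integrity check, in the spirit of OSSEC syscheck.

Added example, not OSSEC code: walk a directory tree, record SHA-256 and size
for every regular file, and compare a later snapshot against the stored
baseline to report added, removed and modified files.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Build {relative_path: {sha256, size}} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed/modified relative paths between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys
            if baseline[k]["sha256"] != current[k]["sha256"]
        ),
    }


def save_baseline(snap: dict, baseline_file: Path) -> None:
    """Persist the snapshot; in production keep this somewhere the host cannot rewrite."""
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def demo() -> dict:
    """Constructed demo: build a temp tree, baseline it, change it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"          # assumed monitored directory
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "app.exe").write_bytes(b"original program bytes")
        (root / "config.ini").write_text("setting=1\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulate what the next scheduled scan would observe.
        (root / "bin" / "app.exe").write_bytes(b"TAMPERED program bytes")
        (root / "config.ini").unlink()
        (root / "bin" / "dropped.dll").write_bytes(b"new unexpected file")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (Task Scheduler on Windows, cron elsewhere) against directories that should be stable, such as system and program directories and the user's startup folder, and keep the baseline file on a share or server the monitored host cannot write to; a baseline that lives on the infected machine can be rewritten along with the files it is meant to protect.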
You can identify suspicious registry or file system access by a process and then investigate the process further. Once you identify the process, you can potentially identify the executable on the file system, and then submit the file to an antimalware vendor or antimalware service to see if it is detected by the antimalware scanners. If the executable isn’t identified as malware, you can do further advanced investigation on the file to determine if the file is malware or wait for your antimalware vendor.
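Working through a boot-time Process Monitor capture by hand is slow, so the usual first step is to export it to CSV and summarise which processes actually changed something. The script below is an added example, not part of the original answer or of Process Monitor itself. The CSV lines are constructed to mimic a ProcMon export with the default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the process names, PIDs and paths in them are invented. It lists every process that successfully wrote to the file system or registry, flags those that wrote to well-known autostart locations, and includes a SHA-256 helper for the executable you then pull off disk to submit to or look up with an antimalware service.

```python
"""Triage a Process Monitor CSV export: which processes changed the file
system or registry, and which of those touched autostart locations.

Added example; SAMPLE_CSV is constructed to look like a ProcMon export with
the default columns and is not from the original page.
"""
import csv
import hashlib
import io
from collections import defaultdict
from pathlib import Path

# Operations that change state, as opposed to reads and queries.
WRITE_OPERATIONS = {"WriteFile", "SetDispositionInformationFile",
                    "RegSetValue", "RegCreateKey", "RegDeleteValue"}

# Well-known persistence locations worth a second look in a boot-time log.
AUTOSTART_MARKERS = (
    r"\CurrentVersion\Run",
    r"\CurrentVersion\RunOnce",
    r"\Start Menu\Programs\Startup",
)

# Constructed sample export (not real capture data).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:02:11.1001 AM","svchost.exe","812","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"8:02:12.2201 AM","updater.exe","4120","WriteFile","C:\\Users\\user\\AppData\\Roaming\\svc\\updater.exe","SUCCESS","Offset: 0, Length: 204,800"
"8:02:12.2305 AM","updater.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\\Users\\user\\AppData\\Roaming\\svc\\updater.exe"
"8:02:13.0010 AM","explorer.exe","2244","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"8:02:14.5000 AM","notepad.exe","3300","WriteFile","C:\\Users\\user\\Documents\\notes.txt","SUCCESS","Offset: 0, Length: 12"
"""


def parse_procmon_csv(text: str) -> list:
    """Parse an export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def writes_by_process(rows) -> dict:
    """Map 'name (pid)' -> paths that process successfully changed."""
    out = defaultdict(list)
    for r in rows:
        if r["Operation"] in WRITE_OPERATIONS and r["Result"] == "SUCCESS":
            out[f'{r["Process Name"]} ({r["PID"]})'].append(r["Path"])
    return dict(out)


def autostart_writers(rows) -> dict:
    """Subset of writers that touched an autostart key or folder, with the paths."""
    flagged = defaultdict(list)
    for proc, paths in writes_by_process(rows).items():
        for p in paths:
            if any(m.lower() in p.lower() for m in AUTOSTART_MARKERS):
                flagged[proc].append(p)
    return dict(flagged)


def sha256_of(path: Path) -> str:
    """Hash the executable recovered from disk for a vendor lookup or submission."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for proc, paths in writes_by_process(rows).items():
        print(f"{proc}: {len(paths)} write(s)")
    for proc, paths in autostart_writers(rows).items():
        print(f"AUTOSTART WRITE by {proc}:")
        for p in paths:
            print(f"    {p}")
```

With a real export, load the file instead of `SAMPLE_CSV` (`parse_procmon_csv(Path("boot.csv").read_text(encoding="utf-8-sig"))`, since ProcMon writes a UTF-8 byte order mark), and extend `AUTOSTART_MARKERS` with whatever other persistence locations your environment cares about. A process that both drops a file under the user's profile and registers it in a Run key, as `updater.exe` does in the sample, is the pattern the answer suggests chasing first: recover that file from disk, hash it, and hand the hash or the sample to your antimalware vendor.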
There are other advanced tools for monitoring file and registry activity, and some anti-malware software includes functionality for monitoring all access to the registry or file system regardless of which process makes the change.
This was first published in November 2011