There is an end user at my company whose machine has had multiple malware infections in a small amount of time. ...
Each time IT has reformatted the drive and, in one instance, given him an entirely new machine from the factory. We have scanned the user's data with multiple tools, and no malware is detected. Do you know of a good file/registry monitoring tool that can be automated to track items on a PC/laptop? I know Microsoft has a filemon tool, but I believe that must be run manually.
There are several different Windows file and registry monitoring tools, including Tripwire, OSSec and Filemon/Regmon, which have been replaced by Process Monitor. All of these tools can be used to track malware and monitor the file or registry activities on a Windows system in-depth.
Process Monitor can be used to monitor a system on boot for all registry and file system access by a process. You can configure it to monitor a system from boot, and then go back and analyze the data to determine what was accessed by a process. You may first want to identify the suspicious process and then investigate further what registry or file system access or changes it made. OSSec has similar functionality to Process Monitor for monitoring registry and file system access, but isn’t configured by default to monitor a system in real time. OSSec uses Syscheck to scan a system on a pre-configured interval to identify changes.
You can identify suspicious registry or file system access by a process and then investigate the process further. Once you identify the process, you can potentially identify the executable on the file system, and then submit the file to an antimalware vendor or antimalware service to see if it is detected by the antimalware scanners. If the executable isn’t identified as malware, you can do further advanced investigation on the file to determine if the file is malware or wait for your antimalware vendor.
There are other advanced tools for monitoring file and registry, and some anti-malware software include functionality for monitoring all access to the registry or file system regardless of the process used to make the change.
Dig Deeper on Enterprise Data Governance
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.