As users of NNT Change Tracker, we know the benefits of Windows File Integrity Monitoring, namely associating a user account with identified file changes, but there is additional value in also understanding at a granular level what specifically changed within the file including the actual line in and to what?
NNT Change Tracker’s File Content tracker can help. The content tracker, available in the Change Tracker templates, will read and store the content of a file and should any line within the file change it will compare the new content with the old.
An excellent example of the use of file content tracking, is monitoring the host file on any Windows server. It is well known that malware exists which will alter the host file settings, redirecting web traffic or blocking access to AV update servers. Tracking line item changes to the Windows Host file can be an excellent strategy in averting such Malware attacks!
Configuring content tracking in Change Tracker is a simple, multi-step approach but before we dive into how the configuration is achieved, a word on hardening. System Hardening/Vulnerability Management, the science of rendering servers, database systems, firewalls, EPOS systems and all other IT devices fundamentally secure, is still the most effective but often the most neglected security best practice. A Hardened System is one that has a ‘locked down’ configuration, removing all unnecessary functions, access and other potential vulnerabilities that could be exploited. Combining hardened systems with forensic change detection provided by NNT Change Tracker effectively provides robust host-based intrusion protection and detection!
Below are full instructions for setting up File Content Tracking. These should be reasonably straightforward but feel free to contact support for any assistance needed.
NNT has a range of training and managed service offerings to help you get the most of your solution.
Call 1-888-898-0674 or click here to request more information.
Step 1: In the example below, we will enable content tracking in the Windows Base template by logging into the Change Tracker console and heading for Settings > Configuration Templates. Once there, find the template and click the ‘Edit’ button.
Move to the ‘File Contents’ tab when the template loads and check ‘Track file contents in this template’. You’ll see the configuration options:
- Tracking style – Select between tracking (live tracking) and polling (scheduled polling at intervals specified in the polling frequency).
- Polling frequency – choose to start content checks at agent startup or a user configurable time and date and at an interval of hourly, daily, weekly or a custom set number of minutes.
Use the ‘Add a Tracked File’ button to add the path to the file of interest. In the example below I have used a wildcard in order to track all files in the etc directory but a specific path to a file such as, ‘C:\Windows\System32\drivers\etc\hosts’ could also be used.
Step 2: With all the configuration added click the save button and providing the template is assigned to devices, you will now be monitoring for file content!
Note: to complete the circle and provide full coverage, add the etc directory to the ‘FIM File Integrity’ tab as well.
Step 3: With our configuration set, any change to a file within the etc directory will be detected by both the file integrity and file content tracker. The below screenshots will give an idea of the valuable information provided. Presenting detailed data about what changed and by whom.
In this example, we can see that the host file has been changed, the user account which changed the file and the altered parameters.
The file content tracker monitoring the hosts file has identified a number of suspicious additions to the file.
Hopefully, the information here has proved useful in demonstrating the power of content tracking. If you have any further questions about content tracking please contact [email protected].