# Note
This repo has been migrated to the OWASP repo. Please visit https://github.com/OWASP/www-project-winfim.net for the latest updates.
# WinFIM.NET - File Integrity Monitoring For Windows
For a detailed introduction, please visit my Cyber Security Corner technical blog.
# Introduction
There are plenty of commercial tools for file integrity monitoring (FIM), but freeware / open-source options, especially for Windows, are scarce.
I have developed a small Windows Service named “WinFIM.NET” (https://github.com/redblueteam/WinFIM.NET) to help fill this gap.
# Characteristics
The characteristics of this small application are:
- It identifies additions, removals and modifications of files and directories
- The monitoring scope can be easily customized
- Path exclusions (e.g. a sub-directory) can be configured
- File extension exclusions can be configured (e.g. *.bak, *.tmp, *.log, *.mdf, *.ldf, *.xel, *.installlog)
- All events are saved as native Windows Events, which integrate easily with your existing log management mechanism (e.g. Windows Event Subscription, Winlogbeat, nxlog, etc.)
- Deployment friendly
- Uses SHA256 for hashing
# Installation (single machine)
- Manually download all files to the destination computer
- Configure the parameters to fit your own environment:
  a) ‘monlist.txt’ – list your in-scope files / directories (absolute paths), one per line
  b) ‘exclude_path.txt’ – list your exclusions (absolute paths), one per line; each exclusion should lie within a path listed in ‘monlist.txt’ (e.g. a sub-directory of an in-scope directory)
  c) ‘exclude_extension.txt’ – list all whitelisted file extensions (normally the extensions of frequently changing files, e.g. *.log, *.tmp)
  d) ‘scheduler.txt’ – controls whether WinFIM.NET runs in scheduled mode or continuous mode:
    - Put the number ‘0’ in the file if you want WinFIM.NET to keep running continuously.
    - Put a number of minutes for the interval between runs, e.g. 30 (file checksums will then be computed every 30 minutes).
- Unblock the “WinFIM.NET Service.exe”
- Install the Windows Service: open an Administrator command prompt, navigate to the deployed folder, then execute “install_service.bat”
- Verify that the Windows Service is up and running
- Make sure the maximum log size is configured according to your deployment environment. By default, only around 1MB is reserved for the log: %SystemRoot%\System32\Winevt\Logs\WinFIM.NET.evtx
# Uninstallation
Open an Administrator command prompt, navigate to the deployed folder, then execute “uninstall_service.bat”
# Windows Event IDs for file / directory changes
- Event ID 7776 – File / Directory creation
- Event ID 7777 – File modification
- Event ID 7778 – File / Directory deletion
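To make the scan semantics described in the Characteristics and Installation sections concrete, the following is an added, stand-alone Python model of what one WinFIM.NET run does: read the scope from ‘monlist.txt’, drop anything covered by ‘exclude_path.txt’ or ‘exclude_extension.txt’, hash every remaining file with SHA256, and diff the result against the previous run to produce the three change kinds listed above. This is example code written for this README, not the project's own service code; the function names, the constructed directory tree and the list-parsing details are this example's assumptions, while the Event IDs 7776 / 7777 / 7778 are the ones documented here.

```python
"""Model of a WinFIM.NET scan (added example, not the project's code):
scope, path/extension exclusions, SHA256 per file, and a baseline diff
mapped to the README's Event IDs. Names and layout are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path

# Event IDs as documented in the README.
EVENT_CREATED, EVENT_MODIFIED, EVENT_DELETED = 7776, 7777, 7778


def parse_list(text):
    """One entry per line, blank lines ignored (the shape of the *.txt config files)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def scheduler_interval(text):
    """scheduler.txt: '0' selects continuous mode; any other integer is minutes between runs."""
    minutes = int(text.strip())
    return None if minutes == 0 else minutes


def sha256_file(path):
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(monlist, exclude_paths=(), exclude_exts=()):
    """Map every in-scope path to its SHA256 (files) or None (directories)."""
    exts = {e.lstrip("*").lower() for e in exclude_exts}  # '*.log' -> '.log'
    excluded = [Path(e).resolve() for e in exclude_paths]

    def excluded_path(p):
        return any(p == ex or ex in p.parents for ex in excluded)

    state = {}
    for entry in monlist:
        root = Path(entry).resolve()
        if not root.exists() or excluded_path(root):
            continue
        if root.is_file():
            if root.suffix.lower() not in exts:
                state[str(root)] = sha256_file(root)
            continue
        state[str(root)] = None
        for dirpath, dirnames, filenames in os.walk(root):
            here = Path(dirpath)
            # Prune excluded sub-directories in place so os.walk never descends into them.
            dirnames[:] = [d for d in dirnames if not excluded_path(here / d)]
            for d in dirnames:
                state[str(here / d)] = None
            for f in filenames:
                path = here / f
                if excluded_path(path) or path.suffix.lower() in exts:
                    continue
                state[str(path)] = sha256_file(path)
    return state


def diff(before, after):
    """Return (event_id, path) pairs for what changed between two snapshots."""
    events = []
    for path in after.keys() - before.keys():
        events.append((EVENT_CREATED, path))
    for path in before.keys() - after.keys():
        events.append((EVENT_DELETED, path))
    for path in before.keys() & after.keys():
        if before[path] != after[path]:  # directories are None on both sides
            events.append((EVENT_MODIFIED, path))
    return sorted(events, key=lambda ev: ev[1])


def demo():
    """Constructed tree in a temp dir: two scans with changes in between (relative paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        app = base / "app"
        for d in (app, app / "logs", app / "cache"):
            d.mkdir()
        (app / "config.ini").write_text("key=1")
        (app / "readme.txt").write_text("v1")
        (app / "logs" / "a.log").write_text("noise")
        (app / "cache" / "x.dat").write_text("cache")

        monlist = parse_list(f"{app}\n")                  # monlist.txt
        exclude_paths = parse_list(f"{app / 'cache'}\n")  # exclude_path.txt
        exclude_exts = parse_list("*.log\n*.tmp\n")       # exclude_extension.txt

        before = snapshot(monlist, exclude_paths, exclude_exts)
        (app / "config.ini").write_text("key=2")           # modified -> 7777
        (app / "new.txt").write_text("hello")              # created  -> 7776
        (app / "plugins").mkdir()                          # created  -> 7776
        (app / "readme.txt").unlink()                      # deleted  -> 7778
        (app / "logs" / "a.log").write_text("more noise")  # ignored: *.log excluded
        (app / "cache" / "y.dat").write_text("c")          # ignored: path excluded
        after = snapshot(monlist, exclude_paths, exclude_exts)

        return [(eid, Path(p).relative_to(base).as_posix()) for eid, p in diff(before, after)]


if __name__ == "__main__":
    for event_id, rel_path in demo():
        print(event_id, rel_path)
```

Two design points carry over to reading the real service's output: excluded sub-directories are pruned before the walk descends into them, so an exclusion is cheap and nothing inside it is ever hashed or reported; and only files carry a digest, so a directory can produce 7776 or 7778 but never 7777, which is why the list above calls 7777 “File modification” only.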
Enjoy!
Cheers
Henry