File / Folder Modifications Checks Test

Monitoring files on Windows systems is critical for detecting suspicious activity. Organizations should keep track of changes to key files and folders and look for anything out of the ordinary. This is where the File/Folder Modifications Checks test helps administrators. By closely monitoring the configured files, this test reports the number of files/folders that have been modified. An abnormal increase in the number of modified files is an indication of malware activity. Using this test, administrators can therefore proactively detect suspicious changes to files/folders before they become a security threat. The detailed diagnosis of this test provides additional details such as the file name and the time of last modification.

Target of the test : A Windows host

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Windows host being monitored

Configurable parameters for the test (each parameter name is followed by its description)

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Port

The port on which the server is listening. By default, this is NULL.

Files to be Monitored

Provide a comma-separated list of the full paths of the files to be monitored. If the full path to a folder is configured here, the test monitors changes only to the files directly under that folder, not to files in its sub-folders. By default, this parameter is set to none; in that case the test cannot execute and no metrics are generated.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1, which means that detailed measures are generated every time this test runs and also every time the test detects a problem. You can modify this frequency if you wish. If you intend to disable the detailed diagnosis capability for this test, specify none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run more detailed, elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability.
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should be non-zero.
Measurements made by the test

Measurement: Modified files

Description: Indicates the number of files/folders that were modified during the last measurement period.

Measurement unit: Number

Interpretation: Use the detailed diagnosis to find the file name, last modified time, and the previous and present checksum values. If the present checksum value differs from the previous value, the file/folder has been modified.
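The following script is an added illustration of the check described above and is not eG Enterprise code. It parses a comma-separated Files to be Monitored value, expands any folder to its direct files only (sub-folders are skipped, as the parameter description states), keeps a checksum baseline from the previous run, and reports the count of modified files together with the file name, last modified time and the previous/present checksums that the detailed diagnosis would show. The file names, contents and the demo scenario are constructed for the example; a hash change is used as the modification signal because a file's modification time alone can be unreliable.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 65536


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def expand_targets(files_to_be_monitored):
    """Parse the comma-separated parameter value into a list of file paths.

    A folder entry contributes only the files directly under it (no recursion),
    mirroring the documented behaviour of the test. Missing paths are skipped.
    """
    targets = []
    for raw in files_to_be_monitored.split(","):
        p = raw.strip()
        if not p:
            continue
        if os.path.isdir(p):
            for name in sorted(os.listdir(p)):
                full = os.path.join(p, name)
                if os.path.isfile(full):
                    targets.append(full)
        elif os.path.isfile(p):
            targets.append(p)
    return targets


def snapshot(paths):
    """Baseline for the next run: path -> present checksum."""
    return {p: sha256_of(p) for p in paths}


def check_modifications(files_to_be_monitored, previous):
    """One measurement period.

    Returns (modified_count, details, new_snapshot). Only files present in both
    the previous and the current snapshot with differing checksums are counted,
    which matches the 'Modified files' metric; additions and deletions are not counted.
    """
    current = snapshot(expand_targets(files_to_be_monitored))
    details = []
    for path, present in current.items():
        prev = previous.get(path)
        if prev is not None and prev != present:
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            details.append({
                "file": path,
                "last_modified": mtime.isoformat(),
                "previous_checksum": prev,
                "present_checksum": present,
            })
    return len(details), details, current


def demo():
    """Constructed scenario (hypothetical files, not real data).

    A monitored folder holds two files and a sub-folder with one file. Between
    two runs, one top-level file and the nested file are rewritten; only the
    top-level file should be reported, because sub-folders are not monitored.
    """
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "sub")
        os.mkdir(sub)
        config = os.path.join(root, "config.ini")
        hosts = os.path.join(root, "hosts.txt")
        nested = os.path.join(sub, "nested.txt")
        for p in (config, hosts, nested):
            with open(p, "w") as f:
                f.write("baseline\n")

        baseline = snapshot(expand_targets(root))  # first run of the test

        with open(config, "w") as f:  # top-level file changes
            f.write("changed\n")
        with open(nested, "w") as f:  # nested file changes, outside monitoring scope
            f.write("changed\n")

        count, details, _ = check_modifications(root, baseline)
        return count, [d["file"] for d in details], config


if __name__ == "__main__":
    modified, files, _ = demo()
    print(f"Modified files: {modified}")
    for f in files:
        print("  ", f)
```

In a real deployment the baseline dictionary would be persisted between test runs (for example as JSON next to the agent) rather than kept in memory, and the returned details would feed the detailed diagnosis rather than being printed.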