Root / System Folders Checks Test

Windows stores crucial operating-system data in a set of folders on the system drive. The root directory is the top-level directory of the folder structure and contains every other directory and file on the system; within it, each folder is designed to hold particular files and applications. Hence, if attackers gain access to the root directory, they gain access to every file and folder stored beneath it. They may then be able to read and write arbitrary files on the system, enabling them to manipulate applications and their associated data, read sensitive information such as passwords, or even take control of the whole system. This is why it is imperative to monitor the root/system folders on the Windows host.

This test continuously monitors the root/system folders on the target host and reports the number of new files added to them. This enables administrators to proactively track file additions and eliminate any chance of malicious attacks or other security threats. The detailed diagnosis offered by this test provides further details on each file addition, such as the file object and its time of creation.

Note:

  1. The folders that are considered as root/system folders by the target system are:

    • %HOMEDRIVE%

    • %SYSTEMROOT%\System32\

    • %SYSTEMROOT%\SysWOW64\

  2. By default, this test excludes the eGurkha install directory from the scope of monitoring.
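The check this page describes, written out as an added example (this is not eG's code and does not reflect how the eG agent is implemented): take a baseline listing of the root/system folders, take a second listing at the next measurement period, and report every file that appeared in between together with its creation time, skipping the agent's own install directory. The example walks each folder recursively and uses a temporary directory as a stand-in for %HOMEDRIVE%; both the recursion and the folder layout in `demo()` are assumptions made for illustration. On Windows the creation time comes from `st_birthtime` (or `st_ctime` on older Pythons, which is creation time there); on other platforms it falls back to `st_ctime`.

```python
"""Added example: baseline-and-diff detection of new files in Windows root/system folders."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# The folders the page names as root/system folders, resolved from the environment at run time.
DEFAULT_ROOT_FOLDERS = (
    os.path.expandvars("%HOMEDRIVE%\\"),
    os.path.expandvars("%SYSTEMROOT%\\System32\\"),
    os.path.expandvars("%SYSTEMROOT%\\SysWOW64\\"),
)


@dataclass(frozen=True)
class NewFile:
    path: str      # normalised absolute path (the "file object" in the detailed diagnosis)
    created: str   # creation time as ISO 8601, UTC


def _norm(path: str) -> str:
    """Canonical form for comparing paths (case-folded on Windows)."""
    return os.path.normcase(os.path.abspath(path))


def snapshot(folders: Iterable[str], exclude_dirs: Iterable[str] = ()) -> Dict[str, float]:
    """Return {path: creation_timestamp} for every file under the given folders.

    Subtrees listed in exclude_dirs (e.g. the agent's install directory) are pruned
    before os.walk descends into them. Folders that are missing or unreadable yield
    nothing rather than aborting the whole check.
    """
    excluded = {_norm(p) for p in exclude_dirs}
    seen: Dict[str, float] = {}
    for folder in folders:
        for dirpath, dirnames, filenames in os.walk(folder, topdown=True):
            # Prune in place: os.walk only descends into what remains in dirnames.
            dirnames[:] = [d for d in dirnames if _norm(os.path.join(dirpath, d)) not in excluded]
            for name in filenames:
                full = _norm(os.path.join(dirpath, name))
                try:
                    st = os.stat(full, follow_symlinks=False)
                except OSError:
                    continue  # vanished or became unreadable between listing and stat
                seen[full] = getattr(st, "st_birthtime", st.st_ctime)
    return seen


def new_files(previous: Dict[str, float], current: Dict[str, float]) -> List[NewFile]:
    """Files present in the current snapshot that were absent from the previous one.

    len(result) is the measure the page reports ("New files added to root/system
    folders"); the entries themselves are the detailed-diagnosis rows.
    """
    return [
        NewFile(path, datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds"))
        for path, ts in sorted(current.items())
        if path not in previous
    ]


def demo() -> List[NewFile]:
    """Constructed scenario: a temp dir stands in for %HOMEDRIVE%, with an 'eGurkha'
    install directory that must be excluded. One file is added at the top level and
    one inside the excluded directory; only the former should be reported."""
    with tempfile.TemporaryDirectory() as root:
        install = os.path.join(root, "eGurkha")          # assumed install-dir name
        os.makedirs(os.path.join(install, "bin"))
        for rel in ("pagefile.sys", os.path.join("eGurkha", "bin", "agent.cfg")):
            open(os.path.join(root, rel), "w").close()     # pre-existing files
        baseline = snapshot([root], exclude_dirs=[install])

        open(os.path.join(root, "dropped.exe"), "w").close()                  # new, in scope
        open(os.path.join(install, "bin", "update.log"), "w").close()         # new, excluded
        return new_files(baseline, snapshot([root], exclude_dirs=[install]))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.created}  {f.path}")
```

In a real deployment the baseline would be persisted between measurement periods (and taken against `DEFAULT_ROOT_FOLDERS` rather than a temp dir); a process that is restarted without a saved baseline would otherwise report every existing file as new on its first run.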

Target of the test : A Windows host

Agent deploying the test : An internal agent

Outputs of the test : One set of results for the Windows host being monitored

Configurable parameters for the test

Test Period: How often should the test be executed.

Host: The host for which the test is to be configured.

Port: The port on which the server is listening. By default, it is given as NULL.

DD Frequency: The frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1, which means that, by default, detailed measures are generated every time this test runs and every time the test detects a problem. You can modify this frequency if you wish. To disable the detailed diagnosis capability for this test, specify none against DD Frequency.

Detailed Diagnosis: To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, choose the Off option.

The option to selectively enable/disable the detailed diagnosis capability is available only if the following conditions are fulfilled:

  • The eG manager license allows the detailed diagnosis capability.
  • Neither the normal nor the abnormal frequency configured for the detailed diagnosis measures is 0.

Measurements made by the test

Measurement: New files added to root/system folders

Description: Indicates the number of new files added to the root/system folders during the last measurement period.

Measurement Unit: Number

Interpretation: The detailed diagnosis of this measure provides details of the file object added and its creation time.