File Integrity Monitor Windows Edition.0
Table of Contents

  EzFIM Overview
  EzFIM Features
  System Requirements
  Installation
    Command Line Options
  EzFIM Control Files
    Monitored Files (Requested Files)
    Excluded Files
    Monitored Registry Keys (Registry File)
    Excluded Registry Keys (Registry Exclude File)
  EzFIM Configuration
    Customizable Configuration File Entries
  EzFIM GUI
    Settings Menu
  Alert and Report Examples
    EzFIM Alert Example
    EzFIM Daily Report Example
  Frequently Asked Questions
  Document History
EzFIM Overview

EzFIM is a lightweight Win32 service designed to address PCI DSS requirement 11.5 (deploying a change-detection mechanism such as file integrity monitoring). It also gives retail merchants a cost-effective alternative to more expensive File Integrity Monitoring (FIM) solutions.

EzFIM validates the integrity of operating system and application files by comparing the current state of each file with a known-good baseline. The comparison computes a cryptographic checksum of the file as it was when the baseline was recorded and compares it with the checksum of the file as it is now: a file whose checksum differs has been modified, a file that is no longer present has been deleted, and a file that is not in the baseline is new. EzFIM converts each finding into a syslog message and forwards it to an existing log/SIEM console, where the messages are stored and can be monitored through alerts and daily report reviews for security and compliance.

The comparison is only as good as the baseline. Record the baseline on a host that is known to be clean: a file that has already been tampered with when the baseline is taken is accepted as good from then on.

EzFIM Features

EzFIM has the following features:
 - Configurable directory and file include and exclude lists
 - Configurable registry include and exclude lists
 - Configurable scan time or interval
 - Logs every time the service is started or stopped
 - Logs after every scan
 - Sends to any log/SIEM solution that accepts syslog

System Requirements

Supported operating systems:
 - Windows XP SP3 or later
 - Windows Server 2003 or later

Additional requirements:
 - Microsoft .NET Framework 3.5. The .NET Framework 3.5 web installer package downloads and installs the .NET Framework components required for the target machine's architecture and OS; an Internet connection is required during the installation. The Client Profile is sufficient to run most client applications that target the .NET Framework 3.5. http://www.microsoft.com/en-us/download/details.aspx?id=21
 - TCP port 514 must be open from each device running EzFIM to the log server so that syslog traffic can be delivered. If the port or protocol is changed in the EzFIM configuration, the corresponding port must be open instead. EzFIM offers plain TCP or UDP syslog only (there is no TLS option), so the path between the agent and the collector should be a trusted network segment.
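The baseline-versus-current comparison described above, written out in PowerShell as an added example. This is not EzFIM's code: the baseline file location, the message wording, the treatment of unreadable files and the use of SHA-256 (the manual does not name EzFIM's checksum algorithm) are all my choices, and PowerShell 5.1 or later is assumed for Get-FileHash.

```powershell
# Added example (not EzFIM code): baseline hashing and comparison as a FIM performs it.

function Get-FimHashes {
    param([string[]] $Files)
    # Hash each file that exists. A file that exists but cannot be read (locked, access
    # denied) is recorded as 'UNREADABLE' so the comparison reports it instead of skipping it.
    $h = @{}
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { continue }
        try   { $h[$f] = (Get-FileHash -LiteralPath $f -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { $h[$f] = 'UNREADABLE' }
    }
    $h
}

function New-FimBaseline {
    param([string[]] $Files, [string] $BaselinePath)
    # First run: record the current state as the known-good baseline. Run this on a host
    # you trust; anything already tampered with is accepted as "good" from here on.
    $b = Get-FimHashes $Files
    $b | Export-Clixml -LiteralPath $BaselinePath
    $b
}

function Compare-FimBaseline {
    param([hashtable] $Baseline, [string[]] $Files)
    # Classify every difference as created (not in baseline), modified (hash differs)
    # or deleted (in baseline, no longer on disk).
    $current = Get-FimHashes $Files
    $events  = @()
    foreach ($path in $current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            $events += [pscustomobject]@{ Change = 'created';  Path = $path; OldHash = $null;           NewHash = $current[$path] }
        } elseif ($Baseline[$path] -ne $current[$path]) {
            $events += [pscustomobject]@{ Change = 'modified'; Path = $path; OldHash = $Baseline[$path]; NewHash = $current[$path] }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $current.ContainsKey($path)) {
            $events += [pscustomobject]@{ Change = 'deleted';  Path = $path; OldHash = $Baseline[$path]; NewHash = $null }
        }
    }
    $events
}

function Format-FimMessage {
    param([pscustomobject] $Change)
    # Message body carrying what the manual says a FIM event should: file, change type,
    # last-write time, old and new hash. Layout is my own, not EzFIM's.
    $mtime = if (Test-Path -LiteralPath $Change.Path) { (Get-Item -LiteralPath $Change.Path).LastWriteTimeUtc.ToString('o') } else { 'n/a' }
    'EzFIM: {0} file={1} lastwrite={2} oldhash={3} newhash={4}' -f $Change.Change, $Change.Path, $mtime, $Change.OldHash, $Change.NewHash
}

# Demonstration on constructed files in a temporary directory (sample data, not real system files).
$dir = Join-Path $env:TEMP ('fimdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
'alpha' | Set-Content (Join-Path $dir 'a.txt')
'beta'  | Set-Content (Join-Path $dir 'b.txt')
$files = @((Join-Path $dir 'a.txt'), (Join-Path $dir 'b.txt'), (Join-Path $dir 'c.txt'))
$baselinePath = Join-Path $dir 'ActiveFile.xml'
New-FimBaseline -Files $files -BaselinePath $baselinePath | Out-Null

'ALPHA' | Set-Content (Join-Path $dir 'a.txt')   # modified
Remove-Item (Join-Path $dir 'b.txt')             # deleted
'gamma' | Set-Content (Join-Path $dir 'c.txt')   # created

$baseline = Import-Clixml -LiteralPath $baselinePath
Compare-FimBaseline -Baseline $baseline -Files $files | ForEach-Object { Format-FimMessage $_ }
Remove-Item -Recurse -Force $dir
```

The demonstration prints one message each for the modified, deleted and created file. Transport to a collector is deliberately left out here; it belongs with the configuration settings that select protocol, address and port.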
Installation

A number of installation options are available depending on the installation environment. Supported options include:

 - Batch automation supporting MSI package installations
   - A silent installation can be performed with the following command:
     MSIEXEC /I EzFIMSetup.msi /quiet
 - Microsoft SCCM/MOM
 - Running the EzFIMSetup.msi installer package interactively

Note: After installation, open the Services snap-in (services.msc) and verify that the service "EzFIM File Integrity Monitor" has started.

Command Line Options

The following MSI public properties may be supplied on the msiexec command line to configure EzFIM for your environment during installation. All of these settings can be changed after installation in the configuration file; for what each setting does, see the EzFIM Configuration section.

Name             Default     Description
SerialKey                    License key provided upon purchase
IPAddress        127.0.0.1   IP address to send logs to
Port             514         Port to send logs to
Protocol         TCP         Protocol used to send logs (TCP or UDP)
PollingMin       1440        Number of minutes between scans
PollingTime      00:00       Time of day to scan
MonitorRegistry  false       Enable monitoring of the Windows registry
SilentFirstRun   true        Do not send the findings of the first scan (reduces network overhead)
Debug            false       Debug logging
Notify           false       Enable system tray notifications
TargetDir                    Installation directory
DisableUI                    Do not install the GUI

Note: If both PollingMin and PollingTime are supplied, PollingTime takes priority.

Example install commands. Property values that contain spaces (a time with AM/PM, a path with spaces) must be enclosed in double quotes, and there is no space on either side of the "=".

Scenario: Send all logs to the syslog server at IP address 10.1.1.10 using TCP port 9514, scan every day at 3 AM, and activate using the serial key XXX-XXX-XXX-XXX.

    msiexec /i EzFIMSetup.msi /q IPAddress=10.1.1.10 Port=9514 Protocol=TCP PollingTime="3:00 AM" SerialKey=XXX-XXX-XXX-XXX

Scenario: Send all logs to IP address 10.1.1.10 using UDP port 514, scan every hour, do not install the GUI, activate using serial key XXX-XXX-XXX-XXX, and install to D:\Program Files\EzFIM.

    msiexec /i EzFIMSetup.msi /q IPAddress=10.1.1.10 Port=514 DisableUI=true Protocol=UDP PollingMin=60 SerialKey=XXX-XXX-XXX-XXX TargetDir="D:\Program Files\EzFIM"
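A deployment wrapper for the silent installation above, added here as an example; it is not part of the EzFIM package. It runs msiexec with the documented properties, checks the installer exit code, then performs the post-install checks the manual asks for by hand: that the "EzFIM File Integrity Monitor" service is running, and which version was installed (read from the registry value described in the FAQ). The function name, the setup log location and the placeholder serial key and collector address are assumptions; run it from an elevated 64-bit PowerShell session.

```powershell
# Added example (not EzFIM code): scripted silent install with post-install verification.

function Install-EzFim {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $SerialKey,
        [Parameter(Mandatory)] [string] $Collector,      # IP address of the syslog collector
        [int] $Port = 514,
        [ValidateSet('TCP', 'UDP')] [string] $Protocol = 'TCP',
        [string] $PollingTime = '3:00 AM',
        [string] $TargetDir,                              # optional; installer default when omitted
        [switch] $DisableUI,
        [string] $SetupLog = (Join-Path $env:TEMP 'EzFIMSetup.log')
    )

    # Property names are the MSI public properties listed in the manual. Every value is
    # double-quoted so values with spaces (PollingTime, TargetDir) survive msiexec parsing.
    $props = @(
        "SerialKey=`"$SerialKey`"",
        "IPAddress=`"$Collector`"",
        "Port=`"$Port`"",
        "Protocol=`"$Protocol`"",
        "PollingTime=`"$PollingTime`""
    )
    if ($TargetDir) { $props += "TargetDir=`"$TargetDir`"" }
    if ($DisableUI) { $props += 'DisableUI="true"' }

    # /qn = no UI, /l*v = verbose log (useful when a property is rejected by the installer).
    $argList = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$SetupLog`"") + $props
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru

    # msiexec exit codes: 0 = success, 3010 = success but a reboot is required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $SetupLog"
    }

    # The manual's post-install check: the service must exist and be running.
    $svc = Get-Service -DisplayName 'EzFIM File Integrity Monitor' -ErrorAction SilentlyContinue
    if (-not $svc) { throw 'EzFIM service not found after installation' }
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))   # throws on timeout

    # Installed version, from the registry value the FAQ documents (Wow6432Node on 64-bit Windows).
    $verKey = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\Wow6432Node\EzFIM' } else { 'HKLM:\SOFTWARE\EzFIM' }
    $version = (Get-ItemProperty -Path $verKey -Name Version -ErrorAction SilentlyContinue).Version

    [pscustomobject]@{
        Service      = $svc.Status
        Version      = $version
        RebootNeeded = ($proc.ExitCode -eq 3010)
        SetupLog     = $SetupLog
    }
}

# Usage (placeholder key and collector): mirrors the manual's first scenario.
Install-EzFim -MsiPath '.\EzFIMSetup.msi' -SerialKey 'XXX-XXX-XXX-XXX' -Collector '10.1.1.10' -Port 9514 -Protocol TCP -PollingTime '3:00 AM'
```

Keep the verbose setup log in mind when handing it to others: msiexec records the property values it was given, so the serial key appears in it.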
EzFIM Control Files

These files govern which files, directories and registry keys are monitored. They live in the EzFIM installation directory: C:\Program Files\EzFIM\EzFIM on 32-bit systems and C:\Program Files (x86)\EzFIM\EzFIM on 64-bit systems. If a control file is missing, EzFIM recreates it with default content, so deleting one does not stop monitoring but does reset that list to the defaults. Because the control files are plain text that any editor can change, and an entry added to an exclude list removes files from monitoring, the installation directory should be writable only by administrators, and the control files themselves are worth adding to the monitored set.

Monitored Files (Requested Files)

The installer creates a file named RequestedFile.txt in the installation directory. This file lists the files and directories that EzFIM monitors for modification, and can be edited with any text editor. Each line contains either the full path of a single file, or a path with wildcards that selects one or more files in a directory. Appending the -D flag with a number tells EzFIM to also descend that many directory levels below the directory named in the pattern. The following example shows an entry for one file, an entry for a whole directory, and an entry that uses the descend flag:

    C:\windows\win.ini                Monitor one file
    C:\windows\system32\*.*           Monitor all files in the directory
    C:\Windows\*.* -D 5               Monitor all files in the directory and descend 5 directories deep

Supported wildcards: * and ?

Excluded Files

Files listed in ExcludedFile.txt are excluded from monitoring. Each line contains either the full path of a single file, or a path with wildcards that selects one or more files in a directory. The following example shows an entry excluding one file and an entry excluding a whole directory:

    C:\windows\win.ini                Exclude one file
    C:\windows\system32\*.*           Exclude all files in the directory

Monitored Registry Keys (Registry File)

The installer creates a file named RegistryFile.txt in the installation directory. This file lists the registry keys whose values EzFIM monitors for modification, and can be edited with any text editor. Each line contains the full path of a key. By default EzFIM monitors the values of the named key and of all subkeys beneath it; appending -N restricts monitoring to the values of the named key only. For example:

    HKEY_LOCAL_MACHINE/System/CurrentControlSet       Monitor this key and all of its subkeys
    HKEY_LOCAL_MACHINE/System/CurrentControlSet -N    Monitor this key only

Excluded Registry Keys (Registry Exclude File)

Keys listed in RegistryExcludeFile.txt are excluded from monitoring. Each line contains the full path of one key to ignore. Excluding a key also excludes its subkeys; a subkey that should still be monitored must be listed separately in RegistryFile.txt. For example:

    HKEY_LOCAL_MACHINE/System/CurrentControlSet       Exclude this key
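An added example, not EzFIM's code, that turns the control-file syntax of the four sections above into the concrete set of files and registry values a scan would hash. The line grammar follows the manual ("<pattern> [-D depth]" for files, "<key> [-N]" for registry keys, with forward slashes in key paths); everything else is an assumption: the function names, that wildcards appear only in the file-name component of a pattern, that a file exclusion covers files directly in its directory, and PowerShell 5.1 or later for Get-ChildItem -Depth.

```powershell
# Added example (not EzFIM code): resolve RequestedFile/ExcludedFile/RegistryFile lines.

function Split-Pattern {
    param([string] $Pattern)
    # Assumption: wildcards (* and ?) occur only in the file-name component.
    [pscustomobject]@{ Dir = (Split-Path -Path $Pattern -Parent); Leaf = (Split-Path -Path $Pattern -Leaf) }
}

function Resolve-RequestedLine {
    param([string] $Line)
    # "<pattern> [-D <depth>]": depth 0 means the named directory only.
    $depth = 0
    if ($Line -match '^\s*(.+?)\s+-D\s+(\d+)\s*$') { $pattern = $Matches[1]; $depth = [int]$Matches[2] }
    else                                            { $pattern = $Line.Trim() }
    $p = Split-Pattern $pattern
    if (-not (Test-Path -LiteralPath $p.Dir -PathType Container)) { return @() }
    $gci = @{ LiteralPath = $p.Dir; Filter = $p.Leaf; File = $true; ErrorAction = 'SilentlyContinue' }
    if ($depth -gt 0) { $gci.Recurse = $true; $gci.Depth = $depth }
    @(Get-ChildItem @gci | ForEach-Object FullName)
}

function Test-Excluded {
    param([string] $Path, [string[]] $ExcludePatterns)
    # An exclusion matches files directly inside its directory whose name fits the wildcard;
    # it is not applied to subdirectories (the exclude syntax has no -D flag).
    foreach ($pat in $ExcludePatterns) {
        $p = Split-Pattern $pat
        if ((Split-Path -Path $Path -Parent) -eq $p.Dir -and (Split-Path -Path $Path -Leaf) -like $p.Leaf) { return $true }
    }
    $false
}

function Get-FimFileSet {
    param([string[]] $RequestedLines, [string[]] $ExcludedLines)
    $excl  = @($ExcludedLines | Where-Object { $_.Trim() })
    $files = foreach ($line in $RequestedLines) { if ($line.Trim()) { Resolve-RequestedLine $line } }
    @($files | Sort-Object -Unique | Where-Object { -not (Test-Excluded $_ $excl) })
}

function Get-FimRegistrySnapshot {
    param([string] $Line)
    # "HKEY_LOCAL_MACHINE/System/CurrentControlSet [-N]": default recurses into subkeys, -N does not.
    $noRecurse = $Line -match '\s-N\s*$'
    $key  = ($Line -replace '\s-N\s*$', '').Trim() -replace '/', '\'
    $path = "Registry::$key"                       # provider prefix works for any hive name
    if (-not (Test-Path -LiteralPath $path)) { return @{} }
    $keys = @(Get-Item -LiteralPath $path)
    if (-not $noRecurse) { $keys += Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue }
    $snap = @{}
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            # Hash kind and raw data together so a type change (e.g. REG_SZ -> REG_EXPAND_SZ) is also detected.
            $kind  = $k.GetValueKind($name)
            $data  = [string]($k.GetValue($name, $null, 'DoNotExpandEnvironmentNames'))
            $bytes = [Text.Encoding]::UTF8.GetBytes("$kind|$data")
            $snap["$($k.Name)\$name"] = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
        }
    }
    $snap
}

# Demonstration with constructed control-file lines in the manual's syntax.
$requested = @("$env:windir\win.ini", "$env:windir\system32\*.dll", "$env:windir\system32\drivers\*.* -D 1")
$excluded  = @("$env:windir\system32\drivers\*.sys")
$set = Get-FimFileSet -RequestedLines $requested -ExcludedLines $excluded
'{0} files selected for monitoring' -f $set.Count
$reg = Get-FimRegistrySnapshot 'HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W32Time'
'{0} registry values hashed' -f $reg.Count
```

Feeding the file set into a hash comparison, and diffing two registry snapshots taken at different times, gives the same created/modified/deleted classification for registry values that the baseline comparison gives for files.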
EzFIM Configuration

The file config.xml holds the settings that control how EzFIM operates. Changes to this file take effect only after the EzFIM service is restarted. An explanation of each setting follows the sample configuration.

Sample config.xml:

    <EzFIMSettings>
      <ActiveFile>ActiveFile.txt</ActiveFile>
      <RequestedFile>RequestedFile.txt</RequestedFile>
      <ExcludedFile>ExcludedFile.txt</ExcludedFile>
      <ActiveTemp>ActiveTemp.txt</ActiveTemp>
      <EzFIMLog>EzFIMLog.txt</EzFIMLog>
      <Directory>C:\Program Files (x86)\EzFIM\EzFIM\</Directory>
      <PollingMinutes>1440</PollingMinutes>
      <PollingTime>00:00</PollingTime>
      <UsePollTime>false</UsePollTime>
      <RegMonitor>false</RegMonitor>
      <RegistryFile>RegistryFile.txt</RegistryFile>
      <RegExcludeFile>RegistryExcludeFile.txt</RegExcludeFile>
      <RegActiveFile>RegActiveFile.txt</RegActiveFile>
      <RegActiveTemp>RegActiveTemp.txt</RegActiveTemp>
      <Debug>false</Debug>
      <DebugFile>DebugLog.txt</DebugFile>
      <SilentFirstRun>true</SilentFirstRun>
      <EnableRemoteLogging>false</EnableRemoteLogging>
      <Protocol>TCP</Protocol>
      <IP_Address>127.0.0.1</IP_Address>
      <Port>514</Port>
      <ShowNotifications>true</ShowNotifications>
      <Registration />
    </EzFIMSettings>

Element names are case-sensitive; a closing tag whose case does not match its opening tag makes the file invalid XML.

Customizable Configuration File Entries

ActiveFile
    The name of the file in which EzFIM keeps its own record of the monitored files (the list of files found and their hashes) for use during scans. It is a required file that EzFIM maintains itself, but it can be viewed in a text editor.
    Default: ActiveFile.txt

RequestedFile
    The name of the file that lists the files EzFIM checks. See Monitored Files (Requested Files) for details.
    Default: RequestedFile.txt

ExcludedFile
    The name of the file that lists the files EzFIM does not check. See Excluded Files for details.
    Default: ExcludedFile.txt
ActiveTemp
    The name of the file EzFIM uses as temporary work space during its operations. EzFIM maintains this file itself.
    Default: ActiveTemp.txt

EzFIMLog
    The name of the file to which EzFIM writes events. This includes all syslog messages as well as operational messages generated by EzFIM that are not sent via syslog. EzFIM maintains this file, but it can be viewed in a text editor. EzFIM rotates this log and keeps up to 5 previous log files.
    Default: EzFIMLog.txt

Directory
    The full path of the directory where EzFIM.exe is installed. All configuration files must be present in this same directory.
    Default: C:\Program Files\EzFIM\EzFIM\
    On 64-bit systems this may need to be changed to: C:\Program Files (x86)\EzFIM\EzFIM\

PollingMinutes
    The interval, in minutes, between EzFIM scans. The default is 1440 minutes (24 hours).
    Default: 1440
    Note: Setting the interval too low causes scans to be skipped, because a new scan cannot start until the previous scan has finished.

PollingTime
    Schedules a scan at a specific time of day, given in the format hh:mm AM/PM, for example 3:30 AM or 10:00 PM. All times are local.
    Default: 00:00
    Note: An invalid PollingTime value makes EzFIM fall back to the PollingMinutes interval.

UsePollTime
    Selects which polling option is used. Set to true, EzFIM runs at the time given by PollingTime; set to false, EzFIM runs at the interval given by PollingMinutes.
    Default: false

RegMonitor
    True or false: whether EzFIM monitors registry values.
    Default: false
    true     EzFIM monitors registry values
    false    EzFIM does not monitor registry values

RegistryFile
    The name of the file that lists the registry keys EzFIM monitors. See Monitored Registry Keys (Registry File) for details.
    Default: RegistryFile.txt

RegExcludeFile
    The name of the file that lists the registry keys EzFIM does not check. See Excluded Registry Keys (Registry Exclude File) for details.
    Default: RegistryExcludeFile.txt

RegActiveFile
    The name of the file EzFIM uses during its registry monitoring operations. It is a required file that EzFIM maintains itself, but it can be viewed in a text editor.
    Default: RegActiveFile.txt

RegActiveTemp
    The name of the file EzFIM uses as temporary work space during its registry monitoring operations. EzFIM maintains this file itself.
    Default: RegActiveTemp.txt

Debug
    True or false: enables or disables extra debugging output, which is written to the file named by the DebugFile setting.
    Default: false
    NOTE: This feature is not meant for normal operation, as it can produce a large amount of data about EzFIM operations.
    true     EzFIM writes debugging data
    false    EzFIM does not write debugging data

DebugFile
    The name of the file that receives all debugging data when debugging is enabled.
    Default: DebugLog.txt

SilentFirstRun
    On its first run EzFIM reports everything it finds, which can generate a large amount of network traffic. Setting SilentFirstRun to true in config.xml suppresses the syslog messages from the initial scan of the system after the service starts; the scan still runs and its results still become the baseline for later comparisons. Because that first scan defines what EzFIM treats as the known-good state, run it on a host that is known to be clean.
    Default: true
    true     No logs are sent during the first run
    false    Logs are sent during the first run

EnableRemoteLogging
    Whether EzFIM sends its messages to a remote syslog server. Set to true, logs are sent to the configured IP_Address and Port; set to false, nothing is sent over the network and findings are recorded only in EzFIMLog.txt on the monitored host. This option is enabled automatically if an IP address is specified during installation. For a FIM deployment the remote copy is the one that matters: an intruder who can alter monitored files can usually also alter a log file on the same machine.
    Default: false

Protocol
    Whether syslog messages are sent over UDP or TCP. UDP datagrams are sent without acknowledgement, so a lost datagram is a lost alert; prefer TCP, the default, where the collector supports it.
    Options: TCP, UDP
    Default: TCP

IP_Address
    The IP address to which EzFIM sends all syslog messages. Change it to the address of the syslog collector. IPv4 addresses only.
    Default: 127.0.0.1

Port
    The port EzFIM sends logs to.
    Default: 514

ShowNotifications
    Whether notifications are shown in the Windows system tray. Set to false to disable them.
    Default: true
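Since several of the defaults above (EnableRemoteLogging false, IP_Address 127.0.0.1) leave a freshly installed agent reporting to nobody, the following added example reads config.xml, flags the settings that would leave findings undelivered or a host unmonitored, and sends one test syslog message to the configured collector using the configured protocol. This is my own script, not part of EzFIM; the element names are those in the sample config.xml, while the audit rules, the function names and the test-message text (an RFC 3164 line with facility local0, severity notice) are assumptions.

```powershell
# Added example (not EzFIM code): audit config.xml and test delivery to the collector.

function Get-EzFimConfig {
    param([string] $Path)
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    $xml.EzFIMSettings              # child elements are exposed as string properties
}

function Test-EzFimConfig {
    param([System.Xml.XmlElement] $Settings)
    # Each finding describes a setting that weakens the deployment and why.
    $findings = @()
    if ($Settings.EnableRemoteLogging -ne 'true') {
        $findings += 'EnableRemoteLogging is false: findings stay in EzFIMLog.txt on the monitored host, where an intruder who can alter files can also alter the log.'
    }
    if ($Settings.IP_Address -eq '127.0.0.1') {
        $findings += 'IP_Address is the loopback default: no syslog leaves this host.'
    }
    if ($Settings.Protocol -eq 'UDP') {
        $findings += 'Protocol is UDP: a lost datagram is a lost alert; prefer TCP where the collector supports it.'
    }
    if ($Settings.RegMonitor -ne 'true') {
        $findings += 'RegMonitor is false: the keys in RegistryFile.txt are not being checked.'
    }
    if ($Settings.Debug -eq 'true') {
        $findings += 'Debug is true: not intended for normal operation (large DebugLog.txt).'
    }
    if ($Settings.UsePollTime -ne 'true' -and [int]$Settings.PollingMinutes -gt 1440) {
        $findings += "PollingMinutes is $($Settings.PollingMinutes): scans run less often than daily."
    }
    $findings
}

function Send-SyslogTest {
    param([System.Xml.XmlElement] $Settings, [string] $Text = 'EzFIM config audit: connectivity test')
    # RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = local0 (16) * 8 + notice (5) = 133.
    $d    = Get-Date
    $ts   = '{0} {1,2} {2}' -f $d.ToString('MMM', [cultureinfo]::InvariantCulture), $d.Day, $d.ToString('HH:mm:ss')
    $line = "<133>$ts $env:COMPUTERNAME EzFIM: $Text"
    $port = [int]$Settings.Port
    if ($Settings.Protocol -eq 'UDP') {
        # Fire and forget: UDP gives no indication whether the collector received anything.
        $bytes = [Text.Encoding]::ASCII.GetBytes($line)
        $udp = New-Object System.Net.Sockets.UdpClient
        [void]$udp.Send($bytes, $bytes.Length, $Settings.IP_Address, $port)
        $udp.Close()
    } else {
        # TCP: the connect fails loudly if the collector port is closed or filtered.
        $bytes = [Text.Encoding]::ASCII.GetBytes($line + "`n")
        $tcp = New-Object System.Net.Sockets.TcpClient($Settings.IP_Address, $port)
        $s = $tcp.GetStream(); $s.Write($bytes, 0, $bytes.Length); $s.Flush(); $tcp.Close()
    }
    $line
}

# Usage: default 64-bit install path from the manual; adjust to the Directory setting in use.
$cfgPath  = Join-Path ${env:ProgramFiles(x86)} 'EzFIM\EzFIM\config.xml'
$settings = Get-EzFimConfig -Path $cfgPath
Test-EzFimConfig -Settings $settings | ForEach-Object { "FINDING: $_" }
if ($settings.EnableRemoteLogging -eq 'true') { Send-SyslogTest -Settings $settings }
```

After sending the test line, search the collector for the host name and "EzFIM" (the same search the FAQ suggests for FIM entries); if the line is not there, the firewall path for the configured port, not the agent, is the first thing to check.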
EzFIM GUI

EzFIM includes a graphical user interface (GUI) component for easier configuration. When EzFIM is loaded it appears as an icon in the Windows system tray. The icon changes slightly with the status of EzFIM: one form indicates that EzFIM is idle, the other that a scan is in progress (the icons are not reproduced in this text). Right-clicking the icon displays the following options:

    View Log     Opens the EzFIMLog.txt file
    Settings     Opens the Settings window
    Exit         Exits the EzFIM service

Settings Menu

The following settings can be enabled or disabled from the Settings menu:
 - Show Notifications
 - Debug mode
 - Registry monitoring
 - Silent First Run

The menu also allows switching between running at a specific time and running on an interval, and has an option for enabling or disabling remote logging: if remote logging is not already enabled, check the Enabled box at the bottom of the window, then specify the IP address and port to send logs to.
Alert and Report Examples

EzFIM Alert Example
    (Screenshot of an example alert generated on a LogLogic platform; not reproduced in this text.)

EzFIM Daily Report Example
    (Screenshot of an example daily report generated on a LogLogic platform; not reproduced in this text.)
Frequently Asked Questions

What is it? (Software, hardware, what is involved?)
    EzFIM is software designed for Windows XP SP3 and later desktop systems and Windows Server 2003 and later servers.

What does it do?
    Given a customizable list of files or directories to include or exclude, EzFIM maintains a list of each file found and computes the hash value of each. If it finds a new entry (new file), cannot find a file (file deleted), or finds that the hashes do not match (file modified), it creates a syslog message containing the pertinent data (file name, created/deleted/last-modified time, old and new hash) and sends it to the logging server.

What is the topology? Where does it reside?
    EzFIM is currently provided only as an agent, so it must be installed on each device that needs monitoring.

Is there a server and client license, or just a client aggregator/compiler?
    Agent only.

Is there a licensing agreement/contract?
    Yes, EzFIM is licensed under a Software Licenses Purchase Agreement.

What if the customer decides to no longer make their Software as a Service (SaaS) payment? Must they remove the solution, or can they still run the last released version?
    Per the terms of the Software Licenses Purchase Agreement and End User License Agreement:

    Obligations on Termination. Within ten (10) days after termination of this Agreement, Licensee shall cease and desist all use of the Software and Documentation and shall return to EzFIM all full or partial copies of the Software and Documentation in Licensee's possession or under its control.

    Audit. For a period of three (3) years following the delivery of Software, Licensee shall keep complete and accurate records of the number of copies of the Software installed or otherwise transferred and the media in which it was transferred to End Users by Licensee under the license granted by this Agreement, in sufficient detail to enable the royalties payable hereunder to be determined accurately. Licensee shall permit an independent public accountant selected by EzFIM or its representatives, and approved by Licensee, such approval not to be unreasonably withheld, at EzFIM's expense, to periodically examine its books, ledgers, and records during regular business hours for the purposes of and to the extent necessary to verify any report required under this Agreement.

How frequently will the software/code/product be updated?
    Updates are released when new features are added and when stability or performance is improved.

Who will handle the software updates?
    Any future versions that are released will be provided to the Licensee, who is responsible for distributing them to every device that has EzFIM installed.

Are there any system requirements for installing EzFIM?
    Yes, see the System Requirements section above.

How frequently will EzFIM check files?
    By default, EzFIM performs checks once per day. This can be changed in the configuration file.

What type of reports will be obtained from EzFIM?
    EzFIM sends syslog messages to a dedicated log/SIEM console. Once the messages arrive on the logging server, searching for the trigger string 'EzFIM' returns all FIM entries for the chosen timespan. EzFIM does not generate reports itself; the logging server generates them, so the client does not have to learn a new reporting system. An example of a LogLogic-based alert and report is included in this manual.

How can I find out what version I am running?
    EzFIM creates a registry value that contains the installed version:
    32-bit Windows:   HKEY_LOCAL_MACHINE\SOFTWARE\EzFIM\Version
    64-bit Windows:   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\EzFIM\Version
Document History

Version   Revision Date     Summary of Change
1.0       May 19, 2009      Initial documentation
1.0.2                       Added extra logging features
1.0.3                       Added FAQ to manual
1.1                         Added extra logging features
2.0       April 17, 2013    Added new feature documentation
2.1       Aug 5, 2013       Added new feature documentation
3.0       Oct 15, 2013      Added new feature documentation
4.0       Nov 19, 2014      New feature documentation