Monitor system for virus files

By awallace ·
I would like to monitor my server to see who is writing virus files, for example those ending in EML. Is there a way to log when a file type was written and which PC it came from?

Thanks for your help.

11 total posts (Page 1 of 2)   01 | 02   Next

by DKlippert In reply to Monitor system for virus ...

.EML files are normally Outlook e-mail files, but an unusual propagation of these files can be an indication of the Nimda virus. See:

www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

or search for CA-2001-26 at:

www.cert.org/


by awallace In reply to Monitor system for virus ...

The reply did not really help me. My question was:
"How can I set up some kind of trace on the server that will tell me: 'Who created a file and when it was created'?"

If I knew this, I would then be able to contact the person who infected the server.


by DKlippert In reply to Monitor system for virus ...

I don't think that identifying the "source" will help, because of the way Nimda produces its attacks.
Good luck though. Here's a very thorough look at Nimda:

www.incidents.org/react/nimda.pdf


by awallace In reply to Monitor system for virus ...

Thanks for your reply; however, you have not answered my question:

"How can I set up some kind of trace on the server that will tell me: 'Who created a file and when it was created'?"


by Rookie@NPA In reply to Monitor system for virus ...

Hi,

You have not told us what security infrastructure you have in place. Sniffers, firewalls, IDS, antivirus? What messaging software do you use? The reason I ask is simple. There are two approaches to thwarting this:

a) I don't care who created it. I just don't want it to linger on my network, sucking my bandwidth ===> Ideal, but not the forensics approach. I am sure you have thousands of things to do other than catching guys who created .eml files.

b) The investigator approach: I care who created it and why he or she violated security policy.

Coming back to your question:

"How can I set up some kind of trace on the server that will tell me: 'Who created a file and when it was created'?"

Sorry man, but this is not easy without procuring some third-party software. You can write a rule for your IDS which checks the payload of the data. You can have dedicated sniffers with a special filter written to look for the .eml strings. The sniffer will tell you who sent it. But I can create it and store it anywhere in any form (zip files/txt files/whatever). Remember, not all .eml files mean malicious activity, so you need to be discreet and cautious when you catch a host transmitting .eml stuff. Snort can do this; I guess RealSecure too. NA Sniffer will do it, I guess. Well, who created the file is difficult to tell, but when it was created should not be a problem. Get a good ID analyst or an amateur forensics guy to help you trace the file to its sender (in case it is not Nimda or one of its variants).

Thanks,
--Rookie

by clrichardson In reply to Monitor system for virus ...

What kind of server?

If it's Win NT or above using NTFS, you can check the security on the files in question. This will tell you who "owns" the file. You can also use the built-in NT auditing functions. You will need a third-party utility to sort through the NT event logs to get what you want; NT's viewer isn't too flexible.

You can also look at the header info if the files are actual emails.

by ZmeyrD In reply to Monitor system for virus ...

Don't you love it when technical people avoid answering your question?

If you are using Win2K or Win NT you can turn on AUDITING of the directory in question (or the root C$, D$ drive(s)) -- be careful, there is a performance hit, but you'll see the computer AND logged-on user that created the file (you can choose to monitor create/delete/modify/etc.). In NT 4.0 you go to User Manager, choose Auditing and away you go. I haven't done this recently in Win2K, but I assume it's similar?

Hope this helps!
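The audit-based approach this reply describes, as an added example that is not part of the thread: on a current Windows server (Vista/2008 or later) PowerShell can both put the audit rule on the folder and read the resulting Security-log events back. The folder path, the extension and the time window are assumed placeholders; the script must run elevated.

```powershell
# Added example, not from the thread: audit file creation under a folder and
# report who wrote files with a given extension, and when.
# Assumptions: modern Windows, elevated session, placeholder path/extension.
param(
    [string]$Path      = 'D:\Shares\Public',   # assumed folder to watch
    [string]$Extension = '.eml',
    [int]$Hours        = 24                     # how far back to search
)

# 1. System-wide policy: log successful object-access events for the file system.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Folder SACL: audit successful file creation by anyone, inherited downwards.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateFiles,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back. Event 4663 ("an attempt was made to access an object") carries
#    the account (properties 1-2), the object name (6) and the process (11).
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    Where-Object { $_.Properties[6].Value -like "*$Extension" } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
            LogonId = $_.Properties[3].Value   # correlate with 4624 for the client
            File    = $_.Properties[6].Value
            Process = $_.Properties[11].Value
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Event 4663 names the account, not the client machine; for writes over a share, match the Logon ID against the type-3 logon event 4624 in the same log, which records the source address. The "File System" subcategory is noisy on a busy server, so scope the SACL to the folders that matter.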
