Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent 7.1 Preview: File System Activity Monitoring for Windows & macOS

  • by Helge Klein
  • June 12, 2023

While we’re working on version 7.1 of our digital employee experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at an exciting new ESA feature: file system activity monitoring for Windows and macOS.

What is File System Activity Monitoring?

File system activity monitoring is uberAgent ESA’s capability to detect changes to objects in the file system. The monitored object types include files, of course, but also named pipes. uberAgent ESA can identify and react to the following types of file system events:

  • File create
  • File write
  • File delete
  • Creation time change
  • Alternate data stream (ADS) create
  • Raw read access
  • Named pipe create
  • Named pipe connect

Use Cases for File System Activity Monitoring

There are numerous use cases for file system activity monitoring. The following examples provide but a brief glimpse into the many possibilities.

Detecting a Download

On Windows, when a file is downloaded from the internet, the downloading application adds a “Mark of the Web” (MOTW) to the file. Under the hood, the MOTW is an alternate data stream (ADS) named Zone.Identifier whose contents mainly consist of the text ZoneId=3.

By monitoring the creation of alternate data streams whose name and contents match the MOTW, uberAgent can detect file downloads.

Detecting Persistence

There are many places in the file system where attackers can create or modify files to achieve persistence. Examples include any user profile’s Startup directory or the location where Windows stores scheduled task definitions, C:\Windows\System32\Tasks.

By monitoring these and other locations, uberAgent can detect attempts to achieve persistence. Whenever such an attempt occurs, uberAgent creates an event with rich metadata in its backend SIEM (typically Splunk).

Detecting the Destruction of Forensic Evidence

Operating systems and applications record user activity in a variety of logs. Such logs are a treasure trove for DFIR investigators, who can use them as forensic evidence to piece together a threat actor’s methodology. Attackers naturally like to cover their tracks by deleting such compromising information.

An excellent example of a log file that can be very revealing is the PowerShell command history, which is stored in %AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default.

By monitoring the file delete activity of this history file and similar logs, uberAgent can detect attempts to destroy forensic evidence. As with all other Threat Detection events, uberAgent collects rich metadata, such as the executing process, its parent, and the user account, to name but a few.

More Info & Implementation Details

Which uberAgent Features Make Use of File System Activity Monitoring?

Initially, uberAgent exposes file system activity in its Threat Detection Engine. Future versions of uberAgent will probably use file system activity events in other parts of the uberAgent products, too.

How Is File System Activity Monitoring Implemented on Windows?

On Windows, uberAgent uses a minifilter driver to monitor the file system. This new driver complements the existing drivers for network, registry, and process monitoring,

How Is File System Activity Monitoring Implemented on macOS?

On macOS, uberAgent subscribes to events from the Endpoint Security Framework to monitor the file system.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *