Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.

Documentation

Version

  1. uberAgent
  2. 7.1.2
  3. ESA Features & Configuration
  4. Threat Detection Engine
  5. File System Activity Monitoring
Previous document Next document

File System Activity Monitoring

In this article

File system activity monitoring is uberAgent ESA’s capability to detect changes to objects in the file system. The monitored object types include files, of course, but also named pipes. uberAgent ESA can identify and react many different types of file system events, e.g., read, write, delete. Please see the event types documentation for details.

Configuration

File system activity monitoring can be configured via the stanza [FilesystemMonitoring]. By default, file system activity monitoring is enabled. To disable file system activity monitoring set Enabled = false.

Monitored Volumes

New Volumes Added to the System

In the default configuration, uberAgent only monitors volumes that were present when the agent was started; newly added volumes are ignored. This can be changed by setting Hotplug = true.

Disabling Monitoring by Volume Type

To monitor only certain volume types, use the setting Monitor. The following table shows available values.

Volume type Description Platform
Disks Monitors all hard drives. This includes removable media such as USB thumb drives. all
Mailslots Monitors all mailslots, a mechanism for one-way interprocess communication (IPC) using pseudofiles that reside in memory. Windows
NamedPipes Monitors all named pipes, a mechanism for interprocess communication (IPC) that is accessed much like a file. Windows
NetworkShares Monitors all remote file systems (access to network shares). Supported protocols depend on the OS:

Windows: all protocols handled by the multiple UNC provider (MUP), typically:

  • SMB
  • RDPNP (remote desktop services client drives)
  • WebDAV

macOS:

  • SMB
  • AFP
  • NFS
all

Example Configurations

With the following example configuration, uberAgent monitors disks only, i.e., hard drives and removable media. As Hotplug is set to true, uberAgent monitors volumes that were present when the agent was started as well as volumes mounted at runtime. Monitoring of network shares, mailslots, and named pipes is disabled.

[ProductComponents]
EnableESA = true

[FilesystemMonitoring]
Enabled = true
Hotplug = true
Monitor = Disks

With the following example configuration, uberAgent monitors disks and network shares. As Hotplug is not enabled, uberAgent only monitors volumes that were present when the agent was started. Monitoring of mailslots and named pipes is disabled.

[ProductComponents]
EnableESA = true

[FilesystemMonitoring]
Enabled = true
Monitor = Disks
Monitor = NetworkShares

File System Events in Threat Detection Engine (TDE)

File system events are available in TDE rules, whose queries are powered by uAQL. uAQL queries for file system events can make use of common event properties as well as file system event properties.

Example Rule for Windows

The following example detects writes to files in the directory C:\Windows (Windows):

[ActivityMonitoringRule]
# Detect writes to files in the directory C:\Windows.
RuleId = 2b635c8b-3c2b-4c51-b073-40a796d4ab9e-write
RuleName = Any file write
EventType = File.Write
Tag = file-write
RiskScore = 100
Query = File.Path like "%C:\\Windows\\%"
GenericProperty1 = File.Name
GenericProperty2 = File.CreationDate
GenericProperty3 = File.IsExecutable
GenericProperty4 = File.Path

Example Rule for macOS

The following example detects writes to files in the directory /Library/LaunchAgents (macOS):

[ActivityMonitoringRule]
# Detect writes to files in the directory /Library/LaunchAgents.
RuleId = 2b635c8b-3c2b-4c51-b073-40a796d4ab9e-write
RuleName = Any file write
EventType = File.Write
Tag = file-write
RiskScore = 100
Query = File.Path like "%/Library/LaunchAgents/%"
GenericProperty1 = File.Name
GenericProperty2 = File.CreationDate
GenericProperty3 = File.IsExecutable
GenericProperty4 = File.Path

Platform-Specific Notes

Windows

On Windows, uberAgent uses a minifilter driver to monitor the file system. Only successful file system activity is reported. Attempts that are not permitted due to missing permissions and attempts that are blocked by security products are not reported.

macOS

On macOS, uberAgent leverages the Endpoint Security Framework to monitor the file system. The Endpoint Security Framework provides the necessary APIs to capture a comprehensive range of events, including both successful and unsuccessful events. Different from the Windows implementation, on macOS uberAgent may capture unsuccessful events, too. Such events might result from permissions issues, for example. Specific results depend on the altitude at which the framework hooks the list of syscalls needed for file system activity.

Comments

Your email address will not be published. Required fields are marked *