3 Portable Tools to Monitor Files and Folders for Changes

Status
Not open for further replies.

MrXidus

Super Moderator (Leave of absence)
Thread author
Apr 17, 2011
2,503
Whenever you’re in Windows, it never seems to be sitting still. There always appears to be something that is either creating new files or folders, or making changes to them. This could be in the background, in which case it might be something you don’t know about, or could simply be files you are downloading or receiving via the network. Many pieces of software these days will also write or modify data in parts of your system that you might not expect or specifically want, and you might never know about it. It would be almost impossible to keep watch over all this activity yourself.
If you want to keep a watch on what files or folders are being created, modified or deleted in a specific location, it can be quite a time-consuming and boring task. Thankfully, there are tools around to help you out and keep watching these areas for you. One such utility that can do this and more is Watch 4 Folder. While performing the task of watching for a number of different actions such as file or folder create, delete, rename or change, it can also pop up an alert to notify you, write the event to a log file, or trigger the execution of a specified program or batch file.

Watch 4 Folder is completely free and portable which some people find essential these days. A PDF manual is included in the zip archive for further reading.


Usage is pretty simple and is set out as a series of steps. First select the folder to monitor, all the sub folders can be selected for monitoring as well by using the tick box below the folder tree.
Secondly, select the events to monitor the folder for which the usual options such as create, delete, change and rename are available. There are also a few others such as watching for a file association change, whether the free space has changed and also if a CD/DVD (not USB media) is inserted or ejected. The developer recommends you may have to experiment a little bit with the event triggers as ticking something like ‘File change’ and ‘File rename’ together would create 2 events in the log with a simple rename, because the file is renamed and also changed.

Read more: http://www.raymond.cc/blog/3-portable-tools-monitor-files-folders-changes/#ixzz1zYnGaxwn

I've used a few of these tools in VMware when deliberately infecting the machine. It's handy to have and to watch which files are created/modified.

They're great to use when testing certain exploits with Java. You can see and collect which files are dropped onto the system and then upload them to VirusTotal or Anubis.

Thought I'd share this software. You might find it useful sometime! Thanks. ;)

Note: The comments section also mentions a couple more tools that do similar functions.
 

MrXidus

Super Moderator (Leave of absence)
Thread author
Apr 17, 2011
2,503
Do any other VM users (such as Biozfear, Umbra Corp.) run tools like this when testing out various malicious items or have given them a go?

I often pick up small files created and they have very low detection on VirusTotal. (Especially Trojan.Droppers)

Got to be quick to get them as they will very often self-delete after doing the damage.
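
The two points raised in the posts above (a plain rename showing up as two log events, and dropped files self-deleting before they can be collected) can be handled with a snapshot-and-diff pass over the watched folder inside the analysis VM. This is an added example, not part of the thread or of any tool it mentions; the function names `snapshot`, `diff` and `preserve` and the vault directory are assumptions made for illustration.

```python
# Added example; snapshot/diff/preserve are illustrative names, not from any tool in the thread.
import hashlib, os, shutil

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # file vanished or is locked between listing and read
            state[os.path.relpath(full, root)] = digest
    return state

def diff(before, after):
    """Compare two snapshots; a pure rename is reported once, not as rename plus change."""
    created = {p for p in after if p not in before}
    deleted = {p for p in before if p not in after}
    by_hash, events = {}, []
    for p in sorted(created):
        by_hash.setdefault(after[p], []).append(p)
    for old in sorted(deleted):
        matches = by_hash.get(before[old])
        if matches:  # same content under a new name: treat as a rename
            new = matches.pop(0)
            created.discard(new)
            events.append(("renamed", old, new))
        else:
            events.append(("deleted", old))
    events += [("created", p) for p in sorted(created)]
    events += [("changed", p) for p in sorted(before.keys() & after.keys()) if before[p] != after[p]]
    return events

def preserve(root, events, after, vault):
    """Copy created/changed files into vault, named by snapshot hash, so a copy outlives self-deletion."""
    os.makedirs(vault, exist_ok=True)
    saved = []
    for ev in events:
        if ev[0] in ("created", "changed"):
            digest = after[ev[1]]
            try:
                shutil.copy2(os.path.join(root, ev[1]), os.path.join(vault, digest))
                saved.append(digest)
            except OSError:
                pass  # already gone; the event and its hash are still on record
    return saved
```

A polling diff like this only sees files that exist when a snapshot is taken, so anything created and removed between two passes is missed; event-driven monitors such as the ones discussed in this thread cover that gap.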
 

Deleted member 178

Not using those ones, but I will give them a go when I get my laptop back from the repair shop in 2 days.
 

Plexx

MrXidus said:
Do any other VM users (such as Biozfear, Umbra Corp.) run tools like this when testing out various malicious items or have given them a go?

I often pick up small files created and they have very low detection on VirusTotal. (Especially Trojan.Droppers)

Got to be quick to get them as they will very often self-delete after doing the damage.

And I thought I was one of the few who used these types of monitoring tools.

I use these types of tools for one purpose after a review or test or video is done: to understand how certain infections work and what files get damaged or created or modified.

I have used and sometimes still use these: Watch 4 Folder and TheFolderSpy. I also use ProcessMonitor and Autoruns or Winpatrol.

Basically, when I finish a test, I restore the image to a clean snapshot, unpack the malware samples again, and scan them with whatever product I used. I then isolate the VM completely, and from the leftovers I choose a couple, running them one by one to see what is happening behind the scenes. Sometimes I spend days on a few infections since I don't always have the time. I also take notes in a notebook :)

The folder monitoring is handy, but I also rely on Winpatrol, Autoruns and ProcessMonitor.

Process Monitor I still use even on my host machine. Before, it was composed of 2 tools, Regmon and Filemon, although I was never a big fan of Regmon back then, but then again my knowledge was nowhere close to what it is now.

This is how I learn how some Trojans, Fake AVs and other infections work. The purpose is basically to self-educate, since I share the interest in learning the mechanics etc. and not simply limiting myself to testing an AV solution and that's it. By knowing where to look and what usual major changes the infections make, it becomes slightly easier to understand its core mechanics.

You never know, one day such knowledge might come in handy.
 

Deleted member 178

What I like with a HIPS is that in case of infection you have a lot of popups that tell you what the malware is trying to do. On a VM I just click "allow" and see what the changes are.

Process Monitor, Comodo Autoruns/Killswitch and System Explorer are my taskbar-pinned apps. I'm also using some NirSoft or Sysinternals apps.
 

Plexx

Some of the Sysinternals apps I only use when I need to fix a friend's system (not always infection-related).

Handy tools those are!
 