File integrity monitoring
File integrity monitoring (FIM) is one way to detect changes to a known filesystem's files, and in the case of Windows, the registry. Typically, when a system has malicious activity, either changes are made to existing files or harmful files are placed in critical areas of the filesystem. In order to detect these changes, FIM tools create a hash database of the known good versions of files in each filesystem location. The tool can then periodically or real-time scan the filesystem looking for any changes to the installation including known files and directories. Hashing is used because any variation in the file will result in a different hash value, and therefore confirm there has been a change to the file, directory, ...
Get Enterprise Security: A Data-Centric Approach to Securing the Enterprise now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.