A Windows system can contain well over two hundred thousand files and half a million registry values. Monitoring changes to the file system and the registry is an invaluable way to substantially improve corporate security. An unauthorized software install or the introduction of a virus or worm, for instance, both change the file or registry structure. That change, especially in the case of a virus or worm, is often the only clue an administrator has that something has happened on the system.
In a responsible IT organization, nothing should change on critical servers outside of maintenance windows except data files, log files and error files. Approved changes should be applied during a planned maintenance timeframe. If a change is unplanned, it should be reviewed or documented by a system or security manager, no matter how trivial it is. On workstations, installation of unauthorized software or unsupported software versions often causes security holes and headaches for IT staff.
Using WhatChanged, the change management module of EventTracker, a user can monitor hundreds of thousands of objects within a Windows system by taking a quick, periodic snapshot of each system and comparing it either against a master snapshot of the known-good configuration or against the previous snapshot, to track change over time. WhatChanged quickly detects and alerts on critical clues to unauthorized changes on the system.
WhatChanged is fully integrated into the EventTracker framework. Detection by WhatChanged of a change policy violation can cause an event to be sent to the EventTracker console. These events can have correlation rules written against them, reports run, or analysis performed. WhatChanged also stores a record of all changes in a central repository. The central repository consists of highly compressed binary files and there are no additional hidden costs in the form of database licenses and time-consuming database administrative tasks. These stored change records can be used as a powerful forensic tool to go back and figure out just what happened after the fact.
Zero-day attacks are malware attacks that are so new they often have not even been named yet. Considering how fast these new threats move across the internet, reactive anti-virus and rule-based firewall systems alone are often insufficient to prevent damage. By the time a cure has been discovered and your firewall rules and anti-virus definitions updated, serious damage has already been done. In addition, malware signatures are changing constantly and often the same malware can come back in a slight variation that is enough to elude the anti-virus systems.
An effective way to help prevent costly damage from these new attack types is through change monitoring. Most infections (Sasser, MyDoom, Blaster) hide on your system by adding or modifying an EXE or DLL. Something on the system has to change, and WhatChanged can detect these conditions and alert you to the change. Even the most basic machine carries a sheer number of executables and DLLs with misleading, innocuous names that would otherwise need to be examined one by one; WhatChanged cuts through them so that you only see the ones that matter. You need accurate and reliable notification of such infections. WhatChanged does just that and a lot more.
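The snapshot-and-compare approach described above (periodic snapshot against a master baseline or the previous snapshot, with added or modified EXE and DLL files surfaced first) is shown here as an added example in Python; it is not EventTracker's or WhatChanged's code. It assumes a snapshot is a plain mapping from object name (a file path or a registry value path) to its fingerprint (a file hash or a registry value), so the same diff serves both the file system and the registry; the helper names are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Constructed model: a snapshot maps an object name (file path or
# registry value path) to its fingerprint (file hash or registry value).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def snapshot_directory(root):
    """Fingerprint every file below root as {relative path: sha256 hex}."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            snap[os.path.relpath(full, root)] = digest.hexdigest()
    return snap


@dataclass
class ChangeSet:
    added: dict = field(default_factory=dict)      # name -> new fingerprint
    removed: dict = field(default_factory=dict)    # name -> old fingerprint
    modified: dict = field(default_factory=dict)   # name -> (old, new)

    def is_empty(self):
        return not (self.added or self.removed or self.modified)

    def executable_changes(self):
        """Added or modified objects that are executables or DLLs: the
        changes to look at first, because that is how most infections land."""
        names = list(self.added) + list(self.modified)
        return sorted(n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES))


def compare_snapshots(baseline, current):
    """Diff a baseline (master or previous) snapshot against the current one."""
    changes = ChangeSet()
    for name, value in current.items():
        if name not in baseline:
            changes.added[name] = value
        elif baseline[name] != value:
            changes.modified[name] = (baseline[name], value)
    for name, value in baseline.items():
        if name not in current:
            changes.removed[name] = value
    return changes
```

Comparing each new snapshot against the master baseline reports every drift from the approved configuration, while comparing it against the previous snapshot reports only what changed since the last run; the same ChangeSet feeds either an alert or the stored change history.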