File Integrity Monitoring

(imported topic written by ZebAce91)

Does BigFix have the capability to perform integrity monitoring of system binaries or sensitive files? For example, can I set up a rule that says “file abc.dll cannot change” or more specifically its size or modified date cannot change?

(imported comment written by Leland_Jobe)

ZebAce,

Is this something that is still of interest? We have this solution available via professional services.

Leland

(imported comment written by ZebAce91)

Hi Leland,

Though the immediate need based on that post has been met, I would still be interested for potential future needs in what kind of solution BigFix can provide for such file integrity monitoring.

Thanks

(imported comment written by alaurent91)

ZebAce

What was the outcome for this? I’m interested too.

I would like to revive this post; any FIM (file integrity monitoring) available with BigFix?

While this is not present in the default content, it would be easy enough to create fixlets to check individual files (and is a common use-case for monitoring configuration files).

On a larger scale, a task to deploy fciv or yara scans and compare results over time would also be feasible.

BigFix can’t perform real time FIM capability.

As Jason noted, it’s most efficient using fciv or yara scans in conjunction with custom content if you have an extensive list of files.

However, if you have a small list and are ok with BigFix checking those files just several times a day you can use something like the relevance below in an analysis to show compliant or non-compliant files. There are ways to modify this to point at a folder of files, etc - but it’s more expensive on Agent time.

if size of file "c:\test\test.txt" = 30 and sha256 of file "c:\test\test.txt" = "7e57ae19612ab75b543946d36bf8b40e0c7388a3fc671edb69b37829af225479" then ("Compliant") else ("Non-Compliant")
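The same size-plus-SHA-256 test the relevance above applies to one file, generalized to a baseline of several files, as an added example in Python (not BigFix relevance and not code from the thread); a script like this is the kind of thing a task could deploy and whose output an analysis could compare over time. All file names and contents below are constructed in a temporary directory; the "tampered" file keeps its original size so that only the hash reveals the change.

```python
import hashlib
import os
import shutil
import tempfile


def fingerprint(path, chunk=65536):
    """Return (size, sha256 hex) for one file: the two properties the relevance checks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()


def build_baseline(paths):
    """Record the known-good size and SHA-256 of every monitored file."""
    return {path: fingerprint(path) for path in paths}


def check_baseline(baseline):
    """Classify each baselined file as Compliant, Non-Compliant or Missing."""
    status = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            status[path] = "Missing"          # deleted or renamed since the baseline
        elif fingerprint(path) == expected:
            status[path] = "Compliant"        # size and hash both unchanged
        else:
            status[path] = "Non-Compliant"    # size or content changed
    return status


def demo():
    """Constructed run: baseline three files, then modify one and delete one."""
    workdir = tempfile.mkdtemp()
    try:
        names = {"unchanged.txt": b"keep me exactly as I am\n",
                 "tampered.txt": b"original setting=1\n",
                 "deleted.txt": b"soon to disappear\n"}
        for name, content in names.items():
            with open(os.path.join(workdir, name), "wb") as fh:
                fh.write(content)
        baseline = build_baseline(os.path.join(workdir, n) for n in names)
        # Same length as the original, so a size-only rule would miss it.
        with open(os.path.join(workdir, "tampered.txt"), "wb") as fh:
            fh.write(b"original setting=2\n")
        os.remove(os.path.join(workdir, "deleted.txt"))
        return {os.path.basename(p): s for p, s in check_baseline(baseline).items()}
    finally:
        shutil.rmtree(workdir)
```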