| CPC G06F 21/565 (2013.01) [G06F 16/137 (2019.01); G06F 21/64 (2013.01); G06F 2221/034 (2013.01)] | 20 Claims |

1. A method for monitoring file integrity of files in a file system, comprising:
for a byte array representing a file, determining whether a size of the file is larger than a threshold size value;
in response to the file size being larger than the threshold size value, selecting a first predetermined section of file bytes in the byte array, a second predetermined section of file bytes in the byte array, and a third random section of file bytes in the byte array;
performing a first hashing of the file, wherein the first hashing includes generating a first hash value of the first predetermined section of file bytes, the second predetermined section of file bytes, and the third random section of file bytes, wherein the location of the third random section of file bytes is recorded;
checking whether the file remains in the file system;
in response to the file remaining in the file system, performing a second hashing of the file, wherein the second hashing includes generating a second hash value of the first predetermined section of file bytes and the second predetermined section of file bytes, and the second hashing utilizes the third random section of file bytes recorded from the first hashing;
determining whether the second hashing generates a second hash value that matches the first hash value of the first predetermined section of file bytes, the second predetermined section of file bytes, and the third random section of file bytes; and
automatically determining that the file has been tampered with, in the event the second hash value does not match the first hash value, monitoring for one or more offending processes attached to the tampered file, logging the occurrence of one or more offending processes, and performing a user pre-determined action in response to one or more offending processes.
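The following is an added worked example of the sampled-hashing scheme that claim 1 describes; it is not code from the patent or its assignee. It assumes a 64 KiB size threshold, 4 KiB sections, SHA-256 as the hash, and a caller-supplied callback in place of the OS-specific "offending process" monitoring, all of which are choices made for the example. The file size and the recorded random offset are bound into the digest so a recorded offset cannot be replayed against a file of a different size. The demo also shows the inherent caveat of sampling: an edit that lands outside the three hashed sections is not detected.

```python
import hashlib
import logging
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("fim")

THRESHOLD = 64 * 1024   # assumed: files at or below this size are hashed in full
SECTION_LEN = 4096      # assumed: length of each sampled section


@dataclass(frozen=True)
class Baseline:
    size: int
    random_offset: Optional[int]   # None when the whole file was hashed
    digest: str


def _digest(data: bytes, random_offset: int, section_len: int) -> str:
    """Hash the first section, the last section and the section at random_offset.
    Size and offset are mixed in so a recorded offset only matches the same file shape."""
    h = hashlib.sha256()
    h.update(len(data).to_bytes(8, "big"))
    h.update(random_offset.to_bytes(8, "big"))
    h.update(data[:section_len])                               # first predetermined section
    h.update(data[len(data) - section_len:])                   # second predetermined section
    h.update(data[random_offset:random_offset + section_len])  # third, random section
    return h.hexdigest()


def first_hashing(data: bytes, *, threshold: int = THRESHOLD, section_len: int = SECTION_LEN,
                  random_offset: Optional[int] = None) -> Baseline:
    """Claim steps 1-3: pick sections for a large file, hash them, record the random offset."""
    size = len(data)
    if size <= threshold:
        return Baseline(size, None, hashlib.sha256(data).hexdigest())
    if random_offset is None:
        # choose an offset whose section lies strictly between the head and tail sections
        lo, hi = section_len, size - 2 * section_len
        if hi < lo:
            raise ValueError("threshold must exceed three section lengths")
        random_offset = lo + secrets.randbelow(hi - lo + 1)
    return Baseline(size, random_offset, _digest(data, random_offset, section_len))


def second_hashing(data: bytes, baseline: Baseline, *, section_len: int = SECTION_LEN) -> str:
    """Claim step 5: rehash using the random offset recorded by the first hashing."""
    if baseline.random_offset is None:
        return hashlib.sha256(data).hexdigest()
    return _digest(data, baseline.random_offset, section_len)


def check(label: str, data: bytes, baseline: Baseline, action: Callable[[dict], None]) -> bool:
    """Claim steps 6-7: compare digests; on mismatch log the event and run the user action.
    Attributing the change to a process is OS-specific and is left to the callback here."""
    current = second_hashing(data, baseline)
    if current == baseline.digest:
        return True
    event = {"file": label, "expected": baseline.digest, "observed": current,
             "random_offset": baseline.random_offset}
    log.warning("file tampered with: %s", event)
    action(event)
    return False


# constructed 200 KiB sample "file" (not real data)
SAMPLE = bytes(range(256)) * 800


def flip(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one byte inverted at offset."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


def demo() -> dict:
    events: list = []
    baseline = first_hashing(SAMPLE, random_offset=100_000)  # fixed offset for reproducibility
    return {
        "unchanged": check("sample", SAMPLE, baseline, events.append),
        "head_edit": check("sample", flip(SAMPLE, 5), baseline, events.append),
        "random_section_edit": check("sample", flip(SAMPLE, 100_010), baseline, events.append),
        "unsampled_edit": check("sample", flip(SAMPLE, 50_000), baseline, events.append),
        "truncated": check("sample", SAMPLE[:-1], baseline, events.append),
        "events": len(events),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

In `demo()` the edit at offset 50 000 falls outside the head, tail and random sections and therefore passes the check, which is the trade-off the scheme makes for speed on large files; the random offset is what keeps an attacker from knowing in advance which middle region is safe to modify, so the offset record must be protected as carefully as the digest itself.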