DiskManipulationEventArgs Class

Event arguments raised by the firewall when disk manipulations has been discovered

Object Model

Syntax

public class DiskManipulationEventArgs : System.EventArgs

Remarks

This argument allows you to perform a choice of actions the firewall will do for all future requests

Example

The following code shows how to use the firewall to send an mail (if mail add-on installed) when a change on disk is detected by a application that is actually communicating via the network. This could be RemoteDesktop WinVCM or TeamViewer, Telnet, FTP etc.

private void MyFireWall_OnDiskManipulation(object sender, DiskManipulationEventArgs e)
 {
     foreach (var item in e.Violation.Talking)
     {
         if (item.tcpRecord.Scope == Walter.Net.Networking.CommunicationScopes.WAN)
         {
             (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                                         , "A file change with external communication was detected"
                                         , MakeEmailBody(item.tcpRecord.Scope,e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                                         , true);
         }
         else
         {
             (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                                         , "A file change with internal communication was detected"
                                         , MakeEmailBody(item.tcpRecord.Scope,e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                                         , true);
            
         }
     }
     e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
 }
            
 private string MakeEmailBody(Walter.Net.Networking.CommunicationScopes scope,string executingBinary, IPAddress remoteAddress)
 {
    private string MakeEmailBody(Walter.Net.Networking.CommunicationScope scope,string executingBinary, IPAddress remoteAddress)
    {
        if (scope == Walter.Net.Networking.CommunicationScopes.WAN)
        {
            var map = _geo.QueryMapLocation(remoteAddress);
            var whois = Whois(remoteAddress);
            return @"
            
                We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}
            
                While capturing the issue we recorded the IP coming from {City} - {Country} google maps linkThe IP address is managed by :
                {WhoIs}
            
             ".Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
                .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
                .Replace("{City}", map.City, StringComparison.OrdinalIgnoreCase)
                .Replace("{Country}", map.Country, StringComparison.OrdinalIgnoreCase)
                .Replace("{Link}", map.GoogleMapLocation().AbsoluteUri, StringComparison.OrdinalIgnoreCase)
                .Replace("{WhoIs}", whois.ToHtml(), StringComparison.OrdinalIgnoreCase);
        }
            
        return  @" We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}-{scope}"
                   .Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
                   .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
                   .Replace("{Scope}",scope.ToString(),StringComparison.OrdinalIgnoreCase);
     }
   }
}

Inheritance Hierarchy

System.Object
   System.EventArgs
      Walter.IO.EventArguments.DiskManipulationEventArgs
         Walter.Web.FireWall.EventArguments.FireWallDiskManipulationEventArgs

Requirements

Target Platforms: Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

Reference

DiskManipulationEventArgs Members
Walter.IO.EventArguments Namespace
OnDiskManipulation Event