OnDiskManipulation Event (IFireWall)

This event will be triggered when the firewall detects a manipulation of files in your application root and sub directories by a 3rd party

Syntax

event EventHandler<FireWallDiskManipulationEventArgs> OnDiskManipulation

Event Data

The event handler receives an argument of type FireWallDiskManipulationEventArgs containing data related to this event. The following FireWallDiskManipulationEventArgs properties provide information specific to this event.

Property	Description
Action	the action to perform
Changed	The violation discovered enriched with information that started the process

Remarks

If you do not want the firewall to trigger a alert use interface to make disk changes without triggering over a detection

Example

The following code shows how to use the firewall to send an mail (if mail add-on installed) when a change on disk is detected by a application that is actually communicating via the network. This could be RemoteDesktop WinVCM or TeamViewer, Telnet, FTP etc.

private void MyFireWall_OnDiskManipulation(object sender, DiskManipulationEventArgs e)
 {
     foreach (var item in e.Violation.Talking)
     {
         if (item.tcpRecord.Scope == Walter.Net.Networking.CommunicationScope.WAN)
         {
             (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                                         , "A file change with external communication was detected"
                                         , MakeEmailBody(item.tcpRecord.Scope,e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                                         , true);
         }
         else
         { 
             (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                                         , "A file change with internal communication was detected"
                                         , MakeEmailBody(item.tcpRecord.Scope,e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                                         , true);
 
         }
     }
     e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
 }
            
 private string MakeEmailBody(Walter.Net.Networking.CommunicationScope scope,string executingBinary, IPAddress remoteAddress)
 {
     if (scope == Walter.Net.Networking.CommunicationScopes.WAN)
     {       
         var map = _geo.QueryMapLocation(remoteAddress); 
         var whois = Whois(remoteAddress);
         return @"
         
             We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}
         
             While capturing the issue we recorded the IP coming from {City} - {Country} google maps linkThe IP address is managed by :
             {WhoIs}
         
          ".Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
             .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
             .Replace("{City}", map.City, StringComparison.OrdinalIgnoreCase)
             .Replace("{Country}", map.Country, StringComparison.OrdinalIgnoreCase)
             .Replace("{Link}", map.GoogleMapLocation().AbsoluteUri, StringComparison.OrdinalIgnoreCase)
             .Replace("{WhoIs}", whois.ToHtml(), StringComparison.OrdinalIgnoreCase);
     }
     
     return  @" We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}-{scope}"
                .Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
                .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
                .Replace("{Scope}",scope.ToString(),StringComparison.OrdinalIgnoreCase);
  }
}

Requirements

Target Platforms: Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

Reference

IFireWall Interface
IFireWall Members
IFireWallDiskGuard Interface

Send Feedback