Walter.Web.FireWall
OnDiskManipulation Event (IFireWall)
This event is triggered when the firewall detects that a third party has manipulated files in your application root or its subdirectories.
Syntax
Event Data

The event handler receives an argument of type FireWallDiskManipulationEventArgs containing data related to this event. The following FireWallDiskManipulationEventArgs properties provide information specific to this event.

Property    Description
Action      The action to perform
Violation   The violation discovered, enriched with information that started the process
Remarks
If you do not want the firewall to trigger an alert, use interface to make disk changes without triggering a detection.
Example
The following code shows how to use the firewall to send an email (if the mail add-on is installed) when a change on disk is detected that was made by an application that is actually communicating via the network. This could be Remote Desktop, WinVNC, TeamViewer, Telnet, FTP, etc.
private void MyFireWall_OnDiskManipulation(object sender, FireWallDiskManipulationEventArgs e)
 {
     // Send one alert per network connection recorded for the violation
     foreach (var item in e.Violation.Talking)
     {
         // WAN scope is reported as external communication, anything else as internal
         var subject = item.tcpRecord.Scope == Walter.Net.Networking.CommunicationScope.WAN
                     ? "A file change with external communication was detected"
                     : "A file change with internal communication was detected";

         (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                                     , subject
                                     , MakeEmailBody(item.tcpRecord.Scope, e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                                     , true);
     }

     // Tell the firewall which action to perform in response to the violation
     e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
 }
            
 // Builds the alert text; _geo and Whois are members of the containing class that are not shown here
 private string MakeEmailBody(Walter.Net.Networking.CommunicationScope scope, string executingBinary, IPAddress remoteAddress)
 {
     if (scope == Walter.Net.Networking.CommunicationScope.WAN)
     {
         // For external addresses, add the geographic location and WHOIS details
         var map = _geo.QueryMapLocation(remoteAddress);
         var whois = Whois(remoteAddress);
         return @"
         
             We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}
         
             While capturing the issue we recorded the IP coming from {City} - {Country} (Google Maps link: {Link})
             The IP address is managed by:
             {WhoIs}
         
          ".Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
             .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
             .Replace("{City}", map.City, StringComparison.OrdinalIgnoreCase)
             .Replace("{Country}", map.Country, StringComparison.OrdinalIgnoreCase)
             .Replace("{Link}", map.GoogleMapLocation().AbsoluteUri, StringComparison.OrdinalIgnoreCase)
             .Replace("{WhoIs}", whois.ToHtml(), StringComparison.OrdinalIgnoreCase);
     }
     
     // Internal addresses: report only the binary, the address and the scope
     return  @" We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}-{Scope}"
                .Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
                .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
                .Replace("{Scope}", scope.ToString(), StringComparison.OrdinalIgnoreCase);
 }
Requirements

Target Platforms: Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2
