event EventHandler<FireWallDiskManipulationEventArgs> OnDiskManipulation
Event Data
The event handler receives an argument of type FireWallDiskManipulationEventArgs containing data related to this event. The following FireWallDiskManipulationEventArgs properties provide information specific to this event.

Property | Description
---|---
Action | The action to perform.
Changed | The violation discovered, enriched with information about the process that started it.
Remarks
If you do not want the firewall to raise an alert, use the interface to make disk changes without triggering a detection.
Example
The following code shows how to use the firewall to send an e-mail (if the mail add-on is installed) when a change on disk is detected by an application that is actively communicating via the network. This could be Remote Desktop, WinVCM or TeamViewer, Telnet, FTP, etc.
```csharp
using System;
using System.Net;
using Walter.Net.Networking;

// The handler signature matches the event declaration above
// (EventHandler<FireWallDiskManipulationEventArgs>).
private void MyFireWall_OnDiskManipulation(object sender, FireWallDiskManipulationEventArgs e)
{
    // One mail per connection the writing process has open; the scope of the
    // connection (WAN or not) decides the subject line.
    foreach (var item in e.Violation.Talking)
    {
        if (item.tcpRecord.Scope == CommunicationScope.WAN)
        {
            (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                , "A file change with external communication was detected"
                , MakeEmailBody(item.tcpRecord.Scope, e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                , true);
        }
        else
        {
            (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant
                , "A file change with internal communication was detected"
                , MakeEmailBody(item.tcpRecord.Scope, e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                , true);
        }
    }

    // Tell the firewall what to do with the offending application (flags combine with |).
    e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
}

// _geo (geo-location lookup) and Whois(...) are helpers of the hosting class, not part of this event.
private string MakeEmailBody(CommunicationScope scope, string executingBinary, IPAddress remoteAddress)
{
    if (scope == CommunicationScope.WAN)
    {
        var map = _geo.QueryMapLocation(remoteAddress);
        var whois = Whois(remoteAddress);

        // Verbatim string, so quotes inside it are doubled. The anchor carries the {Link}
        // placeholder that the Replace chain below fills in.
        return @"
We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}
While capturing the issue we recorded the IP coming from {City} - {Country} <a href=""{Link}"">google maps link</a>
The IP address is managed by : {WhoIs}
"
            .Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
            .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
            .Replace("{City}", map.City, StringComparison.OrdinalIgnoreCase)
            .Replace("{Country}", map.Country, StringComparison.OrdinalIgnoreCase)
            .Replace("{Link}", map.GoogleMapLocation().AbsoluteUri, StringComparison.OrdinalIgnoreCase)
            .Replace("{WhoIs}", whois.ToHtml(), StringComparison.OrdinalIgnoreCase);
    }

    return @"We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}-{Scope}"
        .Replace("{ApplicationPath}", executingBinary, StringComparison.OrdinalIgnoreCase)
        .Replace("{IPAddress}", remoteAddress.ToString(), StringComparison.OrdinalIgnoreCase)
        .Replace("{Scope}", scope.ToString(), StringComparison.OrdinalIgnoreCase);
}
```
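A second handler, added here as an example and not taken from the page or from the firewall library's own documentation. It shows how to set `e.Action` from a single decision over all the connections the writing process has open, instead of mailing once per connection, and it HTML-encodes the binary path and peer addresses before they go into the mail body, since both are influenced by the process being reported on. The escalation policy (alert only for LAN peers, shut down on the first WAN-connected change, shut down and persist on a repeat) is illustrative. Assumptions: the namespace `Walter.Web.FireWall` for `IFireWall`, `EMailRoles` and `ApplicationCompromisedActions`; the `Violation`, `Talking`, `tcpRecord.Scope`, `tcpRecord.RemoteAddress` and `ExecutingBinary` members as used in the page's example; and that the fourth `SendEmail` argument is an HTML flag, passed as `true` as the page's example does.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using Walter.Net.Networking;
using Walter.Web.FireWall;   // assumed namespace for IFireWall, EMailRoles, ApplicationCompromisedActions

// Per-binary count of disk changes seen while the process talked to a WAN peer.
// Lives on the hosting firewall class; guarded because events may arrive concurrently.
private readonly object _sync = new object();
private readonly Dictionary<string, int> _wanHitsPerBinary =
    new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);

// Illustrative escalation policy (not the library's). null means "assign nothing and
// leave e.Action as the firewall set it"; otherwise the flags to assign to e.Action.
internal static ApplicationCompromisedActions? DecideAction(
    IReadOnlyCollection<CommunicationScope> scopes, int previousWanHits)
{
    if (!scopes.Contains(CommunicationScope.WAN))
    {
        return null; // only LAN peers: report by mail, no automatic shutdown
    }
    if (previousWanHits == 0)
    {
        return ApplicationCompromisedActions.ShutDown; // first WAN-connected change: stop the process
    }
    // Repeat offender: stop it and keep it stopped across reboots (flags combine with |).
    return ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
}

private void MyFireWall_OnDiskManipulation(object sender, FireWallDiskManipulationEventArgs e)
{
    string binary = e.Violation.ExecutingBinary;
    var records = e.Violation.Talking.Select(t => t.tcpRecord).ToList();
    var scopes = records.Select(r => r.Scope).ToList();

    int previousWanHits;
    lock (_sync)
    {
        _wanHitsPerBinary.TryGetValue(binary, out previousWanHits);
        if (scopes.Contains(CommunicationScope.WAN))
        {
            _wanHitsPerBinary[binary] = previousWanHits + 1;
        }
    }

    ApplicationCompromisedActions? decision = DecideAction(scopes, previousWanHits);

    // The path and the peer addresses come from the reported process and its connections;
    // encode them before placing them in an HTML mail body.
    string peers = string.Join(", ",
        records.Select(r => WebUtility.HtmlEncode($"{r.RemoteAddress} ({r.Scope})")));
    string body =
        $"<p>{WebUtility.HtmlEncode(binary)} changed files while connected to: {peers}.</p>" +
        $"<p>Action taken: {(decision.HasValue ? decision.Value.ToString() : "firewall default")}.</p>";
    string subject = decision.HasValue
        ? "Disk change by an internet-connected process (escalated)"
        : "Disk change by a LAN-connected process (alert only)";

    // Fourth argument passed as true, as in the page's example (assumed to flag an HTML body).
    (this as IFireWall).SendEmail(EMailRoles.SecurityRelevant, subject, body, true);

    if (decision.HasValue)
    {
        e.Action = decision.Value;
    }
}
```

Keeping the decision in the static `DecideAction` method means the escalation rules can be unit-tested with plain lists of scopes, without a firewall instance or a real event.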
Requirements
Target Platforms: Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2
See Also