Monitor the immutability of operating system and application files
In this blog post you will find out:
- Why binary file tampering is a security risk for your enterprise IT
- How you can monitor the manipulation of binary files
- How to implement immutability monitoring with Versio.io in 5 minutes
Manipulation of binary files = security risk
The manipulation of operating system files or applications represents a significant
security risk, as it can allow unauthorised access to the system. Modified files can
contain malware such as viruses, Trojans or ransomware that infect the system, steal
or damage data and take control of the system. The introduction of backdoors also
enables attackers to gain undetected access to the system, which can lead to further
attacks on the entire network. In addition, manipulated files can affect the stability
of the system and cause applications or the operating system to no longer function
reliably.
Recognising manipulated binary files
The integrity of binary files is crucial for the security and stability of an operating
system or application.
Hash values play a central role in this. A hash value is a unique fingerprint of
a file that is calculated from its content.
Any change to the file, no matter how small - be it due to a download error or
malware - changes the hash value.
The hash values of binary files should therefore only change as part of updates. Any
other change in a hash value is an unauthorised change.
Example of a checksum of a file based on the MD5 algorithm: 097202d6e3d2077e717e75ad6e9a4ba4
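The following added example, which is not part of the original post and not Versio.io code, shows the mechanism described above as a small stand-alone script: it inventories a directory, records a checksum for each file, and then compares a later inventory against the baseline to report modified, added and removed files. It computes the MD5 value the post uses and, alongside it, SHA-256, which is the usual choice today because collisions for MD5 can be constructed deliberately. The `demo()` function and the file contents it writes are constructed test data; the `name_filter` parameter mirrors the post's restriction to files named `python3` and is an assumption of this example.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large binaries are not loaded into memory at once


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file's content."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def snapshot(directory, name_filter=None):
    """Inventory a directory tree: relative path -> {'md5', 'sha256', 'size'}.

    name_filter (assumed parameter) keeps only files with exactly that name,
    like the post's restriction to files called 'python3'. Symlinks are skipped
    so that a link pointing outside the tree cannot masquerade as a binary.
    """
    inventory = {}
    base = Path(directory)
    for p in sorted(base.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if name_filter and p.name != name_filter:
            continue
        md5, sha = file_hashes(p)
        inventory[str(p.relative_to(base))] = {
            "md5": md5,
            "sha256": sha,
            "size": p.stat().st_size,
        }
    return inventory


def compare(baseline, current):
    """Diff two inventories; a differing SHA-256 marks a file as modified."""
    modified = [f for f in baseline if f in current and baseline[f]["sha256"] != current[f]["sha256"]]
    added = [f for f in current if f not in baseline]
    removed = [f for f in baseline if f not in current]
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


def demo():
    """Constructed scenario: baseline a tiny 'bin' directory, tamper, re-inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        (bindir / "python3").write_bytes(b"\x7fELF constructed interpreter bytes")
        (bindir / "ls").write_bytes(b"\x7fELF constructed ls bytes")
        baseline = snapshot(bindir)

        # Simulated manipulation, as in the post: the content of 'python3' changes.
        with open(bindir / "python3", "ab") as fh:
            fh.write(b" appended bytes")
        (bindir / "ls").unlink()                       # a file disappears
        (bindir / "unexpected").write_bytes(b"new")    # a file appears

        return compare(baseline, snapshot(bindir))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored away from the monitored host (or signed), so that an attacker who can rewrite the binary cannot also rewrite the stored checksum; a rerun that reports a non-empty `modified` list outside a planned update is the integrity violation the post describes.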
Implement monitoring with Versio.io in 5 minutes
Configuration of integrity monitoring
Versio.io is a software platform that creates transparency, control and efficiency
in IT operations. The core component is the continuous and automated documentation
(inventory) of IT landscapes. A OneImporter (agent) on the host computer to be monitored
and the activated 'Folder Importer' module are required to monitor binary files.
A directory to be monitored must be specified in the Folder Importer configuration.
If the 'Capture files' option is activated, the files it contains are also inventoried.
The 'Capture file hashes' option adds the checksum (MD5 hash value) of each file to
the documentation.
In the following configuration, the files to be captured for the blog post example
were still limited to files with the name 'python3'.
Figure: Configuration of file binary integrity monitoring
Documentation of the integrity violation
The following illustration shows the result of the inventory of the directory in
the Instance Viewer. The initial state was recorded in the lower area (original).
We see the file 'python3' with its metadata, which also contains the checksum.
The change (manipulation) recognised by Versio.io is documented in the centre of
the figure. The content of the file 'python3' was changed manually (simulation of
a cyber attack), which leads to a change in the checksum.
Figure: Manipulation detection based on continuous and automated inventory in Versio.io
You may also be interested in:
- Events & Alerting: An event can be generated for the recognised manipulation of the
file and the associated integrity violation using policies (logical rules). Alerting
can be executed based on the event, which can send notifications by email or chat or
generate an incident ticket, for example.
- Configuration files: The approach shown above can also be used for any other files,
such as configuration files. With the help of the file importer, it would also be
possible here to inventory the entire content of the configuration and process it in
Versio.io.
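As an added illustration of the "policies (logical rules)" idea in the Events & Alerting item, the example below (not Versio.io code, and not part of the original post) evaluates two inventory states, such as the original and changed records shown in the Instance Viewer, against a simple rule: a checksum change is an expected update only if it falls inside an approved change window for that file, otherwise it is raised as an integrity violation. The `Record` and `ChangeWindow` types, the severities and the `CHG-0001` ticket reference are assumptions of this example; the MD5 value of the original `python3` record is the one shown in the post, and the changed value is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:          # one inventoried file state (assumed structure)
    path: str
    md5: str
    observed: datetime


@dataclass(frozen=True)
class ChangeWindow:    # an approved update for one file (assumed structure)
    path: str
    start: datetime
    end: datetime
    ticket: str


def covered(window, record):
    """True if the record's observation time lies inside an approved window for its path."""
    return window.path == record.path and window.start <= record.observed <= window.end


def integrity_policy(previous, current, windows):
    """Policy rule: emit one event per checksum change, classified by change windows.

    previous/current map path -> Record. Returns a list of event dicts sorted by path.
    """
    events = []
    for path, before in previous.items():
        after = current.get(path)
        if after is None:
            events.append({"path": path, "severity": "warning", "reason": "file removed"})
            continue
        if after.md5 == before.md5:
            continue
        approved = [w for w in windows if covered(w, after)]
        if approved:
            events.append({"path": path, "severity": "info",
                           "reason": f"expected update ({approved[0].ticket})"})
        else:
            events.append({"path": path, "severity": "critical",
                           "reason": "integrity violation: checksum changed outside any change window"})
    return sorted(events, key=lambda e: e["path"])


def format_alert(event):
    """Render an event as the one-line notification an email or chat alert would carry."""
    return f"[{event['severity'].upper()}] {event['path']}: {event['reason']}"


def demo():
    """Constructed scenario with one planned update and one unplanned change."""
    t0 = datetime(2025, 1, 21, 9, 0, tzinfo=timezone.utc)
    previous = {
        "/usr/bin/python3": Record("/usr/bin/python3", "097202d6e3d2077e717e75ad6e9a4ba4", t0),
        "/usr/lib/libexample.so": Record("/usr/lib/libexample.so", "11111111111111111111111111111111", t0),
    }
    t1 = t0 + timedelta(hours=2)
    current = {
        "/usr/bin/python3": Record("/usr/bin/python3", "ffffffffffffffffffffffffffffffff", t1),   # constructed
        "/usr/lib/libexample.so": Record("/usr/lib/libexample.so", "22222222222222222222222222222222", t1),
    }
    windows = [ChangeWindow("/usr/lib/libexample.so", t0 + timedelta(hours=1),
                            t0 + timedelta(hours=3), "CHG-0001")]
    return integrity_policy(previous, current, windows)


if __name__ == "__main__":
    for event in demo():
        print(format_alert(event))
```

Tying the rule to a change ticket is what keeps the alert channel quiet during routine patching while still escalating a change that nobody planned.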
The use of checksums for binary files therefore not only contributes to system stability,
but also protects against targeted attacks on system files. It is an indispensable
tool for the operational security management of a company's IT.
Authors | 21 January 2025

Fabian Klose
Head of Software Development
P: +49-30-221986-51

Keywords
- Cybersecurity
- Binary file
- Binary format
- Manipulation
- Integrity
- Ransomware