
ShareWatch.net


7 replies to this topic

#1 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 11 June 2015 - 10:21 AM


File Name: ShareWatch.net
File Submitter: DarkPhoeniX
File Submitted: 08 Jun 2015
File Updated: 06 Jul 2015
File Category: Security

ShareWatch.net is the spiritual successor to Steve Miller’s ShareWatch.
Since work on ShareWatch has been stopped for years, I decided to make a more useful tool.

What the program does:
This program is made for enterprise-class file servers.
It logs file usage to a CSV file that can be reviewed later using a spreadsheet program like Excel.
A new log is created daily so as not to overwhelm Excel's pivot table or filtering functions.
Using Excel's pivot table you can track which files have been used the most and by which user.
Basically a poor man's Netwrix.
It uses a table system that will allow you to easily see what a specific user is up to on the file server by filtering the results to the bottom table. So be sure to sort out the usernames on your network to see valuable information here.

How it does it:
It's made using C# .NET Framework 4,
so it will work on older OSes like Windows XP & Windows 2003 (not Win98/NT4).
Newer OSes like Windows Vista/7/8/8.1/10 also support the framework.
Please be sure to run the program as Administrator or disable UAC completely.

Network Monitor
This uses API calls to Windows DLLs.
These are some of the main functions (if you want to google them):
NetShareEnum
NetSessionEnum
These functions are limited in the information they return,
so this program would have to try to ask the incoming clients for more info,
like the MAC address and NetBIOS names. This is done on a separate thread.

File Monitor
This uses FileSystemWatcher, a .NET Framework component.
A multi-threaded system is set up to catch multiple folders (and subfolders).
Please note that FileSystemWatcher is not perfect (please see here for limitations).
In my tests it does not seem to catch all of the changes...
FileSystemWatcher tries to catch all changed, deleted, renamed and created files and directories.
Unfortunately FileSystemWatcher does not know which user made which change; you would have to compare it with the
network monitor logs to see what happened in that time period. Luckily everything is in CSV format, and with some filtering in Excel on the timestamp you can find out what happened.

Notification System
The notification system will notify you either via the tray icon or email if a pre-set alert was triggered.
There is a buffer in place that will collect messages and send them all in one bag.
Specify this timeout in the "Alert Interval" (default 5 minutes) text box in the email settings area.
You can use Gmail as an SMTP host; just be sure to enable POP3 and enable "Less secure apps" in your Gmail settings.
(Just google the SMTP settings.)
The notification system will also perform actions like shutting the PC down, rebooting, blacklisting the user or disabling all the network adapters.

Disable All Network Adapters
This feature is part of the notification system. When triggered it will disable all network connections.
You can re-enable the connections in the "Network And Sharing Center" under "Change Adapter Settings"
or use "File" > "Enable All Network Adapters". This works by calling the Windows WMI interface (Win32_NetworkAdapter) and manipulating it.

BlackList
This feature will kick, then disable, the user account (on the local PC) so that the user can no longer access shared files and resources from the network. (This is untested on an Active Directory.)
Note: the user running ShareWatch.net (locally) cannot be disabled. This is so you cannot accidentally disable the Administrator account running the program.
An action trigger is available on "Access Files (Per User)" to disable the user account that has accessed too many files. Unfortunately it's not available on the other event types because of the lack of information the file monitor returns (FileSystemWatcher does not return user information).

Similar Programs:
http://stevemiller.net/sharewatch/ - Free!
https://www.netwrix.com - Not So Free
http://securityxplod...haremonitor.php - Free!
http://www.codeproje...tor-Your-System - Free Open Source!
http://www.codeproje...iles-on-Network - Free Open Source!

Things To Do
Add an email alert system
Add a file monitoring system to check for changes in files
Add an alert/action event on multiple file modifications to combat crypto lockers/malicious users
Add an alert/action event on multiple file access to indicate file copying?
Add a tab to see shared files?
Add a tab to see users and user privileges?
Add more stuff being logged, like which users are using which PCs to log in & weekly logs for disk space usage
Fix shutdown and reboot options in alert system
Add context menu on rows to open file location
Add "Start on Windows Startup" checkbox
Add "Run a File" to actions
Make a video on how to use this program
Bugfix / clean up code / optimise.
Add stuff you want?


Extra Info
This is my first C# program I’m making available to the public. Updates will take longer from now on since I added all the features I can think of, but if you have an idea or found a bug or a crash, please leave a comment in the support topic.

Please donate if it helped you / to support development.

  • Nuno Brito likes this
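
The timestamp comparison described under "File Monitor" above can also be scripted instead of filtered by hand in Excel. This is an added example, not part of the original post or of ShareWatch.net's code; the CSV column names, timestamp format and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

# Constructed sample data. Column names and timestamp format are assumptions
# for this example, not ShareWatch.net's actual log layout.
FILE_LOG = r"""Timestamp,Event,Path
2015-06-15 10:00:05,Changed,D:\Shares\Drawings\part1.sldprt
2015-06-15 10:00:07,Renamed,D:\Shares\Drawings\part2.sldprt
2015-06-15 10:30:00,Deleted,D:\Shares\HR\cv.docx
"""
SESSION_LOG = """Timestamp,User,Client
2015-06-15 09:59:50,alice,PC-014
2015-06-15 10:00:20,bob,PC-007
2015-06-15 10:29:40,bob,PC-007
"""
FMT = "%Y-%m-%d %H:%M:%S"


def load(text):
    """Parse CSV text into dict rows with a parsed 'ts' field, sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Timestamp"], FMT)
    return sorted(rows, key=lambda r: r["ts"])


def candidate_users(file_rows, session_rows, window_seconds=30):
    """For each file event, list users with a session record inside the window.

    The result is a set of candidates, not proof of who made the change:
    the file log carries no user, so overlap in time is all there is.
    """
    window = timedelta(seconds=window_seconds)
    times = [s["ts"] for s in session_rows]
    out = []
    for ev in file_rows:
        lo = bisect_left(times, ev["ts"] - window)
        hi = bisect_right(times, ev["ts"] + window)
        users = sorted({s["User"] for s in session_rows[lo:hi]})
        out.append((ev["Timestamp"], ev["Event"], ev["Path"], users))
    return out


if __name__ == "__main__":
    for row in candidate_users(load(FILE_LOG), load(SESSION_LOG)):
        print(row)
```

An event with more than one candidate user cannot be attributed from these two logs alone; an empty list means no session record fell inside the window.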

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13585 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 June 2015 - 12:18 PM

With all due respect :), you will need anyway to post some more info on the program, its usage and its intended goal.

I will provide here a set of three basic ALOAQ (At Least Once Asked Questions) that I presume will be asked more than once and that possibly may become FAQ:

  1. In what exactly is this program different from the "original" http://stevemiller.net/sharewatch/ I.e. what added features does it have when compared to it, or what can it do that Sharewatch cannot (see list in the above link)?
  2. Which OS does it run on?
  3. Which .Net :ph34r: version does it require?

Which answers represent IMHO the bare-bare minimum that one needs to know before even thinking of downloading your program.

 

:duff:

Wonko

 

EDIT: Attached a screenshot of the original post that originated this comment.

Attached File  ShareWatch.jpg   42.61KB   0 downloads

 


  • DarkPhoeniX likes this

#3 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 12 June 2015 - 03:06 PM

With all due respect to Wonko's answer:

 

You are on a good way! Continue!

 

Peter :cheers:



#4 DarkPhoeniX


Posted 15 June 2015 - 02:31 PM

An update just dropped!

I need you guys to check for bugs...

 

But more importantly I need to know what the speed of a crypto-ware/virus generally is?

I'm estimating 50 files per minute. I would like to know this so that when I set up a notification system, it will know that something is wrong when 50 files in the last minute just suddenly up and changed. I know that processing speed and file size play a role here. But I want a baseline.

I'm thinking threat levels here, like 25 changes PM = email alert, 50 changes PM = attempt to disable (active) or disconnect (passive) the user account, 100 = PC shutdown or network adapter disable?

The current version (1.1.0.0) does have the counters in place if you want to test/play with it a bit.
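
The tiered thresholds proposed in this post (25, 50 and 100 changes per minute) can be tried against sample event streams with a sliding-window counter. This is an added example, not ShareWatch.net's own code; the class, function and action names are hypothetical, and the event timestamps are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Tiers proposed in the post above: changes per minute -> action.
# The action names are labels made up for this example.
TIERS = [(100, "shutdown_or_disable_adapters"),
         (50, "disable_or_disconnect_user"),
         (25, "email_alert")]


class ChangeRateMonitor:
    """Counts file-change events in a sliding window and reports tier rises."""

    def __init__(self, window=timedelta(minutes=1), tiers=TIERS):
        self.window = window
        self.tiers = sorted(tiers, reverse=True)  # highest threshold first
        self.events = deque()
        self.current = None  # tier the window is currently in, if any

    def record(self, ts):
        """Add one event; return the tier's action if the level just rose."""
        self.events.append(ts)
        # Drop events that have fallen out of the window.
        while self.events and ts - self.events[0] >= self.window:
            self.events.popleft()
        count = len(self.events)
        level = next((t for t in self.tiers if count >= t[0]), None)
        fired = None
        if level and (self.current is None or level[0] > self.current[0]):
            fired = level[1]  # fire on the rise, not on every event
        self.current = level  # falls back when the burst ends
        return fired


def simulate(n_events, spacing_seconds):
    """Constructed input: n evenly spaced change events; returns fired actions."""
    mon = ChangeRateMonitor()
    start = datetime(2015, 6, 15, 10, 0, 0)
    fired = []
    for i in range(n_events):
        action = mon.record(start + timedelta(seconds=i * spacing_seconds))
        if action:
            fired.append((i + 1, action))
    return fired


if __name__ == "__main__":
    print(simulate(120, 0.5))  # burst: two changes per second
    print(simulate(200, 3))    # steady background: 20 changes per minute
```

A rate that hovers right at a threshold will cross it repeatedly, so a hold-down such as the post's "Alert Interval" buffer is still needed in front of any action.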



#5 DarkPhoeniX


Posted 26 June 2015 - 10:34 AM

OMFG! Another update is available!

Please help fight those bugs and give some suggestions on improvement.

The current version (1.2.0.0) has a system in place to log bugs, so you can attach that log file in a post.

:thumbsup:



#6 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10441 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 27 June 2015 - 10:23 PM

But more importantly I need to know what the speed of a crypto-ware/virus generally is?

I'm estimating 50 files per minute

 

Tough question. Some people will argue that at minimum you'd need to take into account disk access speed (HDD vs SSD vs USB) and state of the operating system (difference between a Windows hogged with 1000 services/processes running in the background or a clean and recently installed Windows machine).

 

I am wondering how many viruses one sees in the present time that infect more than 50 files on the disk. Usually the ones I found are very selective about what they infect, would you happen to have a link to where I can read more about this specific kind of thing happening?

 

Would you also see as a good indicator to highlight processes that have been too active? "Active" in this sense would be defined as a process doing too much of reading/writing the registry, accessing disk, using network (ping, web request, ..) which is something that I'd see virus processes doing like crazy. Distinguishing them from normal executables wouldn't likely be easy. Perhaps looking on the file size as viruses might typically be only a few kilobytes in size? :huh:

 

Anyways, congratulations on the interesting release and continuing ShareWatch. Certainly many interesting possibilities for this project to detect anomalous activity.

 

:cheers:



#7 DarkPhoeniX


Posted 30 June 2015 - 06:43 AM

Tough question. Some people will argue that at minimum you'd need to take into account disk access speed (HDD vs SSD vs USB) and state of the operating system (difference between a Windows hogged with 1000 services/processes running in the background or a clean and recently installed Windows machine).


I think the question would be more along the lines of how many files a user would be able to access. Let's say at any one time a user would access about 25 files (a SolidWorks drawing with part files). Accessing more files than that would mean that the user is copying the files, or a virus is infecting/affecting them. In the case of corporate servers, users have access to a lot of files; they are usually small in size so they can be accessed quickly. If a user copies information on a large scale you may want to know about it. If a virus is editing/deleting/accessing the files en masse you may want to know this too. But all of this would require you to check the logs of ShareWatch to see what your users' usage patterns are.

I am wondering how many viruses one sees in the present time that infect more than 50 files on the disk. Usually the ones I found are very selective about what they infect, would you happen to have a link to where I can read more about this specific kind of thing happening?


Viruses like crypto-ware may want to access all the files they can get their grubby hands on... Unfortunately I do not have a link, but I can tell you what happened to me a couple of months back.

We have a server storing files for about 25 users. One of the users got sent an email with a subject that would lead the user to believe that someone had sent a CV; it had an attached zip file. Inside the zip there was a *.pdf.exe file. The user opening the email thought that it was a PDF because "Hide Extensions" was enabled. A day later ESET AV picked up the infection, but it was too late. A lot of files were encrypted on the server, with a message that linked to a website saying to pay up to unlock the files.

So I did some research on crypto-ware and found the following: crypto-ware may have filters in place to encrypt only certain types of files like *.doc/*.cad/*.exl files, but they will start to encrypt them all as fast as possible. Some crypto-ware uses Windows's own encryption software to encrypt the files. It would target network drives or links to network files first, then the documents folder, then it would scan everywhere on the local PC for its targeted files, encrypting as it goes along.

So the next week I installed a tool called CryptoPrevent. I also installed the latest ESET AV version, password-protected the settings, set the settings to the most secure I can, and to email me if an infection occurred, on all PCs. On the server I tightened up the screws on the now 10-year-old server's user accounts and restored the files from the weekly backup. The infected PC was formatted.

That's why I started this program's development: to alert me if something fishy is happening on the server.
 

Would you also see as a good indicator to highlight processes that have been too active? "Active" in this sense would be defined as a process doing too much of reading/writing the registry, accessing disk, using network (ping, web request, ..) which is something that I'd see virus processes doing like crazy. Distinguishing them from normal executables wouldn't likely be easy. Perhaps looking on the file size as viruses might typically be only a few kilobytes in size? :huh:


That would be possible, but now you are starting to talk about what an antivirus is supposed to do. I was thinking of creating an alert that would check if a service/program stopped working and restart it. Also something that could monitor a connection by pinging a target. But that may be beyond the scope of this project.



#8 DarkPhoeniX


Posted 06 July 2015 - 08:53 AM

Another update is in the bag (1.3.0.0)

Some interesting features have been added, like disabling all the network adapters and disabling user accounts with the notification system.

 

Updates from now on will take longer as all the features I can think of have been added.

Possible bugs/crashes can still remain, so report them if you see them!!





