Windows 10: Sysmon 11.0 is out with file delete monitoring

Microsoft released a new version of Sysinternals Sysmon (System Monitoring) program for Microsoft Windows devices this week. Sysmon 11.0 is a major update of the application; users may download the latest version of the program from the official Sysinternals website or launch the new version of the tool directly using Sysinternals Live.

Sysmon is a specialized system monitor tool for Windows 7 and up that installs as a system service and device driver. The application monitors events on the system commonly used by attackers, e.g. by malware attacks, and logs these to the Windows event log.

The program monitors important activity such as the creation of processes and their termination, network connections, the loading of drivers, the creation of files, or Registry Events when it is active.

Sysmon 11.0 adds a new event to the list of monitored activity on Windows devices. Event 23, FileDelete, monitors all file removal activity on the Windows machine; this gives administrators options to see all files that were deleted on a system while Sysmon was active.

One of the reasons for adding file delete monitoring came from Microsoft's own experience. The company noted that attackers who successfully got into company machines would drop tools on the machine, use these, and delete these when they were done. The new file delete monitoring provides analysts with information about the tools that the attacker used on the system. Naturally, file deletion activity covers other types of deletions as well when it is used.

Here is a video by Mark Russinovich that offers additional details on the update:


Installation of Sysmon is straightforward. All that needs to be done is to download the latest archive version of the program and extract it on the target system. You may check the configuration using sysmon -s using the command prompt, and install the monitoring service using sysmon -accepteula -i; this uses the default configuration. To uninstall sysmon, run sysmon -u from the command line.



Advanced users can use configuration files to customize the monitoring, e.g. to ignore certain activity on the system. The new version of Sysmon comes with a flag to disable reverse DNS lookups to avoid DNS servers being overloaded by requests from the tool.

Now You: do you use Sysinternals tools?

Thank you for being a Ghacks reader. The post Sysmon 11.0 is out with file delete monitoring appeared first on gHacks Technology News.

read more...

 

deleting hard drive files

Hi,

May we know what type of file are you trying to delete? Would it be Office documents, media files, or picture files? If you're trying to delete files for free some space on your device. We suggest to perform a Disc Cleanup. Kindly follow the steps below to
perform the task:

• Type in Cortana Disc Cleanup
  
• Choose the files to delete
  
• Click on "Clean up system files"
  
• Click on Ok
  

For any concerns, don't hesitate to get back to us.

Regards.

 

0 byte folder cannot be deleted Problem

I have a 0 byte folder and I can't delete it. I'm using win 7 64 bit.
please help *Cry :cry:

It says access denied when trying, please login as admin blah blah msgs....

I've searched the net for hours, Trying unlocker, fileassassin, and all other 'file deleter' programs out there. tried on safe mode, tried the cmd commands, even in cmd it says access denied, tried the closing explorer.exe and doing the command. I tried changing permissions and atrributes and it says you do not have permission to view or edit this objects permission settings. I logged in as the Administrator and still no hope.

the folder originally contained all my movies but since then i moved(using the move command) all of them someplace else(on another hdd) and I thought it was gone but the folder is still there, 0 bytes. It was shared when i deleted it and still appeared on the shared folders list but inaccessible coz it was already deleted so i 'unshared' the folder from the shared folders list. and so the problem began. the folder is still there and it is undeletable

One surefire way to do it without deleting my files is copying all other files to another HDD and reformat it and copy it back again but my hdd is currently contains 1 tb out of 1.36 and i dont have any hdds with that free space to use.

ALSO I CAN'T OPEN THE FOLDER it says

Location is not available

'directory' is not accessible.
Access is Denied.

i think its more of a windows glitch than a virus problem

help??? *Frown

 

Deploy Sysmon at scale

Hi,

I would like to deploy Sysmon at scale and also want to have ability manage configuration files if required using central distribution point...

Does anybody know the best way how to to achieve this?

Also I would like to keep everything as simple as I can...

I know that I can use GPO or make scripts, but wanted to know what is preferred way of doing this.

The installation should be done on Win7 and Win10 desktop PCs.

Regards,

Audrius