|
|
The File Watch module reports changes to files since the last snapshot update and violations of template settings.
Most module security checks use File Watch templates, which define the files, folders, and operating systems that are watched, the depth of folder traversal, and the types of changes that are reported. These templates have .fw file extensions.
The Malicious files security check uses Malicious File Watch templates, which define known attack files and signature patterns. These files have .mfw extensions.
The Changed file (signature) security check uses File Signatures templates to compare the file signatures on the agent with the signatures that are stored in templates on Symantec ESM 5.1 and 5.5 managers. These templates have .fs file extensions.
You can use some File Watch messages to update snapshot or template files to match current agent settings. Updatable messages are identified as TU or SU types in the descriptions of checks that use them.
The File Watch messages that are not mapped to specific security checks are generated by the following:
The function that creates the baseline snapshot file the first time when the File Watch module is run on an agent
Checks and options that require enabled templates that are specified in the Files/ directories to watch option, the Malicious files check, and the Invalid signature check
Security checks that cannot locate, and therefore cannot check, a file or a directory that is listed in a template
Security checks that find a template entry for a remote file or directory that cannot be checked because the Local disks only option is enabled on a UNIX agent