On a VM (VirtualBox) Windows 8.1 is installed. On this machine I study the behavior of malware that encrypts files.

Actions:

1> I start the file monitor (I then want to track the changes through its logs)

2> I launch malware

After a while the computer restarts, and the log kept by the file monitor is encrypted as well.

Question: how can the log be "protected" from changes?

I wouldn't want to write it to storage outside the VM, because that may not help: if the file monitor can see that drive, the malware will see it too.

  • And what if the malware is run under a user with limited rights, the monitor runs under the administrator, and the file accordingly has rights only for the administrator? .. - spopovru
  • @spopovru, the malware appears on the machine as follows: there is a JS script that pulls a file from a remote server, and then this file is executed. So I do not run the binary myself. If it matters, I'll clarify: it pulls some file, for example with a .jpeg extension; it looks harmless outwardly, but the malware itself is hidden behind this picture, somehow packaged that way. Is your method possible given the above? - isnullxbh
  • I think yes. Unfortunately, there is no way for me to check. I see it something like this: in the VM you create an admin user and a user with limited rights. Log in as the admin, create the log file, set access to it only for the admin, start the monitor. Log in as the normal user, catch the malware. Ideally, the file should remain intact ... The easiest way is to create a VM snapshot and check, because my answer is rather theoretical, and the result depends, in particular, on the specific sample. - spopovru
  • @spopovru, thanks for the help, I'll try. As for the snapshots: are there any tools that compare snapshots and show changes in the file system, settings, or something like that? - isnullxbh
  • @isnullxbh: Does the file monitor that you use know how to send reports by mail or other Internet protocol? - MAN69K
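One way to set up the admin-only log file that the comments suggest, as an added example (not code from the original thread). It assumes the monitor writes to C:\monlog\monitor.log, a path chosen here for illustration, and is run from an elevated PowerShell prompt on the analysis VM:

```powershell
# Added example: create a log directory and file that only Administrators and SYSTEM can touch.
# The path is an assumption for illustration; point it at wherever the file monitor writes.
$logDir  = 'C:\monlog'
$logFile = Join-Path $logDir 'monitor.log'

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
New-Item -ItemType File -Path $logFile -Force | Out-Null

# Drop inherited ACEs (/inheritance:r) and replace the explicit ones (/grant:r) with
# full control for the built-in Administrators group and SYSTEM only.
# Well-known SIDs are used instead of names so this also works on a localized Windows:
#   S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = NT AUTHORITY\SYSTEM
icacls $logDir  /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F'
icacls $logFile /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F'

# Verify: no Users/Everyone/Authenticated Users entry should remain on the file.
(Get-Acl $logFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two caveats worth keeping in mind when you test this against a snapshot: with UAC enabled, an administrator account that is merely logged in runs with a filtered (non-elevated) token, so the monitor must actually be started elevated or it will not be able to write to the file either; and the restriction only holds for as long as the malicious process really runs under the limited account, so the check to make before trusting the log is which user the dropped payload ends up executing as.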
