Microsoft Windows Device Monitor
One of the biggest risks we have in an enterprise is the introduction of viruses which can have many adverse effects in your network and related resources. Some of them include and are not limited to:
- Create a backdoor into your environment which a bad actor (hacker) will use for his benefit and your losses;
- Allow for malware ‘loader’ to download the actual payload from a Command and Control (C2C) centre
- Waste resources
- and more…
This is normally introduced by privileged users such as Administrator that brings in an infected USB drive and plugs it into a workstation or a server with anti-virus software not running or not properly updated. Now the malware is inside your network and you are a pawn in the cyberwar game. Your system can be a springboard for criminal activities. your data can be sold on the dark-web or you can be a victim of ransomware. There are a few steps you can such as locking down USB ports as part of your DLP implementation. You should have an Acceptable Use Policy that users have acknowledged and signed. This does not stop the action and it is also recommended to monitor activity of users’ transgressions.
Enter the SACS Device Monitor
SACS Device Monitor is a tiny Windows Service that is configurable which allows you to monitor Microsoft Windows devices such as USB and Bluetooth ports and log this using a SYSLOG message format to your logging servers. There are four (4) attributes that can be configured via the registry and they are:
- The SYSLOG server address. Either FQDN or the IP address. (If a small office environment this can be set as a broadcast address i.e. 255.255.255.255)
- The port on the remote server, default is UDP 514
- Verbose logging – True or False
- Monitor Bluetooth – True or False
Download version 1.0 from this website. DOWNLOAD
The hash signature: MD5: 857d39768d274b22bfceee5c34cebdb0
- 25 June 2017 – Initial Release – Version 1.
Device monitor is one of the utilities that will allow you to monitor your environment without installing ‘bloatware’. You do not need any additional libraries such as .NET. It is as small and light on traffic as possible.
If you need a setup with specific IP or FQDN, send an email and I will assist. Send an email to be included for any news and updates. A subscription page is coming.