File integrity monitoring
File integrity monitoring (FIM) is one way to detect changes to the files on a known filesystem and, in the case of Windows, to the registry. Typically, when a system has malicious activity, either changes are made to existing files or harmful files are placed in critical areas of the filesystem. To detect these changes, FIM tools create a hash database of the known good versions of the files in each filesystem location. The tool can then scan the filesystem, periodically or in real time, looking for any changes to the installation, including known files and directories. Hashing is used because any variation in a file will result in a different hash value, which confirms that there has been a change to the file, directory, or registry. The tool will then create an event that needs to be reviewed to ensure the detected addition, removal, or modification was expected. If it was, the reviewer can comment and accept the new hash as the new baseline. Any subsequent...
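
The baseline, scan and accept cycle described above, as an added Python example that is not part of the original page. The function names, the choice of SHA-256 and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each file's path (relative to root) to its hash."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in Path(root).rglob("*") if p.is_file()}

def compare(baseline, current):
    """Return sorted (event, path) tuples for every difference from the baseline."""
    events = [("added", p) for p in current.keys() - baseline.keys()]
    events += [("removed", p) for p in baseline.keys() - current.keys()]
    events += [("modified", p) for p in baseline.keys() & current.keys()
               if baseline[p] != current[p]]
    return sorted(events)

def accept(baseline, current, path):
    """Reviewer approved the change to path: its current state becomes the baseline."""
    if path in current:
        baseline[path] = current[path]
    else:
        baseline.pop(path, None)  # an approved removal drops the entry

def demo():
    """Constructed sample tree: baseline it, change it, scan, accept one event."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.conf").write_bytes(b"port=443\n")
        Path(root, "old.log").write_bytes(b"x")
        baseline = snapshot(root)                            # known-good state
        Path(root, "app.conf").write_bytes(b"port=8443\n")   # modification
        Path(root, "old.log").unlink()                       # removal
        Path(root, "dropped.dll").write_bytes(b"MZ")         # addition
        current = snapshot(root)
        first = compare(baseline, current)
        accept(baseline, current, "app.conf")                # expected change, approved
        second = compare(baseline, current)
    return first, second

if __name__ == "__main__":
    print(demo())
```

The second scan still reports the added and removed files, because only the reviewed change to app.conf was accepted into the baseline.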