File Integrity Checker

Learn how a file integrity checker (FIC) identifies changes made to files.

Overview

A file integrity checker (FIC) monitors specific files on a device for unauthorized changes. Critical system files, whose alteration could result in system compromise, are a good place to start. However, files change all the time on a device. The key is to determine which files are worth monitoring from a security standpoint and to make the FIC aware when authorized changes will take place to prevent false positives from being triggered.

Identification of differences in system files

Ideally, our organization should have a base image of all operating systems used on the production network. This helps identify what the system files should look like. Any difference between the base image version of a file and what’s on a device should be investigated to rule out malicious activity. The FIC can make these comparisons.

How it works

An FIC runs on a device and takes daily fingerprints of the monitored files. This fingerprint is often in the form of a checksum, otherwise known as a hash value. Any change in a file will result in a completely different hash value compared to the file’s fingerprint before the change.

Get hands-on with 1400+ tech skills courses.