November 15, 2017 at 21:56 #8239
I am using a File Integrity Monitor on files encrypted with AxCrypt. When I make changes to those files, Windows does not reflect the current dateTime of the change and it will not trigger any of my FIM rules.
November 15, 2017 at 22:05 #8240
AxCrypt will set the last modified and created time stamps to the current date & time on any encryption operation, and store the original file's time stamps inside the encrypted .axx file as part of the metadata stored there along with the actual encrypted data. So the encrypted .axx file will have time stamps reflecting the time of the encryption, which of course includes an update.
When decrypting, the original unencrypted file's time stamps will be restored.
If you are seeing any other behavior, please explain the exact sequence of events, preferably with screen shots so we can understand just what it is you’re seeing as opposed to what you’re expecting.
November 16, 2017 at 00:01 #8241
Here is the problem, I believe. The actual filename has the extension .xls and AxCrypt makes the extension -xls.axx. In my file integrity monitor the file has the .xls extension. Is there any way to get beyond the -xls.axx so that the FIM agent can get the logs for the actual .xls file?
Hopefully I am asking the right question.
November 16, 2017 at 08:12 #8243
No, you can’t get the FIM agent to “reach inside” the encrypted -xls.axx, since that would require it to have the password for the file, not to mention the code required to interpret the file contents – i.e. support AxCrypt specifically.
I think you’re viewing this from the wrong angle. Let the FIM agent monitor .axx files (in addition to .xls etc etc). From your and the FIM agent's perspective, the .axx file is the file that should be monitored. That ‘is’ the file to all intents and purposes.
Also, I have really no idea what your FIM agent really does, but as far as file integrity is concerned, please know that AxCrypt uses a cryptographically strong keyed checksum (HMAC-SHA-512) to ensure the integrity of the encrypted file. If it is modified in any way after encryption, AxCrypt will detect this.
November 28, 2017 at 21:27 #8312
Does AxCrypt write to the Windows event logs? If so, what does it write? Will it log changes to the file it is protecting?
Thanks Jay
November 29, 2017 at 11:02 #8315
It does no logging of its own to the Windows event logs. If the .NET framework crashes for example, it will log. In either case, AxCrypt will not log any normal activity.
AxCrypt does do its own logging to a text file, and it can be found in %localappdata%\AxCrypt . It will not log normal activity, only error situations and such.
In %localappdata% there is also a file describing the list of files in the recent files view, and the secured folders view. The original file names are encrypted, but not the folder names and encrypted files – after all, they are visible in Windows Explorer anyway so it makes little sense to “hide” them as they are in plain sight anyway.
December 15, 2017 at 23:32 #8612
I have looked high and low for this file %localappdata%\AxCrypt on both the server and my workstation where AxCrypt is loaded. I can’t find that file. Am I doing something wrong or not looking in the right place?
Jay
December 16, 2017 at 13:23 #8614
Jay, “%localappdata%\AxCrypt” is not a file, it’s a directory.
December 16, 2017 at 14:56 #8615
The file in question is %localappdata%\AxCrypt\ReportSnapshot.txt . Note that %localappdata% is expanded by Windows to a directory specific for your installation. Typically something like C:\Users\[Your User Name]\AppData\Local .
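
Following the advice earlier in the thread to let the FIM agent watch the .axx file, here is an added example (not from any poster, AxCrypt, or a FIM product) that maps each watched original name to its encrypted container name and reports changes to the container under the original name. Comparing SHA-256 hashes of the container, the function names, and the sample file names are assumptions made for this sketch.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def axx_name(original: str) -> str:
    # Naming from the thread: "Budget.xls" is stored as "Budget-xls.axx".
    # Applying the same pattern to other extensions is an assumption.
    p = Path(original)
    return f"{p.stem}-{p.suffix.lstrip('.')}.axx"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(folder: Path, watched: list[str]) -> dict[str, str | None]:
    # Hash the encrypted container for each watched original name (None if absent).
    result = {}
    for name in watched:
        target = folder / axx_name(name)
        result[name] = sha256_file(target) if target.is_file() else None
    return result

def diff(baseline: dict, current: dict) -> dict[str, str]:
    # Report changes keyed by the original name, so rules written for .xls still read naturally.
    events = {}
    for name, old in baseline.items():
        new = current.get(name)
        if old != new:
            events[name] = "removed" if new is None else "added" if old is None else "modified"
    return events

def demo() -> dict[str, str]:
    # Constructed sample: dummy bytes stand in for real AxCrypt output.
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        watched = ["Budget.xls", "Payroll.xls", "Notes.docx"]
        (folder / "Budget-xls.axx").write_bytes(b"constructed container v1")
        (folder / "Payroll-xls.axx").write_bytes(b"constructed container A")
        baseline = snapshot(folder, watched)
        (folder / "Budget-xls.axx").write_bytes(b"constructed container v2")  # file re-encrypted
        (folder / "Payroll-xls.axx").unlink()
        (folder / "Notes-docx.axx").write_bytes(b"constructed container N")
        return diff(baseline, snapshot(folder, watched))

if __name__ == "__main__":
    print(demo())
```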