
GFI launches new entry level intrusion detection system (IDS) as freeware: GFI LANguard S.I.M.

Provides intrusion detection, forensic evidence gathering, website monitoring and system recovery capabilities on Windows 2000/XP servers & workstations

London, UK, 12 December 2002 - Knowledge, reputation and customers take years of hard work to acquire - but can all be lost in minutes. That's as long as it takes for a malicious attacker or discontented employee to plant a Trojan that can undo years of hard work. Seeing an attack as it happens, stopping its progress, recovering any lost files, and discovering the cause are essential conditions for business continuity in the connected world. Now all this can be achieved with GFI's new freeware intrusion detection system, GFI LANguard System Integrity Monitor (S.I.M.).

Monitors important system files for changes
Like all good ideas, the underlying concept is simple, while the implementation is elegant. For an intruder to leave a Trojan that is not immediately apparent, he or she needs to modify existing files; for a malcontent employee to cause damage, he or she needs to change or destroy files. GFI LANguard S.I.M. runs as a service and monitors important system files. If anything happens to them, it immediately sends an alert to an administrator.

GFI LANguard S.I.M. works by generating a checksum for the important files. This is done with MD5, an industry standard one-way hash algorithm developed by one of the world's greatest cryptographers (Ronald Rivest, the 'R' in 'RSA'). The resulting checksum is then stored in a GFI LANguard S.I.M. database. At predetermined intervals a new checksum is generated and compared to the one stored in the database. If it differs, this means that the file has changed and is therefore suspect. An email alert is immediately sent to an administrator.
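The baseline-and-compare cycle described above, as an added Python illustration that is not GFI's code: all function names are hypothetical, the monitored files are constructed temporary files, and SHA-256 is swapped in for MD5, which is no longer collision-resistant. The sample change keeps the file's size and timestamp, so only the content hash reveals it.

```python
import hashlib
import os
import tempfile

ALGO = "sha256"  # assumption: swapped in for the MD5 named in the release

def file_digest(path, algo=ALGO):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """First run: record one digest per monitored file (the 'database')."""
    return {p: file_digest(p) for p in paths}

def compare(baseline):
    """Scheduled run: re-hash and report files that changed or vanished."""
    findings = {}
    for path, stored in baseline.items():
        try:
            if file_digest(path) != stored:
                findings[path] = "modified"
        except FileNotFoundError:
            findings[path] = "deleted"
    return findings

def demo():
    """Constructed sample: temp files stand in for monitored system files."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("a.dll", "b.exe", "c.sys")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original")
        baseline = build_baseline(paths)
        st = os.stat(paths[0])
        with open(paths[0], "wb") as f:
            f.write(b"tampered")  # same length as the original content
        os.utime(paths[0], ns=(st.st_atime_ns, st.st_mtime_ns))  # old mtime
        os.remove(paths[1])
        return {os.path.basename(p): v for p, v in compare(baseline).items()}

if __name__ == "__main__":
    print(demo())
```

Keep the stored baseline on read-only or separate storage so that it stays trustworthy as the reference.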

The effect is that system files cannot be infected by Trojans or viruses without the administrator immediately knowing about it - even where the culprit is new malware that cannot yet be detected by traditional anti-virus applications. The administrator is in a position to take immediate action. He or she will be told about all infected/modified files throughout the LAN, and will consequently be able to disinfect the system thoroughly without fear of re-infection from missed files.

The sequence of events is also securely logged to the GFI LANguard S.I.M. event log, which can be viewed from the Windows Event Log Viewer, meaning that:

  • it is relatively easy to restore the system to full health (because the administrator knows which files have been affected);
  • the administrator can build evidence against the perpetrator (which is particularly useful when the culprit is an insider); and
  • administrators can get an insight into any external hacker's true intentions.

"It is essential for administrators to know when important system files have been modified or deleted, but to date this information has been extremely cumbersome to attain. Using GFI LANguard S.I.M., administrators now have a simple but effective way to receive notifications about such changes as they occur," said André Muscat, GFI LANguard S.I.M. product manager.

Integration with GFI LANguard S.E.L.M.
GFI LANguard S.I.M. integrates with GFI LANguard Security Event Log Monitor (S.E.L.M.), GFI's host-based intrusion detection system designed to monitor Windows-based networks for security breaches in real time. GFI LANguard S.E.L.M. continuously scans the security event logs of all Windows NT/2000/XP machines on a network. If it detects an anomalous event such as a non-authorized user accessing a restricted file, it sends out real-time alerts to the system administrators, allowing immediate attention to potential attacks and intrusions as they occur.

When used in tandem with the workstation-based GFI LANguard S.I.M., a particular strength is in its consolidation and reporting capabilities. Since a high percentage of malicious attacks stem from insiders, GFI LANguard S.E.L.M. can correlate the data provided by GFI LANguard S.I.M. to highlight suspicious behavior, failed logons, and unauthorized attempted object accesses or replacements. Such behavioral patterns can be used to identify potential insider problems before they cause serious damage.

More GFI LANguard S.I.M. features
GFI LANguard S.I.M. also includes these features:

  • Multiple scan jobs allowing administrators to monitor different types of files at different intervals.
  • Email alerts can be sent to different people for different scan jobs.
  • Scans website pages for changes, and can detect web vandalism immediately.
  • Tamperproof - it logs file changes to the GFI LANguard S.I.M. Event Log.

More information and a free copy of the product are available at http://www.gfi.com/lansim/index.html.

About GFI
GFI is a leading developer of network security, content security and messaging software. Thanks to award-winning technology, an aggressive pricing strategy and a strong focus on small and medium-sized businesses, GFI helps companies around the world achieve maximum continuity and productivity. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong and Adelaide, which support more than 200,000 installations worldwide. GFI is a channel-focused company with more than 10,000 partners around the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.nl.

All product and company names mentioned may be trademarks of their respective owners.


