‎02-10-2020 06:36 PM
‎02-12-2020 11:27 PM
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Username,
  tblFileVersions.FilePathfull,
  tblFileVersions.Filesize,
  tblFileVersions.LastModified
From tblAssets
  Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
  Inner Join tblOperatingsystem On
    tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblFileVersions.FilePathfull Like '%hosts%' And
  tblFileVersions.LastModified > GetDate() - 30 And tblAssets.Assettype = -1 And
  tblOperatingsystem.InstallDate < GetDate() - 30
Order By tblAssets.AssetName
‎02-11-2020 08:17 PM
#Variable Definition
$directoryPath = 'C:\windows\temp'
$directoryName = 'HostsFileCheck'
$fileName = 'HostsFileCheck.txt'
$directoryExist = Test-Path C:\Windows\temp\HostsFileCheck\
$fileExist = Test-Path C:\Windows\temp\HostsFileCheck\$fileName

#Directory existence check. If it doesn't exist, create it.
if ( $directoryExist -eq $False ) {
    New-Item -Path $directoryPath -Name $directoryName -ItemType Directory
}

#Check for the existence of our hash check reference file. If it doesn't exist, create it.
if ($fileExist -eq $False ) {
    $hash1 = Get-FileHash 'C:\windows\system32\drivers\etc\Hosts' | Select-Object -ExpandProperty Hash | Out-File $directoryPath\$directoryName\$fileName
}

#If the file exists, pull the hash value written to it, as well as the hash of the current hosts file.
if ( $fileExist -eq $True ) {
    $content = Get-Content $directoryPath\$directoryName\$fileName
    $hash2 = Get-FileHash 'C:\windows\system32\drivers\etc\Hosts' | Select-Object -ExpandProperty Hash
}

#If the hash from within the hosts file does not match the current hash, send an email alert.
if ( $content -ne $hash2 ) {
    $Subject = "HOSTS file modified - $env:COMPUTERNAME"
    $Message = "The HOSTS file on $env:COMPUTERNAME has been modified. Please investigate if necessary. If this is intentional, the $fileName file must be deleted from: C:\windows\temp\HostsFileCheck\$filename in order to reset the hash check file."
    $From = "anyemailEmail@Organization.com"
    $To = "yourEmail@Organization.com"
    $SmtpServer = "mailserveraddress.com"
    Send-MailMessage -Subject $Subject -Body $Message -From $From -To $To -SmtpServer $SmtpServer
}
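The hash-snapshot script above can only say that the hosts file changed, not what changed. The following is an added example, not part of the thread or any poster's code: it compares the name-to-address mappings of a baseline and a current copy so an alert can list the added and removed entries. The function names `Get-HostsEntry` and `Compare-HostsEntry` and the sample lines are constructed for illustration.

```powershell
# Added example, not from the thread. Function names and sample data are constructed.

function Get-HostsEntry {
    # Turn raw hosts-file lines into normalized "ip hostname" strings,
    # dropping comments and blank lines and splitting multi-name lines.
    param([string[]]$Line)
    foreach ($l in $Line) {
        $active = ($l -split '#', 2)[0].Trim()
        if (-not $active) { continue }
        $fields = @($active -split '\s+')
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            '{0} {1}' -f $fields[0], $name.ToLowerInvariant()
        }
    }
}

function Compare-HostsEntry {
    # Report mappings present on only one side of the comparison.
    param([string[]]$Baseline = @(), [string[]]$Current = @())
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $_ -notin $Baseline })
        Removed = @($Baseline | Where-Object { $_ -notin $Current })
    }
}

# Constructed sample data. In production, read the live file with
#   Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
# and keep the baseline somewhere only administrators can write.
$baselineLines = @(
    '# sample header comment',
    '127.0.0.1   localhost',
    '10.0.0.5    intranet.example.test   # file server'
)
$currentLines = @(
    '127.0.0.1   localhost',
    '10.0.0.5    intranet.example.test',
    '203.0.113.7 login.example.test LOGIN2.example.test'
)

$diff = Compare-HostsEntry -Baseline @(Get-HostsEntry $baselineLines) -Current @(Get-HostsEntry $currentLines)
if ($diff.Added.Count -or $diff.Removed.Count) {
    # Build the alert body; hand this string to whatever alerting is in use.
    $report = @('Added:') + $diff.Added + @('Removed:') + $diff.Removed
    $report -join [Environment]::NewLine
}
```

Because comments and whitespace are normalized away, removing the `# file server` comment in the sample produces no finding, while the two new `203.0.113.7` mappings are listed under `Added:`.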
‎02-12-2020 03:24 PM
RKCar wrote:
What are your requirements?
One or multiple devices?
"Instant" alert?
I don't think you will accomplish anything worthwhile from within Lansweeper unless you are ok with receiving a report like CyberCitizen detailed.
I think you could accomplish something via PowerShell, but you'll need to add a scheduled task to run at whatever interval you are ok with being alerted at. I just created an example of what a script might look like. It essentially takes an initial snapshot of the hash of your hosts file, and then when it is subsequently run, sends you an email if the hash of the hosts file is different than what was written to the file originally.
Testing was minimal and it could technically be circumvented if someone knew the process and modified the file manually. I'm sure there are better ways but I became interested and decided to do this.

#Variable Definition
$directoryPath = 'C:\windows\temp'
$directoryName = 'HostsFileCheck'
$fileName = 'HostsFileCheck.txt'
$directoryExist = Test-Path C:\Windows\temp\HostsFileCheck\
$fileExist = Test-Path C:\Windows\temp\HostsFileCheck\$fileName

#Directory existence check. If it doesn't exist, create it.
if ( $directoryExist -eq $False ) {
    New-Item -Path $directoryPath -Name $directoryName -ItemType Directory
}

#Check for the existence of our hash check reference file. If it doesn't exist, create it.
if ($fileExist -eq $False ) {
    $hash1 = Get-FileHash 'C:\windows\system32\drivers\etc\Hosts' | Select-Object -ExpandProperty Hash | Out-File $directoryPath\$directoryName\$fileName
}

#If the file exists, pull the hash value written to it, as well as the hash of the current hosts file.
if ( $fileExist -eq $True ) {
    $content = Get-Content $directoryPath\$directoryName\$fileName
    $hash2 = Get-FileHash 'C:\windows\system32\drivers\etc\Hosts' | Select-Object -ExpandProperty Hash
}

#If the hash from within the hosts file does not match the current hash, send an email alert.
if ( $content -ne $hash2 ) {
    $Subject = "HOSTS file modified - $env:COMPUTERNAME"
    $Message = "The HOSTS file on $env:COMPUTERNAME has been modified. Please investigate if necessary. If this is intentional, the $fileName file must be deleted from: C:\windows\temp\HostsFileCheck\$filename in order to reset the hash check file."
    $From = "anyemailEmail@Organization.com"
    $To = "yourEmail@Organization.com"
    $SmtpServer = "mailserveraddress.com"
    Send-MailMessage -Subject $Subject -Body $Message -From $From -To $To -SmtpServer $SmtpServer
}
‎02-11-2020 01:45 AM
‎02-12-2020 03:17 PM
CyberCitizen wrote:
You could use custom file scanning to scan details, then have a report that would show last modified time. Then have that report emailed to you on a schedule. But as for the reporting of just the change of date, I am not sure. If you had the report first, you could see what date was listed, then do a greater than check on that date for the report.