Microsoft releases free tool to identify malware activity

Microsoft today released a free tool that reports changes to the system which can indicate malicious or anomalous activity. The tool is called Sysmon, it is part of Microsoft's Sysinternals suite, and it is available for Windows Vista, Windows 7 and Windows 8.


Sysmon starts early in the boot process so that it can capture activity even from sophisticated kernel-mode malware. Unlike antivirus software, Sysmon is not designed to actively search for or prevent malware and virus infections; instead the tool reports events such as the executable image of a process being changed.

The software also reports when the creation date of a file is changed, which, according to Microsoft, is a method often used by malware developers to cover their tracks. Sysmon is also able to monitor network connections, but that feature is disabled by default. The tool can only reveal malware and virus infections that become active after the software is installed.

Sysmon runs as a Windows service and writes its reports to the Windows Event Log. The Sysinternals suite contains more tools for sysadmins, such as a tool to capture and analyse network traffic and a tool to monitor all activity on the filesystem.
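As an added example that is not part of the article, the following PowerShell script shows how an administrator would install Sysmon with the (default-off) network monitoring switched on and then read the two kinds of events the article describes, file creation time changes and network connections, back out of the Windows Event Log. The installation switches and the event IDs (2 for a changed file creation time, 3 for a network connection) come from Sysmon's own documentation rather than from the article; the path to sysmon.exe and the log channel name are assumptions for the example, and the helper function name is made up for illustration.

```powershell
# Added example (not from the article): install Sysmon with network
# connection monitoring enabled, then pull the events the article mentions
# out of the Windows Event Log. Event IDs are from Sysmon's documentation:
#   2 = file creation time changed, 3 = network connection detected.
# Run from an elevated PowerShell prompt; the sysmon.exe path is assumed.

# One-time installation: -i installs the service and driver, -n enables
# network monitoring (off by default), -accepteula suppresses the licence prompt.
& "C:\Tools\Sysmon\sysmon.exe" -accepteula -i -n

# Helper (hypothetical name): flatten the EventData section of a Sysmon
# event record into a readable object so the interesting fields stand out.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($Event.Id -eq 2) {
        # Timestamp tampering: which file, and what the old and new creation times were
        $target = $data['TargetFilename']
        $detail = "created=$($data['CreationUtcTime']) previously=$($data['PreviousCreationUtcTime'])"
    } else {
        # Network connection: where the process connected to and over which protocol
        $target = "$($data['DestinationIp']):$($data['DestinationPort'])"
        $detail = $data['Protocol']
    }

    [pscustomobject]@{
        Time   = $Event.TimeCreated
        Id     = $Event.Id
        Image  = $data['Image']   # the process responsible for the event
        Target = $target
        Detail = $detail
    }
}

# Report file creation time changes (ID 2) and network connections (ID 3)
# logged by Sysmon during the last hour. The channel name is the one Sysmon
# registers; -ErrorAction keeps the script quiet when no events exist yet.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 2, 3
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Format-Table -AutoSize
```

Because Sysmon only records what happens after it is installed, the query is only useful for activity that occurred after the installation step; a file whose creation time was altered beforehand leaves no ID 2 event to find.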
