Rocksolid Light

PCI: change-detection mechanism

https://news.novabbs.org/computers/article-flat.php?id=77859&group=alt.comp.os.windows-10#77859
Path: i2pn2.org!i2pn.org!news.neodome.net!news.mixmin.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: T@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: PCI: change-detection mechanism
Date: Mon, 29 Jan 2024 07:04:51 -0800
Organization: A noiseless patient Spider
Lines: 34
Message-ID: <up8eqj$gg43$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 29 Jan 2024 15:04:51 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="c2086c3924e5aeeebc0fad04a649dbdc";
logging-data="540803"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18LyuXYkK7svbb182IwLwpEDJzbyRDEIB4="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:cA5C1AEwxZqlotetvZ+fC/R3I7w=
Content-Language: en-US
 by: T - Mon, 29 Jan 2024 15:04 UTC

Hi All,

Windows 10 and 11, Pro, 22H2

Any idea how I would implement this Payment Card Industry
requirement:

https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf

11.5.2, pg 61: A change-detection mechanism (for example,
file integrity monitoring tools) is deployed as follows:

• To alert personnel to unauthorized modification
(including changes, additions, and deletions) of critical
files.

• To perform critical file comparisons at least once weekly.

Applicability Notes, pg 62:

For change-detection purposes, critical files are usually
those that do not regularly change, but the modification
of which could indicate a system compromise or risk of
compromise. Change-detection mechanisms such as file
integrity monitoring products usually come pre-configured
with critical files for the related operating system. Other
critical files, such as those for custom applications, must
be evaluated and defined by the entity (that is, the merchant
or service provider).

Many thanks,
-T
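The comparison half of 11.5.2 (baseline the critical files, rehash them on a schedule, report changes, additions and deletions) can be shown in a few dozen lines. The script below is an added example written for this page; it is not part of the thread and not one of the tools discussed in it. The directory tree, the file names and the baseline path are constructed inside the script; a real deployment would point the root at the files the entity has defined as critical, keep the baseline somewhere the monitored host cannot silently rewrite it, and run the comparison at least weekly.

```python
"""Minimal file-integrity baseline/compare in the spirit of PCI DSS 11.5.2.

Added example, not from the thread.  Builds a SHA-256 baseline of a
directory tree, stores it as JSON, and on the next run reports additions,
modifications and deletions.  The sample tree is constructed below.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX style) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            try:
                baseline[rel] = sha256_file(p)
            except PermissionError:
                # Same problem hashdeep runs into; record it instead of skipping silently.
                baseline[rel] = "UNREADABLE"
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences the way 11.5.2 words them: changes, additions, deletions."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate one change of each kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "critical"
        (root / "conf").mkdir(parents=True)
        (root / "conf" / "app.ini").write_text("debug=0\n")
        (root / "service.exe").write_bytes(b"\x4d\x5a original")
        (root / "old.dll").write_bytes(b"stale")

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        (root / "conf" / "app.ini").write_text("debug=1\n")  # modification
        (root / "new.dll").write_bytes(b"dropped in")        # addition
        (root / "old.dll").unlink()                          # deletion

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind:<8} {p}")
```

The alert lines are where an e-mail hook would go; the part that matters for an assessor is that the baseline is stored out of reach of the host being checked, otherwise an intruder who can alter the critical files can alter the hashes too.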

Re: PCI: change-detection mechanism

https://news.novabbs.org/computers/article-flat.php?id=77863&group=alt.comp.os.windows-10#77863
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: PCI: change-detection mechanism
Date: Mon, 29 Jan 2024 14:16:39 -0500
Organization: A noiseless patient Spider
Lines: 142
Message-ID: <up8tio$j738$1@dont-email.me>
References: <up8eqj$gg43$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 29 Jan 2024 19:16:40 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="21fbaf080c1d9f32b1e834d693c8c0ce";
logging-data="629864"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/xixd1F/TqY92uijZ1eqEocyX1D7bk2rU="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
Cancel-Lock: sha1:SUzBK0ceLwwN4JnkkMHcAw9Jf9c=
In-Reply-To: <up8eqj$gg43$1@dont-email.me>
Content-Language: en-US
 by: Paul - Mon, 29 Jan 2024 19:16 UTC

On 1/29/2024 10:04 AM, T wrote:
> Hi All,
>
> Windows 10 and 11, Pro, 22H2
>
> Any idea how I would implement this Payment Card Industry
> requirement:
>
> https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf
>
>     11.5.2, pg 61: A change-detection mechanism (for example,
>     file integrity monitoring tools) is deployed as follows:
>
>     • To alert personnel to unauthorized modification
>     (including changes, additions, and deletions) of critical
>     files.
>
>     • To perform critical file comparisons at least once weekly.
>
>     Applicability Notes, pg 62:
>
>     For change-detection purposes, critical files are usually
>     those that do not regularly change, but the modification
>     of which could indicate a system compromise or risk of
>     compromise. Change-detection mechanisms such as file
>     integrity monitoring products usually come pre-configured
>     with critical files for the related operating system. Other
>     critical files, such as those for custom applications, must
>     be evaluated and defined by the entity (that is, the merchant
>     or service provider).
>
>
> Many thanks,
> -T

Rather than me designing something in C, maybe we could think
about where this requirement is coming from.

To avoid PCI compliance, you could move the payment thing to
separate equipment, on a separate network. Making it easier to
prove compliance.

You don't really want staff in the office, picking up a phone,
listening to customer request, and bringing up a CC processing
application and typing in the details. As now the computer has
to meet PCI.

WinCE may have been replaced by Win10 IoT (Win10 without standard
graphics). But that hardly seems like good material for the job.

*******

The easiest way to meet change detection, is to virtualize, and
checksum the container each time before execution.

Windows 10 Sandboxed applications, use a miniature image of the
OS stored in memory. Presumably a copy of this is made as a mini-container,
to run an application the user wants Sandboxed. I do not know whether
the container is checksummed or scanned or anything else. But this
amounts to Microsoft taking advantage of the inverted hypervisor
running on every PC.

The software that public libraries use, or the software that
Internet Cafes use, it reboots between every customer. And this
wipes out the "state", including presumably, attempts to tip over
the OS. This is not bulletproof however, because miscreants do manage
to tip over library machines. It's not like rebooting from a read-only
image, is good enough in any absolute sense.

Virtualization is not a guarantee either, as at least applications
in containers, know they're in a container. If they need to carry
out an attack, it's not like they've been "fooled about where they are".
I ran into this years ago, when evaluating a video filter, and the
filter installer said "you cannot install this software in a virtual machine".
It also detected WINE when I tried it. The installer was a more clever
design, than the software the guy was actually trying to sell.

*******

In any case, Windows Defender scans critical files when Windows 10 or Windows 11
boots up. That's what the delay is, on hard drive based systems. But because
this does not say on the tin "our behavior is perfect for PCI compliance",
any observation "it's doing some good things" matters not a lot when
filling out your form stating the stack on the hardware you support
really is PCI compliant.

When Windows has "Cloud Based Protection" turned on, it can do the equivalent
of Virustotal and send up a hash and see if it exists or see if the
application is unique. Then, it can squash something flat, if it thinks
the "reputation" isn't good enough. I think possibly someone's attempt to
download a quick-turn version of BetterBird, WD quarantined the download rather
than allow the user to use it.

The level of defenses people here have seen, will depend to some extent
to "how many things they switched off". I don't run any Sandbox behaviors
here, and I have Cloud Protection switched off (in the hope there will be
fewer false positives). Some of these features really aren't observable,
and I couldn't say a thing positive or negative about them.

I don't think Windows uses Tripwire as an approach, which is kind of what
PCI quoted in your post is implying. Windows has Windows Defender, which
does signature analysis, and it may not necessarily be using a Tripwire
approach as such. This means you can't honestly make any bold assertions,
unless some learn.microsoft.com page says explicitly "we do Tripwire while
you sleep".

If I Google PCI Compliance, all I get for answers is adverts for services
by middlemen. Without a lot of nifty observations about stuff that
just happens to accidentally meet the requirements. I wasn't able to
gain any foothold that way. Perhaps a Reddit search would pick something up.

If you have the CoPilot trial running on your desk, you can try CoPilot.
I've noticed, the last time I tried CoPilot, the I/O rate over the
network has slowed considerably, and the "fluid typing" the AI used
to do, is degraded a lot.

CoPilot answers tend to be filled with Waffles, so it's hardly all that useful.

OK, so let's try that. I will ask CoPilot

"Which version of Windows 10 is PCI Compliant?"

"According to the web search results, Windows 10 is certified as compliant under PCI DSS version 3.2
at Service Provider Level 1 (1). However, this does not automatically mean that any service or
application built or hosted on Windows 10 is also PCI compliant. Customers are responsible for
ensuring that they meet the PCI DSS requirements for their specific scenarios (1). You can use the
Security Compliance Toolkit (2) to help you manage and test your security configuration baselines
for Windows 10. You can also use Windows Defender and other Microsoft security products to enhance
your protection against malicious code and other threats (3). For more information and guidance,
you can check out the web search results 1, 2, 3, and 4.

https://learn.microsoft.com/en-us/compliance/regulatory/offering-pci-dss
https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10
https://download.microsoft.com/download/C/7/7/C778B7BB-0783-42D7-93A9-B86DFB5A7BAD/Coalfire_Branded_Windows_Defender_Whitepaper_EN_US.pdf
https://www.dnsstuff.com/pci-compliance-software

The first reference (1) is Not Applicable.
The second reference (2), has nothing to do with Tripwire (hashing) as an approach.
The third reference (3) is at least focused on answering assessment questions. You could read that one for a laugh (PDF).
And the fourth one, I'm not even going to look :-/ That would be like my Google Search. Pointless.

Paul

Re: PCI: change-detection mechanism

https://news.novabbs.org/computers/article-flat.php?id=77870&group=alt.comp.os.windows-10#77870
Path: i2pn2.org!i2pn.org!news.neodome.net!news.mixmin.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: T@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: Re: PCI: change-detection mechanism
Date: Mon, 29 Jan 2024 12:42:32 -0800
Organization: A noiseless patient Spider
Lines: 48
Message-ID: <up92jp$k2hu$1@dont-email.me>
References: <up8eqj$gg43$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 29 Jan 2024 20:42:34 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="c2086c3924e5aeeebc0fad04a649dbdc";
logging-data="657982"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19RTt6vuiv+pURUNqaUuhSv/7MaODCW1iE="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:rwPe/v8FOvTPiL7079X7L3/wkWE=
In-Reply-To: <up8eqj$gg43$1@dont-email.me>
Content-Language: en-US
 by: T - Mon, 29 Jan 2024 20:42 UTC

On 1/29/24 07:04, T wrote:
> Hi All,
>
> Windows 10 and 11, Pro, 22H2
>
> Any idea how I would implement this Payment Card Industry
> requirement:
>
> https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf
>
>     11.5.2, pg 61: A change-detection mechanism (for example,
>     file integrity monitoring tools) is deployed as follows:
>
>     • To alert personnel to unauthorized modification
>     (including changes, additions, and deletions) of critical
>     files.
>
>     • To perform critical file comparisons at least once weekly.
>
>     Applicability Notes, pg 62:
>
>     For change-detection purposes, critical files are usually
>     those that do not regularly change, but the modification
>     of which could indicate a system compromise or risk of
>     compromise. Change-detection mechanisms such as file
>     integrity monitoring products usually come pre-configured
>     with critical files for the related operating system. Other
>     critical files, such as those for custom applications, must
>     be evaluated and defined by the entity (that is, the merchant
>     or service provider).
>
>
> Many thanks,
> -T
>

This looks like it will work, but
it looks too stripped. I need alerts
eMailed to me:

http://www.nirsoft.net/utils/folder_changes_view.html

Maybe if I could get at a log file, I can write
a program to sift through it and mail out alerts?
I'd rather it came with it though.

-T

Re: PCI: change-detection mechanism

https://news.novabbs.org/computers/article-flat.php?id=77874&group=alt.comp.os.windows-10#77874
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: T@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: Re: PCI: change-detection mechanism
Date: Mon, 29 Jan 2024 15:23:08 -0800
Organization: A noiseless patient Spider
Lines: 58
Message-ID: <up9c0s$lic0$1@dont-email.me>
References: <up8eqj$gg43$1@dont-email.me> <up92jp$k2hu$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 29 Jan 2024 23:23:09 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="097aa8b4db700735daa19eb043da98e8";
logging-data="706944"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19XhnMxagQh5xsf3/mOstDpNz/ZaR5klxI="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:7zvuzudhW9RWnQGovlUsQ0Ltv8w=
Content-Language: en-US
In-Reply-To: <up92jp$k2hu$1@dont-email.me>
 by: T - Mon, 29 Jan 2024 23:23 UTC

On 1/29/24 12:42, T wrote:
> On 1/29/24 07:04, T wrote:
>> Hi All,
>>
>> Windows 10 and 11, Pro, 22H2
>>
>> Any idea how I would implement this Payment Card Industry
>> requirement:
>>
>> https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf
>>
>>      11.5.2, pg 61: A change-detection mechanism (for example,
>>      file integrity monitoring tools) is deployed as follows:
>>
>>      • To alert personnel to unauthorized modification
>>      (including changes, additions, and deletions) of critical
>>      files.
>>
>>      • To perform critical file comparisons at least once weekly.
>>
>>      Applicability Notes, pg 62:
>>
>>      For change-detection purposes, critical files are usually
>>      those that do not regularly change, but the modification
>>      of which could indicate a system compromise or risk of
>>      compromise. Change-detection mechanisms such as file
>>      integrity monitoring products usually come pre-configured
>>      with critical files for the related operating system. Other
>>      critical files, such as those for custom applications, must
>>      be evaluated and defined by the entity (that is, the merchant
>>      or service provider).
>>
>>
>> Many thanks,
>> -T
>>
>
>
> This looks like it will work, but
> it looks too stripped.  I need alerts
> eMailed to me:
>
> http://www.nirsoft.net/utils/folder_changes_view.html
>
> Maybe if I could get at a log file, I can write
> a program to sift through it and mail out alerts?
> I'd rather it came with it though.
>
> -T

This one looks like it will work. 800 U$D for a 10 user
license and has alerts eMailing. 21 day trial and a
free version (no alerts though).

https://directorymonitor.com

Re: PCI: change-detection mechanism

https://news.novabbs.org/computers/article-flat.php?id=77890&group=alt.comp.os.windows-10#77890
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: PCI: change-detection mechanism
Date: Mon, 29 Jan 2024 22:37:05 -0500
Organization: A noiseless patient Spider
Lines: 213
Message-ID: <up9qt3$rbep$1@dont-email.me>
References: <up8eqj$gg43$1@dont-email.me> <up92jp$k2hu$1@dont-email.me>
<up9c0s$lic0$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 30 Jan 2024 03:37:07 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="18f6e294eeb20fc3c515286f29da2219";
logging-data="896473"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19+RVPSfdYBrWODb3sZorl7wWTZpq7slpw="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
Cancel-Lock: sha1:CBGxxbSs5jbG5XLSfwy5u1TMXhY=
In-Reply-To: <up9c0s$lic0$1@dont-email.me>
Content-Language: en-US
 by: Paul - Tue, 30 Jan 2024 03:37 UTC

On 1/29/2024 6:23 PM, T wrote:
> On 1/29/24 12:42, T wrote:
>> On 1/29/24 07:04, T wrote:
>>> Hi All,
>>>
>>> Windows 10 and 11, Pro, 22H2
>>>
>>> Any idea how I would implement this Payment Card Industry
>>> requirement:
>>>
>>> https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf
>>>
>>>      11.5.2, pg 61: A change-detection mechanism (for example,
>>>      file integrity monitoring tools) is deployed as follows:
>>>
>>>      • To alert personnel to unauthorized modification
>>>      (including changes, additions, and deletions) of critical
>>>      files.
>>>
>>>      • To perform critical file comparisons at least once weekly.
>>>
>>>      Applicability Notes, pg 62:
>>>
>>>      For change-detection purposes, critical files are usually
>>>      those that do not regularly change, but the modification
>>>      of which could indicate a system compromise or risk of
>>>      compromise. Change-detection mechanisms such as file
>>>      integrity monitoring products usually come pre-configured
>>>      with critical files for the related operating system. Other
>>>      critical files, such as those for custom applications, must
>>>      be evaluated and defined by the entity (that is, the merchant
>>>      or service provider).
>>>
>>>
>>> Many thanks,
>>> -T
>>>
>>
>>
>> This looks like it will work, but
>> it looks too stripped.  I need alerts
>> eMailed to me:
>>
>> http://www.nirsoft.net/utils/folder_changes_view.html
>>
>> Maybe if I could get at a log file, I can write
>> a program to sift through it and mail out alerts?
>> I'd rather it came with it though.
>>
>> -T
>
>
> This one looks like it will work.  800 U$D for a 10 user
> license and has alerts eMailing.  21 day trial and a
> free version  (no alerts though).
>
> https://directorymonitor.com
>
>

To simulate a change, I can use Copy.

copy IMG_2029.HEIC IMG_2029a.HEIC # 1,812,033 byte

PS D:\> fsutil usn readjournal C: > D:\read.txt # Check for recent changes to C:

Usn : 11954266800
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00000100: File create
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479 \____ These are critical to finishing the task
Parent file ID : 0000000000000000001000000008f5d0 /
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954266888
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00000102: Data extend | File create
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954266976
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00000103: Data overwrite | Data extend | File create
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954267064
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00200103: Data overwrite | Data extend | File create | Stream change
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954267152
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00200123: Data overwrite | Data extend | Named data extend | File create | Stream change
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954267240
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00200133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Stream change
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954267328
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x00208133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Basic info change | Stream change
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0
Source info : 0x00000000: *NONE*
Security ID : 0
Major version : 3
Minor version : 0
Record length : 104

Usn : 11954267416
File name : IMG_2029a.HEIC
File name length : 28
Reason : 0x80208133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Basic info change | Stream change | Close
Time stamp : 1/29/2024 21:01:08
File attributes : 0x00000020: Archive
File ID : 0000000000000000002f00000000b479 <=====+
Parent file ID : 0000000000000000001000000008f5d0 |
Source info : 0x00000000: *NONE* |
Security ID : 0 |
Major version : 3 |
Minor version : 0 |
Record length : 104 |
|
PS D:\> nfi.exe C: > files.txt |
|
File 46201 <===== 46201 decimal = 0xb479 ===========+
\Users\username\Downloads\IMG_2029a.HEIC
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$FILE_NAME (resident)
$DATA (nonresident)
logical sectors 27851344-27854887 (0x1a8fa50-0x1a90827)
$DATA Zone.Identifier (resident)

File 587216 <--- Parent is the folder 0x8f5d0

\Users\username\Downloads

Between the $USN and the $MFT, you can figure out which item changed.

But if someone boots Linux and changes a file, you cannot see this
when Windows boots and you check the $USN. You need a hash approach,
to hash the files and compare to a previous hash on the files.
hashdeep64 will do this, but it will have the usual permission issues.

Every time Windows patches itself, things in the "critical" area will
change. Like when Windows Defender updated definitions several times
a day, those would count as changes, and your filter term (what
area do I want alerts about), will be popping those up. Metro.App
will be randomly updated (does not update the same time as Windows Update
does things). If you were planning to "authenticate" changes, it is tough
to know who is a legit player in the file system.

That's some of the technical challenge with a roll your own approach.

The information is there, but you still need a fallback plan (hashes).

Paul
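Paul's walk from the $USN journal to the $MFT record is mechanical enough to script, and the burst of records a single copy produces (eight for one file above) is exactly what an alerting filter has to collapse. The parser below is an added example, not Paul's code and not part of the thread. Its SAMPLE text is constructed to match the record layout `fsutil usn readjournal` printed above (the first and last records for IMG_2029a.HEIC, trimmed to the fields the parser reads) plus one constructed "File delete" record for a file called old.dll. The File ID decoding follows the check Paul made by hand: the low 48 bits of the last 16 hex digits are the MFT record number (0xb479 = 46201), and the 16 bits above them are the NTFS sequence number.

```python
"""Turn `fsutil usn readjournal` output into one change event per file.

Added example; not Paul's code and not part of the thread.  SAMPLE is
constructed to match the thread's record layout, trimmed to the fields
used here, plus one constructed "File delete" record.
"""
import re

# USN_REASON_* bits from winioctl.h (Windows SDK); the subset used here.
USN_REASON = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

SAMPLE = """\
Usn : 11954266800
File name : IMG_2029a.HEIC
Reason : 0x00000100: File create
Time stamp : 1/29/2024 21:01:08
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0

Usn : 11954267416
File name : IMG_2029a.HEIC
Reason : 0x80208133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Basic info change | Stream change | Close
Time stamp : 1/29/2024 21:01:08
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0

Usn : 11954267504
File name : old.dll
Reason : 0x80000200: File delete | Close
Time stamp : 1/29/2024 21:02:00
File ID : 00000000000000000003000000001234
Parent file ID : 0000000000000000001000000008f5d0
"""


def decode_file_reference(file_id_hex):
    """(mft_record_number, sequence_number) from fsutil's 32-hex-digit File ID.

    The low 64 bits are an NTFS FILE_REFERENCE: 48-bit record number in the
    low bits, 16-bit sequence number above it.  ...b479 -> 46201 (nfi.exe).
    """
    ref = int(file_id_hex[-16:], 16)
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_records(text):
    """Split the dump into blank-line-separated records and decode each one."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(" : ")  # "Time stamp" values contain ':'
            if sep:
                fields[key.strip()] = value.strip()
        if "Usn" not in fields:
            continue
        reason = int(fields["Reason"].split(":", 1)[0], 16)
        record, seq = decode_file_reference(fields["File ID"])
        parent, _ = decode_file_reference(fields["Parent file ID"])
        records.append({"usn": int(fields["Usn"]), "name": fields["File name"],
                        "time": fields["Time stamp"], "reason": reason,
                        "mft_record": record, "sequence": seq,
                        "parent_record": parent})
    return records


def summarize(records):
    """Collapse a file's burst of records (one per write, until CLOSE) into one event.

    Reason bits are OR-ed across the records; the union decides whether the
    event is an addition, a deletion, a rename or a modification.
    """
    events = {}
    for r in sorted(records, key=lambda r: r["usn"]):
        ev = events.setdefault(r["mft_record"], {"reason": 0})
        ev["reason"] |= r["reason"]
        ev.update(name=r["name"], time=r["time"], last_usn=r["usn"],
                  parent_record=r["parent_record"])
    for ev in events.values():
        bits = ev["reason"]
        ev["kind"] = ("deleted" if bits & 0x200 else "added" if bits & 0x100
                      else "renamed" if bits & 0x3000 else "modified")
        ev["flags"] = [n for b, n in USN_REASON.items() if bits & b]
    return events


def alerts_for_folder(text, watched_parent_record):
    """Alert lines for events whose parent folder has the given MFT record number."""
    return [f"ALERT {ev['kind']:<8} {ev['name']} (MFT {rec}, {ev['time']})"
            for rec, ev in summarize(parse_usn_records(text)).items()
            if ev["parent_record"] == watched_parent_record]


if __name__ == "__main__":
    # 587216 == 0x8f5d0, the Downloads folder's record in the thread's nfi.exe output.
    for line in alerts_for_folder(SAMPLE, 587216):
        print(line)
```

Filtering on the parent's MFT record number rather than on a path is deliberate: the journal carries no paths, so the watched folders are resolved to record numbers once (as Paul did with nfi.exe) and compared as integers. Paul's two caveats still apply to anything built on this: an offline edit from another OS never reaches the journal, and Windows Update, Defender definition updates and Store app updates will show up as legitimate changes that the filter has to expect.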

Re: PCI: change-detection mechanism

https://news.novabbs.org/computers/article-flat.php?id=77897&group=alt.comp.os.windows-10#77897
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: T@invalid.invalid (T)
Newsgroups: alt.comp.os.windows-10
Subject: Re: PCI: change-detection mechanism
Date: Tue, 30 Jan 2024 03:58:35 -0800
Organization: A noiseless patient Spider
Lines: 12
Message-ID: <upao9b$vk30$1@dont-email.me>
References: <up8eqj$gg43$1@dont-email.me> <up92jp$k2hu$1@dont-email.me>
<up9c0s$lic0$1@dont-email.me> <up9qt3$rbep$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 30 Jan 2024 11:58:35 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="097aa8b4db700735daa19eb043da98e8";
logging-data="1036384"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18TLQviq0D8cUgzK3yMMERSxTMa8OHnrOk="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:fzjAzkNH0AnsPgsanCB7ONAOq7w=
In-Reply-To: <up9qt3$rbep$1@dont-email.me>
Content-Language: en-US
 by: T - Tue, 30 Jan 2024 11:58 UTC

On 1/29/24 19:37, Paul wrote:
> That's some of the technical challenge with a roll your own approach.
>
> The information is there, but you still need a fallback plan (hashes).

I was planning on going through someone else's log file
that does not send eMail alerts, such as
http://www.nirsoft.net/utils/folder_changes_view.html

Doing it all myself, and as you have mentioned previously,
"a hole opens up and Todd gets swallowed".
