Once upon a time, I needed to get a quick and dirty file integrity checking process in place for Windows systems so that we could meet a customer compliance requirement that was growing more and more popular.
FIM – File Integrity Monitoring
At the time, we were evaluating more expensive options like solutions from Tripwire and LogRhythm, and we were looking at open source options like OSSEC.
While waiting on testing and budget approval and inevitable implementation time, I put together a script which was initially based on Microsoft’s free FCIV utility. It ran once a day, and generated sufficient logging to satisfy our customers and their auditors. And still our budgeting process lingered.
FCIV was fast, but didn’t offer enough filtering options, and under load it sometimes crashed, so I began to look for alternatives. Oh, and it only supported MD5 and SHA1 hashes.
I dabbled with MD5SUM, but it was not fast enough, and still didn’t provide any helpful filtering options.
Then I found FSUM. It was an awesome utility that could support almost a dozen hashing algorithms, and could move fairly quickly through a directory tree. And it was stable, although a little slower than FCIV.
I modified my script to be able to use any of the above utilities with a command-line parameter.
This ran for many months, but I realized that I needed to write my own utility to obtain the post-process filtering that I so badly needed. Why generate hashes for files that you don’t need to evaluate? (In this case, files that are not executable or configuration files…)
Enter FILEHASH
It started off very modestly, but by the time I got it to version 2.1, it had the ability to process file exclusion lists, and it sported an option to provide output compatibility with FSUM so that processing work could be consistent regardless of which utility was used.
Eventually, there was no need for any other file hashing utility. Version 2.5 added a 64-bit edition and many other features which improved performance and allowed me to greatly simplify the file integrity monitoring script.
Over the years, I have successfully used this script to help many customers running Windows systems to quickly deploy FIM functionality while they take some time to evaluate a more integrated or real-time commercial solution, or work through the testing and deployment of an open source solution. I have also used FILEHASH for a variety of other automation tasks where robust file hashing is required.
At present, FILEHASH supports legacy hashes like MD5 and SHA1, along with cryptographic hashes like the SHA2 family, the SHA3 family, Blake2, and Blake3, as well as non-cryptographic hashes like XXHASH64.
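The filtered, once-a-day check described above can be sketched as follows. This is an added example, not FILEHASH or the companion FIM script: the extension set, the wildcard exclusion syntax, the choice of SHA-256 and the sample directory tree are all assumptions made for illustration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Assumed policy: monitor only executable and configuration file types.
MONITORED_EXT = {".exe", ".dll", ".sys", ".ps1", ".bat", ".ini", ".config"}

def snapshot(root, exclude=(), algo="sha256"):
    """Return {relative_path: hex_digest} for monitored, non-excluded files."""
    result = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or path.suffix.lower() not in MONITORED_EXT:
            continue  # filtered out before any hashing I/O happens
        if any(fnmatch.fnmatch(rel.lower(), pat.lower()) for pat in exclude):
            continue  # exclusion list entry (assumed wildcard syntax)
        digest = hashlib.new(algo)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[rel] = digest.hexdigest()
    return result

def compare(baseline, current):
    """Classify the differences between two snapshots."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def write_tree(root, files):
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

def demo():
    """Baseline a constructed tree, change it, and return (baseline, report)."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, {"app/service.exe": b"v1", "app/settings.ini": b"debug=0",
                          "app/logs/run.log": b"noise", "app/cache/tmp.dll": b"x"})
        baseline = snapshot(root, ["app/cache/*"])
        write_tree(root, {"app/service.exe": b"v2", "app/helper.dll": b"new",
                          "app/logs/run.log": b"more", "app/cache/tmp.dll": b"y"})
        Path(root, "app/settings.ini").unlink()
        return baseline, compare(baseline, snapshot(root, ["app/cache/*"]))

if __name__ == "__main__":
    print(demo()[1])
```

The log file and the excluded cache directory change between the two runs but never appear in the report, which is the point of filtering before hashing.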
Take a look and see what you think of both FILEHASH and its companion FIM script.