GFI LANguard System Integrity Monitor (SIM) detects whether files have been changed on a Windows 2000/XP system. It identifies exactly which files have been changed, making it easy to restore the system to its original state, although it does not provide any utility for automatic recovery - you have to have secured original copies of these files elsewhere.

SIM may be configured to watch any files of your choice, including operating system files. It works by computing an MD5 checksum for each file to be monitored. These checksums are then stored in a database for comparison with checksums generated later. MD5 checksums are computed again at scheduled intervals and compared with the stored values.

If a changed file is detected, an email is sent automatically to the system administrator. Besides scanning individual files, it can also be configured to scan folders, in which case it can scan the folder and all its contents for changes and/or detect added, deleted, or renamed files.

Installation is straightforward and creates a default scan job, which monitors key Windows system files. This default job may be modified in any way to suit your particular requirements, including customising the email alert message, changing the schedule, and selecting more files to be watched. You can also create other (multiple) scan jobs, each with a different schedule. Each scan job can be configured to send email alerts to different administrators, if required.

The alerts give full details of the change detected - it is not necessary to refer to a system log to obtain all the information required to reverse the unauthorised changes made. However, SIM itself is tamperproof because it also logs all changes to an undeletable file called the Windows Security Event Log, which is available for later analysis. For this purpose, integration is provided with GFI LANguard Security Event Log Monitor (SELM), which is an optional extra-cost program for managing multiple installations of SIM centrally. SELM also categorizes the changes detected by how serious they are. It has some additional functionality that detects failed unauthorized access attempts, admin logons outside normal hours and other suspicious activity.