Forums Help & support Windows does not reflect date of changes made to files encrypted w/ AxCrypt

This topic contains 8 replies, has 2 voices, and was last updated by  Svante 6 years, 11 months ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #8239 Reply

    Anonymous

    I am using a File Integrity Monitor on files encrypted with AxCrypt.  When I make changes to those files, windows does not reflect the current dateTime of the change and it will not trigger any of my FIM rules.

    #8240 Reply

    Svante
    Spectator

    Hello Anonymous,

    AxCrypt will set the last modified and created time stamps to the current date & time on any encryption operation, and store the original files time stamps inside the encrypted .axx file as part of the meta data stored there along with the actual encrypted data. So the encrypted .axx file will have time stamps reflecting the time of the encryption, which of course includes an update.

    When decrypting, the original unencrypted files time stamps will be restored.

    If you are seeing any other behavior, please explain the exact sequence of events, preferrably with screen shots so we can understand just what it is you’re seeing as opposed to what you’re expecting.

    #8241 Reply

    Jay

    Svante

    Here is the problem i believe.  The actual filename has the extension  .xls and Axcrpt makes the extension -xls.axx. In my file integrity monitor the file has the .xls extension.  Is there any way to get beyond the -xls.axx so that the FIM agent can get the logs for the actual .xls file?

    Hopefully I am asking the right question.

    #8243 Reply

    Svante
    Spectator

    Hello Jay!

    No, you can’t get the FIM agent to “reach inside” the encrypted -xls.axx, since that would require it to have the password for the file, not to mention the code required to interpret the file contents – i.e. support AxCrypt specifically.

    I think you’re viewing this from the wrong angle. Let the FIM agent monitor .axx files (in addition to .xls etc etc). From your and the FIM agents perspective, the .axx file is the file that should be monitored. That ‘is’ the file to all intents and purposes.

    Also, I have really no idea what your FIM agent really does, but as far as file integrity is concerned, please know that AxCrypt using a cryptographically strong keyed checksum (HMAC-SHA-512) to ensure the integrity of the encrypted file. If it is modified in any way after encryption, AxCrypt will detect this.

    #8312 Reply

    Jay

    Svante

    Does Axcrypt write to the windows event logs ?  If so, what does it write?  Will it log changes to the file it is protecting?

    Thanks Jay

    #8315 Reply

    Svante
    Spectator

    Hello Jay,

    It has no own logging to the Windows event logs. If the .NET framework crashes for example, it will log. In either case, AxCrypt will not log any normal activity.

    AxCrypt does do it’s own logging to a text file, and it can be found in %localappdata%\AxCrypt . It will not log normal activity, only error situations and such.

    In %localappdata% there is also a file describing the list of files in the recent files view, and the secured folders view. The original file names are encrypted, but not the folder names and encrypted files – after all, they are visible in Windows Explorer anyway so it makes little sense to “hide” them as they are in plain sight anyway.

    #8612 Reply

    Jay

    Svante

    I have looked high and low for this file %localappdata%\AxCrypt on both the server and my workstation where Axcrypt is loaded.  I can’t find that file.  Am I doing something wrong or not looking in the right place?

    Jay

    #8614 Reply

    Derek

    Jay, ” %localappdata%\AxCrypt” is not a file, it’s a directory.

    #8615 Reply

    Svante
    Spectator

    Hello Jay,

    The file in question is %localappdata%\AxCrypt\ReportSnapshot.txt . Note that %localappdata% is expanded by Windows to a directory specific for your installation. Typically something like C:\Users\[Your User Name]\AppData\Local .

Viewing 9 posts - 1 through 9 (of 9 total)
Reply To: Windows does not reflect date of changes made to files encrypted w/ AxCrypt
Your information: