Active rule currently published.
This rule detects when a monitored file changes. The change may be authorized or unauthorized; either way it should be investigated further.
Specifically, this rule fires when a monitored file's size has been reduced but the file itself has not been replaced (it is still the same file on disk, not a new file created in its place). This happens when an attacker removes lines from a log file, when an attacker "zeroes out" a log file, or when a non-malicious process truncates the file in place.
Some log rotation tools work this way, truncating the live file instead of moving it aside (for example, logrotate's copytruncate option).
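The distinction the rule relies on is between a file that was truncated in place (same inode, smaller size) and one that was swapped for a new file (different inode). The following is an added illustration, not ASL's own rule logic: it snapshots a file's inode, device, size and SHA-256, classifies a later snapshot against it, and runs the classifier over constructed scenarios in a temporary directory (a normal append, an attacker zeroing the log, an attacker deleting lines, rename-based rotation, and copy-then-truncate rotation). The verdict names and the sample log contents are assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Baseline attributes an integrity monitor would record for a file."""
    inode: int
    device: int
    size: int
    sha256: str


def snapshot(path: str) -> Snapshot:
    """Record inode/device (file identity), size and a content hash."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Snapshot(st.st_ino, st.st_dev, st.st_size, h.hexdigest())


def classify(before: Snapshot, after: Snapshot) -> str:
    """Classify a change the way the rule above distinguishes cases.

    "truncated" is the condition this rule alerts on: the file is the same
    object (same inode and device) but it got smaller. A new inode means the
    file was replaced (e.g. rotated by rename), which is a different event.
    """
    if (before.inode, before.device) != (after.inode, after.device):
        return "replaced"
    if after.size < before.size:
        return "truncated"
    if after.sha256 == before.sha256:
        return "unchanged"
    return "modified"


def demo_scenarios() -> dict:
    """Run the classifier over constructed scenarios; returns verdicts by name."""
    base = tempfile.mkdtemp()
    results = {}
    try:
        log = os.path.join(base, "secure.log")  # hypothetical monitored file
        # Constructed sample log lines, not real events.
        lines = [f"line {i}: constructed sample event\n" for i in range(20)]

        def reset() -> Snapshot:
            with open(log, "w") as f:
                f.writelines(lines)
            return snapshot(log)

        # 1. Normal operation: new events are appended, size grows.
        before = reset()
        with open(log, "a") as f:
            f.write("line 20: constructed new event\n")
        results["append"] = classify(before, snapshot(log))

        # 2. Attacker zeroes the log in place (equivalent of `> secure.log`).
        before = reset()
        with open(log, "w"):
            pass
        results["zeroed"] = classify(before, snapshot(log))

        # 3. Attacker removes selected lines and writes the rest back.
        before = reset()
        with open(log, "w") as f:
            f.writelines(l for l in lines if "line 7:" not in l)
        results["lines_removed"] = classify(before, snapshot(log))

        # 4. Rotation by rename: the live path now points at a new, empty inode.
        before = reset()
        os.rename(log, log + ".1")
        open(log, "w").close()
        results["rotate_rename"] = classify(before, snapshot(log))

        # 5. Rotation by copy-then-truncate: same inode, size drops to zero,
        #    which is indistinguishable from case 2 by file attributes alone.
        before = reset()
        shutil.copyfile(log, log + ".1")
        os.truncate(log, 0)
        results["rotate_copytruncate"] = classify(before, snapshot(log))
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, verdict in demo_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The last two scenarios are the practical point: a monitor looking only at the file cannot tell a copy-then-truncate rotation from an attacker emptying the log, so when an alert fires on a log that is rotated this way, check the rotation schedule and the rotated copy before assuming tampering.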
There are no known false positives for this rule: a reduction in a monitored file's size is a real change to that file, so it is not recommended that you disable this rule. The benign cases described above (a process or log rotation tool that truncates a file in place) are tuning matters rather than false positives. If you do not wish to be alerted when a specific file, or the files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu option and modify your configuration to ignore that file or directory.
If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
Knowledge Base Articles