MwWatcher's Online Manual

You can download the PDF version of the manual here.


Installation

Install from ISO

Download the MwWatcher ISO image and mount it as the CD-ROM disk in the vmpot's settings. Enter the \MWWATCHER\bin\ directory and double-click mww_install.exe, which is a self-extracting file. Set the install path (the default path is recommended) and click install.

installation window


There will be three files and a directory in the installation directory.

watcher's directory



Configuration

MwWatcher is configured through the MwWatcher.ini file.

Attention: the configuration file has to be in the same directory as the executable file and its name has to be MwWatcher.ini, or else the program will fall back to its default settings.

[FILTER] 	        filter setting
SET_FILTER=1	        when SET_FILTER=1 the program will use the white list,
                        and when SET_FILTER=0 it will use the black list.

[DELAY]			delay settings
TIME=2000		check if there are files to submit every 2000ms

[DIR0]	                settings for dir going to be monitored, at most 10 dirs can be monitored  
                        simultaneously
PATH=C:\WINDOWS		directory path
FILE_NAME=1		whether to monitor file name changes
DIR_NAME=1		whether to monitor sub-dir name changes
LAST_WRITE=0		whether to monitor last write
LAST_ACCESS=0		whether to monitor last access
SIZE=1			whether to monitor file size changes
SECURITY=0		whether to monitor file security setting changes
ATTRIBUTES=0		whether to monitor file attributes changes
CREATION=1		whether to monitor new file/dir creation
SUB_DIR=1		whether to monitor sub-dir recursively



Start Monitoring

Double-click MwWatcher.exe and the program will start monitoring according to the settings in MwWatcher.ini.

running window



Log File

While running, MwWatcher writes to the log file MwWatcher.log in the following format:

Date	   Time     Changes		     Target
2005/12/02 18:05:11 Directory Watch Started: C:\WINDOWS	 Start monitoring C:\WINDOWS
2005/12/02 18:05:11 Directory Watch Started: C:\WINDOWS\SYSTEM32
2005/12/02 18:05:16 File Modified: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
2005/12/02 18:05:16 File Modified: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG

The log of successfully submitted files is saved in the submitted.log file, in the same format as above.

Sample Submit

MwWatcher stores samples in the Sample directory, where they wait for MwFetcher to fetch them. To avoid name conflicts, it renames each file according to its path, as below.

Path		           File Submitted
C__WINDOWS_SYSTEM32_CONFIG_SOFTWARE.LOG

Attention: all the ‘\’ in the path are replaced by ‘_’, so a ‘_’ that was already in the original path or file name cannot be told apart from a replaced ‘\’.

Hence, the SOFTWARE.LOG file in C:\WINDOWS\SYSTEM32\CONFIG\ will be stored as C__WINDOWS_SYSTEM32_CONFIG_SOFTWARE.LOG.
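The following is an added example, not part of MwWatcher or this manual's original text. It parses lines in the MwWatcher.log format described under Log File, lists the unique modified files, and shows how two different paths can end up with the same stored sample name under the renaming described above. The log lines are constructed, and the handling of ‘:’ is an assumption inferred from the manual's C__WINDOWS_... example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the MwWatcher.log format; the last two paths are made up
# to show a naming clash and do not come from the manual.
SAMPLE_LOG = r"""2005/12/02 18:05:11 Directory Watch Started: C:\WINDOWS
2005/12/02 18:05:11 Directory Watch Started: C:\WINDOWS\SYSTEM32
2005/12/02 18:05:16 File Modified: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
2005/12/02 18:05:16 File Modified: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
2005/12/02 18:05:20 File Modified: C:\WINDOWS\TEMP\A_B.EXE
2005/12/02 18:05:21 File Modified: C:\WINDOWS\TEMP_A\B.EXE
not a log line
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([^:]+): (.+)$")

def parse_log(text):
    """Return (timestamp, change, target) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((when, m.group(2), m.group(3).strip()))
    return events

def sample_name(path):
    """Name MwWatcher gives a stored sample, following the manual's example."""
    # Assumption: ':' is also mapped to '_', as C__WINDOWS_... in the manual implies.
    return path.replace("\\", "_").replace(":", "_")

def modified_files(events):
    """Unique paths reported as 'File Modified', in first-seen order."""
    return list(dict.fromkeys(t for _, change, t in events if change == "File Modified"))

def ambiguous_samples(paths):
    """Map each sample name to its source paths, keeping only names shared by 2+ paths."""
    by_name = defaultdict(list)
    for p in paths:
        by_name[sample_name(p)].append(p)
    return {name: srcs for name, srcs in by_name.items() if len(srcs) > 1}

if __name__ == "__main__":
    files = modified_files(parse_log(SAMPLE_LOG))
    for f in files:
        print(sample_name(f), "<-", f)
    print("ambiguous:", ambiguous_samples(files))
```

When a sample name is ambiguous, the original path has to be recovered from MwWatcher.log or submitted.log rather than from the file name.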

Misc


FTP Submit

MwWatcher also supports submitting samples over FTP. However, we do not recommend it, since the FTP server address, user name and password will be stored in the settings file. If you really want to use this function, add the following settings to MwWatcher.ini.

[FTP]	ftp settings
ENABLE=1
ADDRESS=127.0.0.1	server address
USER=test		user name
PASSWORD=test	password
PATH=/pub/	remote submit directory

When submitting over FTP, MwWatcher uses a different renaming scheme to avoid name conflicts: it adds the local system time before the file’s full path name, e.g.

Date	       Path		         File Name
20051202183319_C_WINDOWS_SYSTEM32_CONFIG_SOFTWARE.LOG

After FTP submit mode is turned on, the window will look like this:

running window ftp


Auto Reboot

MwWatcher can auto-reboot the system after counting down the time you set in the settings file. However, it won’t always succeed, and in a virtual machine it is not necessary, so this function is turned off by default. If you want to turn it on, add the following settings to MwWatcher.ini.

[REBOOT]	auto-reboot setting
TIME=60000	after 1 minute, counted in milliseconds
SET=1		SET=1 auto-reboot on, SET=0 auto-reboot off

Attention: if you have turned on the auto-reboot function, do not close the MwWatcher window, or else it will reboot the machine and all your unsaved work will be lost.
