WLS 18.104.22.168 has been released!
As detailed in a previous post, commands entered at the command prompt are now monitored and reported along with the cmd.exe process ID. This includes tracking the last command added and last command displayed; if command processes exist when WLS is started, all existing commands will be logged, then as they change.
Monitor removable drive file system changes; monitor fixed disk file system changes by interface type (1394, IDE, SCSI, USB); optionally log the interactive user
License information must now be entered for WLS to run.
When enabled, Event Logs generated while WLS was not running (OS startup, shutdown, etc.) will be processed on WLS startup. On the first run, no logs are backfilled.
When running as a service as LocalSystem (normal operation), user session changes will be logged. The logs will be tagged with WLS_SessionMonitor and include the session ID and associated user. This includes ConsoleConnect, ConsoleDisconnect, RemoteConnect, RemoteDisconnect, SessionLock, SessionLogoff, SessionLogon, SessionRemoteControl, and SessionUnlock.
Signed Binary Detection
Signed binary detection by catalog. Previously files were only checked for an embedded signature; now if a file’s hash is included in a signature catalog, the Signed flag will be set to Catalog. Signed flag options are now Catalog, False, True.
For more information on WLS, click “WLS Information” at the top, or here: WLS Information
If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.