Bizarre file 'corruption' at work, mystifying!

Started by March 15, 2010 01:42 PM
10 comments, last by djz 14 years, 7 months ago
When I was talking about a "simple monitor", I was specifically referring to the OP monitoring apps which are not going to detect rootkits (in general), unless you have lots of experience on how to write rootkits and know how they avoid detection.

Process Monitor seems competent enough, though a quick Google search seems to indicate that there exist mechanisms to avoid its detection.

Good Luck!

-ddn
Quote: Original post by ddn3
When I was talking about a "simple monitor", I was specifically referring to the OP monitoring apps which are not going to detect rootkits (in general), unless you have lots of experience on how to write rootkits and know how they avoid detection.

Process Monitor seems competent enough, though a quick Google search seems to indicate that there exist mechanisms to avoid its detection.

Good Luck!

-ddn


Fortunately, I've managed to isolate it to a particular version of our image. I think it may be a problem with the way app distribution is handled for that image, as there are bundles that are being pushed out to these machines in weird ways that have been breaking for years it seems. Recently the files that we've seen corrupting lately were packed for distribution, and that tipped us off to the issue.

Thanks for everyone's suggestions! I genuinely appreciate all of you who made the effort to respond.

This topic is closed to new replies.
