FIM+
What Makes FIM+ Unique
FIM+ is the file-focused module of CSF. It monitors critical system files for unauthorized changes—detecting malware insertion, ransomware attacks, and unapproved updates before damage spreads.
FIM+ answers the question: "Has anyone tampered with my critical files?"
FIM+ Capabilities
- Detect Malware/Ransomware Insertion — Identifies malicious code and encryption patterns in real time
- Alert on Unapproved Updates — Flags changes that don't match approved change requests
- Remove Ransomware & Verify — Guides recovery and verifies restored files match trusted state
How FIM+ Works
FIM+ continuously monitors your z/OS environment, detecting changes at the member and dataset level by creating and comparing cryptographic signatures. When something changes unexpectedly, you know immediately—not hours or days later.
Real-Time Detection
Unlike log-based detection that reviews SMF records after the fact (sometimes 30+ minutes delayed), FIM+ detects changes as they happen. When ransomware or unauthorized modifications occur:
- Malicious process is suspended instantly (typically under 1 second)
- Support team receives real-time alert with job name, ID, and submitter
- Forensics browser shows exactly which datasets were impacted
- Support investigates while attack is frozen—it cannot progress
- Cancel or resume: if legitimate, resume; if malicious, cancel and recover
Change Control Integration
FIM+ integrates with your change control processes (ServiceNow, BMC Helix) to verify whether detected changes have approved change requests. When an alert fires, it's a real issue—not planned maintenance.
Recovery Guidance
FIM+ knows when issues started and which components were affected. Through CSF Foundation's Restore Assist, it recommends the best recovery source:
- IBM SafeGuarded Copy
- Dell SnapVX / ZDP snap sets
- Hitachi snapshots
- Conventional backups (DFDSS, FDR, HSM)
Critical insight: SafeGuarded copies may contain malware if attackers installed backdoors hours or days before the visible attack. FIM+ scans identify when malware was installed, helping select the correct backup point—sometimes a conventional backup from before the compromise, not the most recent immutable copy.
Backup Verification
Using the mainframe's onboard hashing facilities, FIM+ verifies backup integrity in seconds, ensuring restored files exactly match their trusted state.
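The backup-selection point under Recovery Guidance and the restore check under Backup Verification can be shown with one comparison routine. This is an added example, not FIM+ code: it assumes a trusted SHA-256 manifest already exists, and the member names, copy labels and contents are constructed.

```python
import hashlib
from datetime import datetime

def manifest(members):
    """Map each member name to the SHA-256 digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in members.items()}

def drift(trusted, observed):
    """Names that were changed, added or removed relative to the trusted manifest."""
    return sorted(n for n in trusted.keys() | observed.keys()
                  if trusted.get(n) != observed.get(n))

def pick_recovery_point(trusted, copies):
    """Return (most recent clean copy, earliest tampered copy); either may be None."""
    ordered = sorted(copies, key=lambda c: c["taken"])
    checked = [(c, drift(trusted, manifest(c["members"]))) for c in ordered]
    clean = [c for c, changed in checked if not changed]
    dirty = [c for c, changed in checked if changed]
    return (clean[-1] if clean else None, dirty[0] if dirty else None)

# Constructed sample data: hypothetical member names and contents.
CLEAN = {"TEST.APFLIB(PGM1)": b"approved load module v1",
         "TEST.PARMLIB(CFG1)": b"OPTION=A"}
IMPLANTED = {**CLEAN, "TEST.APFLIB(PGM1)": b"approved load module v1 + backdoor"}
TRUSTED = manifest(CLEAN)  # assumption: baseline taken from the approved state
COPIES = [
    {"source": "immutable copy", "taken": datetime(2024, 5, 2, 18, 0), "members": IMPLANTED},
    {"source": "conventional backup", "taken": datetime(2024, 5, 1, 2, 0), "members": CLEAN},
    {"source": "immutable copy", "taken": datetime(2024, 5, 2, 6, 0), "members": IMPLANTED},
]

if __name__ == "__main__":
    clean, dirty = pick_recovery_point(TRUSTED, COPIES)
    print("first tampered copy:", dirty["source"], dirty["taken"])
    print("restore from:", clean["source"], clean["taken"])
    # After restoring, the same comparison confirms the files match the trusted state.
    print("restored members drifting from baseline:", drift(TRUSTED, manifest(clean["members"])))
```

In this sample the newest immutable copy already carries the implanted member, so the older conventional backup is the one selected.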
Detection Coverage
FIM+ monitors:
- Authorized program libraries (APF)
- System parameter libraries (PARMLIB)
- Procedure libraries (PROCLIB)
- Configuration datasets (VTAMLST, TCPPARMS)
- Started task libraries and datasets
- User-defined critical files and datasets
Technical Specifications
- FIM+ Server: 64MB minimum
- FIM+ Agents: 32MB each
- CPU usage: Negligible in production environments
Compliance Support
| Framework | Requirement Addressed |
|---|---|
| PCI DSS | Control 10.5 (FIM required), Control 11.5 (monitor log files) |
| NIST CSF | Detect and Respond functions |
| DORA | ICT risk management, operational resilience |
| Zero Trust | Continuous verification of system integrity |
FIM+ vs. Other CSF Products
| If you need to... | Use... |
|---|---|
| Detect file changes, malware, ransomware | FIM+ |
| Catch attackers before they attack | Early Warning |
| Stop data leaving your mainframe | Data Exfiltration Defense |
| Verify vendor software before install | Supply Chain |
FIM+ runs on CSF Foundation, which provides Real-time Reaction, Human Interface, Whitelisting, and Restore Assist capabilities.
