knoppixusr

Linux Server vs Windows Malware: Tripwire, AIDE, Gamin or FAM? Which tool can I use?


This is the situation.

I have a CentOS Linux Samba file server that serves the Windows network. Somewhere on the Windows network there is a compromised computer that writes an autorun.inf file and some other files to the Samba server.

The problem is, all the computers have antivirus, and as soon as the infected computer puts the virus on the network one of the other workstations removes the virus permanently. If the virus stayed there I could look at the file and see at least which user name created it. I have tried the testdisk utility to see if I can undelete the file but had no success.

Ideally it would be very useful if I could set up a program that could monitor the autorun.inf file and, as soon as it changes, do an lsof command to see who the user is and then also do a netstat to see which computer IP address it traces back to.
If I were to do it manually I could do lsof -V /path/autorun.inf, then take the resulting username and PID number and do a netstat -ap | grep with the PID number, and that should give the client's IP address. I could write a bash script to automate this. But if there is already a utility to do this, or even a way to view the history, that would be awesome.
I am a bit scared of writing a program or script to do this because I don't know what the overhead on the system will be to do a stat or lsof continuously. I can't imagine that it would be very efficient or thorough.

Has anyone here used Tripwire, AIDE, Gamin or FAM? Please could you advise whether it would work in my situation. The main thing is I need to track which IP on my Local Area Network puts the autorun.inf on the server.

I'm going to look at FAM in the meantime and will report back success or failure if anyone is interested.

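The manual lsof/netstat procedure from the post, automated as an added shell example (not code from the thread): an inotify event triggers the lookup so nothing polls, and the two parsers are written to handle netstat's IPv4-mapped tcp6 rows. It assumes smbd is the process holding the file, that it runs as root (netstat -p needs it) and that inotify-tools is installed; the lsof/netstat lines it is tested against are constructed samples.

```bash
#!/bin/bash
# Added example: automate "lsof on autorun.inf -> PID/user, netstat -p -> client IP".
# Assumptions: smbd holds the file, the script runs as root (netstat -p needs it),
# and inotify-tools (inotifywait) is installed. Sample data in tests is constructed.
# Parse `lsof <file>` output (COMMAND PID USER FD TYPE ...) from stdin and print
# "PID USER" for the first process holding the file; prints nothing if none.
lsof_pid_user() {
    awk 'NR > 1 { print $2, $3; exit }'
}

# Parse `netstat -tnp` output from stdin and print the peer (client) IP of the
# TCP socket owned by PID $1. Strips only the trailing ":port", so tcp6 rows such
# as ::ffff:192.168.1.58:50001 work, and drops the ::ffff: IPv4-mapped prefix.
netstat_peer_ip() {
    awk -v pid="$1" '
        $1 ~ /^tcp/ && $7 ~ ("^" pid "/") {
            n = split($5, a, ":")
            ip = substr($5, 1, length($5) - length(a[n]) - 1)
            sub(/^::ffff:/, "", ip)
            print ip
            exit
        }'
}

# Live lookup: which smbd (and so which user/client) has the path open right now.
trace_writer() {
    path=$1
    set -- $(lsof "$path" 2>/dev/null | lsof_pid_user)
    pid=$1 user=$2
    if [ -z "$pid" ]; then
        echo "$path: no process has it open (client already closed it?)"
        return 1
    fi
    client=$(netstat -tnp 2>/dev/null | netstat_peer_ip "$pid")
    echo "$path: pid=$pid user=$user client=${client:-unknown}"
}
# Event-driven watch on a share directory: no stat/lsof polling at all.
# smbd holds autorun.inf only while the client writes it, so a fast writer can
# still be missed; Samba's full_audit VFS module (vfs objects = full_audit,
# full_audit:prefix = %u|%I|%m) logs user, client IP and machine for every
# audited open/write and is the durable record when the lsof race is lost.
watch_share() {
    inotifywait -m -q -e create -e modify --format '%w%f' "$1" |
    while read -r path; do
        case "$(printf %s "${path##*/}" | tr 'A-Z' 'a-z')" in
            autorun.inf) trace_writer "$path" | logger -t autorun-watch ;;
        esac
    done
}
```

Run it as `watch_share /srv/share` on the Samba server; matches are written to syslog under the tag autorun-watch.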

If your AV is centralized then tell it not to auto-delete the files, then periodically check for the autorun file and then re-enable deletion/quarantine of infected files. Sounds like it is on a USB to me; we have the same thing here, our AV just deletes the file and sends an email to let us know so we don't really have to do anything.
