Monitoring a directory for permission changes

Article:HOWTO47819  |  Created: 2011-03-31  |  Updated: 2011-04-07  |  Article URL http://www.symantec.com/docs/HOWTO47819
Article Type: How To

Product: Symantec Critical Systems Protection

To monitor the attributes (including the permissions) of a directory and its contents, configure the policy with either 'G:\Windows\*' or 'G:\Windows*\'. Configuring the policy with 'G:\Windows' alone will not let you monitor changes to the directory's permissions.

When the directory monitored as G:\TEST\* is modified, an event like the one below is generated:

SOURCE

Agent Name:                    ESX1-2K8X64_new2
Host Name:                      ESX1-2K8x64
Host IP Address:             10.130.9.63
User Name:                      ESX1-2K8X64\Administrator
Agent Version:                 5.2.6.161
OS Type:                          Windows
OS Version:                     Server 2008 Service Pack 2
Agent Type:                     CSP Native Agent

EVENT

Event Type:                      File Watch
Event Category:              Real Time - Detection
Operation:                        Modified
Event Severity:                Critical
Event Priority:                  90
Event Date:                     26-Jan-2011 08:35:59 PST
Post Date:                       26-Jan-2011 14:34:33 PST
Post Delay:                     05:58:34
Event Count:                   1
Event ID:                          70035

DETAILS

Description:                     Watched File Modified (c:\test\new folder)
Policy Name:                   Copy of Host_IDS_File_Tampering_WILLIAM
Rule Name:                      Critical_File_Modified
Operation:                        Modified
File Name:                       c:\test\new folder
File Difference:                (Access Control List Changed)
                                Previous Access Control List:

                                O:BUILTIN\Administrators
                                G:none
                                D:AI
                                (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                                (A;OICIID;FA;;;BUILTIN\Administrators)
                                (A;OICIID;0x1200a9;;;BUILTIN\Users)
                                (A;CIID;LC;;;BUILTIN\Users)
                                (A;CIID;DC;;;BUILTIN\Users)
                                (A;OICIIOID;GA;;;CREATOR OWNER)
                                 Current Access Control List:

                                O:BUILTIN\Administrators
                                G:none
                                D:AI
                                (D;CIID;RC;;;BU)
                                (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                                (A;OICIID;FA;;;BUILTIN\Administrators)
                                (A;OICIID;0x1200a9;;;BUILTIN\Users)
                                (A;CIID;LC;;;BUILTIN\Users)
                                (A;CIID;DC;;;BUILTIN\Users)
                                (A;OICIIOID;GA;;;CREATOR OWNER)
                                
Session ID                      1
Process Path                   C:\Windows\explorer.exe
Process ID                      2272
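The "File Difference" block above lists the directory's DACL before and after the change as SDDL-style ACE strings, and the interesting part for an analyst is the one ACE that appeared: (D;CIID;RC;;;BU). The following script is an added example, not part of the article or of the Symantec product: it pulls the "Previous" and "Current" ACE lists out of an event body, parses each ACE with the standard Windows SDDL grammar (type;flags;rights;object_guid;inherit_object_guid;trustee) and the standard SDDL abbreviations, and reports which ACEs were added or removed in readable form. The SAMPLE_EVENT string is copied from the event shown above; the abbreviation tables are deliberately limited to the tokens a file-system ACE commonly carries, and any token they do not know is passed through unchanged.

```python
"""Explain the ACL change reported in a Critical Systems Protection File Watch event.

Added example (not article or product code). ACE syntax and abbreviations follow
the standard Windows SDDL string format; the sample event is the one in the article.
"""
import re
from dataclasses import dataclass

# Standard SDDL abbreviations (subset relevant to file-system ACEs).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS",
             "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "FA": "FILE_ALL_ACCESS",
          "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "LC": "LIST_CHILDREN", "DC": "DELETE_CHILD"}
WELL_KNOWN_SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
                   "SY": "NT AUTHORITY\\SYSTEM", "CO": "CREATOR OWNER",
                   "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users"}

# Sample input: the File Difference block of the event in the article (constructed copy).
SAMPLE_EVENT = r"""
File Difference:                (Access Control List Changed)
                                Previous Access Control List:
                                O:BUILTIN\Administrators
                                G:none
                                D:AI
                                (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                                (A;OICIID;FA;;;BUILTIN\Administrators)
                                (A;OICIID;0x1200a9;;;BUILTIN\Users)
                                (A;CIID;LC;;;BUILTIN\Users)
                                (A;CIID;DC;;;BUILTIN\Users)
                                (A;OICIIOID;GA;;;CREATOR OWNER)
                                 Current Access Control List:
                                O:BUILTIN\Administrators
                                G:none
                                D:AI
                                (D;CIID;RC;;;BU)
                                (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                                (A;OICIID;FA;;;BUILTIN\Administrators)
                                (A;OICIID;0x1200a9;;;BUILTIN\Users)
                                (A;CIID;LC;;;BUILTIN\Users)
                                (A;CIID;DC;;;BUILTIN\Users)
                                (A;OICIIOID;GA;;;CREATOR OWNER)
Session ID                      1
"""


@dataclass
class Ace:
    raw: str
    ace_type: str
    flags: list
    rights: list
    trustee: str


def _split_pairs(tokens):
    """Split a run of two-letter SDDL tokens such as 'OICIID' into ['OI', 'CI', 'ID']."""
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]


def parse_ace(text):
    """Parse one '(type;flags;rights;object_guid;inherit_object_guid;trustee)' string."""
    m = re.fullmatch(r"\((.*)\)", text.strip())
    if not m:
        raise ValueError(f"not an ACE string: {text!r}")
    parts = m.group(1).split(";")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {text!r}")
    ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = parts
    if rights.lower().startswith("0x"):
        rights_list = [rights]  # numeric access mask: report as-is
    else:
        rights_list = [RIGHTS.get(t, t) for t in _split_pairs(rights)]
    return Ace(raw=text.strip(),
               ace_type=ACE_TYPES.get(ace_type, ace_type),
               flags=[ACE_FLAGS.get(t, t) for t in _split_pairs(flags)],
               rights=rights_list,
               trustee=WELL_KNOWN_SIDS.get(trustee, trustee))


def parse_acl_sections(event_text):
    """Collect the ACE strings listed under 'Previous'/'Current Access Control List'."""
    sections, current = {}, None
    for line in event_text.splitlines():
        s = line.strip()
        if s.startswith("Previous Access Control List"):
            current = "previous"
            sections[current] = []
        elif s.startswith("Current Access Control List"):
            current = "current"
            sections[current] = []
        elif current and s.startswith("("):
            sections[current].append(s)
    return sections


def diff_acls(previous, current):
    """Return the ACE strings present only after (added) or only before (removed)."""
    prev, cur = set(previous), set(current)
    return {"added": [a for a in current if a not in prev],
            "removed": [a for a in previous if a not in cur]}


def describe(ace):
    return f"{ace.ace_type} {ace.trustee}: {', '.join(ace.rights)} [{', '.join(ace.flags)}]"


def summarize_event(event_text):
    """Human-readable '+'/'-' lines for every ACE that changed in the event."""
    secs = parse_acl_sections(event_text)
    d = diff_acls(secs.get("previous", []), secs.get("current", []))
    return (["+ " + describe(parse_ace(a)) for a in d["added"]] +
            ["- " + describe(parse_ace(a)) for a in d["removed"]])


if __name__ == "__main__":
    for line in summarize_event(SAMPLE_EVENT):
        print(line)
```

Run against the sample, the script reports a single added entry, a deny ACE giving BUILTIN\Users no READ_CONTROL on subcontainers, which is exactly the kind of detail worth surfacing in an alert rather than the bare "Access Control List Changed" text: a new deny ACE or a newly granted FILE_ALL_ACCESS/GENERIC_ALL to a broad group is the change a reviewer should look at first, while a reordering of otherwise identical inherited ACEs is usually noise.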