Monitoring a directory for permission changes

Article: HOWTO47819  |  Created: 2011-03-31  |  Updated: 2011-04-07
Article Type: How To

Product: Symantec Critical Systems Protection

To monitor the attributes of a directory and its contents, configure the policy with either 'G:\Windows\*' or 'G:\Windows*\'. A policy configured with 'G:\Windows' will not monitor changes to the directory's permissions.

When modified, the directory G:\TEST\* generates the event below:


Agent Name:                    ESX1-2K8X64_new2
Host Name:                      ESX1-2K8x64
Host IP Address:   
User Name:                      ESX1-2K8X64\Administrator
Agent Version:       
OS Type:                          Windows
OS Version:                     Server 2008 Service Pack 2
Agent Type:                     CSP Native Agent


Event Type:                      File Watch
Event Category:              Real Time - Detection
Operation:                        Modified
Event Severity:                Critical
Event Priority:                  90
Event Date:                     26-Jan-2011 08:35:59 PST
Post Date:                       26-Jan-2011 14:34:33 PST
Post Delay:                     05:58:34
Event Count:                   1
Event ID:                          70035


Description:                     Watched File Modified (c:\test\new folder)
Policy Name:                   Copy of Host_IDS_File_Tampering_WILLIAM
Rule Name:                      Critical_File_Modified
Operation:                        Modified
File Name:                       c:\test\new folder
File Difference:                (Access Control List Changed)
                                Previous Access Control List:

                                (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                                (A;OICIIOID;GA;;;CREATOR OWNER)
                                 Current Access Control List:

                                (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                                (A;OICIIOID;GA;;;CREATOR OWNER)
Session ID                      1
Process Path                   C:\Windows\explorer.exe
Process ID                      2272
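
To triage events like the one above, the two ACE lists in the File Difference field can be decoded and compared. The Python below is an added example, not part of the original article or of the product; its function names are hypothetical, and the sample event is constructed from the output above with one extra ACE (BUILTIN\Users) appended so the comparison has something to report.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^()]*)\)")
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit",
             "IO": "inherit-only", "NP": "no-propagate", "ID": "inherited"}
RIGHTS = {"FA": "file-all", "FR": "file-read", "FW": "file-write",
          "FX": "file-execute", "GA": "generic-all", "GR": "generic-read",
          "GW": "generic-write", "GX": "generic-execute"}

def tokens(field, table):
    """Split concatenated two-letter SDDL tokens; keep a hex mask as-is."""
    if field.lower().startswith("0x"):
        return (field,)
    return tuple(table.get(field[i:i + 2], field[i:i + 2])
                 for i in range(0, len(field), 2))

def parse_acl(text):
    """Decode every ACE string in text into (type, flags, rights, trustee)."""
    return {(ACE_TYPES.get(t, t), tokens(f, ACE_FLAGS), tokens(r, RIGHTS), who.strip())
            for t, f, r, who in ACE_RE.findall(text)}

def diff_event(event_text):
    """Compare the Previous and Current ACL blocks of one File Watch event."""
    head, _, current = event_text.partition("Current Access Control List:")
    previous = head.partition("Previous Access Control List:")[2]
    old, new = parse_acl(previous), parse_acl(current)
    added = new - old
    # An added ACE without the ID flag was set on the object itself, not inherited.
    return {"added": added, "removed": old - new,
            "explicit_added": {ace for ace in added if "inherited" not in ace[1]}}

# Constructed sample: the article's ACLs plus one made-up ACE for BUILTIN\Users.
SAMPLE = r"""File Name:       c:\test\new folder
File Difference: (Access Control List Changed)
                 Previous Access Control List:
                 (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                 (A;OICIIOID;GA;;;CREATOR OWNER)
                 Current Access Control List:
                 (A;OICIID;FA;;;NT AUTHORITY\SYSTEM)
                 (A;OICIIOID;GA;;;CREATOR OWNER)
                 (A;OICI;FA;;;BUILTIN\Users)
"""

if __name__ == "__main__":
    for kind, aces in diff_event(SAMPLE).items():
        for ace in sorted(aces):
            print(kind, ace)
```

An entry under explicit_added is an ACE that was set directly on the watched object, as opposed to one that arrived through inheritance from the parent directory.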
