SCSP Not Tracking Delete Activity in the Event Logs
|Article:TECH190401|||||Created: 2012-06-05|||||Updated: 2013-07-30|||||Article URL http://www.symantec.com/docs/TECH190401|
When files are placed in the Recycle Bin, the Symantec Critical System Protection (SCSP) agent does not log the delete activity.
This issue applies only to Windows operating systems.
When a file is sent to the Recycle Bin, Windows renames and indexes it. For example, the file "C:\myfile.txt" could be renamed to "C:\$Recycle.Bin\S-1-5-21-...\$rd96bh.txt", and an index is maintained so that it still shows as myfile.txt in the Recycle Bin.
SCSP does not consider a file placed in the Windows Recycle Bin to be "deleted", because the file is still recoverable. Instead, SCSP accurately records a "file renamed" event when a file is sent to the Recycle Bin.
Once the file is in the Recycle Bin, a rule must exist that monitors the Recycle Bin itself; otherwise subsequent deletion events will not be reported. Because the file is renamed when it is sent there, this rule needs to use a wildcard so that it still matches the renamed file.
If a file in the Recycle Bin is later restored, this is reported as a "file added" event, and if the Recycle Bin is emptied, the renamed file is reported as deleted. All of these are logged as normal filewatch events.
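The three events described above (rename into the Recycle Bin, "file added" on restore, delete on emptying) only tell an analyst what happened to the original file if they are correlated. The following script is an added example, not part of this article or of SCSP itself: it takes a constructed list of filewatch-style events (the field names and the SID in the paths are assumptions, not SCSP's real log format) and attributes each later delete or restore back to the original path, which is the view a defender usually wants. The `RECYCLE_BIN_PATTERN` comment shows the kind of wildcard the Recycle Bin rule needs; it is illustrative, not SCSP rule syntax.

```python
import re
from typing import Dict, List, Optional, Tuple

# Any path under the per-drive $Recycle.Bin folder, e.g. C:\$Recycle.Bin\<SID>\$Rxxxx.ext.
# A monitoring rule for the Recycle Bin must use a wildcard like C:\$Recycle.Bin\*
# (illustrative pattern, not SCSP rule syntax), because the filename is rewritten on arrival.
RECYCLE_BIN_PATTERN = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\", re.IGNORECASE)

# (kind, path, new_path) -- a constructed, simplified filewatch event shape.
Event = Tuple[str, str, Optional[str]]

# Constructed sample events. The SID component is a placeholder, not a real account.
SAMPLE_EVENTS: List[Event] = [
    ("renamed", r"C:\myfile.txt", r"C:\$Recycle.Bin\S-1-5-21-EXAMPLE\$RD96BH.txt"),
    ("renamed", r"C:\secret.docx", r"C:\$Recycle.Bin\S-1-5-21-EXAMPLE\$RABC123.docx"),
    ("added", r"C:\secret.docx", None),  # user restored secret.docx from the bin
    ("deleted", r"C:\$Recycle.Bin\S-1-5-21-EXAMPLE\$RD96BH.txt", None),  # bin emptied
]


def is_recycle_bin_path(path: str) -> bool:
    """True if the path lives under a drive's $Recycle.Bin folder."""
    return RECYCLE_BIN_PATTERN.match(path) is not None


def correlate(events: List[Event]) -> Dict[str, str]:
    """Map each original file path to its final state.

    States: "recycled" (still in the bin), "restored" (file added back at its
    original path), "permanently_deleted" (renamed copy deleted from the bin).
    A delete inside the bin with no matching rename is keyed by the bin path and
    marked "deleted_unattributed", which is what you see when the Recycle Bin
    rule exists but the original rename was never captured.
    """
    pending: Dict[str, str] = {}   # bin path -> original path
    state: Dict[str, str] = {}

    for kind, path, new_path in events:
        if kind == "renamed" and new_path and is_recycle_bin_path(new_path):
            pending[new_path] = path
            state[path] = "recycled"
        elif kind == "added":
            # Restore: the original name reappears; drop the bin entry that pointed at it.
            for bin_path, original in list(pending.items()):
                if original == path:
                    del pending[bin_path]
                    state[original] = "restored"
        elif kind == "deleted":
            if path in pending:
                state[pending.pop(path)] = "permanently_deleted"
            elif is_recycle_bin_path(path):
                state[path] = "deleted_unattributed"
    return state


if __name__ == "__main__":
    for original, final_state in correlate(SAMPLE_EVENTS).items():
        print(f"{original}: {final_state}")
```

Without the rename-to-bin event, the final delete only names `$RD96BH.txt`, so the rule that watches the Recycle Bin and the rule that watches the original location both need to be in place for the correlation to work.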