SCSP Not Tracking Delete Activity in the Event Logs

Article:TECH190401  |  Created: 2012-06-05  |  Updated: 2013-07-30  |  Article URL http://www.symantec.com/docs/TECH190401
Article Type
Technical Solution


Issue



When files are placed in the Recycle Bin, the Symantec Critical Systems (SCSP) agent does not log the delete activity.


Environment



This issue only applies to Windows OS's only.  


Solution



When a file is sent to the Recycle Bin, it is renamed by Windows and indexed. For example, the file "C:\myfile.txt" could be renamed as "C:\$Recycle.Bin\S1-1-5-21-...\$rd96bh.txt", and an index is maintained so that it will still show as myfile.txt in the recycle bin.

SCSP does not consider a file placed in the Windows Recycle Bin as "deleted" due to the recoverability of the file. Instead, SCSP accurately records a "file renamed" event when a file is sent to the Recycle Bin.

Once the file is in the Recycle Bin, a rule must exist to monitor the Recycle Bin itself, otherwise subsequent deletion events will not be reported. This rule needs to use a wildcard to capture events as the file is renamed once it is sent there.

If a file in the Recycle Bin is later restored, this will be reported as a “file added", and if it the recycle bin is emptied, the renamed file will be reported as deleted. All these events will be logged as a normal flewatch events.




Article URL http://www.symantec.com/docs/TECH190401


Terms of use for this information are found in Legal Notices