IDS policy triggering filewatch event when folder altered is not configured to be monitored
Article: TECH196674 | Created: 2012-09-13 | Updated: 2012-09-13 | Article URL: http://www.symantec.com/docs/TECH196674
The "Host_IDS_File_Tampering" IDS policy triggers a filewatch event when the C:\windows\temp folder is altered, even though that folder is NOT configured to be monitored.
From testing, this issue is not specific to a particular version of Symantec Critical System Protection (SCSP).
Monitoring %systemroot%\*.exe or %systemroot%\*.dll (as defined in the default "Host_IDS_File_Tampering" policy) will also trigger events for c:\windows\temp\*.exe or c:\windows\temp\*.dll, because the wildcard match extends to files in that subfolder.
SCSP is behaving as designed but the design can be improved.
The issue is planned to be addressed in the next major release of SCSP, which may be some time away.
A workaround is to add %SystemRoot%\Temp to the "Ignore Files" option in the policy.
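The following is an added model of the matching behaviour described above, not SCSP code: it assumes a monitor rule such as %systemroot%\*.exe matches that extension at any depth below the directory, and that "Ignore Files" entries are directory prefixes that suppress events beneath them. The event paths and policy dictionaries are constructed for the illustration.

```python
import fnmatch
import ntpath
import re

# Assumed environment value for the %systemroot% token (constructed).
ENV = {"systemroot": r"C:\Windows"}


def expand(path: str) -> str:
    """Expand %VAR% tokens case-insensitively and normalise to a lower-case NT path."""
    expanded = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normpath(expanded).lower()


def under_directory(directory: str, event_dir: str) -> bool:
    """True when event_dir is the directory itself or any subdirectory of it."""
    return event_dir == directory or event_dir.startswith(directory + "\\")


def rule_matches(rule: str, event_path: str) -> bool:
    """Assumed SCSP semantics: the rule's directory must be an ancestor of the
    changed file (any depth), and the rule's filename glob must match its name.
    This is what makes %systemroot%\\*.exe fire for C:\\Windows\\Temp\\x.exe."""
    rule_dir, rule_glob = ntpath.split(expand(rule))
    event_dir, event_name = ntpath.split(expand(event_path))
    return under_directory(rule_dir, event_dir) and fnmatch.fnmatchcase(event_name, rule_glob)


def ignored(ignore_prefixes, event_path: str) -> bool:
    """An "Ignore Files" entry suppresses every event at or below that directory."""
    event_dir = ntpath.dirname(expand(event_path))
    return any(under_directory(expand(prefix), event_dir) for prefix in ignore_prefixes)


def event_fires(policy: dict, event_path: str) -> bool:
    """Evaluate one file-change event against a policy's monitor and ignore lists."""
    if ignored(policy["ignore_files"], event_path):
        return False
    return any(rule_matches(rule, event_path) for rule in policy["monitor"])


def fired_events(policy: dict, events) -> list:
    """Return the subset of events that would raise a filewatch alert."""
    return [e for e in events if event_fires(policy, e)]


MONITOR = [r"%systemroot%\*.exe", r"%systemroot%\*.dll"]   # default policy rules
DEFAULT_POLICY = {"monitor": MONITOR, "ignore_files": []}
WORKAROUND_POLICY = {"monitor": MONITOR, "ignore_files": [r"%SystemRoot%\Temp"]}

EVENTS = [  # constructed sample file-change events
    r"C:\Windows\notepad.exe",          # legitimately monitored
    r"C:\Windows\Temp\installer.exe",   # spill-over described in the article
    r"C:\Windows\Temp\helper.dll",      # spill-over described in the article
    r"C:\Windows\Temp\readme.txt",      # no extension match, never fires
    r"C:\Users\alice\tool.exe",         # outside %systemroot%, never fires
]
```

Note that the ignore entry suppresses every event beneath %SystemRoot%\Temp, not only the wildcard spill-over, so a change to a monitored extension in that folder is no longer reported.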