IDS policy triggers a filewatch event when a folder that is not configured to be monitored is altered

Article:TECH196674  |  Created: 2012-09-13  |  Updated: 2012-09-13  |  Article URL http://www.symantec.com/docs/TECH196674
Article Type
Technical Solution


Issue



The "Host_IDS_File_Tampering" IDS policy triggers a filewatch event when the C:\windows\temp folder is altered, even though that folder is NOT configured to be monitored.


Environment



From testing, this issue is not specific to a particular version of Symantec Critical System Protection (SCSP).



Cause



Monitoring %systemroot%\*.exe or %systemroot%\*.dll (as defined in the default "Host_IDS_File_Tampering" policy) also triggers events for c:\windows\temp\*.exe and c:\windows\temp\*.dll, because those paths are matched by the wildcard pattern as well.



Solution



SCSP is behaving as designed, but the design can be improved.

The issue is planned to be addressed in the next major release of SCSP, which may be some time away.

A workaround is to add %SystemRoot%\Temp to the "Ignore Files" option in the policy.
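The following added example (not SCSP code, and not from the article) models the matching behaviour described in the Cause and Solution sections: a monitor pattern such as %systemroot%\*.exe is applied to file names anywhere under the pattern's directory, so changes in C:\Windows\Temp raise events until that folder is listed under "Ignore Files". The variable expansion, the subtree-matching rule and the sample file paths are assumptions made for the illustration.

```python
"""Model of filewatch pattern matching versus an Ignore Files list (illustrative only)."""
import fnmatch
import ntpath

# Assumed variable expansion; the real agent resolves %systemroot% on the host.
ENV = {"%systemroot%": r"C:\Windows"}


def expand(pattern):
    """Expand known environment variables and normalise case for comparison."""
    out = pattern.lower()
    for name, value in ENV.items():
        out = out.replace(name, value.lower())
    return out


def matches_monitor(path, monitor_patterns):
    """Assumption: the name glob (*.exe) is applied to every file below the
    pattern's directory, so C:\\Windows\\Temp\\x.exe matches %systemroot%\\*.exe."""
    p = path.lower()
    for pat in monitor_patterns:
        root, glob = ntpath.split(expand(pat))
        in_tree = p.startswith(root.rstrip("\\") + "\\")
        if in_tree and fnmatch.fnmatch(ntpath.basename(p), glob):
            return True
    return False


def is_ignored(path, ignore_dirs):
    """True when the path lies under any directory listed in Ignore Files."""
    p = path.lower()
    return any(p.startswith(expand(d).rstrip("\\") + "\\") for d in ignore_dirs)


def filewatch_events(paths, monitor_patterns, ignore_dirs=()):
    """Return the changed paths that would raise a filewatch event."""
    return [p for p in paths
            if matches_monitor(p, monitor_patterns) and not is_ignored(p, ignore_dirs)]


MONITOR = [r"%systemroot%\*.exe", r"%systemroot%\*.dll"]
# Constructed sample of file changes seen by the agent.
CHANGES = [r"C:\Windows\notepad.exe", r"C:\Windows\Temp\setup.exe",
           r"C:\Windows\Temp\x.dll", r"C:\Windows\Temp\readme.txt",
           r"C:\Users\alice\tool.exe"]

if __name__ == "__main__":
    print(filewatch_events(CHANGES, MONITOR))                        # Temp files raise events
    print(filewatch_events(CHANGES, MONITOR, [r"%SystemRoot%\Temp"]))  # workaround applied
```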



