
Is it possible to detect in SCSP who is accessing my shared folders or who made changes?

Created: 10 Jul 2013 | Updated: 16 Jul 2013 | 5 comments
ramling p:


I have applied the prevention policy "allow but log modifications to these files"; check the attached screenshot.

For testing, I accessed the shared folder and created one text file from another computer. The SCSP agent generated a log, but it does not show who created this file, what the system IP address is, or what the user name of the person who created this file is.

What changes do I need to make in the policy so that I can detect who created the file, the IP address and the user name on the local network?


The log below has been generated:


SOURCE

Agent Name                      avadmin
Host Name                       avadmin
Host IP Address                 192.168.42.250
Agent Version                   5.2.9.670
OS Type                         Windows
OS Version                      Server 2008 R2
Agent Type                      CSP Native Agent

EVENT

Event Type                      File Access
Event Category                  Real Time - Prevention
Operation                       IoCreateFile
Event Severity                  Notice
Event Priority                  25
Event Date                      10-Jul-2013 01:13:56 PDT
Post Date                       10-Jul-2013 01:14:49 PDT
Post Delay                      00:00:53
Event Duration                  00:00:00
Event Count                     1
Event ID                        194951

DETAILS

Description                     File Write Allowed for LanManager on C:\Symantec RU3\New Text Document.txt
Policy Name                     sym_win_protection_strict_sbp for AVADMIN
Process                         LanManager
File Name                       C:\Symantec RU3\New Text Document.txt
Disposition                     Allow
Process Set                     remote_file_ps
Operation                       IoCreateFile
OS Result                       00000000 (SUCCESS)
SCSP Result                     00000000 (SUCCESS)
Permissions Requested           00110080 (delete, synch, read_attr)
Process ID                      4
Thread ID                       3216



5 Comments

Will V:

You need to apply a detection policy.  You can create a custom file watch policy for the file (or folder) you wish to monitor.  That would be the quickest way to enable tracking for a specific list of files.

Check out the Detection Policy Guide.  Look under the section on file monitoring.  You can find it here:

http://www.symantec.com/docs/DOC5946

Let me know if you need additional details.


Please mark posts as the solution if they solve your problem!

ramling p:

Hi, thanks for the update. I have created one Windows template policy, "File watch", and given it that folder path for watching. Now I am able to detect who is accessing my file. But it is not showing from which system, or what the IP address of the system accessing my file is.
Do I need to apply one more policy to detect the IP address or hostname?

Please let me know if you have any information, so I can get the IP address or hostname.

SOURCE

Host Name: JTPLMENTRS-D02
User Name: ram
Agent Version: 5.2.9.670
OS Version: Server 2003 Service Pack 2

DETAILS

Description: Watched File Modified (c:\documents and settings\ram\desktop\sepm\new text document.txt)
Rule Name: File watch
User Text:
Operation: M
File Name: c:\documents and settings\ram\desktop\sepm\new text document.txt
Old Size:
New Size:
New File Name:
Old Permission Bitmask:
New Permission Bitmask:
Old Creation Date:
New Creation Date:
Old Modification Date: 2013-07-16 16:20:40.563
New Modification Date: 2013-07-16 18:29:26.261
Old Access Date: 2013-07-16 18:29:25.699
New Access Date: 2013-07-16 18:29:26.261
Old # of Hard Links:
New # of Hard Links:
File Difference:

AMoss:

Short answer is 'No...you cannot tell who the remote user is that is accessing files in a local share using a CSP policy'.


As you see in your prevention event, the process set is 'remote_file_ps' and the process accessing the file is Lan Manager.  CSP is a kernel mode intercept and only sees users associated with LOCAL processes...it does not see the authentication chain, and the authenticated user is NOT associated with the process that is accessing the file (Lan Manager).

Neither IDS nor IPS policies will achieve your goal.

Looking for real-time reporting and data visualization for your Symantec Security solutions?  http://www.trysolve.com
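As an added example (not code from this thread, from Symantec, or from the CSP product), the script below shows the practical consequence of AMoss's point: a CSP event whose Process Set is remote_file_ps and whose process is LanManager (System, PID 4) identifies only that the write came in through the file server service, so the remote account and client address have to come from a different source. It takes that event, flags it as remote SMB access, and correlates it with Windows share-audit records (Security event 5145, "Detailed File Share" auditing), which do record the account and source address. The audit records, their simplified field names, and the assumption that both logs share one local clock are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the CSP prevention event from the question, trimmed to the fields used.
CSP_EVENT = """\
Event Type                      File Access
Event Date                      10-Jul-2013 01:13:56 PDT
Process                         LanManager
File Name                       C:\\Symantec RU3\\New Text Document.txt
Process Set                     remote_file_ps
Process ID                      4
"""

# Constructed, simplified Windows "Detailed File Share" audit records (Security event 5145).
# These carry the remote account and client address that the CSP kernel intercept never sees.
SHARE_AUDIT = [
    {"time": "2013-07-10 01:13:55", "account": "LAB\\alice", "client": "192.168.42.17",
     "share_path": "C:\\Symantec RU3", "target": "New Text Document.txt"},
    {"time": "2013-07-10 01:02:10", "account": "LAB\\bob", "client": "192.168.42.31",
     "share_path": "C:\\Symantec RU3", "target": "New Text Document.txt"},
]

def parse_csp_event(text):
    """Split the two-column CSP event dump into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s{2,}(.*)$", line.rstrip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def is_remote_smb_access(ev):
    """True when the access arrived through the server service (LanManager, System PID 4)."""
    return ev.get("Process Set") == "remote_file_ps" or ev.get("Process") == "LanManager"

def csp_time(ev):
    # Drop the trailing zone name; assumes CSP and Windows logs use the same local clock.
    stamp = " ".join(ev["Event Date"].split()[:2])
    return datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S")

def attribute_remote_access(ev, audit, window_s=10):
    """Return {user, ip} from the nearest share-audit record for the same file, else None."""
    if not is_remote_smb_access(ev):
        return None  # a local process: CSP already names the user, nothing to correlate
    when, path = csp_time(ev), ev["File Name"].lower()
    best = None
    for rec in audit:
        full = (rec["share_path"] + "\\" + rec["target"]).lower()
        delta = abs(datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S") - when)
        if full == path and delta <= timedelta(seconds=window_s):
            if best is None or delta < best[0]:
                best = (delta, rec)
    return None if best is None else {"user": best[1]["account"], "ip": best[1]["client"]}
```

Share auditing has to be enabled on the file server for 5145 records to exist at all; without them the function correctly returns None rather than guessing.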