PIM/PAMSC(EP) All: Erase event is not found in audit log when deleting a file via Explorer

Article ID: 141958

Products

CA Privileged Access Manager - Server Control (PAMSC)

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

When a protected file is deleted from the menu in Explorer, the delete event does not appear as "Erase" in the audit log.

Cause

This problem is caused by a conflict with AV software, Sophos in this case.

Environment

Release : all

Component : PAM SERVER CONTROL ENDPOINT WINDOWS/ PIM ENDPOINT WINDOWS

Resolution

PAMSC/PIM intercepts OS events in line with OS behavior, not application behavior.
A delete in Explorer does not delete the file but moves it to the Trash folder.
Even so, PAMSC/PIM can intercept this event as 'Erase'.

On the other hand, AV software behaves similarly for this action.

As a result, a conflict occurs and PAMSC/PIM cannot find the correct event.

In this case, the AV software's bypass is not enough.

Additional Information

When the customer uses one of the following actions, an "Erase" event appears in the audit log, since the action is a file delete from the OS point of view.

- The del command in a command prompt.

- Selecting the Shift+Delete menu in Explorer.