When some protected file is deleted from menu via Explorer, it does not appear delete event as "Erase" in audit log.
This problem caused by conflict with AV software, sophos in this case.
Release : all
Component : PAM SERVER CONTROL ENDPOINT WINDOWS/ PIM ENDPOINT WINDOWS
PAMSC/PIM intercepts OS event along with OS behavior.
It is not application behavior.
Delete at Explorer is not delete file but move to Trash folder.
But PAMSC/PIM can intercept this event as 'Erase'.
In other side, AV software is similar behavior at this action.
So, conflict is occurred and PAMSC/PIM cannot find correct event as the results.
In this case, AV software's bypass is not enough.
When customer use following action, it appears "Erase" event in audit log since it is delete file in OS view.
- del command in command prompt.
- select Shift+Delete menu in Explorer.