SCSP Not Tracking Delete Activity in the Event Logs

Article ID: 156559

Products

Critical System Protection

Issue/Introduction

When files are placed in the Recycle Bin, the Symantec Critical System Protection (SCSP) agent does not log the delete activity.

Resolution

When a file is sent to the Recycle Bin, it is renamed by Windows and indexed. For example, the file "C:\myfile.txt" could be renamed as "C:\$Recycle.Bin\S-1-5-21-...\$rd96bh.txt", and an index is maintained so that it will still show as myfile.txt in the Recycle Bin.

SCSP does not consider a file placed in the Windows Recycle Bin as "deleted" due to the recoverability of the file. Instead, SCSP accurately records a "file renamed" event when a file is sent to the Recycle Bin.

Once the file is in the Recycle Bin, a rule must exist to monitor the Recycle Bin itself, otherwise subsequent deletion events will not be reported. This rule needs to use a wildcard to capture events as the file is renamed once it is sent there.

If a file in the Recycle Bin is later restored, this will be reported as a "file added", and if the Recycle Bin is emptied, the renamed file will be reported as deleted. All of these events will be logged as normal filewatch events.
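The following Python script is an added example, not part of the Symantec article and not SCSP's own rule language: it shows how a reviewer of SCSP filewatch output can apply the Recycle Bin wildcard described above and tie the "renamed", "added" and "deleted" events back to the original file name. The event record layout, the SID directory and the sample event lines are constructed for the example.

```python
# Added example (constructed; not SCSP code): interpret SCSP-style filewatch
# events so that a rename into the Windows Recycle Bin is surfaced as an
# effective deletion, a later "added" at the original name as a restore, and
# a "deleted" on the renamed $R... file as a permanent deletion.
import fnmatch

# Wildcard pattern a monitoring rule on the Recycle Bin itself needs: the
# per-user SID directory and the $R<random> file name both vary.
RECYCLE_BIN_PATTERN = r"?:\$Recycle.Bin\S-1-5-21-*\$R*"

# Constructed sample events (SID and random names are made up).
SAMPLE_EVENTS = [
    {"event": "renamed", "path": r"C:\myfile.txt",
     "new_path": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$rd96bh.txt"},
    {"event": "added", "path": r"C:\myfile.txt"},            # restored from the bin
    {"event": "renamed", "path": r"C:\myfile.txt",
     "new_path": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$rk21pq.txt"},
    {"event": "deleted",                                      # bin emptied
     "path": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$rk21pq.txt"},
    {"event": "deleted", "path": r"C:\temp\scratch.log"},    # plain delete, no bin
]


def in_recycle_bin(path: str) -> bool:
    """True if the path matches the Recycle Bin wildcard (case-insensitive)."""
    return fnmatch.fnmatch(path.lower(), RECYCLE_BIN_PATTERN.lower())


def classify(events):
    """Walk events in order; return (original_path, effect) pairs."""
    alias = {}  # lower-cased Recycle Bin path -> original path before rename
    out = []
    for ev in events:
        kind, path = ev["event"], ev["path"]
        if kind == "renamed":
            dst = ev["new_path"]
            if in_recycle_bin(dst):
                alias[dst.lower()] = path
                out.append((path, "sent_to_recycle_bin"))
            else:
                out.append((path, "renamed"))
        elif kind == "added":
            # A file re-appearing at a name we saw go into the bin is a restore.
            restored = [k for k, v in alias.items() if v.lower() == path.lower()]
            if restored:
                for k in restored:
                    del alias[k]
                out.append((path, "restored_from_recycle_bin"))
            else:
                out.append((path, "added"))
        elif kind == "deleted":
            orig = alias.pop(path.lower(), None)
            if orig is not None:
                out.append((orig, "permanently_deleted"))
            else:
                out.append((path, "deleted"))
    return out


if __name__ == "__main__":
    for original, effect in classify(SAMPLE_EVENTS):
        print(f"{effect:28s} {original}")
```

Without the wildcard rule on the Recycle Bin, only the first "sent_to_recycle_bin" line would be visible; the later permanent deletion of the renamed file would never be reported.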


Applies To

This issue applies to Windows operating systems only.