Symantec Critical System Protection IPS Driver Does Not Show the Remote User Who Changes Files

Article ID: 159302

Products

Critical System Protection, Critical System Protection Client Edition, Data Center Security Server Advanced

Issue/Introduction

The Critical System Protection (SCSP) IPS driver does not show the remote user who attempted to change, or successfully changed, a file over the network.

Cause

This occurs because the IPS driver blocks the remote file access attempt by blocking the LAN Manager process from making the change to the file, and that process does not have the user information attached. This behavior is expected due to the architecture of Windows.

Resolution

To monitor who made changes to the file, along with what content within the file was changed, an IDS filewatch policy must be used.

Note that there is a limitation in Windows XP/2003 and earlier that prevents the IDS filewatch policy from seeing the user, so users who made the changes will only be reported on Windows 7/2008 and later. 


Applies To

Windows