KBI 311907 New Features: Exclude Some File Extensions in File Audit Events

Version

Argent Advanced Technology 5.1A-2101-B and later

Date

Thursday, 28 January 2021

Summary

When file auditing is turned on for a folder, every file change in that folder generates a file audit security event.

For example, MS Word can create temporary files (~*.tmp) while a Word document is being edited if the auto-save feature is turned on.

Customers might not want events for these temporary files polluting the Compliance reports or generating unnecessary file deletion events.

Argent AT has been enhanced to handle this.

The global control file \Argent\ArgentCommon\FILE_AUDIT_EXCLUSION.txt can be used to exclude certain file audit events from archiving and alerting.

The format of the control file is simple: one file name pattern per line, using wildcards. For example:

*.tmp

~*.*

This excludes files with the extension ‘.tmp’ and files whose names start with the character ‘~’.
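
Because excluded events are dropped from both archiving and alerting, it helps to preview what a pattern list would suppress before saving it. The following is an added example, not Argent code: a dry run of the two patterns above against constructed file paths. It assumes patterns are matched against the file name only, case-insensitively, with '*' and '?' as the only wildcards and the dot treated literally; the product's actual matching rules may differ.

```python
import ntpath
import re

# Constructed sample: control file content using the two patterns from this page.
CONTROL_FILE = "*.tmp\n~*.*\n"
# Constructed sample: file paths as they might appear in file audit events.
EVENT_PATHS = [
    r"D:\Finance\~WRD0001.tmp",        # Word temporary file
    r"D:\Finance\~$Budget.docx",       # name starts with '~'
    r"D:\Finance\Budget.docx",         # ordinary document
    r"D:\Finance\payroll_export.TMP",  # not a temp file, but has the extension
]

def load_patterns(text):
    """One wildcard pattern per line; blank lines are ignored (assumption)."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def to_regex(pattern):
    """Translate '*' and '?' only; every other character is literal (assumption)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)  # case-insensitive: assumption

def excluded_by(path, patterns):
    """Return the first pattern that matches the file name, or None."""
    name = ntpath.basename(path)  # handles backslash paths on any OS
    for pattern in patterns:
        if to_regex(pattern).fullmatch(name):
            return pattern
    return None

def dry_run(paths, patterns):
    """Split audited paths into (suppressed, kept) for review."""
    suppressed, kept = [], []
    for path in paths:
        hit = excluded_by(path, patterns)
        if hit:
            suppressed.append((path, hit))
        else:
            kept.append(path)
    return suppressed, kept

if __name__ == "__main__":
    for path, pattern in dry_run(EVENT_PATHS, load_patterns(CONTROL_FILE))[0]:
        print(f"suppressed by {pattern!r}: {path}")
```

The last sample path shows why the suppressed list is worth reviewing: any file that carries an excluded extension disappears from the audit trail, whether or not it is a temporary file.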

The Argent AT engine automatically sorts the content for easier reading if it is not already sorted.

The file can be updated while Argent is running; the product checks the file every minute.

The Argent AT engine keeps the change history of this control file under \Argent\ArgentForCompliance\CONTROL_FILES.

All used copies are kept with names in the format FILE_AUDIT_EXCLUSION_yyyy_MM_dd_HH_mm_ss.txt. The time stamp is the time at which the change was found.

The Argent AT engine replicates this control file among Argent Non-Stop Monitor motors. The customer only needs to update the file on one motor; the latest version is replicated to all motors.

This new feature is available in Argent AT 5.1A-2101-B and later.

Technical Background

N/A

Resolution

Upgrade to Argent AT 5.1A-2101-B or later.