KBI 310778 Microsoft Office Programs Generate File Deletion Audit Events When User Actually Modify Files


Argent for Compliance all versions


Friday, 13 Dec 2013


When a Microsoft Office program such as Microsoft Word is used to edit a document, instead of file modification audit, file deletion audit event is generated

Technical Background

When an Office document is opened for editing, the following occurs:

  1. Copy the file with a new name
  2. Creates one or more temporary files
  3. Update the metadata in the original file to indicate it is locked for editing
  4. Operate on the copy

When the document is saved, the following occurs:

  1. Deletes the original file
  2. Renames the working copy with the original name
  3. Deletes the temporary working files

As results, a file deletion audit event is generated

The best solution is to instruct Microsoft Office program to generate exact audit events that accurately reflect customer’s actions

It will depend on how Microsoft will improve its Office products

In the meantime, Argent is also working on a solution that can filter out these audit noises