KBI 310778 Microsoft Office Programs Generate File Deletion Audit Events When User Actually Modify Files
Version
Argent for Compliance all versions
Date
Friday, 13 Dec 2013
Summary
When a Microsoft Office program such as Microsoft Word is used to edit a document, instead of file modification audit, file deletion audit event is generated
Technical Background
When an Office document is opened for editing, the following occurs:
- Copy the file with a new name
- Creates one or more temporary files
- Update the metadata in the original file to indicate it is locked for editing
- Operate on the copy
When the document is saved, the following occurs:
- Deletes the original file
- Renames the working copy with the original name
- Deletes the temporary working files
As results, a file deletion audit event is generated
The best solution is to instruct Microsoft Office program to generate exact audit events that accurately reflect customer’s actions
It will depend on how Microsoft will improve its Office products
In the meantime, Argent is also working on a solution that can filter out these audit noises
Resolution
N/A