KBI 311728 Issue Addressed: File Audit Report Does Not Show New File Or Folder Name

Version

Argent Advanced Technology 5.1A-1810-B and below

Date

Thursday, 31 January 2019

Summary

A customer might create a new file or folder by choosing ‘New’ in the context menu and then renaming it to the desired name

The resulting audit entries in the SQL table ARGSOFT_COMPLIANCE_AUDIT_FILE_SYSTEM show that a new file or folder was created and then deleted, but do not show the final file name

The issue has been addressed in Argent Advanced Technology 5.1A-1901-A

Technical Background

File audit reports rely on the file audit events in the Windows Security log

Windows generates audit events based on Win32 API calls

The user’s file renaming operation is actually accomplished by deleting the original file entry from the NTFS Master File Table (MFT), then adding a new file name entry to the MFT

That is why there is one event for the file deletion and one event for the folder modification

Argent Advanced Technology 5.1A-1901-A has been enhanced to detect this event sequence and replace it with a single file rename audit entry
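
The correlation described above, as an added example (not Argent's code): a Python function that collapses a delete event followed by a modification of the parent folder, by the same user within a short window, into one rename entry. The record layout, the `entry` field holding the new name, the 2-second window and the sample events are all constructed assumptions; real Security log events are structured differently.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample records, not real Security log output. The field names
# and the "entry" field carrying the new name are assumptions of this example.
EVENTS = [
    {"time": "2019-01-31 10:00:00", "user": "CORP\\alice", "op": "create",
     "path": "D:\\Share\\New folder"},
    {"time": "2019-01-31 10:00:04", "user": "CORP\\alice", "op": "delete",
     "path": "D:\\Share\\New folder"},
    {"time": "2019-01-31 10:00:04", "user": "CORP\\bob", "op": "delete",
     "path": "D:\\Share\\old.txt"},
    {"time": "2019-01-31 10:00:05", "user": "CORP\\alice", "op": "modify",
     "path": "D:\\share", "entry": "Invoices 2019"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def _is_rename_pair(deleted, modified, window):
    """True if `modified` is the folder change that completes a rename."""
    parent = ntpath.dirname(deleted["path"])
    return (modified["op"] == "modify" and "entry" in modified
            and modified["user"] == deleted["user"]
            and ntpath.normcase(modified["path"]) == ntpath.normcase(parent)
            and timedelta(0) <= _ts(modified) - _ts(deleted) <= window)

def collapse_renames(events, window=timedelta(seconds=2)):
    """Replace each delete + folder-modify pair with one rename entry."""
    events = sorted(events, key=_ts)
    used, result = set(), []
    for i, ev in enumerate(events):
        if i in used:
            continue
        match = None
        if ev["op"] == "delete":
            match = next((j for j in range(i + 1, len(events)) if j not in used
                          and _is_rename_pair(ev, events[j], window)), None)
        if match is None:
            result.append(ev)  # genuine create, delete or unrelated event
            continue
        used.add(match)
        folder = ntpath.dirname(ev["path"])
        result.append({"time": ev["time"], "user": ev["user"], "op": "rename",
                       "path": ev["path"],
                       "new_path": ntpath.join(folder, events[match]["entry"])})
    return result

if __name__ == "__main__":
    print(*collapse_renames(EVENTS), sep="\n")
```

A delete with no matching folder modification inside the window (the second user's event in the sample) is left as a genuine deletion, so real deletions are not hidden by the correlation.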

Resolution

Upgrade to Argent Advanced Technology 5.1A-1901-A or above