KBI 311730 Issue Addressed: File Audit Report Does Not Show Entry For Opening File In Notepad Or Other File Editor

Version

Argent Advanced Technology 5.1A-1810-B and below

Date

Thursday, 31 January 2019

Summary

Opening a file in the directory for viewing only does not generate any audit report entries.

A report entry is generated if the user opens and edits the file, but not if the user opens the file and reads it without making edits.

The issue has been addressed in Argent Advanced Technology 5.1A-1901-A.

Note: Read events are generated only when the file is read by programs other than ‘explorer.exe’.

Technical Background

File audit reports rely on the file audit events in the Windows security log.

Windows generates these audit events based on Win32 API calls.

Many read events can be generated even when the user simply opens the containing folder in File Explorer (explorer.exe).

Argent AT does not record these read events, to avoid generating noisy events that the user might not be interested in.

Argent Advanced Technology 5.1A-1901-A has been enhanced to detect file read events when the user opens a file in a file editor such as notepad.exe.
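
The filtering described above can be sketched as follows. This is an added example, not Argent's code: it assumes the audit records are Windows security event 4663 in XML form with the ReadData bit (0x1) in AccessMask, which the article does not specify, and the sample records, user names and paths are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_READ_DATA = 0x1                # ReadData bit in the 4663 AccessMask (assumed event type)
NOISY_PROCESSES = {"explorer.exe"}  # reads by these processes are not reported

def parse_4663(xml_text):
    """Return the relevant fields of one event 4663 record, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "user": data.get("SubjectUserName", ""),
        "file": data.get("ObjectName", ""),
        "process": data.get("ProcessName", ""),
        "mask": int(data.get("AccessMask") or "0", 16),  # logged as hex, e.g. "0x1"
    }

def reportable_reads(xml_events):
    """Keep read accesses made by any program other than the noisy ones."""
    out = []
    for xml_text in xml_events:
        ev = parse_4663(xml_text)
        if ev is None or not ev["mask"] & FILE_READ_DATA:
            continue  # not a file access record, or not a read
        proc = ntpath.basename(ev["process"]).lower()
        if proc in NOISY_PROCESSES:
            continue  # folder browsing in File Explorer
        out.append((ev["user"], proc, ev["file"]))
    return out

def _sample(event_id, user, path, proc, mask):
    """Build a minimal constructed event record for the demonstration."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="ObjectName">{path}</Data>'
            f'<Data Name="ProcessName">{proc}</Data>'
            f'<Data Name="AccessMask">{mask}</Data></EventData></Event>')

# Constructed sample records (not taken from a real log)
SAMPLE_EVENTS = [
    _sample(4663, "alice", r"C:\Data\plan.txt", r"C:\Windows\explorer.exe", "0x1"),
    _sample(4663, "alice", r"C:\Data\plan.txt", r"C:\Windows\System32\notepad.exe", "0x1"),
    _sample(4663, "bob", r"C:\Data\plan.txt", r"C:\Windows\System32\notepad.exe", "0x2"),
    _sample(4656, "bob", r"C:\Data\plan.txt", r"C:\Windows\System32\notepad.exe", "0x1"),
]

if __name__ == "__main__":
    for row in reportable_reads(SAMPLE_EVENTS):
        print(row)
```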

Resolution

Upgrade to Argent Advanced Technology 5.1A-1901-A or above.