KBI 311736 New Feature: Extensive Check Mode For File Audit Compliance Reports

Version

Argent Advanced Technology 5.1A-1901-B or above

Date

Monday, 18 March 2019

Summary

File Audit Compliance Reports in Argent Compliance rely on analyzing Windows security Events

The OS generates file audit Events based on the underlying Win32 API calls, not on actual user operations

As a result, in many scenarios it is impossible to reconstruct user operations solely from audit Events

For example, renaming a file/folder only generates a write-data Event for the container folder

There is no information about what actually changed in the container folder, and therefore no information about the new name of the renamed file/folder

Argent Advanced Technology 5.1A-1901-B has been enhanced to address this issue

The Argent Advanced Technology Engine can optionally start File Change monitoring on the audited folder path

By correlating the File Change Notifications while parsing Windows File Audit Events, the Argent Advanced Technology Engine can recover the information missing from Windows security Events
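As an added illustration of that correlation (example code written for this article, not Argent's own), the Python below pairs the OLD_NAME/NEW_NAME notifications that Windows directory-change monitoring delivers for a rename with the write-data audit Event raised on the container folder, so the Event ends up carrying the old and new file names. The Event fields, the two-second matching window and all sample records are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rename notifications arrive as an OLD_NAME/NEW_NAME pair for the container
# folder; other actions (ADDED, REMOVED, MODIFIED) carry the name directly.
RENAMED_OLD, RENAMED_NEW = "RENAMED_OLD_NAME", "RENAMED_NEW_NAME"
WINDOW = timedelta(seconds=2)  # assumed max gap between Event and notification

@dataclass
class AuditEvent:       # the fields of a file-audit security Event we need
    time: datetime
    user: str
    object_name: str    # path the Event names (the folder, for a rename)
    access: str         # e.g. "WriteData/AddFile"
    detail: str = None  # filled in by correlate()

# one entry of a directory-change buffer (time, folder, action, name)
ChangeNotification = namedtuple("ChangeNotification", "time folder action name")

def correlate(events, notes):
    """Attach the real operation to each write-data Event on a container folder."""
    pending, ops = {}, []  # pair OLD/NEW rename notifications into one operation
    for n in sorted(notes, key=lambda x: x.time):
        if n.action == RENAMED_OLD:
            pending[n.folder] = n.name
        elif n.action == RENAMED_NEW:
            ops.append((n.time, n.folder, f"renamed {pending.pop(n.folder, '?')} -> {n.name}"))
        else:
            ops.append((n.time, n.folder, f"{n.action.lower()} {n.name}"))
    for ev in events:
        if not ev.access.startswith("WriteData"):
            continue  # non-write Events already name the object directly
        for i, (t, folder, desc) in enumerate(ops):
            if folder == ev.object_name and abs(t - ev.time) <= WINDOW:
                ev.detail = desc
                ops.pop(i)  # one notification explains one Event
                break
    return events

# Constructed sample: alice renames budget.xlsx inside D:\Share\Finance.
T0 = datetime(2019, 3, 18, 10, 0, 0)
SAMPLE_EVENTS = [AuditEvent(T0, "CORP\\alice", "D:\\Share\\Finance", "WriteData/AddFile")]
SAMPLE_NOTES = [
    ChangeNotification(T0 + timedelta(milliseconds=30), "D:\\Share\\Finance", RENAMED_OLD, "budget.xlsx"),
    ChangeNotification(T0 + timedelta(milliseconds=31), "D:\\Share\\Finance", RENAMED_NEW, "budget-final.xlsx"),
]

def recover_sample():
    return [(e.user, e.object_name, e.detail) for e in correlate(SAMPLE_EVENTS, SAMPLE_NOTES)]
```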

Of course, monitoring File Changes consumes system resources

Argent recommends turning on this feature on vital file servers

The feature can be selectively turned on individually for each licensed server using License Node Properties

To control the on/off status, use the option ‘Extensive Check’

Technical Background

File Change monitoring generally requires a dedicated worker thread for each monitored folder

The Argent Advanced Technology Engine uses an I/O completion technique to handle a potentially large number of monitored folders

The system cost has been kept to a minimum

Resolution

Upgrade to Argent Advanced Technology 5.1A-1901-B or above