KBI 311736 New Feature: Extensive Check Mode For File Audit Compliance Reports
Version
Argent Advanced Technology 5.1A-1901-B or above
Date
Monday, 18 March 2019
Summary
File Audit Compliance Reports in Argent Compliance rely on analyzing Windows security Events
The OS generates file audit Events based on the underlying Win32 API calls, not on the actual user operations
As a result, in many scenarios it is impossible to reconstruct user operations solely from audit Events
For example, renaming a file/folder only generates a write-data Event for the container folder
The Event carries no information about what actually changed inside the container folder, so the new name of the renamed file/folder is not recorded
Argent Advanced Technology 5.1A-1901-B has been enhanced to address this issue
Argent Advanced Technology Engine can optionally start File Change monitoring on each audited folder path
By correlating the File Change Notifications with the Windows File Audit Events as they are parsed, Argent Advanced Technology Engine can recover the information missing from the Windows security Events
Monitoring File Changes does, of course, consume system resources
Argent recommends turning on this feature on vital file servers
The feature can be turned on selectively for each licensed server using License Node Properties
To control the on/off status, use the option ‘Extensive Check’
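The correlation described above, shown as an added illustration that is not Argent's own code: a constructed rename appears in the Security log only as a WriteData Event on the container folder, and is joined with the OLD_NAME/NEW_NAME change-notification pair seen on that folder within a short time window, recovering the old and new file names. The Event field names, the two-second window and the sample paths and users are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Action codes carried in the FILE_NOTIFY_INFORMATION records that ReadDirectoryChangesW returns
FILE_ACTION_RENAMED_OLD_NAME = 4
FILE_ACTION_RENAMED_NEW_NAME = 5

@dataclass
class AuditEvent:          # one parsed file-audit Event from the Security log (field names assumed)
    time: datetime
    user: str
    object_name: str       # for a rename, Windows records only the container folder here
    access: str            # e.g. "WriteData"
@dataclass
class ChangeNotification:  # one record from the change-notification buffer of a watched folder
    time: datetime
    folder: str
    action: int
    name: str              # entry name relative to the watched folder

def pair_renames(notifications):
    """A rename arrives as an OLD_NAME record followed by a NEW_NAME record for the same folder."""
    renames, pending = [], {}
    for n in sorted(notifications, key=lambda n: n.time):
        key = n.folder.lower()
        if n.action == FILE_ACTION_RENAMED_OLD_NAME:
            pending[key] = n
        elif n.action == FILE_ACTION_RENAMED_NEW_NAME and key in pending:
            old = pending.pop(key)
            renames.append((old.time, key, old.name, n.name))
    return renames

def enrich(audit_events, notifications, window=timedelta(seconds=2)):
    """Attach old/new names to each WriteData audit Event whose folder saw a rename within `window`."""
    renames, result = pair_renames(notifications), []
    for ev in audit_events:
        if ev.access != "WriteData":
            continue
        old, new = next(((o, n) for t, f, o, n in renames
                         if f == ev.object_name.lower() and abs(t - ev.time) <= window), (None, None))
        result.append({"user": ev.user, "folder": ev.object_name, "old_name": old, "new_name": new})
    return result

def demo():
    """Constructed sample: a rename in D:\\Share\\Finance plus an unrelated write in D:\\Share\\HR."""
    t0, fin = datetime(2019, 3, 18, 9, 0, 0), "D:\\Share\\Finance"
    audits = [AuditEvent(t0, "CORP\\alice", fin, "WriteData"),
              AuditEvent(t0 + timedelta(minutes=5), "CORP\\bob", "D:\\Share\\HR", "WriteData")]
    notes = [ChangeNotification(t0 + timedelta(milliseconds=300), fin, FILE_ACTION_RENAMED_OLD_NAME, "Q1.xlsx"),
             ChangeNotification(t0 + timedelta(milliseconds=301), fin, FILE_ACTION_RENAMED_NEW_NAME, "Q1-final.xlsx")]
    return enrich(audits, notes)
```

A WriteData Event with no matching rename in the window keeps empty old/new names, which is exactly the gap the audit log alone leaves.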
Technical Background
File Change monitoring generally requires a dedicated worker thread for each monitored folder
Argent Advanced Technology Engine uses an I/O completion technique to handle a potentially large number of monitored folders
The system cost is kept to a minimum
Resolution
Upgrade to Argent Advanced Technology 5.1A-1901-B or above