KBI 311729 Issue Addressed: File Audit Report Does Not Show Entry For File Or Folder Renaming
Version
Argent Advanced Technology 5.1A-1810-B and below
Date
Thursday, 31 January 2019
Summary
Renaming an existing file creates a report entry saying that the original file name was deleted. The entry has no reference to the new file name or to the fact that the file was renamed.
In this example, the file ‘COPIED_FILE.txt’ was renamed to ‘COPIED_FILED_RENAMED.txt’.
The issue has been addressed in Argent Advanced Technology 5.1A-1901-A.
Technical Background
File audit reports rely on the file audit Events in the Windows Security log.
Windows generates audit Events based on the Win32 API calls.
The user’s file renaming operation is actually accomplished by deleting the original file entry from the NTFS Master File Table (MFT), then adding a new file name entry to the MFT.
That is why there is one Event about file deletion and one Event about folder modification.
Argent Advanced Technology 5.1A-1901-A has been enhanced to detect this Event sequence and replace it with one audit entry for the file rename.
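The correlation described above, sketched as an added example (not Argent's code): a file-deletion record followed by a modification record for the parent folder, from the same user within a short window, is collapsed into one rename entry, while an unpaired deletion stays a deletion. The record format, the `new_name` field and the two-second window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta
from ntpath import dirname  # Windows path rules on any platform

WINDOW = timedelta(seconds=2)  # assumed correlation window

# Constructed sample records in a simplified format (not the Windows
# event schema): (timestamp, user, kind, path, new_name).
# 'new_name' is an assumed field on folder-modification records.
EVENTS = [
    ("2019-01-31 10:00:00", "alice", "file_delete",
     r"C:\Data\COPIED_FILE.txt", None),
    ("2019-01-31 10:00:00", "alice", "folder_modify",
     r"C:\Data", "COPIED_FILED_RENAMED.txt"),
    # A real deletion: the folder change four minutes later is unrelated.
    ("2019-01-31 10:05:00", "bob", "file_delete", r"C:\Data\old.log", None),
    ("2019-01-31 10:09:00", "bob", "folder_modify", r"C:\Data", "notes.txt"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def is_rename_pair(first, second):
    """True when 'second' is the folder change that completes a rename."""
    gap = parse(second[0]) - parse(first[0])
    return (first[2] == "file_delete"
            and second[2] == "folder_modify"
            and first[1] == second[1]                       # same user
            and second[3].lower() == dirname(first[3]).lower()  # parent folder
            and timedelta(0) <= gap <= WINDOW)

def collapse_renames(events):
    """Replace each delete + folder-modify pair with one rename entry.

    Expects events sorted by time; everything else passes through as-is.
    """
    report, i = [], 0
    while i < len(events):
        cur = events[i]
        nxt = events[i + 1] if i + 1 < len(events) else None
        if nxt and is_rename_pair(cur, nxt):
            report.append((cur[0], cur[1], "file_rename", cur[3], nxt[4]))
            i += 2
        else:
            report.append(cur)
            i += 1
    return report

if __name__ == "__main__":
    for entry in collapse_renames(EVENTS):
        print(entry)
```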
Resolution
Upgrade to Argent Advanced Technology 5.1A-1901-A or above