KBI 311730 Issue Addressed: File Audit Report Does Not Show Entry For Opening File In Notepad Or Other File Editor
Version
Argent Advanced Technology 5.1A-1810-B and below
Date
Thursday, 31 January 2019
Summary
Opening a file in the audited directory for viewing only does not generate any audit report entries.
A report entry is generated if the user opens and edits the file, but not if the user opens the file and reads it without making edits.
The issue has been addressed in Argent Advanced Technology 5.1A-1901-A.
Note: Read events are generated only when the file is read by programs other than ‘explorer.exe’.
Technical Background
File audit reports rely on the file audit events in the Windows Security log.
Windows generates these audit events based on Win32 API calls.
Many read events can be generated even when a user simply opens the containing folder in File Explorer (explorer.exe).
Argent AT does not record these read events, to avoid generating noisy events that the user might not be interested in.
Argent Advanced Technology 5.1A-1901-A has been enhanced to detect file read events when a user opens a file in a file editor such as notepad.exe.
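The filtering described above can be sketched as follows. This is an added example, not Argent's code: it assumes the file audit events are Security log Event ID 4663 records exported as XML, and the function name, users, paths and sample events are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_READ_DATA = 0x1                   # ReadData (or ListDirectory) bit of AccessMask
EXCLUDED_PROCESSES = {"explorer.exe"}  # the exclusion the article describes

def _sample(event_id, user, obj, proc, mask):
    """Build one constructed event in the Security log XML layout."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="ObjectName">{obj}</Data>'
        f'<Data Name="ProcessName">{proc}</Data>'
        f'<Data Name="AccessMask">{mask}</Data></EventData></Event>'
    )

# Constructed sample data, not taken from a real log.
SAMPLE_LOG = "<Events>" + "".join([
    _sample(4663, "alice", r"C:\Finance", r"C:\Windows\explorer.exe", "0x1"),
    _sample(4663, "alice", r"C:\Finance\plan.txt", r"C:\Windows\System32\notepad.exe", "0x1"),
    _sample(4663, "bob", r"C:\Finance\plan.txt", r"C:\Windows\System32\notepad.exe", "0x2"),
    _sample(4656, "bob", r"C:\Finance\plan.txt", r"C:\Windows\System32\notepad.exe", "0x1"),
    _sample(4663, "carol", r"C:\Finance\q1.csv", r"C:\WINDOWS\EXPLORER.EXE", "0x1"),
]) + "</Events>"

def reportable_reads(xml_text):
    """Return (user, process, file) for read accesses not made by excluded processes."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue  # only "an attempt was made to access an object"
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if not int(data.get("AccessMask", "0"), 16) & FILE_READ_DATA:
            continue  # write or other access, not a read
        process = ntpath.basename(data.get("ProcessName", "")).lower()
        if process in EXCLUDED_PROCESSES:
            continue  # folder-browsing noise from File Explorer
        rows.append((data.get("SubjectUserName"), process, data.get("ObjectName")))
    return rows

if __name__ == "__main__":
    for row in reportable_reads(SAMPLE_LOG):
        print(row)
```

Only the notepad.exe read is reported; the process name comparison is case-insensitive so that differently cased paths to explorer.exe are still excluded.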
Resolution
Upgrade to Argent Advanced Technology 5.1A-1901-A or above