2.10.4 Conditions for determining whether a file is to be monitored for suspicious file movements
When files are moved to an agent-installed computer from an external source or are moved from an agent-installed computer to an outside destination, they are checked to determine whether they are monitoring targets for suspicious operations. The following table shows the conditions for these checks.
Determining whether a file moved to a system is to be monitored for suspicious operations
Operation log collection item | Whether a file is to be monitored for suspicious operations |
---|---|
Copy file | C#1 |
Move file | C#1 |
Rename file | C#1 |
Create file | Y |
Delete file | C#1 |
Web Access (Upload) | C#1, #2 |
Web Access (Download) | C#3 |
FTP (Send File) | C#1 |
FTP (Receive File) | C#3 |
Send Mail (Attachment File) | C#1 |
Receive Mail (Attachment File) | C#3 |
Save Attached File | C#1 |
| N |
Legend: Y: The file should be monitored. C: The file should be monitored depending on certain conditions. N: The file does not need to be monitored.
#1: The file should be monitored when the drive is a local drive, remote drive, or RAM drive, or when the drive information cannot be collected. The file does not need to be monitored when the drive is a removable drive or CD-ROM drive.
#2: A file uploaded from Internet Explorer 10 or 11 does not need to be monitored.
#3: The file should be monitored when the operation matches the conditions defined for monitoring targets, or when the operation does not match any of the conditions.
Determining whether moving a file from a system is determined to be a suspicious operation
Operation log collection item | Whether the operation is determined to be a suspicious operation |
---|---|
Copy file | C#1 |
Move file | C#1 |
Rename file | N |
Create file | C#2 |
Delete file | N |
Web Access (Upload) | C#3, #4, #5 |
Web Access (Download) | C#6 |
FTP (Send File) | C#3 |
FTP (Receive File) | C#6 |
Send Mail (Attachment File) | C#3 |
Receive Mail (Attachment File) | N |
Save Attached File | C#6 |
| N |
Legend: C: An operation is determined to be suspicious depending on a certain condition. N: An operation is not determined to be suspicious.
#1: For the conditions, see the table Conditions for determining whether an operation is determined to be suspicious when a file is copied or moved from a system below.
#2: For the conditions, see the table Conditions for determining whether an operation of moving a file from a system is determined to be suspicious for file creation below.
#3: An operation is determined to be suspicious when the operation matches one of the conditions defined for determining suspicious operations or when the operation does not match any of the conditions.
#4: In Internet Explorer 10 or 11, all the files are determined to be suspicious.
#5: In Internet Explorer 10 or 11, a check for suspicious operation is performed when a file upload is started. Therefore, a suspicious operation can be detected even when an upload is interrupted by a communication error. For the conditions, see the table Conditions for determining whether an operation of moving a file from a system is determined to be suspicious for receive operations below.
#6: For the conditions, see the table Conditions for determining whether an operation of moving a file from a system is determined to be suspicious for receive operations below.
Conditions for determining whether an operation is determined to be suspicious when a file is copied or moved from a system
Source \ Destination | Local drive | Remote drive | Removable drive | CD-ROM drive | RAM drive | Drive information cannot be collected |
---|---|---|---|---|---|---|
Local drive | N | N | C# | C# | N | C# |
Remote drive | N | N | C# | C# | N | C# |
Removable drive | N | N | N | N | N | N |
CD-ROM drive | N | N | N | N | N | N |
RAM drive | N | N | C# | C# | N | C# |
Drive information cannot be collected | N | N | C# | C# | N | C# |
Legend: C: An operation is determined to be suspicious depending on a certain condition. N: An operation is not determined to be suspicious.
#: An operation is determined to be suspicious when Copy/Move the File to External Device is selected in the security policy.
Conditions for determining whether an operation of moving a file from a system is determined to be suspicious for receive operations
Source \ Destination | Local drive | Remote drive | Removable drive | CD-ROM drive | RAM drive | Drive information cannot be collected |
---|---|---|---|---|---|---|
Any source | N | N | C# | C# | N | C# |
Legend: C: An operation is determined to be suspicious depending on a certain condition. N: An operation is not determined to be suspicious.
#: An operation is determined to be suspicious when Copy/Move the File to External Device is selected in the security policy.
Conditions for determining whether an operation of moving a file from a system is determined to be suspicious for file creation
Source \ Destination | Local drive | Remote drive | Removable drive | CD-ROM drive | RAM drive | Drive information cannot be collected |
---|---|---|---|---|---|---|
No source | N | N | C# | C# | N | C# |
Legend: C: An operation is determined to be suspicious depending on a certain condition. N: An operation is not determined to be suspicious.
#: An operation is determined to be suspicious when Copy/Move the File to External Device is selected in the security policy.
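The three drive matrices above, together with footnote #1 of the first table, reduce to a small decision function. The following Python is an added example (not code from the product documentation) that encodes them and runs the verdict over constructed operation-log records; the operation names and drive labels come from the tables, while the record layout, the `Drive` enum and the function names are assumptions.

```python
from enum import Enum

class Drive(Enum):
    LOCAL = "Local drive"
    REMOTE = "Remote drive"
    REMOVABLE = "Removable drive"
    CDROM = "CD-ROM drive"
    RAM = "RAM drive"
    UNKNOWN = "Drive information cannot be collected"

# Destination columns marked "C#" in all three matrices: suspicious only when
# "Copy/Move the File to External Device" is selected in the security policy.
EXTERNAL_DEST = {Drive.REMOVABLE, Drive.CDROM, Drive.UNKNOWN}
# Source rows that are all "N" in the copy/move matrix (file is already on external media).
EXTERNAL_SRC = {Drive.REMOVABLE, Drive.CDROM}

# Operations routed to each matrix by footnotes #1, #2 and #6 of the second table.
COPY_MOVE_OPS = {"Copy file", "Move file"}
RECEIVE_OPS = {"Web Access (Download)", "FTP (Receive File)", "Save Attached File"}
CREATE_OPS = {"Create file"}  # "No source": only the destination is checked

def is_monitoring_target(drive):
    """Footnote #1 of the first table: monitor unless the drive is removable or CD-ROM."""
    return drive not in EXTERNAL_SRC

def is_suspicious_outbound(operation, source, destination, external_device_policy):
    """Verdict of the drive matrices for one operation (hypothetical helper name)."""
    if operation in COPY_MOVE_OPS:
        if source in EXTERNAL_SRC:
            return False
    elif operation not in RECEIVE_OPS | CREATE_OPS:
        # Rename/Delete/Receive Mail are "N"; the #3 operations (upload, FTP send,
        # send mail) depend on policy-defined content conditions not modeled here.
        return False
    return bool(external_device_policy and destination in EXTERNAL_DEST)

def classify(records, external_device_policy):
    """Tag each operation-log record with its verdict."""
    return [(r["op"], is_suspicious_outbound(r["op"], r["src"], r["dst"], external_device_policy))
            for r in records]

# Constructed sample records, not taken from any real operation log.
SAMPLE_RECORDS = [
    {"op": "Copy file", "src": Drive.LOCAL, "dst": Drive.REMOVABLE},
    {"op": "Move file", "src": Drive.CDROM, "dst": Drive.REMOVABLE},
    {"op": "Web Access (Download)", "src": None, "dst": Drive.UNKNOWN},
    {"op": "Create file", "src": None, "dst": Drive.RAM},
    {"op": "Rename file", "src": Drive.LOCAL, "dst": Drive.REMOVABLE},
]
```

With the external-device policy selected, only the local-to-removable copy and the download onto a drive whose information cannot be collected are flagged; with the policy cleared every record is N.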
Related Topics: