2.10.7 Prerequisites and notes on collecting operation logs
(1) Notes on collecting operation logs
- Do not enable operation logs on a computer that is running a 64-bit OS and has VMware Server installed. If you enable operation logs, the guest OS for VMware Server might not start.
- If processing is forcibly terminated after operation log data is sent from an agent-installed computer to the management server but before the operation log is deleted from the computer, the same operation log data might be collected twice.
(2) Notes on power-on/shut-down operation logs
- When an agent is overwrite-installed, a computer power-on/shut-down operation log is acquired.
- If the Fast Boot feature is enabled in a computer running Windows 8.1 or Windows 8, a power-on or shut-down operation log might not be acquired when the computer is started or shut down.
(3) Information and notes about operation logs for startup and blockage of programs
- Startup and blocking of programs can be collected in operation logs only when the character string that starts the program (including the file name and the folder name) is less than 260 characters.
- If a software program finishes its processing immediately after it starts up, startup and blocking of the program might not be collected because it might finish before it is blocked by the agent.
- The startup of the programs that have any of the following file name extensions can be blocked:
  - exe
  - com
  - scr
- If a program in the JP1/IT Desktop Management 2 - Agent-installation-folder#\bin folder cannot be started from the Start menu, startup and blocking of the program will not be collected in operation logs.
- Startup and blocking of the following programs in the JP1/IT Desktop Management 2 - Agent-installation-folder#\bin folder will not be collected in operation logs.
  - cacls.exe
  - cmd.exe
  - conime.exe
  - cscript.exe
  - jdngsendinv.exe
  - jdngsetup.exe
  - netsh.exe
  - regsvr32.exe
  - secedit.exe
#: In the case of a management relay server in a multi-server configuration, the folder is JP1/IT Desktop Management 2 - Manager-installation-folder.
(4) Prerequisites for and notes on collecting web access operation logs
The following describes the prerequisites and notes when operation logs are collected for web accesses.
Prerequisites
- For Internet Explorer, on the Advanced tab of the Internet Options dialog box, Enable third-party browser extensions must be selected. Note that in Internet Explorer installed on Windows Server 2016, Windows Server 2012 and Windows Server 2008 R2, Enable third-party browser extensions is not selected by default.
- The add-on for monitoring web accesses that is added to the user's computer must be enabled.
- For Internet Explorer, in Toolbars and Extensions (which is displayed when you select Manage Add-ons from the Tools menu), the JP1/IT Desktop Management 2 BHO add-on must be enabled.

Tip
The following add-ons are added to Internet Explorer on the agent-installed computer:
- Add-on for web access monitoring
- Add-on for file upload monitoring (in the case of Internet Explorer 10 or later)

Web accesses are monitored and detected by the add-on for web access monitoring. File uploads via HTML forms or JavaScript are monitored and detected by the agent if the Internet Explorer version is 9 or earlier. Alternatively, file uploads are monitored and detected by the add-on for file upload monitoring if the Internet Explorer version is 10 or later.
Note that downloads, sending, and receiving of files are monitored and detected by the agent.
Notes
- If you start a web browser when all add-ons are disabled, operation logs of web accesses cannot be collected.
- When you open a file or folder in Internet Explorer, operation logs for the web access can be collected.
- Images on a web page cannot be collected.
- If multiple web accesses are performed within a second, the web accesses might not be collected in the operation logs.
- If 15 or more Internet Explorer programs are running at the same time, web accesses might not be collected in the operation logs.
- If Internet Explorer is started immediately after you log on to Windows, web accesses might not be collected in the operation logs.
- If the Enhanced Protected Mode is enabled in an environment using Internet Explorer 10 or 11, web access operation logs cannot be collected.
- Even if an error occurs during a web access (for example, due to a communication error or because the accessed URL does not exist), operation logs for the web access might be collected.
(5) Information and notes about operation logs collected for file/folder operations
When a user copies, moves, or deletes a folder, information about the operations for all the files and subfolders in the folder can be collected. Note that when a folder is renamed, information about the operation cannot be collected.
Operation logs are collected for the operations performed using Windows Explorer. Therefore, operations performed at the command prompt or by the COPY command cannot be collected.
The following describes information about operation logs and notes when operation logs are collected for file or folder operations.
If a user performs an undo operation (by selecting the Undo menu or pressing the Ctrl + Z keys) immediately after a file or folder operation, any of the operation logs in the following table is collected.
| Operation performed before an undo operation | Operation log collected during an undo operation |
|---|---|
| Copy | Indicates that the copied file or folder has been deleted. |
| Move | Indicates that the moved file or folder has been moved back to the original location. |
| Rename | Indicates that the file or folder has been renamed to the original name. |
| Delete | Indicates that the deleted file or folder has been moved back to the original location. |
When a file operation is performed, operation logs for file creation or deletion that is not directly related to the user's operations (such as operations in the Windows Recent Items folder) might be output. Therefore, operation logs that satisfy all the following conditions are not collected:
- The operation is creating or deleting a file.
- The file path includes either of the following folders:
  - %USERPROFILE%\Recent
  - %APPDATA%\Microsoft\Office\Recent
- The file extension is .lnk.
Also, for operations (on files or folders under the installation folder for agent and agent for management relay server) that satisfy all the following conditions, operation logs are not collected:
- The operation is creating, deleting, or renaming a file, or creating, deleting, or renaming a folder.
- The file path is either of the following folders (including subfolders):
  - In the case of an agent: JP1/IT Desktop Management 2 - Agent-installation-folder
  - In the case of an agent for management relay server: JP1/IT Desktop Management 2 - Manager-installation-folder\bin
Notes
- If a user repeatedly copies the same file or folder, information indicating that a file or folder was created might be collected.
- When a user moves a file or folder to the Windows Recycle Bin, the information indicating that the file or folder was deleted (not moved) is collected.
- When a user deletes a file or folder in the Windows Recycle Bin, the collected file name or folder name might be different from the name before deletion.
- If a user deletes a large number of files in a batch, the history about the deletion of some of those files might not be collected.
- If a user overwrite-copies or moves a large number of files or folders, information about some file operations might not be collected.
- If a user overwrites a file in the destination folder when moving files, or if a user performs an undo operation (by selecting the Undo menu or pressing the Ctrl + Z keys) for file movement, excess information about deleting the source files might be collected, in addition to the information about moving files.
- Information about the operations for compressed folders (in ZIP format) cannot be collected. However, information about some of such operations might be collected depending on the OS or user operations.
- When the use of USB devices is restricted, information about the file operations on a USB-connected device might not be collected.
- Information about operations of Windows portable devices cannot be collected. However, some operation information might be collected, depending on the OS or device.
When the OS is Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2, in addition to the above notes, the following notes also apply:
Notes (Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2)
- All operations
  - Even when an operation on a file or folder is performed by an application program or at the command prompt, operation logs for some operations might be collected.
  - Information about shadow copy operations and restoration operations from backup cannot be collected. However, some information might be collected.
- Copy
  - When a file is overwritten by a copy operation, if Copy, but keep both files is selected in the Confirm File Replace dialog box, the following pieces of information are collected:
    - Information indicating that the file name after copying became file-name-before-copying(n) (where n indicates a number) is collected.
    - If the source file is deleted after copying, information about file movement might be collected additionally.
    - If the last modified date and time of the source file is the same as the one of the overwritten file, information indicating that the file names were the same before and after copying is collected.
  - If the Confirm Folder Replace dialog box is displayed multiple times for one copy operation, excess history of copying the folder and files might be collected.
  - If a user copies a file or folder whose name includes parentheses (()), information might not be correctly collected.
  - If a user selects multiple files or folders whose names include (n) (where n indicates a number), and overwrite-copies the files or folders, selecting Copy, but keep both files in the Confirm File Replace dialog box, information might not be correctly collected.
  - If a user performs a redo operation (by selecting the Redo Copy menu or pressing the Ctrl + Y keys) after an undo operation, information about the file operation cannot be collected. Note that for a redo operation for a folder, information can be collected as a folder copy operation.
  - If a user copies a series of files or folders whose names include (n) (where n indicates a number), for the second or later copy operation, information is collected as creation of files or folders.
  - If a user selects multiple files or folders, or selects a folder that contains multiple files and folders, and then copies them, information about the operations might not be collected.
  - When a user cancels copying in the dialog box that confirms whether to perform an overwrite operation, if the latest modified date and time are the same for the source file and the file that has the same name as the source file in the destination folder, information is collected as a copy operation.
- Move
  - When a file is overwritten due to a user's move operation, if the user selects Move, but keep both files in the Move File dialog box, information indicating that the name of the file after moving became file-name-before-moving(n) (where n indicates a number) is collected. Also, excess information indicating that the file names become the same before moving and after moving is collected.
  - When a user selects multiple files or folders whose names include (n) (where n indicates a number) and moves the files or folders, if Move, but keep both files is selected in the Confirm File Replace dialog box, information might not be correctly collected.
  - When a folder is overwritten due to a user's move operation, if the user confirms overwriting by clicking the Yes button in the Confirm Folder Replace dialog box, the following pieces of information are collected:
    - If files with the same name exist in the source folder and the destination folder, when the folder is merged, only the files are moved and the folders in the source folder are not deleted. At this time, information indicating the folder copy operation is collected.
    - If a user selects Move and replace when confirming overwriting of a file, and if the last modified date and time is the same for the source file and the overwritten file, information indicating file copy and delete operations (not a file move operation) is collected.
    - If a user selects Move, but keep both files when confirming overwriting of a file, information indicating that the name of the file after moving became file-name-before-moving(n) (where n indicates a number) is collected. If the last modified date and time is the same for the file before moving and the overwritten file, excess information indicating the file copy and delete operations is collected in addition to the information indicating the file move operations. If the last modified date and time is different for the source file and the overwritten file, excess information indicating that the file names became the same for the source file and the destination file is collected.
    - In Windows 7 or later, if a file is moved from a folder that needs elevation of permissions to a drive whose file system is other than NTFS, the type of the original drive might not be collected and the file might not be tracked correctly.
- Rename
  - When a folder is overwritten due to a rename operation performed by a user, the Confirm Folder Replace dialog box is displayed. If the user clicks the Yes button in this dialog box, the following pieces of information are collected:
    - If a user renames a folder that contains some files, operation logs for creation of the files in the overwritten folder and operation logs for deletion of the files in the source folder are collected. An operation log for deletion of the source folder is not collected. If no files are contained in the source folder, only the operation logs for creation of the subfolders in the new folder are collected.
    - If subfolders with the same name exist in the source folder and in the destination folder, information indicating the creation of the subfolders is collected. At this time, information indicating the deletion of the source folder is not collected.
    - If multiple files or subfolders exist in the source folder, information about some of the file operations might not be collected.
    - Information about operations for the files in the subfolders of the source folder might not be collected.
  - If a user selects multiple files or folders, or a folder that contains multiple files and folders, and then renames the files and folders in a batch, information about those operations might not be collected.
- Delete
  - If a user performs an undo operation or selects the Undo menu after deleting a file, information about the operation of creating the deleted file at the original location, and information about the operation of deleting the file from the Windows Recycle Bin are collected. However, for the information about the operation of deleting the file from the Windows Recycle Bin, the file name cannot be correctly collected.
  - If a user moves a file from the Windows Recycle Bin after deleting the file, information about the operation of moving the deleted file to the original location is collected.
  - Assume that a user selects multiple files or folders, or a folder that contains multiple files and folders, deletes them, and then selects Undo or moves the folder or folders from the Windows Recycle Bin. In this case, information about those operations might not be collected.
(6) Notes on collecting operation logs for file uploads and downloads
Operations for uploading or downloading files on a web browser can be monitored, and the operation logs for those operations can be collected. The following describes the notes you must keep in mind when collecting operation logs for uploading or downloading files.
Prerequisites
- If your Web browser is Internet Explorer 10 or 11, the Enable third-party browser extensions check box must be selected on the Advanced Settings tab in Internet Options. Note that this check box is cleared by default for Internet Explorer installed in Windows Server 2016, Windows Server 2012 and Windows Server 2008 R2.
- If your Web browser is Internet Explorer 10 or 11, the add-on for upload monitoring that is added to the user's computer must be enabled.
  If you register the add-on for file upload monitoring, a message prompting you to select if you want to enable the add-on appears. If you enable the add-on and restart Internet Explorer, file upload monitoring starts.
- If your Web browser is Internet Explorer 10 or 11, the JP1/IT Desktop Management 2 FUO add-on must be enabled in the list of add-ons displayed by selecting Tools, Manage Add-ons, and then Toolbars and Extensions.
Notes
- For web uploads executed by unusual upload processing (such as SOAP, WebDAV, Flash, Silverlight), operation logs are not collected.
- If the folder for storing the internet temporary files for Internet Explorer is changed, operation logs might be collected even if no web download operation is performed. To collect operation logs correctly, immediately restart Internet Explorer.
- If the Enhanced Protected Mode is enabled in an Internet Explorer 10 or 11 environment, operation logs for file uploads and downloads cannot be collected.
- In Internet Explorer 9, an operation log is collected when uploading of a file is completed. In Internet Explorer 10 and 11, an operation log is collected when uploading of a file is started. Therefore, in Internet Explorer 10 and 11, an operation log can be acquired even when the uploading operation is interrupted by a communication error or other cause.
- If a user uploads multiple files simultaneously to an HTML5 upload site by using Internet Explorer 10 or 11, an operation log for only a single file is acquired.
- When a user uploads a file by using Internet Explorer 10 or 11, if encoding differs between the Web page from which data was uploaded and the data sent from the browser to the destination, the file name in the acquired operation log will become garbled. If garbling occurs when, for example, encoding conversion fails, the file name of the operation log will become unknown.
- If a file download destination is a FAT file system, file download logs can be output in duplicate.
(7) Information and notes about operation logs collected when emails are sent and received
Among the emails sent and received by users via email clients, you can collect operation logs for the operations of sending and receiving emails with attachments. The following provide information and notes about when operation logs are collected for the operations of sending and receiving emails.
The following table shows the email clients for which operation logs can be collected.
| Email client | Version |
|---|---|
| Microsoft Outlook | 2002 |
| | 2003 |
| | 2007 |
| | 2010 |
| | 2013 |
| Windows Live Mail | 2009, 2011, or 2012 |
The table below shows the email operations for which operation logs can be collected. Note that when multiple attached files are sent or received, operation logs are collected for individual attached files.
| Email operation that can be collected | Protocol |
|---|---|
| Receive | POP3, APOP, or IMAP4 |
| Send | SMTP or ESMTP |
Notes
- If communication is encrypted by SSL/TLS (such as SMTP over SSL or POP3 over SSL), operation logs are not collected.
- If emails are encrypted by S/MIME encryption, PGP encryption, or other encryption methods, operation logs cannot be collected.
- When an email is sent, if multiple files with the same contents are attached to the email, information about the files moved from the system is not correctly collected. For the operation source file name and the drive type, the name of the file last loaded among the attached files with the same contents and the drive type are displayed.
- If an email to which a file with zero bytes is attached is sent, the operation source file name might be different from the name of the file actually sent.
- If emails sent in TNEF format of Microsoft Outlook are sent or received, information about the attached files might not be correctly collected in the operation logs for the operations of sending and receiving emails. Therefore, file tracking or detection of suspicious file movements from the system might not be possible.
- If the number of attached files per email exceeds 200, it might not be possible to collect operation logs.
- If Content-type in the MIME header is either of the following, the attachment is not treated as an attached file:
  - application/pkcs7-mime, application/pkcs7-signature, or application/pkcs10 (digital signature)
  - multipart/alternative (such as HTML mails)
(8) Notes on collecting operation logs when attached files are saved
You can collect operation logs when attached files are saved from an email a user received using a specific mailer to a local disk or another location. Listed below are some notes on operation logs that are collected for the operations of saving attached files.
The following table shows the email clients for which operation logs can be collected.
| Email client | Version |
|---|---|
| Microsoft Outlook | 2002 |
| | 2003 |
| | 2007# |
| | 2010# |
| | 2013# |
| Windows Live Mail | 2009, 2011, or 2012 |
#: If attached files are saved with the network drive specified as the destination, file names that are different from the saved file names will be collected as the destination file names in the operation logs.
Notes
- When an email (to which multiple files with the same contents are attached) is received and the attached files are saved, the name of the file last received among the attached files with the same contents will be displayed as the operation source file name.
- In Windows 7 or later, if either of the following operations is performed in the email client's window, operation logs for saving attached files might not be collected.
  - Select attached files, and drag and drop the files to Windows Explorer or the Desktop.
  - Select files, click Copy, and then Paste to save the files.
- If attached files are saved from an email that was received before collection of operation logs started, the operation logs for the operations of saving the attached files will not be collected.
- If emails in TNEF format of Microsoft Outlook are received, operation logs for the operations of saving attached files might not be collected correctly.
- If the number of attached files per email exceeds 200, it might not be possible to collect operation logs.
- If Content-type in the MIME header is either of the following, the attachment is not treated as an attached file:
  - application/pkcs7-mime, application/pkcs7-signature, or application/pkcs10 (digital signature)
  - multipart/alternative (such as HTML mails)
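The attachment notes in (7) and (8), applied to raw messages so that mail kept elsewhere (for example, at a gateway) can be checked for items these operation logs would miss or record inaccurately. This is an added example, not code from JP1/IT Desktop Management 2. The function names, gap codes, `tls_session` flag and sample messages are hypothetical, and recognizing encrypted mail by `multipart/encrypted` or S/MIME `enveloped-data`, and TNEF by its content type, is an assumption about how to detect those cases.

```python
import hashlib
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

# Content types the page lists as "not treated as an attached file".
NOT_ATTACHMENTS = {
    "application/pkcs7-mime",
    "application/pkcs7-signature",
    "application/pkcs10",
    "multipart/alternative",
}
# Assumption: TNEF bodies are recognized by these content types.
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
MAX_ATTACHMENTS = 200  # above this, the log might not be collected


def attached_parts(part):
    """Return the leaf parts that count as attached files under the page's rules."""
    if part.get_content_type() in NOT_ATTACHMENTS:
        return []  # excluded type; for multipart/alternative, the whole subtree
    if part.is_multipart():
        found = []
        for child in part.iter_parts():
            found.extend(attached_parts(child))
        return found
    return [part] if part.get_filename() else []


def coverage_gaps(raw, tls_session=False):
    """Return (attachment names, sorted gap codes) for one raw message.

    tls_session comes from the caller (for example, gateway logs); it cannot
    be derived from the message bytes. Gap codes are hypothetical labels.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    gaps = set()
    if tls_session:
        gaps.add("tls-transport")          # SSL/TLS transport: not collected
    top = msg.get_content_type()
    smime_enveloped = (top == "application/pkcs7-mime"
                       and msg.get_param("smime-type") == "enveloped-data")
    if top == "multipart/encrypted" or smime_enveloped:
        gaps.add("encrypted-body")         # S/MIME or PGP: cannot be collected
    if any(p.get_content_type() in TNEF_TYPES for p in msg.walk()):
        gaps.add("tnef")                   # attachment info might be incorrect

    parts = attached_parts(msg)
    payloads = [p.get_payload(decode=True) or b"" for p in parts]
    if len(parts) > MAX_ATTACHMENTS:
        gaps.add("over-200-attachments")
    if any(len(data) == 0 for data in payloads):
        gaps.add("zero-byte-attachment")   # source file name might differ
    digests = Counter(hashlib.sha256(data).hexdigest() for data in payloads)
    if any(count > 1 for count in digests.values()):
        gaps.add("duplicate-content")      # only the last-loaded name is shown
    return [p.get_filename() for p in parts], sorted(gaps)


def constructed_message(n_extra=0):
    """Constructed sample: HTML mail, two identical files, one empty file."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Q3 figures"
    m.set_content("See attached.")
    m.add_alternative("<p>See attached.</p>", subtype="html")
    files = [("q3.xlsx", b"numbers"), ("copy-of-q3.xlsx", b"numbers"),
             ("empty.txt", b"")]
    files += [(f"extra{i}.bin", i.to_bytes(2, "big"))
              for i in range(1, n_extra + 1)]
    for name, data in files:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed sample: an S/MIME enveloped (encrypted) message with a dummy body.
CONSTRUCTED_SMIME = (
    b"From: sender@example.com\r\nTo: recipient@example.com\r\n"
    b"Subject: confidential\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
    b" name=smime.p7m\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=smime.p7m\r\n\r\nMIIB\r\n"
)

if __name__ == "__main__":
    print(coverage_gaps(constructed_message()))
    print(coverage_gaps(CONSTRUCTED_SMIME, tls_session=True))
```
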
(9) Notes on collecting operation logs when files are sent and received
You can collect operation logs when a user accesses an FTP site via a web browser and sends or receives files. For the supported web browsers, see the table of prerequisites in 2.10.1 Types of operation logs that can be collected. The following are notes on when operation logs are collected for the operations of sending and receiving files.
Notes
- If FTP over SSL/TLS is used when files are sent or received, operation logs cannot be collected.
- If the Enhanced Protected Mode is enabled in an Internet Explorer 10 or 11 environment, operation logs for FTP receive operations cannot be acquired.
- The URL is collected as the operation source file name when an operation log for file reception is acquired using Internet Explorer.
- As the destination file information in the operation log for FTP send operations, the IP address of the FTP server is collected.
- If the Enhanced Protected Mode is enabled in an Internet Explorer 10 or 11 environment, operation logs for FTP receptions cannot be collected.
(10) Information about, prerequisites for, and notes on operation logs collected for print operations
You can collect operation logs for print operations. The table below shows the printers for which operation logs for print operations can be collected. Note that only the printers set in the Devices and Printers dialog box are supported. Note that the printers displayed in the Devices and Printers dialog box can be commonly used by all users.
| Printer type | Collection of operation logs for print operations |
|---|---|
| Local printer | Y |
| Network shared printer | Y# |
| Internet printer | N |
| Virtual printer | Y |
Legend: Y: Operation logs can be collected for this type of printer. N: Operation logs cannot be collected for this type of printer.
#: Information about the number of print pages cannot be collected.
Prerequisites
In the properties for each printer, Print and Manage Documents must be allowed for all logged on users.
For the network shared printer, the following prerequisites are added.
- The table below shows the supported combination of the agent and the print server.

| Agent | Print server | Collection of operation logs for print operations |
|---|---|---|
| Windows 7 or later | Windows XP/2003 | N |
| Windows 7 or later | Windows Vista or later | Y |
| Any | Others | N |

Legend: Y: Operation logs can be collected for this type of printer. N: Operation logs cannot be collected for this type of printer.

- RPC communication must be possible between the print server and the agent PC. If RPC communication is not possible, the problem might be caused by one of the following:
  - The print server is a server based on the Internet Printing Protocol (IPP).
  - A firewall, proxy or NAT is present between the print server and the agent PC.
  - The agent PC's Windows firewall is enabled and File and Printer Sharing is not set to Exceptions.
- The agent PC's File and Printer Sharing for Microsoft Networks must be enabled.
- The print server must be able to resolve the name of the agent PC.
- If the agent PC is Windows 7 or later, the agent PC and the print server must join the same domain, or the credential of the print server must be registered on the Credential Manager of the agent PC. The agent PC needs to reboot after registering the credential.
Notes
- If printing is restricted by Hibun, operation logs for print operations cannot be collected.
- If printing is performed immediately after a printer is added, it might not be possible to collect operation logs for print operations.
- If printing is performed immediately after you log on to the OS, it might not be possible to collect operation logs for print operations.
- If a print job is finished before the print operations are notified to the agent, operation logs for print operations cannot be collected.
- Depending on the printer, multiple printing restriction logs are collected at a single printing.
For the network shared printer, the following notes are added.
- If IPv6 is enabled and rendering of the print job does not work on the client computer, the printing might not be restricted. To operate rendering of print jobs on the client computer, the following settings are required:
  - Render print jobs on client computers is enabled.
  - Enable advanced printing features is enabled.
- When a network shared printer is used, information about the number of print pages cannot be collected. Therefore, the detection of large numbers of print jobs and the report of User Activity (Print) are out of scope.
(11) Notes on collecting logs for device operations
If prohibited operations are set, you can also collect operation logs for device connection suppression and device connection permission.
Logs of inserting or ejecting media (such as CDs, DVDs, SD cards) into or from drives cannot be collected. The following notes are about collecting operation logs of device operations.
Notes
- Console session users are regarded as the target users. If no one is using a console session, no account name can be collected.
- If a device is connected to the computer for the first time, multiple instances of connecting and disconnecting (detaching) information might be acquired for a single connection.
- If you detach a device from a computer running Windows 8.1 or Windows 8 with the Fast Boot feature enabled while the computer is shutting down, a device disconnection operation log is acquired when the computer is restarted.
- Items might be missing in device connection logs, disconnection logs, block device connections logs, and events acquired in a condition where the device is restricted.
- An operation log cannot be acquired if a device is connected before JP1/IT Desktop Management 2 is started (for example, immediately after the computer is turned on).
- If a device with multiple device instance IDs is connected to a computer, multiple operation logs and events are acquired for the single device. However, only one operation log and event might be acquired when the device is disconnected.
- If you connect a device to a computer for the first time, and drive installation is performed, the same operation log and event might be acquired multiple times.
- In a case where a restart of the computer is required to activate a setting, the connection suppression logs, and connection suppression events are acquired when you apply the setting.
- An operation log is also acquired when the device setting is changed by another product, and the system detects connection or disconnection of the device.
- If a USB device is connected, operation logs cannot be acquired for devices that are not identified as a USB device, Bluetooth device, or imaging device.
- Multiple logs might be acquired if you connect a CD/DVD drive that has a CD or DVD inserted.
- In a case where a restart of the computer is required to activate the deterrence of a device, deterrence logs, disconnection logs, and events are not acquired for the deterrence-target device.
- If a log-acquisition-target device is identified by the OS as a different device, operation logs for the device cannot be acquired. However, if the OS identifies it as another log-acquisition-target device, the device is restricted according to the OS identification.
- If you change the deterrence setting on the same device a number of times in a short period of time, connection logs and disconnection logs might not be acquired.
- With the Citrix XenApp and Microsoft RDS server, the type of drive that exists on the source device is displayed as Other by the session at the connection destination. An operation log of connecting a device to the computer and disconnecting it from the computer cannot be acquired for such drives.
(12) Notes on collecting operation logs for window operations
You can collect operation logs for window OS operations in the following cases:
- When a window starts and becomes active.
- When the active window is switched by a mouse operation or because the Alt + Tab keys are pressed.
- When a new window starts during window operations and that window becomes active.

The following are notes on collecting operation logs for window operations.
Notes
- When the OS is Windows Server 2016, Windows 10, Windows 8.1, Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2, operation logs for windows for which user permissions have been elevated cannot be collected.
- If operation logs for window operations are collected immediately after logon, the logon user name might become null.
- For a window that is created by an application and first displayed without a title and then the title is set, the window title is not collected.
(13) Prerequisite for collecting source information when checking incoming files and notes on suspicious out-movement of files
You can collect information about the input source of a file when the file is moved to an agent-installed computer. The following are a prerequisite for collecting source information when checking incoming files and notes on suspicious out-movement of files.
Prerequisite
- The file system on an agent-installed computer must be NTFS 5.0 or later.
Notes
- When a file is moved or copied to a drive that was formatted by a file system other than NTFS (such as FAT or ReFS), information related to suspicious operations is deleted. (Such information includes the results of checking incoming files. Such results are necessary for the checking of suspicious out-movement of files.) Therefore, if such files are moved or copied to external media, suspicious file movements from the system might not be correctly detected. Correct detection also might not be possible when the data is processed (such as when a file is compressed or uncompressed).
- On an agent-installed computer on which operation log collection is enabled, if a file is moved or copied by Windows Explorer to a drive that was formatted in a file system other than NTFS (such as FAT or ReFS), the Windows Confirm Stream Loss dialog box might be displayed.