Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.10.4 Conditions for determining whether a file is to be monitored for suspicious file movements

Two checks apply to files that cross the boundary of an agent-installed computer. When a file arrives on the computer from an external source, the agent decides whether that file becomes a monitoring target for suspicious operations. When a file leaves the computer for an outside destination, the agent decides whether the movement itself is a suspicious operation. The following tables show the conditions for each check.

Determining whether a file moved to a system is to be monitored for suspicious operations

Operation log collection item   | Monitored for suspicious operations?
--------------------------------+-------------------------------------
Copy file                       | C#1
Move file                       | C#1
Rename file                     | C#1
Create file                     | Y
Delete file                     | C#1
Web Access (Upload)             | C#1, #2
Web Access (Download)           | C#3
FTP (Send File)                 | C#1
FTP (Receive File)              | C#3
Send Mail (Attachment File)     | C#1
Receive Mail (Attachment File)  | C#3
Save Attached File              | C#1
Print                           | N

Legend: Y: The file is monitored. C: The file is monitored depending on certain conditions. N: The file is not monitored.

#1: The file is monitored when the drive is a local drive, remote drive, or RAM drive, or when the drive information cannot be collected. The file is not monitored when the drive is a removable drive or CD-ROM drive.

#2: A file uploaded from Internet Explorer 10 or 11 is not monitored.

#3: The file is monitored when the operation matches one of the conditions defined for monitoring targets, or when the operation does not match any of the conditions.

Determining whether movement of a file from a system is a suspicious operation

Operation log collection item   | Determined to be a suspicious operation?
--------------------------------+-----------------------------------------
Copy file                       | C#1
Move file                       | C#1
Rename file                     | N
Create file                     | C#2
Delete file                     | N
Web Access (Upload)             | C#3, #4, #5
Web Access (Download)           | C#6
FTP (Send File)                 | C#3
FTP (Receive File)              | C#6
Send Mail (Attachment File)     | C#3
Receive Mail (Attachment File)  | N
Save Attached File              | C#6
Print                           | N

Legend: C: The operation is determined to be suspicious depending on a certain condition. N: The operation is not determined to be suspicious.

#1: For the conditions, see the table Conditions for determining whether an operation is suspicious when a file is copied or moved from a system below.

#2: For the conditions, see the table Conditions for determining whether an operation of moving a file from a system is suspicious for file creation below.

#3: The operation is determined to be suspicious when it matches one of the conditions defined for determining suspicious operations, or when it does not match any of the conditions.

#4: In Internet Explorer 10 or 11, all uploaded files are determined to be suspicious.

#5: In Internet Explorer 10 or 11, the check for a suspicious operation is performed when the file upload starts, so a suspicious operation can be detected even if the upload is later interrupted by a communication error. For the conditions, see the table Conditions for determining whether an operation of moving a file from a system is suspicious for receive operations below.

#6: For the conditions, see the table Conditions for determining whether an operation of moving a file from a system is suspicious for receive operations below.

Conditions for determining whether an operation is suspicious when a file is copied or moved from a system

Source \ Destination                  | Local drive | Remote drive | Removable drive | CD-ROM drive | RAM drive | Drive information cannot be collected
--------------------------------------+-------------+--------------+-----------------+--------------+-----------+--------------------------------------
Local drive                           | N           | N            | C#              | C#           | N         | C#
Remote drive                          | N           | N            | C#              | C#           | N         | C#
Removable drive                       | N           | N            | N               | N            | N         | N
CD-ROM drive                          | N           | N            | N               | N            | N         | N
RAM drive                             | N           | N            | C#              | C#           | N         | C#
Drive information cannot be collected | N           | N            | C#              | C#           | N         | C#

Legend: C: The operation is determined to be suspicious depending on a certain condition. N: The operation is not determined to be suspicious.

Note: In a Citrix XenApp or Microsoft RDS session, drives that exist on the client (source) device are shown to the session at the connection destination with the drive type Other. Copying or moving files to such drives is not a suspicious operation.

#: The operation is determined to be suspicious when Copy/Move the File to External Device is selected in the security policy.

Conditions for determining whether an operation of moving a file from a system is suspicious for receive operations

Source \ Destination | Local drive | Remote drive | Removable drive | CD-ROM drive | RAM drive | Drive information cannot be collected
---------------------+-------------+--------------+-----------------+--------------+-----------+--------------------------------------
Any source           | N           | N            | C#              | C#           | N         | C#

Legend: C: The operation is determined to be suspicious depending on a certain condition. N: The operation is not determined to be suspicious.

#: The operation is determined to be suspicious when Copy/Move the File to External Device is selected in the security policy.

Conditions for determining whether an operation of moving a file from a system is suspicious for file creation

Source \ Destination | Local drive | Remote drive | Removable drive | CD-ROM drive | RAM drive | Drive information cannot be collected
---------------------+-------------+--------------+-----------------+--------------+-----------+--------------------------------------
No source            | N           | N            | C#              | C#           | N         | C#

Legend: C: The operation is determined to be suspicious depending on a certain condition. N: The operation is not determined to be suspicious.

#: The operation is determined to be suspicious when Copy/Move the File to External Device is selected in the security policy.
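The following Python is an added illustration, not Hitachi's code and not the agent's actual implementation: it encodes the two operation tables and the three drive matrices above as decision functions, so an analyst can replay the published rules against exported operation log records and see which combinations of operation, source drive and destination drive a policy with Copy/Move the File to External Device selected would flag. The Drive and Decision names, the OperationRecord fields, the assumption that footnote #1's "drive" is the drive the file resides on after the operation, and the boolean standing in for the policy setting are all constructed here; the sample records are constructed too, and the #3 cases are reported as depending on the policy's condition list rather than modelled.

```python
"""Decision helper for the drive-type rules in JP1/ITDM2 section 2.10.4.

Added example, not Hitachi code.  Record fields, the Drive/Decision names and the
boolean standing in for "Copy/Move the File to External Device" are assumptions
made here; the agent's real operation log schema is not documented on this page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Drive(Enum):
    LOCAL = "local"
    REMOTE = "remote"
    REMOVABLE = "removable"
    CDROM = "cdrom"
    RAM = "ram"
    UNKNOWN = "unknown"   # "drive information cannot be collected"
    OTHER = "other"       # how a Citrix XenApp / Microsoft RDS session shows client drives


class Decision(Enum):
    YES = "yes"
    NO = "no"
    POLICY_CONDITIONS = "depends on conditions in the security policy"   # footnote #3 cases


# The C# cells of the three matrices: destinations that can make an outbound operation
# suspicious.  Drive.OTHER is deliberately absent (see the Citrix/RDS note).
EXTERNAL_DESTINATIONS = {Drive.REMOVABLE, Drive.CDROM, Drive.UNKNOWN}
# The all-N rows of the copy/move matrix: the file is already on external media.
EXTERNAL_SOURCES = {Drive.REMOVABLE, Drive.CDROM}

COPY_MOVE_OPS = {"Copy file", "Move file"}
RECEIVE_OPS = {"Web Access (Download)", "FTP (Receive File)", "Save Attached File"}
SEND_OPS = {"Web Access (Upload)", "FTP (Send File)", "Send Mail (Attachment File)"}
CONDITION_BASED_INBOUND = {"Web Access (Download)", "FTP (Receive File)",
                           "Receive Mail (Attachment File)"}


@dataclass
class OperationRecord:
    operation: str                        # operation log collection item, verbatim
    source: Optional[Drive] = None        # None = "no source" (Create file) or not applicable
    destination: Optional[Drive] = None   # None when the file leaves the host (upload, FTP, mail)
    browser: str = ""                     # e.g. "IE11"; only Web Access (Upload) looks at it

    @property
    def from_internet_explorer(self) -> bool:
        return self.browser.upper().startswith("IE")

    @property
    def resident_drive(self) -> Optional[Drive]:
        """Assumption: the drive the file sits on after the operation (footnote #1)."""
        return self.destination if self.destination is not None else self.source


def inbound_monitored(rec: OperationRecord) -> Decision:
    """First table: does the file become a monitoring target on the agent computer?"""
    if rec.operation == "Create file":
        return Decision.YES
    if rec.operation == "Print":
        return Decision.NO
    if rec.operation in CONDITION_BASED_INBOUND:
        return Decision.POLICY_CONDITIONS                      # footnote #3
    if rec.operation == "Web Access (Upload)" and rec.from_internet_explorer:
        return Decision.NO                                      # footnote #2
    # Footnote #1: monitored on local, remote and RAM drives and when drive information
    # is missing; not monitored on removable or CD-ROM drives.
    return Decision.NO if rec.resident_drive in EXTERNAL_SOURCES else Decision.YES


def outbound_suspicious(rec: OperationRecord, copy_move_to_external_device: bool) -> Decision:
    """Second table plus the three drive matrices: is this outbound movement suspicious?

    copy_move_to_external_device is True when the security policy has
    "Copy/Move the File to External Device" selected (the # footnote of every matrix).
    """
    if rec.operation == "Web Access (Upload)" and rec.from_internet_explorer:
        return Decision.YES                                     # footnote #4: every file
    if rec.operation in SEND_OPS:
        return Decision.POLICY_CONDITIONS                       # footnote #3
    if rec.operation in COPY_MOVE_OPS:
        if rec.source in EXTERNAL_SOURCES:
            return Decision.NO                                  # all-N rows of the matrix
        matrix_hit = rec.destination in EXTERNAL_DESTINATIONS
    elif rec.operation in RECEIVE_OPS or rec.operation == "Create file":
        matrix_hit = rec.destination in EXTERNAL_DESTINATIONS   # "Any source" / "No source" row
    else:
        return Decision.NO   # Rename, Delete, Receive Mail, Print: N in the second table
    return Decision.YES if (matrix_hit and copy_move_to_external_device) else Decision.NO


def triage(records: List[OperationRecord],
           copy_move_to_external_device: bool) -> List[Tuple[str, Decision, Decision]]:
    """Run both checks over a batch; returns (operation, monitored, suspicious) per record."""
    return [(r.operation, inbound_monitored(r), outbound_suspicious(r, copy_move_to_external_device))
            for r in records]


# Constructed sample records, not real JP1 operation log output.
SAMPLE_RECORDS = [
    OperationRecord("Copy file", Drive.LOCAL, Drive.REMOVABLE),           # USB: suspicious if policy set
    OperationRecord("Move file", Drive.REMOVABLE, Drive.CDROM),           # media to media: never
    OperationRecord("Copy file", Drive.LOCAL, Drive.OTHER),               # Citrix/RDS client drive: never
    OperationRecord("Create file", None, Drive.UNKNOWN),                  # drive info missing: if policy set
    OperationRecord("Web Access (Upload)", Drive.LOCAL, browser="IE11"),  # IE 10/11: always suspicious
    OperationRecord("FTP (Send File)", Drive.LOCAL),                      # decided by policy conditions
]

if __name__ == "__main__":
    for op, monitored, suspicious in triage(SAMPLE_RECORDS, copy_move_to_external_device=True):
        print(f"{op:<28} monitored={monitored.value:<4} suspicious={suspicious.value}")
```

The useful check this gives a practitioner is the asymmetry the matrices encode: a file copied from a USB stick to a CD-ROM is never flagged, a file copied from a local drive to the same stick is flagged only when the policy setting is selected, and a drive whose type could not be collected is treated like removable media as a destination but like a local drive as a source. Records that the section hands off to policy conditions (#3) come back as POLICY_CONDITIONS so they are not silently scored as clean.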

Related Topics: