NT Authority\System coming in from FIM

sejod2004

I would like a way to stop NT Authority\System coming in from FIM. I open a file and 9 out of 13 events is from NT\System

Not just filters. I would like the events to not even hit the LEM. The less events it has to store the better. IMHO the fact that NY\system did anything to a file doesn't help in auditing.

Need to know who did what.

A second thought - the .tmp and ~$ files are also a bit much. I have tried filtering it without success and also tried this article without success https://thwack.solarwinds.com/thread/71965

Find more posts tagged with

lem 6.2

FIM

file_integrity_monitoring

Status: None

Comments

marcusmm8

curtisi any thoughts here?

curtisi

I'm afraid this is a "working as expected." Windows either generates all the events for a watched file, or none of them. The Agent has no means of filtering or excluding events from reaching LEM.

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Help
Best Of