How can I tell if the Endpoint Filesystem monitoring is enabled properly?
Verify that the Agent is running and the FS driver is loaded using the following commands:
sc query edpa
sc query vfsmfd
Verify that the FS driver is attached to the drive on which the files were copied using the following command:
fltmc instances -f vfsmfd
A sample screenshot of the output of this command follows:
In the sample output, F: corresponds to a USB drive.
If all the above steps were satisfactory then verify the file filters are configured properly.
Verify that both the device and the file are configured to be monitored.
Verify that the file is not larger than 30MB; detection has a size limit and will not detect files greater than 30MB.
If all the above steps are still satisfactory, then change the log level of FileSystemConnector component to FINER using the following command:
Open a command prompt.
cd to agent installed directory.
Type "vontu_sqlite3 -db=cg.ead -p=VontuStop" (without quotes)
This will display a sqlite prompt.
At the prompt type the following command: insert into configuration values ('Logging', 'FileSystemMessageListenerLevel', 'str', 'FINER');
Restart the agent using "sc stop edpa". Watchdog will restart the agent.
Copy the test file and verify that the log file contains the following entries for FileSystemMessageListener:
03/03/2009 16:22:26 | 6080 | FINER | FileSystemMessageListener | Received file information from file system mini filter driver for: \Device\HarddiskVolume1:\agenttest\abc.txt access: 1 processid: 6076
03/03/2009 16:22:26 | 6080 | FINER | FileSystemMessageListener | The file (\agenttest\abc.txt) will be monitored
03/03/2009 16:22:26 | 1764 | FINER | FileSystemMessageListener | Received file close from file system mini filter driver for: \agenttest\abc.txt temp. filename:284408019506831775.VEP
If the above events are logged then the FileSystem is enabled properly. The next step is to check Detection.
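The following script is an added example (it is not part of this article and not Symantec's own tooling) that automates the last check: it parses agent log lines in the format shown above and reports whether the three FileSystemMessageListener events (file information received, file will be monitored, file close received) were all logged for a given test file. The sample log text is constructed from the article's entries plus one unrelated line; the 30MB limit is the one stated in the article, and the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three FINER entries the article says to expect once
# FileSystemMessageListenerLevel is set to FINER, plus one unrelated line.
SAMPLE_LOG = r"""
03/03/2009 16:22:26 | 6080 | FINER | FileSystemMessageListener | Received file information from file system mini filter driver for: \Device\HarddiskVolume1:\agenttest\abc.txt access: 1 processid: 6076
03/03/2009 16:22:26 | 6080 | FINER | FileSystemMessageListener | The file (\agenttest\abc.txt) will be monitored
03/03/2009 16:22:26 | 1764 | FINER | FileSystemMessageListener | Received file close from file system mini filter driver for: \agenttest\abc.txt temp. filename:284408019506831775.VEP
03/03/2009 16:22:27 | 6080 | INFO | SomeOtherComponent | unrelated entry (constructed)
"""

# One log line: "<date> <time> | <thread id> | <level> | <component> | <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<tid>\d+) \| (?P<level>\w+) \| (?P<comp>\w+) \| (?P<msg>.*)$"
)

# The article states that files over 30MB are not detected.
MAX_MONITORED_BYTES = 30 * 1024 * 1024


@dataclass
class FsMonitorCheck:
    """Which of the three expected FileSystemMessageListener events were seen."""
    received: bool = False    # "Received file information ..."
    monitored: bool = False   # "The file (...) will be monitored"
    closed: bool = False      # "Received file close ..."
    temp_file: Optional[str] = None  # temp .VEP name from the close event

    @property
    def ok(self) -> bool:
        return self.received and self.monitored and self.closed


def check_fs_monitoring(log_text: str, test_file: str) -> FsMonitorCheck:
    """Scan agent log text for the events that mark the file system
    monitor as working for test_file (e.g. r'\agenttest\abc.txt')."""
    result = FsMonitorCheck()
    needle = test_file.lower()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("comp") != "FileSystemMessageListener":
            continue
        msg = m.group("msg")
        if needle not in msg.lower():
            continue  # event belongs to a different file
        if msg.startswith("Received file information"):
            result.received = True
        elif msg.startswith("The file (") and "will be monitored" in msg:
            result.monitored = True
        elif msg.startswith("Received file close"):
            result.closed = True
            tm = re.search(r"temp\. filename:(\S+)", msg)
            if tm:
                result.temp_file = tm.group(1)
    return result


def within_size_limit(size_bytes: int) -> bool:
    """True if a test file of this size can be detected (article's 30MB limit)."""
    return size_bytes <= MAX_MONITORED_BYTES


if __name__ == "__main__":
    check = check_fs_monitoring(SAMPLE_LOG, r"\agenttest\abc.txt")
    print("file system monitoring OK" if check.ok else "events missing:", check)
```

Run it against the real log by replacing SAMPLE_LOG with the contents of the agent log file and passing the path of the file you copied; a result where `received` is True but `monitored` is False points back to the device and file filter configuration rather than to the driver.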
Imported Document ID: TECH220069