With real-time file integrity monitoring (RTFIM) enabled, after a reboot of the DCS agent, IDS FIM (file integrity monitoring) events are generated as polling events rather than real-time events for a short time.
Users see "missing" file modification data in the event that is generated.
IDS on all DCS agent versions.
Windows Baseline Detection Policy
Unix Baseline Detection Policy
Users will see polling events, similar to the event below, for any modifications to files made before the IDS service has completely initialized. This occurs after an agent reboot. ("P" indicates a polling event; "M" indicates a real-time file modification event.)
The IDS service must have initialized as follows in order for file integrity monitoring to generate real-time file modification events carrying real-time file information, such as which user made the change and what modification was performed on the file in question:
MSTD,15,2017-05-22 03:55:56.000 Z+0530,I,0,R,,,IA_0024,,,,Main Module,,,,,IA_0024,,,,IA_0024: Symantec IDS Service is stopping
MSTD,1,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,IA_0023,,,,Main Module,,,,,IA_0023,,,,IA_0023: Symantec IDS Service has started
In DCS, polling file integrity monitoring does not capture real-time event data. Polling is the act of checking critical system files at designated intervals. It is accomplished by calculating file attributes and comparing them to a preexisting "baseline" scan of the critical system files; an event is generated for every difference between the two. In DCS, filewatch.dat is used to detect changes made during the reboot sequence or at any time the IDS service is stopped; those changes are also reported as polling events.
Polling events show that a file was modified, but because DCS does not collect real-time file information during polling, users will sometimes see these events as "missing" information, such as which user modified the file or what was modified. This is working as designed.
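The following script is an added illustration and is not Symantec DCS code. It models the two behaviours described above: it parses the IA_0024/IA_0023 service lines quoted earlier to find the window in which the IDS service was down (changes made then can only surface as polling events), and it performs a baseline-versus-poll attribute comparison over a constructed temporary directory to show that a polling event carries only the fact that a file differs, with no user or change-detail fields. The attribute set, the event dictionary layout and the sample files are assumptions made for the example.

```python
"""Added example (not DCS/Symantec code): polling-style FIM compared with the
IDS service start/stop log lines quoted on the page."""
import hashlib
import os
import tempfile
from datetime import datetime

# Constructed copy of the two service log lines quoted on the page.
SERVICE_LOG = """\
MSTD,15,2017-05-22 03:55:56.000 Z+0530,I,0,R,,,IA_0024,,,,Main Module,,,,,IA_0024,,,,IA_0024: Symantec IDS Service is stopping
MSTD,1,2017-05-22 03:55:59.000 Z+0530,I,0,R,,,IA_0023,,,,Main Module,,,,,IA_0023,,,,IA_0023: Symantec IDS Service has started
"""


def _parse_ts(text):
    # Timestamp field exactly as it appears in the quoted lines, e.g. "2017-05-22 03:55:56.000 Z+0530".
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f Z%z")


def polling_window(log_text):
    """Return (stopped_at, started_at) taken from the IA_0024 / IA_0023 lines.
    File changes between these two times cannot be seen in real time, so they
    are reported as polling ("P") events once the service is back."""
    stopped = started = None
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 9:
            continue
        if fields[8] == "IA_0024":      # service stopping
            stopped = _parse_ts(fields[2])
        elif fields[8] == "IA_0023":    # service started
            started = _parse_ts(fields[2])
    return stopped, started


def file_attrs(path):
    """Attributes a polling scan records (assumed set): size, mtime, content hash.
    Nothing here identifies who changed the file or what the change was."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def baseline(root):
    """Baseline scan: an attribute snapshot of every regular file under root."""
    snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = file_attrs(full)
    return snapshot


def poll(root, base):
    """Rescan and diff against the baseline. Every event is mode "P" and the
    user/detail fields stay empty, which is why polling events look 'incomplete'
    next to real-time "M" events."""
    current = baseline(root)
    events = []
    for rel in sorted(set(base) | set(current)):
        if rel not in current:
            change = "deleted"
        elif rel not in base:
            change = "created"
        elif current[rel] != base[rel]:
            change = "modified"
        else:
            continue
        events.append({"mode": "P", "file": rel, "change": change,
                       "user": None, "detail": None})
    return events


def demo():
    """Constructed scenario: baseline two files, alter one and delete the other
    while 'the service is down', then poll."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        base = baseline(root)
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("10.0.0.5 constructed-host\n")   # constructed change
        os.remove(os.path.join(root, "passwd"))
        return poll(root, base)


if __name__ == "__main__":
    stopped, started = polling_window(SERVICE_LOG)
    print("service down for", (started - stopped).total_seconds(), "seconds")
    for event in demo():
        print(event)
```

When reviewing a "P" event, compare its file's modification time with the window returned by polling_window(): a change that falls between the IA_0024 and IA_0023 timestamps is expected to lack user and modification details, and is not a sign that real-time monitoring is broken.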
Here is an example of what a file modification event looks like before the IDS service is fully initialized. Note: user and file modification information are not provided by default in polling mode.