
I have a folder of video files and every day at 10pm, most of the files are deleted leaving just the folder structure.

\Device\HarddiskVolume3\Video_Library\DM\

Users have the folder Video_Library mapped.

I have removed delete permissions for all users to the DM folder.

I have enabled file auditing for success and failure for deletion of the DM folder and all subfolders and files. There is no entry for this deletion, however at the time of the deletion we get the following:

A handle to an object was requested with intent to delete.

Subject:
    Security ID:        DOMAIN\evuser
    Account Name:       evuser
    Account Domain:     NINEMSN
    Logon ID:       0x1131d2371

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    \Device\HarddiskVolume3\Video_Library\DM\.DS_Store
    Handle ID:  0x0

Process Information:
    Process ID: 0x4

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses:   DELETE
                SYNCHRONIZE
                ReadAttributes

    Access Mask:    0x110080
    Privileges Used for Access Check:   SeBackupPrivilege
            SeRestorePrivilege

evuser is our Symantec Enterprise Vault service account. I have explicitly added deny permissions to the entire DM folder but it still seems to be able to get in. Enterprise Vault is set to archive files at 6 months since last access. These files are only a matter of hours old.

I have copied files, renamed files and moved them to different locations. All of these are deleted.

I have transcoded a video and this is NOT deleted.

There is no history of these files being touched by Forefront AV (according to the GUI).

Any suggestions as to how I can trace the deletion of these files?

Thanks

Miles Hayler
  • This sounds like something that you ought to be talking to Symantec support about. – joeqwerty Nov 11 '15 at 00:46
  • I'm still not 100% certain it is Symantec. I'm trying to get as much info as I can. – Miles Hayler Nov 11 '15 at 00:57
  • Right, I understand that. It seems pretty clear though that it's your Symantec service account that's doing it. You may find the resolution quicker by getting them involved at this stage. – joeqwerty Nov 11 '15 at 01:00

2 Answers


As a test, temporarily enable the security policy "Audit: Audit the use of Backup and Restore privilege". Also ensure you have the "Audit privilege use" policy enabled. If you are using Advanced auditing, ensure you have the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." enabled.

SeBackupPrivilege and SeRestorePrivilege combined essentially means a process can do absolutely anything to a resource, regardless of the access control list, and its usage is not limited to just backing up and restoring.

"This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or restored.

If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.

Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation.

Default: Disabled."

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > "Audit: Audit the use of Backup and Restore privilege".

Greg Askew
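As an added example (not part of the question or either answer), the following PowerShell turns on the advanced audit subcategories that back the policies named in the answer and then collects the Security events that matter for this case: handles opened with DELETE access on the path from the question, and privilege checks involving SeBackupPrivilege or SeRestorePrivilege. The "Detailed File Share" subcategory and event ID 5145 are my addition; they record the client address when the folder is reached over the mapped share, which the 4656 event in the question (Process ID 0x4) cannot show.

```powershell
# Added example, not the asker's or the answerers' code. Run elevated on the file server
# before 22:00, then review the output after the deletion window.
$WatchPath = '\Device\HarddiskVolume3\Video_Library\DM\'   # path taken from the question

# Advanced audit policy subcategories. The GPO security option
# "Audit: Audit the use of Backup and Restore privilege" is set separately, as in the answer.
auditpol /set /subcategory:"File System"             /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
# 5145 events carry the SMB client's Source Address for each share access check.
auditpol /set /subcategory:"Detailed File Share"     /success:enable /failure:enable

function Get-DeleteTrace {
    param([datetime]$Since = (Get-Date).Date.AddHours(21))   # default: since 21:00 today
    # 4656/4659/4663 = object access; 4673/4674 = privileged operation; 5145 = share access
    $filter = @{ LogName = 'Security'; Id = 4656,4659,4663,4673,4674,5145; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$WatchPath*" -or
                       $_.Message -match 'Se(Backup|Restore)Privilege' } |
        ForEach-Object {
            $m = $_.Message
            # Message bodies are "Label:<spaces>value" lines; pull the first match for a label.
            $get = { param($label)
                     if ($m -match "(?m)^\s*$label\s*:\s*(.+?)\s*$") { $Matches[1] } }
            $procId = & $get 'Process ID'
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Account   = & $get 'Account Name'
                Object    = & $get 'Object Name'
                Client    = & $get 'Source Address'          # present only in 5145
                ProcessId = $procId
                # PID 0x4 is the System process: the request arrived through a kernel
                # component such as the SMB server, so the real client appears in 5145.
                ViaKernel = ($procId -eq '0x4')
                Privilege = ([regex]::Matches($m, 'Se\w+Privilege').Value | Select-Object -Unique) -join ','
                HasDelete = ($m -match '\bDELETE\b')
            }
        }
}

Get-DeleteTrace | Sort-Object Time | Format-Table -AutoSize
# Which account and client are responsible for most of the activity in the window?
Get-DeleteTrace | Group-Object Account, Client | Sort-Object Count -Descending |
    Select-Object Count, Name
```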

Download Process Monitor and set up a filter that has the path to the video files. Have this running before 10pm and watch the output while the files are deleted. Whatever is going into the folder and deleting the files will show up.

Mass Nerder