I have a folder of video files and every day at 10pm, most of the files are deleted leaving just the folder structure.
\Device\HarddiskVolume3\Video_Library\DM\
Users have the folder Video_Library mapped.
I have removed delete permissions for all users to the DM folder.
I have enabled file auditing for success and failure for deletion of the DM folder and all subfolders and files. There is no entry for this deletion; however, at the time of the deletion we get the following:
A handle to an object was requested with intent to delete.

Subject:
    Security ID: DOMAIN\evuser
    Account Name: evuser
    Account Domain: NINEMSN
    Logon ID: 0x1131d2371

Object:
    Object Server: Security
    Object Type: File
    Object Name: \Device\HarddiskVolume3\Video_Library\DM\.DS_Store
    Handle ID: 0x0

Process Information:
    Process ID: 0x4

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: DELETE
              SYNCHRONIZE
              ReadAttributes
    Access Mask: 0x110080
    Privileges Used for Access Check: SeBackupPrivilege
                                      SeRestorePrivilege
evuser is our Symantec Enterprise Vault service account. I have explicitly added deny permissions to the entire DM folder but it still seems to be able to get in. Enterprise Vault is set to archive files at 6 months since last access. These files are a matter of hours old.
I have copied files, renamed files and moved them to different locations. All of these are deleted.
I have transcoded a video and this is NOT deleted.
There is no history of these files being touched by Forefront AV (according to the GUI).
Any suggestions as to how I can trace the deletion of these files?
Thanks
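
An added example, not part of the original post: a Python sketch that decodes the access mask of the audit event quoted above and flags when SeBackupPrivilege or SeRestorePrivilege was used for the access check, in which case the deny entries on the folder are not what decided the open. The function names and result keys are hypothetical, and the sample event is an abridged copy of the one in the post.

```python
import re

# File and standard access-right bits (values from winnt.h).
ACCESS_BITS = {
    0x000001: "ReadData/ListDirectory", 0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Holders of these privileges can open files with backup semantics,
# which skips the normal DACL evaluation (including deny entries).
ACL_BYPASS_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}

def decode_mask(mask):
    """Return the names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def triage(event_text):
    """Pull the fields that matter for a 'who deleted this' investigation."""
    def field(label):
        m = re.search(rf"^\s*{re.escape(label)}:\s*(\S.*?)\s*$", event_text, re.M)
        return m.group(1) if m else None
    mask = int(field("Access Mask"), 16)
    privs = set(re.findall(r"\bSe[A-Za-z]+Privilege\b", event_text))
    pid = int(field("Process ID"), 16)
    return {
        "account": field("Account Name"),
        "object": field("Object Name"),
        "rights": decode_mask(mask),
        "delete_requested": bool(mask & 0x010000),
        "acl_bypassed": bool(privs & ACL_BYPASS_PRIVS),
        # PID 4 is the Windows System process (kernel-mode callers).
        "from_system_process": pid == 4,
    }

# Abridged copy of the event quoted in the post.
SAMPLE = r"""A handle to an object was requested with intent to delete.
Account Name: evuser
Object Name: \Device\HarddiskVolume3\Video_Library\DM\.DS_Store
Process ID: 0x4
Access Mask: 0x110080
Privileges Used for Access Check: SeBackupPrivilege
SeRestorePrivilege
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```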