3 replies to this topic

[alfa21]

Hi,

 

We have recently purchased Netwrix for our purposes, and we are slowly configuring it. I receive daily reports for file server activity, and I noticed a lot of auditing for file access from specific processes, as given below

 

domain.com\servername$

 

Process: "C:\Windows\System32\fsdmhost.exe"

 

Process: "C:\Windows\System32\svchost.exe"

 

Is there a way to exclude these processes, in order to have auditing as real as possible.

 

Thank you

[jeffb]

Hello,

 

You should be able to just use the omitstoreprocesslist.txt  in C:\Program Files (x86)\Netwrix Auditor\File Server Auditing

 

Syntax: Monitoring plan name,resource path,executable path

Example:   Production Servers,\\\\productionserver1.corp.local\\builds\\releases\\*,*wordpad.exe

 

*,*,*fsdmhost.exe

 

*,*,*svchost.exe

 

-Jeff

[alfa21]

Hello,

 

Thank you for  the reply.

 

Now it is clear to me for the processes, but how to exclude users like: domain\servername$, or any other user which may run backup or any other process.

 

Thank you

[jeffb]

This can be done with the omitstorelist.txt option.

 

Syntax: Monitoring plan name,Change Type,who changed,resource type,resource path,property name

 

Example: *,,CORP\\jsmith,*,*,

 

As seen in section 10.2.5. Exclude Data from File Servers Auditing Scope starting on page 127 of the Netwrix Auditor Administration Guide  https://www.netwrix....rator_Guide.pdf

 

-Jeff