cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

The source file path is missing in filecreatedonremovablemedia events

Pablo_Rojas
Copper Contributor

‎Jan 09 2023 09:50 AM

‎Jan 09 2023 09:50 AM

The source file path is missing in filecreatedonremovablemedia events

Hello, community,

 

I have these logs from Endpoint related to files copied to removable media, and I found out that Endpoint creates two distinct events:

  • FileCopiedToRemovableMedia, in which the ObjectID is the file's source path and the Destination file path is the final location in the removable device.
  • and FileCreatedOnRemovableMedia, in which both the ObjectID and the Destination file path are the final location in the removable device.

Both events are triggered by explorer.exe and, based on the event's timeline, they likely belong to the same copy activity. Considering this, I need your help to understand:

  • What is the difference between FileCopiedToRemovableMedia and FileCreatedOnRemovableMedia?
  • If explorer.exe executes both activities, what are the conditions that Endpoint evaluates to classify the activity as a file copy or a file creation?
  • Is there a way to obtain the original file location in a FileCreatedOnRemovableMedia event?

Thanks!

756 Views
0 Likes
0 Replies
Reply
0 Replies