lesscodedotnet

Results 5 comments of lesscodedotnet

@darkoperator By agents, you mean Symantec, Cylance and sysmon64? We had turned off Symantec and Cylance and the problem was still occurring until we also turned off sysmon, so presumably...

@darkoperator If I'm understanding the docs correctly, a file delete rule would watch for files being deleted and just log an event and/or copy the file, right? I'm looking to...

I got their config file and it has a ton of rules, but none of them are FileDelete or FileDeleteDetected rules. We ran some more experiments and we can consistently...

By trial and error we traced the issue to the Event ID 7 (ImageLoad) rules. If we commented out all includes and excludes in this section the issue disappeared. We...

@darkoperator I did post on Microsoft Q&A under the [windows-sysinternals-sysmon] tag (https://docs.microsoft.com/answers/topics/164854/windows-sysinternals-sysmon.html). Is there a more suitable spot?