audit remotely created files


We are facing a worm that is copying files to shared folders.
But to find the source that is spreading the files I want to log the source who is creating these files.

I've tried using process monitor from sysinternals but this tool only seems to log files that are created localy and not from a remote source.

What other possibilities are there to log a remote source trying to create/copy files?

Who is Participating?
iedenConnect With a Mentor Commented:
Under the security properties of a target system assign Creator/Owner full rights to the directories it creates. When viewing the properties of directories and files you will notice a user has been assigned rights specifically. That should help in narrowing down which account is compromised.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.