[IAG] The audit shows that an IM file was sent from "other IMs". How do we locate the software that sent it?

Problem Description

The audit shows that an IM file was sent from "other IMs". The software that actually sent it needs to be located.

Effective troubleshooting steps

  1. Because the audit record includes the file path, the content was determined to have been audited by the client.
  2. The customer's version is 12.0.40, but the latest general audit package, KB-AC-20230730-444-OPEN-QQ-WX-BELOW_13_0_62_TMP, has been installed, so the case must be analyzed using the new access troubleshooting method.
  3. Use the logtool-v6.bat tool to collect logs, then analyze the Ingress\imsgprotect\logs\agent_sys file. This shows that the audited application is Foxmail.
  4. Because the latest general audit package has been applied, the client supports auditing files sent out by the Foxmail mail client. However, version 12.0.40 can only display QQ and WeChat, and every other application is treated as an unknown IM. The entries therefore appear as IM audits in the all-behavior logs, with the specific application logged as "other".

Root cause

The latest general audit package has been applied, so the client supports auditing files sent out by the Foxmail mail client. However, version 12.0.40 can only display QQ and WeChat, and every other application is treated as an unknown IM. The entries therefore appear as IM audits in the all-behavior logs, with the specific application logged as "other".

Solution

Upgrading to IAG13.0.102 resolves the problem.

Operation Impact Scope

The upgrade restarts the device and requires the purchase of a new anti-leakage authorization.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=26698&isOpen=true