We have added the following ACE to many .EXE files and .COM files to see what is being run:
(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS)
Analysing the audit log, we see our .EXE files being reported in the logs in various fields.
However the reporting of .COM files seems to be less reliable: some are logged, and some are not, even though we know they are being run (e.g. as regular batch jobs).
I'm guessing that the above ACE triggers an audit event when the image activator loads an image.
But what causes the equivalent event for a .COM file? Or to put it another way, how could a .COM file be run without creating an audit record?
Thanks
Jeremy Begg