Zanglirex
commented
11 months ago I've experienced this issue too. Through trial and error managed to track it down to the FileDeleteDetected Event (ID 26)
Closed gixxerdaveneo closed 11 months ago
Zanglirex
commented
11 months ago I've experienced this issue too. Through trial and error managed to track it down to the FileDeleteDetected Event (ID 26)
foxmsft
commented
11 months ago This is fixed in v15.11. If file deletion rules are selected and with file hashing enabled, at least the hashing operation will need to complete before the deletion is let through.
gixxerdaveneo
commented
11 months ago Will test v15.11 and report back
foxmsft
commented
11 months ago v15.12 is approaching, just test with v15.11 and make sure it's good for this case, will shortly publish the next one, as soon as Santa pleases.
gixxerdaveneo
commented
11 months ago This is fixed in v15.11. If file deletion rules are selected and with file hashing enabled, at least the hashing operation will need to complete before the deletion is let through.
Is there a way to disable hash for only FileDeleteDetected Event (ID 26)
foxmsft
commented
11 months ago Not really, as the hash of the deleted object is the "identity" of the deletion being logged. But that's something definitely to consider!
Example: when deleting a 110 GB file it takes 8 minutes with sysmon running. with sysmon not running file deletes in 1 second. The slow deletes started happening after upgrading sysmon from version 10.0.4.2 to 14.13.