I activated the File Activity Anomaly Report a couple of months ago and, strangely, I receive reports from 17 Microsoft FileServers every Saturday morning from one particular domain (which accounts for about half of the servers (all running the same software) - these are a mixture of 2008, 2012 & 2016 Windows OS). I've subsequently used CVIOMonitor.log in an attempt to troubleshoot; however, when viewing the properties of identified files, they are displaying that each file was last amended in 2014. All of the servers are running Kaspersky AV and I can locate a limited number of '4670 – permissions on an object were changed' entries in some of the server event logs (but not all).
I really don't want to have to disable this feature on these servers as the alert is obviously attempting to tell me something, but I'm unable to validate the accuracy of the reports.
I receive this alert every day. Can someone explain why?
Alert: File Activity Anomaly Alert
Type: Operation - Event Viewer Events
Detected Criteria: Event Viewer Events
Detected Time: Wed May 6 23:39:22 2020
Event ID: 2608456
Monitoring Criteria: (Event Code equals to 7:211|7:212)
Event Date: Wed May 6 23:38:55 2020
Description: Detected file activity anomaly of type [Deleted ] in last 5 minutes. Number of files Modified  Deleted  Renamed  and Created . Please verify the data on the machine.