Anyone know if it's possible to configure Windows Sysmon v11's new 'File Delete' event not to archive a copy of deleted files in the directory named by the 'ArchiveDirectory' config key (as the config key has a default value, Sysmon, it seems the copying cannot be avoided)?
Moving this to the SIEM category so it gets the right developers' attention.
@stefws you might want to try out the CopyOnDelete* configuration entries documented here.
That said, you may consider checking or asking about sysmon-specific configuration in a sysmon-specific forum such as https://social.technet.microsoft.com/Forums/en-US/home?forum=windowsinternals
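As an added illustration (not part of the thread, and not an official Sysmon sample): a Sysmon 11 configuration fragment that keeps File Delete (Event ID 23) logging on but narrows which deleted files are preserved, using the CopyOnDelete* entries named in the reply above. The schema version, the directory name, the extension list and the boolean element form are assumptions to check against `sysmon -? config` on your build.

```xml
<!-- Constructed example: limit Sysmon's copy-on-delete archiving instead of
     disabling File Delete logging altogether.
     Assumption: once CopyOnDelete* entries are set, only deletes matching
     them are preserved; all other deletes are still logged as Event ID 23. -->
<Sysmon schemaversion="4.30">
  <!-- Defaults to a folder named 'Sysmon' at each volume root; name it
       explicitly so responders know where to look. Sysmon protects the
       folder with a System-only ACL. -->
  <ArchiveDirectory>SysmonArchive</ArchiveDirectory>

  <!-- Preserve deleted executable images (PE files) ... -->
  <CopyOnDeletePE>True</CopyOnDeletePE>
  <!-- ... and a short, constructed list of script extensions, rather than
       a copy of every deleted file on the volume. -->
  <CopyOnDeleteExtensions>ps1,vbs,js,bat</CopyOnDeleteExtensions>

  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Keep the event stream itself: log every delete except a noisy,
           constructed temp location. -->
      <FileDelete onmatch="exclude">
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon -c thisfile.xml` and confirm the active options with `sysmon -c` (no argument) before relying on the archive being trimmed.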
Right, I just thought that if someone here already knew of this new feature, I wouldn't have to join yet another community.