Deleting a File on Windows 10 does not send FPolicy SMB_DEL request

MohitD · ‎2017-06-06

Hi,

I have configured NetApp FPolicy on a SMB share. The FPolicy server I have developed get requests from NetApp. I am enabled all SMB filters (open, close, setattr, delete, delete_dir, rename, rename_dir).

I am using Data ONTAP 8.3.2. I deleted a file from my Windows 10 client. But NetApp does not send a FPolicy request with SMB_DEL. I only get SMB_OPEN and SMB_CLOSE requests on the file.

Is there someway I can get a delete request when a file is deleted? I am also attaching a Wireshark packet trace for FPolicy captured on the FPolicy server. It has requests that NetApp sends to my FPolicy server.

Thanks for your help!

Jeff_Yao · ‎2017-06-13

just a thought,

if you're testing, try the netapp native fpolicy to see if works?

MohitD · ‎2017-06-14

Thanks. I will check.

mfriedenfeld · ‎2017-11-28

Late reply, but I'm hoping one of you are still around. I'm running into the same issue. I've created a new fpolicy on my 8.3.2 c-mode netapp. All SMB events are being sent to our fpolicy server (stealthaudit) with the exception of delete_file from windows 10 clients (delete folder is being sent from win 10). I can't seem to locate any information on the native fpolicy being discussed in one of the replies. Does anyone have any additional information I could review to try to resolve my issue?

Thanks!

- Matt Friedenfeld