Go Up
You are here: OverviewRelease NotesKnown Issues

Known Issues

This section provides a list of all currently known issues that customers may experience with Netwrix Auditor 9.9. For each issue, there is a brief description and a workaround or a comment if available.

General

ID Issue Description Comment
88793 If a Monitoring Plan includes multiple AD domains containing groups with the same name, then Search using Who—In Group filter without specified domain name will return the results for one domain only.

To search within certain domain using this filter, specify filter value in the domain\group format.

Netwrix Auditor Data Discovery and Classification

ID Issue Description Comment
132274 Nutanix does not send SMB notification in case the file was changed using some text editors, like Notepad, WordPad, etc. Some other editors work fine (e.g. MS Word). As a result, NDC does not detect file changes, and re-index for changed file does not start automatically. So, it will be re-indexed during the next scheduled re-index task (1 week by default).

 

Netwrix Auditor for Active Directory

ID Issue Description Comment
10831

Since the AD Configuration partition is common for all domains in a forest, any change to this partition will be reported by the product for each of the audited domains.

The name of the user who made the change will only be displayed for the domain where the change was made. Product reports for other audited domains will show the "System" value in the "Who" column.

Ignore entries with the "System" value in the "Who" column for other domains.

11090 If changes to group membership are made through Exchange Control Panel, the product will report on addition and deletion of all group members in addition to these changes.  
13619 If a change is made to the audited domain through Microsoft Exchange installed in another domain, the originating workstation for such changes will be reported as "Unknown".  
14291 If changes to Active Directory objects are made through Exchange Management Console or Exchange Control Panel, the "Workstation" field in reports showing the computer from which a change was made may contain several workstations.  
31008 31046 Netwrix Auditor reports the scheduled task or service start as an interactive logon.  
63500 The Administrative Group Members report does not show administrative group members beyond the monitored domain (e.g., child domain users).  

Netwrix Auditor for Exchange

ID Issue Description Comment
11537 If a user is added through Active Directory Users and Computers, and then a mailbox is created for this user through the Exchange Management Console within a short period of time (less than 10 minutes), the product will show duplicate entries for the mailbox creation event in the "Who" column. One change will show the Exchange name of the account under which a user was created, and the other—the name of the user who created a mailbox. Ignore the duplicate entry with the Exchange account in the "Who" field.
11110 For Microsoft Exchange, changes to text strings that have line breaks will contain the before and after values only for the text fragment before the line break. The fact of the change itself will be reported for the whole text string. Check the resulting value through Active Directory Users and Computers or other tools.
10897 The product does not report on changes made on an Exchange with the Edge Transport role.  
10590 For Microsoft Exchange, changes to the inetOrgPerson object type will be reported in the Exchange audit reports with the "user" value in the "Object Type" column.  
10431

If a previously disconnected mailbox is reconnected to a user, the Exchange reports will display the mailbox GUID instead of a canonical user name in the "What" column.

If, as a result of this operation, the email address of this user is modified, this change will be reported in the Active Directory reports with the Exchange name in the "Who" column.

To get a canonical user name in an Exchange report, look for the "User" attribute in the "Details" field of the reconnected mailbox change entry.

To get the "Who" value for the email address change entry, open Exchange report for the same time period and look for the entry reflecting the mailbox reconnection event. The user who reconnected the mailbox is the same user who initiated the email address change event. You can match the email notification entry with the mailbox reconnection entry by comparing the Object Path field in the Active Directory report with the User attribute in the "Details" field of the Exchange report.

Netwrix Auditor for File Servers (Windows File Server, EMC, NetApp, Nutanix Files)

ID Issue Description Comment

128593

For Nutanix file server: effective permissions (as a combination of NTFS and Shared permissions) are not calculated properly for the local Administrators group members.

 

126202

For Windows file server: if a mount point is a shared folder, then the objects in its root will be initially collected by Netwrix Auditor and appear as processed by System account.

During the next data collections, all actions for these objects will be monitored in a normal way.

126198

Netwrix Auditor for Windows File Server does not audit the mount points targeted at the subfolder of a file share.

To process such mount points, in the monitored item settings provide network path to the target subfolder.

2871

762

42760

For NetApp 8.3.1 (or earlier), EMC VNX/VNXe and Isilon systems Netwrix Auditor may skip empty files creation and newly created folders in reports and activity summaries.

 

30698

30847

If you switch native log format (EVTX and XML) on a NetApp 8.3.1 (or earlier) file server, you will receive errors on data collections until the first change event is captured and log is created. These errors can be ignored.

If you performed a switch when the data collection was in progress you will receive an error stating that the log cannot be read. After a switch, Netwrix Auditor will not be able to get data from the previously used log.

 

9450

9208

8887

When monitoring NetApp8.3.1 (or earlier) and EMC, viewing an object's security properties may be reported as a change to these properties.  
34787

When monitoring NetApp 8.3.1 (or earlier) , EMC VNX/VNXe and Isilon systems, if an audit configuration error occurred within previous 11 hours, further data collection statuses may be Working and Ready even if this error persists.

Netwrix Auditor automatically checks audit settings every 11 hours irrespective of scheduled or on-demand data collections, and writes a single notification into the Netwrix Auditor System Health log. Scroll down the log to see the error/warning.

To keep data collection status up-to-date, it is recommended to run data collections less frequently (e.g., twice a day—every 12 hours). Or contact Netwrix Support to enable more frequent audit checks.

To resolve configuration error:

  • Enable automatic audit configuration.
  • Fix the error manually if this error is related to insufficient object permissions.
  • Add a problem object to omitcollect.txt to skip it from processing and monitoring.

Netwrix Auditor for SharePoint

ID Issue Description Comment
1549 SharePoint Central Administration URL specified on monitoring plan creation cannot exceed 80 characters. If your SharePoint Central Administration URL exceeds 80 characters, create a short name and specify it in the Alternate Access Mappings, and create a Site Binding in IIS for SharePoint Central Administration v4.
12683 When a lot of SharePoint changes are made within a short period of time (15-20 changes per second), some events may be lost and not reflected in audit reports and Activity Summaries because of the default IIS recycle settings (the IIS Worker Process that accumulates data on changes is restarted before all data is written to the Audit Database). Modify the default IIS recycle settings to keep data when the process is restarted. For details on how to configure recycling, refer to the following Microsoft article: Recycling Settings for an Application Pool.
12883 The timestamp for SharePoint farm configuration changes in audit reports and Activity Summary emails is the time when Netwrix Auditor generates the daily Activity Summary, not the actual event time.  
13445

The following changes are reported by the product with the "Unknown" value in the "Who" column:

  • Automatic creation of SharePoint groups on site creation if it uses unique permissions instead of inheriting them
  • All changes made under the "Anonymous" user if the security policy permits such changes
 
13918

The following changes are reported with the "SHAREPOINT\system" value in the "Who" column:

  • Changes made under an account that belongs to Farm Admins
  • Changes made under an account that is a Managed account for the Web Application Pool
  • Changes made under an account that is specified in the User Policy of the modified Web Application with the "Operates as a system" option enabled
  • Changes resulting from SharePoint Workflows
 
13977

The "Workstation" field is not reported for content changes if they were made in one of the following ways:

  • Through powershell cmdlets
  • Through the Site settings Content and Structure menu
  • Through Microsoft servers and Office applications integrated with SharePoint
  • Through SharePoint workflows
  • Through the Upload Multiple Files menu option
  • Through the Open With Explorer menu option
  • Through a shared folder
  • Deletion of items through the context menu
 
33670 Netwrix Auditor does not report on changes to lists, list items, and web sites that had occurred before these objects were removed.  

Netwrix Auditor for SQL Server

ID Issue Description Comment

7769

Removal of a SQL Job together with unused schedules is reported with the "System" value in the "Who" column.

 
6789

With the Audit data changes option enabled, when you try to perform the UPDATE/INSERT/DELETE operations in an audited database, an error is returned stating that the statements cannot be executed because the database owner SID cannot be resolved or SIDs do not match.

NOTE: Database backup and restore may lead to unresolved or not matching SIDs.

For detailed information about the issue and for a solution, refer to the following Netwrix Knowledge base article:

An error is returned stating that you have problems accessing an audited database.

25667

Netwrix Auditor shows the same workstation name in reports and search results for all changes made to an object within the data collection period (24 hours for default data collection schedule or between two manual launches) even if changes were made by different users and from different workstations.  

Netwrix Auditor for Windows Server

ID Issue Description Comment
134683

When calculating "Servers with unauthorized antivirus software" risk metric value, Windows 2016/2019 machines where pre-installed Windows Defender is running are considered a risk factor.

They will be also considered a risk factor when the "Antivirus Baseline" filter in the "Windows Server Inventory" report is applied.

If you install a third-party antivirus product, you should uninstall Windows Defender as recommended by Microsoft.

Otherwise, there will be two antiviruses running: Windows Defender and third-party solution. In this case, Netwrix Auditor will treat Windows Defender as a main anitvirus, and related calculations will be performed accordingly.

102460 When calculating "Servers with unauthorized antivirus software" risk metric value, Windows 7 machines where pre-installed Windows Defender is running are considered a risk factor. Microsoft Action Center does not classify Windows Defender on Windows 7 machines as antivirus software (see this article for more information). Use fully-featured antivirus software, e.g. Kaspersky Internet Security, ESET File security, Microsoft Security Essentials, etc.

12743

Some registry changes may be reported as who=system or who=computer account.

 
12745 Software upgrade is reported by the product as two consecutive changes: software removal and software installation. The entry for software removal will have the "System" value in the "Who" column. Look for the user name in the entry for software installation to determine who performed the upgrade.
User Activity
12763 Links to video recordings will not open from reports saved in the doc/xls format, or reports received by subscription and attached to emails in one of these formats. Save reports in the PDF format and select this format when configuring a subscription to a report.
12807 On Windows 8.1/Windows Server 2012, the information on the launch of Windows Store (Metro-style) applications is not written to the detailed activity log (reports metadata), as applications in a tile-based interface do not have application descriptions or window titles. Therefore, data search or positioning inside video files will be unavailable for such applications. A video recording session will not start before the user accesses their desktop for the first time.  
12451 Video capture of an RDP session will be terminated if this session is taken over by another user.  

Go Up