FileAudit allows certain events to be excluded from the audited access events:
How to add an exclusion.
You can exclude access events generated for specific user accounts, executables and files pattern. Select what type of item is to be excluded (e.g. ‘Add a pattern’), which will activate a panel on the right-hand side. In this panel, type the object you wish to exclude:
Take note: Wildcards are usable only to define exclusions on file patterns:
* : matches any string.
? : matches any character.
Ignore read on executable
Most executable files load an associated icon image when the file name is listed in Windows Explorer, generating a read access event.
By default, FileAudit ignores this read event to avoid the display of these non-relevant read accesses. This doesn't affect the 'execute' access type.
If for any reason you need to take in consideration a 'read access attempt' of an executable file, just switch off this option.
Audit file attributes changes
FileAudit can audit modifications done on file attributes (Read-only, Hidden, etc...). By default this ability is disabled.
To enable the audit on file attribute changes, just switch it on.
Take note: All paths already registered to be audited by FileAudit (listed in the 'Audit configuration' view) doesn't include the suitable NTFS Audit configuration to audit the file attributes changes. Once this option is enabled, it's necessary to relaunch the configuration of existing path. You can simply do it following the procedure described in the help section "Check the audit configuration". Next paths which will be configured after having switch this option on will integrate the proper configuration without any additional action required.