We had a bit of an issue last week when I got calls from the server team that I should stop scanning one pf the fileservers... Responded that no scan was planned or scheduled and that the scanner (process in Task Manager) was not active. (Yet, there was a lot of ENS activity and CPU was overloaded).
After searching for a (long) while, we found out that a user had decided that it should be OK to just copy/move several hundred thousand filesfrom one disk to the fileserver.
So, when the files arrived, ENS-APP kicked in and I started getting loads of 1095-Events (Remote creation of files). The (Agent or ENS10 on the) fileserver was active for more than 2 days uploading those events to the ePO server.
I'm wondering how to avoid repeating this situation in the future.
*) Should we just disregard 1095-Events ? The signal-to-noise ratio is ridiculous at this point, but I don't like the idea of losing this information in case I need to search the source/cause of an issue.
*) Should we stop logging the specific event (1095 - "Remotely creating or modifying files or folders", this is not the one protecting the Windows folder, nor the "Program Files" folders)?
What is the combined opinion of the community on this?