In order to timely detect attempts (including successful ones) to hack into end devices and take appropriate measures, we recommend that you take advantage of the security auditing option.
To do this:
Go to the Control Panel → Administrative Tools → Local security policy → Advanced audit policy configuration → Object access →Audit file system. Set the file system audit for success and failure.
Next, enable an audit for the folder you need:
Open the properties of the shared folder → the Security tab → Advanced → the Audit tab → Change → Add;
specify the users to be audited. Select All, application level — For this folder and its subfolders and files;
specify the actions to be audited: Create files/append data, Create folders/append data, Remove folders and files, or just Remove. For all actions, select the audit option for both success and failure.
After that, file and folder access events will appear in the security event log.
If, in a system that already has the auditing option configured, the anti-virus detects changes in the file system, make sure to note the detection time and compare it with the events in the security log.
You can familiarise yourself with security event codes on Microsoft's official website.
