I have Endpoint servers running on Windows Server 2012 R2 in the Americas, Europe and Asia. Each server regularly scans all the workstations in its region for files violating a policy (it's the same policy in all three regions). If a file is found in violation of the policy, the response rule is to move it to a quarantine area on a file server located in that same region. I am puzzled by the timestamps I am seeing on the files in the quarantine directories. In the Americas quarantine directory, all of the files retain their original creation, last modified and last accessed dates. However, in the other two regions, the last accessed and the created dates get changed to the date the scan moved them from the workstations. Since the policy is to delete any files that have not been accessed in the last two years, this results in the files staying in quarantine for too long before they are deleted as a result of aging out.
Any ideas why I would see different timestamp behaviors in Europe and Asia? Does anyone know of any server settings that would cause this type of change?
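
To measure how far the behaviour described above affects each region, the following audit can be run against every quarantine directory and the results compared. It is an added example, not part of the original post or of any product's tooling. The path `D:\Quarantine` is a hypothetical placeholder, and the last-modified date is used as a stand-in for the original dates because the post reports it is preserved in all three regions.

```powershell
# Added example: audit a quarantine directory for reset timestamps.
# Read-only: it lists files and changes nothing.
$QuarantinePath = 'D:\Quarantine'   # hypothetical placeholder, set to the real directory
$RetentionYears = 2                 # policy from the post: not accessed in two years
$cutoff = (Get-Date).AddYears(-$RetentionYears)

$report = Get-ChildItem -LiteralPath $QuarantinePath -File -Recurse |
    ForEach-Object {
        [pscustomobject]@{
            FullName       = $_.FullName
            Created        = $_.CreationTime
            Modified       = $_.LastWriteTime
            Accessed       = $_.LastAccessTime
            # A created date later than the modified date means it was set when
            # the file was written here, not carried over from the workstation.
            CreatedReset   = $_.CreationTime -gt $_.LastWriteTime
            # Eligible for deletion under the policy as written (last accessed).
            AgedByAccess   = $_.LastAccessTime -lt $cutoff
            # Assumption: would be eligible if judged by the preserved modified date.
            AgedByModified = $_.LastWriteTime -lt $cutoff
        }
    }

# Candidates held past retention only because the accessed date is recent.
$overdue = @($report | Where-Object { $_.AgedByModified -and -not $_.AgedByAccess })
$reset   = @($report | Where-Object { $_.CreatedReset })

'{0} files scanned, {1} with a reset created date, {2} overdue candidates' -f
    @($report).Count, $reset.Count, $overdue.Count

$overdue | Sort-Object Modified |
    Format-Table FullName, Created, Modified, Accessed -AutoSize
```

A file whose original last-accessed date was recent but whose modified date is old will also appear as a candidate, so the overdue list is an upper bound rather than an exact count.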