The Google for Education Community Platform

jawt · ‎03-18-2024

Hi everyone,

Does anyone know how to trace a file that shows up in the Google Drive desktop app cache in Drive? A user has a file that our XDR is showing as malware in the Google Drive drivefs content cache. Anyone know how I can find the source file in Drive so we can address it at the source? Is that possible?

Thank you!

Kim_Nilsson · ‎03-18-2024

You need some type of reference to the file.

With a reference, not a problem.

Without, nope, not happening.

File name, or file id, or any reference to its content will work when searching in the Drive Audit Log.

Drive Audit

--
https://wheretofind.me/@NoSubstitute

jawt · ‎03-18-2024

All I'm getting from the XDR is a content cache file the AppData folder for the Drive desktop app. The folder is just a string of letters and numbers of the specific cache file is just a string of numbers.

Kim_Nilsson · ‎03-18-2024

And has the XDR removed the content locally, so you're not allowed to read the file?

I'm checking my cache now, and I see I only see content, no filenames.

All files are "readable", though. Using the built-in Viewer in Total Commander, I can view basically anything.

But, you are right. There is absolutely no reference between the local file and the online file, especially if XDR doesn't allow you to read the offending file.

I'm assuming these db files could contain such references.

Other than that, the answer seems to be No.

You need to have your XDR give you more details of the actual content, as that could hint to what the file is.

--
https://wheretofind.me/@NoSubstitute

The Google for Education Community Platform

Tracing a file in Google Drive from Drive desktop app?