Control of external drives

Make sure that the necessary options are enabled in the agent configuration. Enable the modules in the USB-CD Devices menu - “Devices ( USB )” and Files - “Shadow Copying”. If the configuration has been changed, click “Save” and wait a few minutes until it is applied to the monitored computers.

Now connect the USB drive (USB flash drive) to one of the monitored computers.

And copy a file to the connected drive.

Then eject the USB-drive.

In the “Dimension panel” click the “Event Type” tab. Select “Disk drive” and “Intercepted files”. We can see the selected criteria in the bottom panel, and in the table - the result of the interception: in 17:32:38. User - “Pomah” on the computer “DESKTOP-0B8NM1B”connected a removable disk “Generic Flash Disk USB Device” and copied to it a file with the name - “_05_cerim_-_license_agreement_template.doc”.

We can search the contents of the intercepted file for words that are important to us. For example, we will enter the key words - “License”,. “Agreement”. We see that these words were found in the intercepted document.

Then we can save the selected filter and receive notifications every time when a copying event containing the words “License Agreement” occurs on one of the computers under the control of StaffCop Enterprise Agent

To do this, click the “Save” button at the top of the window and specify in the filter parameters - “Recipient” to send a notification on the event that was triggered.

В данном случае письмо будет выслано адресату - «pv@staffcop.ru».

After specifying the recipient click the “Save” button.

Make sure that the e-mail parameters are configured so you could send letters.

If you look at the events recorded by agents on workstations, it is obvious that the same flash drive, with the same unique number, was connected to another computer named NB0152 and a user named “abogush”.

Most likely this flash drive was transferred to another employee of the company along with the file copied on it.