Agent Setup

IMAP4/SMTP Network Email Interception

To configure email capture:

  1. Go to Control panel → Computer configurations and select the target computer.

  2. In the side panel, open the Network connections tab and turn on the Network monitoring option.

  3. In the Email and messengers tab, turn on the E-mail option.

Note

For agent versions 0.11.0-master or later, AppArmor support has been added. For versions earlier than 0.11.0-master, disable AppArmor on the agent workstation:

sudo systemctl disable apparmor

To capture attachments:

  1. In the Files tab, turn on the Shadow copying option.

  2. Set a value in Max file size for shadow copying.

Local Client Email Capture

Email and attachment capture are available for Thunderbird, Evolution, Geary, and clients based on the Akonadi framework (Kmail, Gmail…). Akonadi-based clients are recognized under the application name Akonadi.

To capture emails and attachments:

  1. Go to Control panel → Computer configurations and select the target computer.

  2. In the side panel, open the Email and messengers tab and turn on the E-mail (MAPI/Exchange) option.

  3. In the Files tab, turn on both the File system activity and Shadow copying options.

  4. Set the Max file size for shadow copying.

File System Activity

To monitor file operations and create shadow copies, turn on those options in the Files tab.

Note

To capture file operations, the agent logs each step of an operation separately: creating a copy, writing data, deleting the original. As a result, the agent creates two events for each file operation it records:

Operation    Events
Copy         Copy, Write
Move         Copy, Move
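
When counting or alerting on these events, each pair has to be read as one user action. The following is an added example (not Staffcop code) that collapses the event pairs listed above into single operations; the event fields (`ts`, `user`, `op`, `path`), the assumption that both events of a pair carry the same path, and the 2-second pairing window are illustrative assumptions.

```python
from collections import namedtuple

# Constructed event shape; the real agent's field names are not given on the page.
Event = namedtuple("Event", "ts user op path")

# From the table: second event of a pair -> the operation the user performed.
PAIR_MEANING = {"Write": "Copy", "Move": "Move"}

def collapse(events, window=2.0):
    """Merge Copy+Write / Copy+Move event pairs into one logical operation each."""
    events = sorted(events, key=lambda e: e.ts)
    used, out = set(), []
    for i, ev in enumerate(events):
        if i in used:
            continue
        partner = None
        if ev.op == "Copy":
            for j in range(i + 1, len(events)):
                nxt = events[j]
                if nxt.ts - ev.ts > window:
                    break  # too late to belong to this Copy
                if (j not in used and nxt.user == ev.user
                        and nxt.path == ev.path and nxt.op in PAIR_MEANING):
                    partner = j
                    break
        if partner is None:
            # Unpaired event (e.g. a plain Write): keep it, flagged for review.
            out.append((ev.ts, ev.user, ev.op, ev.path, "unpaired"))
        else:
            used.add(partner)
            logical = PAIR_MEANING[events[partner].op]
            out.append((ev.ts, ev.user, logical, ev.path, "paired"))
    return out

# Constructed sample events, not real agent output. Two users interleave.
SAMPLE = [
    Event(100.0, "alice", "Copy", "/mnt/usb/report.xlsx"),
    Event(100.1, "bob", "Copy", "/home/bob/notes.txt"),
    Event(100.2, "alice", "Write", "/mnt/usb/report.xlsx"),
    Event(100.3, "bob", "Move", "/home/bob/notes.txt"),
    Event(250.0, "alice", "Write", "/home/alice/draft.txt"),
]

if __name__ == "__main__":
    for row in collapse(SAMPLE):
        print(row)
```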

Port Capture

Starting from version 5.6, Staffcop agents support capturing data on any port, including non-standard ones. This lets you monitor network traffic even if the standard ports are blocked.

Captured ports and addresses are sent to the server in the form of Network connection events.

Example: If an antivirus blocks standard ports like 80 and 443, the agent can’t capture any web traffic passing through them. To solve this problem, you can configure a proxy server to redirect traffic through a non-standard port, such as 3128. In this scenario, to configure the agent to capture traffic on the new port while the standard ones remain blocked:

  1. Go to Control panel → Computer configurations and select the target computer.

  2. In the side panel, open the Network connections tab and turn on the Network connections option.

  3. In the Network monitoring - Ports section:

  • in the Allow field, set port 3128 for capture;

  • leave the Disallow field unchanged.

  4. Click Save.

The agent will start to capture traffic according to the selected options.