Control of external drives¶
Make sure that the necessary options are enabled in the agent configuration. Enable the modules in the menu USB-CD Devices menu - Devices ( USB ) and Files - “Shadow copying”. If the configuration is changed click “Save” and wait for a couple of minutes until it get’s applied on the chosen computers.
Now let’s connect a USD-drive to one of the computers.
And copy a file to the connected frive.
Extract the USD-drive.
In the admin panel of StaffCop Enterprise we open the home page, click the “Event type” tab. Choose “Disk drive” and “Intercepted file”. In the bottom panel we can see the chosen criteria and in the table we can see the result of interception: in 19:58:18. The “User” logged on the computer «philvoch2» connected a removable drive «Kingston DataTraveler 2.0 USB Device» and copied there a file «Газовая промышленность».
We can search the content of the intercepted file for words that are important for us. For example, let’s input the word “Gazprom”. We can see this word is not found in the intercepted document.
Then we can save the applied filter to receive an alert each time an event occurs on any of the computers with StaffCop Agent installed when a file contain the word “Gazprom” is copied.
For this click the “Save” button at the top part of the window and specify the recipient of the alert for the triggered event.
In this case alerts will be sent to «firstname.lastname@example.org».
After specifying the recipient click the “Save” button.
Keep in mind that alerts are delivered only in case the mail server is configured.
If we take a look at the events from other workstations we will see that the same flash-drive with the same unique HWID was connected to another workstaton named oooodddddd-ПК with the “Lenovo” user.
Most probably, this USB-drive was passed to another user along with the files copied to this drive.