Files


File system activity — This module tracks file activity on a computer, including reading, writing, and deleting files.

Note

Misconfiguring this module may cause performance drops on users’ workstations. If monitoring file activity is not essential for your needs, consider disabling this module to reduce system load.

FTP — Monitors FTP connections, including login credentials and file transfers.

Shadow copying — Module designed to create shadow copies of transferred files. It captures files sent through:

  • Email clients and webmail services

  • USB drives

  • Internet messengers

  • Printers

  • Web browsers (uploads to Google Drive)

Note

On Linux systems, shadow copying of files on USB drives is supported only for paths defined in Rule: File monitoring — Paths and wildcards.

Intercept files from external media — Captures a list of files from connected USB drives. If Rule: Shadow copy of files from removable devices is enabled, it creates shadow copies of files.

Shadow copy of files from mobile devices (WPD) — Captures a list of files stored on connected mobile devices. If Rule: Shadow copy of files from removable devices is enabled, it creates shadow copies of files.

Shadow copying when transferring by RDP — Creates shadow copies of files transferred through the shared clipboard when connected to a remote desktop via RDP (Remote Desktop Protocol).

To create shadow copies when copying files via RDP, enable the following two settings:

  • Clipboard in the RDP connection settings — to enable shared clipboard operations.

  • Clipboard in the Keyboard and Clipboard section — to track file copying and create shadow copies.

Without these settings, shadow copies will not be created.

A shadow copy is created when copying a file both from a computer to a remote desktop, and vice versa — from a remote desktop to a computer being monitored by an agent.

Note

A shadow copy will only be created if the file size is within the limit set in the Max File Size for Shadow Copying field.

Below is the module’s behavior in different scenarios:

  • Scenario: A PC without an agent is connected via RDP to a PC with an agent; the user copied the file on either PC. Outcome: the agent creates a shadow copy of the file.

  • Scenario: A PC with an agent is connected via RDP to a PC without an agent; the user copied the file to the agent’s PC. Outcome: the agent creates a shadow copy of the file.

  • Scenario: A PC with an agent is connected via RDP to a PC without an agent; the user copied the file to the PC without an agent. Outcome: the agent does not create a shadow copy of the file.

  • Scenario: A PC with an agent is connected via RDP to another PC with an agent; the user copied the file on either PC. Outcome: the agent creates a shadow copy of the file.

Max file size for shadow copying — Defines the maximum file size allowed for shadow copying. This setting prevents overloading the monitored PC, data channels, and server during large file transfers.

SMB cache — Speeds up file processing; especially useful when there are several file servers in your network.

Normalize file names — Expands all shortened file names to their full versions.

Rules: File monitoring — Paths and wildcards

Disallow — Disables tracking of file operations for the specified paths.

Allow — Tracks file operations only for the paths specified in the list. All other file activity is ignored.

When defining monitoring paths, you can use special characters for flexibility:

  • asterisk (*) — a wildcard that matches zero or more characters in a path or string. It is useful when you want to monitor multiple paths with a single rule.

    Example: home/*/documents/* tracks all file activity in the documents folder for any user.

  • question mark (?) — a wildcard that matches exactly one character. It is useful when you want to monitor paths that vary in a single position.

    Example: /home/user?/documents/ tracks activity in the documents folder for users whose folder names vary by a single character, such as user1 or user2.

Rules: File monitoring on Linux agents

To enable file monitoring on the Linux agent, turn on the File system activity switch. Then add the paths to track under Rules: File monitoring — Paths and wildcards.

Note

If the Allow and Disallow lines are left blank, file activity will not be tracked.
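To check an Allow/Disallow rule set against sample paths before rolling it out, here is an added Python example (not the product’s own matching code). It implements the wildcard semantics described above and the note that blank Allow and Disallow lines track nothing; it assumes that a rule matches anywhere within the path, that “~/” stands for any home directory under /home, and that Disallow takes precedence over Allow. The same matcher is also applied to the removable-device file masks (*.docx, name.*, *.*) described further down.

```python
import re


# Translate the page's wildcard syntax into a regex: "*" matches zero or more
# characters, "?" matches exactly one; every other character is literal.
def mask_to_regex(mask: str) -> re.Pattern:
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def path_matches(mask: str, path: str) -> bool:
    # Assumption: "~/" stands for any user's home directory under /home.
    if mask.startswith("~/"):
        mask = "/home/*/" + mask[2:]
    # Assumption: a path rule matches anywhere inside the path, which is why
    # the page's example "home/*/documents/*" works without a leading slash.
    return mask_to_regex(mask).search(path) is not None


def is_tracked(path: str, allow: list, disallow: list) -> bool:
    """Decide whether file activity on `path` is tracked by the rule set."""
    if not allow and not disallow:
        return False  # page note: both lines blank -> nothing is tracked
    if any(path_matches(m, path) for m in disallow):
        return False  # assumption: Disallow takes precedence when both match
    if allow:
        return any(path_matches(m, path) for m in allow)
    return True  # Disallow-only rule set: every other path is tracked


def media_mask_matches(mask: str, filename: str) -> bool:
    # Removable-device masks (*.docx, name.*, *.*) apply to the whole file name.
    return mask_to_regex(mask).fullmatch(filename) is not None


if __name__ == "__main__":
    allow = ["/home/user?/documents/"]
    disallow = ["~/.*"]
    for p in ("/home/user1/documents/report.txt",   # tracked
              "/home/user12/documents/report.txt",  # "?" is one char: not tracked
              "/home/user1/documents/.secret"):     # hidden file: Disallow wins
        print(p, "->", is_tracked(p, allow, disallow))
```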

You can use these paths to configure file monitoring and control which parts of the system are tracked:

  • / — All directories on the machine. Most file operations here are system-related and not tied to user activity; using “/” in the Allow line can cause high system load.

  • ~/ — Users’ home directories. Reduces the number of file events displayed while providing a sufficient level of control.

  • ~user/ — A specific user’s home directory. Focuses monitoring on one particular user.

  • /media/ — Operations with CD and USB devices. Specify the path used on your system.

  • /mnt/ — Operations with mounted USB devices. Specify the appropriate path for your system.

  • ~/.* — Operations in hidden (dot) folders in the home directory, such as /home/user/.cache. Most operations here are system-related and not relevant to user activity.

Rules: File monitoring — Paths and wildcards — Read

Disallow — Disables tracking of read operations for the specified paths.

Allow — Enables tracking of read operations only for the paths specified in the filter. All other file activity on paths outside the filter will not be tracked.

Note

This rule affects the File Activity module. If the wildcard “*” is used at the end of a path or mask in the Disallow line, read operations for files in that path will not be tracked. Since reading a file is the first operation that happens when working with a file, this means no file operations will be tracked or displayed for that path in the Lens.

Rules: File monitoring — Application

Disallow — Disables tracking of file operations for the specified executable file or list of executable files. File operations of all other applications are tracked.

Allow — Enables tracking of file operations only for the specified executable file or list of executable files. File operations of all other applications are not tracked.

Rules: File Monitoring — Application — Read

Disallow — Disables tracking of read operations for the specified executable files. Read operations from other applications are tracked.

Allow — Enables tracking of read operations only for the specified executable files. Read operations from other applications are not tracked.

Rules: File monitoring — Special monitoring

Allow — Creates a shadow copy for selected files during all file operations, except for deletion.

Note

On Linux systems, shadow copying only works if the paths are specified in Rules: File Monitoring — Paths and Wildcards.

Shadow copies are logged under the event type File – Operation. You can find them in the Lens dashboard.

Note

With intensive use of files or folders, a large number of shadow copies may be generated.

Rules: Shadow copy of files from removable devices

Allow — This rule defines masks for intercepting files from external devices.

You can use these entries to capture:

  • *.docx — DOCX files.

  • name.* — Files with the specified name.

  • *.* — All files from the storage medium.

Warning

Be careful with the *.* rule: it may put a very heavy load on the server.