{"id":5318,"date":"2018-04-19T11:47:52","date_gmt":"2018-04-19T16:47:52","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=5318"},"modified":"2018-04-12T16:18:51","modified_gmt":"2018-04-12T21:18:51","slug":"file-sight-reported-files-read-what-happened","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/file-sight-reported-files-read-what-happened\/","title":{"rendered":"File Sight Reported Files Read?  What Happened?"},"content":{"rendered":"<p><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/04\/file-sight-question.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-5319 size-full\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/04\/file-sight-question.jpg\" alt=\"\" width=\"380\" height=\"253\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/04\/file-sight-question.jpg 380w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2018\/04\/file-sight-question-300x200.jpg 300w\" sizes=\"auto, (max-width: 380px) 100vw, 380px\"><\/a><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">We sometimes get requests from customers asking for help understanding a File Sight report.\u00a0 It often involves a user account that is shown as having read 100s of files very quickly.\u00a0 This post is to help explain what might have happened.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">From the server (where PA File Sight runs), it\u2019s hard to know for sure.\u00a0 File Sight sees the requested filename, the user account requesting the file, and the IP address they are requesting the file from.\u00a0 What it doesn\u2019t know is what process on the end-user\u2019s computer is requesting the file.\u00a0<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Knowing whether a file is being read by Word.exe or Explorer.exe can make a difference.\u00a0 
\u00a0NOTE: If the end-user has the <a href=\"https:\/\/www.poweradmin.com\/help\/latestfshelp.aspx?page=monitor_filesight-file-tracker.aspx&amp;ref=blog\">File Sight Endpoint<\/a> installed, that information <span style=\"text-decoration: underline;\">is<\/span> available.\u00a0 This blog post is for cases where the Endpoint is <span style=\"text-decoration: underline;\">not<\/span> being used.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">So, what can read a lot of files quickly?<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">User Copying Files<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">This is the case that businesses worry about.\u00a0 Someone walking out the door with a USB drive full of customer information.\u00a0 (Did I mention that the Endpoint can <a href=\"https:\/\/www.poweradmin.com\/help\/latestfshelp.aspx?page=monitor_filesight-endpoint-usb-drive-blocking.aspx&amp;ref=blog\">block USB drives<\/a>?).\u00a0 This is definitely a possibility.\u00a0 With the <a href=\"https:\/\/www.poweradmin.com\/help\/latestfshelp.aspx?page=monitor_filesight.aspx&amp;ref=blog\">file copy detection and alerts<\/a>, someone could go visit the user and see what is happening.<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">Anti-Virus Scanner<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Most of the time client anti-virus scanners are set to only scan local drives.\u00a0 However, if an anti-virus product was set to scan a network drive, PA File Sight would see that and report all of the files that were read by the scanner.<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">Backup Application<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Typically client backup applications would be configured to back up the local computer, and the server backup would back up the 
server.\u00a0 If a client backup is set to back up network drives, PA File Sight would see that and report those files as read (because they really were read).<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">Search\/Indexing Programs<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Google used to have a tool called Google Desktop.\u00a0 It\u2019s largely been replaced on most computers by Windows Search.\u00a0 I\u2019m sure there are others.\u00a0 These products search through your files and index them so you can do a search like \u201cfind all chili recipes\u201d, and it knows exactly which documents contain the words \u201cchili\u201d and \u201crecipe\u201d.\u00a0 If these applications scan shared files on a server, PA File Sight will see it and report it as a read.<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">Malware<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Although malware\/ransomware does quickly read many files, it most often then also writes them back out (writing encrypted versions), and then deletes the original.\u00a0 Usually you\u2019ll know if it\u2019s malware because the files are changed, there are new extensions and\/or ransom notes.<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">Other Programs<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Just recently (at the time of this writing), it was revealed that Google Chrome had a bug where it ended up scanning a lot of local files.\u00a0 I don\u2019t know if it could end up scanning server files, but if it did, PA File Sight could see it.<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\"><a href=\"https:\/\/www.engadget.com\/amp\/2018\/04\/07\/chrome-cleanup-download-scan\/\" target=\"_blank\" rel=\"nofollow\">Chrome File Scanning Bug<img class=\"extlink-icon\" 
src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/plugins\/external-links-nofollow-open-in-new-tab-favicon\/images\/extlink.png\"><\/a><\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">In short, it\u2019s hard to know from the server why a user account is reading files.\u00a0 That\u2019s why the Endpoint was created.\u00a0 Could it be a bug?\u00a0 Maybe.\u00a0 Software is never perfect.\u00a0 But we\u2019ve not yet found a case where PA File Sight reported activity that was incorrect.\u00a0\u00a0<\/span><\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We sometimes get requests from customers asking for help understanding a File Sight report.\u00a0 It often involves a user account that is shown as having read 100s of files very quickly.\u00a0 This post is to help explain what might have happened. \u00a0 From the server (where PA File Sight runs), it\u2019s hard to know for sure.\u00a0 [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":5319,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10,9,8],"tags":[],"class_list":["post-5318","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-power-admin","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/5318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=5318"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-jso
n\/wp\/v2\/posts\/5318\/revisions"}],"predecessor-version":[{"id":5327,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/5318\/revisions\/5327"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/5319"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=5318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=5318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=5318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}