This help page is for version 7.2. The latest available help is for version 8.4.
File Sight Endpoint
By itself, the File Sight monitor sees activity on a file server: which users are accessing files, what actions they are performing (reading, writing, deleting, etc.), their IP address, and so on. However, once
a file arrives on the client's computer, the server-based File Sight monitor can't see what happens to it. Is the file being copied to a thumb drive? Opened in Word? Sent via email? The File Sight Endpoint helps answer those questions.
The File Sight Endpoint is a small agent that is installed on end-user Windows computers. It uses very few resources and should not be noticed by the user. It has no user interface.
If a file is read from the server by Explorer.exe and a file with that same name is then written to the local computer by the same process, you can be fairly certain that a file copy is taking place. On the other hand, if the file was read by a process
named WINWORD.EXE (Microsoft Word) and no local save of that name followed, it looks like a user simply editing a document.
The File Sight Endpoint will add additional information to file I/O records that are saved by the File Sight Monitor. These extra fields will be in alerts and available in reports.
For the server to know which Endpoint to communicate with, both the client and the server must be Windows 7 / Windows Server 2008 R2 or newer. If either is older, an older SMB dialect is negotiated that does not provide the client's IP address, so the server cannot match the file access to an Endpoint.
Fields recorded whether or not the client runs the Endpoint:
User IP Address*
Additional fields recorded when the client runs the File Sight Endpoint*:
Client Process (Explorer.exe, WINWORD.EXE, etc.)
Logged In User (usually the same as the user account already recorded by the File Sight monitor)
List of files written by the Client Process
Probable Copy (meaning the file is probably being copied)
* Requires that the server and client are both Windows 7 / Server 2008 R2 or newer
The File Sight Endpoint performs the following functions:
Connects to the PA File Sight central service, or to a Satellite service
Watches files that are accessed from the network, and notes the process that accesses them
Notes which other files are written by that process
If a file is read from the network, and then written to disk, it is tagged as a probable copy
We use the term "probable copy" because the contents of every file read and every file written are not compared; doing so would have a large performance impact on the client computer. Instead, the File Sight Endpoint
notes that a file (Finance.xls, for example) is read from the network and that a file with the same name, Finance.xls, is then saved to local disk by the same process (Explorer.exe, for example). This looks very much like a copy. Because contents are not compared, a different file that the same process saves under that name would be tagged the same way, so treat the flag as a strong hint rather than proof.
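As an added example (not PA File Sight code), here is a small Python reconstruction of the correlation described above and in the function list: it takes client-side I/O records, finds each read of a network file, lists the local files the same process writes afterwards, and tags a probable copy when one of them has the same file name. The record layout, the 60-second correlation window, the use of the process ID to pin down "the same process", and the sample records are all assumptions of this example; the page only states the rule.

```python
"""Reconstruction of the "probable copy" heuristic described on this page.

Added example, not code from PA File Sight.  The record layout, the field
names, the 60-second correlation window and the use of the process ID to
identify "the same process" are assumptions of this example; the page only
states the rule: a process reads a file from the network and later writes a
file with the same name to local disk.  File contents are never compared.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class IORecord:
    ts: float       # seconds on the client clock (constructed)
    pid: int        # client process id
    process: str    # image name, e.g. "explorer.exe"
    op: str         # "read" or "write"
    path: str       # Windows path; a UNC path (\\server\share\...) counts as network


def is_network_path(path: str) -> bool:
    """Treat UNC paths as network I/O.  Mapped drive letters would need the
    client's drive table, which this example does not model (assumption)."""
    return path.startswith("\\\\")


def same_name(a: str, b: str) -> bool:
    """Windows file names are case-insensitive, so compare lowercased basenames."""
    return ntpath.basename(a).lower() == ntpath.basename(b).lower()


def annotate_network_reads(records, window=60.0):
    """For every read of a network file, build the extra fields the Endpoint
    adds to the server-side I/O record: the client process, the local files
    that same process wrote within `window` seconds, and the probable-copy flag.
    """
    recs = sorted(records, key=lambda r: r.ts)
    annotations = []
    for i, r in enumerate(recs):
        if r.op != "read" or not is_network_path(r.path):
            continue
        # Local writes by the same process (pid + image name) after the read.
        written = [
            w.path for w in recs[i + 1:]
            if w.op == "write"
            and w.pid == r.pid and w.process.lower() == r.process.lower()
            and not is_network_path(w.path)
            and w.ts - r.ts <= window
        ]
        annotations.append({
            "source": r.path,
            "process": r.process,
            "files_written": written,
            # Same name written locally by the same process: looks like a copy.
            # Contents are not compared, so a different file saved under the
            # same name by that process would be tagged the same way.
            "probable_copy": any(same_name(p, r.path) for p in written),
        })
    return annotations


# Constructed sample records (not real PA File Sight output).
SAMPLE_RECORDS = [
    # Explorer copies a spreadsheet from the file server to a thumb drive.
    IORecord(10.0, 4120, "explorer.exe", "read", r"\\fs01\finance\Finance.xls"),
    IORecord(10.4, 4120, "explorer.exe", "write", r"E:\Finance.xls"),
    # Word opens a document; it writes only a temp file, never the same name.
    IORecord(20.0, 5230, "WINWORD.EXE", "read", r"\\fs01\finance\Budget.docx"),
    IORecord(20.2, 5230, "WINWORD.EXE", "write", r"C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp"),
    # Notepad saves the same name locally, but far outside the window.
    IORecord(30.0, 6010, "notepad.exe", "read", r"\\fs01\finance\Notes.txt"),
    IORecord(200.0, 6010, "notepad.exe", "write", r"C:\Users\bob\Notes.txt"),
]


if __name__ == "__main__":
    for a in annotate_network_reads(SAMPLE_RECORDS):
        flag = "PROBABLE COPY" if a["probable_copy"] else "no copy"
        print(f"{a['process']:<13} {a['source']:<32} {flag:<13} wrote {a['files_written']}")
```

Running the block prints one line per network read: the Explorer record is flagged as a probable copy because the same name landed on the E: drive, the Word record is not (only a temp file was written), and the Notepad record is not because its same-name save fell outside the window. The window and the pid match are where a real implementation would make its own choices; the page does not say how long the Endpoint waits or how it identifies a process instance.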
No changes to the File Sight monitor are required. If files are accessed from a computer running the File Sight Endpoint, the extra data will automatically be recorded and added to any alerts that are sent.
The only configuration needed for the File Sight Endpoint is to give a host name/IP address and port for the central service/Satellite that will be used for communication. This is done via the command line.
Only one connection to a central service/Satellite is needed. If the client computer uses files from multiple file servers that are all watched by PA File Sight and all belong to the same Ultra installation,
those servers communicate amongst themselves to find the File Sight Endpoint when needed.
The File Sight Endpoint executable (pafsendp.exe) just needs to be copied to a client computer and run with command line options that direct it to the server it should connect to. The copy and execution steps can be done
using any techniques or infrastructure that you already use, so the steps are simply:
Copy pafsendp.exe to the client computer
Run pafsendp.exe with configuration command-line options given below
Start the pafsendp service on the client computer
The endpoint supports a few command line options. The option names are not case sensitive.
Don't show a pop-up when installing or uninstalling the service.
Give the hostname or IP address, and port, of the PA File Sight Central Service, or of a Satellite, that should be connected to. Because Satellites might be unavailable at times, or just for added robustness, additional hostnames can be given; the Endpoint will connect to them if the current target host is not available.
Set the endpoint service so it cannot be stopped. Unlocking happens via the Console in the Endpoint Operations view.
A few notes:
The File Sight Endpoint uses the same file system driver as PA File Sight to watch file I/O. That means the agent must run under an account that has rights to start a driver; a local administrator account or Local System will work.
All of the command line operations change registry values that normal user accounts typically cannot write, so those operations must be run from an elevated (administrator) command prompt.
If you are monitoring servers at multiple sites (separate local networks), be sure the Endpoint is connected to and communicating with a Satellite or the Central Service that is on the same local network as the Endpoint.
Example Install Script
An example installation script is given below to show how to get the File Sight Endpoint installed on an end-user's computer. This example uses Microsoft's PsExec program. It also uses Sleep.exe, which is in the same folder as pafsendp.exe.
In the example below, our target client computer is 192.168.7.6. We'll be using an administrator account with password s3cr3t. The central service is at 192.168.7.22, running on port 8000, with a Satellite at 192.168.10.4 that we'll use as a secondary connection. Because the administrator password appears in clear text on the PsExec command line, protect the script file itself and prefer a dedicated deployment account whose password is changed after rollout.
REM Install the File Sight Endpoint service. PsExec will copy
REM pafsendp.exe to the client computer's Windows folder.
REM Run this from the C:\Program Files (x86)\PA File Sight\Install folder
REM so pafsendp.exe can be found by PsExec