Javascript must be enabled to download our products and perform other essential functions.

ionicons-v5-m
ionicons-v5-j
Buy Now Download Free Trial
ionicons-v5-m
ionicons-v5-f

File Sight - Interpreting Application Behavior

Many applications that work with documents (word processors, spreadsheet programs, graphic programs, etc) open your document and then work with it in a temporary file. For example, imagine you have the following file:

C:\Docs\My Story.doc

When you open the file, your word processor will often create the following file to track your edits:

C:\Docs\~My Story.tmp

When you are finished editing the document, the temporary file has all of your changes. In order to minimize data loss and be as safe as possible, many programs will do the following:

WRITE to C:\Docs\~My Story.tmp (to save all of your edits)
DELETE C:\Docs\My Story.doc
RENAME C:\Docs\~My Story.tmp to C:\Docs\My Story.doc

PA File Sight sees all of this activity and reports it. You might be concerned to receive alerts about files being deleted since people should only be editing, not deleting important documents. However, as shown above, the file really was deleted.

In order tell you what is really happening, PA File Sight will try to interpret the stream of activity above. It will match the DELETE and RENAME and turn it into a write event for alerting and reporting purposes.

So, if PA File Sight sees:

WRITE to C:\Docs\~My Story.tmp
DELETE C:\Docs\My Story.doc
RENAME C:\Docs\~My Story.tmp to C:\Docs\My Story.doc

it will turn it into

WRITE C:\Docs\My Story.doc

This will help you understand what is really happening as far as the end users are concerned.

Caveats:

  • Doing the above processing requires extra memory--more events have to be held in memory now so they can be compared. (For example, all DELETEs have to be held in case a RENAME comes along a short while later).
  • Some additional CPU processing power is also required to search through and match up related events.
  • Alerting is delayed a few seconds (a DELETE alert should not be sent if it will ultimately get turned into a WRITE).
  • Several saves within a few (5 - 10) seconds will not always be interpretted correctly, so some of the underlying RENAME and DELETE operations may show through.

PA File Sight

Help Map