Part of the protection aspect of PA File Sight is the Blocked Users List. Any account added to the Blocked Users List will not be able to read, write or delete files on any drive that is monitored by the PA File Sight installation (including drives monitored by Satellite Monitoring Services).
This action can only be added to a File Sight monitor. It is not supported with any other monitor type.
This action can automatically add accounts to the Blocked Users List when a monitor triggers on some particular action. This might be useful in the following scenarios:
User Deletes X files in Y time*
If a user is deleting many files, it might be malware, or a user trying to cause damage. The user could automatically be blocked from all monitored servers when this is triggered.
User Reads X files in Y time*
This might happen if a user is copying files, or a malware outbreak is reading files in order to encrypt them.
Honeypot file is touched
You could set up a special directory that users shouldn't access. It would act as a honeypot, and any account that accesses files in that folder could be automatically blocked.
*These options are available in the Ultra edition of PA File Sight.
This action is very powerful, and caution should be taken when using it so valid accounts are not blocked.
The action is very easy to configure: you just specify how long an account should be blocked when the monitor it is attached to fires this action.
Any time a File Sight monitor has one of these actions attached, it will show a red warning banner reminding you that any account that the monitor triggers on will have file access blocked.
Because blocking access to the wrong accounts could cause trouble, there is always a TESTING version of the Add to Blocked Users List action. This action does the exact same thing as the normal action, except it adds "TEST" to the name of all accounts on the blocked list. Because of this, they are not actually blocked.
It is recommended to use this TESTING action while you are getting your monitor configured, and let it run that way for a little while. When you are convinced that no false positives are occurring, remove the TESTING action from the monitor and attach the real action.
It is expected that having an account on the Blocked Users List should be a rare event. Therefore, when a user is added to the list:
A System Alert is fired so administrators know who was added
A red banner will be shown in the Console and at the top of group-level reports
Adding this action to a File Sight monitor without also adding an Email Action will cause a warning.
The bottom half of the action is a convenient place to see the current Blocked List and the White List of unblockable accounts. It's also where you can add and remove users from the lists.
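An offline dry run in the spirit of the TESTING action, as an added example (not PA File Sight code or output): it replays constructed file-access events through the "X files in Y time" and honeypot rules and reports which accounts would be blocked, skipping a white list. The event tuple format, account names, paths and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def would_block(events, max_ops, window, honeypot, white_list, op="delete"):
    """Return {account: reason} for accounts the rules would add to a block list."""
    recent = defaultdict(deque)  # account -> timestamps of matching ops still inside the window
    blocked = {}
    for ts, account, operation, path in sorted(events):
        if account in white_list or account in blocked:
            continue  # unblockable, or already on the list
        if path.lower().startswith(honeypot.lower()):
            blocked[account] = "honeypot"  # any access to the honeypot folder triggers
            continue
        if operation != op:
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than Y
            q.popleft()
        if len(q) >= max_ops:  # X operations within Y
            blocked[account] = f"{len(q)} {op}s in {window}"
    return blocked

# Constructed sample events (timestamp, account, operation, path); hypothetical format.
T0 = datetime(2024, 1, 1, 9, 0, 0)
EVENTS = (
    # alice: 6 deletes in 6 seconds (burst)
    [(T0 + timedelta(seconds=i), r"CORP\alice", "delete", rf"D:\share\doc{i}.txt") for i in range(6)]
    # bob: 6 deletes spread over an hour (normal cleanup)
    + [(T0 + timedelta(minutes=10 * i), r"CORP\bob", "delete", rf"D:\share\old{i}.txt") for i in range(6)]
    # backup service: 20 deletes in 20 seconds (legitimate, but looks like a burst)
    + [(T0 + timedelta(seconds=i), r"CORP\svc-backup", "delete", rf"D:\tmp\b{i}.bak") for i in range(20)]
    # carol: one read inside the honeypot folder
    + [(T0 + timedelta(minutes=1), r"CORP\carol", "read", r"D:\share\_honeypot\passwords.xlsx")]
)
HONEYPOT = r"D:\share\_honeypot"
WHITE_LIST = {r"CORP\svc-backup"}

if __name__ == "__main__":
    hits = would_block(EVENTS, 5, timedelta(seconds=60), HONEYPOT, WHITE_LIST)
    for account, reason in hits.items():
        print(f"would block {account}: {reason}")
```

Running it with an empty white list shows the service account being caught by the delete threshold, which is the kind of false positive to find before attaching the real action.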