Information Leaks - File Copy Detection, External Drive Blocking

PA File Sight can see what files clients are interacting with on the server, and can alert when a client is reading an unusually large number of files.

If the File Sight Endpoint is installed on the client, external (USB) drives can be blocked, and file copying can be detected more accurately.

These features are only available in the Ultra Edition. Compare Ultra vs Lite to see the differences.

Copy Detection Techniques

Simple Detection - Activity Level

PA File Sight Ultra has a Watch User Activities tab. Here you can alert when a user Reads more than X amount of files in Y minutes. So considering that a typical office worker would only open perhaps 3-4 word documents in a 5 minute period, if you knew a worker had read 20 files from the server in those 5 minutes it is probably a situation where files are being copied.

This detection technique can provide alerts such as the following example:

Note that the above is careful to indicate it is alerting on files being read from the server. The server has no way of knowing where the files go on the client computer. They might get loaded into Word, or attached to an email, or copied to a USB thumb drive.

Better Detection - File Sight Endpoint

To better help determine where/how server files are being used on a client computer, the File Sight Endpoint can be installed on end user computers. This is a silent service that runs in the background. When files are retrieved from a file server, the File Sight Endpoint can provide additional information such as what process loaded the file (Word.exe, Explorer.exe, WinZip.exe, etc) and where that process is saving files.

In this example, the plain text is what the alert looks like without the Endpoint, and the bold text shows the additional information available when the Endpoint is running:

With this complete picture, it is now clear that in this example user Bob has copied a file from the file server to a local F: drive.

* Note that the client and server computers both need to be Windows 7 / 2008 R2 or newer for the Endpoint to detect file copying. Older versions of Windows did not communicate the client IP address.

Probable Copy: true:

In the example above, File Sight on the server sees that Expenses.xls was read, and asks the Endpoint for more information. The Endpoint sees a file named Expenses.xls was read from the server, and a file of the same name was saved to the F:\stealing folder using Windows Explorer (the same process that read the file from the server).

This appears to be a file copy operation, however the contents of the two files are not compared, so it's not 100% guaranteed to be a file copy, and that is why it is labled a "Probable Copy".

If the the process was WinZip.exe and the output file was F:\stealing\, this operation would not be tagged as a Probable Copy, but the WinZip.exe process and outgoing filename of F:\stealing\ would still be saved to the database for reports later.

Probable Copy: true[2]:

Seeing true[2] is fairly rare. This scenario is similar to the true scenario above, except in this circumstance the Endpoint did not see the file being read from the server, but it did see the file being saved. An example of this happening would be if a user copied the file in an RDP session, and then pasted it locally. In that case the file was transfered "out-of-band", meaning not through the Windows SMB protocol.

Block USB/External Drives

Besides helping with copy detection, the File Sight Endpoint can also block USB/external drives on client computers, to prevent files being copied to those drives.

A global white list exists for drives/discs that are allowed for special cases. Read more about drive blocking.

Block Users

PA File Sight can block a client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the user from accessing any more files on the server, while still allowing other users to continue their work with the server.

The Blocked Users List is actively shared among servers protected within the same PA File Sight installation, so other servers can be protected from this client account before he tried to copy files from them.

Learn more about PA File Sight

Start Your Free Trial
No signup needed
30-day full trial - no credit card needed
I wanted to say thank you for the brilliant product, PA Server Monitor! It has given me a much greater sense of security and confidence in my network administration duties, and is an absolute must for every admins toolkit.
Joe J., TechProse , USA more customer quotes...
see customer list...