We sometimes get requests from customers asking for help understanding a File Sight report. It often involves a user account that is shown as having read hundreds of files very quickly. This post is meant to explain what might have happened.
From the server (where PA File Sight runs), it’s hard to know for sure. File Sight sees the requested filename, the user account requesting the file, and the IP address they are requesting the file from. What it doesn’t know is what process on the end-user’s computer is requesting the file.
Knowing if a file is being read from Word.exe or Explorer.exe can make a difference. NOTE: If the end-user has the File Sight Endpoint installed, that information is available. This blog post is for cases where the Endpoint is not being used.
So, what can read a lot of files quickly?
User Copying Files
This is the case that businesses worry about. Someone walking out the door with a USB drive full of customer information. (Did I mention that the Endpoint can block USB drives?). This is definitely a possibility. With the file copy detection and alerts, someone could go visit the user and see what is happening.
Anti-Virus Scanner
Most of the time client anti-virus scanners are set to only scan local drives. However, if an anti-virus product was set to scan a network drive, PA File Sight would see that and report all of the files that were read by the scanner.
Backup Application
Typically, client backup applications are configured to back up the local computer, and the server backup backs up the server. If a client backup is set to back up network drives, PA File Sight will see that and report those files as read (because they really were read).
Search/Indexing Programs
Google used to have a tool called Google Desktop. It’s largely been replaced on most computers by Windows Search. I’m sure there are others. These products search through your files and index them so you can do a search like “find all chili recipes”, and it knows exactly which documents contain the words “chili” and “recipe”. If these applications scan shared files on a server, PA File Sight will see it and report it as a read.
Malware
Although malware/ransomware does quickly read many files, it most often also writes them back out (as encrypted versions) and then deletes the originals. Usually you’ll know if it’s malware because the files are changed, there are new file extensions, and/or ransom notes appear.
Other Programs
Just recently (at the time of this writing), it was revealed that Google Chrome had a bug where it ended up scanning a lot of local files. I don’t know if it could end up scanning server files, but if it did, PA File Sight could see it.
In short, it’s hard to know from the server why a user account is reading files. That’s why the Endpoint was created. Could it be a bug? Maybe. Software is never perfect. But we’ve not yet found a case where PA File Sight reported activity that was incorrect.
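To make the distinctions above concrete, here is a small triage script I added for this post. It is not Power Admin code and it does not read PA File Sight's actual export; the log line format, the operation names (Read/Write/Delete), the burst thresholds and the sample lines are all constructed assumptions you would map onto your own report. It finds user accounts that read many distinct files in a short window, then uses only what the server can see (operations and paths) to separate a read-only burst, which fits every benign cause listed above as well as a user copying files, from the read, write-back under a new extension, delete pattern described under Malware.

```python
"""Triage a burst of file reads from a server-side audit log.

Added example for this post, not Power Admin's code. The log format, the
operation names (Read/Write/Delete) and the sample lines are constructed
assumptions; map them to your own PA File Sight report export.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format, not a real export):
# <ISO timestamp> <user> <client IP> <operation> <path>
SAMPLE_LOG = """\
2024-05-01T09:00:00 CORP\\alice 10.0.0.21 Read \\\\fs1\\share\\clients\\a.docx
2024-05-01T09:00:01 CORP\\alice 10.0.0.21 Read \\\\fs1\\share\\clients\\b.docx
2024-05-01T09:00:02 CORP\\alice 10.0.0.21 Read \\\\fs1\\share\\clients\\c.xlsx
2024-05-01T09:00:03 CORP\\alice 10.0.0.21 Read \\\\fs1\\share\\clients\\d.pdf
2024-05-01T09:00:04 CORP\\alice 10.0.0.21 Read \\\\fs1\\share\\clients\\e.pdf
2024-05-01T13:10:00 CORP\\bob 10.0.0.42 Read \\\\fs1\\share\\finance\\q1.xlsx
2024-05-01T13:10:00 CORP\\bob 10.0.0.42 Write \\\\fs1\\share\\finance\\q1.xlsx.locked
2024-05-01T13:10:01 CORP\\bob 10.0.0.42 Delete \\\\fs1\\share\\finance\\q1.xlsx
2024-05-01T13:10:01 CORP\\bob 10.0.0.42 Read \\\\fs1\\share\\finance\\q2.xlsx
2024-05-01T13:10:01 CORP\\bob 10.0.0.42 Write \\\\fs1\\share\\finance\\q2.xlsx.locked
2024-05-01T13:10:02 CORP\\bob 10.0.0.42 Delete \\\\fs1\\share\\finance\\q2.xlsx
2024-05-01T13:10:02 CORP\\bob 10.0.0.42 Read \\\\fs1\\share\\finance\\q3.xlsx
2024-05-01T13:10:02 CORP\\bob 10.0.0.42 Write \\\\fs1\\share\\finance\\q3.xlsx.locked
2024-05-01T13:10:03 CORP\\bob 10.0.0.42 Delete \\\\fs1\\share\\finance\\q3.xlsx
2024-05-01T13:10:03 CORP\\bob 10.0.0.42 Write \\\\fs1\\share\\finance\\README_RESTORE.txt
2024-05-01T15:00:00 CORP\\carol 10.0.0.77 Read \\\\fs1\\share\\hr\\policy.docx
"""


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps paths containing spaces intact.
        ts, user, ip, op, path = line.split(maxsplit=4)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip, "op": op, "path": path})
    return records


def find_read_bursts(records, window=timedelta(seconds=10), threshold=3):
    """Map user -> peak number of distinct files read inside any `window`.

    Only users reaching `threshold` distinct reads in one window are returned.
    The defaults are arbitrary; tune them to the share's normal activity.
    """
    reads_by_user = defaultdict(list)
    for r in records:
        if r["op"] == "Read":
            reads_by_user[r["user"]].append(r)
    bursts = {}
    for user, reads in reads_by_user.items():
        reads.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reads)):
            # Slide the window start forward until it is within `window` of `end`.
            while reads[end]["ts"] - reads[start]["ts"] > window:
                start += 1
            distinct = {r["path"] for r in reads[start:end + 1]}
            if len(distinct) >= threshold:
                bursts[user] = max(bursts.get(user, 0), len(distinct))
    return bursts


def classify_burst(records, user):
    """Classify a user's burst using only what the server sees: ops and paths."""
    ops = [r for r in records if r["user"] == user]
    reads = {r["path"] for r in ops if r["op"] == "Read"}
    writes = {r["path"] for r in ops if r["op"] == "Write"}
    deletes = {r["path"] for r in ops if r["op"] == "Delete"}
    # Files that were read, had a copy with an extra extension written beside
    # them, and were then deleted: the write-back-then-delete pattern.
    rewritten = {p for p in reads & deletes
                 if any(w.startswith(p + ".") for w in writes)}
    new_exts = sorted({os.path.splitext(w)[1] for w in writes if w not in reads})
    if rewritten:
        verdict = ("read-write-delete with new extensions: ransomware-like; "
                   "look for ransom notes and changed files")
    elif not writes and not deletes:
        verdict = ("read-only burst: user copy, anti-virus, backup or indexer; "
                   "needs Endpoint data or a visit to the user to tell which")
    else:
        verdict = "mixed activity: review manually"
    return {"files_read": len(reads), "files_written": len(writes),
            "files_deleted": len(deletes), "rewritten_then_deleted": len(rewritten),
            "new_extensions": new_exts, "client_ips": sorted({r["ip"] for r in ops}),
            "verdict": verdict}


def triage(text):
    """Parse a log and classify every user whose reads form a burst."""
    records = parse_log(text)
    return {user: classify_burst(records, user)
            for user in find_read_bursts(records)}


if __name__ == "__main__":
    for user, summary in triage(SAMPLE_LOG).items():
        print(user, summary)
```

On the sample data, alice's five reads with no writes or deletes come out as a read-only burst, which is exactly the case the server cannot resolve on its own; bob's read/write/delete sequence with a `.locked` extension and a new text file comes out as ransomware-like; carol's single read never reaches the burst threshold. The client IP list is carried along because a burst coming from one workstation is the first thing you want before visiting the user.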