
File Sight Endpoint

The File Sight Endpoint can perform Trusted Application checking, as well as help audit files that are accessed on a server from a client computer. The Endpoint is meant to run on user workstations. It does not do the full monitoring of the File Sight monitor which is used on servers.

Trusted Applications

Trusted Application rules can be used by the Endpoint to protect the end user computer from many kinds of malware.

In addition, the rules can control file access, such as denying writes to a local cloud folder (DropBox, OneDrive, etc).

Once the Endpoints are installed (more information on that below) the Endpoint Operations page can be used to enable Trusted Application Rule checking to provide protection. It can also be used to temporarily disable protection for software upgrades, etc.

File Access Auditing

By itself, the File Sight monitor sees activity on a file server, which includes which users are accessing files, what actions (reading, writing, deleting, etc) they are doing, their IP address, etc. However, once a file arrives on the client's computer, the server-based File Sight monitor can't see what is happening. Is the file being copied to a thumb drive? Opened in Word? Sent via Email? The File Sight Endpoint helps answer those questions.

The File Sight Endpoint is a small agent that gets installed on end-user Windows computers. It uses very few resources and shouldn't be noticed. It has no user interface.

By detecting a file being read from the server by Explorer.exe and then that same filename being written to the local computer, you can be fairly certain that a file copy is taking place. On the other hand, if you find the file was read into a process named Word.exe, and no local saves took place, this would appear to be a user just editing a document.

The File Sight Endpoint will add additional information to file I/O records that are saved by the File Sight Monitor. These extra fields will be in alerts and available in reports.

The client and server both need to be Windows 7 / Windows 2008 R2 or newer for the server to know which Endpoint to communicate with. If either is older, an older version of the SMB protocol is used which did not provide the client IP address.

The File Sight Endpoint should not be installed on a server where the PA File Sight Central Monitoring Service, or a Satellite Monitoring Service are installed.

Normal Client
  • File Name
  • Time
  • File Operation
  • User Account
  • User IP Address*
  • User Computer*
  • Server Process

Client with the File Sight Endpoint*
  • File Name
  • Time
  • File Operation
  • User Account
  • User IP Address*
  • User Computer*
  • Server Process
  • Client Process (Explorer.exe, Word.exe, etc)
  • Logged In User (usually same as User Account above)
  • List of files written by the Client Process
  • Probable Copy (meaning the file is probably being copied)

* Requires that the server and client are both Windows 7 / 2008 R2 or newer

The File Sight Endpoint performs the following functions:

  • Connects to the PA File Sight central service, or to a Satellite service
  • Watches files that are accessed from the network, and notes the process that accesses them
  • Notes which other files are written by that process
  • If a file is read from the network, and then written to disk, it is tagged as a probable copy

We use the term "probable copy" because the actual file contents are not compared between all files read and all files written. This would have a large performance impact on the client computer. Instead, the File Sight Endpoint notes that a file (Finance.xls for example) is read from the network, and then a file also named Finance.xls is saved to disk by the same process (Explorer.exe for example). This looks very much like a copy.
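As an added illustration of the name-based heuristic described above and in the File Access Auditing section (this is example code, not PA File Sight code), the following Python models the correlation of a network read with later local writes by the same process; the event record format, process names and paths are constructed for the example:

```python
# Added example, not PA File Sight code: a simplified model of the Endpoint's
# name-based "probable copy" heuristic. Event records and paths are constructed.
from dataclasses import dataclass, field
import ntpath

@dataclass
class FileEvent:
    time: int      # seconds since start of trace (constructed)
    process: str   # client process that did the I/O, e.g. Explorer.exe
    op: str        # "read" or "write"
    path: str      # UNC path for network files, drive path for local files

@dataclass
class Verdict:
    process: str
    source: str                                  # network file that was read
    written: list = field(default_factory=list)  # local files written afterwards
    probable_copy: bool = False

def is_network(path: str) -> bool:
    return path.startswith("\\\\")

def correlate(events, window: int = 300) -> list:
    """Collect local writes by the same process within `window` seconds of a
    network read; a write with the same file name marks a probable copy."""
    events = sorted(events, key=lambda e: e.time)
    verdicts = []
    for i, e in enumerate(events):
        if e.op != "read" or not is_network(e.path):
            continue
        v = Verdict(e.process, e.path)
        name = ntpath.basename(e.path).lower()
        for w in events[i + 1:]:
            if w.time - e.time > window:
                break
            if w.process != e.process or w.op != "write" or is_network(w.path):
                continue
            v.written.append(w.path)
            if ntpath.basename(w.path).lower() == name:
                v.probable_copy = True
        verdicts.append(v)
    return verdicts

# Constructed trace: Explorer copies a spreadsheet to a thumb drive, while Word
# opens a document and writes only an autosave temp file (editing, not a copy).
SAMPLE = [
    FileEvent(0, "Explorer.exe", "read", r"\\fileserver\finance\Finance.xls"),
    FileEvent(2, "Explorer.exe", "write", r"E:\Finance.xls"),
    FileEvent(10, "Word.exe", "read", r"\\fileserver\hr\Policy.docx"),
    FileEvent(12, "Word.exe", "write", r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),
]
```

Only file names are compared, so a renamed copy is not flagged, which is exactly why the Endpoint's field is called "Probable Copy" rather than "Copy".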

Configuration

No changes to the File Sight monitor are required. If files are accessed from a computer running the File Sight Endpoint, the extra data will automatically be recorded and added to any alerts that are sent.

The only configuration needed for the File Sight Endpoint is to give a host name/IP address and port for the central service/Satellite that will be used for communication. This is done via the command line.

Only one connection to a central service/Satellite is needed. If the client computer will use files from multiple file servers that are all being watched by PA File Sight, and they are all part of the same Ultra installation, they will communicate amongst themselves to find the File Sight Endpoint if needed.

Installing the File Sight Endpoint

The actual File Sight Endpoint is found at:

C:\Program Files\PA File Sight\Install\pafsendp.exe

The File Sight Endpoint executable program (pafsendp.exe) just needs to be copied to a client computer and run with some command line options to direct it to the server it should connect to. It does not require any additional files. The copy and execution steps can be done using any techniques or infrastructure that you already use, such as executing a script, using a software distribution program, or Microsoft's Group Policy. So the steps are simply:

  1. Copy pafsendp.exe to the client computer
  2. Run pafsendp.exe with configuration command-line options given below
  3. Start the pafsendp service on the client computer

The endpoint supports a few command line options. The command line options are not case sensitive.

-S
    Don't show a pop-up when installing or uninstalling the service

-I
    Install the endpoint as a service named pafsendp

-U
    Uninstall the endpoint as a service

-HOST=host:port
-HOST2=host:port
-HOST3=host:port
-HOST4=host:port
    Give the hostname or IP address, and port, of the PA File Sight Central Service, or a Satellite that should be connected to. Because Satellites might be unavailable at times, or just for added robustness, additional hostnames can be given which the Endpoint will connect to if the current target host is not available. Example: -HOST=myserver:8000

-LOCK
    Set the endpoint service so it cannot be stopped. Unlocking happens via the Console in the Endpoint Operations view.

Installation Examples

Three examples of how to install the File Sight Endpoint follow below: an install script using PsExec, a PowerShell script for installing to many computers, and a Group Policy startup script.


File Sight Endpoint Status

You can check to see which computers have the File Sight Endpoint installed and running by looking in the Console at Advanced Services > File Sight Endpoints.

If you have some File Sight Endpoints that are not up to the latest version, you can right click the File Sight Endpoint node and choose to have an update command sent to them.


Typical Install Command

Most often you would run pafsendp on the target computer with a command such as:

pafsendp.exe -s -i -host={central server IP}:{central port}

Example:

pafsendp.exe -s -i -host=10.0.5.32:8000

This could be run using any software distribution mechanism you already have in place. If you don't have something in place see the Example Install Script or Example Group Policy below.

A few notes:

  • The File Sight Endpoint uses the same file system driver as PA File Sight to watch file I/O. That means the agent needs to run as an account that has rights to start a driver. A local administrator account or Local System will work.
  • All of the command line operations change registry values that normal user accounts typically don't have access to, so those operations will need to be run with an administrator account.

IMPORTANT

If you are monitoring servers at multiple sites (separate local networks), be sure the Endpoint is connected to and communicating with a Satellite or the Central Service that is on the same local network as the Endpoint.

Example Install Script

If you don't already have a way to deploy software to workstations, this example installation script could be used to get the File Sight Endpoint installed on an end-user's computer. This example uses Microsoft's PsExec program. It also uses Sleep.exe which is in the same folder as pafsendp.exe.

REM Install the File Sight Endpoint service. PsExec will copy
REM pafsendp.exe to the client computer's Windows folder.
REM Run this from the C:\Program Files\PA File Sight\Install folder
REM so pafsendp.exe can be found by PsExec

psexec \\{target server} -u {username} -p {password} -c -d -h -v pafsendp.exe "-s -i -host={central service/Satellite IP address:port} -host2={failover service/second Satellite IP address:port} -lock"

REM wait just a bit for installation to finish

Sleep.exe 15000

REM start the remote service

psexec \\{target server} -u {username} -p {password} -s net start pafsendp

In the example below, our target client computer is 192.168.7.6. We'll be using an administrator account, with password s3cr3t. The central service is at 192.168.7.22, running on port 8000, with a Satellite at 192.168.10.4 that we'll use as a secondary connection.

CD "C:\Program Files\PA File Sight\Install"

c:\tools\psexec \\192.168.7.6 -u administrator -p s3cr3t -c -d -h -v pafsendp.exe "-s -i -host=192.168.7.22:8000 -host2=192.168.10.4:8000 -lock"

sleep.exe 15000

c:\tools\psexec \\192.168.7.6 -u administrator -p s3cr3t -s net start pafsendp

Powershell Install to Many Computers

This example PowerShell script reads a list of hostnames from a file named hostList.txt. It copies pafsendp.exe to \\host\C$\Windows on each workstation, then uses PsExec to configure the Endpoint to point to your Central Server (and a failover server in this example), pauses for a moment, and then starts the Endpoint service.

The script assumes that the hostList.txt, the script file, and pafsendp.exe are all in the same folder together, and that you run the script as a domain administrator that will have access to copy the Endpoint to the host computer.

$hostnames = Get-Content -Path .\HostList.txt

$centralHost = 'D3'
$centralPort = 8000
$failOverHost = 'D3-Failover'
$failOverPort = 8000

foreach ($hostvar in $hostnames)
{
  # get the path that we'll copy the file to
  $remotePath = "\\$($hostvar)\c$\Windows\pafsendp.exe"

  # make sure the file isn't already there before we try to copy
  if (![System.IO.File]::Exists($remotePath))
  {
    # copy the file. Note that PsExec can copy the file, but we find it also deletes it when
    # the command finishes
    Copy-Item -Path .\pafsendp.exe -Destination $remotePath
  }

  # command line to give to PsExec. Commands to the Endpoint (pafsendp.exe) start with "-i -s ..."
  # ($args is a PowerShell automatic variable, so a different variable name is used here)
  $psexecArgs = [string]::Format('\\{0} -nobanner -s -h pafsendp.exe "-i -s -host={1}:{2} -host2={3}:{4} -lock"',
                                 $hostvar, $centralHost, $centralPort, $failOverHost, $failOverPort)

  # call PsExec with the given command line. Wait for it to finish because the next step,
  # starting the service, requires this to complete first
  Start-Process -FilePath 'c:\tools\psexec.exe' -ArgumentList $psexecArgs -Wait -NoNewWindow

  Start-Sleep 3

  # start the Endpoint service on the remote computer
  $psexecArgs = [string]::Format('\\{0} -nobanner -s net.exe start pafsendp', $hostvar)
  Start-Process -FilePath 'c:\tools\psexec.exe' -ArgumentList $psexecArgs -Wait -NoNewWindow
}

Write-Output 'DONE'

Example Group Policy

This example will show how to use Group Policy to run a batch file that will install the File Sight Endpoint on many workstations and then start the Endpoint service.

1. Save the pafsendp.exe file to a shared drive that all workstations will have access to. You will need to use that location in the script.

2. Create a script that will copy the pafsendp.exe file to the workstations, and run the installer, and start the service. Here is an example.

@REM Deploys the PA File Sight Endpoints using this script and
@REM Group Policy Object (GPO) to push them to remote clients.

@ECHO OFF

@REM Check to see if the Endpoint has already been installed
SC QUERY | FIND "pafsendp"

@REM If not installed run the following else if installed exit
IF %ERRORLEVEL% EQU 1 (
    @REM ******* Need to change the Shared Location of the executable file *******
    @REM ******* Example \\yourServer\MySharedFolder\pafsendp.exe *******
    COPY "\\server\MySharedFolder\pafsendp.exe" "C:\Windows\"

    @REM ******* Change the Host name and port number for the Endpoints to report to. *******
    START "" "C:\Windows\pafsendp.exe" -s -i -host=192.168.7.4:722 -LOCK

    TIMEOUT 5 > nul
    NET START pafsendp
)

EXIT 0

3. Create a new Group Policy Object in Active Directory:

  • Open Server Manager using the icon on the desktop taskbar or from the Start screen.
  • In the Tools menu, select Group Policy Management.
  • In the Group Policy Management Console (GPMC), expand your Active Directory (AD) forest, domain and click the Group Policy Objects container.
  • Right-click the Group Policy Objects container and select New from the menu.
  • In the New GPO dialog box, give the new Group Policy Object (GPO) a name and press OK.
  • Now right-click the new GPO in the left pane and select Edit from the menu.

4. Add the startup script settings to the GPO:

  • In the left pane of the Group Policy Management Editor window, expand Computer Configuration, Policies, Windows Settings and click Scripts.
  • In the right pane, double-click Startup.
  • On the Scripts tab of the Startup Properties dialog, click the Add button.
  • On the Add a Script menu, click the Browse button.
  • Copy and paste your script file into this menu. Then select the script and click on the Open button.
  • Click OK to continue.
  • Close the Group Policy Management Editor window.

5. Edit the Security Filtering of the new Group Policy Object:

  • Select the new Group Policy Object on the left.
  • On the Scope tab under Security Filtering, you will need to add the accounts you want to use or the workstations where you want this new script to run. This example will use workstations, but you could select the default Authenticated Users group or other accounts from the AD. Use the Add, Remove, and Properties buttons to add the AD objects to this filtering.

Once you have these steps completed, the new Group Policy will be added to the workstations within one to two hours. When the workstation is rebooted, the script will run and install and start up the PA File Sight Endpoint.

Testing: If you need to test how this group policy works, you can force the workstation to update its Group Policy with the following command. On the remote workstation, open an elevated Command Prompt, then type in the command and run it.

gpupdate /force

You will be asked to log off to complete the update of the GPO. Logging off will not run the batch file; you will need to reboot the workstation for that to occur.
