Javascript must be enabled to download our products and perform other essential functions on the website.

ionicons-v5-m
ionicons-v5-j
Buy Now Download Free Trial
ionicons-v5-m
ionicons-v5-f

Bulk File Copy Prevention

PA File Sight can see what files clients are interacting with on the server, and can alert when a client is reading an unusually large number of files.

Besides just alerting, PA File Sight can also use the Add to Blocked User List action which will add the user account to the Blocked User List. Any user on that list will not be able to access any files on the server. That list is shared among all servers that are monitored by PA File Sight.

Bulk File Access Prevention

Don't just alert when a bulk file copy operation is taking place, prevent it! PA File Sight's advanced detection techniques, and unstoppable blocking technology will stop a user from copying files in bulk within a few short moments after they start.

Bulk File Copy Detection Techniques

Simple Detection - Activity Level

PA File Sight Ultra has a Watch User Activities tab. Here you can alert when a user Reads more than X amount of files in Y minutes. So considering that a typical office worker would only open perhaps 3-4 word documents in a 5 minute period, if you knew a worker had read 20 files from the server in those 5 minutes it is probably a situation where files are being copied.

This detection technique can provide alerts such as the following example:

  • User Domain\Bob has read more than 20 files in 5 minutes.
  • Timestamp: Oct 30, 2017 1:48pm
  • IP Address: 192.168.7.22
  • Computer Name: BOB-PC
  • Files Read:
    • \\Server\Share\Finance\Expenses.xls
    • \\Server\Share\Finance\Receivable.xls
    • \\Server\Share\Finance\Payable.xls
    • \\Server\Share\Finance\Customers.xls
    • etc ...

Note that the above is careful to indicate it is alerting on files being read from the server. The server has no way of knowing where the files go on the client computer. They might get loaded into Word, or attached to an email, or copied to a USB thumb drive.

Better Detection - File Sight Endpoint

To better help determine where/how server files are being used on a client computer, the File Sight Endpoint can be installed on end user computers. This is a silent service that runs in the background. When files are retrieved from a file server, the File Sight Endpoint can provide additional information such as what process loaded the file (Word.exe, Explorer.exe, WinZip.exe, etc) and where that process is saving files.

In this example, the plain text is what the alert looks like without the Endpoint, and the bold text shows the additional information available when the Endpoint is running:

  • User: Domain\Bob
  • File: \\Server\Share\Finance\Expenses.xls
  • Timestamp: Oct 30, 2017 1:48pm
  • IP Address: 192.168.7.22*
  • Computer Name: BOB-PC
  • Operation: Read
  • Local Process: Explorer.exe
  • Saved Files: F:\stealing\Expenses.xls
  • Probable Copy: true

With this complete picture, it is now clear that in this example user Bob has copied a file from the file server to a local F: drive.

Block Users Doing Bulk File Copy

PA File Sight can block a client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the user from accessing any more files on the server, while still allowing other users to continue their work with the server.

The Blocked Users List is actively shared among servers protected within the same PA File Sight installation, so other servers can be protected from this client account before he tried to copy files from them.

Limitations

Read more about limitations and nuances to detecting file copying here.

Block Bulk File Copying

Amazing program I have to say, I absolutely love it. I don't have to guess whether my servers are down or not now.

Michael D., USA ionicons-v5-b