How to trace a user who copies any file to or from USB storage?
How to trace a user who copy any file to or from USB st... - 18.Apr.2008 4:40:46 AM
ufgeorge
Posts: 254
Joined: 11.Sep.2003
Status: offline
Hi, I can see there are lots of logs in the ESEC4 SQL DB. But if someone did copy a file to USB, how can I know? The reason I ask is that I can see events, but there are no fields to record whether this is a copy to, copy from, edit or... event. George
RE: How to trace a user who copy any file to or from US... - 2.May2008 3:09:10 PM
LeoSanchez
Posts: 13
Joined: 28.Apr.2008
Status: offline
Hello ufgeorge,

When a user attempts to access a file that is stored on a controlled device, the name of the file is written to the event logs locally. These events are then transmitted back to the GFI EndPointSecurity server for storing in the backend database. These events can be found in the Agent_Logs table of your GFI EndPointSecurity database. The column named Device_Path will contain the information on the file/drive that was accessed.

In order to obtain this information in a report you can run the Detailed device activity list. An example of this report can be viewed here - http://www.gfi.com/endpointsecurity/reports/technical-detailed-device-activity-listing.pdf
_____________________________
Regards, Leo - Technical Support Team Lead GFI Software - www.gfi.com
RE: How to trace a user who copy any file to or from US... - 2.May2008 5:18:37 PM
colorquimicaSA
Posts: 2
Joined: 2.May2008
Status: offline
I have the same problem: I can see the record but can never get the file name.
RE: How to trace a user who copy any file to or from US... - 2.May2008 8:04:02 PM
ufgeorge
Posts: 254
Joined: 11.Sep.2003
Status: offline
Can you explain how I can explain which file is copied from or saved to a storage device?
RE: How to trace a user who copy any file to or from US... - 6.May2008 10:27:35 AM
LeoSanchez
Posts: 13
Joined: 28.Apr.2008
Status: offline
Hello,

Here is an example of what is written to the GFI EndPointSecurity log when an attempt to move a file to a device is denied:

Access denied:
User Name: \\CYBERTRON\Administrator
Device: XXXXXX Mini TravelDrive USB Device
File Path: E:\testing.mdb

This event will only be written to the Windows event logs if the device that is being accessed is controlled by GFI EndPointSecurity, and a user tries to move a file to a device on which they do not have the write permission. If full access is denied then the file is not audited because it was not moved to or from the device.
_____________________________
Regards, Leo - Technical Support Team Lead GFI Software - www.gfi.com
RE: How to trace a user who copy any file to or from US... - 6.May2008 10:39:57 AM
ufgeorge
Posts: 254
Joined: 11.Sep.2003
Status: offline
Your sample is access denied. Since access is denied, no file can be copied/moved to/from USB storage. What the customer really needs to know is, if they give clients permission to use USB storage, how to audit which files were really copied/moved to/from USB. From the event log, I cannot see whether it is a copy to or from USB. That makes auditing impossible. I think EndPointSecurity should add this feature.
RE: How to trace a user who copy any file to or from US... - 7.May2008 5:23:17 PM
LeoSanchez
Posts: 13
Joined: 28.Apr.2008
Status: offline
ufgeorge,

Let me correct myself. If a user tries to move a file to a device on which they have Read Access only, or Full Access, then the file information is displayed as such:

Access allowed:
User Name: \\CYBERTRON\Administrator
Device: XXXXXXMini TravelDrive USB Device
File Path: E:\test.mdb

The above event was generated when moving a file named test.mdb to a USB storage device that I can read from and write to. The below event will be generated if a user DOES NOT have read/write access to the device:

Access denied:
User Name: \\CYBERTRON\Administrator
Device: XXXXXXMini TravelDrive USB Device
File Path: E:\

In this case the file was not copied to/from the device and therefore no file name is given, only the drive to which the attempt was made.
_____________________________
Regards, Leo - Technical Support Team Lead GFI Software - www.gfi.com
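An added example, not part of the original posts and not GFI code: a parser for the event text quoted above that extracts user, device and file path, and separates events naming a file from those showing only the drive root. The one-field-per-line layout and the third sample event are constructed assumptions; the event text has no copy-to/copy-from field, so no direction is derived.

```python
import re
from collections import defaultdict

# Fields as in the events quoted in the thread; one field per line is assumed.
EVENT_RE = re.compile(
    r"Access (?P<result>allowed|denied):\s*User Name:\s*(?P<user>.+?)\s*"
    r"Device:\s*(?P<device>.+?)\s*File Path:\s*(?P<path>[A-Za-z]:\\[^\r\n]*)",
    re.DOTALL)

# Constructed sample: two events from the thread plus one invented user/file.
SAMPLE = r"""Access allowed:
User Name: \\CYBERTRON\Administrator
Device: XXXXXXMini TravelDrive USB Device
File Path: E:\test.mdb
Access denied:
User Name: \\CYBERTRON\Administrator
Device: XXXXXXMini TravelDrive USB Device
File Path: E:\
Access allowed:
User Name: \\CYBERTRON\jsmith
Device: XXXXXXMini TravelDrive USB Device
File Path: E:\Q1 report.xls
"""

def parse_events(text):
    """Return one dict per event; the text has no direction field to extract."""
    events = []
    for m in EVENT_RE.finditer(text):
        path = m.group("path").strip()
        events.append({
            "allowed": m.group("result") == "allowed",
            "user": m.group("user").strip(),
            "device": m.group("device").strip(),
            "path": path,
            "has_file": len(path) > 3,  # a bare drive root names no file
        })
    return events

def files_touched(events):
    """Map user -> sorted file paths from allowed events that name a file."""
    by_user = defaultdict(set)
    for e in events:
        if e["allowed"] and e["has_file"]:
            by_user[e["user"]].add(e["path"])
    return {user: sorted(paths) for user, paths in by_user.items()}

if __name__ == "__main__":
    for user, paths in files_touched(parse_events(SAMPLE)).items():
        print(user, paths)
```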
RE: How to trace a user who copy any file to or from US... - 7.May2008 8:01:52 PM
ufgeorge
Posts: 254
Joined: 11.Sep.2003
Status: offline
Hi, Leo, I can understand the "Access denied" case. Since no file is copied to/from the USB device, it will not hurt the company. But about the "Access allowed" event: it shows the filename, but does this event mean the file was copied to or from the USB device?? No idea. Such an event cannot provide enough info to the boss! That's what customers need: enough and clear info for the admin, or the report is totally of no use! Please let your developers know what customers really need from the report function. I have sold GFI's products for more than 5 years. I understand EPS history. The system functions are OK but the reports are not. George