簡易偵測 - 活動層級(Activity Level)

PA File Sight Ultra 提供一個監看使用者活動的功能表。當在 Y 分鐘內讀取了超過總量 X 的檔案時就通知管理者。 一般來看，正常的辦公室使用者在5分鐘內從伺服器上應該(或是)只會讀取 3 ~ 4 個文書檔案，所以當您發現一個使用者在5分鐘內竟然從伺服器上讀取了20隻檔案，那這個情形應該合理的就可判斷為正在複製檔案了。

此種檔案複製偵測技術如下範例所示：

• 使用者 Domain\Bob 在5分鐘內讀取了超過20隻檔案。
• 時間戳記：十月 30, 2017 1:48pm
• IP Address：192.168.7.22
• 電腦名稱：BOB-PC
• 檔案讀取(Files Read)：
• \\Server\Share\Finance\Expenses.xls
• \\Server\Share\Finance\Receivable.xls
• \\Server\Share\Finance\Payable.xls
• \\Server\Share\Finance\Customers.xls
• etc ...
   

注意，以上範例，僅是表明了有哪些檔案從伺服器上被讀取，並且進行告警。而且它們可能僅只是被讀取到 Word 中、或是被帶附件到 mail 中、或是被複製到一個USB外接碟中，但是並沒有辦法知道是否有檔案被複製到用戶端電腦中。

Better Detection - File Sight EndpointTo better help determine where/how server files are being used on a client computer, the File Sight Endpoint can be installed on end user computers. This is a silent service that runs in the background. When files are retrieved from a file server, the File Sight Endpoint can provide additional information such as what process loaded the file (Word.exe, Explorer.exe, WinZip.exe, etc) and where that process is saving files.In this example, the plain text is what the alert looks like without the Endpoint, and the bold text shows the additional information available when the Endpoint is running:User: Domain\BobFile: \\Server\Share\Finance\Expenses.xlsTimestamp: Oct 30, 2017 1:48pmIP Address: 192.168.7.22*Computer Name: BOB-PCOperation: ReadLocal Process: Explorer.exeSaved Files: F:\stealing\Expenses.xlsProbable Copy: trueWith this complete picture, it is now clear that in this example user Bob has copied a file from the file server to a local F: drive.Better Detection - File Sight EndpointTo better help determine where/how server files are being used on a client computer, the File Sight Endpoint can be installed on end user computers. This is a silent service that runs in the background. When files are retrieved from a file server, the File Sight Endpoint can provide additional information such as what process loaded the file (Word.exe, Explorer.exe, WinZip.exe, etc) and where that process is saving files.In this example, the plain text is what the alert looks like without the Endpoint, and the bold text shows the additional information available when the Endpoint is running:User: Domain\BobFile: \\Server\Share\Finance\Expenses.xlsTimestamp: Oct 30, 2017 1:48pmIP Address: 192.168.7.22*Computer Name: BOB-PCOperation: ReadLocal Process: Explorer.exeSaved Files: F:\stealing\Expenses.xlsProbable Copy: trueWith this complete picture, it is now clear that in this example user Bob has copied a file from the file server to a local F: drive.* Note that the client and server computers both need to be Windows 7 / 2008 R2 or newer for the Endpoint to detect file copying. Older versions of Windows did not communicate the client IP address.Probable Copy: true:In the example above, File Sight on the server sees that Expenses.xls was read, and asks the Endpoint for more information. The Endpoint sees a file named Expenses.xls was read from the server, and a file of the same name was saved to the F:\stealing folder using Windows Explorer (the same process that read the file from the server). This appears to be a file copy operation, however the contents of the two files are not compared, so it's not 100% guaranteed to be a file copy, and that is why it is labled a "Probable Copy". If the the process was WinZip.exe and the output file was F:\stealing\Documents.zip, this operation would not be tagged as a Probable Copy, but the WinZip.exe process and outgoing filename of F:\stealing\Documents.zip would still be saved to the database for reports later.Probable Copy: true[2]:Seeing true[2] is fairly rare. This scenario is similar to the true scenario above, except in this circumstance the Endpoint did not see the file being read from the server, but it did see the file being saved. An example of this happening would be if a user copied the file in an RDP session, and then pasted it locally. In that case the file was transfered "out-of-band", meaning not through the Windows SMB protocol.Better Detection - File Sight Endpoint

更好的偵測 Better Detection - File Sight Endpoint

為了有更好的幫助偵測在用戶端的電腦上是否/如何被使用及存取，您可以將 File Sight Endpoint 安裝在使用者端的電腦上。此為一個背景執行的服務，當檔案從伺服器上被存取到的時候，此 File Sight Endpoinr 可以提供額外的資訊，例如是用何種程序來讀取檔案 (Word.exe, Explorer.exe, WinZip.exe, etc)，以及程序將檔案儲存到哪裡 ?

在此範例中，此細體字的資訊是沒有 Endpoint 時可以提供的一般存取資訊，而粗體字是有安裝 PA File Sight Endpoint 時可以再額外提供的更多資訊:

• 使用者：Domain\Bob
• 檔案：\\Server\Share\Finance\Expenses.xls
• 時間戳記：Oct 30, 2017 1:48pm
• IP Address: 192.168.7.22*
• 電媼名稱：BOB-PC
• 操作：Read
• 本地端程序：Explorer.exe
• 儲存檔案：F:\stealing\Expenses.xls
• Probable Copy: true
   

如以上的完整資訊來看，使用者 Bob 從檔案伺服器上複製了 Expenses.xls 這隻檔案，到他的本地端電腦上的 F 碟上。

* ★注意：伺服器及用戶端版本，須為 Windows 7 / 2008 R2 或更新的版本方可以提供此額外資訊 (電腦名稱及IP)。

Probable Copy: true:

在以上的範例中，File Sight Ultra 看到了 Expenses.xls 被讀取，就會再去 Endpoint 端要更多的資訊回來。Endpoint 看到了 Expenses.xls 這隻檔案從伺服器上被讀取，然後有一個相同名稱的檔案被使用 Windows Explorer 儲存到用戶端的 F:\stealing 目錄中 (與從伺服器上讀取檔案是相同的程序)。 

此行為似乎是一個檔案複製的操作行為，但是因為沒有去比對此2個檔案的內容是否想同，因此此操作行為我們不能保證100%是為檔案複製。這也就是為何我們將其定義為 "Probable Copy"。 

若是此程序(process)是 WinZip.exe 而且輸出的檔案是 F:\stealing\Documents.zip，那此操作行為就將不會被視為 "Probable Copy"，但是此 WinZip.exe 程序的軌跡以及輸出的檔案 F:\stealing\Documents.zip，將會被完整的紀錄下來，做為日後查詢及產出報表使用。

Probable Copy: true[2]:

true[2] 是相當罕見的，此行為是類似以上的行為，Endpoint 並沒有看見檔案從伺服器上被讀取，但是它卻看見檔案被儲存。此案例發生的情形可能是，使用者是透過 RDP Session 來複製檔案並且直接存近其本地端。在此情形下，此檔案傳輸是為 "out-of-band"，這代表著此檔案並不是透過 Windows SMB prorocol 來進行存取。

除了可以幫助偵測檔案複製之外，File Sight Endpoint 也可以封鎖用戶端上的外接磁碟(USB/external drives)，以預防檔案被複製到這些外接磁碟上，我們也提供白名單機制，可以針對指定的磁碟設備(drives/discs)是可以被允許使用的。

被封鎖的使用者清單是被有安裝PA File Sight Ultra 的伺服器所共享的，因此其他的伺服器也可以一起受到這些封鎖清單的共同保護。