SearchInform Upgrades: FileAuditor on Linux, Alternative Method of Interception, Usability
09.08.2024

We've put together the major new features in SearchInform products for the first half of 2024 and shown how they work.

1. ADVANCED CONTROL OF MESSENGERS 

SearchInform next-gen DLP Risk Monitor continues to expand the list of monitored messengers. Since the beginning of 2024, the system has been intercepting data from Google Chat and current versions of popular business messengers such as Skype for Business. In total, Risk Monitor now covers more than 60 instant messaging services.

Risk Monitor has implemented new features for familiar messengers, and it has become easier to customize them.

The number of messengers intercepted over the HTTPIM protocol has also increased. Moreover, information from chats in web-based WhatsApp, Telegram, and RocketChat will now be intercepted even if they are used through the browser sidebar. This format of using messengers is common, for example, among users of the Opera browser. The option is enabled with one click in the HTTPIM protocol settings. Data from RocketChat can also be intercepted via the ICAP protocol. This helps, for example, to control the use of corporate messengers on mobile devices.

Finally, it has become easier to filter intercepted data in web messengers. From now on, the user can separately enable interception of chats and sent files. This saves resources, for example, if you want to control only file transfer over this channel, but you don't need messages, and vice versa. This option was available before, but now it can be set up centrally in one click. The option works for Slack, Teams/Lync, Skype, Facebook, LinkedIn, Imo.Im, ChatQ, Yammer, Instagram, Redhelper, Jivosite, WebIm, Discord, Bitrix24, Evernote, MMP, XMPP, MyChat, and others. 

2. NEW FEATURES IN REPORTS

The Worktime Log report now includes a new column Productive Activity. It shows the total time the user spent in programs and on websites that have a productivity coefficient of "1". Let us remind you that productivity coefficients can be customized in the AnalyticConsole settings.

In the report Summary of User you can now display the scale Productivity. All you need to do is select the checkbox Productivity in the report parameters. 

In the report Search by processes/sites activity, we have enriched the information about users who use certain resources. Add domain name, position and department to the report to get a clear picture: which managers are watching TikTok videos and which accountants are using Photoshop. 

Summary information included in the report User efficiency is now displayed in a more user-friendly way. The average value of unproductive work by departments is now displayed in ascending order of unproductivity value in percent.

In addition, we have added the parameter Activity for the previous day to the tab Current activity. When activated, the activity bar will be split in half to include data for the selected date and previous day. For example, if you select the current date, on the left side you will see the time intervals of the user's activity yesterday, on the right side – today’s activity. The option is available in the desktop AnalyticConsole.

3. USER INTERFACE ON AGENT 

The main UX upgrade relates to the Risk Monitor user interface on the agent. The security auditor can now customize the name, UI description and notification text in the settings in EndpointController. You can also enable the display of a work activity bar. 

Now clicking the icon on the taskbar opens a large window with a menu. It can be expanded to full screen or hidden using buttons. The section Access Requests shows the list of available directories and devices, as well as the level of access and time period for which access has been granted. Using the button below, you can create an access request by specifying the required period and reason. There is also a new tab Notifications. Here all events are recorded in detail including, for example, date and time when access was granted or denied, date and time when any object was blocked, etc.

4. USABILITY 

To facilitate the work of security auditors, the interface of consoles in SearchInform Risk Monitor has been improved and several functions have been added to automate routine tasks.

For example, in AlertCenter the user can save the settings for displaying the incident table for each criterion separately. To do this, it is necessary to save the table view (by the way, each display option can be named at the user’s discretion), and next time you just need to select the desired view from the drop-down list. Thus, to find job search incidents, the user needs to look at the names of the sites visited. In the search criteria for FileAuditor events, the user should immediately activate the display of labels for easy navigation. It is possible to save the customized view of the table for different criteria even within the same security policy.

Similarly, the user can save filter templates for the list of computers with agents in the EndpointController. All parameters that were applied before are saved. The template can have any name, which can then be selected from the saved filters in the drop-down list. The user can save changes to the available template or create a new one based on the changes made that are required for future work.

If you need to react to suspicious emails automatically, Quarantine has a function to run external scripts. Now it is easier to set it up: on the Advanced tab when viewing the Quarantine policy, tick the checkbox Enable script and specify the script location and its interpreter in the dialogue box.

Finally, the CameraController features have been enhanced. The user can take some precautionary measures against extra dark or over-lit snapshots by adjusting their brightness in advance. To do this, open CameraController settings and go to the Advanced section. Then just move the slider towards the "+" and "-" icons to increase/decrease the brightness of taken snapshots, respectively. The brightness option applies to taken snapshots and recorded videos from the webcam on user stations, as well as LiveCam mode.

5. LINUX CONTROL 

There is also a big functional novelty in CameraController. On Linux workstations, it is now possible to control access to PCs by unauthorized users and data leaks associated with smartphones. The feature of phone detection and face recognition can be configured in the EndpointController. We have already shared the piece on our DLP feature to detect attempts to take a photo of the screen with a smartphone and recognize faces. The functionality and its settings are common for Windows and Linux, so, if your company uses both OSes, you will not have to waste time configuring it twice.

The FileAuditor agent from now on can be implemented on Linux-based workstations. Previously, files on such devices could be monitored using DCAP network scanning. Now the possibilities have been extended. FileAuditor scans storage and analyses documents by content locally, marks them with classification labels, tracks operations with documents and manages access to them.

The feature is configured in the same way as on Windows. In EndpointController, when creating and configuring automatic classification rules, you need to include Linux workstations in the list of storage locations to be checked. You will only need to set exceptions, a white list of files and folders on such PCs that should not be scanned. 

6. NEW FEATURES IN FILEAUDITOR 

Capabilities of SearchInform DCAP system have also evolved.

It is now possible to scan cloud storages via the WebDAV protocol in the network scanning mode of FileAuditor.
To configure it, in EndpointController go to FileAuditorScanning on server section, then click the button Add in the List of servers for scanning area. Then select WebDAV in the Data Source drop-down list, fill in the connection parameters and specify the list of directories to be scanned.

In AnalyticConsole, we have added the function Become exclusive owner available in the context menu on the tab File Auditor. It allows urgently withdrawing the permission to perform any actions with the selected file by anyone except the FileAuditor administrator. The Administrator will get all rights to the file, no one else will have access to it. The option allows the user to quickly restrict access to a file if it is found in the wrong place until the reasons are clarified or it is placed in a safe directory. Rights can then be restored. Make sure that users of the PC where the file is stored cannot get administrator rights and regain access on their own.

The FileAuditor can now mark files with sensitivity labels automatically upon two events, when a document is opened or saved. That's why we have slightly redesigned the Wizard for creating rules of automatic management of manual labels. Here is how it looks now. In EndpointController, in the Wizard of automatic management of labels, you can specify the conditions for setting a label. The option When opening a document allows you to visibly mark a document if it has already fallen under some automatic classification rule, for example, Confidential. If a user opens such a document on the computer, the sensitivity label will immediately appear on the file. If you select When saving a document, you can specify additional conditions for setting a label, for example, when certain keywords are entered, or when the file is accessed by the specified user.
