Code42 Support

Endpoint monitoring

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

Endpoint monitoring uses the Code42 CrashPlan app to capture file activity on each device in real time, helping you identify five types of potential data leaks or security problems:

  • Removable media
  • Personal cloud
  • File upload (Windows devices only)
  • Restore
  • Pattern matching

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.

Considerations

If Compliance Settings have been activated for an organization (version 5.4 and later), you cannot enable endpoint monitoring for the organization or child organizations that inherit settings. Parent and sibling organizations are not affected.

Endpoint monitoring types

Endpoint monitoring identifies five types of security-related activity on each CrashPlan app device.

Removable media
  What activity is identified: Users placing files on removable media, such as USB drives or SD cards.
  Example: A user plugs in a USB drive, copies a file to the drive, and removes the drive.

Personal cloud
  What activity is identified: Users syncing files using these cloud storage apps:
    • Box
    • Dropbox
    • Google Drive*
    • iCloud
    • OneDrive
      OneDrive for Business is not supported.
  Example: A user uploads a file to the Google Drive desktop app.*

File upload (Windows devices only)
  What activity is identified: Users opening files in web browsers, such as attaching to a web-based email.
  Example: A user attaches a file to a Gmail message.

Restore
  What activity is identified: File restores:
    • Users restoring files, including files belonging to other users.
    • Administrators performing a push restore of files to a user.
  Example: A user restores files from the CrashPlan app.

Pattern matching
  What activity is identified: Existence of known malicious files or patterns of sensitive data, based on YARA rules, for text (non-binary) files included in the user's backup file selection.
  Example: A user saves a text file that contains Social Security numbers.

*By default, Google Drive grants read access to only the logged-in user. The CrashPlan service runs as a system process by default, so you must grant read access to SYSTEM for the Google Drive folder on each device in order to monitor activity in that folder. See the Microsoft support site for how to add read access to a folder.

Before you begin

Ensure your Code42 environment meets all the requirements for endpoint monitoring:

Licensing
  You must purchase a Code42 Security Tools license in order to use endpoint monitoring.

Master server
  • Runs version 5.1 or later of the Code42 server software
  • Must be located on-premises (not fully hosted)
  • Meets the minimum system requirements

Storage server
  • Runs version 5.1 or later of the Code42 server software
    • Version 5.2 or later:
      • Storage can be either on-premises or provider storage, including the Code42 cloud
      • On-premises storage servers must have enough free storage available for a small amount of endpoint monitoring data
    • Version 5.1:
      • Storage must be located on-premises
  • Meets the minimum system requirements

CrashPlan app
  • All CrashPlan apps must meet these version requirements before following the steps below to enable endpoint monitoring:
    • 5.x CrashPlan apps: 5.1 or later
    • 4.x CrashPlan apps: 4.5 or later
  • Operating system:
    • Windows
    • OS X
  • Installed for all users
    Per-user installations are not supported.

Backup encryption key policy
  Users' archives must use the Standard archive encryption key policy.
  Archive key password and Custom key are not supported.

Code42 app for Splunk (optional)
  With a subscription (or trial) for Splunk Enterprise, you can view the data collected by endpoint monitoring using version 2.1 or later of the Code42 app for Splunk.

Enable endpoint monitoring

Step 1: Lock archive encryption key settings

Endpoint monitoring requires standard encryption. Before implementing endpoint monitoring in any organization in your Code42 environment, you must lock the encryption setting at its standard level. Locking this setting prevents users or administrators from changing the setting.

Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

Option A: Lock encryption settings for all organizations

  1. Sign in to the administration console.
  2. Go to Settings > Device Backup.
  3. Click Security.
  4. Under Archive Encryption Key:
    1. Deselect Use default archive encryption key setting.
    2. Verify that Standard is selected.
    3. Click Lock to prevent users from changing this setting.
      A confirmation prompt is displayed.
    4. Select inheritance options as desired for your Code42 environment.
    5. Select I understand.
    6. Click Push and Lock.
  5. Click Save.

Option B: Lock encryption settings for a specific organization

  1. Sign in to your administration console.
  2. Go to Organizations.
  3. Select an organization to view its details.
  4. From the action menu, click Device Backup Defaults.
  5. Under General, deselect Use device defaults from parent.
  6. Click Security.
  7. Under Archive Encryption Key:
    1. Deselect Use default archive encryption key setting.
    2. Verify that Standard is selected.
    3. Click Lock to prevent users from changing this setting.
      A confirmation prompt is displayed.
    4. Select inheritance options as desired for child organizations of this organization.
    5. Select I understand.
    6. Click Push and Lock.
  8. Click Save.

Step 2: Enable endpoint monitoring for organizations

Enable endpoint monitoring for each organization in your Code42 environment using the administration console.

Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

Option A: Enable endpoint monitoring for all organizations

To enable endpoint monitoring on all devices in your Code42 environment:

  1. Sign in to your administration console.
  2. Go to Settings > Endpoint Monitoring (labeled Detection in version 5.1.x).
  3. Select one or more detection types to enable them.
  4. Click Save to immediately apply your changes to all devices in your Code42 environment.

Option B: Enable endpoint monitoring for a specific organization

To enable endpoint monitoring on devices in a specific organization:

  1. Sign in to your administration console.
  2. Go to Organizations.
  3. Select an organization.
  4. From the action menu, choose Edit.
  5. Select Endpoint Monitoring (labeled Detection in version 5.1.x).
  6. Deselect Inherit settings from parent, if necessary.
  7. Select one or more detection types to enable them.
  8. Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.

Step 3: Configure pattern matching (optional)

In order to use the pattern matching method of endpoint monitoring, you must manually deploy a file to each device you want to monitor for patterns. This file identifies dangerous, malicious, or sensitive files included in the user's backup file selection with a rule-based framework called YARA.

Perform these steps on each device:

  1. Create a folder named yr on the device in the CrashPlan app's cache directory.
    Default cache directories on each operating system:
    • Windows Vista, 7, 8, 10, Server 2008, and Server 2012: C:\ProgramData\CrashPlan\cache
      To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy for file locations.
    • Windows XP: C:\Documents and Settings\All Users\Application Data\CrashPlan\cache
      To view this hidden folder, open a file browser and paste the path in the address bar.
    • OS X: /Library/Caches/CrashPlan
      If you installed per user, see the file and folder hierarchy.
    • Linux: /usr/local/crashplan/cache
  2. Create a YARA rule file using the instructions from the YARA project.
    See below for an example YARA rule file.
  3. Save the YARA rule with the name rules.yar to the yr folder.
  4. Restart the CrashPlan service on the device.

Pattern matching considerations

  • You must manually deploy the YARA rule file to each device you want to monitor for patterns.
  • Unlike the other types of endpoint monitoring, pattern matching only monitors files included in the user's backup file selection.
  • The frequency of pattern matching scans is set by the Backup new version frequency setting. By default, this is every 15 minutes.
  • Pattern matching only monitors files that are created or modified after a YARA rule is added. Files existing before a YARA rule is added are not scanned for that rule until the file changes.
  • Pattern matching can scan for MD5 hash and filename matches on any file, but does not extract file contents of binary or compressed files. Practically speaking, this means pattern matching only searches the contents of plain text files, unless you create a rule targeting a specific binary string.
  • After adding a new YARA rule, you must restart the CrashPlan service on each device.

Sample YARA rule file

The example rule file below includes two rules. Each rule contains instructions for identifying a pattern of data on users' devices, including:

  • An MD5 hash for a specific file
  • Text strings formatted as Social Security numbers

import "hash"

rule md5Match
{
    meta:
        meta_tag = "MD5 example"

    condition:
        hash.md5(0, filesize) == "5b110441c6eead0d1943211d6a3e704c"
}

rule ssnMatch
{
    meta:
        meta_tag = "SSN example"

    strings:
        $re1 = /(\d{3})-(\d{2})-(\d{4})/

    condition:
        $re1
}
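To see which files the two sample rules would flag before you deploy rules.yar, here is an added Python example (not Code42's code and not a YARA engine) that mirrors md5Match and ssnMatch against constructed sample content and applies the plain-text limitation from the considerations above. The watched MD5 is derived from constructed bytes rather than the digest in the sample rule, and the sample file names and contents are assumptions.

```python
import hashlib
import re

# Regex taken verbatim from rule ssnMatch in the sample rules.yar above.
SSN_RE = re.compile(rb"(\d{3})-(\d{2})-(\d{4})")

# Constructed bytes standing in for a known bad file. A real rules.yar carries
# the digest as a fixed literal (as md5Match does); deriving it here keeps the
# example self-contained.
KNOWN_BAD = b"\x00MZ\x90 constructed binary blob for the md5Match demo"
WATCHED_MD5S = {hashlib.md5(KNOWN_BAD).hexdigest()}


def is_plain_text(data: bytes) -> bool:
    """Stand-in for the 'plain text only' limitation: binary or compressed
    content is hashed but its contents are not searched for strings."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def evaluate(data: bytes, watched_md5s=WATCHED_MD5S) -> list:
    """Return the names of the sample rules that would fire on this content."""
    hits = []
    # hash.md5(0, filesize) hashes the whole file, whatever its type.
    if hashlib.md5(data).hexdigest() in watched_md5s:
        hits.append("md5Match")
    # The SSN regex only sees content that is actually extracted.
    if is_plain_text(data) and SSN_RE.search(data):
        hits.append("ssnMatch")
    return hits


# Constructed sample files (name -> content) that exercise both rules.
SAMPLES = {
    "hr_notes.txt": b"Employee SSN on file: 123-45-6789\n",
    "blocked_tool.bin": KNOWN_BAD,
    # Same SSN inside a binary file: not flagged, contents are not extracted.
    "payroll.db": b"\x00\x01\x02 123-45-6789 \x00",
    # No anchors or word boundaries: 1234-56-78901 still contains a match.
    "ticket_ids.txt": b"ref 1234-56-78901\n",
    "readme.txt": b"nothing sensitive here\n",
}


def demo() -> dict:
    """Evaluate every constructed sample; returns {name: [rule names]}."""
    return {name: evaluate(content) for name, content in SAMPLES.items()}
```

The ticket_ids.txt case shows why a deployed SSN rule should be tested against your own data: the pattern has no anchors, so longer digit runs also fire.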

Visualize data from endpoint monitoring

You can visualize the data collected by endpoint monitoring in two ways.

Security web app

Sign in to the Security web app to view basic information from endpoint monitoring in a web browser.

Required permissions for the Security web app
You must have the Org Security Viewer or All Org Security Viewer roles, or equivalent permissions in a custom role, to view the Security web app. The default local administrator with the SYSADMIN role cannot be used to view data in the Security web app if your backup data is stored in the Code42 cloud; however, any other account can be used if it has the Org Security Viewer or All Org Security Viewer roles.
  1. In a web browser, access the URL for the Security web app.
    Example: https://master-server.example.com:4285/security
  2. Sign in using your administrative credentials.
  3. Review the basic information gathered by endpoint monitoring.
Security Tools requires a trusted certificate for SSL connections
If your Code42 environment uses a self-signed certificate, Security Tools activity results do not appear when browsing over an SSL connection. To view results, you must either:

Code42 app for Splunk

Install the Code42 app for Splunk to visualize detailed endpoint monitoring data as part of a larger Splunk installation.

For more information on Splunk, including their free trial that can be used with the Code42 app for Splunk, see Splunk's documentation.