Enable endpoint monitoring for file exfiltration detection

In order to use the pattern matching method of endpoint monitoring, you must manually deploy a file to each device you want to monitor for patterns. This file identifies dangerous, malicious, or sensitive files included in the user's backup file selection with a rule-based framework called YARA.

Perform these steps on each device:

1. Create a folder named yr on the device in the Code42 app's cache directory.
   Default cache directories on each operating system:
   • Windows: C:\ProgramData\CrashPlan\cache
     To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy for file locations.
   • Mac: /Library/Caches/CrashPlan
     If you installed per user, see the file and folder hierarchy.
   • Linux: /usr/local/crashplan/cache
2. Create a YARA rule file using the instructions from the YARA project.
   See below for an example YARA rule file.
3. Save the YARA rule with the name rules.yar to the yr folder.
4. Restart the Code42 service on the device.

import "hash"

rule md5Match
{
meta:
meta_tag = "MD5 example"

condition:
hash.md5(0, filesize) == "5b110441c6eead0d1943211d6a3e704c"
}

rule ssnMatch
{
meta:
meta_tag = "SSN example"

strings:
$re1 = /(\d{3})-(\d{2})-(\d{4})/

condition:
$re1
}

By default, endpoint monitoring does not automatically perform a file scan when a removable drive is detected. This prevents the collection of data on removable media that you may not want to monitor. However, you can enable this automatic file scanning if desired.

1. Call the Code42 API with the following curl command:

curl -i -X PUT -H 'Content-Type: application/json' -d '{"packets": [{"key": "org-securityTools-device-detection-scan-enable","value": "true","locked": true}]}' -u '<username>:<password>' https://<server_address>:<port>/api/OrgSettings/<orgId>

Setting "locked" to true locks this setting so that it cannot be overridden at the user level.

Replace the following entries with the values of your authority server:

• Replace <username> and <password> with the administrator username and password.
• Replace <server_address>:<port> with the host and port of your authority server.
• Replace <orgId> with the organization ID. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.

2. To verify that scanning is enabled, use the following curl command to get all the settings for the organization:

curl -i -X GET -u '<username>' https://<server_address>:<port>/api/OrgSettings/<OrgID>

When prompted, enter your password.  

3. Search the output for the "org-securityTools-device-detection-scan-enable" key to verify that its value is set to "true".

You can exclude paths of personal cloud services and removable media if you do not want to monitor them. This can reduce both the amount of unwanted monitoring data and the processing load on user devices.

1. Call the Code42 API with the following curl command:

curl -i -X PUT -H 'Content-Type: application/json' -d '{"packets":[{"key":"org_securityTools_detection_monitoring_exclusions","value":"{\"windows\":[\"<regEx1>\",\"<regEx2>\"],\"macintosh\":[\"<regEx>\",\"<regEx2>\"]}","locked":true}]}' -u '<username>:<password>' https://<server address>:<port>/api/OrgSettings/<orgId>

Setting the "locked" value to "true" locks this setting so that it cannot be overridden at the user level. If you do not want to use this setting for certain users, you may move the users to a separate child organization with its own setting.

Replace the following entries with the values of your authority server:

• Replace <regEx1> and <regEx2> with regular expressions for the paths to exclude. You may add as many expressions as you need to exclude multiple paths.
  • Note: File paths must use forward slashes ( / ) for path separators, even for Windows paths. For example: [\"C:/Users/Clyde/Temp(?:.*)*\"]. Using a backslash ( \ ) to escape characters in your regex value is not supported.
• Replace <username> and <password> with the administrator username and password.
• Replace <server_address>:<port> with the host and port of your authority server.
• Replace <orgId> with the organization ID. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.

2. To verify that exclusions are set, use the following curl command to get all the settings for the organization:

curl -i -X GET -u '<username>' https://<server_address>:<port>/api/OrgSettings/<OrgID>

When prompted, enter your password. 

3. Search the output for the "org_securityTools_detection_monitoring_exclusions" key to verify that its value is set to the desired paths to exclude from monitoring.

In addition to watching file activity, endpoint monitoring can also optionally scan all contents of monitored cloud folders. These scan results provide a snapshot of all files in the folder at the time of the scan, and are only visible via the CSV export and the Code42 app for Splunk. Scan results are not reported in Security Center.

Beginning with Code42 server version 6.8.4, cloud folder scanning is off by default. Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. Disabling the scan reduces both the amount of unwanted monitoring data and the processing load on user devices. However, you can manually re-enable the cloud folder scans with the steps below.

1. Sign in to the administration console.
2. Double-click the Code42 logo in the upper-left to open the command-line interface (CLI).
3. Enter this command: setting.set ORG org-securityTools-cloud-detection-scan-enable true <orgId>
4. Replace <orgId> with the organization ID you want to monitor. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.