Overview
This page contains a list of frequently asked questions for users of Code42's products.
Insider risk questions:
- How can I use Code42 Incydr to detect and respond to insider risks?
- How do I get notifications for file events I'm most concerned about?
- How do I pull suspicious file activity together for another team member to review?
- How is the severity of a file event calculated?
- How can I more closely monitor users with higher risk of exfiltration?
- How do I connect Incydr to my other systems?
- How long does it take for file events to appear in Incydr?
Upgrade questions:
Installation questions:
- How do I configure deployment policies?
- How can I use Incydr with EDR software?
- How do I install or uninstall Code42 agents?
Trials, licenses, billing, and licensing questions:
- How is Code42 licensed?
- Is Code42 software available outside of the US and Canada?
- Is Code42 software translated in other languages?
- How do I buy?
- How do I get help with my license, invoice or bill?
- Why are we using more licenses than we have active users?
Compliance questions:
Backup agent only:
- Backup questions
  - How does backup work?
  - Why does the Code42 agent report a different file size than the size of files selected for backup?
  - Why isn’t this backup reaching 100% complete?
  - How do users add a computer/device?
  - Can the Code42 agent handle terabytes (TBs) of data?
  - What should users back up?
  - Can users back up files on an external drive, NAS, or a mapped drive?
  - Can I run Code42 software on a headless/NAS setup?
  - Can users back up to other users' computers?
  - Can I back up a server with Code42 software?
  - How do users set up a new device for backup and no longer back up the old one?
  - How do I exclude entire folders and specific files from backups?
- Restore questions
- Performance questions
- Cold storage questions
- Archive maintenance questions
- Reporting questions
Contact support questions:
Insider risk
How can I use Code42 Incydr to detect and respond to insider risks?
Code42 provides a number of tools to help you quickly detect and respond to both malicious and unintentional activity that threatens your intellectual property, sensitive data, and overall security. For example:
- Exfiltration dashboard: Provides a high-level view of all endpoint and cloud file activity in your Code42 environment that may be putting data at risk. The Exfiltration dashboard highlights file activity:
  - On removable media
  - Synced to cloud services
  - Read by browsers and other apps (uploads and downloads)
  - In .zip files and other archive formats
- Cases: Collect, document, and share details with teammates about insider risks to make more informed decisions about how to respond. Cases also provide a permanent record of the file activity and users associated with the investigation.
- Alerts: Enable you to define specific file-activity behaviors and thresholds that trigger an alert. Alerts can be sent as emails, appear on dashboards, or both. For example, you could create an alert that emails you every time any user transfers a certain number of files to removable media or to a cloud sync folder.
- All Users list: See all of the users in your Code42 environment sorted by the highest number of critical-severity file events, then by high-severity file events.
- Watchlists: Monitor your higher-risk employees more closely to mitigate insider risk. Add them to one or more watchlists with customized alerts to notify you of their riskiest activity.
- Forensic Search: Perform ad-hoc searches to review file metadata and download file contents for endpoint, cloud, and email file activity.
For detailed steps about how to leverage these tools to protect your environment, see Detect and respond to insider risks.
How do I get notifications for file events I'm most concerned about?
Use Alerts to notify you of suspicious file activity. You can use our recommended alerts or create your own to fit your needs. For more information, see Create and manage alert rules.
How do I pull suspicious file activity together for another team member to review?
Cases enable you to assemble evidence related to an investigation and share findings with others in your organization. To bolster your case, you can collect file events from Forensic Search and add notes to provide additional context. For more information about how to build a case, see Manage cases.
How is the severity of a file event calculated?
Risk indicators are assigned to file events for various possible exposure risks. Each indicator has a risk score. A file event can have one or more risk indicators applied to it and the combined risk scores of the indicators determine the overall severity of the file event. Higher scores denote higher risk severity.
Default scores are based on how likely the activity is to increase exfiltration or exposure risk, but you can change any score to better match your specific risk tolerance. For more information about risk indicators, see Risk settings reference.
How can I more closely monitor users with higher risk of exfiltration?
File activity of employees whose roles, behaviors, and access increase risk to the company can be monitored with watchlists. Watchlists help cut through the noise of file activity across your organization by highlighting the users you are the most concerned about.
For more information about how to add users to a watchlist, see Manage watchlists.
How do I connect Incydr to my other systems?
A variety of integrations are available, enabling you to leverage Code42 features and data in other systems, including the following:
- APIs
- Python SDK
- Code42 command-line interface (CLI)
- SOAR, SIEM, and other tools
- Incydr Flows
For more information, see Code42 integrations resources.
How long does it take for file events to appear in Incydr?
File events appear in Forensic Search within 75 minutes. Events typically appear in dashboards, Watchlists, and Alerts within 75-90 minutes, but may take up to 2 hours.
For more details, see Introduction to Incydr.
Upgrades
We update the Code42 console and Code42 agents on user devices automatically so you are always on the latest version. However, administrators can optionally delay Code42 agent upgrades on user devices for up to 30 days. This enables you to test new versions on a small group of users before updating all users in your Code42 environment. It also allows for a staggered rollout schedule.
Installation
How do I configure deployment policies?
When you create a deployment policy in the Code42 console, the process generates user-detection scripts and arguments for Code42 agent install commands.
Deployment is a secure process:
- During installation, device-server communications are encrypted.
- Devices can connect via proxy. See the PROXY_URL parameter.
- Deployment can run silently, with no intervention from users at devices.
For more information about deployment, see Deploy Code42 agents.
How can I use Incydr with EDR software?
Code42 agents require full disk access, read many files, and auto-update themselves. These features enable Incydr to provide continuous monitoring. However, these activities may initially be identified as suspicious behavior by EDR tools that use heuristics and machine learning to augment content definitions and policy.
In most cases, EDR tools don't necessarily categorize Code42 agents as malware or a virus, but Code42 activity without context may appear suspicious enough to generate an alert the first time it occurs. Depending on how your EDR tool is configured and how you respond to the initial alert, the tool may learn to correctly categorize Code42 activity as approved and trusted behavior, or it may incorrectly generate more alerts.
For more information, see Best practices for using Code42 with EDR software.
How do I install or uninstall Code42 agents?
- To install, follow the instructions at Install the Code42 backup agent.
- To install using a deployment policy, see Deploy Code42 agents.
- To uninstall and then reinstall, see Uninstall and reinstall the backup agent.
- To uninstall, see Uninstall the backup agent.
Trials, licenses, billing, and licensing
How is Code42 licensed?
Code42 software is licensed annually. Each active user consumes a user license.
Is Code42 software available outside of the US and Canada?
Yes. Code42 software is available worldwide.
Is Code42 software translated in other languages?
Yes. For more information, see details on available languages for all Code42 products.
How do I buy?
If you are an existing customer and want to renew or add more users, contact your Customer Success Manager (CSM) or email renewals@code42.com. If you are a new customer, contact sales.
How do I get help with my license, invoice or bill?
For questions about your license, invoice or bill, contact your Customer Success Manager (CSM). If you do not know your CSM, please contact our Technical Support Engineers.
Why are we using more licenses than we have active users?
Does not apply to the insider risk agent
If you are using more licenses than the total number of active users, it may be because you have data in cold storage that is consuming a license. When users are deactivated, their backup archives go into cold storage where they continue to consume user licenses until they expire and are permanently deleted. To free up licenses before expiration, you can purge archives from cold storage. For more information, see:
Compliance
Code42 is an ISO 27001-certified organization and conducts annual SOC 2 Type 2 attestations on our product and infrastructure. Additionally, Code42 ensures and monitors appropriate security assurance obligations (SOC 1, SOC 2, ISO 27001) for its cloud data centers. For more information, see https://www.code42.com/security/.
All Incydr products support HIPAA, provided you obtain a BAA with Code42.
Backup
Backup agent only
How does backup work?
Backup begins with a process called data de-duplication. The Code42 agent analyzes a small piece of the file (a block), and checks to see if that block was previously backed up.
- If that block was already backed up, the Code42 agent moves on and analyzes the next block.
- If the block has not yet been backed up, the Code42 agent compresses the block to save storage space, encrypts the block to secure the data, and sends the block to the backup destination.
As a result of this analysis, compression, and encryption activity for new files, a device’s initial backup takes much longer than subsequent, incremental backups. The length of time for the initial backup can quite literally range from minutes to weeks, and is dependent on many factors, including the number and size of files being backed up, the backup destination, network topology, and available device resources. However, once the first backup is complete, future backups are much faster, because the Code42 agent only needs to back up new files and changed blocks of data for each file.
Why does the Code42 agent report a different file size than the size of files selected for backup?
If users compare the size of files selected for backup to the file size the Code42 agent reports it's backing up, they may notice a difference. Multiple factors can contribute to this difference, such as our de-duplication and compression processes. For more information, see:
In addition, users may notice that the Code42 agent and Code42 console show slightly different values for the size of backup. This is because the Code42 agent and Code42 console calculate file sizes differently.
Why isn’t this backup reaching 100% complete?
When a backup is unable to reach 100% complete, it is often because the Code42 agent can't access some of the files. This may happen if a file is in use by another application or has incorrect permissions. Click a link below to troubleshoot:
How do users add a computer/device?
To add a computer, users simply download the Code42 agent from the Code42 console, install it, and sign in. The device then appears on the Agents list in the Code42 console. For instructions on how to replace an existing device, see Replace your device.
Can the Code42 agent handle terabytes (TBs) of data?
Each new file that the Code42 agent backs up is indexed, compressed, and de-duplicated, which takes time. This usually isn't a problem for smaller backups, but if the backup is more than 1 TB of data or more than 1 million files, users will likely need to increase the amount of memory available to the Code42 agent to get the backup to complete. For more information, see:
What should users back up?
Users should back up the files they create, edit, and access. Typically, these are stored in the User directory or Home folder. The Code42 agent isn't designed to back up system and application files. For more information, see What should you back up?.
Can users back up files on an external drive, NAS, or a mapped drive?
- External drives: The Code42 agent can back up storage connected to a device such as an external hard drive directly attached via USB, Thunderbolt, or Firewire.
- NAS:
  - Users can back up Network Attached Storage (NAS) on Mac and Linux, but not Windows.
  - Storage must be mounted in order for the Code42 agent to access it.
  - Users may see performance bottlenecks on a NAS that is serving multiple purposes or is not fiber attached because the Code42 agent requires fast disk I/O.
- Mapped drive: Users can back up any drive that is mounted as a Volume for Mac and Linux. However, we don't support backing up mapped drives on Windows due to an OS-level restriction built into Windows.
Can I run Code42 software on a headless/NAS setup?
No. Installing the Code42 agent on a headless/NAS setup is not supported.
Can users back up to other users' computers?
Computer-to-computer backup, also known as inbound backup or peer-to-peer, is no longer supported in the Code42 agent. Users can only back up to local drives and to the Code42 cloud, not to other computers.
Can I back up a server with Code42 software?
No, we do not support server backup with Code42 software. For details, see Platform end of support for the Code42 app on Windows Server.
How do users set up a new device for backup and no longer back up the old one?
When a device is lost or stolen, the hardware fails, or users get a new device, the Code42 agent's replace device wizard can help transfer files, move the backup, and update settings from a previous device. After users have installed the Code42 agent on the new computer, they will need to associate the new device with their existing archive.
In the wizard, the transfer files step is an opportunity to download files from the archive. If users do not need to download the previously backed-up files to the new device right now, they can skip it. Regardless of what they choose, everything currently in the archive will remain there as long as it is selected for backup and they haven't changed the default file retention settings.
How do I exclude entire folders and specific files from backups?
You can exclude files and folders from backup at various levels in your Code42 environment:
- Use Organization Defaults to apply global exclusions for individual organizations:
  - In the Code42 console, go to Administration > Environment > Organizations.
  - Select an organization.
  - From the Actions menu, select Device Backup Defaults.
  - From the General tab, scroll down to Global Exclusions.
  - Enter a string to exclude and click the plus icon. If you don't see the option to add exclusions, deselect Use device defaults from parent at the top of the General tab.
  - Click Save.
- Use Device backup settings to modify settings for specific agents:
  - In the Code42 console, go to Administration > Environment > Agents.
  - Select an agent.
  - From the Actions menu, select Edit device backup defaults.
  - From the General tab, scroll down to Global Exclusions.
  - Enter a string to exclude and click the plus icon.
  - Click Save.
There are several ways of specifying which files and folders should be included or excluded from the backup file selection:
- Use substitution variables in the directory field to specify types of files or locations, for example, instead of identifying each user folder by name.
- Specify filename patterns using wildcards.
- Specify file extensions or file types to exclude. For example, add “mp3” to the exclude list so that all .mp3 files are ignored for backup.
- Use regular expressions (regex) to designate files to be excluded from backup. Each expression you provide is always matched against the absolute path of the file, so take the full file path into account when you exclude files this way.
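Because each expression is matched against the absolute path, it helps to test candidate exclusions against representative paths before saving them. The following is an added example, not Code42 code: it audits patterns against constructed sample paths and flags ones that exclude nothing or that reach into folders you expect to keep. It assumes the expression must match the whole path (Python's `re.fullmatch`, comparable to Java's `String.matches()`); the paths, `MUST_KEEP`, and the function names are hypothetical.

```python
import re

# Constructed sample of absolute paths (not taken from a real device).
SAMPLE_PATHS = [
    "/Users/alice/Documents/contract.docx",
    "/Users/alice/Documents/Cache/notes.txt",
    "/Users/alice/Library/Caches/com.example.app/blob.bin",
    "/Users/alice/Music/track01.mp3",
    "/Users/bob/Downloads/track02.MP3",
    "/Users/carol/Desktop/report.pdf",
]

# Locations the reviewer expects to remain in the backup (assumption for this example).
MUST_KEEP = re.compile(r".*/Documents/.*")


def excluded_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths a pattern would exclude.

    Assumption: the expression has to match the entire absolute path,
    so a pattern written against the bare filename matches nothing.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.fullmatch(p)]


def audit(pattern, paths=SAMPLE_PATHS):
    """Classify an exclusion regex as 'no-match', 'over-broad', or 'ok'."""
    hits = excluded_paths(pattern, paths)
    if not hits:
        return "no-match", hits      # excludes nothing: likely filename-only
    if any(MUST_KEEP.fullmatch(p) for p in hits):
        return "over-broad", hits    # silently drops data you meant to keep
    return "ok", hits


CANDIDATES = [
    r".*\.mp3",               # case-sensitive: misses track02.MP3
    r"(?i).*\.mp3",           # case-insensitive variant catches both
    r"track\d+\.mp3",         # filename only: never matches a full path
    r".*/Caches?/.*",         # also hits /Documents/Cache/
    r".*/Library/Caches/.*",  # scoped to the intended folder
]

if __name__ == "__main__":
    for pat in CANDIDATES:
        verdict, hits = audit(pat)
        print(f"{verdict:10} {pat!r:28} -> {len(hits)} path(s)")
```

An over-broad exclusion is the costlier mistake, because the affected files simply never reach the archive and nothing reports them as missing.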
Restore
Backup agent only
Users can restore files from the Code42 agent or from the Code42 console, or you can restore files for users if you have the proper permissions. Users should typically restore files with the Code42 agent whenever they have access to one of their devices. The Code42 console is convenient for restoring files when users are not near one of their devices, but these restores are limited to 250 MB.
Performance
Backup agent only
Code42 complements the functionality of antivirus or endpoint detection and response (EDR) applications. However, when the Code42 agent and these other applications are installed on the same device, they may compete for locked files and system resources. This can cause a large amount of CPU resources to be used on the device.
To reduce this usage, configure the Code42 agent to exclude other endpoint security programs. You can also configure the Code42 agent to exclude the cache files created by antivirus and EDR applications from backup.
See Best practices for using Code42 with EDR software if you are using applications like:
- Carbon Black Cb Defense
- Carbon Black Cb Response
- CrowdStrike Falcon
- Kaspersky Endpoint Security for Business
- McAfee AntiVirus
- McAfee Endpoint Threat Defense and Response
- Sophos Intercept X
You can also change the amount of CPU used.
Cold storage
Backup agent only
When a user or device is deactivated, its data is not deleted. Instead, it is moved into cold storage. Cold storage is a temporary holding state for archives after they are deactivated but before they expire and are permanently deleted.
The amount of time archives are kept in cold storage depends on the action that places the archives in cold storage:
- Conclusion of service - Data is held in cold storage for 14 days before deletion.
- Deactivation - If you deactivate individual users, devices, or organizations, the data is held in cold storage per the cold storage retention settings configured in the Code42 console.
When an archive's cold storage retention period is over, it becomes an expired archive. Expired archives are marked for deletion and are not recoverable.
For more information on our data retention policy, see Data retention in the Code42 cloud.
Yes. Archives associated with deactivated users and devices remain in cold storage for the retention period defined in the Code42 console. During that time, the archives continue to consume user licenses. As an administrator, you can free up licenses by purging archives from cold storage. Once a user's archives are purged, the associated license becomes available for other users within 24 hours.
Archive maintenance
Backup agent only
Archive maintenance is a regularly scheduled task that runs on each backup destination. The purpose is to maintain archive integrity and optimize the size of the archives. When archive maintenance runs, it:
- Checks backup archives for corrupted files and repairs any detected corruption.
- Prunes file versions and removes deleted files according to the frequency and version settings.
- Purges files that are no longer selected for backup.
Archive maintenance locks the archive, so users won't be able to restore until maintenance is complete.
An archive may change size after archive maintenance because it removes file versions and deleted files according to the frequency and version settings.
Reporting
Backup agent only
To send device backup reports to administrators only, follow these steps:
Step 1: From the Code42 console, set your reporting settings
- Select Administration > Environment > Organizations.
- Select an organization.
- From the Actions menu, select Device Backup Defaults, then click the Reporting tab.
- Update your settings.
Step 2: Shut off backup status email notifications for your end users
- Select Administration > Environment > Organizations.
- Select an organization.
- From the Actions menu, select Device Backup Defaults, then click the Reporting tab.
- Deselect all the options on that tab.
Contact support
Ask your Code42 Customer Success Manager (CSM) to make you an "administrative support contact." You can contact your CSM directly to update this information on your account.
If you have additional questions that our online resources don't address, our Technical Support Engineers are happy to assist. See Contact support: create a ticket, chat, or call.
Resources
There are several different ways to get more information:
- Check out our support site to get all of our documentation.
- In the Code42 console, click the Help icon in the upper-right to display a reference article about that page.
- Our customer community is where you can view and subscribe to technical updates and announcements.
- Advance your Code42 knowledge through instructor-led or virtual classes.