File Shadowing

File shadowing enables you to track the data that is being read, written to, or written from a device.

When you enable file shadowing for a device, Ivanti Device Control either creates copies of the files or the filenames that have been read, written to, or written from the device, depending on the file shadowing configuration. Tracking data that is written or read from a device allows you to take prompt action against users, systems, or groups if you discover data transfer violations. File shadowing also allows you to closely monitor specific users or systems.

File shadowing data collected while a user is disconnected from the network is transferred to the server as soon as the user has reconnected.

File shadowing is a powerful feature that requires careful use. Creating copies of transferred data can be a data-intensive task, which can require a hard disk drive with the capacity to hold hundreds of megabytes or gigabytes of copied data. In addition, transferring large amounts of copied data at one time can cause network saturation for slower network connections. Weigh these considerations carefully when deciding whether to shadow files for all the devices in your network or specific device classes or systems in your network.

Removable devices include secondary hard disks. Applying a file shadowing policy to the entire Removable Storage Device device class may consume a large amount of storage space.

When editing a file previously copied to a shadowed device (in the same user's session), no read shadow data is created, because Windows saves the file in its cache and therefore there is no new read operation request. This does not apply if the file initially resides on the device or if it is opened in a new user session (the cache is empty).

When defining shadowing permissions, priority conflicts can occur if the priorities are not clearly defined.

Lower priority policies with shadowing enabled retain the shadowing function even when a higher priority policy is applied with shadowing disabled.

Supported Device Classes for File Shadowing

A subset of the device classes available in Device Control supports file shadowing. Device Control supports file shadowing for the following device types:

  • COM/Serial ports (full)
  • LPT/Parallel ports (full)
  • CD/DVD drives (file name only)
  • Printers (full)
  • Modems/Secondary network access devices (full)
  • Removable storage devices (file name only)
  • Floppy disk drives (file name only)

Supported Formats when Shadowing

Current CD recording standards allow for a bewildering array of formats, ranging from plain user data in a simplified ISO file system to a UDF/ISO+Joliet bridge DVD with interleaving, extended attributes, security descriptors, and associated files.

Common recording software uses only a small subset of those combinations, and Ivanti Device Control concentrates on those; the following table offers an overview of what is and what is not supported in each of the two possible shadow modes.

Format

Full shadow mode

File name only shadow mode

Audio tracked (not interpretable)

Scrambled tracks (not interpretable)

Raw-mode data (not interpretable)

Packet writing, Mount Rainier

ISO, ISO/Joliet

UDF

UDF+ISO/Joliet bridge

ISO+El Torito bootable CDs

ISO+Rock Ridge extensions

High Sierra Group format

Apple HFS

Legend:

- Not supported, writing blocked

- Shadowed and fully supported; individual files are extracted and made available

- Shadowed, partially supported; individual files are extracted and made available

- Shadowed, but individual files are not extracted

Printed Content Shadowing

You can shadow content printed from all local and network printers in your environment that use the Microsoft Windows Print Spooler service.

Printers often handle sensitive documents and information, outputting them in a hard copy format that can be impossible to control. They can be left in a printer tray for anyone to see or intentionally carried out of the organization. You can monitor if endpoint users are printing unauthorized or undesirable documents and create an audit trail for compliance purposes by selecting the Shadow settings option when creating a Printer Device Class Policy or Device Collection Policy.

A Printer policy with shadowing enabled captures the PRN file sent to the printer. When a user prints a file, a shadow copy is stored on the endpoint in the C:\Windows\sxdata\shadow folder and renamed with the extension .dat.final. The file is then moved to C:\ProgramData\Lumension\LEMSSAgent\logs and uploaded to the Ivanti Endpoint Security Server, to the location set in Tools > Options > Device Control > Server shadow directory.

You can view the contents of a PRN file by reprinting it or opening it in a print spooler file viewer application.

Viewing a shadowed print file

You can view a shadowed file sent from an endpoint to a printer by re-printing it or opening it in a utility for viewing print spooler files in formats appropriate for your printer.

Prerequisites:

You have selected a file from <install_dir>\DeviceControl\Shadow.

When shadowing is enabled for a printer, the PRN file used by the printer to generate the printout is saved and logged on the endpoint. Shadowing also provides enforcement for printing operations using the Print Spooler API, both for local and remote printers.

Important: Only print jobs sent to printers that use the Microsoft Windows Print Spooler service are shadowed.

Option

Description

Printing a shadowed print file on a physical printer

  1. Open a command prompt.
  2. Enter: copy <filename.prn> /B \\<printer-server>\<printer-share-name>

Note:

  • <printer-server> must be the name or address of the computer to which the printer is physically connected.
  • You must print to the printer that shadowed the file, or to a printer of the same model, as the PRN file format is printer dependent.

Opening a shadowed print file using a utility for viewing print spooler files in formats appropriate for your printer

As the PRN file contains both the printout content and commands necessary to control the specific printer used, an external viewer is required. Download and install a viewer, then associate it with the PRN file extension.

The contents of the shadowed print file are displayed and can be reviewed.
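Because the PRN format is printer dependent, it helps to know which page-description language a shadowed job uses before choosing a viewer. The following Python script is an added example, not Ivanti code: it inspects the leading bytes of a PRN file for the standard PJL, PCL, PostScript and PDF markers; the function name `identify_prn` and the sample byte strings are constructed for illustration.

```python
import re
import sys

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that precedes PJL headers
ENTER_LANG = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)", re.I)
SIGNATURES = [  # (payload prefix, label), checked in order
    (b"%!PS", "PostScript"),
    (b"%PDF-", "PDF"),
    (b") HP-PCL XL", "PCL XL"),       # little-endian binding stream header
    (b"\x1bE", "PCL 5"),              # ESC E printer reset
    (b"PK\x03\x04", "ZIP container (possibly XPS)"),
]

def identify_prn(data: bytes) -> dict:
    """Report the PJL wrapper and payload language found at the start of a PRN file."""
    head = data[:65536]
    info = {"pjl": False, "declared": None, "detected": "unknown"}
    pos = len(UEL) if head.startswith(UEL) else 0
    # Walk the PJL header line by line; ENTER LANGUAGE names the payload language.
    while head[pos:pos + 4].upper() == b"@PJL":
        info["pjl"] = True
        end = head.find(b"\n", pos)
        line = head[pos:] if end == -1 else head[pos:end]
        match = ENTER_LANG.match(line.strip())
        if match:
            info["declared"] = match.group(1).decode("ascii").upper()
        pos = len(head) if end == -1 else end + 1
    payload = head[pos:].lstrip(b"\r\n")
    for prefix, label in SIGNATURES:
        if payload.startswith(prefix):
            info["detected"] = label
            break
    return info

# Constructed samples (not captured from a real printer or endpoint).
SAMPLE_PCL = (UEL + b'@PJL JOB NAME = "constructed"\r\n'
              b"@PJL ENTER LANGUAGE = PCL\r\n\x1bE\x1b&l0OHello")
SAMPLE_PS = b"%!PS-Adobe-3.0\n%%Title: constructed\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. files taken from the shadow directory
        with open(path, "rb") as fh:
            print(path, identify_prn(fh.read(65536)))
```

For an `unknown` result, such as a vendor-specific raster stream, reprinting on the original printer model remains the way to review the job.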