Endpoint Data Discovery

The Endpoint Data Discovery feature introduces a powerful tool for administrators to ensure the security and integrity of their organization's user machines.

This functionality provides admins with a process to set up and execute scans across all endpoints (such as, User Machine) within the network with the ability to schedule these scans at convenient times to avoid disrupting daily operations.

Administrators can customize the scan by defining a root path from which the scan begins, and they have the flexibility to include or exclude specific directories, giving them precise control over which areas of the system are inspected. The feature is added under the Administrator tab along with other data sources. Currently this feature is only supported on Windows.

Scan Configuration and Monitoring

Endpoint Data Discovery details and configuration are located in the Data Sources section under the new page Endpoint.

Endpoint Configuration

In the configuration tab Admins can setup the various ways to start the scan, details of each property are as below:
Table 1.
     
Enabled Enable or disable the scanning for all agents Unselected (disabled)
Root path The folder location to scan. It may be desired to scan the to just scan the user folders, etc. This is a required field a populated for the scan to start. Must be in the format of a Windows path Empty
Scan schedule How often the scan should run (every day, week, 2 weeks Every day
Scan on start Enable to always start a scan on system start in addition to time. This includes on the installation of the agent Unselected (disabled)
Included file attributes See Note below Normal, ReadOnly, Hidden, Archive
Excluded file attributes See Note below System, Temporary, Device, ReparsePoint, SparseFile
Excluded file paths File paths to exclude from scanning. For example, it may be the entire C: drive, but to exclude the Windows and Program etc Empty

Note for Included/Excluded file attributes: Endpoint Discovery has been designed to only include relevant files and folders in the scan results and to exclude files and folders such as system files. It does this by filtering based on Windows file/folder attributes. These attributes have been chosen carefully to get the best scan results and should be left blank unless the user knows what they are doing. But if desired it is possible to alter these attributes to include system files/folders, exclude hidden files, etc. If the user wants to make modifications to the attributes, they can do so. More information on Windows file attributes can be found here.

Endpoint Details

Under the Details tab you can view the list of all endpoints along with some basic info such as current scan status (not started, in progress, etc), if the endpoints are online or offline, and the number of files scanned. This is useful as an overview of the progress of scans.

Viewing Scanned Files

Admins can click on the number Scanned files in the Endpoint details page, and they will be navigated to list of files that were scanned. Additionally, they can navigate to the Enterprise Search page and filter by the source Endpoint. Here the admins can view all the details about the files scanned like if the files were classified or not, when was it last modified date, path of the file and many more useful information.

Note: Initial scans for endpoints can be slow as the scanner will need to perform a hash of all file contents as well as to perform a classification check. This can take a long time for every file on an endpoint. Results are sent in batches however, so results will start to be seen shortly after starting the initial scan. Subsequent scans will be significantly faster as the scanner only processes new and modified files. Typically, this should be a relatively small number of files, particularly if the scan is configured to run every day.