Information Security
e1s, 2015-09-18 14:18:42

How to check if some kind of employee monitoring program is worth it?

Is it possible to check whether there are employee-monitoring programs on the computer? Admin rights are available. In particular, SecureTower and the most popular solutions used on the market are of interest.


2 answer(s)
sivabur, 2015-09-20
@sivabur

Ask management or your colleagues; usually there is no point in hiding such things.

Beard, 2016-06-17
@mink_h

Good day!
I would like to share my observations; maybe they will be useful to someone.
Everything below applies to Falcongaze SecureTower.
Even though the client tries to hide its presence by any means, everything secret sooner or later comes to light.
1. Certificate substitution.
Open any resource that uses https in the browser and look at the certificate details. With the DLP client installed, the "Certification Path" section will contain a certificate signed by Falcongaze SecureTower.
During installation, the SecureTower client adds its certificate to the trusted root certificate store (Trusted Root Certification Authorities).
In general, if you have any suspicions, this store can be reviewed periodically; you may suddenly find something interesting.
2. Location of files.
If you search for the client's installation files and directories visually, or using the search in Explorer (or any other file manager), most likely nothing will be found.
But there is a way out, and it turns out to be much simpler: take the paths

C:\Program Files\Falcongaze SecureTower
C:\Program Files (x86)\Falcongaze SecureTower # for x64
C:\Users\%username%\AppData\Local\Falcongaze SecureTower

and paste each in turn into the Explorer address bar, then press Enter.
If the client is present, the window that opens will show its files and traces of its activity.
This method has been tested on Windows 7 and higher.
3. Registry.
When the SecureTower client is installed, the following registry key will be created:
Within this key, if it exists, there will be several subkeys. Some additional information can be gleaned from them: installation path, current version, server address and connection port.
4. Network.
By default, SecureTower uses port 10500 to communicate with the server.
5. Processes.
As with directories and files, the client is very good at masking its processes (if it wants to) in the Windows Task Manager.
Here is a list of the most likely processes:
FgstEpaCss.exe
FgstEpaCssHlp.exe
FgStEPAgentSvcHost.exe

To flush them out, you need to run the good old Process Monitor and open the Process Tree; nothing has escaped it yet.
6. Skype
As you know, many DLP systems are able to intercept Skype messages (some, especially advanced ones, even record calls). You probably want to ask: how do they do it? After all, the Skype protocol is securely encrypted, and (practically) nobody has managed to get close to decrypting it.
In fact, it never comes to decrypting data transmitted over closed protocols at all. The SecureTower client pulls the data directly from Skype itself.
Method number one: it (the client) registers one of its modules as a trusted Skype application. The latter retrieves data using a documented, open API.
You can check Skype for intruders by selecting the menu item Tools -> Settings... -> Advanced -> Advanced settings -> Control access of other programs to Skype (tested on Skype 6.20.0.104). The API Access Control
window will list all applications that have access to your Skype data. Perhaps, by opening this window, you will find a lot of new and interesting things!
Currently, this method is practically not used, because everyone (having grown completely brazen) has switched to method number two.
Method number two: Skype stores the correspondence history in an SQLite database, in the best traditions of the genre: in clear text.
DB file location path:
It is this file that the DLP client periodically pulls.
Run Process Monitor and create a new filter:
----------------------------------------
| Column | Relation | Value   | Action  |
----------------------------------------
| Path   | contains | main.db | Include |
----------------------------------------

Click OK and wait until it fires. On a perfectly clean system, nothing except Skype itself should access this file. If there are "living creatures" in the system, you will not have to wait long.
It is always worth bearing in mind that the developers are not sitting idly by; DLP systems are constantly being improved (made more complicated, with more new bugs generated), and the methods described above may not work for newer versions.
In addition, a lot depends on the security policies according to which the client is configured. Individual modules (interception of Skype messages, control of https traffic, etc.) can be disabled and, accordingly, no single item can give a 100% result.
To detect this kind of software, you should always use an integrated approach that checks all the points. In addition, some of these methods make it possible to track not only SecureTower but also its "competitors".
PS In conclusion, I appeal to everyone who is interested in this issue: if you know other methods (techniques, actions, etc.) for detecting DLP clients, write here (I think the author of the question will not mind). Any information will always be useful!
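The checks in points 1 to 5 of the answer above can be run in one pass instead of by hand. The script below is an added example and is not part of the original answer or of any Falcongaze tool; it takes the directory paths, process names and port 10500 from the answer, and searches for the vendor name in trusted root stores and registry hives as an assumption, because the answer does not name the registry key. It is meant to be run in an elevated PowerShell session on Windows 7 or later.

```powershell
# Added example (not from the original answer): automated inventory of the
# indicators listed in points 1-5. Assumptions: the vendor string 'Falcongaze'
# appears in the certificate subject/issuer and in registry key names; the
# registry key itself is not named in the answer, so SOFTWARE hives are
# searched by name instead of opening a documented key.

$vendor    = 'Falcongaze'
$port      = 10500
$procNames = 'FgstEpaCss', 'FgstEpaCssHlp', 'FgStEPAgentSvcHost'
$paths     = @(
    "$env:ProgramFiles\Falcongaze SecureTower",
    "${env:ProgramFiles(x86)}\Falcongaze SecureTower",   # x64 systems
    "$env:LOCALAPPDATA\Falcongaze SecureTower"
)

# 1. Trusted root stores (machine and user). Any root CA that is neither a
#    public CA nor your own domain PKI deserves a closer look.
Write-Host "== Trusted root certificates matching '$vendor' =="
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$vendor*" -or $_.Issuer -like "*$vendor*" } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter

# 2. Installation and data directories named in the answer. Test-Path works
#    even when Explorer search does not list the directory.
Write-Host "== Installation directories =="
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $count = (Get-ChildItem -LiteralPath $p -Recurse -Force `
                      -ErrorAction SilentlyContinue | Measure-Object).Count
        Write-Host "present: $p ($count entries)"
    }
}

# 3. Registry: key names containing the vendor string (assumption; the answer
#    does not state the exact key). Values such as install path, version,
#    server address and port would live under such a key.
Write-Host "== Registry keys mentioning '$vendor' =="
$hives = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\SOFTWARE'
foreach ($h in $hives) {
    Get-ChildItem -Path $h -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$vendor*" } |
        ForEach-Object {
            Write-Host $_.Name
            Get-ItemProperty -Path $_.PSPath | Format-List *
        }
}

# 4. Network: TCP connections involving the default port 10500.
Write-Host "== TCP connections on port $port =="
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $port -or $_.LocalPort -eq $port } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
} else {
    # Windows 7 has no Get-NetTCPConnection cmdlet; fall back to netstat.
    netstat -ano | Select-String ":$port\s"
}

# 5. Processes and services. Get-Process only sees what the OS reports, so a
#    client that actively hides its processes may not show up here; that is
#    why the answer recommends Process Monitor's Process Tree as well.
Write-Host "== Processes =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $procNames -contains $_.ProcessName } |
    Select-Object Id, ProcessName, Path

Write-Host "== Services mentioning '$vendor' =="
Get-Service | Where-Object { $_.DisplayName -like "*$vendor*" -or $_.Name -like "*$vendor*" } |
    Select-Object Name, DisplayName, Status
```

Each section prints nothing on a clean machine, so an empty run is the expected baseline. As the answer notes, a single hit is not proof on its own, and no hit is not proof of absence either: modules can be disabled by policy, and the process and directory checks rely on the operating system reporting them, which is exactly what the client tries to avoid. The certificate-store and network checks are the hardest to hide, since the https interception described in point 1 cannot work without a trusted root in the store, and the server connection on port 10500 has to exist for the client to report anything.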
