Windows - Shadow Copy - Statistics
Purpose
This solution is designed to audit the complete Shadow Copy statistics and size information on all machines set to audit. The data is populated into a dataview and can be reviewed manually. There is currently no alerting for this solution, but it can easily be added if requested.
 

Associated Content
| Content | Type | Function | 
|---|---|---|
| Script - Shadow Copy - Audit Complete Statistics [DV] | Script | This script records data related to Shadow Copy for individual systems into a Custom Table - plugin_proval_shadowcopystats. | 
| Dataview - Windows - Shadow Copy State [Script] | Dataview | This dataview displays Windows Shadow Copy information for endpoints on which Script - Shadow Copy - Audit Complete Statistics [DV] has run and gathered data. | 
| Monitor - Execute Script - Shadow Copy - Audit Complete Statistics | Monitor | This monitor detects machines where the last Shadow Copy detected is older than the number of days set in the System Property Proval_ShadowCopyMaxAgeInDays. | 
| Custom Table - plugin_proval_shadowcopystats | Table | It stores information about Windows shadow copies gathered by Script - Shadow Copy - Audit Complete Statistics [DV]. | 
| △ Custom - Execute Script - Shadow Copy - Audit | Alert Template | This alert template is created to run with the Monitor - Execute Script - Shadow Copy - Audit Complete Statistics and schedule Script - Shadow Copy - Audit Complete Statistics [DV] on the detected agents. | 
Implementation
- Import the following content using the ProSync Plugin:
- Reload the system cache:
- Configure the solution as outlined below:
  - Navigate to Automation → Monitors within the CWA Control Center and set up the following:
    - Monitor - Execute Script - Shadow Copy - Audit Complete Statistics
      - Set up with "△ Custom - Execute Script - Shadow Copy - Audit" Alert Template
      - Right-click and Run Now to start the monitor

Note: If the partner uses ThreatLocker or any other application-blocking software, have the file hash below whitelisted so that the solution can run without being blocked. MD5 FileHash: E69A5AD2CDCF7B20C7205D4A7BEC08C4
FAQ
Q: What should I do if information for an endpoint is not present in the dataview?
A: Run the "Script - Shadow Copy - Audit Complete Statistics [DV]" against the Windows machine and re-check the dataview after the successful completion of the script.
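
To spot-check a single endpoint outside of Automate, the following added example (not the ProVal script, whose internals this page does not show) reads shadow copy age and storage size per volume from the standard `Win32_ShadowCopy` and `Win32_ShadowStorage` WMI classes and flags volumes whose newest copy is older than a threshold. The `$MaxAgeInDays` parameter and its default of 7 are assumptions standing in for the Proval_ShadowCopyMaxAgeInDays system property.

```powershell
# Added example: local spot check, run from an elevated PowerShell session.
# $MaxAgeInDays is an assumed stand-in for the Proval_ShadowCopyMaxAgeInDays system property.
param(
    [int]$MaxAgeInDays = 7   # assumed default, not a value taken from the solution
)

$now     = Get-Date
$volumes = @(Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3')
$copies  = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$storage = @(Get-CimInstance -ClassName Win32_ShadowStorage)

foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName is the volume GUID path, the same value as Win32_Volume.DeviceID.
    $volCopies = @($copies | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    $newest    = $volCopies | Sort-Object -Property InstallDate -Descending | Select-Object -First 1

    # Win32_ShadowStorage.Volume is a reference to the volume being protected.
    $store = $storage | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID } | Select-Object -First 1

    $ageDays = $null
    if ($newest) { $ageDays = [math]::Round(($now - $newest.InstallDate).TotalDays, 1) }

    # A MaxSpace of UInt64.MaxValue means no size limit is set for the shadow storage area.
    $usedGB = $null
    $maxGB  = $null
    if ($store) {
        $usedGB = [math]::Round($store.UsedSpace / 1GB, 2)
        if ($store.MaxSpace -eq [uint64]::MaxValue) { $maxGB = 'Unbounded' }
        else { $maxGB = [math]::Round($store.MaxSpace / 1GB, 2) }
    }

    # A volume with no shadow copy at all is reported separately from a stale one.
    if (-not $newest)                     { $status = 'NoShadowCopy' }
    elseif ($ageDays -gt $MaxAgeInDays)   { $status = 'Stale' }
    else                                  { $status = 'OK' }

    [pscustomobject]@{
        Volume     = $vol.Name
        CopyCount  = $volCopies.Count
        NewestCopy = if ($newest) { $newest.InstallDate } else { $null }
        AgeDays    = $ageDays
        UsedGB     = $usedGB
        MaxGB      = $maxGB
        Status     = $status
    }
}
```

A volume that drops from 'OK' to 'NoShadowCopy' between checks has had its shadow copies deleted or its protection disabled, which is worth investigating rather than simply re-running the audit.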