Endpoint Data Discovery
Last updated
Was this helpful?
Last updated
Was this helpful?
The Endpoint Data Discovery feature introduces a powerful tool for administrators to ensure the security and integrity of their organization's user machines. This functionality provides admins with a process to set up and execute scans across all endpoints (ie User Machine) within the network with the ability to schedule these scans at convenient times to avoid disrupting daily operations. Administrators can customize the scan by defining a root path from which the scan begins, and they have the flexibility to include or exclude specific directories, giving them precise control over which areas of the system are inspected. The feature is added under the Administrator tab along with other data sources. Currently this feature is only supported on Windows.
Endpoint Data Discovery details and configuration are located in the Data Sources section under the new page “Endpoint”.
In the configuration tab Admins can setup the various ways to start the scan, details of each property is as below:
Enabled
Enable or disable the scanning for all agents
Unselected (disabled)
Root path
The folder location to scan. It may be desired to scan the entire C: drive or to just scan the user folders, etc. This is a required field and must be populated for the scan to start. Must be in the format of an absolute Windows path
Empty
Scan schedule
How often the scan should run (every day, week, 2 weeks or month)
Every day
Scan on start
Enable to always start a scan on system start in addition to the scheduled time. This includes on the installation of the agent
Unselected (disabled)
Included file attributes
See Note below
Normal, ReadOnly, Hidden, Archive
Excluded file attributes
See Note below
System, Temporary, Device, ReparsePoint, SparseFile
Excluded file paths
File paths to exclude from scanning. For example, it may be desired to scan the entire C: drive, but to exclude the Windows and Program Files folders, etc
Empty
Note for Included/Excluded file attributes: Endpoint Discovery has been designed to only include relevant files and folders in the scan results and to exclude files and folders such as system files. It does this by filtering based on Windows file/folder attributes. These attributes have been chosen carefully to get the best scan results and should be left blank unless the user knows what they are doing. But if desired it is possible to alter these attributes to include system files/folders, exclude hidden files, etc. If the user wants to make modifications to the attributes, they can do so. More information on Windows file attributes can be found .
Under the Details tab you can view the list of all endpoints along with some basic info such as current scan status (not started, in progress, etc), if the endpoints are online or offline, and the number of files scanned. This is useful as an overview of the progress of scans.
Admins can click on the number Scanned files in the Endpoint details page and they will be navigated to list of files that were scanned. Additionally they can navigate to the Enterprise Search page and filter by the source “Endpoint”. Here the Admins can view all the details about the files scanned like if the files were classified or not, when was it last modified date, path of the file and many more useful information.
Note:
Initial scans for endpoints can be slow as the scanner will need to perform a hash of all file contents as well as to perform a classification check. This can take a long time for every file on an endpoint. Results are sent in batches however, so results will start to be seen shortly after starting the initial scan. Subsequent scans will be significantly faster as the scanner only processes new and modified files. Typically this should be a relatively small number of files, particularly if the scan is configured to run every day.
