The File activity tab in the Threat Indicators dashboard lists Windows clients with file-related anomalies, including the creation and deletion of a large number of active files as well as backed up files. The anomaly thresholds are based on historical activity and machine-learning algorithms to help reduce false positives from typical activity on the file system.
File activities on the client computer are checked every 5 minutes, and any abnormal activity is reported to the administrator by an alert and event. For the first 7 days, the client computer is monitored and analyzed for daily activity. After 7 days, a baseline of file activities is established and alerts and events are sent to the administrator when a large number of abnormal file activities is detected.
Up to 30 days of file activities are maintained in a database on the client computer for use by the monitoring algorithm.
Note
For a given point in time, the system only saves tracking activity on a maximum of 50 folder paths. However, if there is activity on more than 50 paths, their history can be found in the client's cviomonitor.log file.
The File Activity tab contains information for the following types of anomalies: