Why Choose CPTRAX for File System Auditing?

You have many choices when selecting a file system auditing and control solution for your Windows network. We created CPTRAX for Windows to give you a better choice. The following information has been prepared to provide a technical review of file system auditing methods and how CPTRAX for Windows is a better choice. The file system auditing methods that are compared to CPTRAX for Windows are:

Unique among Windows File System Auditing products, CPTRAX provides an integrated approach that fully connects with the server's communications channels. This allows CPTRAX to record all details regarding file system activity.

Benefited by kernel-level development design experience stretching back to the late 1980's and all versions of Windows since, CPTRAX offers a better choice for Windows File System Auditing. With CPTRAX you will receive reports that include:

• File/Folder name
• Event Type
• Account (user) and Domain name plus Distinguished Name
• Account SID
• Time of Event
• Permissions changed with full change details
• Owner changed and new owner identity
• For remote events, name of workstation where user was
• For remote events, IP address of where user was
• For remote events, Share name access was initiated upon
• For terminal server sessions, remote workstation where user was
• For terminal server sessions, IP address of where user was

And, unlike any other commercial Windows File System Auditing product, CPTRAX offers active blocking of undesirable create, delete and modification activity.

Additionally, the deep level of experience and expertise provided by the Visual Click Software Team gives you the power of CPTRAX without requiring any superfluous technologies on your servers such as the .NET framework, SQL Server, specific MSI Installer versions or any other add-on. While SQL is not required, we do offer the option of sending all activity records to an existing Microsoft SQL Server.

CPTRAX vs. Windows Event Log Readers

Several file system auditing products available rely upon Windows Event Logs to provide input for their reporting. And, many of these products require you to do your own Event Log "auditing" configuration. This is performed via a tedious manual process that involves visiting each folder (directory) to audit, select audit options and repeat for each user and/or group to audit.

What if you only want to know when certain files are changed? You could define auditing on select files, but, files are often deleted and re-created as part of normal operations making it difficult if not logistically impossible to audit at the file level. Not to mention new files would not be audited at all until auditing was established for each new file. All this means auditing options must be defined at the folder / directory level. Thus, if you simply wanted to track only activity upon XLS or DOC files you cannot define it within the Windows Event Log system. And it is the Windows Event Log system that many file system auditing products rely upon. Most of these tools offer report filtering so you can receive reports of just what you want but the Event Log files will be full of data you did not want to track.

All of this puts the Windows file system auditing process in charge of you because you have to constantly work for what you want and need.

Event Log details include:

CPTRAX adds the following, which Event Log details do not include:

• For remote events, name of workstation where user was
• For remote events, IP address of where user was
• For remote events, Share name access was initiated upon
• For terminal server sessions, remote workstation where user was
• For terminal server sessions, IP address of where user was
• Account's Security Identifier or SID
• Account's Distinguished Name or LDAP style name
• Permissions that were changed (when DACL is updated)
• Account Name of new Owner
• Renames are not tracked, only the original filename is recorded as being deleted but no create is recorded for the new filename (or folder name)

And, lastly, Event Log readers do not have the ability to block undesirable file actions.

CPTRAX versus: Polling and Snapshot Captures

Some of the available file system auditing products gather file system activity independently of Windows Event Logs via polling and snapshot captures. These products do not require auditing to be configured within the Windows event system. Some of these products include the option to add events to the Windows Event Log based upon activity independently gathered.

As implied by this section's header, polling and snapshot capture file system activity auditing products only report on what is found after the fact. Though some of the products in this group claim to have real-time auditing abilities, it is still based on polling technology. The limitations are consequential as only the bare minimum of file system activity is revealed. On the plus side, due to the lack of direct involvement in auditing file system activities, polling and snapshot products will record fewer events that the Windows Event Log system.

Polling/Snapshot details can include:

CPTRAX adds the following, which Polling/Snapshot details do not include:

• All File/Folder Events occurring between polling or snapshot periods
• Account (User) performing event / action
• Name of workstation where user was
• IP address of where user was
• For remote events, Share name access was initiated upon
• For terminal server sessions, remote workstation where user was
• For terminal server sessions, IP address of where user was
• Account Security Identifier or SID
• Account Distinguished Name or LDAP style name
• File/Folder Renames
• File Open / Read events
• File Change events as they occur

And, lastly, Polling and Snapshot Capture products do not have the ability to block undesirable file actions.

CPTRAX versus: File System Drivers

A few of the available file system auditing products use a kernel-level File System Driver to gather file system activity independently of Windows Event Logs. These products do not require auditing to be configured within the Windows event system.

These File System Driver products gather events by being directly involved with file system actions as each occurs. File System Drivers are kernel-level agents that, when in use, become part of the Windows file system. This means each file system activity is passed through the agent before it is applied to the affected file or folder. This "low level" of involvement with the Windows file system means nothing is missed. However, the only critical detail tracked is the name of the user (or other account) performing the file action. This means details of remote access are not recorded, no workstation name, no IP address.

File System Driver recorded details include:

CPTRAX adds the following, which File System Driver recorded details generally do not include:

• No direct indication of action was performed locally or remotely
• For remote events, name of workstation where user was
• For remote events, IP address of where user was
• For remote events, Share name access was initiated upon
• For terminal server sessions, remote workstation where user was
• For terminal server sessions, IP address of where user was

And, lastly, File System Driver products do have the innate ability to block undesirable file actions, but we have not found any such commercial products that offer this functionality.