How to determine the executable name to monitor for the Application File Access Endpoint Agent channel using Process Monitor tool

Article ID: 275002

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You need to monitor a specific application so that incidents are generated when it accesses a file containing sensitive information. This is especially useful for monitoring or blocking file uploads through messaging and meeting applications such as Webex. Modern applications commonly use several executables for different parts of the application, so monitoring only one of them, for example the parent process, may not be enough to reach satisfactory detection results. This article describes a method for determining the name of the executable that is used when a file upload is attempted. The Webex messaging feature is used as the example.

Environment

15.8 or later.

Resolution

1. Download and unzip the Process Monitor tool from Sysinternals.

2. Launch the Process Monitor executable as an administrator by right-clicking it and choosing "Run as administrator".

3. In the filters window, which is displayed right after the tool is launched, enter the name of the file that will be used for testing. Use the "Path", "ends with" and "Include" options. Once the fields are filled in, click the "Add" button. The screenshot below shows an example where the name of the file to be uploaded is "afac.txt".

Note: If the filters window is not displayed automatically, it can be opened by clicking the funnel button in the top toolbar of the application:


4. Once the filter is added it becomes active in the list in the bottom section of the window, with a green mark next to it (indicating an Include filter) and its checkbox selected.

5. Click OK in the filters window. Ensure that Process Monitor capturing is enabled; this is indicated by the square Capture icon in the toolbar being highlighted. If it is not highlighted, click the icon to start the capture:

6. Attempt to upload the file with the application of interest. In this example the Webex messaging feature is used.

7. Once done, stop the trace by clicking the square Capture button once more to deactivate it. Its highlight will disappear.

8. If everything went well, a trace of all applications touching the configured file name will be visible in the bottom section of Process Monitor. Look for executable names related to the application. System executables such as Explorer.exe can be ignored. In the screenshot below it is visible that the file C:\temp\afac.txt was opened by CiscoCollabHost.exe:

9. With this information it is clear that CiscoCollabHost.exe should be added to Global Application Monitoring so that the agent can monitor or block files that are opened during a file upload with Webex messaging. It can be added using the process described in the document linked below:

Adding a Windows application (broadcom.com)
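When the same trace has to be reviewed for several applications or repeated across test machines, it is convenient to export it from Process Monitor (File > Save..., CSV format) and summarise it with a script. The following Python script is an added example for this article, not code from Broadcom, Sysinternals or the product: it applies the article's "Path ends with" Include filter to an exported trace, drops the system executables that step 8 says to ignore, and lists the remaining process names by how many file events they produced. The header row and the sample rows are constructed to look like a typical Process Monitor CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail); if your export uses different column names, adjust the column lookups accordingly. The set of ignored system processes is an assumption for the example and should be extended to match your environment.

```python
"""Summarise which executables touched a test file in a Process Monitor CSV export.

Added example for the article above; not part of Process Monitor or the DLP agent.
Assumed column names follow a typical Process Monitor CSV export (File > Save...).
"""
import csv
import io
from collections import Counter

# Assumed list of system processes that are not the uploading application itself
# (step 8 of the article says Explorer.exe can be ignored); extend as needed.
SYSTEM_PROCESSES = {"explorer.exe", "system", "searchindexer.exe", "svchost.exe"}

# Constructed sample export (not a real trace): a few events around afac.txt.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","Explorer.EXE","4120","CreateFile","C:\\temp\\afac.txt","SUCCESS","Desired Access: Read Attributes"
"10:01:05.2000000 AM","CiscoCollabHost.exe","7788","CreateFile","C:\\temp\\afac.txt","SUCCESS","Desired Access: Generic Read"
"10:01:05.2100000 AM","CiscoCollabHost.exe","7788","ReadFile","C:\\temp\\afac.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:01:05.2200000 AM","CiscoCollabHost.exe","7788","CloseFile","C:\\temp\\afac.txt","SUCCESS",""
"10:01:06.0000000 AM","CiscoCollabHost.exe","7788","CreateFile","C:\\Users\\test\\AppData\\Local\\other.dat","SUCCESS","Desired Access: Generic Write"
"10:01:07.0000000 AM","SearchIndexer.exe","2200","CreateFile","C:\\temp\\afac.txt","SUCCESS","Desired Access: Generic Read"
"""


def processes_touching(csv_text: str, file_name: str, ignore_system: bool = True) -> dict:
    """Return {process name: number of events} for rows whose Path ends with file_name.

    This is the article's "Path ends with <file>" Include filter applied after the
    fact to an exported trace. Matching is case-insensitive, like Windows paths.
    """
    counts = Counter()
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        path = row.get("Path", "") or ""
        if not path.lower().endswith(file_name.lower()):
            continue
        name = row.get("Process Name", "") or ""
        if ignore_system and name.lower() in SYSTEM_PROCESSES:
            continue
        counts[name] += 1
    return dict(counts)


def candidate_executables(csv_text: str, file_name: str) -> list:
    """Executables worth adding to Global Application Monitoring, most active first."""
    counts = processes_touching(csv_text, file_name)
    return sorted(counts, key=lambda n: (-counts[n], n.lower()))


def processes_touching_file(csv_path: str, file_name: str) -> dict:
    """Same as processes_touching, reading a saved export from disk.

    utf-8-sig tolerates the byte-order mark that Windows tools often write.
    """
    with open(csv_path, encoding="utf-8-sig", newline="") as fh:
        return processes_touching(fh.read(), file_name)


if __name__ == "__main__":
    # Run against the constructed sample; point processes_touching_file at a
    # real export to analyse your own trace.
    for name, n in processes_touching(SAMPLE_CSV, "afac.txt").items():
        print(f"{name}: {n} event(s) on afac.txt")
    print("Candidates:", candidate_executables(SAMPLE_CSV, "afac.txt"))
```

On the constructed sample the only candidate is CiscoCollabHost.exe, matching the result in step 8; Explorer.EXE and SearchIndexer.exe also opened the file but are filtered out as system processes. Passing `ignore_system=False` shows every process that touched the file, which is useful when an unexpected helper executable of the application is being missed.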