Posted by Dana Balaštíková, Last modified by Michael Skoupý on 13 October 2020 12:35 PM
Safetica 9.8 introduces a new feature called Shadow Copy, which helps investigate situations when sensitive files are changed after an incident takes place. With Shadow Copy, the admin can download and display the exact copy of the file that triggered the incident. Shadow Copy is useful for incident verification: it shows whether sensitive data was tampered with and, if so, what kind. It can also help you verify false positives during DLP implementation, since you can see exactly what files are captured by DLP policies.
Shadow Copy is an optional feature that is available in selected Safetica licenses.
How it works
When a DLP policy is violated, an exact copy of the file that was part of the incident is stored in secure local storage on the endpoint. The admin can later download this file copy to verify what data was involved in the incident.
If an endpoint does not have connectivity to the Safetica server, the admin must wait for it to connect before shadow copies can be downloaded.
Shadow Copy is supported for general and data DLP policies and for most data channels. You can find a complete list here.
How to enable shadow copy creation
How to collect a shadow copy
3. In Maintenance > Information collection confirm with . The shadow copy will start downloading.
Local shadow copy storage parameters
Minimum required free space on endpoint: 500 MB (reserved on every endpoint).
Maximum storage size: 5 GB or less (if there is less than 10 GB of free space left on the endpoint). When the maximum storage size is reached, the oldest local copies are deleted as new ones are added.
Maximum size of one file: 50 MB.
This prevents a single large file from pushing all older files out of the storage.
To change the default shadow copy storage parameters, please contact your Safetica Partner.