Monitoring Settings
A
Written by Arick Disilva
Updated this week

Introduction to the Monitoring Settings

The Monitoring Settings screen lets you create/edit monitoring profiles for users, computers, departments, and Active Directory groups and precisely control how much information will be collected for each monitored system (such as Websites, Apps, Emails, etc.). You can track as much or as little as you want based on your organization's needs and alleviate any privacy concerns.

image-233__1_.png

Some use cases of using Monitoring Settings are:

  • Create Monitoring Profiles to enable social media monitoring for the marketing department but disable it for other departments.

  • Configure the Websites monitoring so that it automatically suspends monitoring and keystrokes logging when users visit their bank’s portal or open their personal emails.

  • Set up Applications monitoring in such a way that it only records activity within business applications such as QuickBooks or SAP and does not record the screen or keystrokes when the user is on Facebook.​

  • Set up scheduled-based monitoring, recording during rule violations only, auto-delete old recordings, etc. to minimize data storage requirements and comply with regulations like GDPR.

  • Speed up configuring monitoring settings for large teams by allowing you to assign AD groups and departments directly to a profile.

Teramind comes with a Default settings profile. This profile is used by default for all users and cannot be deleted.

You can also change the monitoring settings of a user from their Employee Profile.

Accessing the Monitoring Settings Menu

image-234__1_.png

1. Click the Gear icon near the top-right corner of the Teramind Dashboard.

2. Click Monitoring settings from the pop-up menu.

Creating a New Monitoring Profile

image-235.png

1. Click the NEW PROFILE button near the top-right corner of the main Monitoring Settings screen. A pop-up window will be displayed.

image-236.png

2. Give the profile a name.

3. Optionally, give it a description.

4. Click APPLY CHANGES. You will be taken to a different screen with a list of all monitored systems.

Note that, Teramind comes with some default settings for each of the monitored systems. You can change them according to your needs.

5. Click the EDIT PROFILE INFO button at the top-right corner to edit the profile's name and description.

6. Click the EDIT OBJECTS TO TRACK button at the top-right corner to add objects that will be tracked. This will open a pop-up window:

You can add Users, Computers, Departments, and Active Directory Groups to the profile. Note that a user can be a member of multiple profiles. In such cases, profile conflicts can arise. Please see the Addressing Profile Conflicts/Prioritization section below for more information.

7. Click the ADVANCED button to access advanced options (see the Advanced Monitoring Settings below for more information on advanced settings).

8. The Clock button allows you to apply a single monitoring schedule (date and time) to multiple monitored objects instead of setting them one by one. See the Monitoring Schedule section to learn more.

9. Click the YES/NO button in front of a monitored system to turn monitoring on or off for it.

10. Click the small Gear icon at the right side of an object to edit its settings. See the Editing the Settings for Monitored Systems section below to continue setting up individual monitoring objects).

Addressing Profile Conflicts/Prioritization

A user can be a member of multiple profiles. For example, a user can be a member of the Marketing profile. They can also be a member of an AD group that's part of another profile.

When this happens, you will see an Exclamation button near the top-right corner of the Monitoring Settings screen. Clicking the button will show you the profile conflicts:

You can unassign the conflicting profile(s) to fix the conflicts. If you leave the conflicts, the monitoring will be prioritized as follows (a lower number means higher priority):

  • Computer.

  • User/Custom profile.

  • AD Group. If a user is a member of more than one group, the group with the lowest group ID will be used.

  • Department.

  • Default profile.

Advanced Monitoring Settings

Be careful when making changes to the Advanced monitoring settings as it might disrupt Teramind’s tracking capabilities, make the system unstable, prevent users from accessing their network, etc.

mceclip1.png

1. Click the ADVANCED button to change advanced settings. This will pop up a window:

advanced monitoring settings.png

2. FILE DRIVER: if disabled, the tmfsdrv2 service will be stopped on the users’ computers. As a result, File Transfer report, Content Sharing Rules, Files-Based Activity etc. will not work. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

3. NETWORK DRIVER: if disabled, the tm_filter service will be stopped on the users’ computers and the ‘Quick web proxy’ certificate will not be injected into the browsers. As a result, network-based activities will not be tracked and things like the IM report, Network-Based Rules, File Upload rules, etc. will not work. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

4. DON'T TRACK DLP FOR PROCESSES: allows you to exclude certain process(es) from the DLP scanning (e.g., data discovery and classification) and DLP rules. For example, svchost.exe, System Idle Process etc. Note that, this is different from disabling monitoring for an application using the SUSPEND MONITORING WHEN THESE APPLICATIONS ARE USED option on the Applications Monitoring Settings. That option disables all monitoring for a process (activity will not be captured and app will be blacked out on the session recording). On the other hand, DON'T TRACK DLP... will only disables DLP scanning for a process.

5. EXCLUDE PROCESSES FROM FILE DRIVER: is similar to the FILE DRIVER option except it allows you to enter specific processes/apps that will be excluded from the file driver instead of all processes/apps. For example, entering winword.exe into this field will exclude Microsoft Word from the file driver, chrome.exe will exclude Google Chrome browser, etc. This could be helpful for troubleshooting purposes. Also, with this option, you can ignore processes you don't want to capture while keeping the file transfers monitoring active. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

6. EXCLUDE PROCESSES FROM NETWORK DRIVER: is similar to the NETWORK DRIVER option except it allows you to enter specific processes/apps that will be excluded from the network driver instead of all processes/apps. For example, entering slack.exe into this field will exclude Slack from the network driver. This could be helpful for troubleshooting purposes. Also, with this option, you can ignore processes you don't want to capture while keeping the network monitoring active. Please see the notes under *FILE DRIVER vs NETWORK DRIVER below.

7. If the ALLOW APPLICATION RESTARTING is turned on, the Teramind Agent will automatically restart any open browsers when the DISABLE BUILT-IN PASSWORD MANAGER OF KNOWN BROWSERS option (see below) has changed so that the setting can take effect automatically. Otherwise, you will have to manually restart the browsers. It also allows you to restart the Mozilla Firefox and Tor browsers to inject the proxy certificate (required to monitor web traffic). Otherwise, you will have to manually restart the browsers.

8. Most modern browsers have a password manager that prompts you to save passwords from login forms on websites. While this is convenient, it's a security risk. The DISABLE BUILT-IN PASSWORD MANAGER OF KNOWN BROWSERS allows you to disable these built-in password managers. The user will not be able to override the option from their browsers. However, independent password managers such as LastPass will still work.

Please note that, if the ALLOW APPLICATION RESTARTING option (see above) is enabled, Teramind will automatically restart any open browsers so that the DISABLE BUILT-IN PASSWORD MANAGER OF KNOWN BROWSERS setting can take effect automatically. Otherwise, you will have to manually restart the browsers.

9. Under the RDP and clip blocking section, you will see several toggle options to enable/disable some functions in an RDP (Remote Desktop Protocol) session. For example, sharing of the printers, use of portable (USB) devices, etc. You can also disable screen snapshots and clipboard copy/paste operations for select apps.

Note that these settings aren’t available by default. Please reach out to your Customer Service Representative or Account Executive to active these features on your instance.

These settings apply to an RDP session only and not the user's computer. For example, if you enable the BLOCK PORTABLE DEVICES, Teramind will block devices such as USB drives, external webcams, etc. on the remote host computer not the user's computer.

10. If you enable the RESTRICTIONS option, you will see more options:

  • If you turn on the DISABLE ALL LOCAL ADMIN ACCOUNTS, EXCEPT BUILT-IN option, you can specify a new admin user and password. Then, when a admin logs in as a current Windows user, a new admin will be created and all existing admin accounts will be disabled.

  • The DISABLE WI-FI and DISABLE BLUETOOTH options will toggle the Wi-Fi and Bluetooth connections. Make sure the computer has an alternate method to connect to the internet (e.g., Ethernet) before enabling these options. Otherwise, the Agent will not be able to connect.

  • If you turn on the DISABLE USB DEVICES (EXCEPT KEYBOAD & MOUSE), then all the USB devices will be blocked except for keyboard and mouse.

11. If you have many users or a slow network, the MAX UPLOAD BANDWIDTH (KB/S) option will help you prevent overloading your network infrastructure by imposing a throttled bandwidth and the async upload of video/audio recordings. Furthermore, you can use the TIMEFRAME TO UPLOAD COLLECTED DATA option so that the uploads take place during off peak hours only. These options might also be useful if your end users have a slow connection. Here’s how the two settings work:

  • The MAX UPLOAD BANDWIDTH (KB/S) field allows you to set the maximum upload bandwidth (in kilobytes per second). If no value or a 0 value is set in the field, the bandwidth will be unlimited.

  • The TIMEFRAME TO UPLOAD COLLECTED DATA lets you specify a time range for the upload activity. You can drag the two slider dots = to adjust the time. If no timeframe is configured, the Agent will be able to upload data anytime.

Please note that restricting the Agent upload bandwidth/timeframe might delay the data availability on the Dashboard and impact some features. For example, playback of video recordings, OCR search, etc.

12. Click the APPLY CHANGES button to save the changes or the Cancel button to cancel them.

*FILE DRIVER vs NETWORK DRIVER

File Driver

  • App/Web Activities: Will be tracked on BI Reports > Applications & Websites, Monitoring > Web Pages & Applications.

  • Online Meetings: Some apps might be tracked, others not. For example, Skype and Google Chat calls will not be tracked. However, Zoom calls will be tracked.

  • Instant Messaging: Will not be tracked.

  • Emails: Emails including attachments from both desktop apps (e.g., Outlook desktop client) and web emails (e.g., Gmail web) will be tracked on BI Reports > Emails, Monitoring > Emailing.

  • File Transfer: Web Upload/Web Download will be tracked. No other local file activities such as Access, Read, Write, Rename, etc. will be tracked. File transfers through apps such as Zoom, Teams etc. will not be tracked. RDP transfers will not be tracked.

  • Behavior Rules: Any Content rules involving local files and the app will be ignored.

Network Driver

  • App/Web Activities: will be tracked on BI Reports > Applications & Websites, Monitoring > Web Pages & Applications.

  • Online Meetings: incoming meetings will be tracked on desktop meeting apps. However, meetings from the web (e.g., Zoom Web) will not be tracked.

  • Instant Messaging: Will not be tracked.

  • Emails: Emails and attachments from a desktop app (e.g., Outlook desktop client) will be tracked on BI Reports > Emails, Monitoring > Emailing. But web emails (e.g., Gmail web) will not be tracked.

  • File Transfer: Web Upload/Web Download will not be tracked. But Upload/Download will be tracked. For example, if you uploaded a file through Google Drive desktop version, it will be tracked as upload. However, if you uploaded a file through the web version of Google Drive, it will be considered as a Web Upload and will NOT be tracked. However, uploads/downloads from some desktop applications such Microsoft Teams are considered as web uploads/web downloads and will not be tracked.

  • Note that there might be several file activities tracked by Teramind for a single web upload/web download event. This is because the OS might undertake several separate file actions when it’s uploading and downloading a file. For example, it might take the data from the web server, writes a temporary file to the local disk, renames the temporary file, then completes the download with another write operation:

    network monitoring-2.png

    In the above case, if you disable the NETWORK DRIVER, only the Web Download activity will not be tracked. However, the other local file activities (Write, Rename, etc.) will still be tracked. If you don’t want to track these activities, you will need to disable the FILE DRIVER which deals with local file transfers.

  • RDP Transfers: if you copy from the remote client to remote host, the copy operation will be tracked as a “Write” action:

    network monitoring.png

    However, copying from the remote host to the remote client will not be tracked.

  • Network Monitoring: Network activities will not be captured on reports such as BI Reports > Network Monitoring, Monitoring > Network Monitoring.

  • Behavior Rules: Network-rules and File-rules for upload/download will not be tracked.

Editing / Copying / Deleting a Monitoring Profile

image-3.png
  1. You can locate which profile an employee belongs to by using the Search box at the top-left corner of the main Monitoring Settings screen.

  2. You can click the OPTIONS icons to turn the monitoring on/off for them.

  3. Click the small Users icon at the top-right corner to add/remove objects (e.g., users, computer, etc.) to/from the profile. The process is similar to creating monitoring profiles (see Step 6 under the Creating a New Monitoring Profile section).

  4. Click the Copy icon to create a duplicate copy of the profile.

  5. Click the small Gear icon at the right site of a profile to edit it. Follow Steps 5-6 in the Creating a New Monitoring Profile section above to learn how to edit the profile.

  6. Click the small X icon to delete the profile.

Editing the Settings for Monitored Systems

Monitoring Schedule

Each Monitored System has a simple scheduler under the TRACKING DAYS AND TIME section at the bottom of its settings panel. Using this scheduler, you can quickly specify when the tracking and recording of the Monitored System will take place.

image-241.png
  1. Click on a day to enable/disable it.

  2. Drag the two small Circles to adjust the time.

  3. Click the Reverse icon to reverse the time.

  4. Click APPLY CHANGES to save the settings.

Editing Screen Settings

Note that some of the options on the Screen monitoring settings (for example, DELETE HISTORY) are only available on the On-Premise version.

The ALLOW REMOTE CONTROL option determines if Remote Control and Freeze Input features will be available on the Session Player’s Live Mode Controls.

If the user is using a Hidden Agent, ASYNC SCREEN UPLOAD will force Teramind to use a queue for screen recordings instead of uploading them in real-time. It’s suitable for a slower network or a busy OCR server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when ASYNC is enabled.

ASYNC SCREEN UPLOAD only works with the Hidden Agent. Ignore this setting if the user is using a Revealed Agent. Check out this article to learn more about the difference between the two agents.

RECORD LOCKED SESSIONS option allows you to continue recording even when the user locked their computer. A locked session can mean the user choosing the “Lock” (“Lock Screen” on Mac) command, a screen saver getting activated, or an RDP (remote desktop session) window minimized (see notes below)*.

By enabling RECORD ONLY WHEN BEHAVIOR RULE WAS VIOLATED in combination with the RECORD VIDEO rule action, you can capture the screen only when a rule is violated. This will help reduce the storage needed for the screen recordings or alleviate privacy concern.

Note that, you will have to enable the RECORD VIDEO option with the RECORD ONLY WHEN BEHAVIOR RULE WAS VIOLATED option. Otherwise, the video will not be recorded.

If UPDATE SCREEN ON EVENTS ONLY option is enabled, the screen on the Live Mode on the Session Player will only update the screen if any activity on the keyboard or mouse is detected or any behavior rule is triggered. Otherwise, the screen will remain still.

You can also control the FPS/frame rate by the MAXIMUM FRAMES PER SECOND option. The range is 1-4.

You should only enable the USE MODERN SCREEN GRABBING option on Windows 8 or above. If you are experiencing issues with screen captures, try toggling this option.

The GRAYSCALE / COLOR / HIGHCOLOR controls the color of the recordings. Note that HIGHCOLOR mode is only available on the On-Premise deployments. It also uses the most space.

The LIVE SCREEN SCALING controls the size of the recording.

Screen Scaling and OCR

Adjusting the LIVE SCREEN SCALING might affect the OCR accuracy and performance or make it inoperable.

On-Premise customers can specify when the recordings will be automatically deleted under the DELETE HISTORY AFTER. This will further reduce your storage requirements and help you comply with data retention policies. Note that, currently Teramind on AWS doesn't support the removal of screen recordings from AWS S3 buckets. If you have such a deployment, you will see a message, "Retention settings for cloud storage are not supported yet. Please setup retention policy manually in the cloud" under this setting and you won’t be able to edit the value in the field:

You can still use the Amazon S3 Lifecycle to manage your storage.

You can specify the MESSAGE DURING REMOTE CONTROL / MESSAGE DURING INPUT FREEZE when using those features in the Session Player’s Live Mode Controls.

*How Locked Session Monitoring Works

If RECORD LOCKED SESSIONS is turned ON:

  • The Agent will continue to track time.

  • The LIVE MONTAGE widget on the Dashboard, Session Player, Screen Snapshots report, etc. will display the OS lock screen or any active screen saver.

  • The Current Task column of the ONLINE EMPLOYEES widget on the Dashboard will show the currently active task and the Current Activity column will show nothing/blank.

  • The Last Login Time column on the Employees report will show, “Online”.

  • The time the user spends in lock mode will be counted towards Work Time: Time, Work Time: Idle Time and Login Sessions: Time (e.g., on the BI Reports > Productivity report).

  • On a Mac, the user will see a “Your screen is being observed” message near the top-right corner of the screen. If you want to hide from the user that their computer is being monitored, you should not enable this option on the Mac.

If RECORD LOCKED SESSIONS is turned OFF:

  • The Agent will not track time and stop any active task.

  • The LIVE MONTAGE widget on the Dashboard, Session Player, Screen Snapshots report, etc. will display a blank/black screen (if it’s a normal desktop) or the “SESSION LOCKED” message (if it’s a remote/RDP desktop and the RDP window is minimized).

  • The Current Task column of the ONLINE EMPLOYEES widget on the Dashboard will show, “No task” and the Current Activity column will show nothing/blank.

  • The Last Login Time column on the Employees report will show “Session locked”.

  • The time the user spends in lock mode will only be counted towards the Login Sessions: Time (e.g., on the BI Reports > Productivity report).

Editing Audio Settings

AUTOMATIC LEVEL ADJUSTMENT will automatically adjust the sound levels for higher/lower tones.

If the user is using a Hidden Agent, ASYNC AUDIO UPLOAD will force Teramind Agent to use a queue for audio recordings instead of uploading them in real-time. It’s suitable for a slower network or a busy server. However, you might experience some delay between the user activity and the recording appearing on the dashboard when ASYNC is enabled.

You can adjust the BITRATE to increase/decrease audio quality. Lower bitrate will require less CPU processing and storage.

You can toggle the MONITOR ALL INPUT DEVICES / OUTPUT DEVICES options to enable/disable recording for all microphones, speakers and line-in/out. By default, Teramind will capture the audio streams from the devices assigned as the default playback and recording device in Windows. If you enable this option, then audio streams from all recording/playback devices will be captured.

The MONITOR WHEN THESE APPLICATIONS USE MICROPHONE field will let you capture audio only when the microphone is used by select applications. You can use the following in the field:

  • Empty/No Value: audio will be recorded continuously, in all applications even if the input/output (I/O) device is not actually in use.

  • All: will record the audio in all applications, but only if the I/O device is currently in use.

  • Executable File Names/Apps: will record the audio in the specified applications and only if the I/O device is currently in use. For example, zoom.exe will only record audio when the microphone is activated in Zoom.

  • Text List/Regexp List: similar to the third option except that it will match the applications in the shared list.

Note that, this option doesn't affect the output playback/output audio.

ASYNC AUDIO UPLOAD only works with the Hidden Agent. Ignore this setting if the user is using a Revealed Agent. Check out this article to learn more about the difference between the two agents.

Editing Applications Settings

mceclip3__8_.png

You can turn monitoring on/off for the WINDOW TITLES. This gives you the ability to not track the title for apps which includes document name in their title. If you do not want Teramind to capture the document name, turning this option off can be helpful.

You can also turn monitoring on/off for CONSOLE COMMANDS (commands executed on the Windows Command Prompt or Terminal).

The MONITOR ONLY THESE APPLICATIONS field lets you select applications you want to monitor. If you enter an app in the field, all other apps will be blacked out on the Session Player/screen recordings. This option doesn’t impact worked time being tracked. It doesn't affect activities log either. Activities and keystrokes WILL be captured for non-monitored apps.

You can configure Applications settings to MONITOR only select applications; SUSPEND MONITORING* or SUSPEND KEYSTROKE monitoring when certain applications are used.

You can conditionally suspend monitoring*/keystrokes logging using the two …WITH CONDITION options. For example, you can suspend monitoring Firefox while it’s used from an IP approved by an access control list. Same way, you can suspend keystrokes logging of the Windows Installer when it’s launched from an IP range. For the CONDITION, you can select from a list of Any, a single IP, an IP range, list (Network Shared Lists), and cldr (Classless Inter-Domain Routing).

Finally, you can define the IDLE TIME* (used in the Productivity report, Agent Schedule-based rules and other places by Teramind).

*Notes About SUSPEND MONITORING… Settings

If you use the SUSPEND MONITORING WHEN THESE APPLICATIONS ARE USED or SUSPEND MONITORING WHEN THESE APPLICATIONS ARE USED WITH CONDITION option, the following will happen:

  • User activities on the specified apps will not be captured

  • Keystrokes will not be captured

  • The app windows will be blacked out in the video recording or during the live view mode of the session player (see the Dynamic Blackout section below for more information)

*Idle Time in Reports vs Rules

Note that the IDLE TIME THREHOLD is used to measure Idle Time, Productive Idle Time, Unproductive Idle Time, etc. on the Productivity, BI Reports > Productivity, BI Reports > Application & Websites, etc. reports. It doesn’t affect idle times in rules (for example, the Idle criterion in Agent Based-rules, the Time Idle and Total Time Idle criteria in Applications/Websites-based rules, etc.). The rule will be triggered independently from the IDLE TIME THRESHOLD value. For example, you can set your IDLE TIME THRESHILD to 30 minutes and create an Applications rule with the Time Idle criterion and set it to 10 minutes. In this case, the rule will trigger every 10 minutes the employee remains idle. However, on the various productivity reports, the idle time will only be recorded if the employee remains idle for more than 30 min.

Editing Websites Settings

MONITOR ONLY THESE WEBSITES field allows you to define websites or a list of websites, for which you want to record the screen and keystrokes. If you use this field, all other websites will be blacked-out in the Live Mode and recordings of the Session Player. Activities on other websites are tracked as the browser process (e.g., chrome.exe).

DON'T MONITOR WEB TRAFFIC FOR THESE WEBSITES* defines the websites for which you want to suspend recording. Screen and keystroke recording for all other sites will be enabled. Please see the notes below.

SUSPEND MONITORING WHEN THESE WEBSITES ARE VISITED* does not capture any activity, and keystrokes when the specified websites are visited. The browser window is blacked-out in the video recording or during the live view mode of the session player. Please see the notes below.

SUSPEND MONITORING WHEN WEBSITE CONTAINS CONTENT* – will suspend monitoring of a website if certain text/content is detected inside the loaded webpage. Keystrokes will not be recorded, and the screen will be blacked out. For example, by entering "password" in the field, you can dynamically suspend login pages of most websites. Note that, the text isn't case-sensitive.

The DON'T MONITOR WEB TRAFFIC FOR THESE IPS* prevents the Teramind Agent from injecting the Quick Proxy SSL certificate. See the notes below for more information.

The MONITOR WEB TRAFFIC FOR THESE IPS is the exact opposite of the ‘DON'T MONITOR WEB TRAFFIC FOR THESE IPS’ option.

Please be careful when using the two options above. You may accidentally turn monitoring on/off for other sites, as there may be several sites with the same IP.

The next three settings are the same as above, the only difference is, you use IP addresses instead of URLs. Please see the notes below.

SUSPEND MONITORING WHEN BROWSING TO IPS/DOMAINS NOT IN LIST* allows you to enter either IPs or domains you want to monitor (and suspend monitor of all other websites/IPs). Other suspension rules apply. Please see the notes below.

You can also SUSPEND KEYSTROKE … setting to suspend just the keystroke recordings.

You can suspend monitoring for all PRIVATE BROWSING (incognito) sessions. The browser window will be blacked out and the keystrokes will not be captured from that window. However, the full URL is still captured in the activity log. For this reason, keystrokes might still be captured as part of the URL. For example, when you use a search engine like Google.

You can turn off the MONITOR KEYSTROKES FOR PASSWORD FIELDS option to suspend capturing of keystrokes in password fields. For example, a login page containing a HTML input field such as <input type="password">*. See the notes below for more information.

MONITOR CONNECTION TO HOSTS WITH INVALID CERTIFICATES allows you to monitor websites that have an invalid certificate. In some situation this might be necessary. Because, by default, Teramind doesn't track connections to a website with a bad SSL certificate. So, for example, if your On-Premise server has a self-signed certificate, downloads from the Teramind Dashboard will not be recognized as web downloads. Adding the IP address of the server in the MONITOR CONNECTION TO HOSTS WITH IVALID CERTIFICATE* field will activate SSL traffic decrypting so that Teramind will be able to properly parse and present the information on the Dashboard. However, this is not a recommended method and this option should only be used as a last resort. Please see the notes below.

WSS PORT field lets you specify the port for web traffic redirection (Web Security Service). It’s used by the Teramind Agent's network filter driver to monitor web traffic. Generally, you don’t need to change the default port. However, in rare situations, you might need change it. For example, if an application is using the default/same WSS port, you can assign a different port to the Agent using this field.

*Notes About PASSWORD FIELDS

  • Password field detection might not work on websites that use Java-based widgets.

  • Password field detection will only work if it's masked (e.g., the text field doesn't show the typed password, instead it shows special symbols like * or ) or if the name property of the field contains 'pass'. Otherwise, the Agent will capture all the keystrokes entered in the password field even if the MONITOR KEYSTROKES FOR PASSWORD FIELDS option is disabled.

*Summary of Websites Exclusion Options

DON'T MONITOR WEB TRAFFIC FOR THESE WEBSITES

  • Quick Proxy certificate IS injected

  • Does NOT appear in the activity log

  • Keystrokes ARE captured

If, for example, you enter microsoft.com in the DON'T MONITOR WEB TRAFFIC FOR THESE WEBSITES field, then the agent will not monitor activity for microsoft.com or other pages/subdomains like www.microsoft.com, support.microsoft.com, or accounts.microsoft.com.

SUSPEND MONITORING WHEN THESE WEBSITES ARE VISITED

  • Quick Proxy certificate IS injected

  • Does NOT appear in the activity log

  • Keystrokes are NOT captured

  • The browser window is blacked-out in the video recording or during the live view mode of the session player (see the Dynamic Blackout section below for more information)

DON'T MONITOR WEB TRAFFIC FOR THESE IPS

  • Quick Proxy certificate is NOT injected

  • Behavior rules NOT enforced

  • Appear in the activity log

  • Keystrokes ARE captured

Any webpages entered in this field will appear in the activity reports (e.g., Monitoring > Web Pages & Applications). This field will accept IPs, an IP with mask, or a domain name (excluding the http:// or https:// prefix). If you enter a domain instead of an IP address (e.g., microsoft.com), a domain lookup will be performed to query a list of IPs that correspond to the domain. Also, adding a primary domain such as microsoft.com will NOT prevent the certificate from being injected for sub-domains, (e.g., support.microsoft.com, accounts.microsoft.com, etc.). This field also doesn't work with a wildcard, so, entering *.microsoft.com is not a valid entry. However, regular expressions are supported. Here are some example:

  • To match only subdomains, excluding www:

    ^(?!www.)(?:.*\.)google\.com

  • To match only root domain with or without www:

    ^(www.)?google\.com

SUSPEND MONITORING WHEN BROWSING TO THESE IPS

  • Quick Proxy certificate IS injected

  • Does NOT appear in the activity log

  • Keystrokes are NOT captured

The browser window is blacked-out in the video recording or during the live view mode of the session player (see the Dynamic Blackout section below for more information)

*DON’T MONITOR WEBSITES / IPS

Use the DON’T MONITOR WEB TRAFFIC FOR THESE IPS / WEBSITES fields if you want to prevent the Teramind Agent from injecting the Quick Proxy SSL cert. Use them if it looks like the agent’s cert if causing an issue with a website.

The difference between these two fields are:

  • WEBSITES: if we include host name here, then Teramind will not intercept traffic from these sites. But in case of HTTPS we still inject HTTPS certificate and recode encrypted data. This may lead to network issues.

  • IPS: this may contain IPs, IP with mask, or domain name of the site (excluding http:// or https:// prefix). For domains, it works by requesting list of IPs that corresponds to this domain. Please be careful that, when using this field, you may accidentally turn off monitoring for other sites, as there may be several sites with the same IP. If the IP is in this list, then Teramind will not recode encrypted data, and there will be no influence on the HTTPS traffic.

What sites to include in “DON’T MONITOR WEB TRAFFIC…”?

Site that resides on some domain name sometimes uses resources from other domains. To exclude all sources for the problem, you need to exclude all used resources. You can get a list of the domain names by turning off the Teramind Agent, run Chrome, Open “Developer Tools”, select “Network” tab, set “Disable cache” = true, “Preserve log” = true, right click on the header of the table with the network requests, select “Domain”, then reproduce situation that leads to an issue, and capture all domain names (from the Domain column) that were involved in the loading process.

*MONITOR CONNECTION TO HOSTS WITH INVALID CERTIFICATES

This option will allow all hosts to work with invalid certificates. This is not a recommended thing to do as it may help disguise invalid certificate and allow phishing attacks. As an alternative, you can also use a Match Regular Expression condition regexp/.*/ on any rules that require an URL/website address such as below:

photo_2020-10-14_13-22-08.jpg

Dynamic Blackout

Also known as screenshot redaction, blurring, censoring, abridged, etc.

dynamic-blackout.png

When you use any of the SUSPEND MONITORING… settings for any application or website, Teramind will automatically blackout the relevant application window in the video recording or during the live view mode of the session player (check out the Session Player section to learn more about session recording and live view).

The blackout feature works on both single monitor and multi-monitor setups.

Editing Emails Settings

You can use the settings to CAPTURE INCOMING / OUTGOING emails, CAPTURE EMAIL CONTENT and SAVE OUTGOING / INCOMING ATTACHMENTS etc. Note that, the options like the SAVE OUTGOING ATTACHMENTS, SAVE INCOMING ATTACHMENTS, CAPTURE EMAIL CONTENT etc. are dependent on the CAPTURE INCOMING and CAPTURE OUTGOING options. For example, if you disable the CAPTURE INCOMING option, then enable the SAVE INCOMING ATTACHMENT will not capture the incoming email attachments.

You can specify which email systems will be captured using the CAPTURE EMAIL THROUGH option. Teramind supports the most popular email clients such as Outlook, Gmail, Yahoo etc. - both desktop and web versions.

You can use regular expressions to ignore any attachments you do not want captured using the IGNORE ATTACHMENT... option. For example, to ignore music and video files, you can use something like this: /\.(mp3|mp4|avi)/gi. Note that, the emails will still be captured.

If you specify any value in the DELETE ATTACHMENTS AFTER (DAYS) field, then all the attachments will be removed after the specified days. The default value of 0 means the attachments will not be removed.

The IGNORE EVENTS OLDER THAN (DAYS) option allows you to cut off monitoring and capturing of emails older than certain days. This option is sometimes useful for clients like Outlook which may scan older emails if emails are moved, or archival policies are run. In such situations, by default, the Agent will capture any emails being accessed. This setting tells the Agent to ignore scanning older emails. However, behavior policies or rules for these old emails will still get triggered which might create false positives. To avoid that, you can enable the IGNORE EVENTS EVEN IF BEHAVIOR POLICIES MATCH option. This will prevent triggering of unexpected rule violations and false alerts by ignoring older emails. The default value for this option is 0, which means, all emails are captured.

The IGNORE EMAILS IF ALL DOMAINS MATCH (REGEX) option can be used to prevent monitoring of emails if all email addresses to/from/bcc/cc are all in the list of certain domain(s). The aim is to exclude corporate /internal emails from being monitored. For example: .*teramind.co will ignore all emails from teramind.co. These emails will also be excluded from any active policies and rules. Note that, all emails addresses (in to/from/bcc/cc, etc.) fields have to be in same domain(s) for this filter to work. Here are some examples:

1: Outgoing internal email:

2: Outgoing internal email with one external recipient:

3: Incoming internal email:

4: Incoming external email with an external recipient in the CC field:

In the above examples, only emails 1 and 3 will be ignored from monitoring because email 2 and 4 contains other domains (gmail.com and yahoo.com).

Editing File Transfers Settings

BASIC SETTING

On the BASIC SETTINGS tab, you can specify WHAT TO TRACK such as: LOCAL FILES, NETWROK FILES, LOCAL DOCUMENTS, NETWORK DOCUMENTS, EXTERNAL DOCUMENTS, CD/DVD BURNING, EXTERNAL DRIVES (i.e. USB / pen drives) etc.

You can select which file types to track under the FILE TYPES TO TRACK section. For example, TXT, DOC, XLS, PPT etc.

If the files you want to track aren’t available under the FILE TYPES TO TRACK option, you can use the FILE EXTENSIONS LIST TO TRACK field to manually enter file extensions. For example, “.odm”, “pkg”, etc.

You can specify which applications should be monitored for upload/download activities in the TRACK DOWLOADS AND UPLOADS FROM THESE APPLICATIONS field.

If you don’t want any locations (i.e. folders) to track, you can specify them in the DO NOT MONITOR THESE LOCATIONS field.

You can use the DO NOT MONITOR THESE LOCATIONS (REGEX) field to exclude multiple locations matching the regex pattern. For example: .*upload.*. You can also use local folder (e.g., Documents), network folder (e.g., \\corplan\Shared Drives), environmental/system variable, (e.g., %APPDATA%) and wildcards (e.g., c:\user\*\appdata) in the fields.

image-254.png

ADDITIONAL SETTINGS

On the ADDITIONAL SETTINGS tab, you can specify which file operations to track such as COPY (see notes below), RENAME, UPLOAD, DOWNLOAD, DELETE etc.

Note that Teramind cannot track the copy operation for a file from one network server to the same network server (e.g. source and destination is the same). For example, copying of a file from \\103.247.55.101\source_folder to \\103.247.55.101\destination_folder cannot be tracked. Copy to and from same local drives is detected as usual.

Also copying of an empty file cannot be tracked since it will be impossible for the system to distinguish between the file create and copy operations due to the zero size of the file.

Editing Printed Doc / Printer Settings

If you use a printer that requires login permission, use the PRINTER TRACKING ACCOUNT USER and the TRACKING ACCOUNT PASSWORD to specify the credentials. Otherwise, Teramind will not be able to monitor it.

You can turn CAPTURE ACTUAL DOCUMENT on/off to enable/disable capturing of the actual document. If you disable this option, the document name will still be captured and displayed on reports like the BI Reports > Printing but not the document itself.

The MAXIMUM CAPTURE DOCUMENET SIZE (no. of pages) field works a bit differently on Windows and Mac. On Windows, this option will determine maximum how many pages will be captured. For example, if you set the value to 50 pages, and the user prints a document containing 55 pages, the Agent will capture only the first 50 pages of the document and ignore the rest. On Mac, the Agent will NOT capture the document at all if it exceeds the specified maximum size. Document name will be captured though.

With the MONITORING_SETTINGS_EXCLUDED… option , you can add regular expressions to exclude any printers matching the name. For example, .*epson.

If you specify any value in the DELETE PRINTED DOCS AFTER (DAYS) field, then all the captured documents will be removed after the specified days. The default value of 0 means the documents will not be removed.

You can automatically clean the print spooler for a print server from the Computers > Computer’s details > Computer settings screen.

Editing Keystrokes / Key Logging Settings

image-256.png

You can turn CLIPBOARD tracking on/off from the Keystrokes settings panel.

Editing Instant Messaging / IM Settings

You can specify which messaging APPLICATIONS to track. Teramind supports the popular IMs such as Facebook, Skype, Slack etc.

You can TRACK INCOMING MESSAGES only or TRACK OUTGOING MESSAGES only or both.

IGNORE EVENTS OLDER THAN (DAYS) option allows you to cut off capturing IM conversations older than certain days. Users might browse older messages on the IM client. With this option, you can instruct the Agent not to capture those messages reducing noise in your monitoring reports.

IGNORE EVENTS EVEN IF BEHAVIOR POLICIES MATCH option allows you to determine if the rule engine should also ignore older messages. This will prevent the triggering of unexpected rule violations and false alerts by ignoring older messages.

Editing Social Media Settings

image-258.png

You can specify which messaging APPLICATIONS to track. Teramind supports the popular social media platforms such as Facebook, Twitter, LinkedIn etc. You can track NEW COMMENT, EDIT COMMENT, NEW POST, EDIT POST activities in those applications.

Editing Network Settings

You can turn SSL on to monitor secure connections (i.e. HTTPS / port: 443)*.

TRACK NETWORK CONNECTIONS option allows you turn network monitoring on/off*.

DON'T DISABLE TEREDO is applicable to Windows only. If enabled, this option will prevent Teramind from disabling Teredo. It’s used for secure communication over IPv6. If you encounter any problem with IP tracking, try toggling this setting.

TRACK ONLY THESE IPS allows you to monitor specific IP(s) only. You can enter IP addresses (e.g., 192.168.1.22) or use Network-based Shared Lists.

DO NOT TRACK THESE IPS does the opposite of TRACK ONLY THESE IPS.

TRACK ONLY THESE PORTS allows you to track only certain ports. For example, 25, 443, etc.

DO NOT TRACK THESE PORTS: does the opposite of TRACK ONLY THESE PORTS.

TRACK PROCESSES - allows you to specify which network processes to track. You can use process names (e.g., chrome.exe, com.apple.safari, etc.), Text-based Shared Lists or Regular Expressions (Regex)-based Shared Lists.

*Difference Between the TRACK NETWORK CONNECTIONS, SSL and
Overall Network Monitoring Setting

  1. If you turn off the TRACK NETWORK CONNECTIONS option, no network activities will be tracked. However, the Teramind proxy certificate will be injected. Websites and other network-based interceptions will work. Network-based behavior rules will work too.

  2. If you turn off the SSL option, but leave the TRACK NETWORK CONNECTIONS option on, then packets will be intercepted back and forth, but the Teramind proxy certificate will not be injected. Which means, you might lose the ability to track web-based emails such a Gmail, file uploads/downloads to/from the web, instant messaging, and social media, etc.

  3. If you turn off the entire Network monitoring - no certificate will be injected, no network tracking will take place, and Network-based behavior rules will not work.

  4. Also note that, if you turn of the network monitoring completely, you will still be able to web activities in the activity logs such as the BI Reports > Applications & Websites report. However, the Agent’s ability to intercept that traffic without a proxy cert will be affected.

Note that TRACK ONLY THESE IPS and TRACK ONLY THESE PORTS have higher priority than the DO NOT TRACK THESE IPS and DO NOT TRACK THESE PORTS settings. For example, suppose you specified the IP 162.11.23.1 in the TRACK ONLY THESE IPS field but then used a Shared List in the DO NOT TRACK THESE IPS which had these IPs: 162.11.23.0, 162.11.23.1, 162.11.23.2, etc., then 162.11.23.1 will be monitored (and rest of the IPs in the Shared List will not be monitored).

Editing Offline Recording Settings

The first option, OFFLINE RECORDING BUFFER LENGTH (HRS) allows you to specify how long the Teramind Agent will continue to record user actions while the user is disconnected from the internet or Teramind server. By default, the buffer is set to 24 hours, but you can increase or decrease the time as needed. Note that, you cannot enter a 0 value in the field. If you want to disable offline recording completely, turn off the OFFLINE RECORDING option from the main monitoring settings (Monitoring Settings > Monitoring profile).

The OFFLINE RECORDING BUFFER SIZE (MB) is optional and can be used to limit how much recording will be kept offline (in megabytes). Default value of 0 means, there will be no limit.

Note that, if you use both the OFFLINE RECORDING'S BUFFER LENGTH (HRS) and the OFFLINE RECORDING BUFFER SIZE (MB) options, the lowest value will be prioritized. For example, if you specify a 24-hour buffer length but a 10-MB buffer size, the Agent will only capture a few minutes of screen recordings (depending on the screen resolution, number of desktops/monitors, user activity, etc.). Same way, if you specified a 999999-MB buffer size but only a 1-hour buffer length, only 1 hour's worth of screen recordings will be captured even though the buffer can possibly hold a much longer duration of recordings.

Note that, currently only the Hidden Agent supports offline recording.

Editing OS States Settings

mceclip0__27_.png

These settings will enable event notifications for operating system states such as Lock, Sleep and Screen Saver to any SIEM integration (syslog event) you might have. These settings do not affect the monitoring of these event.

Editing Online Meetings Settings

mceclip1__19_.png

With these settings you can specify which online meeting apps to track. Teramind supports monitoring of AirCall, Microsoft Teams, RingCentral, Zoom, 8x8.

Editing Registry Settings

The Registry doesn’t come with any additional settings except for the monitoring schedules.

If the Registry monitoring is turned on, you will be able to detect registry entries such as programs, keys and values with Activity-based rules. Please see the Rules Guide for more information.

Editing Geolocation Settings

By default, every time a user changes their location it’s reported.

With the TIME THRESHOLD, you can specify a threshold (in seconds) to configure how often the location data will be reported instead. This can be useful in situations where the location changes too often and you don’t want your Geolocation report to be flooded with the information. For example, when you are traveling on a train or in a taxi with a laptop, your location may change every minute and the Geolocation report will show all the updates. With this setting, you can set a wait time before changing a location update.

The default value is 600 (or 10 minutes). A value of 0 will disable this option.

Editing Camera Usage Settings

Camera Usage doesn’t come with any additional settings except for the monitoring schedules. If the Camera Usage is turned on, you will be able to detect when users are using their webcams.

Editing OCR Settings

The OCR LANGUAGES allows you to pick one or more languages to process.

The PROCESS SCREEN RECORDS AFTER allows you to pick a starting date from which the recordings will be processed. Any recordings before this date will not be processed. This option can be useful if you didn't originally have the OCR feature enabled on your instance and activated it later.

Did this answer your question?