
User activity monitoring

I work in a large industrial organization, and for about a month I have been immersed in implementing a system for monitoring user activity, which I will discuss in this post.

So, the task is to centrally collect information about users: idle time, programs used during working hours, document printing, and use of external drives. All computers run Windows XP SP3.

The following software was considered: BlackBoxPro from Asm Software, LanAgent from NetworkProfi and StaffCop from AtomPark Software. Incidentally, the last two products were developed in Russia. Nominally, in addition to the functionality we need, each program also allows intercepting instant-messenger messages, mail, clipboard contents, keystrokes, screenshots, etc.

All three applications were tested first on virtual machines, then on real network machines that were not the most critical for the organization, and the last stage was the rollout of the monitoring system to all user machines.

The main problem that arises when using this kind of software is interaction with antivirus programs (we have three of them: Nod32, Symantec and Kaspersky) and the firewall (a personal firewall). The fact is that antiviruses often take the agent part for spyware, which, by and large, is true. Thus, the main task of testing is to develop a list of exceptions for antiviruses and firewalls, since the developers' recommendations are far from our harsh reality.

Virtual Machine Testing

At the very first stage, BlackBoxPro was dropped immediately: its server part loaded the processor to 100% even when idle, which, coupled with an unsuccessful (subjectively) interface and a buggy remote installation of the agent, is not acceptable.

LanAgent demonstrated good, stable operation: remote installation of the agent part, low load on user machines, informative reports. But one thing must be noted. Correct processing of user activity (the ratio of work to idle time, locking, input/output) is possible only after a reboot, which in our case means only the next business day.

StaffCop also worked perfectly. Remote installation is implemented more conveniently than in LanAgent, and, subjectively, the user interface is better designed. However, the overall speed of work is significantly inferior to the competitor, since LanAgent generates reports from information that is already on the server, whereas StaffCop polls all agents again. The reports are also very informative, but they lack a little clarity.

Testing on real machines

The initial stage generously gave me optimism, which completely disappeared from the very first attempts at remote installation of agents on real machines. Where StaffCop, in the event of an error, honestly stated that the installation had not succeeded, LanAgent reported success even when it had been partially gutted by the antivirus. Consequently, there is no reason to speak of any correctness of LanAgent's information. And if we take into account that LanAgent, by design, starts working correctly only on the next working day (this is not a bug, but a feature =)), it may take more than a week to get some computers monitored normally. After the initial installation of LanAgent agents, the probability that monitoring will work correctly is approximately 30% (I could not identify any patterns here). The classic failure is that the counters are not started, with the result that the reports show negative computer time and unrecorded events and user activity.
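Because an installer's "success" cannot be trusted, the practical check is to validate what the agents actually report. The following is an added example (not code from the post or from either vendor) that triages a day's per-agent summary rows and flags the failure modes described above: negative time, time recorded without any events, agents that report nothing at all despite a "successful" install, and time totals that exceed the reporting window. The row format and the sample data are constructed for this example and do not correspond to any product's real export.

```python
# Triage of per-agent daily activity summaries.
# Hypothetical row layout: host, active seconds, idle seconds, event count.

WORKDAY_SEC = 8 * 3600  # assumed length of the reporting window

# Constructed sample rows (not real monitoring data).
SAMPLE_ROWS = [
    {"host": "ws-001", "active_sec": 25200, "idle_sec": 3600, "events": 412},
    {"host": "ws-002", "active_sec": -1800, "idle_sec": 0, "events": 0},      # counters never started
    {"host": "ws-003", "active_sec": 0, "idle_sec": 0, "events": 0},          # install "succeeded", agent silent
    {"host": "ws-004", "active_sec": 30000, "idle_sec": 20000, "events": 90}, # more time than the window holds
    {"host": "ws-005", "active_sec": 28800, "idle_sec": 0, "events": 0},      # time counted, no events captured
]


def check_row(row, workday_sec=WORKDAY_SEC):
    """Return a list of problems for one agent's daily summary (empty if healthy)."""
    active, idle, events = row["active_sec"], row["idle_sec"], row["events"]
    # An agent that reports nothing at all is most likely not running,
    # whatever the installer claimed.
    if active == 0 and idle == 0 and events == 0:
        return ["agent reported nothing"]
    problems = []
    if active < 0 or idle < 0:
        problems.append("negative time")          # counters not initialised
    if active + idle > workday_sec:
        problems.append("time exceeds window")    # double counting or clock skew
    if events == 0:
        problems.append("no events recorded")     # time ticks but capture is dead
    return problems


def triage(rows, workday_sec=WORKDAY_SEC):
    """Map host -> problems for every agent whose data cannot be trusted."""
    result = {}
    for row in rows:
        problems = check_row(row, workday_sec)
        if problems:
            result[row["host"]] = problems
    return result


def healthy_ratio(rows, workday_sec=WORKDAY_SEC):
    """Fraction of agents whose daily summary passed every check."""
    if not rows:
        return 0.0
    bad = triage(rows, workday_sec)
    return (len(rows) - len(bad)) / len(rows)


if __name__ == "__main__":
    for host, problems in triage(SAMPLE_ROWS).items():
        print(f"{host}: {', '.join(problems)}")
    print(f"healthy agents: {healthy_ratio(SAMPLE_ROWS):.0%}")
```

Running the triage after each collection cycle gives a concrete list of hosts to reinstall or re-poll, instead of discovering the gaps when the monthly report already contains negative hours.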

StaffCop works much better in this respect, but it cannot be said that everything is absolutely smooth. Remote installation of an agent takes from 30 seconds to 10 minutes (after repeated unsuccessful attempts, the agent can be installed absolutely normally; I could not determine the factors that influence success). The server side polls the agents correctly; no failures occurred. However, an error may occur when generating reports, since the StaffCop Report Builder cannot handle some characters, taking them for service characters.

Conclusion

I did not manage to find a system for monitoring user activity that would just install and just work. Based on a combination of factors, StaffCop was chosen as the final option; it currently runs on a separate server and monitors more than 200 users. Installing that number of agents took about 20 hours, since in some cases the agent had to be installed more than 10 times in a row. Similarly, to obtain data from some agents (probably a driver compatibility problem), data collection and processing has to be repeated several times. Because the problems that arise cannot be systematized, there is no longer any talk of automating report generation. I hope the developers will correct the shortcomings indicated above in future releases, and then it will be buy, install, use.

Source: https://habr.com/ru/post/122971/
