
Under the hood: a review of the program StaffCop Standard

Monitoring employee activity on workplace computers is common practice in many companies. And it is not necessarily because the head of security secretly dreamed of an SS uniform as a child. From my own experience, I can say that many system administrators by default trust ordinary users no more than monkeys with a bunch of grenades at the central control panel of a nuclear power plant.

However, my story will be told not from the point of view of a hired employee but "from behind the looking glass", because, regardless of anyone's personal ethical preferences, certain managers demand not only to watch employees at their workplaces during working hours, but also to see "with their own eyes" what the employees see on their monitors. It is a fact: the demand is large enough to have created an entire segment of employee-monitoring software on the corporate market, and StaffCop is only one of several alternatives available to an interested buyer.


The program comes in several editions: StaffCop Standard, aimed at corporate users (companies, universities, schools); the home version, StaffCop Home Edition; and the most powerful package, Security Curator. I tested the middle option, StaffCop Standard. A netbook with the following configuration was used for the tests:



Start


The first thing that catches the eye is that the program is intended for corporate use. This shows first of all in the interface, which is oriented toward professional users: an ordinary user is unlikely to grasp all its intricacies on the fly. StaffCop Standard works over the network, which is also evident at the very first launch.


The main window of the administration panel

At the bottom of the administration panel are the tabs, the first of which is "Screen".

Taking screenshots from the screen and viewing user activity in real time


Here you can follow any user in real time:


"Your card is beaten!"

The next feature I got to try was monitoring processes on a remote computer. It is located on the "Processes" tab.

The grouping of applications by type is immediately striking:


Grouping programs

- and I would even be ready to praise this function had I not opened the settings and found that applications are identified and grouped by a list of process names (skype.exe, soffice.bin). Accordingly, any application, say wow.exe, can be added to the list and placed in the "Internet applications" group. Moreover, if the game is protected against screenshots, nobody will notice its launch (especially if the monitoring is done not by the system administrator but by the immediate supervisor).

A useful additional feature here is the ability to terminate a process remotely.


Lists of executable files
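Because the grouping described above keys on the process name alone, the group says nothing about which binary actually ran. The following is an added example, not StaffCop's code: it puts a name-keyed lookup beside one keyed on a SHA-256 digest of the file contents and reports names that do not match reviewed contents. The byte strings, the "Office applications" group and the finding labels are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable contents (real use: read the file on disk).
SKYPE_BYTES = b"constructed contents of the reviewed skype.exe"
OFFICE_BYTES = b"constructed contents of the reviewed soffice.bin"
OTHER_BYTES = b"constructed contents of some unreviewed program"

# Name-keyed list, the scheme the review describes ("Office applications" is constructed).
NAME_GROUPS = {"skype.exe": "Internet applications",
               "soffice.bin": "Office applications"}

# Hash-keyed list (an assumption of this example): digest -> (expected name, group).
HASH_GROUPS = {
    sha256_hex(SKYPE_BYTES): ("skype.exe", "Internet applications"),
    sha256_hex(OFFICE_BYTES): ("soffice.bin", "Office applications"),
}

def group_by_name(name: str) -> str:
    """Name-only lookup: the group depends on nothing but the file name."""
    return NAME_GROUPS.get(name.lower(), "Unclassified")

def group_by_hash(name: str, content: bytes) -> tuple:
    """Return (group, finding); the group is decided by the content digest."""
    entry = HASH_GROUPS.get(sha256_hex(content))
    if entry is None:
        # Contents were never reviewed; a listed name on such a file deserves an alert.
        listed = name.lower() in NAME_GROUPS
        return ("Unclassified", "listed-name-unknown-content" if listed else "unknown")
    expected_name, group = entry
    finding = "ok" if name.lower() == expected_name else "known-content-other-name"
    return (group, finding)
```

The name lookup returns "Internet applications" for any file called skype.exe, while the digest lookup returns "Unclassified" with a finding unless the contents match a reviewed entry.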

Keyboard interceptor (keylogger)


A keylogger is also included in the standard feature set. By its nature this is a potentially dangerous capability, because an unscrupulous employee can use it, like the program as a whole, to spy on us. But our goal is noble: to prevent leaks of confidential data. And this part of the program copes with its task successfully. You can see which hotkeys the user pressed:


Built-in keylogger

In addition, the program can record data placed on the clipboard. Again, the feature is quite useful: it shows what the user is copying. Perhaps the user violates corporate security rules and copies passwords to avoid typing them by hand, or perhaps this hapless user is leaking trade secrets to competitors.


Clipboard content

In addition to all the goodies that I have already written about above, the program can record file system events and create a report on the use of USB devices on the computer.


Record file system events

Accordingly, you can always see who brought in the Trojan that took down the entire enterprise network, and at what time.


"Who inserted a flash drive there?"

And I was very pleased with the report generation system, which supports exporting reports to HTML, PDF and CSV. In verbose mode, the HTML report includes a chart showing how much time was spent in a particular window. This lets you quickly analyze how the user's time is occupied. For example, you can always find out whether the user spends 70% of work time with Solitaire open.


User Activity Chart

Other goodies


In addition to all the above, the developers also claim shadow copying of files that land on the clipboard (when the user copies or cuts something), of files sent to print (the shadow copy is saved as an image), and of files sent to social networks: photos, music, video.

Security


While studying the program, I discovered two vulnerabilities that allow its operation to be blocked: the first concerns access to the antivirus settings, the second concerns 64-bit systems.

First, Kaspersky Internet Security 2012 allows the main modules to be added to the Untrusted group in Application Control, after which StaffCop stops running. Under guest access, which is what practically all office workers in large companies use, nothing of the kind can be done, but this should still be kept in mind.


Ban from antivirus

The second vulnerability concerns detectability on 64-bit systems. In hidden mode the program should be concealed from the PC user as far as possible, so that it is hard to tell that the computer is being monitored and the program cannot be found among the processes. On 64-bit systems, however, it cannot be hidden completely, so it can be detected and disabled in Services, and its automatic start can be turned off. StaffCop can thus be blocked: it stops transmitting any data to the server while the machine still shows as "on the network", as if there were some communication error between the computer and the server.


Killed application service

However, Windows x64 is hardly found in the corporate segment, and StaffCop processes cannot be detected on 32-bit systems, so the vulnerability is highly conditional. Hence the conclusion: administrator access to a computer and monitoring of its user are incompatible. That, however, should be clear anyway.
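The failure mode described above, where a stopped agent looks like a communication error while the machine stays on the network, can be separated from a genuine outage by comparing the agent's last report with an independent sign of life. The following is an added example, not StaffCop's code; the record fields, host names and 30-minute threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 12, 0)  # constructed reference time

# Constructed sample. "last_seen_on_network" stands for any signal that does not
# come from the agent itself (for example a DHCP renewal or a domain logon).
HOSTS = [
    {"host": "pc-01", "last_agent_report": NOW - timedelta(minutes=2),
     "last_seen_on_network": NOW - timedelta(minutes=1)},
    {"host": "pc-02", "last_agent_report": NOW - timedelta(hours=3),
     "last_seen_on_network": NOW - timedelta(minutes=4)},
    {"host": "pc-03", "last_agent_report": NOW - timedelta(hours=5),
     "last_seen_on_network": NOW - timedelta(hours=5)},
    {"host": "pc-04", "last_agent_report": None,
     "last_seen_on_network": NOW - timedelta(minutes=10)},
]

def is_recent(timestamp, now, max_gap):
    """True when the timestamp exists and is no older than max_gap."""
    return timestamp is not None and now - timestamp <= max_gap

def triage(hosts, now, max_gap=timedelta(minutes=30)):
    """Classify each host as 'ok', 'agent-silent' or 'offline'."""
    result = {}
    for record in hosts:
        agent_alive = is_recent(record["last_agent_report"], now, max_gap)
        net_alive = is_recent(record["last_seen_on_network"], now, max_gap)
        if agent_alive:
            status = "ok"
        elif net_alive:
            # Machine is up but the agent is quiet: check service state and
            # autostart configuration on that host.
            status = "agent-silent"
        else:
            status = "offline"  # both signals stale: powered off or disconnected
        result[record["host"]] = status
    return result
```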

Other versions


For home use there is a cheaper Home version, positioned as parental control. It differs from the Standard version in that it can be installed on only 1 PC and, accordingly, the monitoring functions cannot be used over the local network. Otherwise it repeats all the functions of the higher edition.

In addition, there is a more "advanced" version of the application that allows a more detailed audit of personnel: Security Curator. In it the hidden mode is disabled, so users know that they are being monitored, and useful features have been added, such as monitoring FTP activity, notification of policy violations via SMS, blocking the connection of USB devices, and blocking the launch of applications.

Competitors


The main competitors of the application are LanAgent Standard, which provides almost the same functions at a slightly higher price, and Mipko Personal Monitor, which, unlike the above programs, supports Mac OS X.

Comparison of program features.

While studying the topic, I found a relevant comment on Habr (the author's punctuation and spelling are preserved):
LanAgent - horror horror horror - put heavily removed even harder. In addition, sometimes it loads the system as an Avatar rendering ... Although reports seem to be nothing. Mipko - this horror is not able to be installed remotely normally. StaffCop - put simply - but the toli have something wrong with me - the toli in the program itself - but watching the computers in the console - is unrealistic - then they disappear - then they disappear.


Hamburg score


screenshots feature
sending messages over the network
activity graphing
remote termination of processes

not fully implemented support for 64-bit systems

Of course, such programs are not a panacea for irresponsibility or malicious intent. StaffCop Standard can only point to the source of a leak; it cannot prevent it. In the end, the most important thing is well-built processes and personnel management. Then the employer can be at ease about corporate secrets and about how employees spend their working hours. And StaffCop is needed to confirm that confidence.

Source: https://habr.com/ru/post/126093/

