About Endpoint Security Shadow Copy - Frequently Asked Questions

Version 8

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 9.0 and Older, Endpoint Manager 2016.x

    Question 1:

    When a Device Control policy is applied and Shadow Copy is enabled, how can I check in real time which files have been shadow copied (copied from the PC to the USB stick)?


    This can be monitored from the LANDESK Management Console. From the Console, click Tools -> Security and Compliance -> Security activity, expand Security activity -> select Device Control and Shadow copy files. The list of files that have been copied from the PC to an external device is shown there.



    Question 2:

    Can I change the default directory for Shadow Copy from %System%\Shadowcopy to a network/shared path, e.g. \\ServerName\ShadowCopyFolder?


    No. The path for Shadow Copy can be customized, but only to another local directory. Further details: http://help.landesk.com/Topic/Index/ENU/LDMS/9.0/Content/Windows/security_device_control_h_help.htm



    Question 3:

    When information is transferred from the PC to USB, a local copy is made in the root %System%\Shadowcopy and the file is renamed to an unreadable name with the extension *.tmp. How can I recover that file in order to see what has really been copied by the user?


    To restore a copied file, first check the correspondence between the original file name and the .TMP file. This can be done in the Management Console -> Tools -> Security and Compliance -> Security Activity -> expand Device Control -> Shadow Copy files.

    For every original file name, there is a corresponding column called "Cached file name" that indicates the correct .TMP file.

    Once verified, go to the Shadow Copy folder on the end client machine and copy the .TMP file outside of the Shadow Copy folder; the original file is then ready.
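
The Question 3 procedure as a script, for when several files have to be recovered at once. This is an added example, not LANDESK code. Assumptions: the mapping rows are typed in by hand from the console's "Cached file name" column, the function name Restore-ShadowCopyFile and all folder and file names are hypothetical, and the copy is given back its original name and a SHA-256 hash is recorded, which the FAQ itself does not describe.

```powershell
# Added example. Folder names, file names and mapping rows are constructed.
function Restore-ShadowCopyFile {
    param(
        [Parameter(Mandatory)] [string]   $ShadowCopyDir,  # Shadow Copy folder on the client
        [Parameter(Mandatory)] [string]   $OutputDir,      # destination outside that folder
        [Parameter(Mandatory)] [object[]] $Mapping         # rows: OriginalName, CachedName
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    foreach ($row in $Mapping) {
        # Keep only the leaf of each name so a row cannot point outside either folder.
        $cachedLeaf = Split-Path -Path $row.CachedName -Leaf
        $origLeaf   = Split-Path -Path $row.OriginalName -Leaf
        $cached     = Join-Path $ShadowCopyDir $cachedLeaf
        $target     = Join-Path $OutputDir $origLeaf
        $status = 'Missing'; $hash = $null
        if (Test-Path -LiteralPath $cached -PathType Leaf) {
            if (Test-Path -LiteralPath $target) {
                # Same original name copied more than once: prefix with the cached name.
                $target = Join-Path $OutputDir ("{0}_{1}" -f $cachedLeaf, $origLeaf)
            }
            # Copy rather than move, so the cached file stays where the agent wrote it.
            Copy-Item -LiteralPath $cached -Destination $target
            $hash   = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            $status = 'Restored'
        }
        [pscustomobject]@{
            OriginalName = $row.OriginalName
            CachedName   = $row.CachedName
            Status       = $status
            SHA256       = $hash
        }
    }
}

# Constructed demo: a stand-in Shadow Copy folder holding one cached file.
$root   = Join-Path ([IO.Path]::GetTempPath()) 'shadowcopy-demo'
$shadow = Join-Path $root 'Shadowcopy'
New-Item -ItemType Directory -Path $shadow -Force | Out-Null
Set-Content -LiteralPath (Join-Path $shadow 'A1B2C3.tmp') -Value 'constructed sample content'

# Rows transcribed by hand from the console's Shadow Copy files list (constructed values).
$mapping = @(
    [pscustomobject]@{ OriginalName = 'budget.xlsx'; CachedName = 'A1B2C3.tmp' }
    [pscustomobject]@{ OriginalName = 'notes.txt';   CachedName = 'D4E5F6.tmp' }  # not on disk
)
Restore-ShadowCopyFile -ShadowCopyDir $shadow -OutputDir (Join-Path $root 'restored') -Mapping $mapping |
    Format-Table -AutoSize
```

A row reported as Missing means the cached .TMP file named in the console is no longer in the Shadow Copy folder on that client.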