FileActivityWatch v1.70 Copyright (c) 2018 - 2023 Nir Sofer
See Also
- FileAccessErrorView — Show file open / read / write / delete errors on Windows
Description
FileActivityWatch is a tool for Windows that displays information about every file read/write/delete operation that occurs on your system.
For every file, FileActivityWatch displays the number of read/write bytes, number of read/write/delete operations, first and last read/write timestamp, and the name/ID of the process
responsible for the file operation.
System Requirements
This tool works on any version of Windows, starting from Windows Vista and up to Windows 11. Both 32-bit and 64-bit systems are supported.
Elevation (‘Run As Administrator’) is required to use this tool.
Versions History
- Version 1.70:
- Added ‘File Extension’ column.
- Version 1.68:
- Added ‘Black Background’ option (Under the View menu). When it’s turned on, the main table is displayed in black background and white text, instead of default system colors.
- Version 1.67:
- Added ‘Sort By’ toolbar button.
- Version 1.66:
- Added ‘Always On Top’ option.
- Version 1.65:
- Fixed some high DPI mode issues (Toolbar, Properties Window).
- Added option to change the sorting column from the menu (View -> Sort By). Like the column header click sorting, if you click again the same sorting menu item, it’ll switch between ascending and descending order. Also, if you hold down the shift key while choosing the sort menu item, you’ll get a secondary sorting.
- Version 1.61:
- Added ‘Process Services’ column, which displays the services of the process (Only when the ‘Process Grouping’ option is ‘Group by process ID’).
- Version 1.60:
- Added ‘Drives Summary’ option to the ‘Files/Folders Mode’ option, which allows you to display a summary of all activity of a drive in one item, instead of displaying every filename separately.
- Fixed to display the drive letter properly when USB drive is inserted while FileActivityWatch is active.
- Version 1.55:
- Added ‘Files/Folders Mode’ to the ‘Advanced Options’ window, which allows you to display a summary of all activity of a folder in one item, instead of displaying
every filename separately.
- Version 1.50:
- You can now choose the unit of the Read/Write Bytes columns: Bytes, kB, KiB, MB, MiB.
- Version 1.45:
- You can set any variable that is saved in the .cfg file from the command line. For example, this command sets a filter to display only file operations of .txt files:
FileActivityWatch.exe /FilenameFilterMode 1 /FilenameFilterStr "*.txt"
- Added ‘Align Numeric Columns To Right’ option (It’s turned on by default).
- Version 1.40:
- You can now specify "*." as wildcard to specify filename without extension.
- Explorer context menu inside FileActivityWatch: When you right-click on a single item while holding down the shift key, FileActivityWatch now displays the context menu of Windows Explorer, instead of the FileActivityWatch context menu.
- Version 1.35:
- Added ‘Process Grouping’ option (In ‘Advanced Options’ window — F9): ‘Don’t group by process’, ‘Group by process ID’ (Default), ‘Group by process filename’.
- Version 1.31:
- Added ‘Skip Activity of EtwRTNT Kernel Logger.etl’ option (Turned on by default). The activity of this file is a side effect of the system tracing that FileActivityWatch uses to get the file activity data, so it’s now hidden by default.
- Version 1.30:
- Added option to filter by process name (In ‘Advanced Options’ window — F9).
- Version 1.27:
- Added ‘Put Icon On Tray’ option.
- Version 1.26:
- Fixed to display properly files on a remote network drive.
- Version 1.25:
- Added option to filter by filename wildcard (In ‘Advanced Options’ window — F9).
- Version 1.21:
- Added ‘Add Header Line To CSV/Tab-Delimited File’ option (Turned on by default).
- Version 1.20:
- Added command-line options to save the report of FileActivityWatch into a file without displaying any user interface.
- Version 1.10:
- Added ‘File Properties’ (Ctrl+Enter), ‘Open File Folder’ (F8), and ‘Explorer Copy’ (Ctrl+E).
- Version 1.09:
- Added ‘Save All Items’ option (Shift+Ctrl+S).
- Version 1.08:
- You can now resize the properties window, and the last size/position of this window is saved in the .cfg file.
- Version 1.07:
- Added option to choose another font (name and size) to display in the main window.
- Version 1.06:
- Added ‘Automatically Scroll Down On New Items’ option.
- Version 1.05:
- Added new columns: ‘Read+Write Bytes’ and ‘Read+Write Count’.
- Version 1.00: First release.
Known Issues
- This tool cannot detect read/write activity if the file was opened while the tool was not running.
Start Using FileActivityWatch
FileActivityWatch doesn’t require any installation process or additional DLL files. In order to start using it, simply run the executable file — FileActivityWatch.exe
Immediately after running FileActivityWatch, the main window displays all read/write/delete operations made by applications running on your system.
Under the Options menu you can choose which type of operation to trace: ‘Capture Read Events’, ‘Capture Write Events’, and ‘Capture Delete Events’.
You can also turn off all events tracing by unchecking the ‘Capture Events’ option (F2).
At any time, you can press Ctrl+X (Clear List) in order to clear all items accumulated in the main window of FileActivityWatch.
Mark Files With Active Read/Write
When the ‘Mark Files With Active Read/Write’ option is turned on, every item with read/write/delete operation in the last few seconds is marked as follows:
- Green — Read operation
- Yellow — Write operation
- Red — Read+Write operation
- Blue — Delete operation
FileActivityWatch Columns
- Filename: The filename that had read/write/delete operation.
- Process ID: The ID of the process responsible for the read/write/delete operation.
- Process Name: The name of the process responsible for the read/write/delete operation.
- Process Path: Full path of the process.
- Read Count: Number of read operations.
- Write Count: Number of write operations.
- Delete Count: Number of times that the file was deleted by the specified process.
- Read Bytes: Total number of bytes read from the specified file by the specified process.
- Write Bytes: Total number of bytes written to the specified file by the specified process.
- First Read Time: Date/time when the first read operation was detected.
- First Write Time: Date/time when the first write operation was detected.
- Last Read Time: Date/time when the last read operation was detected.
- Last Write Time: Date/time when the last write operation was detected.
Command-Line Options
/CaptureTime <Milliseconds> | Specifies the capture time in milliseconds for the save command-line options (/stext, /stab, /scomma, and so on…). The default is 10000 milliseconds (10 seconds). |
/cfg <Filename> | Start FileActivityWatch with the specified configuration file. For example: FileActivityWatch.exe /cfg "c:\config\faw.cfg" or FileActivityWatch.exe /cfg "%AppData%\FileActivityWatch.cfg" |
/stext <Filename> | Save the report of FileActivityWatch into a simple text file. |
/stab <Filename> | Save the report of FileActivityWatch into a tab-delimited text file. |
/scomma <Filename> | Save the report of FileActivityWatch into a comma-delimited text file (csv). |
/shtml <Filename> | Save the report of FileActivityWatch into HTML file (Horizontal). |
/sverhtml <Filename> | Save the report of FileActivityWatch into HTML file (Vertical). |
/sxml <Filename> | Save the report of FileActivityWatch into XML file. |
/sjson <Filename> | Save the report of FileActivityWatch into JSON file. |
/sort <column> | This command-line option can be used with other save options for sorting by the desired column. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Filename" and "Process Name". You can specify the ‘~’ prefix character (e.g: "~Write Bytes") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. |
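An added example (not part of the NirSoft documentation or code): a Python triage script for a report saved with /scomma, which groups the per-file rows by process and flags processes that both wrote and deleted many distinct files. It assumes the CSV header line uses the column names listed under ‘FileActivityWatch Columns’ and that the byte unit is Bytes; the sample rows, process names and thresholds are constructed for illustration.

```python
import csv
from dataclasses import dataclass, field

# Constructed sample of a report saved with, for example:
#   FileActivityWatch.exe /CaptureTime 30000 /scomma report.csv /sort "~Write Bytes"
# Assumption: the header line carries the column names listed on this page.
SAMPLE_REPORT = r"""Filename,Process ID,Process Name,Process Path,Read Count,Write Count,Delete Count,Read Bytes,Write Bytes
C:\Users\alice\Documents\budget.xlsx,4312,updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe,4,0,1,"1,048,576",0
C:\Users\alice\Documents\budget.xlsx.locked,4312,updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe,0,4,0,0,"1,048,592"
C:\Users\alice\Documents\notes.docx,4312,updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe,2,0,1,24576,0
C:\Users\alice\Documents\notes.docx.locked,4312,updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe,0,2,0,0,24592
C:\Users\alice\Pictures\scan.png,4312,updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe,1,0,1,8192,0
C:\Users\alice\Pictures\scan.png.locked,4312,updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe,0,1,0,0,8208
C:\Users\alice\AppData\Local\Browser\Cache\data_1,2200,browser.exe,C:\Program Files\Browser\browser.exe,10,25,0,40960,102400
C:\Users\alice\AppData\Local\Browser\Cache\data_2,2200,browser.exe,C:\Program Files\Browser\browser.exe,5,12,0,20480,51200
C:\Users\alice\AppData\Local\Browser\Cache\f_0001,2200,browser.exe,C:\Program Files\Browser\browser.exe,0,1,1,0,4096
C:\EtwRTNT Kernel Logger.etl,4,System,,0,300,0,0,9830400
"""

# Side effect of the tool's own tracing; hidden by default, skipped here in
# case the 'Skip Activity of EtwRTNT Kernel Logger.etl' option was turned off.
TRACE_SIDE_EFFECT = "etwrtnt kernel logger.etl"


def cell(row, name):
    """Return a stripped cell value; short rows yield None, which becomes ''."""
    return (row.get(name) or "").strip()


def to_int(value):
    """Parse a numeric cell, tolerating blanks and thousands separators."""
    digits = (value or "").replace(",", "").replace(" ", "")
    return int(digits) if digits.isdigit() else 0


@dataclass
class ProcessActivity:
    pid: str
    name: str
    path: str
    files_written: set = field(default_factory=set)
    files_deleted: set = field(default_factory=set)
    read_bytes: int = 0
    write_bytes: int = 0


def summarize(lines):
    """Aggregate per-file rows into one record per (PID, process name).

    `lines` is an open text file or any iterable of CSV lines.
    """
    procs = {}
    for row in csv.DictReader(lines):
        filename = cell(row, "Filename").lower()
        if not filename or filename.endswith(TRACE_SIDE_EFFECT):
            continue
        key = (cell(row, "Process ID"), cell(row, "Process Name").lower())
        if key not in procs:
            procs[key] = ProcessActivity(
                key[0], cell(row, "Process Name"), cell(row, "Process Path"))
        proc = procs[key]
        if to_int(row.get("Write Count")) > 0:
            proc.files_written.add(filename)
        if to_int(row.get("Delete Count")) > 0:
            proc.files_deleted.add(filename)
        proc.read_bytes += to_int(row.get("Read Bytes"))
        proc.write_bytes += to_int(row.get("Write Bytes"))
    return procs


def flag_suspicious(procs, min_written=3, min_deleted=2):
    """Processes that wrote AND deleted many distinct files, largest writers first.

    The thresholds are illustrative; tune them against a baseline capture.
    """
    hits = [p for p in procs.values()
            if len(p.files_written) >= min_written
            and len(p.files_deleted) >= min_deleted]
    return sorted(hits, key=lambda p: p.write_bytes, reverse=True)


if __name__ == "__main__":
    # For a real report, pass open("report.csv", newline="", encoding=...)
    # with the encoding the report was actually saved in.
    for p in flag_suspicious(summarize(SAMPLE_REPORT.splitlines())):
        print(f"PID {p.pid} {p.name} ({p.path}): "
              f"{len(p.files_written)} files written, "
              f"{len(p.files_deleted)} deleted, {p.write_bytes} bytes written")
```

As the Known Issues section states, a file that was opened while the tool was not running produces no rows, so a clean result from a short capture does not clear a process.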
Translating FileActivityWatch to other languages
In order to translate FileActivityWatch to other language, follow the instructions below:
- Run FileActivityWatch with /savelangfile parameter:
FileActivityWatch.exe /savelangfile
A file named FileActivityWatch_lng.ini will be created in the folder of FileActivityWatch utility.
- Open the created language file in Notepad or in any other text editor.
- Translate all string entries to the desired language. Optionally, you can also add your name and/or a link to your Web site (TranslatorName and TranslatorURL values). If you add this information, it’ll be used in the ‘About’ window.
- After you finish the translation, run FileActivityWatch, and all translated strings will be loaded from the language file.
If you want to run FileActivityWatch without the translation, simply rename the language file, or move
it to another folder.
License
This utility is released as freeware.
You are allowed to freely distribute this utility via floppy disk, CD-ROM,
Internet, or in any other way, as long as you don’t charge anything for this and you don’t
sell it or distribute it as a part of commercial product.
If you distribute this utility, you must include all files in
the distribution package, without any modification !
Disclaimer
The software is provided "AS IS" without any warranty, either expressed or implied,
including, but not limited to, the implied warranties of merchantability and fitness
for a particular purpose. The author will not be liable for any special, incidental,
consequential or indirect damages due to loss of data or any other reason.
Feedback
If you have any problem, suggestion, comment, or you found a bug in my utility,
you can send a message to nirsofer@yahoo.com
FileActivityWatch is also available in other languages. In order to change the language of
FileActivityWatch, download the appropriate language zip file, extract the ‘fileactivitywatch_lng.ini’,
and put it in the same folder where you installed the FileActivityWatch utility.
Language | Translated By | Date | Version |
---|---|---|---|
Brazilian Portuguese | Paulo Guzmán | 08/10/2018 | 1.08 |
Dutch | Jan Verheijen | 24/12/2023 | 1.70 |
French | Largo | 23/12/2023 | 1.70 |
French | Eric FICHOT | 28/07/2019 | 1.31 |
German | «Latino» | 21/04/2025 | 1.70 |
Greek | geogeo.gr | 13/10/2018 | 1.08 |
Hungarian | Timinoun | 03/08/2024 | 1.70 |
Italian | Styb | 03/01/2024 | 1.70 |
Japanese | youzeeen | 21/11/2020 | 1.61 |
Persian | ZendegiyeSabz | 29/12/2023 | 1.70 |
Polish | Hightower | 31/12/2023 | 1.70 |
Portuguese Brazil | igorruckert | 06/04/2018 | 1.00 |
Romanian | Jaff (Oprea Nicolae) | 28/12/2018 | 1.20 |
Russian | Dmitry Yerokhin | 09/01/2024 | 1.70 |
Simplified Chinese | DickMoore | 02/02/2024 | 1.70 |
Simplified Chinese | 林师兄 | 14/09/2019 | 1.35 |
Slovak | František Fico | 08/01/2024 | 1.70 |
Spanish | Ricardo A. Rivas | 18/11/2020 | 1.61 |
Traditional Chinese | Danfong Hsieh | 23/12/2023 | 1.70 |
Turkish | HARUN ARI | 22/12/2023 | 1.70 |
FileActivityWatch is a new portable program for Windows by Nirsoft that displays all read, write and delete operations of files on the operating system.
The program is compatible with all versions of Windows starting from Windows Vista and supports 32-bit and 64-bit editions of the operating system.
Since it is portable, you may run it without installation. Just download the small archive from the Nirsoft website and extract it on the system once the download completes.
You may run FileActivityWatch from any location. Note that the app displays a UAC prompt on start, which you need to accept to continue.
FileActivityWatch
The portable program monitors file activity on the system by default and updates the list of files in the interface automatically. It lists file names, process id and name, read and write bytes, and additional information about each recorded event.
Tip: Use the keyboard shortcut F2 while the program is active to start and stop the file event monitoring. Use the Options menu to toggle the monitoring of read, write or delete events individually.
Events are color-coded for easier identification:
- Green background — read operations
- Yellow background — write operations
- Red background — read and write operations
- Blue background — delete operations
A click on a column header sorts the data based on the parameter. You can sort by filename, process id, process name, or any other parameter that is available.
A built-in search, accessible via an icon, the shortcut Ctrl-F or the View menu, lets you filter the data; useful if FileActivityWatch ran for a prolonged period of time as a lot of data is recorded and displayed when it runs.
FileActivityWatch comes with the usual Nirsoft options that are included in all of Nir Sofer’s programs. You can export the data or a selection to XML, HTML, TXT or CSV files,
Closing Words
FileActivityWatch is a specialized program. You can use it to monitor file activity on Windows machines, and filter the monitoring on top of that. You could use the tool to monitor all delete operations that happen on the system.
The program lacks options to monitor only specific folders or files; the option to limit the monitoring would be very useful as it would reduce the size of the log and provide an option to focus on specific files or directories only.
How do you identify the programs that write unexplained files to disk? How do you find out where programs write their working files? How do you tell which programs put a heavy load on the disk, and which may be causing unnecessary rewriting of data? To answer these questions, you need to track the files Windows is operating on in real time: during active disk load, while the program of interest is running, or during normal system operation, depending on the situation.
This can be done with built-in and third-party tools. Let's look at them.
Windows Resource Monitor
The simplest way to track the files the operating system is working with is its built-in Resource Monitor utility, which is present in every version of Windows.
In this utility, open the Disk tab and look at the Disk Activity section. It shows the active processes along with the paths of the files being read and written and their read and write speeds.
The utility is not particularly informative. In addition, it does not always identify the processes of third-party programs, attributing them to the general System process.
Third-party utilities implement monitoring of the files Windows operates on more capably.
FileActivityWatch
The free, portable FileActivityWatch is one of the many Windows administration tools from the well-known NirSoft project. It records the files being operated on in chronological order from the moment it is started, with the date and time down to the second. It displays file paths, their processes, the amount of data read and written, the number of read, write and delete operations, the time of the first and last read and write operations, and other details.
Using the context menu on the selected files, you can copy their information to the clipboard, save it to a text file, or get it as a report in an HTML file. You can also open the folder containing the file in Windows Explorer.
Download the utility:
https://www.nirsoft.net/utils/file_activity_watch.html
Moo0 File Monitor
Another free utility for real-time monitoring of the files Windows operates on is Moo0 File Monitor. It is available in a portable version. It displays the files in chronological order from the moment it is started, with the date and time down to the second. It shows the file name, its path and its size. If a file was created, renamed or deleted, the entry is marked with that action.
On the utility's toolbar you can select individual logical drives to monitor by unchecking the ones you don't need. Double-clicking the row of a selected file opens its location in Windows Explorer. If needed, the monitoring results can be saved to an HTM file using the ‘Save Log’ button at the bottom.
Download the utility:
https://rus.moo0.com/?top=https://rus.moo0.com/software/FileMonitor/
This tutorial explains how to count file read and write operations by applications in Windows. AppReadWriteCounter, freeware by Nirsoft, is a very powerful tool that monitors all read and write operations by running applications in real time and shows you the details. On its main interface, you can clearly see stats such as read count, write count, read bytes, write bytes, read speed, write speed, product name, version, and description. You can see all these stats in real time and export them to an HTML, CSV, or TXT file.
AppReadWriteCounter is a good tool for monitoring read and write operations by suspicious applications like ransomware. If an unknown application is performing a large number of read and write operations on files, you will see it, and you can then take further steps to block it. However, this software doesn’t show the read and write operations that a process performed earlier. It can only show R/W stats from the point at which you run the software.
AppReadWriteCounter is a powerful tool for monitoring file operations by running applications in Windows. You can use it at any time to actively monitor any application that is performing file operations. You can see exactly how often an application is reading or writing files, along with other detailed stats.
Here are the steps to use this software to monitor file operations by applications in real-time.
Step 1: Download this software from this URL. After that, open it and it will automatically start scanning running processes. Wait a few seconds and it will load the list of all running operations along with their file operation stats.
Step 2: If you want to export the file operation details, you can select programs from the list or export them all in one go. After selecting programs, right-click anywhere and select the “Save Items” option. You can save the report in TXT, CSV, or HTML format.
In this way, you can easily count file read and write operations by applications in Windows. AppReadWriteCounter does a great job of showing the file read and write stats of any application. You can use this tool to detect a suspicious process that is performing an abnormal number of read and write operations, and later block it using Controlled Folder Access or any other process blocker tool.
Final thoughts
AppReadWriteCounter is a very good tool for counting file read and write operations by applications in Windows. You can actively monitor every read and write operation by a process and see how many bytes of data it has read or written. This is a very useful tool for testing your applications or monitoring suspicious ones.
File monitoring software shows who accessed a file on your network, along with when, and what they did. In this article we’re going to look at the best file activity monitoring software tools.
Network Security and Administration Expert
Updated: November 30, 2024
File activity monitoring software tools use deep packet inspection to see how users are interacting with files throughout the network.
Controlling access to sensitive files should be a component of any complete cybersecurity strategy. Stopping unauthorized individuals from stealing confidential data is important for preventing sensitive information from being stolen.
File monitoring software shows who accessed a file, when, and what they did.
Here is our list of the best file activity monitoring software tools:
- ManageEngine ADAudit Plus EDITOR’S CHOICE This package relates actions on a server to the user accounts in Active Directory, it implements user activity tracking for insider threat detection, and it protects AD objects from tampering. Available for Windows Server, AWS, and Azure. Start a 30-day free trial.
- SolarWinds Server & Application Monitor (FREE TRIAL) A server management tool that includes file tracking utilities. See real-time stats on individual files as well as drive metrics. Download the 30-day free trial.
- Site24x7 Infrastructure (FREE TRIAL) This cloud-based system monitor includes monitoring routines for all types of servers, including those used for storage. This includes services to add extra protection to stores of sensitive data. Start 30-day free trial.
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This software package provides protection for files on multiple sites and tracks the users that access sensitive data. Runs on Windows Server. Start a 30-day free trial.
- ManageEngine DataSecurity Plus A file monitor that tracks file access and changes per user.
- Teramind A file activity monitor that records the users that access or modify any file on the system.
- PA File Sight A real-time file monitoring system that logs the source of any file-changing activity.
- FileAudit A real-time file monitoring system that includes alerts to key supervisors.
Related post: Best File Integrity Monitoring (FIM) Tools
The Best File Activity Monitoring Software Tools
Our methodology for selecting a file monitoring tool
We reviewed the file activity monitoring market and analyzed tools based on the following criteria:
- Logging of all file access events
- Registration of user account and the date and time of any access
- The ability to identify only certain files or directories for protection
- The option to set alerts on file changes
- A backup facility that automatically restores tampered files
- The ability to block file copies
- An option to try the service for free as an assessment
- A price set at a fair value for the quality of services offered
1. ManageEngine ADAudit Plus (FREE TRIAL)
ManageEngine ADAudit Plus is a tool for ensuring data integrity by tracking user activities on servers, particularly on files. While this system doesn’t include a sensitive data discovery and classification service, it will protect sensitive data along with all other files.
Key Features:
- User Behavior Analysis: Creates a baseline of regular activity per user
- Alerts on Unusual Activity: Sudden changes in behavior could indicate account takeover
- File Activity Monitoring: Records the user involved in a file access or content changes
- Real-Time Active Directory Monitoring: Track and audit all changes to Active Directory objects, such as user accounts, groups, and organizational units (OUs).
- Advanced Reports & Dashboards: Pre-configured and customizable reports provide insights into AD user activities, security events, and system performance.
Why do we recommend it?
ManageEngine ADAudit Plus is a package of activity recording services. The name implies that the system operates on Active Directory. However, this is misleading because the tool lays down user activity records, referencing AD for user identities. This is a file activity monitoring tool that can be used for data loss prevention.
ADAudit Plus is available for AWS and Azure as well as for Windows Server. Each deployment will scan Active Directory and note its current status. If changes are made to objects in that system, the ADAudit Plus service raises an alert, which enables you to reverse those changes, which might include the addition of user accounts.
The file integrity monitor ties in with Active Directory. Thus, when a user accesses a file, the ManageEngine service logs that action. It also logs whether changes were made to the file during that session.
A major incentive to get ADAudit Plus is to comply with data security standards. The tool includes a compliance reporting module that can be tailored to the expectations of SOX, HIPAA, PCI-DSS, FISMA, and GLBA.
Who is it recommended for?
This package is suitable for businesses that need to prove protection standards compliance. The software runs on Windows Server, AWS, or Azure. There are two paid editions: one for LANs and the other for WANs. There is also a Free edition but that just processes data collected during the free trial of the paid versions.
Pros:
- Refers to Active Directory: Can use either Active Directory or Azure AD to verify file access permissions
- USB Tracking: Logs file movements onto and off a USB memory stick
- Compliance Reporting: Provides GDPR reports
- Group Policy Audit: Track changes to Group Policy Objects (GPOs), including modifications, deletions, and creation of policies.
- Historical Data Search: Search historical audit data to track trends, analyze security incidents, and provide historical context for compliance audits.
Cons:
- Focused on Windows: This system works almost exclusively on Windows-based systems
The ManageEngine ADAudit Plus runs on Windows Server, AWS, and Azure. There are three editions for ADAudit Plus: Free, Standard, and Professional. The Free edition will monitor 25 workstations, while the Standard edition will monitor activity on servers as well as workstations. The Professional edition adds on Active Directory monitoring. You can get the Professional Edition on a 30-day free trial.
EDITOR’S CHOICE
ManageEngine ADAudit Plus is our top pick for a file activity monitoring tool because this service combines file access monitoring with comprehensive Active Directory auditing. This allows organizations to not only track who is accessing critical files but also monitor changes to user permissions and group memberships, ensuring tighter security and better compliance management. One of the important services of ADAudit Plus is its real-time file access monitoring, which logs every read, write, and modification event on files and folders. This enables IT administrators to quickly detect unauthorized access or suspicious activity, ensuring sensitive data remains secure. The tool also tracks who accessed the files, when, and from which device, giving organizations full visibility into their data access patterns. ADAudit Plus offers customizable alerts to notify administrators of unusual activity, such as unauthorized access to sensitive files or failed login attempts. This proactive approach to monitoring enhances security by enabling swift responses to potential threats. Through its intuitive interface, ADAudit Plus provides access to compliance reporting for standards like GDPR and HIPAA, and cross-domain support. The package offers a scalable, powerful solution for organizations of all sizes, making it the ideal choice for file activity monitoring in Active Directory environments.
Download: Get a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/active-directory-audit/download.html
OS: Windows Server
2. SolarWinds Server & Application Monitor (FREE TRIAL)
SolarWinds Server & Application Monitor is an application and file monitoring tool that tracks file changes in real-time. From the dashboard, you can view file characteristics like content, size, age, and count. These monitors keep you updated on changes within the network. For example, file age monitor tells you when the file was last modified.
Key Features:
- On-Premises Software: Runs on Windows Server
- Tracks File Changes: Maintains monitors on files
- File Attributes: Logs file size, age, and name
- Folder Monitoring: Notes changes in file counts
- Checksum Tracking: Stores the MD5 checksums of files
Why do we recommend it?
SolarWinds Server & Application Monitor provides tracking for server activity to ensure that resources do not run out. Part of the functions of the tool involves counting files and if the count unexpectedly changes, there could be unauthorized activity. This is a particularly important function for guarding archives and log file directories.
The fast-track system configuration of SolarWinds Server & Application Monitor makes it ideal for SMEs. After installing the software the program will start to automatically discover connected devices. In less than an hour, you can have a functional file monitoring platform with monitoring templates included out-of-the-box.
Of course, you don’t have to catch everything in real-time: SolarWinds Server & Application Monitor does it for you. Monitors like the file count monitor alert you if the number of files within a directory exceeds the configured threshold. The alerts function highlights potentially malicious activity so that you can take a closer look. Alerts can be customized so that you choose what parameters should be used.
The SolarWinds Server & Application Monitor identifies all activity on files in real-time, while also keeping track of all server resource utilization. The monitor includes an alerting system so key technical staff can get on with other tasks without missing key events occurring on the file system and the server in general.
Who is it recommended for?
SolarWinds Server and Application Monitor isn’t a dedicated file integrity monitor but it does notice file creation or deletion actions. This is a supplementary service, while the main focus of the package is to prevent applications from performing badly by watching their activities and spotting server resource shortages.
Pros:
- Folder Alerts: Place limits on file counts per folder and alert if this threshold is approached or hit
- File Alerts: Get an alert if specific files are changed
- File Server Monitoring: Track the performance of and activity on file servers
- Multiple Platforms: Scans across the network to monitor physical, virtual, and cloud servers
- Crosses OSs: Runs on Windows Server but can access other servers running other operating systems
Cons:
- Windows Only: This software won’t run on Linux
If you require a file monitoring solution with application monitoring capabilities then SolarWinds Server & Application Monitor is highly recommended. SolarWinds Server & Application Monitor starts at a price of $2,995 (£2,349). There is also a 30-day free trial.
You can enhance file activity tracking by also using the SolarWinds Log Analyzer. You can buy both the Server & Application Monitor and the Log Analyzer in the Log and Systems Performance Pack. Both tools appear in a single console, so you don’t have to keep switching windows in order to keep track of events on your system. The pack installs on Windows Server. Download the 30-day free trial.
3. Site24x7 Infrastructure (FREE TRIAL)
Site24x7 is a cloud-based system monitoring platform that covers networks, servers, and applications. The service is packaged in different bundles and Site24x7 Infrastructure is one of them. This is a flexible plan and you choose which aspects of physical and virtual infrastructure you want the tool to monitor. One of the options is its file monitoring capabilities.
Key Features:
- Cloud-Based: A SaaS platform
- Full Stack Observability: Monitors networks, servers, and applications
- Tracks File Changes: The administrator specifies files for special monitoring
- Folder Monitoring: Sets folder size limits and alerts when that level is approached
Why do we recommend it?
Site24x7 Infrastructure watches over servers and services and it includes a file activity monitor. This tool is good for tracking the activities of users around stores of sensitive data. The system watches over file storage space and makes sure that there is still enough available for natural file creation processes, such as log file creation.
The file and directory monitoring system in Site24x7 includes comprehensive tools for protecting stores of sensitive data. This is an excellent data loss protection service because it includes active checks on changes in files as well as general file storage performance statistics.
The system can be set to pay extra attention to specific directories. It will track any changes to files including file permission changes – which is a sign of hacker activity. In this mode, the Site24x7 service will raise an alert and write to a log every time files are created, deleted, or modified in a nominated directory. The service also scans directories to highlight files that have not been accessed in a long time, which lets you know which files are good candidates for archiving or deletion.
This service will perform general monitoring tasks on file storage, such as tracking the growth rate of directories and recording metrics such as the number of files per directory or per device. You can centralize the monitoring of all of your servers in one overview that offers a drill-down path to see statistics on each individual location.
Who is it recommended for?
Site24x7 provides packages of monitoring systems, so you don’t just get the Infrastructure Monitoring system, you also get network monitoring and application monitoring, plus other utilities, such as log management. This makes the tool great value for money because it covers all of your monitoring needs.
Pros:
- Log File Access: Record the user account involved and the content that changed
- Alerts for Folder Creation: Also writes to a log file if a directory is created
- Log File Monitoring: Alerts if log files get corrupted
- Cross-Platform Monitoring: Monitors servers running Windows and Linux and also cloud platforms
Cons:
- Cloud Only: No on-premises version
Site24x7 is a subscription service and you can get it on a 30-day free trial.
4. ManageEngine Endpoint DLP Plus (FREE TRIAL)
ManageEngine Endpoint DLP Plus provides protection for the files that hold sensitive data and controls the movement of those files while tracking user activity. This system can be adapted to identify data based on a specific data protection standard, such as PCI DSS, HIPAA, or GDPR.
Key Features:
- Sensitive Data Discovery: Can be tailored to specific data protection standards
- Control of Data Movements: Emails, cloud uploads, file transfer protocols, and USB sticks
- Granular Controls: Operates permissions by user groups
Why do we recommend it?
ManageEngine Endpoint DLP Plus is a data loss prevention package. It scours all data stores for sensitive data and then classifies the instances that it finds. The process can be adapted to suit the requirements of a specific data protection standard. The tool then controls all movements of that sensitive data.
The DLP package routinely scans all endpoints for instances of sensitive data and categorizes all examples that it finds. The base package operates on a LAN but that functionality can be extended to multiple sites. Files that are found to contain sensitive data are protected by containerization, which makes them impossible to access directly or move.
Within the console for Endpoint DLP Plus, the administrator needs to define a list of trusted applications. These will be able to get access to the contents of protected files and they should themselves be protected by access rights credentials. Data access actions within these applications get logged with each instance attributed to a user account. If data access is unusual, an alert is raised and all of the activities of that account get logged for an investigation into an insider threat or account takeover.
Data movements are also tracked and controlled, while not banned. In some instances, copying or transferring files and extracts is necessary, so specific users are permitted to perform specific actions. These controls extend to USB devices, print queues, email systems, and cloud upload facilities.
Who is it recommended for?
This system will appeal to businesses that need to comply with a data protection standard, such as PCI DSS, GDPR, or HIPAA. There is a Free edition that will scan up to 25 endpoints. That is suitable for small businesses. The paid package can operate over a LAN or a WAN. The software runs on Windows Server.
Pros:
- Data Identification: Keywords, regex, and fingerprinting
- Insider Threat Detection: User behavior analytics
- Data Containerization: Protects files with encryption
Cons:
- Windows Software: Not available for Linux
Endpoint DLP Plus runs on Windows Server. You can get the Free Edition to manage data on up to 25 computers. The paid plan is called the Professional Edition and you can get it on a 30-day free trial. If you decide not to buy at the end of the trial, the package switches over to the Free Edition.
5. ManageEngine DataSecurity Plus
ManageEngine DataSecurity Plus is a file monitoring software platform that displays file and user activity on a network. You can see who accessed the file, when, and what they accessed. There are also several visual displays like graphs and pie charts that show you a more complete overview.
Key Features:
- Data Risk Assessment: Sensitive data discovery and classification
- File Server Auditing: File access logging
- Data Movement Tracking: Through emails, peripherals, or cloud uploads
Why do we recommend it?
ManageEngine DataSecurity Plus is a very similar package to the Endpoint DLP Plus system. With this tool, you get sensitive data discovery and classification and also control over data movement channels. The tool also manages file servers to ensure junk temporary files are cleared out and that file access permissions are sufficiently controlled.
For instance, you can see a pie chart of All File and folder changes which is broken down into Create, Delete, Modify, Permission Change, Overwrite, Rename, and Move. You can also view the most active users, most accessed files, and most modified files within the file server.
One premium feature included with ManageEngine DataSecurity Plus is file access analytics. File access analytics highlight access trends, monitor access times and detect anomalous file access. For example, the tool can identify if a file was accessed outside of working hours and if the user was authorized to access the content.
The built-in auditing and regulatory compliance of ManageEngine DataSecurity Plus are also extremely useful. The tool is compliant with PCI DSS, HIPAA, GDPR, SOX, GLBA, and FISMA. By auditing access privileges you can better control access to files and ensure you don’t leave yourself open to penalties or other liabilities.
Who is it recommended for?
This tool, like Endpoint DLP Plus, is good for those businesses that need to prove compliance with data security standards. It also tracks Web services and identifies when workers are spending time on non-business sites, such as social media systems. The package includes four modules, which are charged for individually.
Pros:
- Controls Data on Cloud Systems: Identifies shadow copies of files
- Ransomware Detection: Identifies malware by behavior
- File Copy Protection: Prevents sensitive data files from being copied
Cons:
- Software for Windows Server: Not available for Linux
For ManageEngine DataSecurity Plus file server auditing the price starts at $745 (£584) per year. The price includes file integrity monitoring, tracking file interactions, alerts, detect/quarantine ransomware and more. You can download the 30-day free trial version.
6. Teramind
Teramind is file activity monitoring software designed specifically for user activity monitoring. The product monitors file access, creation, deletion, and write operations. User activity is monitored through screen recording and textual logs so you can take a closer look at user activity to verify its legitimacy.
Key Features:
- Behavior Analysis: Focuses on insider threats
- Tracks User Access: Records Web and application access
- Content-Based Access Controls: Some users are blocked from accessing files with sensitive data
Why do we recommend it?
Teramind is a cloud platform that provides data loss prevention by focusing on insider threats. This remit also extends to combating account takeover. Data theft or sabotage requires the use of genuine user accounts. That makes intruders and disgruntled employees difficult to spot. This service deploys user behavior analytics to identify suspicious activity.
There is also a notifications system to keep you updated on developments in the network. For example, the notifications system tells you when files are uploaded to the cloud either as an email attachment or through a cloud service like Google Drive, Dropbox, or OneDrive. You also can block uploads to the cloud storage if you believe an activity is malicious in nature.
Who is it recommended for?
Teramind is priced per technician and there are three plans that make the system suitable for use by businesses of all sizes. This is a cloud-based package and so you don’t need to find server space or maintain the software. All of these factors make this an affordable system for data protection.
Pros:
- Selective Controls: Doesn’t block authorized users from doing their jobs
- Redaction: Prevents employees from seeing data without deleting it
- Optical Character Recognition (OCR): Can identify words in images
Cons:
- User Scrutiny: Mainly built to spy on employees
Teramind is available as an on-premises or cloud-based solution. Each has three product versions: Teramind Starter, Teramind UAM, and Teramind DLP. The on-premises versions start at $60 (£47) per month for 10 endpoints up to $150 (£117) per month for 10 endpoints. The cloud-based versions start at $60 (£47) per month for five users up to $150 (£117) for additional content-based data exfiltration rules.
7. PA File Sight
PA File Sight is a file monitoring solution with real-time file monitoring capabilities. The software monitors for file creation, deletion, modification, and movement of files. It also monitors the IP address, date/time and computer name of the interactions to help identify different users and spot suspicious activity. You can start monitoring as soon as you finish the setup process, which can be completed in just a matter of minutes.
Key Features:
- Protects Files: Blocks changes to files by unknown programs
- Application Whitelisting: Maintains a list of authorized software and blocks all others from running
- Controls User Actions: Blocks actions, such as file copying according to the user’s status
Why do we recommend it?
PA File Sight provides data protection. It looks out for ransomware activity and also blocks unauthorized access to files or movements of data. The system works by fencing all files and preventing all programs from running. The administrator then whitelists specific applications and they should have their own access credentials requirements.
The program also has automated alerts. PA File Sight alerts you on changes made to files so that you can detect log tampering. Alerts come with a range of supporting information including user account, user IP address, computer name, target file, what the activity was and the date/time. Having this information available to refer to helps to put all the necessary information in one place so that you can start to address an attack.
When it comes to auditing, PA File Sight is an excellent choice. Not only is it compliant with PCI, HIPAA, FISMA AC-19, SOX, and ISO 27001/27002, but it also has reports. Reports can be generated in text, HTML, PDF or .CSV. Reports show specific users, specific time range, and the time period.
There are two versions of the product available to purchase: PA File Sight Ultra, and PA File Sight Lite. The Lite version starts at $199 (£156.18) for 1-9 licenses and can monitor file activities, and generate alerts. The Ultra version starts at $599 (£470) for 1-9 licenses and can do everything the Lite version can but adds integration for Microsoft SQL Server, reports, advanced alerts, and the ability to block external drives.
Who is it recommended for?
Businesses that need to protect data from attacks need this tool. That description encompasses just about every business currently in operation because loss or damage to operational data can mean ruin to a business. For example, ransomware can prevent a business from continuing. This software runs on Windows Server.
Pros:
- Protects Against Ransomware: Malware isn’t allowed to run
- Selectively Block Access: Controls access to cloud platform and USB devices
- Activity Alerts: Draws the administrator’s attention to risky user behavior
Cons:
- Available for Windows Server: Won’t run on Linux
8. FileAudit
FileAudit is a real-time file monitoring tool that has been designed to help monitor how employees interact with files. The platform monitors file changes, read-write, deletion, and ownership. Having this information on hand makes sure that you can immediately discover and address cyberattacks before the damage is done.
Key Features:
- Tracks File Access: You can tailor this activity to specific files or specific locations
- Identifies Endpoints: Records the device that file access was made from
- Logs Activity: Records both successful and blocked file access events
Why do we recommend it?
IS Decisions FileAudit is a software package that protects files on Windows computers and cloud platforms. The system scans files on OneDrive, SharePoint Online, Google Drive, Dropbox, and Box. This system tracks user activities and spots irregular activity when accessing files. It also tightens up permissions and access rights.
There are also automated email alerts to notify you about user actions. Alerts are generated for certain events like the deletion of a file or if a user has been denied access to a file. Staying on top of this information helps to diagnose suspicious behavior as early as possible.
There are four versions of FileAudit available to purchase: Team, Small, Medium, and Enterprise. The Team version costs $50 (£39) per month for 100 users and one server. The Small version costs $85 (£66) for 500 users and three servers.
Who is it recommended for?
You will need to be running Windows on all of your on-site file servers; specifically, this tool operates on the NTFS system. The cloud platform protection is an add-on service for which there is a fee. You can’t have the cloud protection system by itself. The four plans for the system cater to businesses of all sizes.
Pros:
- NTFS Permissions Tracking: Records changes to the permissions system
- Cloud Scanning: Extends monitoring to cloud drives, such as Dropbox, SharePoint Online, OneDrive, and Google Drive
- Log Analysis: Data viewer with analytical tools
Cons:
- Operates on Windows Server and Cloud Platforms: Doesn’t protect data on Linux servers
The Medium version costs $140 (£109) for 1000 users and five servers. The Enterprise version supports over five servers with more than 1000 servers (but you’ll need to contact the sales team directly). You can download the free version here.
Selecting the right file activity monitoring software
File activity monitoring is part and parcel of document management in an enterprise environment. Tools like SolarWinds Server & Application Monitor and ManageEngine DataSecurity Plus have been built with this purpose in mind. Each tool is easy to use with simple configuration and an overhead perspective of file interactions.
The file access analytics feature included with ManageEngine DataSecurity Plus is useful for those enterprises that want to automate some of their threat detection. Automation pays dividends to response time when reacting to malicious activity.
File Activity Monitoring Software FAQs
What is File Integrity Monitoring?
File integrity monitoring is an ongoing automated process that validates the status of files held on a system through indicators such as file size and last modified date. Any changes to files should be logged and unauthorized changes rolled back.
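The integrity check this answer describes, as an added Python example that is not taken from any product reviewed above: it baselines a directory and reports created, deleted, modified and permission-changed files. It goes beyond the size and last-modified indicators by also hashing contents with SHA-256, because a same-length edit with a restored timestamp passes the metadata check; the file names and the `snapshot`, `compare` and `demo` functions are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, mtime, permission bits and SHA-256 for each file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            state[path.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return state


def compare(baseline, current, use_hash=True):
    """Return sorted (event, path) pairs describing how current differs from baseline."""
    events = [("deleted", p) for p in baseline.keys() - current.keys()]
    events += [("created", p) for p in current.keys() - baseline.keys()]
    # Size and mtime are the indicators the FAQ names; the hash is an added check.
    keys = ("size", "mtime_ns", "sha256") if use_hash else ("size", "mtime_ns")
    for p in baseline.keys() & current.keys():
        old, new = baseline[p], current[p]
        if any(old[k] != new[k] for k in keys):
            events.append(("modified", p))
        if old["mode"] != new["mode"]:
            events.append(("permission_change", p))
    return sorted(events)


def demo():
    """Constructed sample: change a temp directory, then compare both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in [("app.conf", "debug=false\n"), ("audit.log", "start\n"),
                           ("old.tmp", "x")]:
            (root / name).write_text(text)
        os.chmod(root / "audit.log", 0o644)
        baseline = snapshot(root)
        conf = root / "app.conf"
        st = conf.stat()
        conf.write_text("debug=true \n")                     # same length as before
        os.utime(conf, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the timestamp
        os.chmod(root / "audit.log", 0o444)                  # permission change
        (root / "old.tmp").unlink()                          # deletion
        (root / "new.txt").write_text("hello\n")             # creation
        current = snapshot(root)
        return compare(baseline, current, use_hash=False), compare(baseline, current)
```

`demo()` returns two event lists: the first uses size and modification time only and contains no entry for `app.conf`, the second includes the hash and reports it as modified.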
Why is deep packet inspection vital to file activity monitoring?
Deep packet inspection is a network monitoring part of file integrity monitoring. It is able to add information about the user who tries to modify a file, such as location and home device.
Can file activity monitoring prevent data loss?
File activity monitoring is able to add to existing DLP technology by protecting the contents of files and monitoring access to them. Thus, it is able to catch unauthorized file access, blocking theft, deletion, corruption, or alteration of the contents.