Chapter 5: Monitoring
If the GUI is running and a non-whitelisted program attempts a file modification, the request will be displayed in the request table, and an administrator may control the file access. If a request isn't answered within 1 minute, access is denied automatically. Access can be manually set by clicking the "Set Access" drop-down list in the Access column and choosing an access option.
The following options are available:
GRANT – Allows the running process to modify the specified file object
DENY – Prevents the running process from modifying the specified file object
AUTHORIZE PID – Write access is granted to all files for the specified process until its termination (NT kernel and system processes are excluded).
WHITELIST PROGRAM – The program is whitelisted and permanently allowed to modify existing files.
An overall status is shown in the "Status" tab of the "Monitoring" window.
Blocky for Veeam® logs all modification requests and responses on protected files to the file C:\ProgramData\GrauData\Blocky\AccessControl.log. The content of the log file is also displayed in the "Logging" tab of the "Monitoring" window.
To show the license status, select the "License Info" tab in the "Monitoring" window.
To check for notifications, select the "Notifications" tab in the "Monitoring" window.
Further status information is available in the Windows application and system event logs.
Some Windows system services may perform raw volume access on certain volumes, for example the Windows components svchost.exe, vssvc.exe, or vds.exe. On Blocky-protected volumes, some of these raw volume accesses are handled by Blocky and will be denied, as these components are usually not whitelisted. This results in an unauthorized access event or, if the GUI is running, the raw volume access is displayed in the request table. See below for a notification example.
The components svchost.exe and fsdmhost.exe must be whitelisted when using NTFS Deduplication. When using Shadow Copy, either manually or via scheduling, you have to whitelist the components svchost.exe and vssvc.exe.
occurred 2 times. (threshold settings: Count: 1 / TimeInterval:0 min)
additional information:
PID: 1724, App: C:\Windows\System32\vds.exe, File: \Device\HarddiskVolume3, User: NT AUTHORITY\SYSTEM
PID: 1724, App: C:\Windows\System32\vds.exe, File: \Device\HarddiskVolume3, User: NT AUTHORITY\SYSTEM
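The following is an added example, not part of the Blocky product or its documentation: a small Python triage script for the "additional information" lines shown above, which groups denied requests and separates the raw volume accesses by Windows components described in this chapter from requests that deserve a closer look before anything is whitelisted. The line layout is taken only from the sample on this page; the bucket names, the last two sample lines, and the assumption that Windows is installed on C: are this example's own.

```python
import re
from collections import Counter
from ntpath import basename, dirname, normcase

# Layout of the "additional information" lines in the notification sample on this page.
LINE_RE = re.compile(r"PID:\s*(\d+),\s*App:\s*(.+?),\s*File:\s*(.+?),\s*User:\s*(.+)$")
RAW_VOLUME_RE = re.compile(r"\\Device\\HarddiskVolume\d+$", re.IGNORECASE)
# Windows components this chapter names for raw volume access or whitelisting.
KNOWN_COMPONENTS = {"svchost.exe", "vssvc.exe", "vds.exe", "fsdmhost.exe"}
SYSTEM32 = normcase(r"C:\Windows\System32")  # assumption: Windows installed on C:

# Lines 1-2 are the page's sample; lines 3-4 are constructed for illustration.
SAMPLE = r"""
PID: 1724, App: C:\Windows\System32\vds.exe, File: \Device\HarddiskVolume3, User: NT AUTHORITY\SYSTEM
PID: 1724, App: C:\Windows\System32\vds.exe, File: \Device\HarddiskVolume3, User: NT AUTHORITY\SYSTEM
PID: 4120, App: C:\Users\Public\svchost.exe, File: E:\Backups\job1.vbk, User: LAB\operator
PID: 2210, App: C:\Tools\editor.exe, File: E:\Backups\job1.vbk, User: LAB\operator
"""

def parse_line(line):
    """Return a dict for one detail line, or None if the line has another layout."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    pid, app, target, user = m.groups()
    return {"pid": int(pid), "app": app, "file": target, "user": user}

def classify(event):
    """Sort a denied request into a triage bucket (bucket names are this example's own)."""
    name = basename(event["app"]).lower()
    if name in KNOWN_COMPONENTS:
        if normcase(dirname(event["app"])) != SYSTEM32:
            return "known-name-unexpected-path"   # check the binary before whitelisting
        if RAW_VOLUME_RE.match(event["file"]):
            return "system-component-raw-volume"  # the case this chapter describes
        return "system-component-file-write"
    return "other-program"

def triage(text):
    """Count denied requests per (bucket, application, target)."""
    events = filter(None, map(parse_line, text.splitlines()))
    return Counter((classify(e), e["app"], e["file"]) for e in events)

if __name__ == "__main__":
    for (bucket, app, target), n in triage(SAMPLE).most_common():
        print(f"{n:>3}  {bucket:<28} {app} -> {target}")
```

A request in the "known-name-unexpected-path" bucket carries the file name of a Windows component but does not run from System32, so whitelisting by name alone would be the wrong response to it.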