Enterprise Recon Cloud 2.12.0

Download ER Cloud 2.12.0 User Guide (PDF)

All Documentation > ER Cloud 2.12.0 User Guide > How-to Guides > Scan Locations (Targets) Overview > Add Server Target > How To Scan Local Storage and Local Memory

How To Scan Local Storage and Local Memory

This section covers the following topics:

How Local Scan Works
Supported Operating Systems
Licensing
Scan Local Storage
Scan Local Process Memory
Unsupported Locations

How Local Scan Works

For a more detailed explanation on local scans, refer to the Scanning - How Local Scan Works section.

Supported Operating Systems

Local storage and local memory are included by default as available scan locations when adding a new server or workstation Target.

ER Cloud supports the following operating systems as local storage and local memory scan locations:

Environment (Target Category)	Operating System
Microsoft Windows Desktop (Desktop / Workstation)	Windows 10 32-bit/64-bit Windows 11 64-bit ^{Looking for a different version of Microsoft Windows?}
Microsoft Windows Server (Server)	Windows Server 2012/2012 R2 64-bit Windows Server 2016 64-bit Windows Server 2019 64-bit Windows Server 2022 64-bit ^{Looking for a different version of Microsoft Windows?}
Linux (Server)	Debian 11+ 32-bit/64-bit RHEL 7+ 64-bit Oracle Linux 8 64-bit Ubuntu 16+ 32-bit/64-bit ^{Looking for a different Linux distribution?}
UNIX (Server)	AIX 7.2+ FreeBSD 13 32-bit/64-bit ¹ FreeBSD 14 32-bit/64-bit ¹ Solaris 10+ (Intel x86) Solaris 10+ (SPARC)
macOS ¹ (Desktop / Workstation)	macOS Monterey 12.0 macOS Ventura 13.0 macOS Sonoma 14.0 Scans for macOS Targets locations Selecting "All local files" when scanning macOS Targets may cause the same data to be scanned twice. See Exclude the Read-only System Volume from Scans for macOS Target locations for more information. Scanning locations within the top-level Users (/Users) folder requires the "Full Disk Access" feature to be enabled for er2-agent. If locations within the /Users folder are scanned without enabling the required full disk access, these locations will be logged as inaccessible locations. For more information, refer to the Enable Full Disk Access section. ^{Looking for a different version of macOS?}

¹ Does not support scanning of Local Process Memory.

Microsoft Windows Operating Systems

Ground Labs supports and tests ER Cloud for all Windows versions supported by Microsoft.

Prior versions of Windows may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

Linux Operating Systems

Ground Labs supports and tests ER Cloud for all Linux distributions currently supported by the respective providers.

Prior versions of Linux distributions may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

macOS Operating Systems

Ground Labs supports and tests ER Cloud for all macOS versions supported by Apple Inc.

Prior versions of macOS may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

Licensing

For Sitewide Licenses, all scanned local storage and local memory Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, local storage and local memory Targets require Server & DB Licenses or Client Licenses, and consume data from the Server & DB License or Client License data allowance limit, depending on the Target operating system.

See Target Licenses for more information.

Scan Local Storage

Local Storage refers to disks that are locally mounted on the Target server or workstation. The Target server or workstation must have a Node Agent installed.

You cannot scan a mounted network share as Local Storage.

To scan Local Storage:

From the New Search page, add Targets. Refer to the Add Targets section.
In the Enter New Target Hostname field, enter the host name of the server or workstation.

Ensure the host name entered is accurate without spelling (or other typographical) errors. An incorrect or invalid host name will cause the scan for the Target to fail.
Click Test. The Test button changes to a Commit button.
Click Commit.

In Select Types, select Local Storage. You can scan the following types of Local Storage:

Local Storage	Description
Local Files	To scan all local files: Select All local files. Click Done. To scan a specific file or folder: Click Customise next to All local files. Enter the file or folder Path and click + Add Customised. Windows: C:\path\to\folder\file.txt; Unix and Unix-like file systems: /home/username/file.txt.
Local Shadow Volumes	Windows only To scan all local shadow volumes: Select All local shadow volumes. Click Done. To scan a specific shadow volume: Click Customise next to All local shadow volumes. Enter the Shadow volume root and click + Add Customised.
Local Free Disk Space	Windows only Deleted files may persist on a system's local storage, and can be recovered by data recovery software. ER Cloud can scan local free disk space for persistent files that contain sensitive data, and flag them for remediation. To scan the free disk space on all drives: Select All local free disk space. Click Done. To scan the free disk space of a specific drive: Click Customise next to All local free disk space. Enter the drive letter to scan and click + Add Customised. Scanning All local free disk space is only available for Windows environments.

Local Storage

Description

Local Files

To scan all local files:

Select All local files.
Click Done.

To scan a specific file or folder:

Click Customise next to All local files.
Enter the file or folder Path and click + Add Customised.

Windows: C:\path\to\folder\file.txt; Unix and Unix-like file systems: /home/username/file.txt.

Local Shadow Volumes

Windows only

To scan all local shadow volumes:

Select All local shadow volumes.
Click Done.

To scan a specific shadow volume:

Click Customise next to All local shadow volumes.
Enter the Shadow volume root and click + Add Customised.

Local Free Disk Space

Windows only

Deleted files may persist on a system's local storage, and can be recovered by data recovery software. ER Cloud can scan local free disk space for persistent files that contain sensitive data, and flag them for remediation.

To scan the free disk space on all drives:

Select All local free disk space.
Click Done.

To scan the free disk space of a specific drive:

Click Customise next to All local free disk space.
Enter the drive letter to scan and click + Add Customised.

Scanning All local free disk space is only available for Windows environments.

Recommended Least Privilege User Approach

Data discovery or scanning of data requires read access. Remediation actions that act directly on supported file systems including Delete Permanently, Quarantine, Encryption and Masking require write access in order to change, delete and overwrite data.

To reduce the risk of data loss or privileged account abuse, the Agent user provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

Exclude the Read-only System Volume from Scans for macOS Targets

Starting from macOS Catalina 10.15, Apple has introduced a dedicated, read-only System (/System) volume that is separate from the writable Data volume that stores the top-level Users (/Users) folder, Home (/home) folder, and more. This writable Data volume is mounted on the read-only System volume and is accessible through the path /System/Volumes/Data, which may cause the same data to be scanned twice for macOS Targets if both the System and Data volumes are included in a scan.

To avoid consuming data allowance that is twice the size of the data, you are recommended to:

Select specific folders or files when scheduling scans for macOS Targets, or
Use the Exclude Location by Prefix Global Filter (refer to the Setup Global Filters section) to exclude the /System/Volumes/Data path when scanning "All local files" for selected macOS Targets.

Scan Local Process Memory

During normal operation, your systems, processes store and accumulate data in memory. Scanning Local Process Memory allows you to check it for sensitive data.

To scan local process memory:

From the New Search page, add Targets. Refer to the Add Targets section.
In the Enter New Target Hostname field, enter the host name of the server or workstation.

Ensure the host name entered is accurate without spelling (or other typographical) errors. An incorrect or invalid host name will cause the scan for the Target to fail.
Click Test. The Test button changes to a Commit button.
Click Commit.
In Select Types, select Local Memory > All local process memory.
Click Done.

To scan a specific process or process ID (PID):

From the New Search page, add Targets. Refer to the Add Targets section.
In the Enter New Target Hostname field, enter the host name of the server or workstation.

Ensure the host name entered is accurate without spelling (or other typographical) errors. An incorrect or invalid host name will cause the scan for the Target to fail.
Click Test. The Test button changes to a Commit button.
Click Commit.
In Select Types, select Local Memory. Next to All local process memory, click Customise.
Enter the process ID or process name in the Process ID or Name field.
Click + Add Customised.

Unsupported Locations

ER Cloud does not follow or scan symbolic links or junctions. Each symbolic link or junction point that is skipped during a scan will have a log entry in the Scan Trace Log (if enabled).