Screening Files

Updated: February 27, 2008

Create file screens to block files that belong to particular file groups from being saved on a volume or
in a folder tree. A file screen affects all folders in the designated path. For example, you might create a
file screen to prevent users from storing audio and video files in their personal folders on the server.

You can configure File Server Resource Manager to generate e-mail or other notifications when a file
screening event occurs.

A file screen can be either active or passive:

 Active screening prevents users from saving unauthorized file types on the server.

 Passive screening monitors users saving specific file types and generates any configured
notifications, but does not prevent users from saving files.

A file screen does not prevent users and applications from accessing files that were saved to the path
before the file screen was created, regardless of whether the files are members of blocked file groups.

To simplify the management of file screens, we recommend that you base your file screens on file
screen templates. A file screen template defines a screening type (active or passive), a set of file
groups to block, and a set of notifications to be generated when a user attempts to save an
unauthorized file. File Server Resource Manager provides several default file screen templates, which
you can use to block audio and video files, executable files, image files, and e-mail files—and to meet
some other common administrative needs. To view the default templates, select the File Screen
Templates node in the File Server Resource Manager console tree.

For additional flexibility, you can configure a file screen exception in a subfolder of a path where you
have created a file screen. When you place a file screen exception on a subfolder, you allow users to
save file types there that would otherwise be blocked by the file screen applied to the parent folder.

In this section:

 Working with File Groups

 Creating a File Screen

 Creating a File Screen Exception
 Monitoring File Screening

Working with File Groups

Before you begin working with file screens, you must understand the role of file groups in determining
which files are screened. A file group is used to define a namespace for a file screen or a file screen
exception, or to generate a Files by File Group storage report.

A file group consists of a set of file name patterns, which are grouped into files to include and files to
exclude:

 Files to include: files that belong in the group.

 Files to exclude: files that do not belong in the group.

For example, an Audio Files file group might include the following file name patterns:

 Files to include:*.mp*: includes all audio files created in current and future MPEG formats
(MP2, MP3, and so forth).
  Files to exclude:*.mpp: excludes files created in Microsoft Project (.mpp files), which would
otherwise be included by the *.mp* inclusion rule.

File Server Resource Manager provides several default file groups, which you can view in File
Screening Management by clicking the File Groups node. You can define additional file
groups, or change the files to include and exclude. Any changes that you make to a
file group affect all existing file screens, templates, and reports to which the file group
has been added.

Note

For convenience, you can modify file groups when you edit the properties of a file screen, file
screen exception, file screen template, or the Files by File Group report. Note that any changes
that you make to a file group from these property sheets will affect all items that use that file
group.
To create a file group
1. In File Screening Management, click the File Groups node.

2. In the Actions pane, click Create File Group. This opens the Create File Group
Properties dialog box.

(Alternatively, while you edit the properties of a file screen, file screen exception, file screen
template, or Files by File Group report, under Maintain file groups, click Create.)

3. In the Create File Group Properties dialog box, type a name for the file group.

4. Add files to include and files to exclude:

 For each set of files that you want to include in the file group, in Files to include,
type a file name pattern, and then click Add.
Standard rules for wildcard characters apply. For example, *.exe selects all executable
files.
 For each set of files that you want to exclude from the file group, in Files to
exclude, type a file name pattern, and then click Add.

Note that standard wildcard rules apply—for example, *.exe selects all executable files.

5. Click OK.

Creating a File Screen

In the following procedure, you will create a new file screen, and in the process save a file screen
template based on the custom file screen properties that you defined. The new template will be
applied to the file screen so that a link is maintained between the file screen and the template. In a
similar way, you can save a new quota template based on the custom properties of a quota you
create.

To create a file screen

1. In File Screening Management, click the File Screens node.

2. Right-click File Screens, and click Create File Screen (or click Create File Screen in the
Actions pane). This opens the Create File Screen dialog box.

3. Under File screen path, type the name of or browse to the folder that the file screen will
apply to. The file screen will apply to the selected folder and all of its subfolders.
4. Under How do you want to configure file screen properties, click Define custom file
screen properties, and then click Custom Properties. This opens the File Screen Properties
dialog box.

5. If you want to copy the properties of an existing template to use as a base for your new file
screen, select a template from the Copy properties from template drop-down list. Then click
Copy.

6. Under Screening type, click the Active screening or Passive screening option. (Active
screening prevents users from saving files that are members of blocked file groups, and generates
notifications when users try to save unauthorized files. Passive screening sends configured
notifications, but it does not prevent users from saving files.)

7. Under File groups, select each file group that you want to include in your file screen.

If you want to view the file types a file group includes and excludes, click the file group label, and
then click Edit. To create a new file group, click Create.

Additionally, you can configure File Server Resource Manager to generate one or more notifications
by setting the following options on the E-mail Message, Event Log, Command, and Report
tabs.

8. If you want to generate e-mail notifications, on the E-mail Message tab, set the following
options:

 To notify administrators when a user or application attempts to save an

unauthorized file, select the Send e-mail to the following administrators check box,
and then enter the names of the administrative accounts that will receive the
notifications. Use the format account@domain, and use semicolons to separate multiple
accounts.
 To send e-mail to the user who attempted to save the file, select the Send e-mail
to the user who attempted to save an unauthorized file check box.
 To configure the message, edit the default subject line and message body that are
provided. The text that is in brackets inserts variable information about the file screen
event that caused the notification. For example, the [Source Io Owner] variable inserts
the name of the user who attempted to save an unauthorized file. To insert additional
variables in the text, click Insert Variable.
 To configure additional headers (including From, Cc, Bcc, and Reply-to), click
Additional E-mail Headers.
9. If you want to log an error to the event log when a user tries to save an unauthorized file, on
the Event Log tab, select the Send warning to event log check box. Optionally, edit the default
log entry.

10. If you want to run a command or script when a user tries to save an unauthorized file:

On the Command tab, select the Run this command or script check box. Then type the
command, or click Browse to search for the location where the script is stored. You can also enter
command arguments, select a working directory for the command or script, or modify the
command security setting.

11. If you want to generate one or more storage reports when a user tries to save an
unauthorized file:

On the Report tab, select the Generate reports check box, and then select which reports to
generate. The reports will be saved in the default location for incident reports, which you can
modify in the File Server Resource Manager Options dialog box. Optionally, you can choose
 one or more administrative e-mail recipients for the report or e-mail the report to the user who
attempted to save the file.

12. After you have selected all of the file screen properties that you want to use, click OK to close
the File Screen Properties dialog box.

13. In the Create File Screen dialog box, click Create to save the file screen. This opens the
Save Custom Properties as a Template dialog box.

14. To save a template that is based on these customized properties, click Save the custom
properties as a template and type a name for the template. This option will apply the template
to the new file screen, and you can use the template to create additional file screens in the future.

15. Click OK.

Creating a File Screen Exception

Occasionally, you will need to allow exceptions to file screening. For example, you might want to block
video files from a file server, but you need to allow your training group to save the video files for their
computer-based training. To allow files that other file screens are blocking, create a file screen
exception.

A file screen exception is a special type of file screen that overrides any file screening that would
otherwise apply to a folder, and all its subfolders, in a designated exception path. That is, it creates an
exception to any rules derived from a parent folder. To determine which file types the exception will
allow, file groups are assigned.

To create a file screen exception

1. In File Screening Management, click the File Screens node.

2. Right-click File Screens, and click Create File Screen Exception (or click Create File
Screen Exception in the Actions pane). This opens the Create File Screen Exception dialog
box.

3. In the Exception path text box, type or select the path that the exception will apply to. The
exception will apply to the selected folder and all of its subfolders.

4. To specify which files to exclude from file screening:

 Under File groups, select each file group that you want to exclude from file
screening.
 If you want to view the file types that a file group includes and excludes, click the file
group label, and click Edit.
 To create a new file group, click Create.
5. Click OK.

Monitoring File Screening

In addition to the information in your file screen notifications, you can monitor file screening by
viewing file screens in the File Screens Results pane and by generating a File Screening Audit report.

Viewing file screening information

To view file screening information in the File Server Resource Manager console tree, click File
Screening Management, and then click the File Screens node.

 For each file screen, the Results pane displays the following information: the path that the file
screen was created for, the type of file screen (file screen or exception), the file groups
 included in the file screen, the template on which the file screen is based, and whether the
current configuration of the file screen matches the configuration of the template.
 For the selected file screen, the description area lists all file groups that are being blocked on
the file screen path. This includes file groups that are blocked by the current file screen as
well as file groups blocked by file screens created higher in the file screen path.
 To filter the Results pane display to the file screens that affect a specific path:
1. Click Filter at the top of the pane.
2. In the File Screen Filter dialog box, under File Screen path, click either the
Parents of the following folder option or the Children of the following folder
option.
3. Type or browse to the path.
4. Click OK.

File Screening Audit report

Use the File Screening Audit report to identify individuals or applications that violate file screening
policy. For instructions on generating a File Screening Audit report, see Generating Storage Reports

later in this guide.

Important

Before you run a File Screening Audit report, in the File Server Resource Manager Options
dialog box, on the File Screen Audit tab, verify that the Record file screening activity in
auditing database check box is selected.