Agent and employee computer monitoring
The Agent is a module of Ewida Audit. It is responsible for monitoring employee computers, ongoing auditing, and some functions related to work within the company network. The whole system works like a typical Windows desktop application, with modules installed on workstations and local infrastructure.
To configure Agent monitoring settings, open Program Settings and select the Agent tab shown on the left side. This is where you define how monitoring works, along with schedules, exceptions, and blocking rules.
Installation
The Installation tab is mainly informational. It shows the current status of Agent Server and basic information about the Agent modules that should be taken into account when configuring the environment, for example in firewall rules.
Before starting actual monitoring, it is worth making sure that communication between the Agent, Agent Server, and the console is working correctly. Without that, some data may not be transmitted or refreshed as expected.
General settings
Show the Agent icon on the monitored computer
This option enables the Agent icon in the system tray of the monitored computer. This lets the user see that the Agent is running and check whether monitoring is currently active. It is especially useful when the company wants monitoring to be clearly visible to employees.
Show monitoring information to the user
This setting controls an additional message informing the user when monitoring starts and ends. If the goal is full visibility of the Agent’s operation on the user side, it is worth keeping both options enabled. If monitoring is meant to run without messages and without the icon, both settings should be turned off.
Downloading monitoring data from the server
When Ewida Audit starts, it communicates with Agent Server and retrieves current logs. In the settings, you can define the interval at which the running application will read data from the server again.
Monitoring data maintenance
This option lets you define how long logs are kept. The program automatically performs maintenance at startup and removes older entries according to the selected settings. It is worth choosing this period carefully so that you keep the history you actually need without collecting unnecessary excess data.
Monitoring and scanning schedule
Scanning schedule
The Agent can perform not only monitoring, but also periodic computer scanning, meaning auditing. The schedule can be disabled completely, with scanning started only manually from the console. If the company wants data to be refreshed regularly, however, you can define how many days should pass between scans and what time the scan should start.
Monitoring schedule
Employee computer monitoring can also run on a schedule. You can define the days of the week and the start and end times of monitoring. This is a practical solution when monitoring should work only during specific business hours, for example from 9:00 AM to 5:00 PM.
Schedules make it easier to align the Agent with company rules and limit data collection to periods when it is actually needed.
Blocked applications
In this section, you can build a blacklist of applications that should be blocked automatically by the Agent. The mechanism is based on program detail filters. The more identifying data you provide, the more precise the rule matching will be.
You can also indicate only the vendor if the goal is to block a whole group of that vendor’s products. This way of configuring the rules makes it possible to match the level of detail to the company’s actual needs.
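How rule detail affects matching breadth, as an added PowerShell example (not Ewida Audit code and not its rule format). The rule fields, the wildcard matching with `-like`, and the inventory records are all hypothetical and constructed for illustration.

```powershell
# Constructed inventory records (not real Ewida Audit data).
$programs = @(
    [pscustomobject]@{ Vendor = 'Example Games Ltd'; Product = 'Card Game';   Version = '2.1.0'; File = 'cardgame.exe' }
    [pscustomobject]@{ Vendor = 'Example Games Ltd'; Product = 'Chat Client'; Version = '5.0.3'; File = 'chat.exe' }
    [pscustomobject]@{ Vendor = 'Example Tools Inc'; Product = 'Torrent App'; Version = '1.4.0'; File = 'tapp.exe' }
)

# Hypothetical rules: a field that is not set means "any value".
$rules = @(
    @{ Name = 'Vendor only';      Vendor = 'Example Games Ltd' }
    @{ Name = 'Vendor + product'; Vendor = 'Example Games Ltd'; Product = 'Card Game' }
    @{ Name = 'Pinned version';   Vendor = 'Example Tools Inc'; Product = 'Torrent App'; Version = '1.3.*' }
)

function Test-BlockRule {
    param([hashtable]$Rule, [psobject]$Program)
    # Every field the rule sets must match; unset fields are ignored.
    foreach ($field in 'Vendor', 'Product', 'Version', 'File') {
        $pattern = $Rule[$field]
        if ($pattern -and ($Program.$field -notlike $pattern)) { return $false }
    }
    return $true
}

# Dry run: list what each rule would catch before enabling any blocking.
foreach ($rule in $rules) {
    $hits = @($programs | Where-Object { Test-BlockRule -Rule $rule -Program $_ })
    [pscustomobject]@{
        Rule    = $rule.Name
        Matches = $hits.Count
        Files   = ($hits.File -join ', ')
    }
}
```

On this sample data the vendor-only rule catches two programs, the vendor and product rule catches one, and the version-pinned rule catches none because the installed version has moved on, which is the trade-off to weigh when choosing how much detail to put in a filter.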
User message after an application is blocked
After an application is blocked, an informational message can be shown to the user. The content of that message can be configured, which makes it easy to adapt it to company rules or security policy.
Excluded hosts
The excluded hosts tab lets you specify computers for which the blocking rules above will not apply. This is useful, for example, for administrative, test, or service workstations.
Process monitoring
General
The general settings in this section help you find a sensible balance between measurement accuracy and the effect of monitoring on computer performance. Depending on your requirements, you can choose either greater detail or a lighter operating mode.
Process classification
Processes can be grouped to make logs and reports easier to read. For example, browser processes can be assigned to the Internet group, while work-related tools can be assigned to the Work group. This kind of division makes later analysis easier.
Excluded processes
In this part, you can define processes that should be ignored. This often applies to Windows system processes or applications whose monitoring does not provide meaningful information in a given organization.
Excluded hosts
As in other sections, you can also define hosts excluded from these settings.
USB monitoring, authorization, and media blocking
The settings in this section apply to USB device monitoring as well as media authorization and blocking rules. This is an important area wherever the company wants to control the use of USB drives and other external storage devices.
A detailed description of this topic is available in a separate article: blocking USB drives and ports in Ewida Audit.
Printer monitoring
In this section, you can completely disable printer monitoring or specify device names that should be ignored. This is useful when some printers should not appear in the logs or are not relevant from a monitoring perspective.
Excluded hosts
The excluded hosts tab lets you specify computers not covered by these settings. This makes it possible to apply the rules selectively without imposing them on all workstations.
Device monitoring (WMI)
Device monitoring is based on a quick scan of computer devices and components when the Agent starts. The mechanism uses WMI classes and makes it possible to detect hardware configuration changes without running a full audit every time.
The default set of scanned devices is taken from the audit settings. You can also exclude selected WMI classes if monitoring them is not necessary or generates too much data in a given environment.
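The snapshot-and-compare idea described above, sketched in PowerShell as an added example (not Ewida Audit's own code). The class list, the chosen properties, the excluded class and the snapshot path are assumptions.

```powershell
# Added example. Class list, properties, exclusion and path are assumptions,
# not Ewida Audit's actual settings.
$Classes = [ordered]@{
    Win32_Processor       = 'Name', 'NumberOfCores'
    Win32_PhysicalMemory  = 'BankLabel', 'Capacity', 'PartNumber'
    Win32_DiskDrive       = 'Model', 'SerialNumber', 'Size'
    Win32_VideoController = 'Name', 'AdapterRAM'
}
$ExcludedClasses = @('Win32_VideoController')   # skipped, like an excluded WMI class
$SnapshotPath    = Join-Path $env:ProgramData 'HwSnapshotDemo\last.txt'

function Get-HardwareSnapshot {
    # One line per device, built only from properties that stay stable
    # between boots, so a difference means a real hardware change.
    $lines = foreach ($class in $Classes.Keys) {
        if ($ExcludedClasses -contains $class) { continue }
        $props = $Classes[$class]
        Get-CimInstance -ClassName $class -ErrorAction SilentlyContinue | ForEach-Object {
            $inst   = $_
            $values = foreach ($p in $props) { '{0}={1}' -f $p, $inst.$p }
            "$class|" + ($values -join '|')
        }
    }
    @($lines | Sort-Object -Unique)
}

$current = Get-HardwareSnapshot

if (Test-Path $SnapshotPath) {
    $previous = @(Get-Content $SnapshotPath)
    # Compare-Object rejects empty input, so skip the diff if either side is empty.
    if ($previous.Count -gt 0 -and $current.Count -gt 0) {
        Compare-Object -ReferenceObject $previous -DifferenceObject $current |
            ForEach-Object {
                [pscustomobject]@{
                    Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                    Device = $_.InputObject
                }
            }
    }
}

# Store the current state as the baseline for the next start.
New-Item -ItemType Directory -Path (Split-Path $SnapshotPath) -Force | Out-Null
Set-Content -Path $SnapshotPath -Value $current -Encoding UTF8
```

The first run only writes the baseline; later runs print one row per added or removed device. Adding a class to `$ExcludedClasses` drops it from both the snapshot and the diff, which is how an exclusion cuts down noisy change records.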
Excluded hosts
Here as well, you can specify hosts that should not be covered by these settings.
Software installation monitoring
This section is responsible for recording changes related to software installation and uninstallation. This makes it possible to track when new software appears on monitored computers or when it is removed.
Excluded software
You can build a list of filters that exclude specific programs from installation and uninstallation monitoring. This is useful when some changes have no operational importance or concern components the company does not want to include in the logs.
Excluded hosts
As in other areas of configuration, you can also specify hosts excluded from these rules.
How to approach Agent configuration
It is best to implement monitoring settings in stages. At the beginning, it is worth enabling the basic functions, checking the quality of the data, and only then extending the monitoring scope to additional areas such as application blocking, USB, or Internet monitoring.
This approach makes it easier to assess which data is actually needed and which only increases the number of logs without providing real operational value. In a Windows desktop environment, where the Agent runs directly on workstations, a well-chosen configuration has a major impact on both the clarity of the results and the ease of administration.
Summary
Agent settings in Ewida Audit make it possible to adapt monitoring to the rules followed by a specific company. You can control schedules, the scope of collected data, exceptions, application blocking, and monitoring of software and hardware changes.
Thanks to this, Ewida Audit can work both as a tool for ongoing auditing and as part of continuous monitoring of employee computers, as long as its configuration is properly matched to the organization’s real way of working.