Spirion (Identity Finder) - Administrator FAQ
This document contains frequently asked questions for the Spirion endpoint application and console.
Spirion FAQ
What does Spirion do exactly?
Spirion’s endpoint application scans the endpoint for potential restricted or sensitive data, collates the results, and sends the results to the console (and potentially the endpoint user) in an encrypted format. It is possible to take actions through the application such as shredding files, ignoring false positives, or quarantining files.
How long will a Scan take?
Scan time varies with the scan configuration (locations scanned, file types scanned, match types scanned for), the computer's hard drive, and processing power. Scans can take from 1 minute to several hours depending on these variables. Typically, scans on a workstation take 1 - 3 hours if configured appropriately (not scanning system files and AppData). Most servers take 6 - 12 hours to scan, so the most common practice is to run the scan overnight or on a weekend.
File servers, databases, and other large storage spaces take longer to scan and require more processing power than the machine you need to scan can provide. Scanning on this scale requires a Discovery Team, a group of computers working together, to complete the scan. As of this writing, the Office of Cybersecurity initiates scans that require a Discovery Team. If you need to scan a large server or database, send an email to cybersecurity@cio.wisc.edu with the subject line of either "Spirion Database Scan" or "Spirion Scan of Large Server" as appropriate.
What Operating Systems are compatible with Spirion?
- Windows 10
- Windows 11
- Windows Server 2012 R2, 2016, 2019
- macOS 13 Ventura
- macOS 12 Monterey
- macOS 11 Big Sur
- macOS 10.15 Catalina
- Red Hat Enterprise Linux 64-bit, versions 5.1 and later
How do I go about getting set up with Spirion?
Please reach out to us at cybersecurity@cio.wisc.edu if you’d like to get set up on the Spirion Console and obtain installers for your IT department.
What is the console URL?
The URL for the administrative console is datadiscovery.cybersecurity.wisc.edu.
It's too good to be true. Are there any disadvantages of doing this?
Without proper configuration, such as filepath exclusions, Spirion will often flag numerous false positives. The IT administrator can fix this by adjusting their policies to exclude system files, AppData, and Program Files from searches. Please feel free to reach out to us at cybersecurity@cio.wisc.edu if you have any questions regarding this process.
What are my options if I find what appears to be Sensitive Data in a search?
Your first step should be to verify whether the sensitive data is legitimate. Examine the filepath for the match. If the filepath for the file with the match is in the System or AppData folder, it is likely a false positive. However, if the filepath leads to a user's data file, it is likely to indicate sensitive data. Best practice in most cases is to coordinate with the end user to determine whether the file is sensitive/restricted, and if the data is needed for business purposes. Depending on those factors, the next step may be to delete the data or move it to a secure encrypted drive.
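The filepath check described above, using the same locations named earlier as policy exclusions (system files, AppData, Program Files), can be sketched as a small triage helper. This is an added example, not part of the original FAQ or of Spirion: the sample paths are constructed, and the macOS/Linux folder names are assumptions.

```python
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

# Folder names treated as system/application locations. Windows names follow
# the FAQ (system files, Program Files, AppData); POSIX names are assumptions.
WIN_TOP = {"windows", "program files", "program files (x86)"}
POSIX_TOP = {"system", "library", "usr"}
PROFILE_DIR = {True: "appdata", False: "library"}  # directly under Users/<name>/


def _folders(path):
    """Return (lower-cased folder names without drive/root, is_windows)."""
    is_windows = "\\" in path or path[1:2] == ":"
    pure = PureWindowsPath(path) if is_windows else PurePosixPath(path)
    parts = [p.lower() for p in pure.parts]
    if pure.anchor:
        parts = parts[1:]          # drop "c:\" or "/"
    return parts[:-1], is_windows  # drop the file name itself


def triage(path):
    """Classify one match location using the FAQ's filepath heuristic."""
    folders, is_windows = _folders(path)
    if folders and folders[0] in (WIN_TOP if is_windows else POSIX_TOP):
        return "likely_false_positive"
    # Users\<name>\AppData\...: match by position, not by substring.
    if len(folders) >= 3 and folders[0] == "users" and folders[2] == PROFILE_DIR[is_windows]:
        return "likely_false_positive"
    return "review_with_user"


def summarize(paths):
    """Count matches per triage bucket for a list of match locations."""
    return Counter(triage(p) for p in paths)


# Constructed sample match locations (not real console output).
SAMPLE = [
    r"C:\Windows\System32\config\sample.dat",
    r"C:\Users\alice\AppData\Local\Temp\cache.db",
    r"C:\Users\alice\Documents\payroll_2023.xlsx",
    r"D:\Shares\HR\AppData export\ssn_list.csv",
    "/Users/bob/Library/Caches/app/index.sqlite",
    "/Users/bob/Desktop/tax_forms.pdf",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{triage(p):22} {p}")
```

The `D:\Shares\HR\AppData export\` entry stays in the review bucket because folders are matched by position; a plain substring test for "AppData" would have dismissed it.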
Can I schedule recurring scans? Can I set scans to search for different data types depending on the endpoints being scanned?
You can schedule scans to run on a one-time, daily, weekly, or monthly basis. Results from these scans will come in to the console as they complete. You can create policies to apply to specific endpoints or endpoint tags, which allows you to change the types of data that scans on those machines search for. This can be useful if you have a subset of machines in your environment that are more likely to handle restricted data: you can set the scans to search for additional data types that you wouldn’t necessarily want to search for across your entire environment.
Hey! I’m certain this match is a false positive!
If you believe a match to be a false positive you can select to ignore it (either within the Endpoint Application or from within the Console). If you wish to prevent this match from occurring on other machines you could add the filepath to the list of excluded search locations in your search policy as defined in the console.
Will the endpoint agent consume a lot of resources on users' endpoints?
Generally, the endpoint client consumes minimal resources, but resource intensity can increase greatly when a scan is running. During scans, the impact depends on which version of the Spirion client is installed on the endpoint.
- Spirion 11.* and earlier: The performance of the machine will be significantly slower during the scan. If possible, the best option is to leave the machine to run a scan overnight, or at another time when resources are not otherwise in use.
- Spirion 12.*: This updated version of the client uses only as much processing power as is not otherwise in use. Thus, there is no perceptible impact on performance. If the user is doing processor-intensive work, the scan will slow and may even stop, but will resume automatically when resources are available.
To find which version is on your endpoints, check the Status tab in the console.
If using the client on an individual endpoint, select File, then Settings, then Resources. The version number is listed under License Information.
Will DoIT Cybersecurity staff be able to see any sensitive information or restricted data found on my endpoints?
DoIT Cybersecurity can see the same items that you can see in the console. For this reason, and others, we do not recommend configuring your policies to send full matches to the console (there is an option to send partial matches and one to send no match, just the match file location).
What if I have additional questions?
If you have additional questions, please email us at cybersecurity@cio.wisc.edu.