Hi All,

Can any one please tell me how many exceptions can I add to a policy ? In my case DLP crashes if there are more than 14 exceptions in a policy. Is there any solution for this?

Regards,

Tejas

I need trust process can run and call sub-process.

The other process can be deny.

I set the policy content below...

I can deny non-trust process, but can't allow trust process call sub-process.

Such as

cmd.exe is trusted updaters process.

cmd.exe call putty.exe can't be run.

log is deny_ps.

How can i do?

Thanks

I've been attempting to write a 'catch all' for any EXE which I can apply to a policy for testing.   I've attempted the following strings, under both Binary name and Original File Name.    This is for the Endpoint Agent.

*\.exe

*.exe

Symantec is sponsoring the 2014 Information Security Summit featuring two days of information security presentations, focused sessions, and hands-on workshops. Pre-conference training is available and will be held on October 27-29 with the conference taking place on October 30 – 31, 2014 at LaCentre in Westlake, Ohio.

Click HERE to see our current Brochure.
For more information click here!

• To access the agenda from the web, go to:  GUIDEBOOK FOR THE WEB
• To download the mobile app to your phone go to: GUIDEBOOK FOR YOUR PHONE

  EVENT REGISTRATION IS OPEN!
   

• Conference Registration - Attendees can register HERE
• Pre-Conference Training– Attendees can register HERE
• Click Here for Conference Location Information.
• Click Here for Suggested Hotel Information.

We Hope To See You At The Summit!

IT Analytics DLP pack offers several predefined cubes out-of-the-box.  As part of the DLP pack, the custom attribute name and custom attribute value dimension are included.  These two dimensions contain data for custom attributes defined within DLP, however they need to be used hand-in-hand for the data in the cubes to make any sense.  For users who leverage custom attributes in DLP, there is a method by which this data can be added to IT Analytics as custom dimension attributes to make browsing the cube using particular custom attributes easier. This involves the download and installation of the IT Analytics DLP Custom Attribute Utility (.zip file attached to this article) and a simple configuration to add custom attributes as a dimension to the cubes.

This utility is provided as an optional configuration to IT Analytics and is separate from the Symantec Management Platfrom so that it can be updated on as needed basis. Any issues and requested enhancements to the utility should be sent directly to the author. In the event of future upgrades to subsequent versions of the Symantec Management Platform, this utility will need to be run again to include any custom attributes previously added to the default set of cubes.

NOTES: After adding or removing DLP custom attributes, affected cubes will require processing. 

Adding new DLP connections after custom attributes have been added using the DLP Custom Attribute utility will invalidate the DLP cubes.  To remediate, re-run the DLP Custom Attribute Utility to remove and add the custom attributes.

To successfully install and use the IT Analytics DLP Custom Attribute Utility the following prerequisites must be met:

• .NET Framework 4.0
• Must be run on the machine hosting the Symantec Management Platform
• db_owner access to Symantec CMDB database
• Administrator access to the IT Analytics Analysis Services database
• Be a member of the Symantec Administrators role in the Symantec Management Platform

Installing the IT Analytics DLP Custom Attribute Utility

1.     Download the DLPCustomAttributeUtility.msi file attached to this article.

2.     Extract and open the DLPCustomAttributeUtility.msi file.

3.     The IT Analytics DLP Custom Attribute Utility Setup Wizard screen will be displayed.  Click Next to continue.

4.     Select the installation folder for the IT Analytics DLP Custom Attribute Utility and decide whether or not the utility can be accessed by other users on the computer, then click Next.

​

5.     Click Next to confirm installation and install the IT Analytics DLP Custom Attribute Utility.

6.     Click Close to finish the installation

Adding a DLP Custom Attribute as a Dimension to the Cubes

1.     Launch the IT Analytics DLP Custom Attribute Utility by navigating to Start > All Programs > Bay Dynamics > IT Analytics DLP Custom Attribute Utility > DLP Custom Attribute Utility

2.     Wait for the IT Analytics DLP Custom Attribute Utility to initialize.

3.     Select Add Custom Attribute to launch the Add DLP Custom Attribute Wizard.

4.     Wait for the Add DLP Custom Attribute Wizard to load the available custom attributes.

5.     Select one or more Custom Attributes to add and click Next (hold down the CRTL key to select more than one attribute).

6.     Verify the information is correct on the Summary screen and click Next to add the selected attribute(s).

7.     Wait for utility to finish adding the custom attribute.

8.     Click Finish to close the Add DLP Custom Attribute Wizard.

9.     After you have finished adding dimensions, you must reprocess the modified cubes for the changes to take effect. From the Symantec Management Console, navigate to: Settings > Notification Server > IT Analytics Settings > Processing to reprocess cubes.

10.     Open the modified cube by going to Reports > All Reports > IT Analytics > Cubes. In the Pivot Table Field List you should see the new dimension that was just added.

11.     You can now use this dimension when creating pivot table views, the same way you use any other default dimension.

Removing Custom Attribute Dimension(s) from the Cubes

1.     Launch the Custom Attribute Utility by navigating to Start > All Programs > Bay Dynamics > IT Analytics DLP Custom Attribute Utility > DLP Custom Attribute Utility.

2.     Wait for the DLP Custom Attribute Utility to initialize.

3.     Select Remove Custom Attributes to launch the Remove DLP Custom Attribute Wizard.

4.     Select the custom attribute(s) you want to remove the dimension from and click Next. (hold down the CRTL key to select more than one attribute)

5.     Verify the information is correct on the Summary screen and click Next.

6.     Wait for the custom attribute(s) to be removed.

7.     Click Finish to close the Remove DLP Custom Attribute Wizard.

8.     After you have finished removing dimensions, you must reprocess the modified cubes for the changes to take effect. From the Symantec Management Console, navigate to: Settings > Notification Server > IT Analytics Settings > Processing to reprocess cubes.

Any ideas or a published roadmap for the support of Symantec DLP for SharePoint 2013?

We are looking for an enhanced feature that allows DLP Prevent/Protect functionality with the SharePoint 2013 Web API, to empower customers to block and prevent data from reaching the SharePoint space.

The following important changes are being made to the Symantec Data Loss Prevention (DLP) and Data Insight (DI) Knowledgebase.

The content for both products is moving to a new location, to the same Technical Support Knowledge Base for other Symantec products.

Please note:

• All previously available content will be migrated to the new location.
• Links to articles in the old location, e.g., https://dlp-kb.symantec.com/article.asp?article=56741&p=4, will serve up a page that includes a link to the new technote location, e.g., http://www.symantec.com/business/support/index?page=content&id=TECH222019
• Newly migrated articles (known as 'Technotes' in the Symantec Knowledge Base) will contain a 'Legacy ID' entry. The Legacy ID is the Article ID from the original Knowledgebase.

Note for Data Loss Prevention customers:

• Unlike the previous knowledgebase, best practice within the new KB recommends using the product selector to identify the Symantec product during the search. At the time of the migration, no option to select the family of all Data Loss Prevention products was available, only options for specific DLP servers, e.g., Data Loss Prevention Network Monitor. This has now been corrected.
• To allow the Knowledge Base to be searched for all DLP products, begin entering "Data Loss Prevention" into the product selector field. The web site's auto-fill option will show "Data Loss Prevention Family" at the top of the list of suggestions. If chosen, the resultant search page will then show DLP Family in the product selector field, and search results will include technotes relevant to all DLP components.

If you have any questions or need more information, please contact Symantec Technical Support at http://www.symantec.com/business/support/contact_techsupp_npid.jsp

Thank You,

Symantec DLP Technical Support

http://www.symantec.com/data-protection | 1.800.342.0652

Working with a customer to install SMG and Prevent for Email 11.6 using the DLP Connect feature that comes with SMG 10.5.  The mail flow is as follow:

GMAIL > SMG > DLP (Reflective mode) > SMG > GMAIL.

Two response rules have been created and associated to a DLP test policy:

If high:  Add header x-block; SMG action: delete message

If medium or Low: Add header x-encrypt; SMG action: redirect to encryption gateway

Send notification to sender on either action

The customer's objective is to route email back on premise to inspect content before it goes out of Gmail.

Integration works as expected the first time an email is sent; an incident is generated and actions are taken accordingly.  When we tried resending the same message (go to sent folder and forwarding the message); the incident is not generated and message is delivered by SMG to the final destination.

After going through the logs with support we discovered the following header in the Prevent for Email server RequestProcessor0.log:

INFO: (SMTP_CONNECTION.1201) Connection accepted (tid=2c cid=1 local=PE server remote=x.x.x.x:50934)
Jan 29, 2015 9:45:50 AM com.vontu.mta.rp.ESMTPRequestProcessorThread connectNextHop
INFO: (SMTP_CONNECTION.1203) Forward connection established (tid=2c cid=2 local=PE server:1644 remote=x.x.x.x:25)
Jan 29, 2015 9:45:50 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(2c)|S: EHLO Bypass_loop_detection

That EHLO Bypass_loop_detection is the only thing that I see different from a regular email that generates an incident but I need to identify where is this coming from,  I don't think the problem is with DLP since the policy works every time a new email is sent.  But there seems to be a condition somewhere to bypass DLP when the message is being resend (my working theory).

About to test two things to troubleshoot this scenario:

1. Disabling the SMG option to bypass DLP when it is not available since this is the only place I can see that a bypass function could be triggered.

2.  Currently the 2 Prevent servers connected to SMG are using the same metric (they both are 1).  This suppose to provide load balancing capabilities, but I am wondering if I could be running into a bug with this.

3.  About to run the SMG finer logs to try to identify the source of the bypass_Loop_detection command

We also have Gmail investigating on their end.

Any feedback will be greatly appreciated.

-Leo

Hi,

I've been searching for an option that allows me to restrict editing attribute values when runing smart response rules.

Example:

All: Set Attribute

Attribute - Resolution

Value - Dismissed

I would like to know if there is a chance to block value content without configure "special" roles for this (when runing RR). Therefore, it would be possible to configure this value only when we configure response rule.

BR.

Hi Everyone,

Could you guys help me? I Need help to create a .bat or cmd script that:

1. check if the service is running edpa.exe
2. if so, does not install the agent
3. if not, run the agent installation script

The purpose is to add this at a script logon at machines.

Does anyboby already made it? or Know how to write ir?

Thank you so much!

Best Regards!

I'm looking to understand what settings are required to perform HTTP monitoring? 

As I understand, in the Agent Configuration, Agent Monitoring tab the "Web" channel checkbox for "HTTP" must be checked.

Assuming that is correct, what, if any, impact do the Application Monitoring settings have to do with what is and isn't detected with HTTP?  For example, within Application Monitoring there is the option for "Network Access" to be checked. Microsoft IE is listed and "Network Access" is checked, however Chrome is not listed.  Yet, in our environment we see HTTP incidents from both IE and Chrome.  So my question is does checking "Network Access" for Application Monitoring have impact on HTTP monitoring? 

Neither the help or admin guide is clear, and it doesn't seem nessaccary because Chrome incidents are detected despite Chrome not being registered in Application Monitoring.

Any help would be appreciated.

Hello everyone,

I'm deploying a bunch of DLP Agents and using Altiris site with Software Management.

After creating the software release and uploading the software media, I add the command line from install_agent.bat

e.g. of the command line for DLP Agent

msiexec /i AgentInstall.msi /q INSTALLDIR="%PROGRAMFILES%\Manufacturer\Endpoint Agent" ENDPOINTSERVER="192.168.0.253:10443" TOOLS_KEY="D23DA21E708384A63E816AE042B0A064DBEB5148E707285BADBFDC72126B8A0038104D5CDBDDB667215A66D6DF0C86DAECA498BEC7E0975C263BF22B261B77146BC3C4A1EC226" SERVICENAME="EDPA" WATCHDOGNAME="WDP" ARPSYSTEMCOMPONENT="1" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_PRIVATEKEY_PASSWORD="8CE39EBCE5F121E004AEB4E66C35C886A2A0994F79916A72F35AA9D5D3E5D9466E8E93E4A113D7620AD601E30A35078DB7BC8088A5F8F0B53E75223C18CBD25120796FE33C96D9F6AB0917D4DF25624972CA1C51A78163777C6BDAB06B099567B8F71" ENDPOINT_TRUSTSTORE="endpoint_truststore.pem" LOGDETAILS="Yes" /L*v %SystemDrive%\installAgent.log

But is not fully copied on to the field where the command line is:

The only command line copied is the following, and not the complete one:

msiexec /i AgentInstall.msi /q INSTALLDIR="%PROGRAMFILES%\Manufacturer\Endpoint Agent" ENDPOINTSERVER="192.168.0.253:10443" TOOLS_KEY="D23DA21E708384A63E816AE042B0A064DBEB5148E707285BADBFDC72126B8A0038104D5CDBDDB667215A66D6DF0C86DAECA498BEC7E0975C263BF22B261B77146BC3C4A1EC226" SERVICENAME="EDPA" WATCHDOGNAME="WDP" ARPSYSTEMCOMPONENT="1" ENDPOINT_CERTIFICATE="endpoint_cert.pem" ENDPOINT_PRIVATEKEY="endpoint_priv.pem" ENDPOINT_PRIVATEKEY_PASSWORD="8CE39EBCE5F121E004AEB4E66C35C886A2A0994F79916A72F35AA9D5D3E5D9

I know this is a limitation of the command line text box on Altiris page. But is there a way i can change this???

How do you set up the DLP Agent with Software Management (especifically this step)???

Thanks in advance.

Hi All,

I have created an endpoint policy to prevent user from sending email if matching keyword found only in an attachment not in body of email. But the problem is policy is working fine but pop up comes when matching word found in body of email which i dont want. I only want pop up to comes if matching keyword detect in attachment only.. right now it is showing pop for both body and attachment keyword is detecting fine but why it is detecting in body mail this is the problem.

following are the details i have configured:

add policy> content match >> keyword "confidential">>on whole words>>match on "Only attachment" is selected rest other options "Envelope", Subject, Body are unchecked as i only want detection in attachment.

along with AND condition below

protocol and endpoint monitoring >> email /SMTP is selected only.

Response rule - > prevent user pop up block options with multiple options

Now this policy works like this confidential word matching in body or attachment it shows pop up but i have only selected attachment in keyword match option then why it is picking from body mail.. i only want detection in attachment not in body.

Please suggest whats wrong with this..

I would like to know is there any limit adding sender eg: abc@abc.com and recipients abc@abc.com in policy detection rule .. if  i will add 10000 pid domains or more than that in the policy detection rule then is there any impact on dlp email traffic or any other issues.

need to create whitelist recipient domains list like abc.com, xyz,com ... list will be approx 1000 domains.

Business Requirement: i have to add this list in the exception rule of a policy in the recipient section. so that no incident will generate if a mail goes to any of these domains. now the problem is i have 20 policies so i have to manually update the domains list one by one in 20 policies.  There are changes on weekly basis depending on company requirement if i need to add one more domain then i have to open 20 policies one by one and add the extra domain in each policy.

solution required: is there any way i can create the list one time and use the path of that list in the form of excel file or any other way in DLP so that update will be done only in one list and further it will automatically be updated in the 20 policies. in simple words i am asking a centerlized list can be created and use the path of that sheet in 20 policies  and no need to open the 20 policies and update the recipient section one by one.

Hello,

Using DLP endpoint is created 2 incidents for one action.

One with filename 

One with path

Plz help

Does anyone have a solid and working script to pull back the loggedin user for web incidents using powershell? We have been trying to get something working with python to no avail as well as powershell. We have a powershell script that works when you manually do the 'lookup' but does not work automatically when new incidents are generated. if you have anything working and are willing to share we would be very appreciative.

Morning,

I am trying to create some DI's with the following format 

[B][A][D]/d{2}/d{6}/[L][R][O] or BAD/12/345678/LRO

ie three letters (but specific letters only ie in this case BAD/2 numbers/6 numbers/three letters (and specific ones ie LRO)

I put the above statement into the DI but it does not seem to work the way i expect it to. There are no variations I want to search for ie wide/narrow etc. all the documents I want to detect have the exact same format ie the above.

I cannot see anything obviously wrong but thought I would post here for help. Secondly I would also like to find keywords. is this better to go within the DI or as part of the policy that uses the DI. The keywords are a couple of sentences. eg. This is a sentence, Not another sentence. where both phrases comma seperated would need to be searched for but the whole phrase not just part of it.

Thanks for any help and advice.

Can anyone tell me if upgrading IE to version 11 on the DLP Enforce and other discover and prevent servers has any adverse effects?  I know it does not affect clients connecting and IE itself is rarely used on these boxes, but we are trying to bring the browser level up to the supported level from Microsoft. I wanted to be sure that IE components being upgraded do not interfere with the DLP components.  Thanks.