I would like to know whether there is any limit on adding senders (e.g. abc@abc.com) and recipients (abc@abc.com) in a policy detection rule. If I add 10000 pid domains or more than that in the policy detection rule, is there any impact on DLP email traffic, or any other issue?
Maximum number of senders or recipients in a detection rule
How can we use a single sender/recipient list in DLP version 12?
I need to create a whitelist of recipient domains like abc.com, xyz.com ... the list will be approx. 1000 domains.
Business requirement: I have to add this list to the exception rule of a policy in the recipient section, so that no incident is generated if a mail goes to any of these domains. The problem is that I have 20 policies, so I have to manually update the domain list one by one in 20 policies. There are changes on a weekly basis depending on company requirements; if I need to add one more domain then I have to open the 20 policies one by one and add the extra domain in each policy.
Solution required: is there any way I can create the list once and use the path of that list, in the form of an Excel file or any other way, in DLP, so that the update is done only in one list and it is then automatically applied to the 20 policies? In simple words, I am asking whether a centralized list can be created and the path of that sheet used in the 20 policies, with no need to open the 20 policies and update the recipient section one by one.
Double incidents
Hello,
Using DLP Endpoint, 2 incidents are created for one action:
One with the filename
One with the path
Please help.
Lookup from IP (Sender-email or Sender-IP) to logged-in user
Does anyone have a solid, working script to pull back the logged-in user for web incidents using PowerShell? We have been trying to get something working with Python to no avail, as well as PowerShell. We have a PowerShell script that works when you manually do the 'lookup' but does not work automatically when new incidents are generated. If you have anything working and are willing to share, we would be very appreciative.
Help creating a custom Data Identifier in DLP 12.5
Morning,
I am trying to create some DIs with the following format:
[B][A][D]/d{2}/d{6}/[L][R][O] or BAD/12/345678/LRO
i.e. three letters (but specific letters only, in this case BAD) / 2 numbers / 6 numbers / three letters (specific ones, i.e. LRO).
I put the above statement into the DI but it does not seem to work the way I expect it to. There are no variations I want to search for (i.e. wide/narrow etc.); all the documents I want to detect have the exact same format, i.e. the above.
I cannot see anything obviously wrong but thought I would post here for help. Secondly, I would also like to find keywords. Is this better done within the DI or as part of the policy that uses the DI? The keywords are a couple of sentences, e.g. "This is a sentence, Not another sentence", where both comma-separated phrases would need to be searched for, but the whole phrase, not just part of it.
Thanks for any help and advice.
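The pattern posted above, run through a standard regular-expression engine (Python's re here, as an added example that is not part of the post and makes no claim about how the DLP Data Identifier engine parses its input): the forward slash before each `d` has no special meaning, so `/d{2}` matches the literal text `/dd`, not two digits; `\d` is the digit class. The block also shows one way to require whole phrases, using word boundaries, and a constructed compound rule (identifier AND phrase) so the two halves of the question can be tried together on sample text. The phrase list and the sample documents are constructed for the example.

```python
import re

# The pattern exactly as typed in the post. In a standard regex engine a forward
# slash is an ordinary character, so "/d{2}" means the literal "/d" with the "d"
# repeated twice, not two digits.
AS_POSTED = re.compile(r"[B][A][D]/d{2}/d{6}/[L][R][O]")

# Corrected pattern: "\d" is the digit class, one-letter character classes
# collapse to literals, and \b on both ends keeps "XBAD/12/345678/LROX" out.
CORRECTED = re.compile(r"\bBAD/\d{2}/\d{6}/LRO\b")

# Constructed whole-phrase keywords, taken from the example in the post.
PHRASES = ["This is a sentence", "Not another sentence"]


def find_identifiers(text, pattern=CORRECTED):
    """Return every identifier in text that matches the pattern, in order."""
    return pattern.findall(text)


def find_phrases(text, phrases=PHRASES):
    """Return the phrases that occur whole in text (case-insensitive).

    re.escape keeps punctuation inside a phrase literal; \\b on both ends
    rejects fragments such as "sentence" alone or "This is a sentences".
    """
    hits = []
    for phrase in phrases:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text, re.IGNORECASE):
            hits.append(phrase)
    return hits


def matches_rule(text):
    """Constructed compound rule: at least one identifier AND one whole phrase."""
    return bool(find_identifiers(text)) and bool(find_phrases(text))


if __name__ == "__main__":
    sample = "Ref BAD/12/345678/LRO. This is a sentence from the document."
    print("as posted:", AS_POSTED.findall(sample))   # []
    print("corrected:", find_identifiers(sample))    # ['BAD/12/345678/LRO']
    print("phrases:  ", find_phrases(sample))        # ['This is a sentence']
    print("rule hit: ", matches_rule(sample))        # True
```

Whether the DI or the policy is the right place for the phrases is a product question the post leaves open; what the block shows is that the phrase test and the identifier test are independent checks that can be combined, and that the phrase test has to anchor on both ends or it will fire on fragments.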
Integrating Active Directory & DLP for assigning Users to Roles automatically
Automatically add users to roles in DLP?
I am working on a project where incident response would like to be moved to the department head, but I am running into an issue: how do I automatically assign users to roles?
Active Directory attributes are populated, including Manager and Department, so I can create roles with the correct conditions.
I can then assign a user to the correct role.
So Joe can be assigned to the Human Resources role and then review only incidents from people within his department or people he is flagged in AD as the Manager of.
Now here's the problem... I have 1500 departments and 1500 managers. How do I automatically (programmatically) assign a user to a role and, more importantly, how do I update Joe's role when he is no longer the manager of HR but the manager of Customer Service?
Thanks
Hi Jesse,
It would be a great improvement in DLP profile management to be able to use AD attributes or groups to manage profile assignment, but for now it is not possible.
I think the only way to do what you want is to update the DLP database using a home-made script (in older DLP versions I was able to mimic browsing through the DLP UI pages to perform some extracts automatically, but it was so tricky, and there were so many updates in the following versions, that it does not work anymore). There are two tables to be updated:
UserRoleMapping: in order to assign a user to a role
ProtectUser: in order to update the defaultroleid field
(maybe there are some other tables to update, but I don't think so; it has to be tested)
So your script has to access the AD information (directly or via a flat file), then analyze who should have which profile, and then check in the DB whether everything is OK or not. If there is something to be updated you may go through a third-party system to request the update (or validation) or do it automatically in the DB. You should implement some control to be sure that the role exists (for example after a new organisation definition)...
Of course updating the DLP DB directly is never a good solution, but when it is the only one, this could be a solution while waiting for the DLP tool to get these new capabilities.
Regards
PS: I can perform some tests on my side, as I am sure many DLP customers would be interested in it (in Europe, managing department and country segregation sometimes looks crazy).
FICHET Stéphane
Associate & Consultant | ID-LOGISM
IE 11 on DLP servers?
Can anyone tell me if upgrading IE to version 11 on the DLP Enforce server and the other Discover and Prevent servers has any adverse effects? I know it does not affect clients connecting, and IE itself is rarely used on these boxes, but we are trying to bring the browser level up to the level supported by Microsoft. I wanted to be sure that the IE components being upgraded do not interfere with the DLP components. Thanks.
Who has ideas for the upcoming DLP Symantec Certified Specialist (SCS) exam?
The Symantec Education Services team is beginning development of the new DLP 14.5 SCS exam. We invite you to participate in the development of the exam by submitting real world scenarios and questions that you think would be great on our certification exam!
A few rules:
- No True/False questions
- Avoid the use of "All of the above" or "None of the above" answer options
- Questions should test meaningful content
SCS exams are being enhanced with the inclusion of advanced question types that measure outcomes. If you draft ideas / questions, please avoid questions that measure basic knowledge of features and functions. Rather, we seek questions that require problem solving skills and measure real-world use cases. If you think you have great ideas for questions about Data Loss Prevention, email Orlando_Martinez@Symantec.com to see the draft exam objectives and offer ideas / questions & answers that you would like to see on the DLP 14.5 SCS exam.
Please note: By submitting 20 or more quality items that make it to our final exam, you are choosing to opt-in to being listed as a contributor on the study guide. You can opt-out at any time by contacting us through this post or by emailing Orlando_Martinez@Symantec.com or Global_Exams@Symantec.com.
Thank you for your interest in the Symantec Certification Program!
Train. Certify. Succeed!
http://go.symantec.com/certification
IT Analytics Server v2.1 Install

In this video, we demonstrate how to install the new standalone IT Analytics Server v2.1 with the Symantec Data Loss Prevention content pack.
IT Analytics Server 2.1 Cube Browser for Symantec Data Loss Prevention Users

Bay Dynamics recently announced the availability of the standalone IT Analytics Server 2.1, which includes an enhanced web-based cube browser. This video walks you through how, as an existing Symantec customer, you can leverage IT Analytics Server to visualize your cube data and take advantage of its benefits.
Tri-State DLP User Group meeting - Sept. 14, 2016
Please join us for the next Tri-State Data Loss Prevention User Group meeting on Wednesday, Sept. 14 from 2:00 pm to 5:30 pm at Great American Insurance (Dixie Terminal) in Cincinnati.
Lunch will be served!
Agenda
- 2:00 – 2:30 Welcome and Introductions
- 2:30 – 3:30 Symantec Product Overview: James Kelly – “DLP 14.5 release, what’s coming in 14.6 + other DLP updates”
- 3:30 – 4:30 Customer Presentation: Brandon Baker, LGE-KU – “DLP: Non-traditional use cases”
- 4:30 – 5:00 Customer Roundtable Discussion
- 5:00 – 5:30 Conclusion, Feedback, and Prizes!
- 5:30 – Happy Hour at The Yard House (95 E. Freedom Way)
How to manage DB crypto key on multiple enforce server?
Currently I have an Enforce server ver 11.6 (E-A) and DB 10.2.0.5 (D-A), which are outdated in terms of H/W & OS and hosted in location A.
We have upgraded hardware available in location B, so the plan is to upgrade the Enforce server to ver 12.0 (E-B) and the DB to ver 11.2.0.3 (D-B) in location B.
Considering resource availability, I need to plan the reallocation of services and the application upgrade on the new platform (in terms of OS).
Below are the activity phases. Please suggest if I can plan this in a better way.
Phases:
- Current setup. (E-A ---> D-A)
- Build a parallel Enforce server ver 11.6 in location B, on new H/W & OS (E-B will be set up with ver 11.6).
- Establish a DB connection between the Enforce server ver 11.6 in location B and DB 10.2.0.5 in location A (E-A & E-B on 11.6 --> D-A); this will be over the WAN connection.
- Change the Enforce settings on all detection servers from location A to location B.
- Migrate the DB from the location A (10.2.0.5) server to the location B (11.2.0.3) DB server.
- Change the DB settings on the Enforce server ver 11.6 hosted in location B and point it to the location B DB (11.2.0.3) server.
- Upgrade the location B Enforce server from ver 11.6 to 12.0.
Queries:
- For phase 2: a parallel DB connection needs to be created between the location A DB server and two Enforce servers (hosted in locations A and B), so can I use the location A Enforce server ver 11.6 crypto key on the location B server? Because creating a new crypto key for the location B Enforce will create a new DB; however, I need to create multiple connections from a single DB.
- Phase 3: how feasible is it to point the Vontu application to the DB over WAN/MPLS connectivity?
- For phase 4: to avoid any downtime in this phase, I am planning to add two Enforce servers to all detection servers. Is that feasible?
Thanks.
Email drop issue at Email Prevent
Hi All,
I need help understanding the cause of this issue.
I am getting connection drops of around 2-3% at the Email Prevent servers. TLS is enabled on all Email Prevents, but I'm not sure about the MTA.
When I checked the Wireshark capture from the Prevent servers, I can see data transactions after EHLO and then a 421 connection refused error after the data exchange.
Downward MTA --> Load Balancer --> VIP of 6 Email Prevents --> Load Balancer --> Upward MTA --> Exchange
Example of 5204:
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1204) Forward connection closed (tid=24 cid=22,521 local=192.168.11.78:2961 remote=192.168.10.124:25)
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|R: 250 2.0.0 Ok
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,516 local=192.168.11.78:25 remote=192.168.10.123:7706 messages=26 time=11.08s)
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|S: MAIL FROM:<> SIZE=14569
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|S: RCPT TO:<w@rcpt.com> ORCPT=rfc822;w@rcpt.com
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|S: DATA
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect
SEVERE: (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=24 cid=22,516 local=<> remote=<> reason=End of stream)
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run
INFO: RPT(24) Waiting for new connection
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|R: 250 2.1.0 Ok
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|R: 250 2.1.5 Ok
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|R: 354 End data with <CR><LF>.<CR><LF>
Example of 5202:
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageCommitted
INFO: (SMTP_MESSAGE.1300) Message complete (tid=24 cid=22,452 message_id=<13494681262a4bb9ers4aab3d59b18c9a@CY1PR64MB0092.021d.mgd.msft.net> dlp_id=155fd744b8d size=13,772 sender=<za@sender.com> recipient_count=2 disposition=PASS code=250 estatus=<> text=<2.0.0 Ok: queued as 69C1320114> rtime=0.02s dtime=0.02s mtime=0.03s)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageComplete
FINE: RPT(24): message complete .. RECEIVING -> COMPLETE
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(24)|R: 221 2.0.0 Bye
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect
INFO: (SMTP_CONNECTION.1202) Peer disconnected (tid=24 cid=22,453 local=192.168.11.78:8148 remote=192.168.10.124:25)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1204) Forward connection closed (tid=24 cid=22,453 local=192.168.11.78:8148 remote=192.168.10.124:25)
Jul 19, 2016 9:08:40 AM com.vontu.logging.operational.api.PropertyFileOperationalLogWriter generateLogMessage
WARNING: Argument number mismatch for key SMTP_CONNECTION.5202: layout requires 5 args, but was passed 4
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handleIOException
INFO: (SMTP_CONNECTION.5202) Sender connection error (tid=24 cid=22,452 local=192.168.10.123:50092 remote=An existing connection was forcibly closed by the remote host reason={4})
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handleIOException
WARNING: RPT(24): Handling servicing op IOException on RPT(24)[22452|S:[/192.168.11.78:25 -> /192.168.10.123:50092] with peer RPT(24)[22453|R:[{- UNCONNECTED -}] as disconnect.
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect
INFO: (SMTP_CONNECTION.1202) Peer disconnected (tid=24 cid=22,452 local=192.168.11.78:25 remote=192.168.10.123:50092)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,452 local=192.168.11.78:25 remote=192.168.10.123:50092 messages=1 time=0.03s)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread run
INFO: RPT(24) Waiting for new connection
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(26)|S: RSET
Thanks / Bhupesh
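To put numbers on "2-3%" from logs like the ones above, a small Python parser (an added example, not part of Bhupesh's post or of the product) over a constructed excerpt modelled on the quoted entries. It keys on the event code in parentheses rather than the log level, since 5202 is logged at INFO even though it is a failed sender connection, pairs each 5202/5204 disconnect with the 1205 "Service connection closed" record for the same cid, and reports which service connections were affected, how many messages they carried, and the reason= each one recorded. The sample lines are constructed from the quoted ones with a placeholder message_id and one added, cleanly closed connection (cid 22,460) so the ratio is not trivially 100%.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt modelled on the Email Prevent entries quoted above. The
# last service-connection close (cid 22,460) is an added clean connection so the
# per-connection ratio below is not trivially 100%.
SAMPLE_LOG = """\
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1204) Forward connection closed (tid=24 cid=22,521 local=192.168.11.78:2961 remote=192.168.10.124:25)
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.RequestProcessorHandler handleLine
FINER: RPT(25)|R: 250 2.0.0 Ok
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,516 local=192.168.11.78:25 remote=192.168.10.123:7706 messages=26 time=11.08s)
Jul 19, 2016 9:13:30 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handlePeerDisconnect
SEVERE: (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=24 cid=22,516 local=<> remote=<> reason=End of stream)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread messageCommitted
INFO: (SMTP_MESSAGE.1300) Message complete (tid=24 cid=22,452 message_id=<msgid@example.invalid> dlp_id=155fd744b8d size=13,772 sender=<za@sender.com> recipient_count=2 disposition=PASS code=250 estatus=<> text=<2.0.0 Ok: queued as 69C1320114> rtime=0.02s dtime=0.02s mtime=0.03s)
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPRequestProcessorThread _handleIOException
INFO: (SMTP_CONNECTION.5202) Sender connection error (tid=24 cid=22,452 local=192.168.10.123:50092 remote=An existing connection was forcibly closed by the remote host reason={4})
Jul 19, 2016 9:08:40 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,452 local=192.168.11.78:25 remote=192.168.10.123:50092 messages=1 time=0.03s)
Jul 19, 2016 9:08:41 AM com.vontu.mta.rp.ESMTPPeer close
INFO: (SMTP_CONNECTION.1205) Service connection closed (tid=24 cid=22,460 local=192.168.11.78:25 remote=192.168.10.123:50210 messages=5 time=0.41s)
"""

# Only lines carrying a coded event "(SMTP_xxx.nnnn)" are of interest; the
# timestamp/class header lines and the FINER protocol traces are skipped.
EVENT_RE = re.compile(r"^(?P<level>[A-Z]+): \((?P<code>SMTP_[A-Z]+\.\d+)\) (?P<body>.*)$")
CID_RE = re.compile(r"\bcid=(?P<cid>[\d,]+)")
MESSAGES_RE = re.compile(r"\bmessages=(?P<n>[\d,]+)")
REASON_RE = re.compile(r"\breason=(?P<reason>[^)]*)\)\s*$")

# Classify by event code, not by log level: 5202 is logged at INFO above even
# though it is a failed sender connection.
DISCONNECT_CODES = {"SMTP_CONNECTION.5202", "SMTP_CONNECTION.5204"}
SERVICE_CLOSED = "SMTP_CONNECTION.1205"


def _num(match, group):
    """Turn a 'cid=22,516' style group into an int, or None if absent."""
    return int(match.group(group).replace(",", "")) if match else None


def parse_events(log_text):
    """Return one dict per coded event line: level, code, cid, messages, reason."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        reason = REASON_RE.search(body)
        events.append({
            "level": m.group("level"),
            "code": m.group("code"),
            "cid": _num(CID_RE.search(body), "cid"),
            "messages": _num(MESSAGES_RE.search(body), "n"),
            "reason": reason.group("reason") if reason else None,
        })
    return events


def summarize(events):
    """Per-connection view: closed service connections, which hit a disconnect error, and why."""
    closed = {}                 # cid -> messages carried on that service connection
    failed = defaultdict(list)  # cid -> [(code, reason), ...]
    for e in events:
        if e["cid"] is None:
            continue
        if e["code"] == SERVICE_CLOSED:
            closed[e["cid"]] = e["messages"]
        elif e["code"] in DISCONNECT_CODES:
            failed[e["cid"]].append((e["code"], e["reason"]))
    affected = sorted(cid for cid in closed if cid in failed)
    return {
        "codes": Counter(e["code"] for e in events),
        "closed_connections": len(closed),
        "affected_connections": affected,
        "failure_rate": len(affected) / len(closed) if closed else 0.0,
        "reasons": {cid: failed[cid] for cid in affected},
        "messages_on_affected": sum(closed[cid] or 0 for cid in affected),
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    print(f"{len(summary['affected_connections'])} of {summary['closed_connections']} "
          f"service connections hit a disconnect error ({summary['failure_rate']:.1%})")
    for cid, why in summary["reasons"].items():
        print(f"  cid={cid}: {why}")
```

Run against the full Prevent log, the failure_rate is the per-connection figure to compare with the 2-3% seen at the load balancer, and the reasons map separates the two cases in the post: "End of stream" on 5204 (the sender side went away mid-DATA) versus the forcibly-closed 5202 whose reason field is left as "{4}" by the argument-count mismatch the WARNING line reports.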
San Francisco Bay Area DLP User Group meeting - Sept. 15, 2016
Please join us for the next San Francisco Bay Area Data Loss Prevention User Group meeting on Thursday, Sept. 15 from 11:00 a.m. to 2:30 p.m. at the Symantec offices in Mountain View.
Lunch will be served!
Agenda
- Welcome and Introduction – Chirag Shah, Mobile Iron
- Welcome and Introduction – David Palic, Symantec
- Lunch (during the presentation)
- Customer Presentation – Chirag Shah: Discussion on Cloud Security and Data Protection best practices and how to solve your issues
- Partner Presentation – David Trum, Trum Partners
- Product Roadmap -- Mario Espinoza, Symantec Sr Dir., Product Management
- Q&A Session / Customer roundtable
- Conclusion, Feedback and Prizes!
Forward traffic from PGP to Network Monitor
Hi All,
I'm new to administering Symantec DLP, so please bear that in mind; I didn't set up our current environment. In my environment we are currently using multiple Network Monitors which utilize Napatech cards - we are tapped into the network.
What I'd like to do is dedicate a Network Monitor to only receive mirrored outbound traffic from a PGP server that sits in the DMZ (that team will configure their appliance/application to send SMTP traffic in clear text to my Network Monitor). Any information on the questions below helps. My questions are:
Is the detection server able to receive this traffic type if it is forwarded rather than utilizing our tap?
What port number does Network Monitor listen on for traffic, and can I port forward directly to Network Monitor?
Since the Napatech card is a direct line, can I configure (check mark in the UI)
Can the Napatech card be configured to have an IP address?
Automation of XML export
Hello all,
I want to automate an export of incidents in XML format by batch.
The only solution I'm thinking of is to use the web API, but that doesn't work.
I used this command:
ReportingAPI.exe URL=https://enforceserver/ProtectManager/services/v2011/incidents?wsdl USER=toto PASSWORD=mypassword INCIDENT_ID=00051847 but the answer is:
NullReferenceException: Object reference not set to an instance of an object.. Details:
System.NullReferenceException: Object reference not set to an instance of an object.
at ReportingAPISample.src.Violations.IncidentViolations.isRequested(Dictionary`2 arguments)
at UpdateAPISample.Program.Main(String[] args)
at ReportingAPISample.src.Violations.IncidentViolations.isRequested(Dictionary`2 arguments)
at UpdateAPISample.Program.Main(String[] args)
The only command that works is this:
ReportingAPI.exe URL=https://enforceserver.fr.world.socgen/ProtectManager/services/v2011/incidents?wsdl USER=toto PASSWORD=mypassword REPORT_ID=25430 but the response is only the IDs of incidents:
22734
22737
22736
22821
22842
22841
22844
22843
22846
22845
...
How can I use this exe to export XML?
Regards
Auto-Provision Access with LDAP
Hi,
I'm curious to know if it is possible to auto-provision user accounts or roles using LDAP.
Example: new user joins the team. They are put into an active directory security group. Can that AD group be mapped to an active role used in Vontu and avoid manual intervention?
DLP agent visible on Endpoint
This version of the DLP Endpoint Agent, 14.5.01 (MP1), adds support for Chrome, and the Chrome extension is visible in the browser interface (see the image below).
Is it possible to hide this extension in the endpoint interface?
NIC or Napatech & Copper or Fiber
Hi,
Two questions. For a Network Monitor implementation I'm wondering what is preferred and why you chose each: copper or fiber? See below as to why I'm asking.
Also, we may implement a new environment (isolated) and are trying to determine if we really need to purchase Napatech cards (way less traffic). We are considering using four four-port NICs instead. Other than dropped packets, would there really be any cons to this? I understand the benefits of a high-speed capture card, but with the amount of data, I'm thinking it won't be necessary. What are your thoughts?
Thanks in advance.
IT Analytics Installation
Hi,
I need to know if I can install IT Analytics on the same server which hosts Enforce and the Oracle DB, and if I can install it on the same server which hosts just the DB (two separate environments).
I'm assuming I would have to do a reinstall of DLP? Any conflicts here?
Any information would be appreciated.
Thanks