cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
McADOC1
Level 7
Report Inappropriate Content
Message 1 of 6

Can DLP track when document opened on USB?

Hi,

i know dlp can track when a file is moved to/from a usb.  

if a file is opened, viewed and then closed, can it be tracked?

the action does NOT involve a save.

dlp 11.6.

Thanks.

5 Replies

Re: Can DLP track when document opened on USB?

Hello,

Yes, you can do that with an Application File Access Protection rule - however, you'll need to know which applications are going to be used to access the files. You should also be aware that this might cause a lot of false positives so proper tuning might be required using trusted processes. The following articles should be helpful:

https://docs.mcafee.com/bundle/data-loss-prevention-11.6.x-product-guide/page/GUID-B5300857-8FEB-435...

https://docs.mcafee.com/bundle/data-loss-prevention-11.6.x-interface-reference-guide/page/GUID-D1CA3...

https://docs.mcafee.com/bundle/data-loss-prevention-11.6.x-interface-reference-guide/page/GUID-8B27F...

McADOC1
Level 7
Report Inappropriate Content
Message 3 of 6

Re: Can DLP track when document opened on USB?

thanks for the follow up.

documentation vague.

i do not see a way to target only USB devices (or just trying to test with E drive).

i can select adobe and ms apps but classification is confusing.  do you know if i am able to target/select by usb device? 

Selecting all, i can put an exception on the next tab but unable to say 'No C Drive'...rather, how can i exclude that location?

track1.jpg

Re: Can DLP track when document opened on USB?

Hi McADOC1,

Looks like I got the wrong idea initially. In this case, do you have Device Control license active? If so, then you should be able in a rule set to go to the Device Control tab and create a Removable Storage File Access Device Rule:

image.png

 

The bad news here are that you have to define specific file extensions you want to monitor.

Alternatively, you could try using Removable Storage Protection rule and set the monitored Copy Direction to "Incoming - Copy to local drive", but I am not sure if this is going to work according to your expectations.

As for the Application File Access Protection rule, I believe you should be able to also create a new classification using "Location content fingerprinting Criteria", select "Mass storage devices and Floppy Disks" and enter any relevant data - if you want to capture as many files as possible, I believe you could use a "File Information" definition specifying file size greater than 1 KB.

Please let me know if any of the options above worked for you.

alex1759
Level 7
Report Inappropriate Content
Message 5 of 6

Re: Can DLP track when document opened on USB?

DLP is really more about the Content of the Docs than just a counter. But it CAN do it, I suspect a LOT of incidents though.

JaganA
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: Can DLP track when document opened on USB?

@McADOC1 Sorry for the delayed response.

In simple, DLP can not track file Opened, Viewed and closed actions.

If you wish, use Application File Access Protection Rule which can monitor the files accessed / opened. Please be informed, this would trigger plenty of incidents.

JaganA
McAfee Employee

Was my reply helpful?
If yes, click "Accept as Solution" in my reply and together we can help other members?
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community