Message 1 of 7

DLP Actual action vs Expected Action

I have a scenario where I am transferring a file from desktop to removable media (with or without FRP encrypted/decrypted/installed) and am expecting DLP to block the transfer. DLP does throw up the block notification, but it does not actually block the transfer.

 

The DLP event on the server shows that it did not block.

Actual Action: No Action

Expected Action: Block

 

Does anyone know how to determine why this happens?

6 Replies

Re: DLP Actual action vs Expected Action

Hello

That works as designed.

Block actually means delete afterwards.

The file will be copied to the drive, and after this action happens, DLP can take the action defined in the rule.

The thing is that the device must be reachable by the DLP. So if the popup appears and you unplug the drive and after that click on Block, then no action will happen, because the file cannot be deleted by DLP when the drive isn't connected.

Message 3 of 7

Re: DLP Actual action vs Expected Action

There is no justification or user choice available. The rule action is simply "Block." I would expect it to be copied and immediately deleted or not copied at all.

Re: DLP Actual action vs Expected Action

The thing is that in the background, after a successful copy, you can see FCAG.exe consuming CPU, which actually means that DLP is doing the classification of the files and after that will decide what to do with the file. During the whole process the file must remain reachable for the DLP processes.

If you are using keywords in classification, then it takes time until DLP finishes the analysis of all files. Also, in the client configuration, in the section for removable media devices, you can find a timeout after which the analysis will end and allow the copy of the file. You can see that in DLP Incident Manager as a time out.

 

Instead of using Data Protection Rules, Device Control is more useful, where read-only can be set for recognized removable media devices. Unfortunately MTP devices (mobile phones, tablets...) are excluded from this rule; for these devices only Data Protection rules can make something like read-only access.

No action can also happen when the user terminates the copy.

Definitely the workflow is:

The user copies data to USB, the data is stored to the USB, DLP starts analysis of the copied files and does classification and rules check. If the rule is matched, then it will do the configured action. During the whole operation the files must be reachable for the DLP.

Message 5 of 7

Re: DLP Actual action vs Expected Action

What you are saying does not mesh with what I am seeing. The file I am testing with is a 1kb text file with a trigger string in it. It's lightweight and quick. My guess is that I have something misconfigured.

I can't control by specific device due to the fact that I need to allow so many models of removable media. In fact that is one of the issues I have with DLP. The device control rules don't work with data control rules, which is really what I need. I can already control device access via other means. What I need is to simply find data outbound to removable media and block/delete if a rule is triggered.

 

I think I will ask support.

Re: DLP Actual action vs Expected Action

As per my understanding, you have created a DLP rule (Removable Storage Protection rule) and it's configured in block mode with all file types in classification.

If yes, it should block the file transfer from desktop to external device, but it is not blocking.

Expected action: the (Block) action which is defined in the rule.

Actual action: the action taken on the endpoint during the file copy.

I suspect this is because of a wrong configuration in the Windows client configuration policy (Policy catalog --> Data loss prevention 11.x --> Windows client configuration policy). Check the below settings:

1. Check whether Data Protection is enabled or not (Device Control with full content tracking).

2. Check the analyzing time and the action defined if the time exceeds the threshold in the Removable Media session.

 

Kindly let me know if you have any other queries... 

Message 7 of 7

Re: DLP Actual action vs Expected Action

Here are my settings:

Policy catalog --> Data loss prevention 11.2 --> Windows client configuration policy

Device Control: block and allow charge, enforce immediately

Operational Mode and Modules: Device Control and full content protection, everything checked except for discovery - email, and outlook section.

Removable Storage Protection: normal delete mode, file analysis max time = 30 seconds, if time exceeded = block.

 

Interesting logs (there is no StormShield):

c:\programdata\mcafee\dlp\temp\logs\session#1\HDLP_agent_(11.9.2019)(8.17-12).log

2019-09-11 13:00:19.728 [10992] [WARNING][AgentStormShieldService::isPrerequisitesInstalled(301)]> Failed to find StromShield Util path in the registry
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::checkConnectedUser(184)]> StormShield product doesn't installed
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::getFileInfo(109)]> Unable to get connected user
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::isFileEncrypted(158)]> getFileInfo failed for file c:\users\<username>\desktop\dlptest.txt user
2019-09-11 13:00:20.332 [10992] [OERROR] [Monitoring Service] [EvidenceService::renameEvidenceFileToRepBufFile] Error rename file in repbuf: {00000000-0000-0000-0000-000000000000}.xml.dlpenc.rep

c:\programdata\mcafee\dlp\temp\logs\session#1\HDLP_te_(11.9.2019)(8.17-18).log

2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [`anonymous-namespace'::myLoadFailureHook] Cannot find a DLL to load ("msipc.dll")
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [McAfee::DLP::RMS::ADRMSWrap::init] Cannot load the required DLL.
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [MsDRMTextExtractorHelper::ensure_ready] Cannot initialize AD RMS; DRM error=18.
2019-09-11 13:00:20.693 [10340] [OERROR] [Text Extractor] [KvManager::createKvFile] Failed to fpOpenFile (c:\users\<username>\appdata\roaming\microsoft\windows\recent\automaticdestinations\f01b4d95cf55d32a.automaticdestinations-ms). Error - 13. Time Spent: 0 milliseconds

 

Based on the logs, I am tempted to completely remove and then reinstall the agent and DLP on this test machine.
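The agent and text-extractor excerpts above mix two record layouts (a `[Class::method(line)]>` tag in the agent log, `[Service] [Class::method]` tags in the text-extractor log), which makes it awkward to see at a glance which subsystem is producing the errors and whether any line actually touches the test file. The parser below is an added example written for this thread; it is not McAfee code and is not taken from the thread. It assumes only the record shape visible in the quoted lines, which it reuses as its sample input, and the "component" heuristic (service tag if present, otherwise the class before `::`) is this example's own convention, not an official field.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the HDLP_agent / HDLP_te excerpts quoted in the thread, with the two
# log file paths kept as header lines (<username> and the all-zero GUID are the
# thread's own placeholders). Lines that are not log records are skipped.
SAMPLE_LOG = r"""
c:\programdata\mcafee\dlp\temp\logs\session#1\HDLP_agent_(11.9.2019)(8.17-12).log
2019-09-11 13:00:19.728 [10992] [WARNING][AgentStormShieldService::isPrerequisitesInstalled(301)]> Failed to find StromShield Util path in the registry
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::checkConnectedUser(184)]> StormShield product doesn't installed
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::getFileInfo(109)]> Unable to get connected user
2019-09-11 13:00:19.728 [10992] [ERROR][AgentStormShieldService::isFileEncrypted(158)]> getFileInfo failed for file c:\users\<username>\desktop\dlptest.txt user
2019-09-11 13:00:20.332 [10992] [OERROR] [Monitoring Service] [EvidenceService::renameEvidenceFileToRepBufFile] Error rename file in repbuf: {00000000-0000-0000-0000-000000000000}.xml.dlpenc.rep
c:\programdata\mcafee\dlp\temp\logs\session#1\HDLP_te_(11.9.2019)(8.17-18).log
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [`anonymous-namespace'::myLoadFailureHook] Cannot find a DLL to load ("msipc.dll")
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [McAfee::DLP::RMS::ADRMSWrap::init] Cannot load the required DLL.
2019-09-11 13:00:20.259 [10340] [OERROR] [Rights Management Service] [MsDRMTextExtractorHelper::ensure_ready] Cannot initialize AD RMS; DRM error=18.
2019-09-11 13:00:20.693 [10340] [OERROR] [Text Extractor] [KvManager::createKvFile] Failed to fpOpenFile (c:\users\<username>\appdata\roaming\microsoft\windows\recent\automaticdestinations\f01b4d95cf55d32a.automaticdestinations-ms). Error - 13. Time Spent: 0 milliseconds
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "  # timestamp
    r"\[(?P<tid>\d+)\] "                                   # thread id
    r"\[(?P<level>[A-Z]+)\]\s*"                            # WARNING / ERROR / OERROR
    r"(?P<rest>.*)$"
)
TAG_RE = re.compile(r"^\[(?P<tag>[^\]]*)\]\s*>?\s*")  # [Service] or [Class::fn(line)]>
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"()]+")        # Windows paths quoted in a message


@dataclass
class Record:
    ts: str
    tid: int
    level: str
    tags: list
    message: str

    def component(self) -> str:
        """Coarse subsystem name (this example's own convention): the service tag
        when the record carries one, otherwise the class in front of '::'."""
        if not self.tags:
            return "unknown"
        if len(self.tags) >= 2:
            return self.tags[0]
        return self.tags[0].split("::")[0]

    def paths(self) -> list:
        return PATH_RE.findall(self.message)


def parse_record(line: str):
    """Parse one HDLP record; return None for header lines and blanks."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rest, tags = m.group("rest"), []
    while (t := TAG_RE.match(rest)):        # peel off every leading [tag] group
        tags.append(t.group("tag"))
        rest = rest[t.end():]
    return Record(m.group("ts"), int(m.group("tid")), m.group("level"), tags, rest.strip())


def parse_log(text: str) -> list:
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def summarize(records) -> Counter:
    """Count records per (component, level) so the noisy subsystems stand out."""
    return Counter((r.component(), r.level) for r in records)


def mentions_file(records, filename: str) -> list:
    """Records whose message references a path ending in the given file name,
    e.g. the 1 KB test file from the thread."""
    name = filename.lower()
    return [r for r in records if any(p.lower().endswith(name) for p in r.paths())]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (comp, level), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {level:8s} {comp}")
    for r in mentions_file(recs, "dlptest.txt"):
        print("touches test file:", r.ts, r.level, r.tags[-1], "->", r.message)
```

Run against a real session directory by reading each `HDLP_*.log` and concatenating the text before calling `parse_log`; the per-component counts separate the StormShield and AD RMS "not installed" noise from the Monitoring Service and Text Extractor errors, and `mentions_file` shows which records refer to the file whose block was expected.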
