Notification of major bypass flaw with DLP, allows users to easily bypass controls
This is to let other users of McAfee Host DLP know about a bug/issue within Host DLP (tested in 9.3 and 9.3 patch1).
The text-extractor has a built in time-out value of 30 seconds before 'releasing' the file along its way regardless of the intended policy response.
This means, if your users are sending large files (Excel files are very susceptible for obvious reasons) to email, or USB, and the scan takes more than 30 seconds the file goes along its way regardless of whether its protected or not.
Additionally, the 'intended' action (such as block, or require justification) is still logged. So if your EPO shows that 1,000 credit card numbers were blocked, this may not be accurate.
I've put in a PER request for the ability to customize this timeout value, and to ensure that the end user is not notified incorrectly (such as requiring justification, the user could click 'cancel' and beleive they have NOT sent/copied the file but actually they have and the logs show it was blocked though it was not). I've also been working with support to request an updated version/hotfix/whatever for a customized value.
While 30 seconds may seem excessive to worry about, consider that scan time increases on slower systems or systems with other CPU processes running. Additionally, files such as DataBases that could contain data required to be blocked/inspected could definately pass the timeout.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.