Can someone please advise on a policy to do the following:
Monitor all objects plugged into the USB bus and report them to DLP Monitor.
Block .exe from running on USB flash drives.
You need to create 2 different rules:
One for USB device monitoring and another for a file access protection rule.
Create USB definition (choose bus type - USB) -> create removable storage rule -> monitor only -> assignment group -> enable rule
Check this out for the file access protection:
- Amiya Bisoi
All seems to be working OK to a point now. DLP Monitor doesn't report any file names, though, when they've been copied to USB devices etc. - should this be the case (I've set this up with a protection rule)?
Message was edited by: mcafeee on 08/07/10 03:59:58 CDT
Is there an option for storing evidence? If yes - do you have a tick mark for that?
Give a quick try for monitoring specific files rather than all files and see if you see any changes! That seems to be unusual, not getting the file trace in monitor.
No, there's no way to capture just the file name without capturing the file as well.
The file name on its own is really not enough for any investigation - what if someone just renamed every sensitive file to a benign name? You'd think your rule was broken if all the files were called "lunch menu.docx".
Thanks for the response, we've kinda got a workaround now though... we've changed the agent to hit-highlighting in agent config and it's just grabbing the file name now.