JKBH1
Level 9
Message 1 of 11

ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard Mode

Hi,

We have seen some web protection incidents do not display the URL destination in the Incident list, but the URL detail is available when the incident is opened.

McAfee KB91503 states this unreliable behavior is expected when Chrome is used in Incognito mode. However, we are seeing that the destination information is also missing when files are uploaded to Gmail and Outlook.live using Chrome in Standard mode (and not triggered with Incognito mode). The destination shows as ‘Not Available’ in the Incident List view.

Is there another McAfee configuration setting that will pull in the URL destination details in the Incident List view?

Thank you.

10 Replies
McAfee Employee LKS
McAfee Employee
Message 2 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

I think a DLP engineer would be the right person to comment on the reported issue. I will move this post to the DLP forum.

McAfee Employee jsubbura
McAfee Employee
Message 3 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Hi @JKBH1 ,

Thank you for writing in here.

The Additional Information section for the web protection rules shows you the URL to which the data is uploaded.

In Chrome, to get the URL information you would need to have the DLP Chrome extensions present in the Chrome browser on your client machine.

Kindly make sure you have the below option enabled in your Windows client configuration. If it's not checked, then DLP will not be able to collect the URL information and the Additional Information section would be blank.

"Chrome web extension - for identifying address bar URL"

client config.PNG

Some organizations' group policies would block Chrome extensions from being loaded by applications. Kindly make sure that there are no such restrictions on loading the DLP Chrome extensions in your Chrome browser. If you have the DLP Chrome extensions in your browser, you can verify the same as below:

chrome dlp extension.PNG

 

dlp extension.PNG

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thank you

Regards,
Jithendran S
McAfee Employee
JKBH1
Level 9
Message 4 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Hi Jithendran S, 

Thank you for the quick reply and detailed explanation with screenshots.

Yes, that "Chrome web extension - for identifying address bar URL" checkbox has always been checked in the Windows client configuration settings and when we are using the Standard mode in Chrome. McAfee DLP is the only one managing our Chrome extensions in the firm. We have configured it without any restrictions. 

Also, below looks like a new "feature" in DLP 11.4. I have not seen this in 11.2.

When we checked and unchecked the Disable Incognito and Guest mode tickboxes, there is a warning message that enabling Chrome Incognito/Guest mode could lead to unreliable URL information (see KB91503).

Chrome_IncognitoGuest_Modes.png

 

 

Our analysts heavily rely on the URL information when investigating incidents. Is there anything else that the product can do to rectify this issue? 

Thank you.

McAfee Employee sbalamur
McAfee Employee
Message 5 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Hi @JKBH1 ,

This notification was already available in earlier version as well. Also, could you please let me know whether the URL is internal or external?

Can you try different combinations of the three options in the Web Protection Evaluation option available in Web Protection Settings in the Windows Client Configuration policy and let us know the status?

If the issue still repeats, I would request you to raise a case with Technical Support for remote assistance.

Was my reply helpful? If you find this post useful, please give it a Kudos!

Please don't forget to select "Accept as a solution" in my reply and together we can help other members?

Regards
Subramanian B
McAfee Employee
JKBH1
Level 9
Message 6 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Hi Subramanian B, 

The URLs we are getting in our incidents are all external links/sites.

In our testing, the only options that we have checked under Chrome in our Windows Client configuration settings are the following 2:

x Chrome web extension - for identifying address bar URL

x Chrome Web Handler
    x Protect sensitive data upload and web application control
 
We are allowing users to browse in incognito and guest modes so we are not going to check both disable incognito and guest modes checkboxes.
 
KB91503 has stated that this issue happens in incognito or guest modes... but we have seen this happen in Standard mode as well. McAfee engineering should do more testing and revalidate what the KB has stated. Thank you.
McAfee Employee jsubbura
McAfee Employee
Message 7 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Hi @JKBH1 ,

Good Day! 

Thank you for the update. 

First things first. DLP 11.2 and DLP 11.4 extensions have more differences with respect to Google Chrome Web Post Protection Rules. In DLP 11.2, DLP would not be able to block the uploads to Chrome; however, DLP would just monitor the upload. This is because Google Chrome changed their design from Chrome version 69, due to which none of the third-party DLP vendors were able to block the uploads in Chrome using their DLP solutions.

Now from DLP 11.3 and DLP 11.4, Chrome file uploads are being blocked by DLP. However, to gather the URL information, Google has allowed us to use the Extensions concept in browsers. So if we have the DLP extensions in Chrome, we would be able to see the URL information.

You are correct, please find the DLP screenshots from DLP 11.1 and DLP 11.4,

chromedlp111.PNG

The DLP 11.4 extension and DLP 11.3 extension will throw you a warning when enabling Incognito mode.

new chrome.PNG

 

The DLP Google Chrome extensions are not loaded in Google Chrome Incognito or Guest mode. So, DLP does not have the current browser URL and reports the last known URL.

The DLP Google Chrome extensions are loaded in Google Chrome's Standard (Normal) mode. So, DLP has the correct browser URL and reports reliable URL information.

We do not have any other options here; it's Google's code design to block extensions from loading and give users privacy when they use Incognito mode. In organizations, with respect to security guidelines, it's good to block Incognito mode itself.

If your organization relies heavily on the URL information for incident analysis, then you would need to tick "Disable Incognito Mode" and "Disable Guest Mode". If these are ticked, then DLP will not allow the user to use Incognito Mode or Guest Mode at all.

 

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Regards,
Jithendran S
McAfee Employee
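
The replies above name two conditions that affect URL capture: a group policy that blocks Chrome extensions, and Incognito or Guest mode being available. As an added example (not part of the thread and not McAfee tooling), this PowerShell sketch reads the standard Chrome machine-policy registry keys on a client to check both. The extension ID is a placeholder because the thread does not give it, and the precedence logic between block, allow and force lists is simplified.

```powershell
# Added example: audit Chrome machine policy (HKLM) for settings that decide
# whether a browser extension can load and whether Incognito/Guest are usable.
# PLACEHOLDER: replace with the DLP extension ID shown on chrome://extensions.
$DlpExtensionId = 'REPLACE_WITH_DLP_EXTENSION_ID'
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Get-ChromePolicyList {
    param([string]$Name)
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    # List policies are stored as numbered string values ("1", "2", ...).
    return @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

function Get-ChromePolicyValue {
    param([string]$Name)
    if (-not (Test-Path $PolicyRoot)) { return $null }
    $prop = Get-ItemProperty -Path $PolicyRoot -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$Name
}

$blocklist = @(Get-ChromePolicyList 'ExtensionInstallBlocklist')
$allowlist = @(Get-ChromePolicyList 'ExtensionInstallAllowlist')
$forcelist = @(Get-ChromePolicyList 'ExtensionInstallForcelist')

# Force-list entries look like "<extension id>;<update URL>".
$forced  = @($forcelist | Where-Object { ($_ -split ';')[0] -eq $DlpExtensionId }).Count -gt 0
$listed  = ($blocklist -contains '*') -or ($blocklist -contains $DlpExtensionId)
# Simplified precedence: an allow-list or force-list entry exempts the extension.
$blocked = $listed -and -not $forced -and -not ($allowlist -contains $DlpExtensionId)

# IncognitoModeAvailability: 0 = available (default), 1 = disabled, 2 = forced.
$incognito = Get-ChromePolicyValue 'IncognitoModeAvailability'
# BrowserGuestModeEnabled: 0 = guest mode disabled; unset = available.
$guest     = Get-ChromePolicyValue 'BrowserGuestModeEnabled'

[pscustomobject]@{
    ExtensionId        = $DlpExtensionId
    BlockedByPolicy    = $blocked
    ForceInstalled     = $forced
    IncognitoAvailable = ($incognito -ne 1)
    GuestAvailable     = ($guest -ne 0)
    UrlCaptureAtRisk   = $blocked -or ($incognito -ne 1) -or ($guest -ne 0)
}
```

Only machine-level policy is read here; compare the result with `chrome://policy` on the same client, which also shows user-level and cloud-delivered policy.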
JKBH1
Level 9
Message 8 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Thanks very much for the response.

We are not able to accommodate disabling incognito or guest modes in Chrome at this time. We will have to come up with a customized filter for URLs to put in their daily dashboard.

Can we please update KB91503 to state that whether in Incognito, Guest or Standard mode, this issue of not being able to view the URL can happen?

KB91503 currently states "Data Loss Prevention does not display reliable URL information when using Google Chrome in Incognito or Guest mode". As I have mentioned in my first post, our tests have shown that even in Standard mode--- it is not showing the URL info in the view list either.

McAfee Employee jsubbura
McAfee Employee
Message 9 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Hi @JKBH1 ,

Thank you for the update.

KB91503 is correct.

However, if your tests show that URL information is not visible in Standard mode, then there could be only one cause, as per my earlier post:

DLP extensions are not loaded in Chrome.

It is an issue if the URL information is not seen in the Incident Manager when Chrome is being used in Standard mode and when DLP extensions are loaded successfully.

Kindly open up a service request with McAfee Technical Support to work on this issue. McAfee Tech Support would require the client machine where the issue can be reproduced, so kindly arrange a remote session of this client machine as well.

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Regards,
Jithendran S
McAfee Employee
JKBH1
Level 9
Message 10 of 11

Re: ePO 10 update 4 is not displaying incidents with URL destination when using Chrome in Standard M

Thank you. A McAfee support case has been opened for this issue. 
