How to use the DLPe Application File Access Protection Rule
Hello, in this document, we’re going to talk about one of the cool features with DLPe. In DLPe, we have the ability to block files that match certain criteria’s from being accessed by an application. These criteria are fully customizable and can be anything from a single word to an advanced pattern, and there are many built in criteria’s such as social security numbers or credit card numbers. After you’ve selected a criteria, you can ensure that specific applications, such as ftp programs, cannot access files that match up with your selected criteria.
We’re just going to create a policy to block the ftp software Filezilla from accessing Social Security Numbers, pop up a message, and report on that to ePO so that we can see that it was blocked.
Our first step is to create a criteria that will identify Social Security Numbers and prevent those from being accessed.
Select Menu | Data Protection | Classification
Here, we’ll want to create a new classification by clicking on the New Classification in the bottom left.
Let’s name this classification “Contains Social Security Numbers Classification” and click OK
Now, let’s select Action | New Classification Criteria
We’ll Name this Classification Criteria “Social Security Numbers Criteria”
Since we’re adding a criteria for Social Security Numbers, we’ll want to click on the arrow next to Advanced Pattern.
Then, we’ll click on the three dots next to the field and in the popup menu, we’ll type in Social Security in the Filter Items box and hit go. Put a check next to Social Security Number and then click OK at the bottom.
Now that that’s assigned, you can click Save to save your criteria. Lastly, you have to save this classification by clicking on Actions | Save Classification.
Now that we have our classification created, we can go to our DLP Policy Manager to assign this classification. Go to Menu | Data Protection | DLP Policy Manager.
First, we’ll want to create a new rule set. Click on Actions | New Rule Set and name this rule set “Prevent SSN from being accessed Rule set”. Now, click on your new rule set.
Click on Actions | New Rule | Application File Access Protection. Let’s name this rule “Prevent SSN from being accessed Rule”. We’ll also need to change the state from Disabled to Enabled. Let’s also change the severity from Warning to Major.
In the bottom section, we’ll want to use our newly created classification. In the Classification section, click on the three dots on the right hand side. Select the Contains Social Security Numbers Classification and then click OK.
In the Applications section, we’ll want to select the application that we want to block access to Social Security Numbers. In this case, I’m going to click on the three dots to the right of the field. In the window that pops up, I’m going to click on New Item.
In the name section, I’m going to enter Filezilla. There are many options available, but I’m just going to click on the arrow next to the Original Executable File Name. Next, I’m going to use the dropdown to select Contains and enter filezilla.exe into the box and click save.
Lastly, I’m going to put a check next to Filezilla and click OK.
Now, let’s move to the Reaction tab by clicking on “Reaction”. Here, let’s use the dropdown to change the Prevent Action be to Block. In the User Notification section, click on the three dots to open the User Notification dialog box. Now, check the “Default application file access protection user notification” and click OK. Lastly, let’s check the Report Incident box and then click save at the bottom right. We can now close the DLP Rule Set.
Lastly, let’s check the Report Incident box and then click save at the bottom right. We can now close the DLP Rule Set.
Next, we’ll want to assign this policy by clicking on the Policy Assignment Tab. Click Actions | Assign a Rule Set to policies. In the drop down, select your “Prevent Social Security Numbers from being accessed” rule set and assign it to the My Default DLP Policy. Then Click OK. This will assign it to all systems with the My Default DLP Policy.
After you’ve assigned the policy, you’ll need to apply the selected policy by clicking Actions | Apply Selected Policies, and then Make sure that the My Default DLP Policy is checked and click OK.
Okay, let’s go ahead and wake up the agent again so that the new policies are sent down to the client system. I’m just going to perform a collect and send props from the client.
Now that the DLP Policy has been sent to the client system, let’s test it out.
Here are two text files, one with an SSN and one without.
I’m going to open up Filezilla and connect to my ftp server. When I copy a file without an SSN number, it will complete successfully. When I try to copy over the file with the SSN, it will move the file over but all of the data will be removed. This protects against the loss of sensitive data.
Reviewing DLPe Incidents
Even though McAfee DLPe has blocked these attempts to copy, as an administrator you’ll want to see these blocked incidents. You can also configure the policy not to block and only report when a copy attempt is made.
To review the incidents, go to Menu | Data Protection | DLP Incident Manager. In the DLP Incident Manager, you can see that there was an attempt to copy the SSNs. You can review the details of the incident by clicking on the Incident ID number in the first column. Additionally, you can create an automated email or a reviewer with the Incident Tasks tab.
As we can see, the Application File Access Protection rules provide you have a lot of flexibility as to what you can do. For example, you can create a rule that prevents multiple potentially dangerous applications from having access to sensitive data while ensuring that applications that require it will still have access.