1 Reply Latest reply on Aug 22, 2017 5:33 PM by jhenriks

    End Point DLP Web Prot Issue

    jhenriks

      We are experiencing what we believe is an issue and we are
      curious if others have experienced it and if so what they did to resolve it.

       

      The issue that we see is when multiple tabs are open in a
      browser instance the McAfee web protection rules analyze content against all
      websites loaded within the browser instance and not just the website where the
      data was entered.

       

      Because we have defined safe and unsafe URL lists we expect
      that this will cause a number of false positives.

       

      This is how we are set up and the test scenario that
      triggers the issue.

       

      Set up

      1. Create classification to be used for testing.  For our test we created a confidential
        key word of conf11.  Skip this step if you have a classification in place that can be used.
      2. Create a URL List classification definition containing one URL.  We use the URL of
        our EPO or our company homepage.  Make sure that the webpage used has some place to
        enter data.  A search box will work.  This URL list will be added to an exception to the rule being created.
      3. Create Web protection rule:

      Name:  WP 1. content to any external [M,RJ,NU,SE]

      State: Enabled

      Condition

      ClassificationState:  - is one of – classification defined in step 1
      And End-User: is any user (ALL)

      And web address (URL): is any URL (ALL)

      And upload type: is any data upload (ALL)

      Exceptions

      Name: Safe websites

      State: enabled

      Classifications: - is one of – classification defined in step 1

      And End-User: is any user (ALL)

      And web address (URL): is one of – URL list defined in step 2

      And upload type: is any data upload (ALL)

      Reaction

      Action: Request Justification        Default Email Justification - OK (no action) | Cancel (block)

      User Notification: Default email protection user notification          Close after 5 seconds

      Report Incident: Report incident = checked           Store original email as evidence = checked

       

      This rule is defined so that it will request justification when
      a user enters sensitive data onto a webpage that is not considered safe.  Safe URLs are included in the URL list and
      added as an exception.

       

      Sensitive content entered onto “Safe” website.

      1) Open URL from list defined in step 2 (Safe site)

      2) Enter into search box (other data entry field works) the content for classification defined in step 1

      3) Select “search”, "enter" or applicable button

      ** Expected Result - searched with no issue

      ** Result – worked as expected

       

      Sensitive content entered onto “Safe” website with unsafe site open in another tab

      1) Open URL from list defined in step 2

      2) Open Gmail (https://mail.google.com) in a new tab within the same browser instance.  Only open and log in to Gmail.  Do not select compose.  This assumes that Gmail is not defined as a "Safe" URL

      3) Return to tab with website opened in step 1 and enter into search box (other data entry field works) the content for classification defined in step 1

      4) Select “search”, "enter" or applicable button

      ** Result – user is prompted for justification.  This is not the expected result

       

      Note: we have discovered if a user attempts to compose a message after opening Gmail the rule functions correctly.  It only seems to have an issue if the user opens the site not considered safe and does not compose a message.  

       

       

      Anyone else experienced this issue?  If so, what was done to resolve it?

       

      Thanks in advance.....