5 Replies Latest reply: Feb 5, 2013 9:59 AM by keithdrone

    Host DLP file discovery - Not running?

    keithdrone

      Host DLP (9.2) through EPO (4.6)

      We want to run the 'File discovery' first within our test group, to tag and categorize the information we have classified as sensitive.

      Unfortunately, we have no idea if it has functioned properly, or run at all.

      Agent configuration -

      Discovery, Reporting, and Evidence modules enabled (all others disabled for now)

      Text extraction enabled, Alternate Streams enabled.

      Schedule set, date range set, at a certain time every day (no indication on end machines if this occurs, such as processor utilization, etc.)

      Discovery rules -

      SSN and Credit Card tags/classifications created.

      We have several 'test' files on our test groups, and other tests have shown that the DLP can monitor them when the appropriate protection rules are enabled (to email, USB drive, etc.).

      Additionally, when querying the information from EPO for the target systems, it often does not show the correct 'file discovery' information when the DLP product is selected.

      Is there something else missing? We have most other options/protections/modules disabled for the time being; the idea is that we run discovery, get the information tagged, and then when it's moved/monitored there is less system utilization to identify the information, since it's already been tagged.

        • 1. Re: Host DLP file discovery - Not running?
          dtr

          Hi keithdrone,

          I used the following workflow:

          1) Create a classification rule for credit cards
          2) Activate the following modules:
               - Reporting
               - Evidence
               - Discovery
          3) Change the Discovery Settings in the global properties as follows:

          (screenshot: dlp.PNG)

          (The last line must be marked for testing.) Every time a new agent configuration is pushed, a discovery scan will run. You may disable this in a production environment.

          4) Create a new discovery rule. Use the classification category defined in 1) (--> step 3 while editing the rule)
          5) Choose the reactions in step 5: for example tagging / monitor
          6) Enroll the agent configuration
          7) Make sure the DLP agent receives the new config
          8) The file should be tagged now

          Best regards

          Dennis

          • 2. Re: Host DLP file discovery - Not running?
            keithdrone

            Thank you Dennis;

            That is the method I used as well. I've also confirmed that our 'test files' will trigger other rules on other test machines (such as notification, send to evidence, etc.).

            But following the intended discovery, we not only have no 'tagged' files (verified by using the 'Manual Tagging' feature on endpoints), but we see no evidence of any process 'crawling' the systems (Process Monitor/Explorer from Sysinternals used to verify).

            As a last-ditch effort, I uninstalled the agent from one of the test endpoints, wiped it, did a fresh install, and re-deployed with the 'run immediately' option still set, and nothing occurred.

            • 3. Re: Host DLP file discovery - Not running?
              dtr

              Is the user on the test system part of the group defined in the Discovery Rule?

              Can you activate some other modules of DLP (for example Web Protection) to test if the DLP policy works in general?

              Best regards

              Dennis

              • 4. Re: Host DLP file discovery - Not running?
                keithdrone

                Dennis, thank you for your quick response.

                Yes, we've verified that they work.

                User popup, Justification, USB, Email, Web, File System, Printing, Clipboard, etc. They all result in auto-tagging, notification, send to evidence, etc.

                Within EPO 4.6, when we go to System Tree and view product details for DLP, it shows 'next discovery 2/2/2013 at 11pm'. This is incorrect, and has never changed regardless of the policies and schedules we attempt to apply.

                I've also verified using the DLP Agent Diagnostic Tool that the policies and 'discovery rules' are applied to the endpoints, but the tool does not appear to provide schedule information.

                CPU/Memory options are set liberally, only to pause if it hits 95%, and no other programs are running on these test machines.

                • 5. Re: Host DLP file discovery - Not running?
                  keithdrone

                  This has been resolved.

                  We had to access the policy for DLP from the EPO policies (such as from Policy Catalog or System Tree) for the DLP agent configuration.

                  For whatever reason, this agent configuration overwrites the agent configuration specified in the DLP interface.

                  If anyone knows how to sync these, that would be appreciated.