1390 Views 5 Replies Latest reply: Feb 5, 2013 9:59 AM by keithdrone
keithdrone Apprentice 56 posts since
Jan 28, 2013

Jan 30, 2013 3:42 PM

Host DLP file discovery - Not running?

Host DLP (9.2) through EPO (4.6)

 

We want to run the 'File discovery' first within our test group, to tag and categorize the information we have classified as sensitive.

Unfortunately, we have no idea if it has functioned properly, or ran at all.

 

 

Agent configuration -

Discovery, Reporting, and Evidence modules enabled (all others disabled for now)

Text extraction enabled, Alternate Streams enabled.

Schedule set, date range set, at certain time every day (no indication on end machines if this occurs, such as processor utilization, etc)

 

Discovery rules -

SSN and Credit Cards tags/classifications created.

 

 

 

We have several 'test' files on our test groups, and in other tests have shown that the DLP can monitor them when the appropriate protection rules are enabled (to email, USB drive, etc).

 

 

Additionally, when querying the information from EPO for the target systems, it often does not show the correct 'file discovery' information when the DLP product is selected.

 

 

 

Is there something else missing? We have most other options/protections/modules disabled for the time being. The idea is that we run discovery and get the information tagged; then, when it's moved/monitored, there is less system utilization to identify the information since it's already been tagged.

  • dtr Newcomer 6 posts since
    Jan 7, 2013
    1. Feb 1, 2013 3:33 AM (in response to keithdrone)
    Re: Host DLP file discovery - Not running?

    Hi keithdrone,

    I used the following workflow:

     

    1) Create a classification rule for credit cards

    2) Activate the following modules:

         - Reporting

         - Evidence

         - Discovery

    3) Change the Discovery Settings in the global properties as follows:

    [screenshot: dlp.PNG]

    (The last line must be marked for testing.) Every time a new agent configuration is pushed, the discovery scan will run. You may disable this in a productive environment.

    4) Create a new discovery rule. Use the classification category defined in 1) (--> step 3 while editing the rule)

    5) Choose the reactions in step 5: for example tagging / monitor

    6) Enroll the agent configuration

    7) Make sure the DLP agent receives the new config

    8) The file should be tagged now

     

     

    Best regards

     

    Dennis

  • dtr Newcomer 6 posts since
    Jan 7, 2013
    3. Feb 1, 2013 7:55 AM (in response to keithdrone)
    Re: Host DLP file discovery - Not running?

    Is the user on the test-system part of the group defined in the Discovery-Rule?

     

    Can you activate some other modules of DLP (for example Web Protection) to test if the DLP-Policy works in general?

     

    Best regards

     

    Dennis
