21 Replies Latest reply on Nov 6, 2014 8:35 AM by ninjaneer68

    DLP Protection Rules

    mullenjm

      Hello All,


      I'm attempting to lock down CD/DVD devices using DLP. I was able to successfully control who has no access to them, who has read rights and who has the ability to write. I did this using User Assignment Groups with device rules and everything works great.


      For the User Assignment Group that has the ability to write, I want to add a protection rule that monitors what files they write, requests justification and stores evidence. I made the necessary protection rule and an application definition which includes our burning software of choice. However, when I open the application and burn a file to verify the policy is working correctly, it's as if the rule isn't applied at all. I'm never prompted for justification and the DLP logs don't show the files I burned. I've also noticed that users in the allow-write User Assignment Group are unable to use the built-in Windows burning utility.


      What am I doing wrong? I greatly appreciate any assistance!

        • 1. Re: DLP Protection Rules
          mullenjm

          We're currently using DLP 9.2 and ePO 4.5. Below are the steps I followed.


          1) Modified the default Media Burner Application Definition to include our Media Burner Application

          2) Created a Removable Storage Protection Rule & Enabled It

          3) Selected Media Burner Application Definition with Block, Monitor, Notify User, Request Justification and Store Evidence.

          4) Assigned Removable Storage Protection Rule to appropriate User Assignment Group.


          However, upon logging in, the rule isn't applied at all. Could process strategy have anything to do with it?


          I'm also wondering if the known compatibility issue below applies. We do enforce UAC and our user assignment group only has one domain group. Unfortunately I can't disable UAC to verify this is our issue.


          540126
          Issue: On Windows Vista and Windows 7 with User Account Control (UAC) turned on, if a user assignment group has only one domain group, protection rules do not work when you apply a policy to a member of the assignment group or log in as any member of the domain group.


          on 5/23/13 11:58:52 AM CDT
          • 2. Re: DLP Protection Rules

            Bump! This is exactly what I am experiencing as well. Any help from the experts?

            • 3. Re: DLP Protection Rules
              mullenjm

              I spoke with McAfee support and found out that monitoring all files written to a device isn't possible. You have to create classification rules for certain types of files (wildcards won't work) and then do tagging based on those classification rules.

              • 4. Re: DLP Protection Rules
                ninjaneer68

                I don't know how true that is @mullenjm. I set up a protection rule and only had it monitor explorer.exe when writing files to a USB device. It recorded each file that was moved to the device.


                I would also like to do the same with CD/DVD, but I haven't been able to figure out how to define the internal Windows 7 burner.

                • 5. Re: DLP Protection Rules
                  tonyw

                  CD/DVD drives modify the data as it's being written to disk and DLP is not able to track using a Removable Storage Protection rule. DLP can track using an application file access protection rule.


                  McAfee KnowledgeBase - How to monitor files copied to CD/DVD-R/W devices using Data Loss Prevention Endpoint 9.3.x

                  • 6. Re: DLP Protection Rules
                    ninjaneer68

                    tonyw


                    Thanks for explaining why it doesn't work and the link for monitoring files for CD/DVD-R/W.

                    It's exactly what I was looking for.

                    • 7. Re: DLP Protection Rules
                      tonyw

                      No problem. Glad I could help!

                      • 8. Re: DLP Protection Rules
                        ninjaneer68

                        tonyw,


                        I am just now getting to testing the above. The only part I don't fully understand yet: I can't enable the rule unless I have a content category or tag. I don't understand the tags and categories under the definitions. Can you give me a generic overview of this or point me in the direction of something to read on it?


                        Any help is greatly appreciated

                        • 9. Re: DLP Protection Rules
                          tonyw

                          From the Product Guide -


                          Tags:


                          Tags give you a method for classifying content and reusing that classification. Tagging rules assign tags to content from specific applications or locations. Once assigned, the tag stays with the content as it is moved or copied, or included in or attached to other files or file types.


                          Content Categories:


                          Content categories, known as content tags in earlier versions of McAfee DLP Endpoint software, are another way of classifying content. Content categories are used with classification rules to classify content and registered document groups. They can also be specified directly in most protection rules.
