This question would get better attention in the McAfee Web Gateway forum, as the block page of which you speak is actually configured in the MWG interface, not in anything involving the network DLP goodies.
That said, I'm experienced in both, and while block pages are relatively easy to figure out how to customize, it's a pretty involved procedure to modify email notifications...to the point I'd not advise anyone doing it alone the first time.
You'd be well served opening a service request with the (in my experience) very helpful McAfee Web Gateway Team if you haven't already.
the nature of the beast
Most modern Web Applications use Ajax to upload data in the backend 'outside' of the visible content of the browser. What then happens is that the ICAP Server will issue a 403 which the ICAP client then sends back to the browser. As the file transfer happens outside of the visible portion of the web page, the page is not able to display the block message and can only state that 'something' happened while transferring the data.
So what could we do to notify the users that their upload or whatever has been blocked? Right now I'm planning to send email notifications to the users.
Obviously there could be a lot of confusion when a generic error is displayed rather than specifically notifying the user on what really happened.
Andre Sabban wrote:
I think the email notification is the easiest approach. Most people have their mail client running all day long and will immediately see the notifications. Much better would be a client side tool MWG could talk to to display an error message, but we don't have this at the moment.
+1 to email notification... so long as some sort of throttling can be baked in as you wouldn't want to email DOS someone if some sort of uploader kept trying a bunch of times, or if several post requests that get blocked are triggered.
As for client software, I can see the lure from a technical end user communication and notification standpoint, but speaking on behalf of other multi-product administrators ... honestly I and our Windows admins want another piece of McAfee software on my endpoints like I need a hole in my skull. ;-) But you're right that out of band notification is definitely a plus in situations like these.
MWG has "duplicate mail prevention", which should do the job pretty well. You can tell it to send 1 mail within 10 minutes or similar :-)
In a perfect world MWG would tell a locally installed VirusScan Enterprise, ePO Agent or whatever already runs on a client to show a dialog or write something into a dashboard that is available for the end user... or Windows provides an API that authenticated services could talk to (like the "net send" popups that were fun a few years ago :-)).
I assume with all the Web2.0 stuff there will be something in the future.
I incorporated a similar technique in one of my demonstration videos.
At about the 8:00 mark, you will see me try to download an attachment but it is blocked and doesn't save because of malware. You'll notice that an Outlook notification pops up at that point and gives details of the blockage.
I had recorded a similar segment for DLP, but it's on the cutting room floor and never made it into the final, but the mail notification was the same.
The challenge to doing this is deriving the email address from the authenticated user. If the logon name is the same as the email address like:
Then it's pretty easy to derive the destination mail address with a string manipulation.
However, if it's not the same as the logon, like:
you will probably have to do an LDAP lookup to get the email address attribute.
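The two pieces discussed in this thread, deriving a recipient address from the authenticated logon (string manipulation when the logon is already an address, a directory lookup otherwise) and throttling so a retrying uploader does not flood the user with mail, put together as an added example. This is not MWG's own code or configuration and is not from any poster here; the `DIRECTORY` dict is a constructed stand-in for an LDAP mail-attribute query, and the event tuples are constructed sample block events.

```python
# Added example: recipient resolution plus duplicate-notification throttling
# for ICAP/DLP block events. Not product code; names and data are assumed.

# Constructed stand-in for a directory (LDAP) lookup of the mail attribute.
DIRECTORY = {
    "jsmith": "john.smith@example.com",
    "CORP\\adoe": "alice.doe@example.com",
}


def resolve_email(logon, directory=DIRECTORY):
    """Return the notification address for an authenticated logon name.

    If the logon already looks like an address, normalise it with plain
    string manipulation; otherwise fall back to the directory lookup.
    """
    if "@" in logon:
        local, _, domain = logon.partition("@")
        return f"{local}@{domain.lower()}"
    addr = directory.get(logon)
    if addr is None:
        # No mail attribute: surface it rather than silently dropping the notice.
        raise LookupError(f"no mail attribute for {logon!r}")
    return addr


class NotificationThrottle:
    """Send at most one notification per recipient within a time window.

    Mirrors the 'one mail within N minutes' idea: repeated blocks inside the
    window are counted as suppressed instead of producing more mail.
    """

    def __init__(self, window_seconds=600):
        self.window = window_seconds
        self._last_sent = {}    # recipient -> timestamp of last mail
        self._suppressed = {}   # recipient -> blocks not mailed since then

    def should_send(self, recipient, now):
        last = self._last_sent.get(recipient)
        if last is not None and now - last < self.window:
            self._suppressed[recipient] = self._suppressed.get(recipient, 0) + 1
            return False
        self._last_sent[recipient] = now
        self._suppressed[recipient] = 0
        return True

    def suppressed_count(self, recipient):
        return self._suppressed.get(recipient, 0)


def process_block_events(events, throttle, directory=DIRECTORY):
    """events: iterable of (timestamp_seconds, logon, blocked_url).

    Returns the list of (recipient, url) notifications that would be sent;
    the throttle decides which events are collapsed into an earlier mail.
    """
    sent = []
    for ts, logon, url in events:
        recipient = resolve_email(logon, directory)
        if throttle.should_send(recipient, ts):
            sent.append((recipient, url))
    return sent


# Constructed sample: an Ajax uploader retrying three times in ten seconds,
# a second user blocked once, then the first user again 15 minutes later.
SAMPLE_EVENTS = [
    (0, "jsmith", "https://app.example.com/upload"),
    (5, "jsmith", "https://app.example.com/upload"),
    (10, "jsmith", "https://app.example.com/upload"),
    (12, "bob@Example.COM", "https://other.example.com/api/post"),
    (900, "jsmith", "https://app.example.com/upload"),
]

if __name__ == "__main__":
    throttle = NotificationThrottle(window_seconds=600)
    for recipient, url in process_block_events(SAMPLE_EVENTS, throttle):
        print(f"notify {recipient}: upload to {url} was blocked")
    print("suppressed for jsmith:",
          throttle.suppressed_count("john.smith@example.com"))
```

With the 10-minute window the three rapid retries collapse into a single mail for jsmith, the second user gets their own, and the block 15 minutes later produces a fresh notification; the suppressed count is what you would fold into the mail body ("2 further uploads were also blocked") so the user still learns the full picture.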
Email notification with throttling was what I'm planning to use. Will have to run an LDAP query to get the email of the violator.
I had to crash the following discussion to find the answer for the LDAP query thing