We use Host DLP 9.2 Patch 2 (ePO 4.6.6), and we want to use Removable Storage File Access Protection Rules.
We have deployed a rule with the following conditions:
Connected device IS "All USB with NTFS-or-FAT"
Connected device IS NOT "Encrypted with McAfee Encryption"
The file being accessed IS any of: "'.EXE', '.COM', '.TMP', etc."
The following whitelisted applications will be excluded from this rule: "WhitelistApps".
In the group WhitelistApps we add some applications: winword.exe, excel.exe.
As you can see, we want to block access to TMP files because we have reasons to consider these files dangerous.
But if we try to save a Winword file (some.docx) directly to the USB drive, this operation is blocked by DLP.
In "Process Monitor" (from Sysinternals Suite) we see:
Process Name: winword.exe
Result: ACCESS DENIED
Detail: Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
Does anybody have any idea why the whitelisted application is not excluded from blocking?
UPD. The problem persists on Windows 7 Ult SP1 and Windows XP Pro SP3, and with any application (not only winword.exe).
Message was edited by: DimSys on 12/12/13 11:55:35 AM ALMT
Message was edited by: DimSys on 12/12/13 2:11:17 PM ALMT
Looks like everything is working as expected. You are excluding winword.exe but not .tmp files. Office creates .tmp files before saving files. I do not see how you can save office files without excluding .tmp files.
It looks like my mistake.
In the Product Guide we see: "...Whitelisted Application definitions can be included in the rule to exempt specifically named files from the blocking rule."
I thought it meant whitelisted apps can EXECUTE blocked files.
But in fact the whitelisted apps can be EXECUTED from removable storage.
Am I right now?
Message was edited by: DimSys on 12/13/13 9:38:17 AM ALMT
That's right. Whitelisted applications are excluded/exempted from rules, and that's what the Product Guide says. That does not mean they are allowed to execute blocked files.
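To make the difference between the two readings concrete, here is an added Python model of the rule from this thread (not code from the product or from anyone in the thread). It evaluates constructed file accesses under both interpretations: the whitelist exempting the accessing process (the original assumption) versus the whitelist exempting the named files themselves (the behaviour confirmed above). The temp file name and the .docx path are constructed sample values.

```python
import os
from dataclasses import dataclass

# Rule as configured in the thread: block these extensions on removable
# storage, with the "WhitelistApps" group holding winword.exe and excel.exe.
BLOCKED_EXTENSIONS = {".exe", ".com", ".tmp"}
WHITELIST_APPS = {"winword.exe", "excel.exe"}


@dataclass(frozen=True)
class FileAccess:
    process: str                    # image name of the process touching the file
    path: str                       # file on the removable device
    device_encrypted: bool = False  # "Encrypted with McAfee Encryption"


def _name(path: str) -> str:
    """Lower-case file name from a Windows-style path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_blocked(access: FileAccess, whitelist_exempts_process: bool) -> bool:
    """True when the rule would deny the access.

    whitelist_exempts_process=True models the assumption that the whitelist
    exempts the accessing application. False models the semantics confirmed
    in the thread: the whitelist exempts the named files only, so a
    whitelisted program may itself be run from the device, nothing more.
    """
    if access.device_encrypted:
        return False            # condition "IS NOT encrypted" is not met
    name = _name(access.path)
    if os.path.splitext(name)[1] not in BLOCKED_EXTENSIONS:
        return False            # extension not covered by the rule
    if whitelist_exempts_process:
        return access.process.lower() not in WHITELIST_APPS
    return name not in WHITELIST_APPS


# Constructed events approximating the failed save seen in Process Monitor:
# Word writes a temporary file first, then the .docx itself.
OFFICE_SAVE = [
    FileAccess("winword.exe", r"E:\~WRD0001.tmp"),
    FileAccess("winword.exe", r"E:\some.docx"),
]


def denied_files(events, whitelist_exempts_process: bool) -> list:
    """Paths the rule denies for a sequence of accesses."""
    return [e.path for e in events if is_blocked(e, whitelist_exempts_process)]


if __name__ == "__main__":
    print("assumed semantics:", denied_files(OFFICE_SAVE, True))   # []
    print("actual semantics: ", denied_files(OFFICE_SAVE, False))  # the .tmp
```

Under the confirmed semantics the .tmp write is denied, which is exactly the ACCESS DENIED the save produced; exempting the temporary files from the rule is what lets the save complete.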
Maybe it would be better to rename this feature to "Whitelisted Files"? Because customers can block not only EXE but any type of file, for example BAT or VBS, and these are not application files.
And I think an additional feature is needed that would allow excluding some applications (Word, WinRAR, etc.) so that they have ACCESS to blocked files on removable storage (as in the situation described in my first post).
How to submit a Product Enhancement Request (PER)