1 Reply Latest reply on Jan 13, 2014 12:18 PM by vimalnavis

    Notification of major bypass flaw with DLP, allows users to easily bypass controls

    keithdrone

      This is to let other users of McAfee Host DLP know about a bug/issue within Host DLP (tested in 9.3 and 9.3 patch1).

       

      The text-extractor has a built-in time-out value of 30 seconds before 'releasing' the file along its way regardless of the intended policy response.

       

      This means, if your users are sending large files (Excel files are very susceptible for obvious reasons) to email, or USB, and the scan takes more than 30 seconds the file goes along its way regardless of whether it's protected or not.

       

      Additionally, the 'intended' action (such as block, or require justification) is still logged. So if your EPO shows that 1,000 credit card numbers were blocked, this may not be accurate.

       

      I've put in a PER request for the ability to customize this timeout value, and to ensure that the end user is not notified incorrectly (such as requiring justification, the user could click 'cancel' and believe they have NOT sent/copied the file but actually they have and the logs show it was blocked though it was not). I've also been working with support to request an updated version/hotfix/whatever for a customized value.

       

       

      While 30 seconds may seem excessive to worry about, consider that scan time increases on slower systems or systems with other CPU processes running. Additionally, files such as databases that could contain data required to be blocked/inspected could definitely pass the timeout.
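
The failure mode described in the post above, modeled as an added example (not McAfee's code and not part of the original post): a content scan whose timeout fails open next to one that fails closed, with the event recording the action actually enforced instead of the intended one. The function names, the simplistic 16-digit pattern, the short timings and the sample text are all constructed for illustration.

```python
import concurrent.futures as cf
import re
import time

# Simplistic 16-digit card pattern, constructed for this example only.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def extract_and_scan(text, delay):
    """Stand-in for a text extractor; `delay` simulates a large, slow file."""
    time.sleep(delay)
    return bool(CARD_RE.search(text))

def enforce(text, delay, timeout, fail_closed):
    """Scan with a deadline and return an event describing what really happened."""
    pool = cf.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(extract_and_scan, text, delay)
    try:
        sensitive = future.result(timeout=timeout)
        completed = True
    except cf.TimeoutError:
        sensitive, completed = None, False
    finally:
        pool.shutdown(wait=False)  # do not hold the transfer decision on the scan

    if completed:
        enforced = "block" if sensitive else "allow"
        reason = "policy_match" if sensitive else "no_match"
    else:
        # Fail-open releases the unscanned file; fail-closed holds it.
        enforced = "block" if fail_closed else "allow"
        reason = "scan_timeout"

    # Log the enforced action and whether the scan finished, never only the
    # action the policy intended, so reports cannot overstate what was blocked.
    return {"scan_completed": completed, "enforced": enforced, "reason": reason}

SAMPLE = "invoice for card 4111 1111 1111 1111"  # constructed test data

if __name__ == "__main__":
    print(enforce(SAMPLE, delay=0.0, timeout=1.0, fail_closed=False))
    print(enforce(SAMPLE, delay=0.3, timeout=0.05, fail_closed=False))
    print(enforce(SAMPLE, delay=0.3, timeout=0.05, fail_closed=True))
```

Counting events with `reason == "scan_timeout"` and `enforced == "allow"` gives the number of transfers that left unscanned, which is the figure the post says the console report hides.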