3 Replies Latest reply on Mar 27, 2014 8:41 AM by omar_tx

    Wrong User Flagged in DLP Block event

    omar_tx

      In one of my dashboards I have 90% of my DLP Agents stating that "Agent is not running - User is logged off." Does the user need to be logged in for DLP to take action on the rules/policies applied? Before you answer, please read why I am asking this. I had an incident recently where a user plugged in an iPhone, which is unauthorized in our network and set to block. The user wasn't logged in and never did log in because he only did this to charge his phone. We didn't receive an event that day. Now the next day, a different person logged on to the computer and that's when we received the event that the iPhone was blocked. The event time was also during the time the user logged in, not when the phone was actually plugged in. Unfortunately, we ended up targeting the wrong user because of this until the actual person who plugged the phone in came forward. Can someone shine the light on me as to why this may have happened? Does the user need to be logged in for DLP to report and/or take action on the rules/policies applied? As an added detail, in my DLP dashboard I have about 90% of my agents stating "Agent is not running - User is logged off." Any help will be appreciated.

       

      Message was edited by: omar_tx on 3/19/14 10:41:45 AM CDT
        • 1. Re: Wrong User Flagged in DLP Block event

          The DLPe Agent is active only when a user is logged on to the computer.

          Ensure that the DLP MA Properties Reporting Server Task is running properly. This task affects the Agent Status Query/Dashboard Monitor.

           

          Message was edited by: vimalnavis on 3/26/14 6:42:43 PM CDT
          • 2. Re: Wrong User Flagged in DLP Block event
            trevorw2000

            What you're reporting has always been my experience with DLP. Thankfully none of our end users have figured that out. I was caught off guard once when we went to confront someone who allegedly plugged in an Android phone and they pointed out that they own an iPhone. Thankfully we have a limited number of shared workspaces, but we're more cautious when inquiring about a device plug-in now that we understand that the event gets tied to the logged-in user at the time the agent reports back to ePO.

            • 3. Re: Wrong User Flagged in DLP Block event
              omar_tx

              vimalnavis, I checked to make sure and yes we do have the DLP MA Properties Reporting Server Task running. trevorw2000, I guess this is something we just have to deal with. Thank you both for your responses.