3 Replies Latest reply on Mar 26, 2015 4:29 AM by M Bagheryan M

    NCPR blocks Skype completely

    M Bagheryan M

      Here is the Scenario which I have with DLP. Anybody know what is going on with this new release?

       

      The complete application (Skype) itself was blocked down.

      Remote in and found that NCPR was blocking all the traffic from and to Skype.

      The rule was set with no restriction and with one tag included; the tagging rule was set for all kinds for files (no restrictions).

      Found many incidents in the incident manager as the rule is triggered with the applied tag.

      Edited the tagging rule with only some certain file types and rebooted the machine; now able to login to skype and the tagged files are blocked as well.

      But once a file is blocked by DLP, skype is not able to connect back; informed that, if once DLP blocks a data flow, DLP hooks that particular process, and which needs to restarted to continue working.

      Restarted the application; but still the same.

      Rebooted the client; Skype is not accessible and DLP still generates events.

      I confirmed that, the same rule when applied on a fresh client machine gives the same result.

      That is, the application Skype is completely blocked by DLP, even when no attachments are sent.

      Activated DLP Agent Bypass and skype was able to connect to the network and got disconnected soon when the Bypass time expired.

       

      <<I already Collected the log and it is possible to share depends on replies.>>

        • 1. Re: NCPR blocks Skype completely
          M Bagheryan M

          This rule is blocking the file not the functions run on it.

          • 2. Re: NCPR blocks Skype completely
            palex

            Hi, M Bagheryan M!

            If you say about Network Communication Protection Rule, I can say the following:

            If you put a lock function of the network connection, then the rule is triggered to protect the network connection is blocked until the end of the work blocked the application (program).

            This feature DLP Endpoint, and here we can not do anything. If you want, we can make a request for revision, because I like it a lot are not satisfied.

            About blocking Skype: Most likely you have set incorrectly self protection rule:
            1. Skype creates a bunch of network connections, for example, if you block him sending messages, it will send a bunch of messages on different network ports. First on the 443, then at 43HHH, 33033 and so on.
            2. These compounds are generated every second (on average), so if you block the network connection, then "drown" in a large number of messages on the console DLP.

            I can suggest a few options:
            1. Monitoring sending-receiving files over AFAPR.
            2. Copy the entire database when you run Skype on Skype endpoint computer. And then hand-database search with the help of other programs.

            If you want to talk on this subject, write me.

            • 3. Re: NCPR blocks Skype completely
              M Bagheryan M


              Thanks for comment.

               

              Just for additional info:

               

              1. If you want to block all type of attachment over IM, it will block the program not drop the attachment.

              2. For blocking the attachments you can use it by mentioning the types of files specified.

               

              Note: 2* : It will block the program during the attaching the file, and if you want to revive the program, you have to cancel the file transferring first then quit and start the program again.

               

              Enjoy.

              M. B. M