7 Replies Latest reply on Jan 19, 2017 4:54 PM by epoNovice

    DLP 9.4 Query

    epoNovice

      Hi All,

       

      I'm just testing after upgrade from DLP 9.3 to 9.4.  I've migrated all my policies over successfully.  I'm turning them on one by one to test them out.

       

      My Removable protection (monitoring file copy) is working fine; however, I have a rule for "Monitoring Devices Connected". This is not generating events in the Incident Manager for any device connected.

       

      I've restarted the PC after full policy update.

      Reporting service is on within the Client configuration.

      My rule has no exclusions.

      Tried a few different USBs.

       

      The only classification I have is to define a device as anything that has "file system access" and is Read/write.  This was working fine in 9.3

       

      Any ideas ??

       

      Cheers

        • 1. Re: DLP 9.4 Query
          bchavez

          hi,

          If you want to protect copying of sensitive content from a PC to USB, you need to create a Removable Storage Protection rule for that. If you need to block or monitor devices, you need to create a Removable Storage Device rule in the Device Control tab.

           

          greetings.

          • 2. Re: DLP 9.4 Query
            hhoang

            I have tested the below configuration and it worked for me:

             

            Win7

            DLPe 10.0.100

             

            Rule config:

            End user:  any user (ALL)

            Removable storage device definition:  File system access - Read/Write

            No exceptions

            Reaction: Block

             

            To clarify, the client system shows the correct policy revision ID that your server has?  If you create a brand new rule native to 9.4 (as opposed to the converted rule from 9.3) with the same configuration does that work?  If you are using the "any user" option - can you specify the user ID that you are logged in with during testing to see if that works?

            • 3. Re: DLP 9.4 Query
              epoNovice

              Thanks guys, I got this all sorted. I believe there were some configuration options that did not convert correctly from 9.3, so starting with fresh rules was the best way to go.

               

              Now another.  I have a Removable Storage protection rule for all Removable storage which is "Monitoring File transfer of office files and PDF".  This is working correctly and sending the events to EPO when these file types are copied.

               

              When I start to test copies of large numbers of files, e.g. 3000 to 5000 files, this is taking huge amounts of time even before the transfer starts. I think this is down to the Content Classifier and Text Extractor settings, but the time it's taking doesn't seem reasonable. This is still also an issue when I do an Agent Bypass and try the copy.

               

              We do have cases where people need to copy large amounts of files to Approved Storage, but the time it's taking seems unreasonable.

               

              Any ideas ??

              • 4. Re: DLP 9.4 Query
                hhoang

                DLP will analyze content of all files being transferred.  Depending on the content that may take some time.  For the use case you are describing the workaround would be to disable the 'Advanced file copy protection' module.  This is found in your Client configuration policy > Operational mode and modules > Removable storage protection advanced options > Advanced file copy protection.

                 

                This module is a driver that sits in front of the Windows file copy handler (i.e. DLP will analyze content before Windows is allowed to move/copy the file). If you disable this option the file will be copied to its destination, analyzed at the destination, and then remediated (blocked, encrypted, etc. based on your policy) at the destination. This is inherently less secure since the file is allowed to be copied, so you will need to weigh security vs. performance and decide which is more important.

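The trade-off above (pre-copy analysis versus copy-then-remediate) is easiest to weigh with a measured number rather than a feel for "the copy started straight away". The script below is an added example, not part of the thread or of the McAfee product, that builds a constructed corpus of Office/PDF-named test files and times a bulk copy to a removable drive, recording both the delay before the first file lands at the destination and the total copy time. Run it once with 'Advanced file copy protection' enabled and once with it disabled, after the client has picked up each policy revision, and compare the two result rows. The `$Source` and `$Dest` paths, the file count and the marker text are all assumptions for illustration; use a monitor-only rule for the test, since a Block reaction means no file ever appears at the destination.

```powershell
# Added example (not from the thread): time a bulk copy of N Office/PDF-named
# test files to a removable drive so the "time before the transfer starts" and
# the total duration can be compared across DLP client configuration changes.
# Assumptions: $Source/$Dest are hypothetical paths; file content is a
# constructed marker string, not real sensitive data.
param(
    [string]$Source = "$env:TEMP\dlp-copytest",
    [string]$Dest   = "E:\dlp-copytest",
    [int]$Count     = 5000
)

# 1. Build the corpus once. Extensions match the rule under test (Office + PDF).
$exts = '.docx', '.xlsx', '.pptx', '.pdf'
New-Item -ItemType Directory -Force -Path $Source | Out-Null
if ((Get-ChildItem -Path $Source -File).Count -lt $Count) {
    1..$Count | ForEach-Object {
        $ext  = $exts[$_ % $exts.Count]
        $path = Join-Path $Source ("test-{0:D5}{1}" -f $_, $ext)
        # Constructed content: plain ASCII so the text extractor has something to scan.
        Set-Content -Path $path -Value ("DLP-TEST-MARKER file $_ " * 50) -Encoding ASCII
    }
}

# 2. Start with an empty destination so the watcher sees only this run's files.
New-Item -ItemType Directory -Force -Path $Dest | Out-Null
Get-ChildItem -Path $Dest -File | Remove-Item -Force

# 3. A background job polls $Dest and reports when the first file appears;
#    that gap is the pre-copy analysis latency the thread complains about.
$watch = Start-Job -ArgumentList $Dest -ScriptBlock {
    param($d)
    while (-not (Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue)) {
        Start-Sleep -Milliseconds 50
    }
    [DateTime]::UtcNow
}

$copyStart = [DateTime]::UtcNow
$sw = [System.Diagnostics.Stopwatch]::StartNew()
Copy-Item -Path (Join-Path $Source '*') -Destination $Dest -Force
$sw.Stop()

# Give the watcher a bounded wait: with a Block reaction nothing ever lands.
Wait-Job -Job $watch -Timeout 30 | Out-Null
$firstSeen = Receive-Job -Job $watch
Remove-Job -Job $watch -Force

$copied = (Get-ChildItem -Path $Dest -File).Count
[PSCustomObject]@{
    Files            = $copied
    FirstFileSeenSec = if ($firstSeen) { [math]::Round(($firstSeen - $copyStart).TotalSeconds, 2) } else { 'n/a' }
    TotalSec         = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    FilesPerSec      = if ($sw.Elapsed.TotalSeconds -gt 0) { [math]::Round($copied / $sw.Elapsed.TotalSeconds, 1) } else { 'n/a' }
}
```

With the pre-copy driver enabled, expect `FirstFileSeenSec` to carry most of the cost (the whole batch is analyzed before Windows writes anything); with it disabled, `FirstFileSeenSec` should drop to near zero while the DLP events for the copied files arrive afterwards, which is why an event count taken immediately after the copy may be lower than the number of files written. Clean up `$Dest` and `$Source` when finished so the test corpus does not linger on the removable media.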
                • 5. Re: DLP 9.4 Query
                  epoNovice

                  Mate, you are a genius. That's fixed the performance hit. I tested and the copy began straight away. I also took the USB out straight away, and when I hit send events it only sent 530 (out of 5000), so I imagine the DLP "check" only starts once the transfer of all files is completed?

                   

                  Are you able to confirm if this is a new function since DLP 9.3, as we haven't upgraded yet and I've noticed that when I was copying bulk data as a test in 9.3 and sending events straight away it was never the full total I copied. I'm guessing this was because the DLP check was still happening on the storage device after the transfer?

                   

                  Thanks for your help !

                  • 6. Re: DLP 9.4 Query
                    hhoang

                    I would imagine you are correct but I am not 100% sure if that mode 'waits' for the entire transfer to complete before analysis or if it is on an individual file basis.  The option was added in one of the later patches of 9.3 but I don't recall which patch offhand.  If it is included in your version of 9.3 it would be found in the agent configuration section under 'Miscellaneous' and it will be listed as 'File copy handler'.

                    • 7. Re: DLP 9.4 Query
                      epoNovice

                      Thanks for your help.