EMEA Data Loss Prevention User Group

 View Only
  • 1.  How to detect Total Commander copying to Network Share?

    Broadcom Employee
    Posted Jun 04, 2014 06:27 AM

    Hi,

    I am trying to detect, when a user outside the internal network starts copying to the unauthorized network share. I have found, that copying through the Windows Explorer is OK, it is detected and blocked. But, when I use a Total Commander, it goes undetected.

    I have setup, the TOTALCMD.EXE is inside the Application Monitoring, with only "Filesystem Activity" set, but it did not help. (I do not want to monitor all files read by this process, only copies outside to the network share.)

    I am using DLP 11.6.3.

    Any ideas/solutions? (Searching through the forum did not help.)

    Thank you,

    Pavel



  • 2.  RE: How to detect Total Commander copying to Network Share?

    Broadcom Employee
    Posted Jun 04, 2014 02:19 PM

    Hello,

    You can exclude the users from installing that application. If you want to turn on application monitoring and then choose the File Open command for monitoring, you might be able to block a stream in the clear, but this is an all or none check box. We are not able to monitor some and not others. However, if encryption is used during the transfer, then we can't look at that traffic. How are the files copied from share to share?

    Best,

    Ryan



  • 3.  RE: How to detect Total Commander copying to Network Share?

    Broadcom Employee
    Posted Jun 06, 2014 03:22 AM

    Hi Ryan,

    Thank you for proposal. I can not ban this application. I only wanted to assure that people will not connect notebook at home, copying data to home samba network share. But, I realized the behavior of copying to network share (especially when mapped as a drive, i.e. M:) is not monitored within TOTALCMD, but only in EXPLORER.EXE. I do not wan to enable full application file monitoring, as this will make TOTALCMD useless.

    So, I do not see a solution for now.

    Best Regards,

    Pavel

     



  • 4.  RE: How to detect Total Commander copying to Network Share?
    Best Answer

    Broadcom Employee
    Posted Jun 06, 2014 03:38 AM

    Hi Pavel,

    We faced a similar challenge.

    Our solution was to use a rule that leveraged Agent location, (OCN), which enabled users to transfer files when connected to the corporate network, and block transfers when connecting to a "home network".

    Combine Application File Access (AFA) with OCN and this may meet your requirements.

    Let me know how you get on.

    Warm Regards

    Joel Greenwell



  • 5.  RE: How to detect Total Commander copying to Network Share?

    Broadcom Employee
    Posted Jun 23, 2014 06:26 PM

    Hi Joel,

    Thank you for the proposed solution. This is good idea. I will try to use it after installing the 12.5 version where the agent location detection is improved.

    Best Regards,

    Pavel