EMEA Data Loss Prevention User Group

 View Only
  • 1.  How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Jan 29, 2013 10:45 AM

    I have found, that just simple removal of *.jar extension from Agent Configuration does not work. Because internally is JAR just a ZIP. DLP Agent stopped to monitor JAR's only after I had removed also the *.zip from the Monitoring Filter. But, this is not a good idea. Is there any possibility to tell DLP Agent to differentiate between JAR and ZIP?
    Thank you.



  • 2.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Feb 04, 2013 06:39 AM

    Hi Pavel,

    Sorry this doesn't look possible. As you've indicated, our true file type engine treats .zip and .jar as the same.

    The alternatives as I see them (not knowing your use case exactly, just ideas)

    Apply your policies to file types, for example;

    Don't search for source code in files with .zip or .jar files

    DO search for confidential tags in .zip or .jar files

    Or, let it log then;

    Under the Endpoint incidents filter out .jar files

    Advanced Filerers & Summarization > Add filter > File Name Does No Contain Ignore Case > jar

    Kind regards David



  • 3.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Posted Feb 07, 2013 07:25 AM

    Hi Pavel,

    u can exlude certain file types which are already defined in exception filetr of DLP. This u will get this in agent config setting in system tab. Also refer below

    https://www-secure.symantec.com/connect/forums/exclude-file-types-0https://www-secure.symantec.com/connect/forums/scan-engine-52-specific-file-exclusions-not-file-extensions-or-type

    https://www-secure.symantec.com/connect/forums/how-can-i-exclude-type-files-specific-directory

    https://www-secure.symantec.com/connect/forums/how-completely-exclude-optical-drive-scanning-file-contents-while-they-are-accessed

     



  • 4.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Feb 07, 2013 07:43 AM

    Hi David,

    Thank you for your hints. I have more extensively tested in 11.6.1 the proposed variant with file type policy filter using a USB device copying. Unfortunately:

    • Filtering using *.zip or *.jar is not effective, because the DLP Agent first extracts the files and than starts to scan the content itself.
    • What I understand from Sym. DLP Agent file filtering: The extraction phase is always processed and utilizes the client machine and steals time from the user. The filter itself is used only later during detection. Which means: user action is delayed, but no event is generated. That is nice, but does not help with performance.

    From my perspective, this is something the DLP Agent does not support currently. Some filtering rules happen too late in the extraction&detection process, so only limited performance gain is possible.

    Best Regards,

    Pavel



  • 5.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Feb 07, 2013 07:47 AM

    Hi,

    I know. But the filter applies only to the detection phase. Not to the extraction one. Tested on DLP Agent 11.6.1 with USB device copy.

    Best Regards,

    Pavel

     



  • 6.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Feb 07, 2013 09:03 AM

    Hi Pavel,

    I understand where you're coming from now, it's not necessarily the Policy triggering, rather the fact the user experience is impacted.

    I've seen a couple of reasons this could be in effect (these again are working thoughts of mine)

    1. make sure any endpoint protection solution isn't scanning files written to the DLP temp directory (sorry not got that to hand)

    2. the file size is the issue, the .jar or .zip file may unpack multiple other .jar or .zip files. Here the agent treats each .jar or .zip as a separate count - example the maximum file size for inspection is 30MB, each .jar or .zip is treated as a separate count.

    The only answer I can think of for the second point would be to reduce the maximum file size the DLP agent will inspect, see what happens if this is reduced to say 15MB, does this help?

    IncidentHandler.MAX_INCIDENT_FILE_SIZE.int

    I don't believe today there is a way to limit the files within the .zip to inspect to performance.

    Kind regards David



  • 7.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Feb 08, 2013 06:32 AM

    Hi David,

    Ad1.

    We do not have any endpoint protection in place. Only McAfee VirusScan. Could you please help me, what is the DLP temp directory? I have failed looking into documentation.

    Ad 2.

    Unfortunately, I have come to the IncidentHandler.MAX_INCIDENT_FILE_SIZE.int, and I have also tweaked Detection.FILTER_TIMEOUT.int to 5000 and Detection.MAX_DETECTION_TIME.int 10000 . It worked a little, but crapping sometimes the ability to detect without helping with the user experience much.

    And a *.jar file with many small classes inside will still fit most of the time and the only solution is, unfortunately, to skip all the *.zip files from extraction.

    So, thank you for your help, but there is no solution for now.

    Best Regards,

    Pavel

     



  • 8.  RE: How to skip *.jar monitoring, but retain *.zip on DLP Agent?

    Broadcom Employee
    Posted Feb 12, 2013 06:06 AM

    Hi Pavel,

    It's a shame these settings didn't resolve the situation.

    To answer your question, our recommendation is to remove DLP agent processess and files from anti malware/antivirus scanning, these include;

    The Agent installation folder at: C:\Program Files\Manufacturer\Endpoint Agent (temp folder is here as well)

    Executables
    (*) edpa.exe
    (*) wdp.exe
    (*) cui.exe
    (*) kvoop.exe
    (*) vfsmfd.sys
    (*) vrtam.sys

    This is covered in the System Requirements Guide 11.6.

    Personally I think your issue is a little more in depth, and will be best handled by our support group. I know they'll check this prior to proceeding, so well worth carrying out.

    Kind regards David