Data Loss Prevention


 How to exclude Symbolic Links from DLP Discover scanning?

Straffin posted Jun 09, 2021 09:52 AM
Hello!

We've got a folder on a Discover Target that contains a recursive Symbolic Link that sends the DLP scan down a never-ending rabbit hole until it errors out with TOO_MANY_CONSECUTIVE_ERRORS. This solution *can't* be the only way to get around this as it suggests specifying "a file which contains all the files that the scanner should scan". We're scanning an NFS export of a multi-PETAbyte NAS...listing the files to actually be scanned would be impossible to maintain and would result in a list of (TENS of? HUNDREDS of?) MILLIONS of files. Is there no way to simply tell the scanner to ignore Symbolic Links?
Trusted Advisor DLP Solutions
Straffin,

Congrats, you have found one of the biggest issues with scanning Linux/Unix. Sym links have been an issue since version 6, and when I even worked at Vontu.

There unfortunately is no simple way to fix this other than NOT allowing it to do a recursive scan of a top path.
Best option is to list out EACH directory and put that into the Scan target.

Use your awesome command line skills and run the "LS" command to output all of the directories into a txt file and C/P it to the scan target.
When you add them to the Target you can specify the DEPTH to scan.

\\share\marketing,,,1

This actually is a better way of doing a scan in my mind, because when you run reports based on the Scanned Path, it will show you EACH directory as a separate target path. Easier to report and triage. 

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-8/discover-targets-vont_0180-d263e198/setting-up-and-configuring-v15915326-d263e427/adding-items-to-scan-v23020681-d263e4629.html
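The directory-list approach from the reply above, written out as an added example (not code from this thread, from Symantec, or from the linked documentation): a POSIX shell script that enumerates the first-level directories of a mounted export, drops anything that is a symbolic link, and prints one target line per directory in the `path,,,depth` layout shown in the reply. The mount path, the depth value, and the fact that the list is generated from a Linux host where the NFS export is mounted are assumptions; the sample tree with a self-referencing link is constructed inside the script so it runs offline. The `[ -L ]` test is what keeps a link out of the target list, and `find -type l` gives whoever reviews the scan scope a record of what was excluded.

```shell
#!/bin/sh
# Added example, not from the thread or from Symantec DLP.
# Builds a DLP Discover scan-target list of real first-level directories
# under a mount point, skipping symbolic links so a recursive link never
# becomes a target path. Target line layout "path,,,depth" is taken from
# the reply above; the mount path and depth are assumptions.
set -eu

# Print one "<dir>,,,<depth>" line per non-symlink first-level directory.
# The trailing-slash globs match directories and links to directories;
# dot-directories are covered by the second glob, "." and ".." are skipped.
make_scan_targets() {
    root=$1
    depth=$2
    for dir in "$root"/*/ "$root"/.*/; do
        dir=${dir%/}
        case ${dir##*/} in .|..) continue ;; esac
        [ -e "$dir" ] || continue      # unmatched glob left as a literal
        [ -L "$dir" ] && continue      # symbolic link: exclude from targets
        printf '%s,,,%s\n' "$dir" "$depth"
    done
}

# List every symlink under the root, at any depth, so the exclusions are
# visible for review. find does not follow links unless told to (-L), so
# this cannot loop on a recursive link.
list_symlinks() {
    find "$1" -type l | LC_ALL=C sort
}

# Constructed sample tree: two real directories, a link inside "finance"
# that points back at its own ancestor (the loop the thread describes),
# and a first-level link to another directory.
build_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/export/marketing" "$base/export/finance/2021"
    ln -s .. "$base/export/finance/2021/loop"
    ln -s "$base/export/marketing" "$base/export/marketing_link"
    printf '%s\n' "$base/export"
}

# Stand-alone run: print the target list, then the excluded links.
demo() {
    root=$(build_sample_tree)
    echo "# scan targets"
    make_scan_targets "$root" 1
    echo "# symbolic links found (excluded)"
    list_symlinks "$root"
    rm -rf "${root%/export}"
}

demo
```

Run it as `sh script.sh` to see the two target lines and the two links; point `make_scan_targets` at the real mount with the depth you want, and redirect its output to the file you paste into the target.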
Straffin
"Use your awesome command line skills and run the "LS" command to output all of the directories into a txt file and C/P it to the scan target."
...
"This actually is a better way of doing a scan in my mind, because when you run reports based on the Scanned Path, it will show you EACH directory as a separate target path. Easier to report and triage."

I'm guessing you missed the part where I stated that this was a multi-petabyte NAS and that such a list, even of only directories, would be hundreds-of-thousands of entries. Even if the DLP Interface could handle adding that many scan targets (which I sincerely doubt), it would need to be manually updated every scan. Hardly a sustainable solution...