Data Loss Prevention

  • 1.  How to disable & remove DLP agents from Enforce console externally

    Posted Nov 23, 2020 04:13 PM
    Hello

    I would like to be able to disable DLP agent on an endpoint and remove dlp agent from the Enforce console, both - without using standard method - via Enforce console. Can this be achieved somehow? I checked API documentation, but it is mostly about incidents, not about the thing I want. 

    I need that because I have many computers to administer and I don't want to manually delete a few thousand computers in the console... As far as disabling DLP is concerned - I want to give Regional Support a temporary exception, so they can do backups/reimage with DLP disabled (if enabled, backup/reimage takes 8 hours instead of 1 like it used to be).

    thanks!


  • 2.  RE: How to disable & remove DLP agents from Enforce console externally

    Posted Nov 24, 2020 09:07 AM
    Removing or installing DLP agents cannot be done from the DLP Enforce console; use a software deployment solution such as ITMS (Symantec Software plugin), SCCM (MS), or SEP (Symantec), or Windows tools. However, you can disable DLP agents; read the Admin guide to learn how to manage DLP agents.
    DLP agents are tamper protected, and the only way to disable them is from the console, unless you want to manually run DLP agent tools and alter configuration. You can disable password protection to remove agents by users when creating agent installer packages. You can add any user to the console and give them permissions to disable agents, and you can organize agents by groups and potentially create a configuration with every channel disabled when needed.
    I would suggest checking the documentation for the ITMS suite (Symantec management platform) to better control the DLP agent. Read a document related to imaging a computer with the Altiris agent installed.
    How to properly image a computer with Notification Server Client (Altiris Agent) installed https://knowledge.broadcom.com/external/article/178717/how-to-properly-image-a-computer-with-no.html
    So in summary, you cannot accomplish what you need using DLP console.
    Good luck,
    A.C.


  • 3.  RE: How to disable & remove DLP agents from Enforce console externally

    Posted Nov 24, 2020 11:07 AM
    @Alvaro Cervantes - thank you for your reply. However things you suggested do not apply to my enterprise.

    I do not want to install another agent on endpoints (we have already too many). And - I do not want to accomplish above in the console (as it is possible, you can disable DLP agent using Enforce console, you can also remove agents from the console level as well).

    My idea was to do that externally, without a console, via script (if it has to connect to the Enforce console to gain permissions, that is ok). The thing is, I have around 40 000 computers to manage, some of them in time will be retired, decommissioned. But all of them will stay in the console as dead agents. And after some time, I will have to manually remove several thousand of them. Not from a computer (as it was shredded into pieces), but from the console itself.

    The second problem is, I want to disable the DLP agent temporarily and globally, without using Security Team resources, so again - in an automated way. Shutting down EDPA and WDP services is not an efficient way. And both services will be up after reboot.


  • 4.  RE: How to disable & remove DLP agents from Enforce console externally

    Posted Nov 24, 2020 12:29 PM
    The first part of your issue, deleting agents from the console. In order to delete agents from DB, you have to do it from the console, and I don't see an issue with this method; you can select 1000 agents at a time and delete. Potentially, you could set the IsDeleted flag on agents in the DB to as many as you wanted, but you will have to know which ones; you could create a query to select all Windows 7 machines, for instance. But, you could screw up your DLP and Symantec will not assist with that.
    Second part of your issue, disabling agents temporarily, that is not possible. Either you disable them, or not; you cannot disable an agent for a certain amount of time. You can potentially disable the Tamper protection in the Agent configuration from the console, then you can do whatever you want with registry settings. You could use the Agent tools as well to disable the agent, but I am not sure if you could run those commands as a script or GPO, that will be on you. Once tamper protection is disabled, then you could potentially change the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EDPA Start Reg_DWord to 4 (disabled); default is set to 2 (automatically).
    Note: Proceed at your own risk.

    Good luck,
    A.C.
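
Added example, not part of the thread and not Symantec tooling: a read-only PowerShell audit that reports the Start value and running state of the EDPA and WDP services named above, so agents left disabled after a maintenance exception can be found and re-enabled. The function name and the expected Start value for WDP are assumptions; the thread gives the default (2) only for EDPA.

```powershell
# Added example: read-only check, changes nothing on the endpoint.
# Service names EDPA and WDP are taken from the thread.
# Start values: 2 = automatic (EDPA default per the thread), 4 = disabled.
# CurrentControlSet is the link Windows maintains to the active control set
# (the thread quotes ControlSet001).
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-DlpServiceState {            # hypothetical name
    param(
        # Expected Start value per service; the WDP value is an assumption.
        [hashtable]$Expected = @{ EDPA = 2; WDP = 2 }
    )
    foreach ($name in $Expected.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null
        if (Test-Path -Path $key) {
            $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        }

        $svc     = Get-Service -Name $name -ErrorAction SilentlyContinue
        $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

        $label = $null
        if ($null -ne $start) { $label = $StartTypes[[int]$start] }

        # Classify: missing key, altered start type, or stopped service.
        if     ($null -eq $start)            { $finding = 'ServiceKeyMissing' }
        elseif ($start -ne $Expected[$name]) { $finding = 'StartTypeChanged' }
        elseif (-not $running)               { $finding = 'NotRunning' }
        else                                 { $finding = 'OK' }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Service   = $name
            Start     = $start
            StartType = $label
            Running   = $running
            Finding   = $finding
        }
    }
}

# Report every service whose state differs from the expected baseline.
Test-DlpServiceState | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

Run on a schedule or after a reimage window, any row returned marks an endpoint where the agent is not in its expected state.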


  • 5.  RE: How to disable & remove DLP agents from Enforce console externally

    Posted Nov 30, 2020 06:52 AM
    Thank you for your reply. This is still not what I wanted to achieve, but at least now I know what to expect. It is a pity that agents cannot be deleted automatically from the console (for instance after 6 months of no activity). Automation is future.

    As far as disabling agent is concerned. Again - thank you for your reply. Maybe we will try with settings you wrote about. But here again it would be useful to have an option to disable agent via script for multiple machines, as sometimes agent does not report to the console (so I can't do anything with it like disable, move to a group etc), but on the computer agent is still running... if a Regional Support has to re-image 100 computers and we can't communicate with affected machines (because they're turned off and stored somewhere), we can't disable DLP agent or remove tamper protection...

    thanks again



  • 6.  RE: How to disable & remove DLP agents from Enforce console externally

    Posted Mar 29, 2021 02:46 PM
    Hello Grzegorz,

    Did you happen to get the required script? I am facing a similar issue and need to remove dead agents from the console which have not been reporting for like last 90 days.

    I have seen such script running in an organization but unable to get further information.

    BR
    Atif


  • 7.  RE: How to disable & remove DLP agents from Enforce console externally

    Posted Mar 29, 2021 03:18 PM
    @M.Atif

    Unfortunately no, Symantec told me "use the console" and I did not dig this case further, I am not aware if API has such ability, but I doubt it has.