Data Loss Prevention

  • 1.  agent config path variables

    Posted Jun 15, 2020 10:56 AM
    Hello, we are using v15.7; been using since v14.6.  My question is regarding Endpoint Agent configuration Channel filters.  I want to update the paths to ignore for detection based on incidents I've seen.
    In the admin guide it focuses on paths to "monitor" but is vague on "ignore" paths so I'm not sure if the rules are the same.
    My question is, does the character "*" at the end of an entry signify a wildcard meaning any subfolder or is it just a poor choice by the vendor for entry delimiter?
    If it is a wildcard I can improve my settings; if not then I'll leave as is. I've attached a screenshot.


  • 2.  RE: agent config path variables

    Broadcom Employee
    Posted Jul 01, 2020 07:30 PM
    I've been searching through our help guides and see they don't answer your question specifically, but I've always understood (given the default filters) that the * character is a wildcard meaning that it is inclusive with any subfolder within the path you specify.  Since your post was made a couple of weeks ago, I want to inquire if you've already tested the filter changes you had in mind, and if the results came out as you were expecting.

    Don't forget that anytime you make modifications to the agent configuration, you must also update the agent group so that the new configuration rolls out to the agents.  This is done under System > Agents > Agent Groups.


  • 3.  RE: agent config path variables

    Posted Jul 07, 2020 09:35 AM
    It's ironic because the out-of-box default setting uses redundant entries then.  See the two above for "$localappdata$".
    Thanks


  • 4.  RE: agent config path variables

    Broadcom Employee
    Posted Jul 09, 2020 01:15 PM
    Thanks for pointing out the multiple entries including $localappdata$.  While these might appear redundant, note that one of the entries includes the ".." (double-dot) in the path, meaning it is looking at the relative path for the parent directory of $localappdata$.  To illustrate, try this in a command prompt on a Windows workstation... Type "cd %localappdata%", then hit enter to see the path change in the command prompt respective to your user account.  Now type "cd %localappdata%\.." and you'll see the command prompt change to the parent directory of what we saw from the first command.


  • 5.  RE: agent config path variables

    Posted Jul 09, 2020 02:01 PM
    What witchery is this?? LOL.  I'll have to brush up on my DOS I guess, but it's still redundant, no?
    %localappdata% = C:\Users\me\AppData\Local  (this includes many sub-directories including temp) 
    %localappdata%\..\Temp\* = C:\Users\me\Appdata\local\Temp\*


  • 6.  RE: agent config path variables

    Broadcom Employee
    Posted Jul 09, 2020 02:38 PM
    %localappdata%\..\Temp\* = C:\Users\me\AppData\Temp\* (since the ".." took it to the parent directory of %localappdata%, so "Local" is no longer part of the path).  On my workstation, this path actually doesn't exist, so I believe this most likely is a carryover from older DLP versions.  In fact, I found a DEV ticket in the system going back to 2009 where the new filter "$LocalAppData$\..\Temp\*" was mentioned as a replacement for the older filter "%USERPROFILE%\Local Settings\Temp\*"
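
An added example, not part of the thread and not vendor code: a small Python audit that expands ignore-filter entries, collapses ".." the way the `cd` test above does, and reports which entries are already covered by a broader one. It assumes a trailing `\*` means "any subfolder" (the understanding given in reply 2, not documented behavior); the variable values and the `$LocalAppData$\*` entries are constructed samples.

```python
import ntpath  # Windows path semantics, works on any OS

# Constructed sample values; on an endpoint these resolve per user.
VARS = {"localappdata": r"C:\Users\me\AppData\Local",
        "userprofile": r"C:\Users\me"}

def expand(entry, variables=VARS):
    """Substitute $name$ / %name% tokens (case-insensitive), then collapse '..'."""
    out = entry
    for name, value in variables.items():
        for token in (f"${name}$", f"%{name}%"):
            idx = out.lower().find(token)
            if idx != -1:
                out = out[:idx] + value + out[idx + len(token):]
    return ntpath.normpath(out)

def folder_of(entry):
    """Folder prefix of an entry ending in '\\*', or None if it has no wildcard."""
    path = expand(entry)
    return path[:-2].lower() if path.endswith("\\*") else None

def covers(broad, narrow):
    """True if everything `narrow` would ignore is already ignored by `broad`."""
    b = folder_of(broad)
    if b is None:
        return False
    n = folder_of(narrow) or expand(narrow).lower()
    return n == b or n.startswith(b + "\\")

def redundant(entries):
    """(narrow, broad) pairs where one entry is subsumed by another."""
    return [(n, b) for i, n in enumerate(entries)
            for j, b in enumerate(entries) if i != j and covers(b, n)]

if __name__ == "__main__":
    filters = [r"$LocalAppData$\*",                     # constructed
               r"$LocalAppData$\Temp\*",                # constructed
               r"$LocalAppData$\..\Temp\*",             # quoted in the thread
               r"%USERPROFILE%\Local Settings\Temp\*"]  # quoted in the thread
    for f in filters:
        print(f"{f:40} -> {expand(f)}")
    for narrow, broad in redundant(filters):
        print(f"redundant: {narrow} is covered by {broad}")
```

Running the same check over an exported filter list also shows how much of a profile each ignore entry removes from detection, which is worth reviewing before widening a wildcard.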