Data Loss Prevention


How to detect traffic

  • 1.  How to detect traffic

    Posted 05-17-2016 11:08 AM

    Hi All, is a major web-based email service in China. Using Endpoint Prevent and Network Monitor licenses (DLP 14.0.1), we are only able to see the traffic on Network Monitor, but we can't detect or block anything at the Endpoint level.

    So the question is, do you have any idea how to block and detect protected data exchanged with ? The Process Monitor doesn't show the website invoking any process besides IE or Chrome (the browsers used for testing).

    Any input is welcome.




  • 2.  RE: How to detect traffic

    Posted 05-17-2016 04:45 PM

    Hi Morgado. Nice to see you after a while (unless I may have missed a post or two from you recently).

    What if you create a log-only policy applied to all endpoint detection servers and configure it to:

     - log all traffic for both (a) HTTP and (b) HTTPS protocols

    Do you not see the traffic, even though Process Monitor logs the traffic as Chrome/IE?

    My best guess is that Application Monitoring is not enabled in the policy, or maybe not turned on in the configuration/application monitoring settings, and the traffic is passing through Chrome, an unsupported version of a different browser, or even IE.

    I suggest:

     - Check the System Requirements guide for 14.0.1 (page 53 of 63). IE 11 and Chrome up to 50 are already supported, so Application Monitoring would not come into the picture in that case. However, if you are trying with Edge or a version of Chrome beyond v50, the Application Monitoring feature might need to be turned on.


  • 3.  RE: How to detect traffic

    Posted 05-18-2016 08:36 AM

    Hi Leadvue. I've been busy finding and dealing with new DLP version bugs :)

    Thanks for the tip. I will give it a try.

    I do not have the AFA activated yet due to the poor performance of some apps when they are monitored. I was counting on the native v14 web monitoring (IE, Chrome, HTTP...) to do the job. I can't understand why it detects the traffic at endpoint level for all the websites tested to date and not for

    By the way, I'm using IE11 and Chrome 50.


    Update: it seems the web traffic is monitored using IE11 (I created a policy only logging the activity of ), but anyway the content uploaded is not caught. The exact same web upload is then detected on the network, which leads me to think that it can't be encrypted.




  • 4.  RE: How to detect traffic
    Best Answer

    Broadcom Employee
    Posted 05-23-2016 11:10 AM

    Unfortunately, our DLP cannot detect by default.

    The use a Flash add-on to upload the attachment of the email, which is used to speed up the file upload process. This upload uses a kind of encryption that our DLP cannot decrypt.

    By using Wireshark to capture the packets during the mail send by , you will find that the attachments are all stream data whose content the DLP cannot detect.

  • 5.  RE: How to detect traffic

    Posted 06-13-2016 12:14 PM

    Thank you Yang,


    Any idea if Symantec will be able to address this "issue" in the near future?