Data Loss Prevention


Complete Process of Deploying and Enabling of Endpoint FlexResponse plug-in 

Jan 17, 2014 02:48 AM

Symantec Data Loss Prevention provides a set of response rule actions that you can specify to remediate an incident. These provided actions include logging, sending an email, blocking an end-user action, notifying a user, and other responses.

You can also use Endpoint FlexResponse plug-ins to provide additional response actions. These plug-ins contain custom instructions for remediation actions that are executed on endpoint computers. Endpoint FlexResponse rules are only applicable to Automated Response rules. You cannot create Endpoint FlexResponse rule actions for Smart Response rules.

Symantec Data Loss Prevention customers can contact Symantec or Symantec partners to obtain Endpoint FlexResponse plug-ins. In addition, developers with knowledge of the Python programming language can create custom Endpoint FlexResponse plug-in scripts using a Symantec-provided API. These custom remediation actions can include encryption, applying Digital Rights Management (DRM), or redacting confidential information.

You use the Endpoint FlexResponse utility to deploy Endpoint FlexResponse plug-ins on endpoint computers in your Symantec Data Loss Prevention deployment where you require Endpoint FlexResponse actions. You can deploy the plug-ins manually using the Endpoint FlexResponse utility, or you can use system management software (SMS) to distribute the utility and deploy the plug-ins. After you deploy an Endpoint FlexResponse plug-in on an endpoint computer, you use the Enforce Server administration console to add an Endpoint: FlexResponse action to a response rule, and then you add the response rule to an active policy.

The figure below (Flexresponse.PNG), Endpoint FlexResponse plug-in process, shows the sequence of activities that result in an Endpoint FlexResponse action.

[Figure: Flexresponse.PNG - Endpoint FlexResponse plug-in process]

Endpoint FlexResponse provides you with additional flexibility to remediate incidents. When you first install Endpoint Prevent, you have a fixed set of response rule actions available to use. By installing Endpoint FlexResponse plug-ins, you can remediate incidents in a variety of ways. For example, these additional remediation methods could include encryption, applying Digital Rights Management (DRM), or redacting confidential information (which are available separately from Symantec partners). After you install an Endpoint FlexResponse plug-in, you can then configure a response rule to perform the desired function.

Note: Contact a Symantec partner or Symantec sales representative to obtain Endpoint FlexResponse plug-ins.

You can use Endpoint FlexResponse rules on the following types of endpoint destinations and protocols:


■ Endpoint Discover
■ Hard drive monitoring
■ USB-connected devices
■ SMTP
■ HTTP(S)

 

After you have installed the Endpoint FlexResponse plug-in, you can add it as a response rule action in your policy.

Note: Endpoint FlexResponse rules are only applicable to automatic response rules. You cannot create Endpoint FlexResponse rule actions for manual remediation policies.

You can create credentials for the Endpoint FlexResponse plug-ins. These credentials can be endpoint-specific, or they can apply to all of your detection servers. You can use credentials to assign specific users access to the remediated data.

Deploying Endpoint FlexResponse

Procedure Step 1: Obtain the Endpoint FlexResponse plug-in. Contact a Symantec partner or Symantec sales representative. Endpoint FlexResponse plug-ins are not available with the default Symantec Data Loss Prevention installation.

Procedure Step 2: Configure any Endpoint credentials on the Enforce Server. This step is optional.

Procedure Step 3: Deploy the plug-in to your endpoint computers using the FlexResponse utility and third-party systems management software (SMS). The rest of this section explains how to deploy Endpoint FlexResponse plug-ins on endpoint computers.

You can deploy Endpoint FlexResponse plug-ins to endpoint computers only after you have installed the Symantec DLP Agents. See the Symantec Data Loss Prevention Installation Guide for information on how to install the agents. Endpoint FlexResponse plug-ins must be installed on your endpoint computers; an Endpoint FlexResponse response rule cannot operate on an endpoint where the plug-in is not installed. Use a silent installation method to install the Endpoint FlexResponse plug-in. Silent installation methods involve systems management software (SMS), which can distribute software to all of your endpoint computers. You may need to create SMS scripts to access the installation folder. Installing the Endpoint FlexResponse plug-in is a two-part process:

Part 1: Install the Endpoint FlexResponse plug-in and the FlexResponse utility on your endpoint computers.

Before you can deploy your Endpoint FlexResponse plug-in, the endpoint computers in your organization must first be able to access the plug-in .zip file. You can either place the plug-in .zip file on a central network share, or you can copy the file onto each endpoint computer. If you use the central network share method, you must ensure that all of your endpoint computers can access the network share. Because the plug-in is code that the agent executes on every endpoint, keep write access to that share limited to the staff who deploy plug-ins, so that the endpoints can read the .zip file but cannot replace it. Use the following procedure if you want to copy the plug-in .zip file onto each endpoint computer. This procedure only describes how to make the plug-in .zip file available; after the file is in place, you must still deploy it.

See your SMS application's documentation for more information on how to install software using SMS.

To install Endpoint FlexResponse plug-ins

1 In your systems management software package, specify the plug-in(s) that you want to install.

2 Specify the installation parameters such as the installation directory. Plug-ins can be installed anywhere on the endpoint computer because they are deployed to the correct Symantec DLP Agent database later.

3 Specify the msiexec properties.

4 Install the FlexResponse utility to all of your endpoint computers as well. The FlexResponse utility is only available through Symantec and Symantec partners.

Part 2: Load the Endpoint FlexResponse plug-in using the FlexResponse utility.

The Endpoint FlexResponse utility manages Endpoint FlexResponse plug-ins. The Endpoint FlexResponse utility is not part of the default Symantec Data Loss Prevention download. The utility is only available through Symantec or Symantec partners.

Endpoint FlexResponse plug-ins must be in a .zip package format. You cannot deploy the plug-ins if they are in any other format.
You must use the utility from the Symantec DLP Agent installation tools directory.

To load Endpoint FlexResponse plug-ins
1 From a command window, navigate to the Symantec DLP Agent installation tools directory, which contains the utility: <Agent installation directory>\flrinst.exe
2 Enter the following command: flrinst.exe -op=install -package=<Plug-in name>, where <Plug-in name> is the name of the plug-in .zip file.
3 Repeat step 2 until you have loaded all of your plug-ins.
4 Using your SMS application, remove the utility from your endpoint computers.
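The loading procedure above, driven from a script, as an added example that is not Symantec code. It stages each plug-in .zip on the endpoint, verifies the file's SHA-256 against the value you recorded when the package was received (an added supply-chain check, not a page requirement), runs flrinst.exe -op=install for each package, and finishes with -op=list so the result can be confirmed. Only the -op= and -package= flags documented on this page are used; the manifest format, the staging directory, and the `runner` seam are assumptions of this example.

```python
"""Added example (not Symantec's code): a small driver for loading Endpoint
FlexResponse plug-ins with flrinst.exe. Only the -op= and -package= flags
from the page are used; manifest layout, staging directory and the `runner`
seam are assumptions."""
import hashlib
import os
import shutil
import subprocess
from pathlib import Path

# The four operations the page documents for flrinst.exe; nothing else is guessed.
OPS = ("install", "uninstall", "retrieve", "list")


def flrinst_path(agent_dir):
    """flrinst.exe is run from the Symantec DLP Agent installation tools directory."""
    return os.path.join(agent_dir, "flrinst.exe")


def build_command(agent_dir, op, package=None):
    """Return the argv for one flrinst.exe invocation, e.g.
    [<agent_dir>\\flrinst.exe, -op=install, -package=<Plug-in name>]."""
    if op not in OPS:
        raise ValueError("unknown flrinst operation: %s" % op)
    argv = [flrinst_path(agent_dir), "-op=%s" % op]
    if op != "list":
        if not package:
            raise ValueError("-op=%s requires -package=<Plug-in name>" % op)
        argv.append("-package=%s" % package)
    return argv


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_plugin(src, staging_dir, expected_sha256):
    """Copy a plug-in package locally and verify it. The .zip-only rule comes
    from the page; the digest check is an added safeguard, because the plug-in
    is code the agent will execute on every endpoint."""
    src = Path(src)
    if src.suffix.lower() != ".zip":
        raise ValueError("plug-ins must be .zip packages: %s" % src.name)
    dest = Path(staging_dir) / src.name
    shutil.copy2(src, dest)
    actual = sha256_file(dest)
    if actual != expected_sha256.lower():
        dest.unlink()  # never leave an unverified package on the endpoint
        raise ValueError("SHA-256 mismatch for %s: got %s" % (src.name, actual))
    return str(dest)


def install_plugins(agent_dir, manifest, staging_dir=None, runner=subprocess.run):
    """manifest: {path_to_plugin_zip: expected_sha256}. Installs every plug-in,
    then lists what the agent has loaded. Returns (commands_run, list_output).
    `runner` is subprocess.run in production; the demo injects a fake."""
    staging_dir = staging_dir or agent_dir
    commands = []
    for src, digest in manifest.items():
        local = stage_plugin(src, staging_dir, digest)
        argv = build_command(agent_dir, "install", local)
        commands.append(argv)
        proc = runner(argv, capture_output=True, text=True)
        if proc.returncode != 0:  # stop at the first failure instead of half-loading
            raise RuntimeError("flrinst install failed for %s (rc=%s): %s"
                               % (local, proc.returncode, proc.stderr))
    argv = build_command(agent_dir, "list")
    commands.append(argv)
    proc = runner(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("flrinst list failed (rc=%s)" % proc.returncode)
    return commands, proc.stdout


def demo():
    """Constructed sample run: an empty .zip and a fake runner that records
    argv instead of executing flrinst.exe. Returns (commands, tampered_rejected)."""
    import tempfile

    class _Completed:  # minimal stand-in for subprocess.CompletedProcess
        returncode, stdout, stderr = 0, "", ""

    def fake_run(argv, **kwargs):
        return _Completed()

    with tempfile.TemporaryDirectory() as share, tempfile.TemporaryDirectory() as agent:
        src = os.path.join(share, "nsplugin_example.zip")
        with open(src, "wb") as f:
            f.write(b"PK\x05\x06" + b"\x00" * 18)  # a valid empty zip archive (constructed)
        tampered_rejected = False
        try:
            stage_plugin(src, agent, "0" * 64)  # wrong digest must be refused
        except ValueError:
            tampered_rejected = True
        commands, _ = install_plugins(agent, {src: sha256_file(src)}, runner=fake_run)
    return commands, tampered_rejected


if __name__ == "__main__":
    for argv in demo()[0]:
        print(" ".join(argv))
```

The digest is computed on the copy that sits on the endpoint, not on the share, so a package swapped on the share after it was recorded, or modified in transit, is deleted before flrinst.exe ever sees it. The same `build_command` helper produces the uninstall, retrieve and list invocations described later on this page.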

Procedure Step 4: Enable Endpoint FlexResponse actions on your Enforce Server. Before you can use Endpoint FlexResponse plug-ins in your response rules, you must enable Endpoint FlexResponse functionality through the Enforce Server. By default, Endpoint FlexResponse functionality is not enabled. Enable Endpoint FlexResponse functionality through the Advanced Agent Settings.

To enable Endpoint FlexResponse functionality
1 Go to: System > Agents > Agent Configuration and open the configuration for editing.
2 Click the Advanced Agent Settings tab.
3 Find the PostProcessor.ENABLE_FLEXRESPONSE.int setting.
4 Change the setting to 1.
5 Click Save and Apply.

Uninstalling Endpoint FlexResponse plug-ins using the FlexResponse utility

Use the following procedure to uninstall Endpoint FlexResponse plug-ins from your endpoint computers:

To uninstall Endpoint FlexResponse plug-ins from endpoint computers
1 Using a command prompt window, navigate to the Symantec DLP Agent installation tools directory, which contains the utility: <Agent installation directory>\flrinst.exe
2 Enter the following command: flrinst.exe -op=uninstall -package=<Plug-in name>, where <Plug-in name> is the full path to the plug-in and the name of the plug-in .zip file.
3 Repeat step 2 until you have uninstalled all of the plug-ins.

Retrieving an Endpoint FlexResponse plug-in from a specific endpoint computer


Use the following procedure to retrieve a specific plug-in from an endpoint computer.

You can only use the retrieve function on a single endpoint computer at a time. The plug-in appears in the Symantec DLP Agent installation directory
as a .zip file. Inside the .zip file is the plug-in in a .txt format. You can make edits to the plug-in in the .txt file. If you do make edits, you must re-deploy the plug-in to the endpoint computer before the edits take effect. Modified plug-ins only affect the individual endpoint computers where they were modified.
To retrieve an Endpoint FlexResponse plug-in from a specific endpoint computer:

1 On the endpoint computer, open a command prompt window.
2 Navigate to the Symantec DLP Agent installation tools directory, which contains the utility: <Agent installation directory>\flrinst.exe
3 Enter the following command: flrinst.exe -op=retrieve -package=<Plug-in name>, where <Plug-in name> is the name of the plug-in .zip file.
4 Look in the Symantec DLP Agent installation directory for a .txt file that has the same name as the plug-in.

Retrieving a list of Endpoint FlexResponse plug-ins from an endpoint computer

Use the following procedure to retrieve a list of the plug-ins that have been installed on a specific endpoint computer. You can only use the list function on individual endpoint computers, not on a set of endpoint computers. The list contains only the name of each plug-in package; it does not contain any description of the plug-ins. It is recommended that you use descriptive names for your plug-ins so that you can recognize them within the list.

To retrieve the list of Endpoint FlexResponse plug-ins from an endpoint computer
1 On the endpoint computer, open a command prompt window.
2 Navigate to the Symantec DLP Agent installation tools directory, which contains the utility: <Agent installation directory>\flrinst.exe
3 Enter the following command: flrinst.exe -op=list
The list of installed Endpoint FlexResponse plug-ins appears in the command prompt window.

Procedure Step 5: Add Endpoint FlexResponse actions to your policies.

For more information, see the following article:

https://www-secure.symantec.com/connect/articles/dlp-policy-block-uploading-file-type-web-httphttps

Comments

Sep 30, 2016 09:02 AM

I just ran through this again, this time on v14.5. I had a couple of quirks that I thought I would describe here in case it helps someone else.

First, I needed the 14.5 flrinst.exe file, which makes sense. The 11.5 file I used on 12/12.5 produced a "Cannot read keystore" error when attempting to install the plugin.

 

Second, I have all 64 bit machines and so I tried to use the nsplugin_flexresponse_x64 package. Though this package would install, DLP would return a "remediation failed (1)" message. The operationlogs\flexresponse0.log file claimed a total success, but there was no encryption. Once I installed the nsplugin_flexresponse package (presumably 32bit), the encryption initiated from the DLP console succeeded on the endpoint.

 

One thing to note also is that by default the response rule has two ACL parameters (admin = local_user, group_admin = <0xkeyid>). The PGP NetShare ACL on the file will only actually include that key if the public key exists on the local machine's keychain. Not a big deal if there is an org ADK in place, but without an ADK, the local user will be the only one who can decrypt the file.

 

Mar 12, 2014 05:46 AM

Endpoint FlexResponse utility (flrinst.exe) is not available to customers on FileConnect.

Customers should contact Symantec Sales or a Symantec Partner in order to obtain the Endpoint FlexResponse installer. This information is clearly mentioned in the Admin guides of versions 11, 11.1 and 11.5.

Viewing extended log files:
The logdump.exe tool lets you view the extended log files for Symantec DLP Agents. Extended log files are hidden for security reasons. Generally, you only need to view log files with Symantec Data Loss Prevention support personnel. Without this tool, you cannot view any Symantec DLP Agent log files.
To run the log dump tool
◆ From the Symantec DLP Agent installation directory, run: logdump -log=log_file [-p=password]
where log_file is the log file you want to view and password is the specified tools password. All Symantec Data Loss Prevention extended log files are present in the Symantec DLP Agent installation directory. The files have names of the form edpa_extfile_number.log. After you run this command, you can see the de-obfuscated log. From this view, you can print the contents of another log.


To print the contents of another log
1 From the command window, run: logdump -log=log_file -p=password > deobfuscated_log_file_name
2 Enter the password again to print the log.


ActionResult:

The ActionResult class enables you to set metadata about the remediation action of the plug-in. The implementation of the Execute() method in the plug-in code must return an ActionResult object, which encapsulates the remediation status. The values you set in this class display in the Incident History tab when you view the Incident details in the Enforce Server administration console. When you use the setRemediationStatus() method to set a value of 1 to indicate that the remediation failed, the Incident Details portion of the Incident page displays the Agent Response as "FlexResponse Error".

For example, the following code returns a successful remediation:

    import dlpdata  # Symantec-provided module that defines ActionResult

    def Execute(incident, config, environment, logger):
        ...  # remediation logic elided in the original
        result = dlpdata.ActionResult()
        result.setRemediationStatus(0)  # 0 = remediation succeeded
        result.setRemediationLocation("local file system")
        result.setRemediationDetailResult("File was encrypted")
        return result

The following code returns an unsuccessful remediation:

    import dlpdata

    def Execute(incident, config, environment, logger):
        ...  # remediation logic elided in the original
        result = dlpdata.ActionResult()
        result.setRemediationStatus(1)  # non-zero = remediation failed ("FlexResponse Error")
        result.setRemediationLocation("local file system")  # not displayed when the status is non-zero
        result.setRemediationDetailResult("failed to encrypt file")
        return result

1] setRemediationStatus(Int):
Sets one of the following values in the implementation of the Execute() method:

■ 0—indicates that the remediation was successful. Displays in the Incident history summary with the label FlexResponse Action Successful. The text that the script sets with the setRemediationDetailResult() method displays below the heading.

■ non-zero—indicates that the remediation was not successful. Displays in the Incident history summary with the label FlexResponse Action Failed. The text that the script sets with the setRemediationDetailResult() method displays below the heading.

2] setRemediationLocation(String):

Sets a string value that indicates the location where the remediation took place. When the remediation is successful, displays in the Incident history summary under the heading FlexResponse Remediation Location. Does not display if the remediation failed.

3] setRemediationDetailResult(String):

Sets a string value that describes the remediation activity. Displays in the Incident history summary under the heading FlexResponse Action Successful or FlexResponse Action Failed. Also displays in the incident list, with a red "x" icon for failed remediations and a green "check" icon for successful remediations.
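The ActionResult contract described in the comment above, as an added example that is not part of the original post and not Symantec code: a complete Execute() entry point that redacts a text file and maps success, the number of matches, and any exception onto the 0 / non-zero status the console displays, so a failing plug-in reports its cause instead of a bare "FlexResponse Error". The Execute() signature and the three setters come from the page. How a plug-in locates the file to remediate is not on the page, so this example assumes the response rule passes it as a parameter named `target_file` in `config` (treated as dict-like); `incident`, `environment` and `logger` are accepted but unused. When the `dlpdata` module is absent (outside the agent), a minimal stand-in with the same three setters is defined so the file runs on its own.

```python
"""Added example (not Symantec's code) of the Endpoint FlexResponse
ActionResult contract: Execute() redacts a text file and returns status 0,
or status 1 with a detail string when anything goes wrong.
ASSUMPTION: the target path arrives as config["target_file"]; the real
accessor is not documented on this page."""
import os
import re

try:
    import dlpdata  # provided by the DLP Agent's FlexResponse runtime
except ImportError:  # stand-in with the page's three setters, for running outside the agent
    class dlpdata:
        class ActionResult:
            def __init__(self):
                self.status = self.location = self.detail = None

            def setRemediationStatus(self, value):
                self.status = value

            def setRemediationLocation(self, value):
                self.location = value

            def setRemediationDetailResult(self, value):
                self.detail = value

STATUS_OK, STATUS_FAILED = 0, 1  # 0 = success, non-zero = failure (page)

# Constructed sample patterns; a real plug-in would take these from the policy.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def redact_text(text):
    """Mask every match; return (new_text, number_of_replacements)."""
    total = 0
    for label, rx in PATTERNS.items():
        text, n = rx.subn("[REDACTED-%s]" % label, text)
        total += n
    return text, total


def redact_file(path):
    """Rewrite `path` in place via a temp file and os.replace, so a crash
    midway never leaves a half-written document. Returns the match count."""
    with open(path, "r", encoding="utf-8") as f:
        cleaned, count = redact_text(f.read())
    if count:
        tmp = path + ".redact.tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            f.write(cleaned)
        os.replace(tmp, path)
    return count


def _result(status, detail, location=None):
    result = dlpdata.ActionResult()
    result.setRemediationStatus(status)
    result.setRemediationDetailResult(detail)
    if location is not None:  # the console does not show it on failure anyway
        result.setRemediationLocation(location)
    return result


def Execute(incident, config, environment, logger):
    """Entry point the agent calls. Every exception becomes status 1 plus a
    detail string, so the incident shows the cause rather than a bare error."""
    try:
        path = config["target_file"]  # ASSUMPTION, see module docstring
        count = redact_file(path)
        return _result(STATUS_OK,
                       "redacted %d match(es) in %s" % (count, os.path.basename(path)),
                       "local file system")
    except Exception as exc:  # FileNotFoundError, PermissionError, UnicodeDecodeError, ...
        return _result(STATUS_FAILED, "redaction failed: %s" % exc)


def demo():
    """Constructed sample: a file with a fake SSN and card number, run through
    the success path and then the missing-file failure path."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write("Employee 123-45-6789 paid with 4111 1111 1111 1111.\n")
        ok = Execute(None, {"target_file": path}, None, None)
        with open(path, encoding="utf-8") as f:
            cleaned = f.read()
        failed = Execute(None, {"target_file": os.path.join(d, "missing.txt")}, None, None)
    return ok, cleaned, failed


if __name__ == "__main__":
    ok, cleaned, failed = demo()
    print(ok.status, ok.detail, "|", cleaned.strip(), "|", failed.status, failed.detail)
```

The detail string carries the match count on success and the exception text on failure; both end up under the FlexResponse Action Successful / Failed heading in the incident history, which is the only place an analyst can see why a plug-in did what it did without pulling the agent's extended logs.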

 

Mar 11, 2014 11:20 AM

I've done all of this and am seeing an error.

"[nsplugin_flexresponse] Failed to encrypt. Interal Error = -11984 (Remediation Status = 1)"

 

I also found a log file on the Endpoint in c:\program files\manufacturer\endpoint agent\operationlogs\FlexResponse0.log. This log file appears to be encrypted. I can't read it, which may or may not help me fix this issue.

 

Questions:

1. How can I read the log?

2. Is there a specific version of the flrinst.exe file that I would need with DLP 12? I happen to have the flrinst.exe with a product version of 11.5.05030

3. If I do need a newer version of flrinst.exe, where do I get it?

Feb 18, 2014 06:33 PM

Best article I've seen so far. Does anyone know the password for flrinst.exe? I've tried "VontuStop" but I'm wondering if Symantec has changed the password on version 12.

 

Thanks

Jan 20, 2014 04:16 AM

Hi,

Nice and helpful article. Can you please explain Procedure Step 5 step by step for my better understanding, so I can add Endpoint FlexResponse actions to my policies?

Thanks,

princeashish
