Data Loss Prevention

  • 1.  Symantec DLP: Endpoint Agent Configuration (Web-browsers)

    Posted Nov 05, 2013 09:38 AM

    In Symantec Data Loss Prevention there is a great opportunity to configure Agent Configuration for Endpoint. Among other options there are web-browser checkboxes. The question is: what kind of policies will work if these checkboxes are checked?

    E.g. I have a DCM policy that is based on file type (e.g. PowerPoint). The policy doesn't block anything, and in the endpoint Agent Configuration the options are checked as in the screenshot.

    Agent.JPG

    When I copy the .pptx file to USB flash storage, the incident is generated; if I try to send the same file as an attachment using Gmail, it doesn't generate any incidents.

    Please share your insight on the problem above. I'd also appreciate a short list of examples of what has worked for you in this particular type of scenario (when the Agent Configuration is configured with all items checked in the Web section).



  • 2.  RE: Symantec DLP: Endpoint Agent Configuration (Web-browsers)

    Posted Nov 05, 2013 11:34 AM

    Hi UFO

    For the first question, if you are just monitoring then DCM, VML, IDM and EDM will work (two-tier detection for IDM and EDM). If you wish to respond (notify or block) we only support DCM and VML policy rules (single-tier detection on the agent itself).

    IE (HTTPS) and Firefox (HTTPS) install a small plugin into the browser in order to get visibility of the secure traffic. Browser versions are critical - an older DLP agent will not work with the new browser versions. For example, IE 8 support came in agent version 11. IE v9 support came in 11.6.3.

    The release notes for your version should provide supported browser versions.

    If you are on a supported browser for your agent, can you try:

    • sending via a website other than Gmail
    • sending over HTTP

    This at least will narrow down the possible issues.

    Steve Randall



  • 3.  RE: Symantec DLP: Endpoint Agent Configuration (Web-browsers)

    Posted Nov 06, 2013 02:56 AM

    Steve, thank you for the detailed response. I didn't know about the browser plugin. I am testing different DCM scenarios right now and will come back with the results later. My SDLP version is 12.



  • 4.  RE: Symantec DLP: Endpoint Agent Configuration (Web-browsers)

    Posted Nov 06, 2013 05:06 AM

    Quick question: is there any way to validate that the browser plugin has been installed successfully? Does a healthy agent state mean that the plugin is OK too?



  • 5.  RE: Symantec DLP: Endpoint Agent Configuration (Web-browsers)

    Posted Nov 18, 2013 03:44 AM

    I have one idea why this scenario is not working. It is probably the AV software settings. I will check the rules for AV and report back then. If you have any suggestions on particular settings for AV (it is SEP 12), please let me know.

    So far I will whitelist:

    • folder: C:\Program Files\Manufacturer\Endpoint Agent 
    • edpa.exe
    • wdp.exe 
    • cui.exe
    • kvoop.exe
    • vfsmfd.sys
    • vrtam.sys