Data Loss Prevention

Hi All,

We are using Symantec DLP 15 in a test environment. There are 2 policies being tested on endpoints. The channels being tested are as can be seen in the image Removable Media, Copy, Paste, Outlook. All channels except for Outlook are being successfully monitored and policy being applied by DLP Endpoint Agent. Only in case of Outlook (Version 2013) when we upload senstive attachments or write sensitive content in body of the email there is no incident being generated i.e Endpoint Agent does not monitor it.

Then for testing, we changed the setting of Microsoft Outlook in Application Monitoring to following,

So that content being read in Outlook should be monitored however after testing it there is still no monitoring being done by the Endpoint Agent.

Then lastly, we changed the setting of Microsoft Outlook in Application Monitoring to following,

Now, incase of attachments of sensitive information the Endpoint Agent monitors and applies the policy. However still when we write the sensitive content in the body of the subject it is not monitored and email is sent.

What we need to understand is when to use,

a) Only Enable Outlook Checkbox in Agent Configuration

b) Enable Read in Application File Access, Application Monitoring

c) Enable Write in Application File Access, Applicaition Monitoring

Thanks !

Muhammad,

You may want to make sure that the agent did install correctly. You should look at the Endpoint Agent events in the console.

You should see that it did initialize the Outlook hooks when the laptop reboots.. you will see the same for the Browser hooks too.

You may see an error that it failed for Outlook.. if thats the case then that is the issue.

Make sure to reboot the laptop.

Otherwise try to re-installing the agent. Make sure to "run as Administartor" when you install it. 

Good Luck

Ronak

PLEASE MAKRED SOLEVED WHEN POSSISBLE

Hi Ronak,

I uninstalled the DLP Agent 15 and then confirmed that the Agent Configuration had the Outlook Check Box ticked and then downloaded the Agent Package and Installed the DLP Agent 15. I searched the term outlook but couldnt find any mention of it in relation to hooks. The Agent was installed using PowerSheel (Administrator). Emails have been sent with confidential keywords and attachments. What should I check further ? 

The Agent Configuration has Outlook checked. The Application File Access is unchecked.

The Application Monitoring Profile for Microsoft Outlook has been reverted to Default Settings.

[Edit]

Found the following from the edpa_ext0.log from the EndpointAgent folder.

06/07/2018 11:33:46 |  4952 | INFO    | Clipboard.ClipboardConnector | Reloading
06/07/2018 11:33:46 |  4192 | INFO    | Outlook.OutlookConnector | Reloading
06/07/2018 11:33:47 |  4192 | SEVERE  | Outlook.OutlookConnector | CancelInstallActions: failure | [SYMRESULT 0x80010203]
06/07/2018 11:33:47 |  4192 | SEVERE  | Outlook.OutlookConnector | Error during shutdown. Error Code: 0x80010203
06/07/2018 11:33:47 |  4192 | SEVERE  | Outlook.OutlookConnector | Plugin manager shutdown failed. Error Code:2147549699

Although the Events Page in Enforce UI is not showing any Outlook Related Events for Endpoint Agent.

What could be the possible reason for OutlookConnector plugin failing ?

Hello! Were you able to get this resolved? I opened a ticket with Symatnec a week ago. They asked for logs and told me they would review and get back with me ASAP. Unfortunately, I still can't get the plug-in (otlk.dll) to load in Outlook.

Thanks!

I'm running into a similar scenario with Endpoint Prevent v15 MP1. I worked with Symantec tech support last week. We uninstalled and reinstalled the agent. I've provided logs to Symantec as well. They told me they would review my logs and get back with me. That was a week ago today. Although I've contacted the support rep via email, updating the ticket and voicemail, I've yet to receive an update from them.

Based on the troubleshooting with the support rep, the otlk.dll is not loading for some reason. They mentioned it could be GPO settings or Registry restrictions that are not allowing the dll to load in Outlook.

So frustrating. The documentation is limited for the Outlook plug-in and support is disappointing me once again.

Should I get a response from Symantec, I will post the response here.

Thanks!

Hello, the issue has not yet been resolved. Thank you for offering to share the solution you get from Support and if before that I have a solution, I will post that. Thank you !