New York Data Loss Prevention User Group

  • 1.  DAR scanning question

    Posted Mar 23, 2010 09:44 AM

     

    Good morning all,

    We have been scanning our servers to determine if certain data resides on them. Currently, the scan runs all files on the server and then returns the number of matches it found. In an effort to minimize the time it takes to scan all of our servers, we'd like to run the scan and as soon as a given number of matches is found, that particular server scan terminates and the scan moves onto the next server.

    We've reached out to support and they informed us that this is not an available feature in our current version - 8.1. We're upgrading to 9.0.3 next month and then to 10.x this summer. Does anyone who has already upgraded know if this functionality is in any of the newer versions? If not, any ideas as to an effective work-around?

    We've been running a work-around the last few weeks but we've encountered issues. We have six separate scans scheduled each night during the week to run in series on a given scanner. Each scan is scheduled to start, run 2 hours, then pause until the morning. 15 minutes later, the next scan kicks off (18:00 - 20:00, 20:15 - 22:15, 22:30 - 00:30 and so on).

    If we let the scans start and pause on their own, we run into the same problem every night. The 18:00 to 20:00 scan starts and pauses with no issue; the 20:15 scan then starts but never pauses as scheduled at 22:15. It ends up running all night and therefore none of the other scans start. In the morning, our scanning resource cannot stop the scan and gets the following error message:
    Failed to contact the scan manager. Make sure Vontu Monitor Controller service is running. I then have to log in as system administrator to restart the service for the resource to be able to stop the scan.

    However, if he logs into the system at 22:00 and manually pauses the scan and starts the next one, the remaining scans start and pause automatically as scheduled. He did this last week for 3 consecutive scanning nights and all worked just fine. The error has been consistent: every time he doesn't pause the scan manually at 22:00, it keeps running all night and the service needs to be restarted. I've looked at the logs and did not see any errors between 22:00 and 23:00.

    Any ideas/thoughts?



  • 2.  RE: DAR scanning question

    Posted Mar 23, 2010 03:43 PM

    In Symantec DLP version 10 there is a possibility to perform the action you are requiring. It is called "inventory scanning". You can create a Threshold in which after X incidents the system would go on to the next server/scanning target.

    Here is a snapshot:





    Here is the description in the documentation (Page 302 in the DLP Administration Guide):


    "Inventory Scanning Enter the number of incidents to produce before moving on to the next item to scan (a file share from the Scanned Content tab). To audit whether confidential data exists on a target, without scanning all of it, set up Inventory Mode for scanning. Setting incident thresholds can improve the performance of scanning by skipping to the next item to scan, rather than scanning everything.

    After the incident threshold has been reached, the scanning of this item is stopped, and scanning proceeds to the next item. Because the process is asynchronous, a few more incidents may be created than specified in the incident threshold.

    Select Content Root (the default), or Machine.

    The content root is one file share on the list from the Scanned Content tab.
    When the incident threshold is reached, the scan moves to the next file share.

    Select the Machine option to count by physical computer (from the specified shares on a computer).
    When the incident threshold is reached, the scan moves to the next item on the list to scan. If that item is on the same physical computer as the previous item, it is skipped.

    Note that the physical computer name must be literally the same, for the item to be skipped. For example, \\localhost\myfiles and \\127.0.0.1\myfiles are treated as different computers, even though they are logically the same."

    I have checked and this feature exists in Symantec DLP Version 9.1 as well; I do not know about older versions.

    Kind Regards,
    Naor Penso
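Added example, not Symantec's code or code from this thread: a small Python simulation of the inventory-mode threshold behaviour the quoted documentation describes, covering counting per content root versus per machine, the literal (non-normalised) host-name comparison, and the asynchronous overshoot, on constructed share and file data.

```python
from collections import defaultdict

# Constructed sample data: ordered scan targets (UNC shares) and, per share, the
# files on it with a flag saying whether that file would produce an incident.
SHARES = [
    (r"\\fs01\finance", [("q1.xlsx", True), ("q2.xlsx", True), ("notes.txt", False), ("q3.xlsx", True)]),
    (r"\\fs01\hr",      [("roster.docx", True), ("policy.pdf", False)]),
    (r"\\FS01\legal",   [("nda.docx", True)]),   # same host as fs01, but spelled differently
    (r"\\fs02\public",  [("readme.txt", False), ("cards.csv", True)]),
]

def machine_of(unc_path):
    """Host part of a UNC path, compared literally (no DNS or case normalisation),
    which is why \\localhost and \\127.0.0.1 count as different machines."""
    return unc_path.lstrip("\\").split("\\", 1)[0]

def inventory_scan(shares, threshold, mode="content_root", batch=1):
    """Simulate inventory-mode scanning over `shares`.

    Returns (files_scanned, incidents) as dicts keyed by share path, plus the
    list of shares skipped without being scanned. `batch` models the
    asynchronous detection pipeline: the threshold is only checked after each
    batch of files, so the incident count can overshoot the threshold.
    """
    counts = defaultdict(int)          # incidents per content root or per machine
    scanned, incidents, skipped = {}, {}, []
    for path, files in shares:
        key = path if mode == "content_root" else machine_of(path)
        if counts[key] >= threshold:   # machine mode: later shares on a saturated host
            skipped.append(path)
            continue
        scanned[path] = incidents[path] = 0
        for i in range(0, len(files), batch):
            for _, hit in files[i:i + batch]:
                scanned[path] += 1
                if hit:
                    incidents[path] += 1
                    counts[key] += 1
            if counts[key] >= threshold:
                break                  # stop this item, move to the next one
    return scanned, incidents, skipped

if __name__ == "__main__":
    for mode in ("content_root", "machine"):
        print(mode, inventory_scan(SHARES, threshold=2, mode=mode))
    print("batched overshoot", inventory_scan(SHARES, threshold=2, batch=4))
```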




  • 3.  RE: DAR scanning question

    Posted Mar 25, 2010 04:46 PM
    I have confirmed that this is available in 9.0.53.5 as well.