EMEA Data Loss Prevention User Group

I have found, that just simple removal of *.jar extension from Agent Configuration does not work. Because internally is JAR just a ZIP. DLP Agent stopped to monitor JAR's only after I had removed also the *.zip from the Monitoring Filter. But, this is not a good idea. Is there any possibility to tell DLP Agent to differentiate between JAR and ZIP?
Thank you.

Hi Pavel,

Sorry this doesn't look possible. As you've indicated, our true file type engine treats .zip and .jar as the same.

The alternatives as I see them (not knowing your use case exactly, just ideas)

Apply your policies to file types, for example;

Don't search for source code in files with .zip or .jar files

DO search for confidential tags in .zip or .jar files

Or, let it log then;

Under the Endpoint incidents filter out .jar files

Advanced Filerers & Summarization > Add filter > File Name Does No Contain Ignore Case > jar

Kind regards David

Hi Pavel,

u can exlude certain file types which are already defined in exception filetr of DLP. This u will get this in agent config setting in system tab. Also refer below

https://www-secure.symantec.com/connect/forums/exclude-file-types-0https://www-secure.symantec.com/connect/forums/scan-engine-52-specific-file-exclusions-not-file-extensions-or-type

https://www-secure.symantec.com/connect/forums/how-can-i-exclude-type-files-specific-directory

https://www-secure.symantec.com/connect/forums/how-completely-exclude-optical-drive-scanning-file-contents-while-they-are-accessed

Hi David,

Thank you for your hints. I have more extensively tested in 11.6.1 the proposed variant with file type policy filter using a USB device copying. Unfortunately:

• Filtering using *.zip or *.jar is not effective, because the DLP Agent first extracts the files and than starts to scan the content itself.
• What I understand from Sym. DLP Agent file filtering: The extraction phase is always processed and utilizes the client machine and steals time from the user. The filter itself is used only later during detection. Which means: user action is delayed, but no event is generated. That is nice, but does not help with performance.

From my perspective, this is something the DLP Agent does not support currently. Some filtering rules happen too late in the extraction&detection process, so only limited performance gain is possible.

Best Regards,

Pavel

Hi,

I know. But the filter applies only to the detection phase. Not to the extraction one. Tested on DLP Agent 11.6.1 with USB device copy.

Best Regards,

Pavel

Hi Pavel,

I understand where you're coming from now, it's not necessarily the Policy triggering, rather the fact the user experience is impacted.

I've seen a couple of reasons this could be in effect (these again are working thoughts of mine)

1. make sure any endpoint protection solution isn't scanning files written to the DLP temp directory (sorry not got that to hand)

2. the file size is the issue, the .jar or .zip file may unpack multiple other .jar or .zip files. Here the agent treats each .jar or .zip as a separate count - example the maximum file size for inspection is 30MB, each .jar or .zip is treated as a separate count.

The only answer I can think of for the second point would be to reduce the maximum file size the DLP agent will inspect, see what happens if this is reduced to say 15MB, does this help?

IncidentHandler.MAX_INCIDENT_FILE_SIZE.int

I don't believe today there is a way to limit the files within the .zip to inspect to performance.

Kind regards David

Hi David,

Ad1.

We do not have any endpoint protection in place. Only McAfee VirusScan. Could you please help me, what is the DLP temp directory? I have failed looking into documentation.

Ad 2.

Unfortunately, I have come to the IncidentHandler.MAX_INCIDENT_FILE_SIZE.int, and I have also tweaked Detection.FILTER_TIMEOUT.int to 5000 and Detection.MAX_DETECTION_TIME.int 10000 . It worked a little, but crapping sometimes the ability to detect without helping with the user experience much.

And a *.jar file with many small classes inside will still fit most of the time and the only solution is, unfortunately, to skip all the *.zip files from extraction.

So, thank you for your help, but there is no solution for now.

Best Regards,

Pavel

Hi Pavel,

It's a shame these settings didn't resolve the situation.

To answer your question, our recommendation is to remove DLP agent processess and files from anti malware/antivirus scanning, these include;

The Agent installation folder at: C:\Program Files\Manufacturer\Endpoint Agent (temp folder is here as well)

Executables
(*) edpa.exe
(*) wdp.exe
(*) cui.exe
(*) kvoop.exe
(*) vfsmfd.sys
(*) vrtam.sys

This is covered in the System Requirements Guide 11.6.

Personally I think your issue is a little more in depth, and will be best handled by our support group. I know they'll check this prior to proceeding, so well worth carrying out.

Kind regards David