Data Loss Prevention


DLP 12.5 Endpoint Agent Stops Triggering any Incidents after deploying HIPAA and HITECH (including PHI) policy 

Sep 03, 2014 03:13 PM

Problem Statement: DLP 12.5 Endpoint Agent stops triggering any incidents after deploying the HIPAA and HITECH (including PHI) policy. The agent triggers incidents again as soon as HIPAA and HITECH (including PHI) is disabled.

Solution:

  1. Enable IE channel in agent configuration if not already enabled.

  2. Trigger any policy using Internet Explorer.

  3. Set logging level to FINEST on an agent using agent management task.

  4. De-obfuscate edpa_ext logs on the endpoint agent using agent tool logdump.exe

    logdump.exe -log=edpa_ext0.log -p=<password> > c:\edpaclean.txt

    The edpa_ext0 logs can be found in the agent install directory.

  5. You will see error messages similar to the following in the de-obfuscated logs:

    09/03/2014 18:26:54 |  2120 | FINEST  | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST    {90C4C6F0-7CA5-44AA-8DF0-95E240F3BE0C}  09/03/2014 12:56:54  [

    Request Id #1767

    Detection Request Details :

                    Session Command : Session Open Request

                    Session Id : {EE1CC0E7-C8DD-442D-9DED-F19B59C696E9}

                    Request Type : Data In Motion Request

     

    Dim Detection Request Details :

                    Process Id : 7640

                    Process Path : \Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe

                    Application Name : Microsoft Internet Explorer

                    User : <username>

                    Domain : <domain>

                    Time Stamp : 09/03/2014 12:56:54

                    Dim Event Type : HTTP(S)

     

    HTTP(S) Details :

                    URL : <url>

     

    Network Info Details :

                    Source IP : <IP>

                    Source Port : 63816

                    Source Domain :

                    Destination IP : <IP>

                    Destination Port : 80

                    Destination Host Name : <domain>

    ]

    09/03/2014 18:26:54 |  2120 | FINE    | UI.UIProxy      | Received a Detection Request message (req#1767).

    09/03/2014 18:26:54 |  2120 | FINER   | UI.UIProxy      | Request message for user:<domain\username>

    09/03/2014 18:26:54 |  2120 | FINE    | UI.UIProxy      | Request type: DIM_EVENT_HTTP

    09/03/2014 18:26:54 |  2120 | FINER   | UI.UIProxy      | Added a detection request to the current transaction.

    09/03/2014 18:26:54 |  2120 | FINE    | UI.UIProxy      | Scan message dropped.

     

    09/03/2014 18:26:54 |  4116 | WARNING | GlobalDataIdentifierMatcher | Condition [-501] will not be evaluated because Identifier [[Identifier:51, Breadth:101]] could not be found

  6. Edit the HIPAA and HITECH (including PHI) policy.
  7. Recreate each condition that uses Randomized US Social Security Number (SSN) Data Identifier by first deleting the condition and saving the policy, and then creating the condition to use Randomized US Social Security Number (SSN) Data Identifier and saving.
  8. Trigger any policy using Internet Explorer and you should see incidents on the console.
  9. Reset the logging level, and revert IE channel configuration in the agent configuration.

 

PS: While this procedure uses IE for testing, the test can be done using any endpoint agent channel. You will still see corresponding errors in the logs.
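As an added example, not part of the original article: a small Python script that scans a de-obfuscated edpa_ext0 log for the two symptoms shown above, the UI.UIProxy "Scan message dropped." entries and the GlobalDataIdentifierMatcher warning, and pulls out the condition, identifier and breadth numbers so you can see which data identifier reference is broken. The sample log lines are constructed from the entries quoted above, and the record layout "timestamp | thread | level | component | message" is assumed from them.

```python
import re

# Constructed sample of de-obfuscated edpa_ext0 log lines, modelled on the
# entries quoted in the article (not a real capture).
SAMPLE_LOG = """\
09/03/2014 18:26:54 |  2120 | FINE    | UI.UIProxy      | Received a Detection Request message (req#1767).
09/03/2014 18:26:54 |  2120 | FINE    | UI.UIProxy      | Request type: DIM_EVENT_HTTP
09/03/2014 18:26:54 |  2120 | FINER   | UI.UIProxy      | Added a detection request to the current transaction.
09/03/2014 18:26:54 |  2120 | FINE    | UI.UIProxy      | Scan message dropped.
09/03/2014 18:26:54 |  4116 | WARNING | GlobalDataIdentifierMatcher | Condition [-501] will not be evaluated because Identifier [[Identifier:51, Breadth:101]] could not be found
09/03/2014 18:27:10 |  2120 | FINE    | UI.UIProxy      | Received a Detection Request message (req#1768).
"""

# One record: timestamp | thread id | level | component | message (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \|\s*(?P<thread>\d+) \|\s*"
    r"(?P<level>[A-Z]+)\s*\| (?P<component>\S+)\s*\| (?P<msg>.*)$"
)
# The warning the article ties to a condition whose data identifier cannot be resolved
MISSING_ID_RE = re.compile(
    r"Condition \[(?P<condition>-?\d+)\] will not be evaluated because "
    r"Identifier \[\[Identifier:(?P<identifier>\d+), Breadth:(?P<breadth>\d+)\]\] could not be found"
)

def parse_log(text: str) -> list[dict[str, str]]:
    """Parse log text into records; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def find_missing_identifiers(text: str) -> list[dict[str, str]]:
    """One finding per condition whose data identifier could not be found."""
    findings = []
    for rec in parse_log(text):
        if rec["level"] != "WARNING" or rec["component"] != "GlobalDataIdentifierMatcher":
            continue
        m = MISSING_ID_RE.search(rec["msg"])
        if m:
            findings.append({"ts": rec["ts"], **m.groupdict()})
    return findings

def count_dropped_scans(text: str) -> int:
    """Count detection requests the UI proxy dropped without scanning them."""
    return sum(1 for rec in parse_log(text)
               if rec["component"] == "UI.UIProxy" and rec["msg"] == "Scan message dropped.")
```

Run it over the output file produced by logdump.exe (c:\edpaclean.txt in the procedure above); a non-empty result from find_missing_identifiers tells you which condition to recreate in step 7.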
