Data Loss Prevention

  • 1.  Can DLP read/scan the outlook emails x-header?

    Posted Sep 24, 2015 10:46 AM

    Hello Guys,

     

    Do you know if Symantec DLP can read or scan keywords injected in the X-header of Outlook emails? I have a third-party soft which tags the email x-header after it's written, but the DLP seems not to be able to read such tags even with metadata ON in agent config and server settings.

     

    Thanks,



  • 2.  RE: Can DLP read/scan the outlook emails x-header?

    Trusted Advisor
    Posted Sep 25, 2015 07:25 AM

    hello morgado,

     

    Which DLP detection type are you using: endpoint or network (prevent or monitor)?

    If it is with endpoint, it is possible that the third-party software tags it after DLP analysis (could you share the name of the software?).

     

    If it is with a network detection server you should not have any issue, as you are able to access the full SMTP message. You could test it by adding a new policy which detects a dedicated keyword and then sending an email outbound with this email; you will be able to see the SMTP message in the DLP incident by using the "Open original message" link at the bottom of the incident detail page.

     Regards



  • 3.  RE: Can DLP read/scan the outlook emails x-header?

    Posted Sep 25, 2015 08:38 AM

    Hi Stephane,

    Using endpoint prevent. Well.. it could be after the DLP analysis, and to avoid that I tested sending emails to myself and then resending them outside corporate network (i.e.) or using mails tagged with x-header transferred to removable storage - of course with the proper detection: keyword match.

    The software used is the Boldon James Classifier.

     

    Thanks! 



  • 4.  RE: Can DLP read/scan the outlook emails x-header?
    Best Answer

    Posted Sep 25, 2015 08:40 AM

    Hi Morgado,

    It's working with Network detection.

    I create an eml with an X-header:

    X-Sender: thomas.le-parco-ext@sgcib.com
    X-Receiver: thomas.leparco@...
    X-Company: My Company
    MIME-Version: 1.0
    From: thomas.le-parco-ext@...
    To: thomas.leparco@...
    Date: 25 Sep 2015 14:33:48 +0200
    Subject: Test X-Header
    Content-Type: multipart/mixed; boundary=--boundary_0_92ff627c-a1d2-4b65-8436-3ad5469dbae8

    and drop it on DLP Network after creating a policy with a simple keyword:

    [Image: X-header.png]

    And there is an incident for it:

    [Image: X-header2.png]

    You could improve policy to first detect the X-header and then search for keyword.
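
The test described in the post above (an .eml with an X-header, dropped on a detection server that has a simple keyword policy) can be generated with a script; this is an added example, not part of the original thread or of either product. The header name `X-Test-Classification`, the addresses and both canary strings are constructed assumptions; using a different canary in the header and in the body shows which part of the message a policy matched.

```python
"""Build a DLP test .eml with one canary in an X-header and another in the body."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed values: the header name and both canary strings are assumptions.
TAG_HEADER = "X-Test-Classification"
HEADER_CANARY = "DLPHDRCANARY7F3A"
BODY_CANARY = "DLPBODYCANARY19C2"


def build_test_eml(header_canary=HEADER_CANARY, body_canary=BODY_CANARY):
    """Return raw message bytes with a distinct canary in the header and in the body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Test X-Header"
    msg[TAG_HEADER] = f"label={header_canary}"
    msg.set_content(f"DLP policy test message. {body_canary}\n")
    return msg.as_bytes()


def x_headers(raw):
    """List (name, value) for every X- header present in a saved message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(n, str(v)) for n, v in msg.items() if n.lower().startswith("x-")]


def locate_keyword(raw, keyword):
    """Report where a keyword occurs: ('header', name) or ('body', content type)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    needle = keyword.lower()
    hits = [("header", n) for n, v in msg.items() if needle in str(v).lower()]
    for part in msg.walk():
        if part.get_content_maintype() == "text" and needle in part.get_content().lower():
            hits.append(("body", part.get_content_type()))
    return hits


if __name__ == "__main__":
    raw = build_test_eml()
    with open("dlp_xheader_test.eml", "wb") as fh:
        fh.write(raw)  # file to submit to the detection channel under test
    print(x_headers(raw))
    print(locate_keyword(raw, HEADER_CANARY), locate_keyword(raw, BODY_CANARY))
```

Running `x_headers()` on a copy of the message saved from a given channel shows whether the tag was present in what that channel actually saw.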

     



  • 5.  RE: Can DLP read/scan the outlook emails x-header?

    Trusted Advisor
    Posted Sep 26, 2015 10:29 AM

    hi morgado,

     

    What I do when I am testing a new rule in a DLP policy is always add a very simple rule (one keyword like Testfor DLP) and add this specific keyword to my test (email or document).

    That way I am able to know if it is my new rule that is not working or any other technical issue, by checking if there is an incident and on which part of the message/document the policy has matched.

     

     regards



  • 6.  RE: Can DLP read/scan the outlook emails x-header?
    Best Answer

    Posted Sep 28, 2015 09:31 AM

    Hi there,

    The question does not concern the policy itself. It seems that the DLP Outlook add-in is not capable of analysing the string injected in the x-header at endpoint level (endpoint prevent), and therefore is not able to generate an incident or trigger a response rule when the email leaves the machine. I can see it's working on network channel/level.

    Thanks,

     



  • 7.  RE: Can DLP read/scan the outlook emails x-header?

    Posted Sep 29, 2015 05:21 AM

    It's weird because Boldon James Classifier indicates on its website that it's compatible with the Symantec DLP solution by using metadata...