Data Loss Prevention

I have upgraded my agents to 11.5 and I have now started seeing issues with the agents locking IE up at random times or when someone will copy and paste something. I pulled the logs for a particular agent but I am not quite sure what this means. I am actually getting a lot of complaints about systems since the upgrade from 11.1 to 11.5

Some of the techies have realized that by doing an end process on edpa.exe that whatever was locked up all of the suddent unfreezes and then the watchdog kicks in and restarts the service. Has anyone else seen this behaviour yet?

02/27/2012 11:03:51 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\2412146037034179.VEP
02/27/2012 11:03:51 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\2412146037034199.VEP
02/27/2012 11:03:51 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\2412146037034211.VEP
02/27/2012 11:03:53 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\3400479030034277.VEP
02/27/2012 11:03:53 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\3400479030034309.VEP
02/27/2012 11:03:53 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\3400479030034325.VEP
02/27/2012 11:03:54 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\3400479030034342.VEP
02/27/2012 11:03:57 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\1721274717034498.VEP
02/27/2012 11:03:57 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\1721274717034536.VEP
02/27/2012 11:03:57 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\1721274717034556.VEP
02/27/2012 11:03:57 |  3780 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\1721274717034571.VEP

How many agents have you upgraded?

Do you see the same problem exists in all of the agents or any particular one?

Hello Syed, sorry I did not reply back. Right now most of my company is upgraded to 11.5 and I have not seen the issue since the upgrade. Now I do have one user that is having this issue where when I pull the logs on his machine I see a ton of these errors....

3/27/2012 13:40:01 |  3496 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\391629156706588864.VEP
03/27/2012 13:40:01 |  3496 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\315914869206588878.VEP
03/27/2012 13:40:01 |  3496 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\315914869206588893.VEP
03/27/2012 13:40:02 |  3496 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\315914869206588906.VEP
03/27/2012 13:40:02 |  3496 | WARNING | DetectionRequestAddTask | Metadata contains invalid content length 0 for file C:\Program Files\Endpoint\Endpoint Agent\temp\315914869206588922.VEP

I did not paste all of it but you can get an idea from here. I have pulled the logs on several other machines including mine and it is only this guys machine. I do not have EDM on and the user claims that when issues occur he is opening google chrome and it locks chrome up. He has to go in task manager and end edpa.exe and as soon as he does chrome becomes responsive. I do not have a policy to monitor chrome. Just really odd as I am not sure what exactly these warnings mean.

Any help is appreciated.

Hi Mike,

As syed asked, How much agents u have upgraded?

Also tell me, is your all DLP components(enforce, email prevent etc.) is upgraded?

Please check first is there any conflict or compatibility issues within the all components of DLP.

Let me know the status.

Regsrds

Kishorilal

Hi Mike,

Try adding Google Chrome and see what results do you get

Follow the steps on how to add

For this example, we'll use Google's Chrome browser (chrome.exe)

To do this, you'll need to add the Chrome executable into the Application Monitoring through the Enforce web console.

First login to the Enforce web console and go to System > Agents > Application Monitoring

Look for an application entry labeled "Chrome or Google Chrome".  If you do not see an entry for Google's Chrome, click "Add Application"

Fill out the "Name" field.  Use something to descibe the application, such as "Google Chrome".

Also fille out the "Original Filename" field.  This field is the executable filename for the application you would like the endpoint to monitor.

For chrome, you would enter "chrome\.exe".  Note the \ before the .exe and that this is required in the filename for any executable.

Next select the following options that apply under "Application Monitoring Configuration"

• Network Access
• Print/Fax
• Send to Clipboard
• Filesystem Activity

Now click "Save" and you have completed adding firefox to application monitoring for the endpoint agent.

Just to note, you can also use this process to add in other applications such as Google's Chrome web browser.

For Firefox specifically, there's one last thing to configure.  In the Enforce web console, go to System > Agents > Agent Configuration

Click on the configuration that's currently setup for your endpoint agents.  Note, if you have multiple configuration, this will need to be configured in each agent configuration.

hi Mike,

Which IE version u r using, since symantec DLP ver 11 onwards , it does not support old IE() before IE 6.). I think ur IE is old ver so crashes. try to ues as Syed suggested or upgrade current IE 8 onwards.

Hey Syed, the logs that I recently pulled from were from a desktop running Windows XP and agent 11.5.0 and I did have chrome.exe in the application monitoring list but I have no policy using it.

The computer I pulled the logs from the user is using chrome saying his computer is locking up and when he ends edpa.exe chrome then unlocks.

I have removed monitor application file access and see what goes on.

Hi Mike,

Was this agent upgraded from older version to new one (11.5) or was this the fresh installation of agent 11.5?

If it was from in-place upgrade then request you to uninstall the agent and freshly install the new agent 11.5 as the other agents doesnt have any problem reporting the similar issue.

Hope for the best result otherwise I will research and will get back to you on this tomorrow.

Mike,

Please check your endpoint prevent config/policies. As these policies or endpoint config are blocking/monitoring the web protocols, thats why when you kill the services its working.chek the below two things

1)Endpoint config for monitoring

2)Policies applied for endpoint protocols.

UPDATE: ok so far I did go ahead and do a clean uninstall and reinstalled the 11.5 and the logs look much better now.

It is a bit strange since the user was on 11.1 before and our script we used to upgrade the clients was to uninstall the old and install the new. Maybe something somewhere became confused. They are windows machines so.....

But after looking at the new logs I feel comfortable to say this is resolved.

Thanks everyone.

Hi Mike,

I'm glad that the issue got resolved :)