Video Screencast Help

DLP Email Images

Created: 23 Aug 2012 | 9 comments

Hi All-

I am trying to create a policy to look for images and media files being sent out via email. I have the policy configured except I can't seem to find a way to exclude a certain image (our company logo) by name or anything. Has anyone been able to do this? Any suggestions?


Comments 9 CommentsJump to latest comment

DLPguyNJ's picture

-If it is an .EMF, .PIC, .TIFF, or .WMF file you have the ability to leverage IDM technology to do an exact match.

-You can use the metadata for a specific group of identified company logo approved files

-Or you can make the file name of a specific file an exception and then tell the employees within your company that the chosen file can be used in their emails.

Do those suggestions help? If you have questions about how to implement post back. If not, reply back and mark this as the solution, thanks.

SMyer's picture

I have the name of the image for our logo (and a couple of others that are common, but I can't figure out how to make an exception out of that. I created the exception on the bottom of the policy, but even when I added the name of the image it was still catching on the policy rules. Mind you, our logo name is image001.jpg (not so great for exceptions, but I am just trying to get a policy going).

DLPguyNJ's picture

make an Exception > File Properties > Message Attachment or File Name Match

Does that work for you?

stumunro's picture

DLP guy is correct in this, i have used it in a lab for testing it works.

stephane.fichet's picture


I do it often (for network monitor policies) and it works quite fine (DLP v11.1.2) :

- add an exception in the policy

- select file name exclusion

- enter your name file (avoid as much as you can joker because it is sometimes interpreted as a caracter)

- save

Does your message still matching on this image or on something else ? If it still doesnt work for you, you can post some screen copy of your policy and incident then we can have a deeper look at it.

other suggestion for exception :

When you define an exception on an image  take care to exclude only the matched component (upper part of exception definition) and not full message (this is the default value for file name exclusion).

If you are little bit paranoid, you can compund this exception rule using file size (to be sure it is your  company logo) and file type (to be sure no one rename an excel file) , so it can avoid than some people knowing this exception name their file image001.jpg. if you are definitely ready to be mister paranoiac, you can have a look at the binary part of your file and select two different set of bytes in the middle of the file then create a custom script (yes guy i am paranoiac :) )

DLPguyNJ's picture

@stephane.fichet - paranoia is healthy in this line of work, looking into the binary and making a custom script is a very in depth solution. How would you implement that script?

@SMyer - I believe that your best bet is using an IDM based on the information you have given us so far. Do you have experience with IDMs? You will have to use the 100% matching, but that seems to be what you are aiming for anyway.

stephane.fichet's picture

You have first to active Custom File Type Signature (you can find howto do that in DLP admin guide as i did it few months ago and dont remember how. I think i have updated something in properties files). Then when you will create a Policy and add a detection rule you will have a new type of rule "Custom file type signature" available.

Then to define your "script" check DLP Detection_Customization_Guide, it is a short PDF which describe quite well how to define this type of script. contact me if you want more details and some example but DLP doc give some that are well explained.

DLPguyNJ's picture

@stephane.fichet - Ok, i have you the custom file type signature tools and currently take advantage of that capability. When you mentioned "script" it made me think of something completely different, thanks for the clarification.

SMyer's picture

Thank you all so much for that! I was able to tune out our logo but now I am still getting hits for every other logo from other businesses. Is there any way to tune out something that is actually in the body of the email? I have it set to only look for attachments but it seems to think that a logo in a signature is an attachment.