Data Loss Prevention


DLP Endpoint Prevent incidents don't contain the original file

  • 1.  DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 19, 2015 03:50 AM

    Hello,

    Is it possible to configure DLP Endpoint Prevent to make a copy of printed sensitive documents? If a user copies a sensitive document to removable storage, I can see/open the original file in the incident snapshot, but when a user prints the same file the snapshot doesn't contain the file. I configured a "retain original message" response rule for the detection rule which monitors the print protocol, but the file still isn't there.

    Thanks,

    Laszlo

     

     



  • 2.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 19, 2015 04:07 AM

    Hello,

     

    As far as I know it's not possible to retain the attachments if the protocol is print.

     

    Best regards,

     



  • 3.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 19, 2015 04:16 AM

    Hello,

    In the documentation I haven't seen any restriction about this.

     



  • 4.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 19, 2015 06:04 AM

    I agree. Just saying from my experience dealing with retention within response rules.



  • 5.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 19, 2015 06:15 AM

    I'm afraid that you are right, because other endpoint incidents contain the attachments without any response rule...



  • 6.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 20, 2015 08:24 AM

    Hello,

    Even if you put this response rule:

    [Image: Shadow.png]



  • 7.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 20, 2015 08:36 AM

    I have tried that, but still do not have the attachment in printer incidents.



  • 8.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Oct 30, 2015 02:35 AM

    Hello

    I want to discard the original message and attachments for the SMTP channel.

    Checked the Discard original message option, but it is still showing in incidents.

    But unable to, please help me out.



  • 9.  RE: DLP Endpoint Prevent incidents don't contain the original file
    Best Answer

    Trusted Advisor
    Posted Oct 30, 2015 12:38 PM

    Laszlo,

    There is currently no way to get printer incidents to save the attachments. This has been a request for a while, and I do not think it will happen.

    It will require a change to the drivers that the Endpoint uses.

    What I recommend is to increase the amount of "Matched" data to be shown in the Incident body. This way you will see more of what was around the match and go from there.

    Try to change the following settings and see if it helps.

     

    Increase Highlight Match Counting

    Edit the Manager.properties file in the config directory on the Enforce Server.

     

    ### Configuration for highlighting of violations on incident snapshots
    # The maximum number of highlights that are shown in a chunk.
    # If there are more than this number of highlights, then they are broken into separate chunks.
    com.vontu.manager.incidents.matches.maxHighlightsPerViolation=50
    # The maximum number of non-violating characters to show between highlighted violations in a chunk.
    com.vontu.manager.incidents.matches.maxCharactersBetweenHighlights=1000
    # The maximum number of non-violating characters to show before the first highlight in a chunk
    # or after the last highlight in a chunk.
    com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights=100

     

    Good luck!!

    Ronak

    PLEASE MARK AS A SOLUTION IF POSSIBLE
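
A way to confirm which highlight values a hand-edited Manager.properties will actually yield, added here as an example (not part of the post above and not Symantec tooling). It assumes simplified Java properties syntax, and the sample text with its values 200 and 500 is constructed.

```python
import re

HIGHLIGHT_KEYS = (
    "com.vontu.manager.incidents.matches.maxHighlightsPerViolation",
    "com.vontu.manager.incidents.matches.maxCharactersBetweenHighlights",
    "com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights",
)
# Simplified Java .properties syntax: "key=value" or "key: value" lines,
# "#"/"!" comment lines skipped, line continuations not handled.
_LINE = re.compile(r"^\s*([^#!\s=:][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")

def effective_highlight_settings(text):
    """Return ({key: int}, [problems]) for the three highlight keys."""
    seen, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m or m.group(1) not in HIGHLIGHT_KEYS:
            continue
        key, value = m.groups()
        if key in seen:  # Java keeps the last assignment it reads
            problems.append(f"line {lineno}: {key} repeated; last value wins")
        seen[key] = (lineno, value)
    settings = {}
    for key in HIGHLIGHT_KEYS:
        if key not in seen:
            problems.append(f"{key} is missing or commented out")
            continue
        lineno, value = seen[key]
        if not value.isdigit():
            problems.append(f"line {lineno}: {key}={value!r} is not a whole number")
            continue
        settings[key] = int(value)
    return settings, problems

# Constructed sample: one key set twice, one left commented out after an edit.
SAMPLE = """\
### Configuration for highlighting of violations on incident snapshots
com.vontu.manager.incidents.matches.maxHighlightsPerViolation=50
com.vontu.manager.incidents.matches.maxHighlightsPerViolation = 200
com.vontu.manager.incidents.matches.maxCharactersBetweenHighlights=1000
#com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights=500
"""

if __name__ == "__main__":
    settings, problems = effective_highlight_settings(SAMPLE)
    for name, number in settings.items():
        print(f"{name} = {number}")
    for problem in problems:
        print("WARNING:", problem)
```
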



  • 10.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Trusted Advisor
    Posted Oct 30, 2015 12:43 PM

    Heathu,

    In order to NOT collect the original message for SMTP incidents you will need to create a response rule to do so and then associate it to the policy.

    Keep in mind that this will ONLY remove the capability of clicking on the attachment name or the link at the bottom of the incident to see the files or the original message.

    See the attachment on how to configure it...

     

    Good Luck

    Ronak

     

    PLEASE MARK AS A SOLUTION IF POSSIBLE



  • 11.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Nov 10, 2015 07:37 AM

    Thanks Ronak,

    I'll try that.

    Laszlo



  • 12.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Posted Nov 12, 2015 08:17 AM

    Hi Ronak,

    We've checked this policy again and imagine that we can open the file from the Endpoint/Print-Fax incident snapshot.

    I've attached a screenshot of the incident (I removed some fields because of sensitive data, but this is surely an Endpoint Printer/Fax incident). If we click on the Body icon, the file can be opened. Another strange thing is that all of the files in this kind of incident are PDFs.

    Any idea how it is possible?

    Laszlo

     

     

     



  • 13.  RE: DLP Endpoint Prevent incidents don't contain the original file

    Trusted Advisor
    Posted Nov 12, 2015 10:16 PM

    I think this has to do with the fact it is a PDF file. This may have been a file printed to a PDF printer.

    So the print spool engine will need to process the whole file and save it as a PDF file. 

    I would check if this is a small file as opposed to a large file.

    I am not sure if the number of pages or size of the file will have an effect on it.

     

    Test it out and see.

     

    Ronak