Video Screencast Help

DLP Image printing

Created: 28 Jun 2011 | 13 comments
Polunin Sergey's picture

Hello,

We're planning to use symantec dlp to monitor print jobs, no blocking is required.

In our test environment everything works fine, except printing images (jpeg, bmp, etc).

The IDM profile is ok - word, excel and other documents are detected correctly, but not images. What can be wrong? Can't find any limitations in product's manual.

Comments 13 CommentsJump to latest comment

xlloyd's picture

Hi Polunin,

How are you trying to identify the picture? What is your detection rule like?

~Xavier

If this post has helped you, please vote up or mark as solution
Polunin Sergey's picture

Well, I've tried many ways:

- by IDM. I've created Profile with many files including my pictures.

- by Attachment/File Type. I've selected Bitmap, JPEG, Portable Network Graphics etc.

- by Attachment/File Name. Match *.bmp, *.jpg, *.jpeg.

Tried to combine them and seperate - nothing works.

It's strange because incidents with copying them to usb flash drives work perfectly, it's just print jobs that are not detected.

xlloyd's picture

Hmm, that really is strange. I'm going to set it up myself and try it out.

If this post has helped you, please vote up or mark as solution
xlloyd's picture

The agent catches the incident if I select Printer/Fax for protocol...but once I select Filetype picture.

I think I figured out the issue. I think that detecting on print jobs only does so based on content being printed, not the name of the file being printed. So it'd work if you do Excel, Word, PDF, etc because those all contain text that you're matching against your IDM database...not file names.

I'm sure that if you were to try to attach a picture to an email, then it'd catch it because attachement is being done on either the file itself, or its contents. Print only matches against what exactly is being printed. All this is just supposition, mind you, but I can't think of anything else 'cause I set it up and the same thing happens with me. I'll test again if I come up with any ideas.

If this post has helped you, please vote up or mark as solution
Polunin Sergey's picture

This looks like a breach - i can get a confidential document, copy/paste it to mspaint and then safely print without being detected.

xlloyd's picture

That's why you'd monitor the clipboard to prevent copy/paste of text and disable print screen to prevent taking a screen shot wink

Hmm strange...I'm almost sure there was a way to disable print screen. I'm looking for it now but I can't find it =/

If this post has helped you, please vote up or mark as solution
xlloyd's picture

I guess the sys admin would have to get a bit extreme and disable print screen on all devices.

I actually dug up an idea I posted last year about this exact same thing:
https://www-secure.symantec.com/connect/idea/dlp-a...

And here's a post about preventing print screen (it's long but read to the end)
https://www-secure.symantec.com/connect/forums/how...

If this post has helped you, please vote up or mark as solution
Mohammed Mazher's picture

I don't think DLP has capabilites to monitor images- not there yet- :)

xlloyd's picture

True, but if they can protect the data from even becoming an image then it'd be a good start. That's where controlling the print screen feature comes in =] (...or at least should come in if I could find it)

If this post has helped you, please vote up or mark as solution
Lippi's picture

 

 

 

Print/fax jobs cannot currently be blocked based on the file name, size or type except for PDF. This is because the original file name is not always reported directly to the agent by the print driver.

I recommends that you create policies to block print jobs based on the contents of the file, instead of its name.

 

Att,

Lippi

UFO's picture

Making up the testing environment for this case. It seems an interesting one.
Guys, when saying that DLP does not block images printing do you base this statement on some document by Symantec? Or was it only your personal experience. If there's a problem - we should test it all over, report to Symantec (like xllod's ideas for example), and find some workarounds for that until it gets fixed by Symantec. Agree?

STS: DLP

Polunin Sergey's picture

I'm in a conversation with techsupport right now, so i guess i'll get an official statment for this case soon.

Polunin Sergey's picture

Finally, https://kb1-vontu.altiris.com/article.asp?article=54665&p=5

 

Article ID: 54665

Detecting images with print/fax on Endpoint

 

Applies To

 • Endpoint Prevent 11.0
• Vontu Endpoint Prevent Endpoint Prevent

 

Problem Summary

 Why am I not able to detect images while printing?

 

Solution

 The print fax prevention feature can only intercepts text data. It intercepts text data at application level itself before it is rasterized and sent for printing.