
Dlp Query

Created: 24 May 2013 • Updated: 28 May 2013 | 12 comments
This issue has been solved. See solution.

Hello

If I stop the DLP service in services.msc and then try to copy important information to my pen drive, how will DLP protect the information?


.Brian's picture

You can protect the service from being disabled:

https://www-secure.symantec.com/connect/forums/how...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
pete_4u2002's picture

The services cannot be stopped if tamper protection is enabled.

SOLUTION
technical_specialist's picture

Thanks a lot for clearing up my confusion.

pete_4u2002's picture

You may mark as the solution the post in the thread that helped to answer your query.

technical_specialist's picture

Hello,

I have marked you both as a split solution. It's pending admin approval.

kishorilal1986's picture

Dear All,

As per my knowledge, you can't stop the DLP services from services.msc. The DLP services can be seen there, named EDPA and WDP, and they can be renamed, but they can't be stopped that way.

To stop the services, Symantec has created endpoint tools exclusively for this purpose; from these you need to use the Shutdown_services.exe application. Only then can you do the above. There is no direct relation between SEP tamper protection and DLP agent service protection.

Please refer to the following for more:

http://www.symantec.com/connect/downloads/required...

kishorilal1986's picture

Dear Technical and Pete,

I do not agree with the above solution, as tamper protection has no relation to the Symantec DLP agent.

DLP services can't be stopped by any of the above methods; they can be stopped only by the endpoint tools provided by Symantec, using the application named Shutdown_services.exe. Please check once again.

.Brian's picture

This ability exists in DLP 11.6

Thread here, check it

https://www-secure.symantec.com/connect/forums/how...

Also, shows on page 18 of the admin guide

https://www-secure.symantec.com/connect/sites/defa...


technical_specialist's picture

Hello KS,

Pete and Brian provided the same answer, which had already been marked by someone; that means the person who marked it last found the option before pasting it as the solution. I have still not deployed Symantec on our site, but this query was given to me by my senior to confirm for security purposes.

He agreed with it, so I marked it as the solution.

For more information you can read Brian's comment above.

Found both of yang_zhang's comments:

https://www-secure.symantec.com/connect/forums/how-protect-symantec-dlp-endpoint-agent-services-edpa-wdp

kishorilal1986's picture

Hi Technical, Brian and Pete,

I appreciate your response on this, but try to understand that the answers are not correct for the query.

I have read page no. 65 and also referred to the above links, so I can say that when upgrading, Symantec Endpoint Protection (SEP) shows tamper protection alerts when edpa.exe restarts in the presence of the Symantec Management Agent. In such a case, EDPA is added as an exception, as below, to run the edpa and wdp services.

Add edpa.exe and cui.exe to the SEP tamper protection exception list. Use the following steps:

1. Log in to SEPM.
2. Go to Policies.
3. Under view policies click Centralized Exception.
4. Click Add a Centralized Exception Policy.
5. Click Centralized Exceptions.
6. Add Tamper Protection Exception.
7. Enter the full path location of edpa.exe.
8. Repeat steps 1–7 to add cui.exe to the Exception List.
9. Save the new policy.
10. Assign the new policy to the client group.

Note: This workaround is only applicable for managed SEP clients only. Currently, there is no solution for unmanaged SEP clients.

.Brian's picture

Per the DLP Admin Guide, page 18:

untitled_18.JPG


John_Gruhn's picture

KSharma and Brian,

The anti tamper measures explanation in the Admin guide is not that precise. A better description of the tamper proofing is under the Advanced Agent Settings under the description for AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int which defaults to "7". The values are below from the on-line help.

This setting enables tamper protection on the Symantec Data Loss Prevention Endpoint agent.

A setting of 0 disables all tamper protection.

A setting of 1 prevents the agent and watchdog files from being deleted or modified.

A setting of 2 prevents the agent and watchdog services from being stopped.

A setting of 4 prevents the agent and watchdog services from being deleted from the operating-system registry.

A setting of 7 enables file, service, and registry protection.
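
Added example, not part of the thread and not Symantec code: the values quoted above (1, 2, 4, with 7 as all three) read as bit flags, so this sketch decodes a setting value and reports which hosts lack a protection, including the service-stop protection the original question is about. Treating combined values such as 3, 5 or 6 as flag combinations is an assumption, and the CSV inventory format and host names are constructed for illustration.

```python
import csv
import io
from enum import IntFlag


class TamperProtection(IntFlag):
    FILES = 1     # agent and watchdog files cannot be deleted or modified
    SERVICES = 2  # agent and watchdog services cannot be stopped
    REGISTRY = 4  # services cannot be deleted from the registry


ALL = TamperProtection.FILES | TamperProtection.SERVICES | TamperProtection.REGISTRY


def decode(raw):
    """Turn a setting value (int or string) into flags; reject values outside 0..7."""
    value = int(str(raw).strip())  # raises ValueError on non-numeric input
    if not 0 <= value <= int(ALL):
        raise ValueError(f"setting out of range: {value}")
    return TamperProtection(value)


def missing(raw):
    """Names of the protections a setting value leaves switched off."""
    enabled = decode(raw)
    return [flag.name for flag in TamperProtection if not (flag & enabled)]


# Constructed inventory: hypothetical export of host name and agent setting.
SAMPLE = """host,tamper_setting
ws-001,7
ws-002,1
ws-003,0
ws-004,5
ws-005,9
"""


def audit(csv_text):
    """Map each host to the protections it lacks; fully protected hosts are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            gaps = missing(row["tamper_setting"])
        except ValueError:
            gaps = ["INVALID"]  # unreadable or out-of-range value needs manual review
        if gaps:
            findings[row["host"]] = gaps
    return findings


if __name__ == "__main__":
    for host, gaps in audit(SAMPLE).items():
        print(f"{host}: missing {', '.join(gaps)}")
```

Any host listed with SERVICES missing is one where the agent and watchdog services are not protected from being stopped.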