
DLP Scanning BitLocker Placeholder File - Uses All C: Drive space

Created: 11 Oct 2012 | 5 comments

Hi

I have come across an issue when using DLP (client version 11.1.0.07015) with Microsoft BitLocker on Windows 7 64-bit.

As I understand, when I write a file to a removable drive, DLP will create a snapshot (.SNP) file in "C:\Program Files\Symantec\Endpoint Agent\temp" to scan it. 

The problem is that when I connect and encrypt my 300GB external USB hard disk drive, BitLocker will create a "placeholder" file to reserve free disk space on the disk (I believe it does this to make encryption more efficient on drives formatted with NTFS or exFAT).  When this file is written, DLP attempts to scan the file, and attempts to copy the 294GB placeholder file to the above location.

The problem is that my C: drive is only 120GB in size, so the creation of the .SNP file uses up all of my available hard disk space, and stops encryption from completing.

I have also noticed that the DLP agent also behaves the same if I copy a very large single file from a network share to a removable drive.

So it seems that DLP cannot scan a file being copied to a removable drive if the file size is larger than the amount of free disk space on the client's C: drive.

If anyone knows of any configuration that could prevent this behaviour I would be very interested to know.

Thanks!
5 Comments

Keith Reynolds - ExchangeTek:

First off, I'd look at creating an exception for BitLocker as an application.  I'm not too familiar with how exactly it operates, but at a minimum you should be able to get the executable name that's firing for BitLocker from the Endpoint Agent logs.  Then add it as an application in DLP under Application Monitoring, and make sure it's set to not monitor filesystem activity. 

~Keith


cornishrich:

Hi Keith

Thanks for your suggestion. I ran process explorer on a system whilst I was encrypting a USB drive and it seems that the encryption is performed at a kernel level by "fvevol.sys" running under the "System" process.

The DLP logs report the following when I start encryption:

agent_event.subcategory.ad_usergroupresolution_failed, Extended Value: NT AUTHORITY\SYSTEM

10/12/2012 13:02:41 |     0 | SEVERE  | DetectionRequestAddTask |  | [WIN32 ERROR 5]  Access is denied.

As encryption appears to be a process deep within the OS, I am not sure if it will be possible to isolate this task and make it an exception without impacting other legitimate DLP scanning activity.

Keith Reynolds - ExchangeTek:

You may be right.  I'm sorry I don't have an answer for you on this, but I am interested in trying this out in my lab.  I can't commit to doing this right away, but once I do, I'll certainly post up any results on here, even if it's just confirmation of the same thing that you're seeing.  Will keep you posted when I'm able to do that.

BTW...I don't think that's the right log entry in your agent log.  Seems to be just the log entry for the AD Resolution.  If it's not logging anything, it may be a matter of increasing the log level on that agent to see if we can see something that way.  If you want me to take a deeper look, which I'm willing to do, private message me on here and I'll give you my email address and you can send the whole log file to me if you want.  Doesn't take much to at least put another pair of eyes on that log file as a start. 

Regards,

~Keith


Jsneed:

Is the agent store size set in the agent configuration tab of the agent configuration?


Resource Consumption on the Endpoint Host

Agent Store Size
  • % of Total Available Disk Space


stumunro:

Here is a screenshot of what Jsneed is referring to.

[Screenshot attachment: Capture.JPG]