Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

DLP Skype support

Created: 14 Nov 2012 • Updated: 07 Dec 2012 | 5 comments
Atif's picture
This issue has been solved. See solution.

Hi Fellas,

We are working on DLP POC but unable to detect and block keyword being sent through Skype. We opened support ticket with Symantec for that and we were informed that Skype uses encryption and is not supported by DLP.

But I believe that DLP Endpoint agent should detect the keyword being written on Skype message window before being sent. Encryption kicks in once we press Enter key but before pressing Enter, DLP endpoint agent should detect it. Please correct me if I am wrong and also suggest the way out.

Regards,

Atif

Discussion Filed Under:

Comments 5 CommentsJump to latest comment

AMyers6671's picture

You might be able to add the program to the list of watched applications. However, just typing in a program won't cause DLP to catch/create an incident. Something has to happen with that data; whether copy/paste, printed, saved, etc.

Skype is encrypted communication. You may have better luck trying to proxy it and use SSL MITM but I'm not sure even that would work.

Aaron

If this post has helped you, please vote up or mark as solution to help others looking for the same data.

 

pete_4u2002's picture

thumbs up to abpve suggestion.

Skype is not covered under DLP for IM monitoring. However you need to set the Application Monitoring

Article ID: 54937 for more details.

Atif's picture

Thanks guys for your feedback. Is it possible to intercept Skype traffic through Network Prevent for Web integrated with Symantec Web Gateway provided all http https traffic is going through SWG?

Could not find mentioned article. Can you please provide full URL to that?

 

kishorilal1986's picture

Hi Atif,

Application monitoring lets you monitor third-party applications for IM, email, or HTTP/S clients. By default, Symantec Data Loss Prevention only monitors first-party applications such as AIM, Microsoft Outlook, or Mozilla Firefox. Examples of third-party applications include Skype, Mozilla Thunderbird, or Google Chrome. Any application that is not specifically monitored by Symantec Data Loss Prevention must be added to the Application Monitoring page before Symantec Data Loss Prevention can begin monitoring.

 

Steps to add an application Monitoring

1. From the Application Monitoring page, click Add Application.

2. For name, enter a name for the fingerprint.

3. Enter the name of the binary file, "firefox.exe", for example. Note that for the fingerprint to work correctly, you must include an escape character ("\") between the application name and the file extension, due to the way the regex is used to read the filename.  e.g., firefox\.exe

4. Enter an internal name, "Firefox", for example

5. Enter the original filename of the application itself, "firefox\.exe", for example. See note in step 3.

6. Leave the Publisher Name blank, unless absolutely necessary, as it increases resources used by the Agent.

7. Choose the elements to be monitored (print, network, etc).

8. Save the fingerprint and allow the changes to propagate to the Agents.

NOTE: You may also use the utility included with the Endpoint Agent tools,GetAppInfo.exe, to help determine the *Binary Name, *Internal Name, *Original Filename, or Publisher Name.

Running GetAppInfo in windows mode will open a UI which allows you to browser to the executable intended for monitoring.

Note that you must provide at least one of these names correctly for monitoring to work.

SOLUTION
Atif's picture

Thanks Kishorilal for excellent explaination.