Data Loss Prevention

  • 1.  DLP v11 and HTTP monitoring

    Posted Dec 04, 2013 10:41 AM

    Hi everybody

    In our environment, we use endpoint discovery with keyword matching policies. SMTP (Outlook) and HTTP (IE, Mozilla FF) traffic gets monitored. If sensitive data is found to leave the network, the users will receive a user cancel warning.

    So far so good.

    I currently ran - by accident - across the following possible issue:

    On some clients, the HTTP traffic is either not getting checked or simply not generating a correlating warning message if sensitive data is POSTed. The OS and IE-version (IE8, IE9, IE10) do not matter (tested WXPSP3 x86 and W7SP1 x64).

    How do I come to this conclusion:

    To partially test the functionality of the DLP agents on the clients, we use a test-policy with a particular keyword to search for. On the clients that do not generate these warning messages when detecting the keyword in HTTP traffic as they should, a correct warning message is displayed when trying to send out a mail including the test-keyword.
    Means: The DLP agent is installed correctly on the machine and receives the test-policy. The HTTP traffic is not checked or no warning is displayed.

    How did I test this:

    To generate a warning message in IE, I used the pages requestmaker.com or hurl.it where I tested a POST action containing the test-keyword.

    Is there any way to determine why on some clients the warning messages are not getting displayed? And if it can be determined, the next step would be to fix it ...

    Any input is appreciated.



  • 2.  RE: DLP v11 and HTTP monitoring

    Posted Dec 04, 2013 11:04 AM

    Still new to DLP, but I just fired off a test using requestmaker.com and captured the HTTP traffic on our DLP Network Monitor.  We don't use Endpoint Discovery.  I would suspect that if you want to monitor ALL HTTP traffic, Network Monitor is the server you would want to use, not an Endpoint Discovery one.

    But again, I'm still new at this and maybe ED *should* be doing what you want it to do.



  • 3.  RE: DLP v11 and HTTP monitoring

    Broadcom Employee
    Posted Dec 04, 2013 11:48 AM

    Can you post the screenshot of the page where you upload or the Request Headers Sent: information from the page?



  • 4.  RE: DLP v11 and HTTP monitoring

    Posted Dec 05, 2013 01:52 AM

    @ RonCaplinger:
    We use Endpoint Discovery only, so there's not a Network Monitor infrastructure or similar available.

    @ pete_4u2002:
    Sure, I tested it on two different webpages. requestmaker.com and hurl.it. You can find both screenshots attached. Please note that [test-keyword] is a placeholder. What should happen is that a warning gets displayed which the user may ignore or cancel.
     



  • 5.  RE: DLP v11 and HTTP monitoring

    Trusted Advisor
    Posted Dec 12, 2013 01:25 PM

    On the systems that are NOT working, I would reinstall the Agents and make sure you run the installer as an Administrator. Open an "Administrator" command line and run the MSI package.

    I have seen it that many times that an application is open during the installation process and the 'hooks' to get done properly.

    Hope this makes sense.

    If this solves your questions please mark as solved.

    Ronak