Data Loss Prevention

  • 1.  Domain Login Failures While Running Discover Scan

    Posted Aug 13, 2010 01:31 PM

    Hi all-
    I am testing out DLP 10 Discover. I have a discover target set up to scan a network share and have provided it valid domain credentials to do the scan. When the scan is running, I am seeing thousands of login failures on my domain controller. Something is attempting to log on to the domain using the local Vontu account name (protect). There is no domain account for protect, so I get the "Username does not exist" error. I don't see anything relevant in the logs, and I'm not sure how to trace this back. The failures stop when I pause the discover scan.

    Has anyone run into this before?

    Thanks,
    Chris


  • 2.  RE: Domain Login Failures While Running Discover Scan

    Posted Aug 13, 2010 01:48 PM
    I forgot to mention that the scan runs fine and generates incidents appropriately based on the files in the network share.


  • 3.  RE: Domain Login Failures While Running Discover Scan

    Broadcom Employee
    Posted Aug 15, 2010 10:38 AM
    What kind of installation method did you use? Was it installed as a single layer server, or are the Enforce Server and Discover Server installed on separate machines?


  • 4.  RE: Domain Login Failures While Running Discover Scan

    Posted Aug 16, 2010 11:23 AM

    This is a single-tier installation while I'm testing.


  • 5.  RE: Domain Login Failures While Running Discover Scan

    Posted Aug 17, 2010 07:59 AM
    I will try to help you but I need some information first:
    1. Did you put domain credentials on the scan, and how did you insert the credentials?
    2. If so, is the user you supplied a valid domain user?
    3. Could the user reach all of the locations it is supposed to, and does it have read and write privileges?
    4. Do you have a domain user called "protect"?
    I can try and offer you the following things without answers to my questions:
    1. Try inserting credentials to the system keychain (you can do so by going to system->credentials)
    2. Then try using these credentials in the scan; it might solve the issue.
    3. Try scanning a local folder and see if it still generates login failures.
    Some screenshots of the DC and the scan configurations would help.

    Kind Regards,
    Naor Penso


  • 6.  RE: Domain Login Failures While Running Discover Scan

    Posted Aug 17, 2010 01:52 PM

    Hi Naor,

    For the scan, I am using credentials I specified in System -> Credentials. I also tried a scan with the credentials specified in the scan config.
    I used my domain user ID & password. My account does have read & write privileges for the share I was scanning. There is no domain user called protect.

    I scanned a share and also my My Documents folder (which is on a network share) and got the login failures for both.

    I scanned the local drive of the Vontu server and did not get any login failures.

    I scanned my workstation's admin share (\\workstation\c$) using my supplied credentials and did not get any login failures.

    For all the scans, even with the login failures, Vontu is able to scan the files on the share and generate incidents correctly. There are no scan errors.

    I would rather not provide screenshots on a public forum.

    Thanks for your help,
    Chris


  • 7.  RE: Domain Login Failures While Running Discover Scan

    Posted Aug 17, 2010 02:11 PM

    In the Discover scan there should be an option to "download full error report" in the middle-right of the scan that errored out. Additionally, there would be logs in the log directory <drive>\vontu\protect\logs. You can sort it by date and scroll to the bottom of the log file to determine any additional information.

    If you think your user account does have access, try it with a higher level account; the permissions needed are Read, with extended write. I know you have indicated that your account has permissions, but just for testing reasons try an account with a higher level.

    Is your "my documents" folder on a network share that you have r,w access to? If you get login failures or errors, try \\10.10.10.10\share\folder where 10.10.10.10 is the IP of the share.


  • 8.  RE: Domain Login Failures While Running Discover Scan

    Posted Aug 17, 2010 03:09 PM

    The error report is empty. The scan completes successfully. None of the scans have any errors. I checked the logs on the server, and nothing seems relevant to this problem.

    I tried a scan using the IP of the share, and still had the login failures.

    I specified my account, not protect, to use when scanning. The login failures are for the protect account, and not my account, which was used as the scanning credentials.

    For the share that I am scanning, I am the owner and have full control access to the share and all subfolders/files.