Data Loss Prevention

 View Only
  • 1.  Endpoint Prevent and Skype

    Posted Jul 02, 2014 06:04 AM

    Hi all,

    Looking for some help with a problem I've got.


    Trying to detect/block file transfers through Skype using DLP. We actually have another way to block Skype file transfers in the registry, but would like DLP to catch anyone who has disabled this.

    Skype IS configured in Application Monitoring and our DCM keyword policy is applied against Application File Access.

    If I try to transfer a file from the local C drive, the Endpoint Prevent monitor kicks in and successfully detects and blocks the file transfer. This is detected as an Endpoint File Application Access incident and brought up the standard "Blocked Activity" window (with the customisable options).

    However if I try to transfer a file from a network share, no incident is raised at all. DLP appears to completely miss the activity.

    Also please note - we had to change File Open to File Read in the Application Monitoring for Skype, in order to get the local drive incidents to trigger.

    Thanks,
    Nic



  • 2.  RE: Endpoint Prevent and Skype



  • 3.  RE: Endpoint Prevent and Skype

    Posted Jul 04, 2014 08:23 AM

    Hi Lion,

    I've already read those threads - they don't explain why the file transfer wasn't detected from a network share but was from a local drive.

    However the 12.5 release notes state:

    " 2093311:If an application is registered for Application Monitoring and opens a file residing on a network share, it will not be scanned and cannot be blocked if it contains sensitive information."

     

    I believe this was the cause of the issue.

     

    Thanks,
    Nic