
Endpoint User Justification Question

Created: 14 Dec 2012 | 2 comments

We currently have the endpoint agent installed across our enterprise and are notifying users when they copy certain types of data. We are using the notifications as a type of survey, and we have seen many responses where DLP logs "SPECIAL: No User Response" or "N/A". Does anyone know the list of conditions that can cause this?


kishorilal1986
Hi Jsneed,
 
Please read below and you will understand the reason.
 
 
This symptom can occur if you log in as user-A and try to do an operation as user-B. For example, log in to a system as user ‘protectuser’ and execute ‘runas /user:<administrator> copyfile.bat’ (here copyfile.bat copies a file from a local drive to USB). If there is a block/notify response generated in this case, it will have N/A as the user justification. This is because the CUI.exe process is for each session, in this case for ‘protectuser’. But when the response gets generated for administrator, it doesn’t have a session and therefore no pop-up (note that the block happens as expected in this case).
 
Also, there are 2 issues related to User Justification displaying ‘N/A’ which are fixed in V11.0. The Etracks are as given below:
 
2104974 - "User Justification" field in Notify policy violation incident displayed as "N/A" on violating block and notify policies one after another.
2111214 - User Justification in ‘User Cancel and Notify’ incidents shown as N/A when ‘Block, Notify and User Cancel’ policies are violated together.
 
 
Jsneed

Kishorilal,

Thank you for your reply. I know for a fact that these files are not being copied by another user. They are copied by one user using the standard Windows copy/paste. They copied 2200 files all at the same time to two different devices. 800+ of these files ended up with "SPECIAL: No User Response" as the user justification. Also, we are running endpoint agent 11.5.1.

Jeremy