
Exception for HTTP (Intranet Web App)

Created: 02 Apr 2013 • Updated: 15 Apr 2013 | 19 comments
DLP Enthusiast's picture
This issue has been solved. See solution.

Dear All.

 

I have a scenario where a user is creating a lot of incidents. On contact he told us that he is pasting CC numbers on an intranet web application for which the URL is given below.

 

I have tried making an exception for him by finding out the IP address of the server and making an exception in the User/Sender Matches Pattern. Unfortunately, it does not work.

Can anyone suggest a more accurate way of doing it?

 

URL: http://******/*****/****.aspx and the protocol violated is Endpoint HTTP. (Clipboard monitoring has been disabled)

 

Regards..


Jsneed's picture

You may need to make the exception using the host name.  If you are using endpoint prevent then depending on where the traffic is intercepted the DLP product may not know the IP and doesn't do IP lookups.  If this is not your situation could you provide more details?  Is this network prevent or endpoint?

 

 

 

DLP Enthusiast's picture

@Jsneed: The product I'm using is Endpoint Prevent.

Simpson Homer's picture

 

To achieve the above task, first you need to install the network or endpoint components on which you want to block such content based on content/file type. You can create a test policy, configure it to block (DCM) keywords, and apply it on each component, i.e. network or endpoint.

 

Open the policy in question that is triggering the incidents and blocking confidential information being sent.

1. Set an exception on the Detections tab of the policy for the relevant user's actions*. 
2. Open the policy in question. 
3. On the Detection tab click on the Add Exception button
4. Under Protocol check the option Protocol or Endpoint Monitoring
5. Then click on the Next button. 
6. Enter an Exception Name
7. Under Conditions select the options required by ticking each box required, e.g. HTTP, SMTP, Local Drive, Removable Storage, Copy to Network Share, Clipboard, etc.
8. Go to the bottom, open the Also Match drop-down box, and look for and select Sender/User Matches Pattern
9. Click on Add button
10. A new box will appear on screen for Sender Pattern, enter the domain username of the users you want to exclude from the policy. 
11. Click OK button to finish.

Check the chapter on  'Authoring policies' in Admin Guide >

https://www-secure.symantec.com/connect/forums/cre...

https://www-secure.symantec.com/connect/articles/c...

https://www-secure.symantec.com/connect/articles/c...

https://www-secure.symantec.com/connect/articles/d...

https://www-secure.symantec.com/connect/forums/cre...

 

 

Currently, DLP does not support IP filter for Network shares. Network share uses UNC and for DLP it is not considered as network event. You can use IP filter for protocols such as HTTP/FTP traffic.

Endpoint File Copies to and from Network Shares does not currently have the ability to use filters to exclude specific destinations or sources. Advise User to put exception of copy to network share in policy in order to ignore monitoring of Endpoint File Copies to and from Network Share.

DLP Enthusiast's picture

I will explain the scenario once again with a snapshot attached.

We have already given an exception on Clipboard Monitoring. But still a user is experiencing the Notify message on his screen. The action he is doing is pasting credit card numbers into an application which he is accessing via URL (mentioned earlier). When he pastes any credit card number, we get the incident as Endpoint HTTP. In the incident details, I'm getting the details of this particular user.

What we want: We want a solution to give an exception to this particular application only on Clipboard monitoring. That means we do not want to monitor the clipboard for this application.

Now what I have with me is this URL. Please tell me the best possible way, how I can do this ..

hello.PNG
DLP Enthusiast's picture

@ KS Sharma .

Thanks for the info. So what I understood from the above links is that, if I add the IP address of the app server in the IP Filter, that particular IP will not be monitored.

For fine-tuning the exception according to my requirement, I do not want HTTP traffic to be monitored. Will adding port no. 80 along with the IP address allow me to ignore only HTTP traffic? I want other protocols to be monitored though.

Clipboard has been already disabled in the Agent Configuration ? ..Will it follow the same Agent Configuration ? Because according to the business process, the users are to copy and paste credit card no's on that particular application and that Application Server hasn't been installed with an Agent. And we only have to give exception to Copy and Paste on that application and monitor all other activities ..

Please advise ..

 

zaferberber's picture

Hello

 

I got a lot of incidents with the HTTP protocol.

How can I exclude the "http://z.b.com/x.aspx" URL for password files detection?

regards

DLP Enthusiast's picture

@ Zaferberber: Can you explain the process for the above mentioned URL .. What exactly has the URL to do with password files .. ? .. 

zaferberber's picture

@Muzammil

I have an incident in the web traffic. When I check the incident, it matches the Password Files policy. I checked the HTTP packet; the client sends a form with value: xxxx     x is /et/password format.

It is a false positive. How can I exclude a specific destination host or URL for the Password Files policies?

 

regards

zafer

 

DLP Enthusiast's picture

Is every incident False Positive or just some of them ? ..

zaferberber's picture

Hi Muzammil,

 

The password file policy works properly, but for HTTP content I believe it is a false positive.

I only want to exclude HTTP traffic for a specific destination.

 

zafer

 

DLP Enthusiast's picture

@ Zafer.. Can you attach an Incident Snapshot ?

zaferberber's picture

Is it possible to tell me how I can write an exclude rule for HTTP traffic for a specific destination?

regards

zafer

kishorilal1986's picture

Hi muzami,

Did you see my thread above? That will help you with your recent query.

DLP Enthusiast's picture

@Zafer..

Go to the Agent Configurations page and choose the Agent Configuration which is currently in use with the Endpoint.

You may be able to see "Domain Filter" field below "IP Filter".

Add the IP Address of the destination HTTP page with the port no (80) in the "Domain Filter"

Eg. *,-15.16.17.18:80,*

Please be careful with the Syntax that has to be followed for any entry into the Domain Filter.

 

SOLUTION
DLP Enthusiast's picture

@ KS,

Thanks for your input; that was a real help.

Thanks for your support, and I look forward to more solutions from you.

DLP Enthusiast's picture

I got the solution above when I created a case with Symantec and they guided me with this.

The basic requirement for any application to be monitored is that it has got to have a .EXE file, and in my case for the intranet app I did not have one, because the user was accessing this app through Internet Explorer and making changes in IE would affect the usage of other applications.

Symantec suggested that I go for the Domain Filter instead of the IP Filter, along with the port no. So everyone can see the solution for the format we have to use in the Domain Filter field.

I hope this can be a help to other people as well.