Data Loss Prevention


Exclude websites from generating event in Endpoint

  • 1.  Exclude websites from generating event in Endpoint

    Posted Jul 08, 2014 08:53 AM

    Hi Guys,

    We are observing many false positive incidents for our internal websites which are triggered by our http/https protocol endpoint policy.

    After reading some discussions on the forum I have tried to exclude some internal websites using the -*www.domain.com, format in 

     
    However, after saving the above protocol a prompt is received saying that "Server will need to be restarted for settings to take effect".
     
    I have also tried to add the URL in the recipient exception of the HTTP policy for endpoint in "-*domain:*" format. This also did exclude the URL from monitoring.
     
    Please suggest if I am using the correct method or whether there is something else that needs to be done to exclude false positive internal websites from monitoring in endpoint.
     
    Thanks & Regards,
    Tanmay.


  • 2.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 08, 2014 08:58 AM

    Hi Guys,

    Please suggest.

    Thanks & Regards,

    Tanmay.



  • 3.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 09, 2014 07:46 AM

    You can create compound match conditions for policy rules and exceptions.

    The detection engine connects compound conditions with an AND. All conditions in the rule or exception must be met to trigger or except an incident.

    You are not limited to the number of match conditions you can include in a rule or exception. However, the multiple conditions you declare in a single rule or exception should be logically associated. Do not mistake compound rules or exceptions with multiple rules or exceptions in a policy.

    You can add one or more additional match conditions to a policy rule at the Configure Policy - Edit Rule screen.

    You can add one or more additional match conditions to a rule or exception at the Configure Policy - Edit Rule or Configure Policy - Edit Exception screen.
     

    Please refer to the thread:

    https://www-secure.symantec.com/connect/forums/whitelisting-urls-endpoint-monitoring-symantec-dlp

     

    Thanks.



  • 4.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 09, 2014 01:32 PM

    Tanmay,

     

    For endpoint you have two options. 

    1. Go to System -> Agent Configuration: choose your current agent config. In the agent configuration screen add your domains/IP blocks. Here is what our current filters look like.

     

    [image: filters.png (agent configuration filter list)]

    2.  Add an exception to the policy that is being hit.  Caution:  Using this method with large sets of sites will cause extreme memory usage.

     

     



  • 5.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 18, 2014 03:47 AM

    Thank you so much Lion Shaikh and jsneed for your suggestions.

     

    I have added one URL for testing in the HTTP filter of the active agent configuration in the below syntax:

    -http://<URL>*

    I have added * to filter everything that follows the initial URL.

     

    Even after this we are getting incidents for this particular URL.

    Am I doing something wrong here?

    Thanks in advance for your suggestions.



  • 6.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 18, 2014 06:58 AM

    Here is an example of the syntax of the filter:

    -sales.symantec.com,+*symantec.com,*

    HTTP requests to sales.symantec.com are ignored, and all of the requests that are sent to any other symantec.com domain are inspected. The last asterisk in the filter filters out all other domains like www.xyz.com. 



  • 7.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 18, 2014 08:05 AM

    Please try these steps:

     

    In the SEPM console, in the system navigation bar, click Policies.
    In the View Policies navigation bar, select Intrusion Prevention.
    In the Tasks list, click Add a Custom Intrusion Prevention Signatures.
    In the Custom Intrusion Prevention Signatures window, set the Name of the policy to allow <domain.com>(just an example, you can choose the website that you need to allow).
    Under the Signature tab, in the Signature Groups section, click Add.
    In the Intrusion Prevention Signature Group dialog, add the Group Name and Description as shown below, and then click OK.
    Group Name: allow domain
    Highlight the newly created Signature Group (allow domain), then in Signature for this Group section, click Add.
    In the Add Signature window, fill in the following information shown below:
    In the Content section add the following text:

    rule tcp, dest=(80), msg="<domain.com>", content="www.domain.com"
    Click OK to close the Add Signature window.
    Click OK to close the Custom Intrusion Prevention Signatures window.
    When prompted to assign the policy, click Yes.
    In the Assign Intrusion Prevention Policy window, click the Global group, and then click Assign.
    Click Yes to confirm policy changes.
    Click OK to close the Intrusion Prevention Policies Changes dialog.
    ALLOW domain policy now appears in the console under Intrusion Prevention Policies.

     

     

     



  • 8.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 22, 2014 03:08 AM

    Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP), user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated.

    You can use filters to include (inspect) or exclude (ignore) messages from specific senders or to specific recipients. You must precede each entry with a plus sign (+) or minus sign (-) to include or exclude matching results. For example:

    Any email address mask that starts with a plus sign (+) keeps matching messages for inspection. If you add the sender filter +*@abc.com, all messages that are sent from anyone in the abc.com domain are inspected.

    Any email address mask that starts with a minus sign (-) excludes matching messages from inspection. If you add the recipient filter -*@xyz.com, all messages that are sent to anyone in the xyz.com domain are not inspected.

    If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@abc.com,*, all messages from anyone in the abc.com domain are inspected, but all other messages are ignored.

    You can also include asterisk wildcards elsewhere in the address strings. The specific filter syntax depends on the protocol. For example, for email addresses you can use wildcards anywhere in the filter string as follows:

    +*@symantec.com inspects all email to/from symantec.com.

    +*.symantec.com inspects all email to/from any subdomains of symantec.com.

    -*symantec.com excludes all email to/from any email address ending in symantec.com.

    -phil@fakedomain.com excludes all email to/from phil@fakedomain.com.

    The order in which filters are evaluated is from left to right. For example, if you add the recipient filter -ceo@xyz.com, +*@xyz.com,*, all messages that are sent to ceo@xyz.com are ignored, and all messages that are sent to anyone in the xyz.com domain are inspected. The last asterisk tells the filter to ignore all other messages.

    If the sender and recipient filters conflict, the resulting message is ignored. For example, this situation can happen if the sender filter for a particular message evaluates as "inspect" and the recipient filter evaluates as "ignore."

    If a recipient filter has multiple exclusion masks, recipients can match any of the exclusion masks and the message is excluded. For example, if the recipient filter is -*@xyz.com, -*@abc.com, all the messages that are sent to xyz.com and abc.com domains are ignored. Also, the messages that are sent to either xyz.com or abc.com (but not both) are ignored. If messages have any additional recipients in other domains, the messages are inspected.

    You can monitor messages sent from the xyz.com domain but ignore messages sent to that domain by adding the following filters:

    L7 Sender Filter: +*@xyz.com, *
    L7 Recipient Filter: -*@xyz.com
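
The filter syntax quoted in posts 6 and 8 is precise enough to execute. The following evaluator is an added example written for this thread, not Symantec's code: it implements the stated rules (masks evaluated left to right, `+` inspects, `-` ignores, a bare trailing `*` ignores anything unmatched, unmatched values are otherwise inspected, a sender/recipient conflict resolves to ignore, and a multi-recipient message is inspected as long as one recipient is not excluded). Case-insensitive matching and the treatment of an empty filter as "inspect everything" are assumptions; the sample hosts and addresses are constructed.

```python
"""Evaluator for the +/- mask filter syntax described in the thread.

Constructed example following the semantics quoted in posts 6 and 8.
It is not Symantec DLP's implementation.
"""
import re
from typing import List, Tuple

Mask = Tuple[str, str]  # (sign, pattern): sign is '+' (inspect) or '-' (ignore)

INSPECT = "inspect"
IGNORE = "ignore"


def parse_filter(expr: str) -> List[Mask]:
    """Split 'a, b, c' into (sign, pattern) pairs, preserving order.

    A bare '*' entry (normally the last one) is the catch-all
    'ignore everything else' and is stored as ('-', '*').
    """
    masks: List[Mask] = []
    for token in expr.split(","):
        token = token.strip()
        if not token:
            continue
        if token == "*":
            masks.append(("-", "*"))
        elif token[0] in "+-":
            masks.append((token[0], token[1:]))
        else:
            raise ValueError(f"mask must start with + or -: {token!r}")
    return masks


def mask_matches(mask: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal.

    Case-insensitive comparison is an assumption (host names and mailbox
    names are usually compared that way); the whole value must match.
    """
    parts = [re.escape(p) for p in mask.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE) is not None


def evaluate(masks: List[Mask], value: str) -> str:
    """First mask (left to right) that matches decides; unmatched -> inspect."""
    for sign, pattern in masks:
        if mask_matches(pattern, value):
            return INSPECT if sign == "+" else IGNORE
    return INSPECT


def decide(sender_filter: str, recipient_filter: str,
           sender: str, recipients: List[str]) -> str:
    """Combine an L7 sender filter and recipient filter for one message.

    Either filter may be the empty string, meaning no filtering on that side.
    """
    sender_result = (evaluate(parse_filter(sender_filter), sender)
                     if sender_filter else INSPECT)
    if recipient_filter and recipients:
        per_recipient = [evaluate(parse_filter(recipient_filter), r)
                         for r in recipients]
        # A message is excluded only when every recipient matches an exclusion;
        # one recipient that is not excluded keeps the message under inspection.
        recipient_result = INSPECT if INSPECT in per_recipient else IGNORE
    else:
        recipient_result = INSPECT
    # Conflict rule from the thread: if either side says ignore, ignore.
    if sender_result == IGNORE or recipient_result == IGNORE:
        return IGNORE
    return INSPECT


if __name__ == "__main__":
    # The HTTP example from post 6, run against constructed host names.
    http_filter = "-sales.symantec.com,+*symantec.com,*"
    for host in ("sales.symantec.com", "support.symantec.com", "www.xyz.com"):
        print(f"{host:22} -> {evaluate(parse_filter(http_filter), host)}")
```

Running the block prints the three outcomes from post 6 (ignored, inspected, ignored). Because a bare `*` is just a mask that matches everything, anything placed after it is unreachable, which is why the thread always puts it last; a filter with no trailing `*` leaves unmatched traffic inspected.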



  • 9.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 23, 2014 09:40 AM

    If you need an endpoint exception for all policies:

    You just need to enter the IP or the domain in the Agent Configuration Domain filter box like this:

    -symantec.com

    no http://, no * at the end

     

    If you need it in specific policies, but for all detection channels, you can add the exception as a Recipient exception.

     

    Regards,

    Barnabas



  • 10.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 25, 2014 11:14 AM

    Hi Lion Shaikh,

    Good comment. Have you found any article for the same? Please update. Thanks.

     

    Regards

    MK



  • 11.  RE: Exclude websites from generating event in Endpoint

    Posted Jul 30, 2014 08:11 AM

    Hi Tanmay,

    My understanding is that you wanted to exclude a few HTTP/HTTPS sites as part of your Endpoint Agent monitoring. First of all, any changes you make under System>Settings>Protocols are not going to make any difference on your endpoints.

    1) Please go to the agent configuration under System>Agents>Agent configuration.

    Now go to your agent configuration and add the exclusions of your websites under Filter by Network properties.

    2) Create an Exception in your policy itself using the condition "Recipient matches pattern".

    Add your websites under the Newsgroup pattern option as "company.com".

     

    This should solve your problem.



  • 12.  RE: Exclude websites from generating event in Endpoint

    Posted Aug 06, 2014 12:08 AM

    Did this get solved?