Data Loss Prevention

 View Only

  • 1.  Hidden Text MS Office Word || Password-protected ZIP [SymcDLP 11]

    Posted Feb 15, 2011 04:26 AM

    Hello again,

    I feel the need to update this older topic: https://www-secure.symantec.com/connect/forums/dlp-105-and-hidden-textcolumns-ms-office

     

    So, in that topic I had 2 problems:

    1st, the hidden text in MS Office Word wasn't detected by SymcDLP 10.5

    and

    2nd, the password-protected ZIP archive wasn't detected by SymcDLP 10.5

     

    OK, now the results with Symantec Data Loss Prevention 11:

    In the 1st case the problem IS solved, the hidden text in MS Office Word is detected, an incident is created. Good!

    In the 2nd case the problem IS NOT solved, an password-protected ZIP is not detected. Attached you can find a screenshot with my simple policy and a step-by-step creation of encrypted ZIP. I made the test twice, first with 7zip and then with WinRAR. The result is the same, no incident!

     

    Additional info: The Endpoint agent monitors clipboard (copy-paste)! The encrypted MS Word/PowerPoint is detected and an incident is created. So, I think there is a problem just with "Password-Protected ZIP Archive".

    Attachment(s)

    pdf
    Problem_Pass-Protected ZIP.pdf   6.59 MB 1 version


  • 2.  RE: Hidden Text MS Office Word || Password-protected ZIP [SymcDLP 11]

    Posted Feb 15, 2011 09:37 AM

    Ok based on the problem steps recorder document, I saw that you copied from the desktop and pasted back to the desktop. I wouldn't expect that to generate an incident because there would be no data loss there to prevent (the confidential information is still on the same computer).

    Have you tried to copy it to a USB drive, or send it in an email? Make sure that the Endpoint agent is actually monitoring those "protocols" as well. If that doesn't work, I'd be surprised 'cause I remember testing this before and it worked.

    Hope this helps smiley

    ~xlloyd



  • 3.  RE: Hidden Text MS Office Word || Password-protected ZIP [SymcDLP 11]

    Posted Feb 15, 2011 10:34 AM

    No, everything is correctly configured. If clipboard is monitored then it doesn't matter where you paste the source.

    In this way I tested hidden text in Word and Word and PowerPoint encryption (copy-paste onto desktop) and incidents are created. Is the same test platform.



  • 4.  RE: Hidden Text MS Office Word || Password-protected ZIP [SymcDLP 11]

    Posted Feb 15, 2011 10:54 AM

    Oooh...that's weird...it never happened for me. Then again, I don't remember testing it like that anyway lol.

    I know about the clipboard not mattering where you paste the source, that's fine 'cause you can paste into an email just as easily as you can paste into a file on your PC so it's better to just lock it down. As for the encrypted files and such...well I dunno =/

    Maybe someone else can help out. You should give the USB drive a try anyway...just in case.