How to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1

Created: 19 Oct 2011 | 4 comments
Kengo's picture

Hi all,

Please tell me the way to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1.

"Symantec Data Loss Prevention Endpoint Performance Guide Version11.1" says "You can specify either File Open or File Read actions" on p.38.

So I want to know the way.

 

Which way is the best practice?

 

Sincerely,


yang_zhang's picture

In the case of FILE READ, we don't do detection if the file read matches any of the following conditions:

    less than 64 bytes.
    256 bytes but total length of file is _not_ 256 bytes.
    512 bytes but total length of file is _not_ 512.
    131072 bytes but total length of file is _not_ 131072 bytes.

If FILE OPEN option is chosen, we don’t have these restrictions.

Kengo's picture

Hi yang_zhang,

Thank you for your comments.

 

I understood there are restrictions under detecting FILE READ.

But I don't know the way to configure the settings.

Where can I choose FILE READ and FILE OPEN options?

I can't find them on administration screen.

 

Sincerely

Artem's picture

Hello, Kengo.

You can choose FILE READER or FILE OPEN on the application monitoring page:

  1. Go to the page System > Application Monitoring
  2. Click Add or Edit application
  3. Activate Monitor Application File Access
  4. Choose File Open or File Read (screen001)

 

You also need to activate Application File Access in the Agent configuration:

  1. Go to the page System > Agent Configuration
  2. Click Edit configuration
  3. Activate Application File Access (screen002)
  4. Click Save and Apply

 

And if you use a Protocol rule in policies, you need to activate Application File Access in the policies:

  1. Go to the page Manage > Policy List
  2. Click on the Rule
  3. Open Endpoint monitoring condition
  4. Activate Application File Access (screen003)
  5. Click OK
  6. Click Save
screen001.jpg screen002.jpg screen003.jpg
Kengo's picture

Hello Artem,

Thank you very much.
I almost understood it.

FILE READER or FILE OPEN detection is configured on application-based settings.
So I can't easily configure it to detect every FILE READER or FILE OPEN activity, unlike printer/fax, ftp and so on. If I want to detect every FILE READER or FILE OPEN activity, I need to configure every application's settings on (screen001), right?

Sincerely,