Data Loss Prevention

  • 1.  How to detect mail.163.com traffic

    Posted May 17, 2016 11:08 AM

    Hi All,

    163.com is a major web based email service in China. Using Endpoint Prevent and Network Monitor licenses (DLP 14.0.1), we are just able to see the traffic on Network Monitor, but we can't detect or block anything at the Endpoint level.

    So the question is, do you have any idea how to block and detect protected data exchanged with http://mail.163.com? The Process Monitor doesn't show the website invoking any process besides IE or Chrome (the browsers used for testing).

    Any input is welcome.


    BR, 

    Morgado



  • 2.  RE: How to detect mail.163.com traffic

    Posted May 17, 2016 04:45 PM

    Hi Morgado. Nice to see you after a while (unless I may've missed a post or two from you recently).

    What if you create a log only policy applied to all endpoint detection servers and configure it to:

     - log all traffic going to 163.com for both (a) HTTP and (b) HTTPS protocols

    Do you not see the traffic? Even though process monitor logs the traffic as chrome/IE.

    Best guess is Application Monitoring is not enabled in the policy, or maybe not turned ON in the configuration/application monitoring settings, and the traffic is passing using Chrome, an unsupported version of a different browser, or even IE.

    I suggest:

     - Check the System Requirements guide for 14.0.1 (http://www.symantec.com/docs/DOC8236). Page 53 of 63. IE 11 and Chrome up to 50 are already supported; Application Monitoring in that case would not come into the picture. However, if you are trying with Edge or a version of Chrome beyond v50, the Application Monitoring feature might need to be turned on.




  • 3.  RE: How to detect mail.163.com traffic

    Posted May 18, 2016 08:36 AM

    Hi Leadvue. I've been busy finding and dealing with new DLP version bugs :)

    Thanks for the tip. I will give it a try.

    I do not have the AFA activated yet due to the poor performance of some apps when they are monitored. I was counting on the native v14 web monitoring (IE, Chrome, HTTP...) to do the job. Can't understand why it detects the traffic at endpoint level for all the websites tested to date and not for 163.com.

    By the way, using IE11 and Chrome 50.


    Update: it seems the web traffic is monitored using IE11 (I created a policy only logging the activity of 163.com), but anyway the content uploaded is not caught. The exact same web upload is then detected on the network, which makes me think that it can't be encrypted.


    Cheers,

    Morgado



  • 4.  RE: How to detect mail.163.com traffic
    Best Answer

    Broadcom Employee
    Posted May 23, 2016 11:10 AM

    Unfortunately, our DLP cannot detect mail.163.com by default.

    mail.163.com uses a Flash add-on to upload email attachments, which it uses to speed up the file upload process. This upload uses a kind of encryption that our DLP cannot decrypt.

    By using Wireshark to capture the packets while mail is sent by mail.163.com, you will find that the attachment is all stream data whose content the DLP cannot detect.
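An added example, not from this thread or from Symantec DLP, of the distinction Yang describes: a Python check that tells a captured HTTP upload body that content inspection can match (plaintext multipart form data) from an opaque high-entropy stream that it cannot. Both sample bodies are constructed, and the entropy threshold and the SSN pattern are assumptions.

```python
import math
import re

# Assumed detector: a simple US SSN pattern, standing in for a DLP content rule.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
# Assumed threshold: compressed or encrypted data sits close to 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t") / len(data)


def classify_upload(body: bytes) -> str:
    """'inspectable' when a content rule can see text, 'opaque' otherwise."""
    if shannon_entropy(body) >= ENTROPY_THRESHOLD or printable_ratio(body) < 0.9:
        return "opaque"
    return "inspectable"


def find_ssn(body: bytes) -> list:
    """Run the content rule over the body; returns the matched values."""
    return [m.decode() for m in SSN_RE.findall(body)]


# Constructed plaintext multipart upload, as a browser would send it.
PLAIN_UPLOAD = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="salary.csv"\r\n'
    b"Content-Type: text/csv\r\n\r\n"
    b"name,ssn,salary\r\nAlice,123-45-6789,90000\r\n"
    b"--boundary--\r\n"
)
# Constructed stand-in for an encrypted stream: every byte value equally often.
OPAQUE_UPLOAD = bytes(range(256)) * 4

if __name__ == "__main__":
    for name, body in (("plain", PLAIN_UPLOAD), ("opaque", OPAQUE_UPLOAD)):
        print(name, classify_upload(body), find_ssn(body))
```

The plaintext body is classified as inspectable and the SSN rule fires; the opaque body is classified as opaque and the same rule finds nothing, which is the gap the network-side capture in the thread shows.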



  • 5.  RE: How to detect mail.163.com traffic

    Posted Jun 13, 2016 12:14 PM

    Thank you Yang,


    Any idea if Symantec will be able to address this "issue" in the near future?


    Thanks,

    Morgado