How to skip *.jar monitoring, but retain *.zip on DLP Agent?
Created: 29 Jan 2013 | 7 comments
I have found, that just simple removal of *.jar extension from Agent Configuration does not work. Because internally is JAR just a ZIP. DLP Agent stopped to monitor JAR's only after I had removed also the *.zip from the Monitoring Filter. But, this is not a good idea. Is there any possibility to tell DLP Agent to differentiate between JAR and ZIP?
Thank you.
Discussion Filed Under:
Group Ownership:
Comments 7 Comments • Jump to latest comment
Hi Pavel,
Sorry this doesn't look possible. As you've indicated, our true file type engine treats .zip and .jar as the same.
The alternatives as I see them (not knowing your use case exactly, just ideas)
Apply your policies to file types, for example;
Don't search for source code in files with .zip or .jar files
DO search for confidential tags in .zip or .jar files
Or, let it log then;
Under the Endpoint incidents filter out .jar files
Advanced Filerers & Summarization > Add filter > File Name Does No Contain Ignore Case > jar
Kind regards David
Hi David,
Thank you for your hints. I have more extensively tested in 11.6.1 the proposed variant with file type policy filter using a USB device copying. Unfortunately:
From my perspective, this is something the DLP Agent does not support currently. Some filtering rules happen too late in the extraction&detection process, so only limited performance gain is possible.
Best Regards,
Pavel
Hi Pavel,
I understand where you're coming from now, it's not necessarily the Policy triggering, rather the fact the user experience is impacted.
I've seen a couple of reasons this could be in effect (these again are working thoughts of mine)
1. make sure any endpoint protection solution isn't scanning files written to the DLP temp directory (sorry not got that to hand)
2. the file size is the issue, the .jar or .zip file may unpack multiple other .jar or .zip files. Here the agent treats each .jar or .zip as a separate count - example the maximum file size for inspection is 30MB, each .jar or .zip is treated as a separate count.
The only answer I can think of for the second point would be to reduce the maximum file size the DLP agent will inspect, see what happens if this is reduced to say 15MB, does this help?
IncidentHandler.MAX_INCIDENT_FILE_SIZE.int
I don't believe today there is a way to limit the files within the .zip to inspect to performance.
Kind regards David
Hi David,
Ad1.
We do not have any endpoint protection in place. Only McAfee VirusScan. Could you please help me, what is the DLP temp directory? I have failed looking into documentation.
Ad 2.
Unfortunately, I have come to the IncidentHandler.MAX_INCIDENT_FILE_SIZE.int, and I have also tweaked Detection.FILTER_TIMEOUT.int to 5000 and Detection.MAX_DETECTION_TIME.int 10000 . It worked a little, but crapping sometimes the ability to detect without helping with the user experience much.
And a *.jar file with many small classes inside will still fit most of the time and the only solution is, unfortunately, to skip all the *.zip files from extraction.
So, thank you for your help, but there is no solution for now.
Best Regards,
Pavel
Hi Pavel,
It's a shame these settings didn't resolve the situation.
To answer your question, our recommendation is to remove DLP agent processess and files from anti malware/antivirus scanning, these include;
The Agent installation folder at: C:\Program Files\Manufacturer\Endpoint Agent (temp folder is here as well)
Executables
(*) edpa.exe
(*) wdp.exe
(*) cui.exe
(*) kvoop.exe
(*) vfsmfd.sys
(*) vrtam.sys
This is covered in the System Requirements Guide 11.6.
Personally I think your issue is a little more in depth, and will be best handled by our support group. I know they'll check this prior to proceeding, so well worth carrying out.
Kind regards David
Hi Pavel,
u can exlude certain file types which are already defined in exception filetr of DLP. This u will get this in agent config setting in system tab. Also refer below
https://www-secure.symantec.com/connect/forums/exc...
https://www-secure.symantec.com/connect/forums/how...
https://www-secure.symantec.com/connect/forums/how...
Hi,
I know. But the filter applies only to the detection phase. Not to the extraction one. Tested on DLP Agent 11.6.1 with USB device copy.
Best Regards,
Pavel
Would you like to reply?
Login or Register to post your comment.