Video Screencast Help

Outlook Add-In and Incident Generation

Created: 29 Jan 2013 | 6 comments

Hi everybody

Quite some time ago I found out that when the DLP Outlook Add-In gets disabled (manually or when in conflict with other Outlook Add-Ins doesn't matter), no incidents are being generated.
In fact, this means that any message sent through Outlook (2010) is completely (!!) bypassing the DLP agent.

We are using this feature as a response to display a warning or blocking message to our users as they are trying to send classified data via mail.
First, I thought the Add-In is used to only display these mentioned pop-ups. But it actually seems to provide the whole DLP functionality to Outlook (!!).
No Add-In = No DLP of mails sent through Outlook, even though the Agent and the service are active on the respective system.

Currently, we are using not the latest version of DLP (v11.0), but after reading the release notes of version 11.6 it seems this issue is not touched/solved/changed in any manner.
To me/us, this is actually quite a biggie and starts to raise quite some major concerns about the product.
I understand that this might not be the mostly reported issue and perhaps didn't even raise an incident at all. Bus as I think, this fact is not quite the way Symantec and - for sure - the customers want this feature to work, this needs to be looked at in a proper way.

If there is *any* possibility to make it impossible to deactivate the Add-In and therefor ensure the information chain is monitored, I would be absolutely greatful to know.
It even would help to know that this is an issue on the watchlist / waiting list to be solved, so this information can be passed to the management.

Any questions? Please don't hesitate to ask.

Cheers

Comments 6 CommentsJump to latest comment

Dor E's picture

Hi,
Is not the DLP agent enough for blocking or alerting users?
We are using only the agent and it seems that it's doing his job.
Why do you use the DLP outlook add-in as well?
Thanks a lot

flutti's picture

Hi Dor ECI

This is actually all about the Outlook Add-In.
My testing showed, the agent is not enough for blocking or alerting.
The Agent IS running in the background, but when the Outlook Add-In is not enabled in Outlook then nothing happens at the user side.
No incidents are generated, no warning, no blocking.

Cheers

Dor E's picture

Hi,
So i think that something is not working or configured as it should on your side.
I'm not familiar with outlook plug-in, but i can surely say that we are using DLP agent on our machines, and it's more then enough, once user takes action on his machine (Outlook, Browser, Office) and this action is not allowed by policy ==> Notification is been poped up immdietely.

flutti's picture

Hi Dor ECI

Thanks for the reply.
I really hope you are right, but to confirm this, could you do me a big favor and check the following:

  1. Open Outlook and disable the DLP Add-In (otlk2k3.dll) via settings
  2. Try to send a Mail with respective content that would generate an Incident and warning/blocking pop-up

If it still generates a warning/blocking pop-up and a incident in the back-end, it would mean something's wrong in our environment.
If not, this means that you might be in trouble as well ;)

Thanks in advance

Dor E's picture

Hi,
I would like to help you, BUT, as i said, i'm not familiar with Outlook add-in and we are not using it in ther organization.
We only using DLP agent on machines and it's providing the notification.
Can you please explain why do you use the outlook plugin?
I didn't find any documentation about it in the DLP admin guide.

Lucas Jóia's picture

Hi,

 

As I see in my environment, the DLP Add-In for Outlook is automatically installed and enabled when you install the DLP Agent.

I have the same issue here (no incidents, no blocking, no notification...) only using Outlook, but the Add-In is enabled and the agent installed.

This might be something bigger then the fact the Add-In is enabled or not...