questions on DLP

Created: 24 Jan 2012 | 7 comments
Hi All,

I am very new to Data Loss Prevention solutions and have some queries.

1. Can images sent as attachments be blocked/monitored?

2. Can we create policies to block/monitor anyone sending data through remote desktops?

3. Can images in any document, say Word/PDF/PPT and so on, be scanned by the DLP solution?

I tried searching the KB articles for anything related to the above queries but could not find a relevant one. Please look into the queries and do the needful.

Thanks in Advance....

1. Yes, images can be blocked and monitored using filetype matching. I wouldn't recommend you do this because even though they can be blocked, they can't be scanned for confidential information, so you have no way to tell if the image contains confidential information (except using the filename, directory, etc.).

2. Yes, this can be done. If someone from outside the organization connects to an internal computer using RDP, TeamViewer, etc., the Endpoint agent or Network Prevent for Web will stop confidential information from being sent to the outsider's computer.

3. No, images inside documents won't be scanned. However, if a Visio diagram is embedded into a ppt or word document (using a Visio file, not a picture file like a jpeg or png) then it will be detected as a Visio file properly.

Scanning images for confidential information isn't yet a part of Symantec's DLP offering (or any other DLP offering that I know of). It would be pretty difficult and processor-intensive to scan images for confidential information, as that would require optical character recognition, which is not known for its accuracy.

Hope this helps! If you have any other questions, feel free to ask.

Thanks for the reply.

In reply to question 3, I have some doubt, i.e.,

Even though the image in a document is not scanned, can we block those documents if they contain images?

To answer 1, say a user has changed the image extension (.jpeg) to some other extension, .txt, and has sent that image as an attachment. How can we detect/protect against that kind of action?

Is there any limitation, such as only certain kinds of remote desktop software/tools being monitored?

Thanks in Advance...

Don't worry about file name extension modification. If you use filetype matching detection rules, it doesn't use the filename extension but the so-called binary magic byte of the file to check the type of file. So DLP will detect it as an image even with a txt extension.

That means you can also define a policy which checks whether extension and filetype are in agreement, in order to detect users sending attachments and changing the filename extension to try to bypass DLP control or to hide what they are sending outside.
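
The check described in the reply above, as an added Python example that is not part of the thread and is not Symantec DLP's code: it identifies a file by its leading magic bytes and flags attachments whose extension disagrees with the detected type. The signature table, function names and sample attachments are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for a few common formats (publicly documented values).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx
]

# Extensions treated as consistent with each detected type (assumed policy).
EXPECTED_EXT = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
}
IMAGE_TYPES = {"jpeg", "png", "gif"}


def sniff_type(data: bytes):
    """Return the type implied by the file's first bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def classify_attachment(filename: str, data: bytes) -> dict:
    """Detect the true type from content and compare it with the extension."""
    kind = sniff_type(data)
    ext = os.path.splitext(filename)[1].lower()
    return {
        "filename": filename,
        "detected_type": kind,
        "is_image": kind in IMAGE_TYPES,
        # Only a recognised type can contradict the extension.
        "extension_mismatch": kind is not None and ext not in EXPECTED_EXT[kind],
    }


if __name__ == "__main__":
    # Constructed sample attachments: a JPEG renamed to .txt, and a plain PNG.
    for name, body in [("notes.txt", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
                       ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]:
        print(classify_attachment(name, body))
```
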


Hi Prasand,

What I meant was that you can scan for the presence of an image, but you can't detect confidential data stored in that image. If you want, you can block all outgoing emails that contain images. As Stephane said, even if the file extension is changed, DLP will still be able to detect that it is an image.

In terms of limitations, at one point it would only have been able to block file transfer using FTP or HTTP but now since the new version, they have made a new feature that prevents applications from even using the file.

Once the endpoint agent is installed on the computer and the appropriate protocols are monitored, it will stop the data loss from happening. If using Network Prevent for Web, then it will only be able to block those files being transferred out of the organization, but using Endpoint Agent will be able to stop data from being transferred even from inside the organization.

Yeah, the lack of capability for scanning images... I think Symantec will buy some company that scans images to text and implement this technology in DLP 12 =))) A Russian analog is already doing image content analysis.

Hi All,

Thanks for all the replies. The image is blocked irrespective of attachment. It is able to block in Gmail, not in Yahoo and Hotmail. Why is it behaving in this way? Is there any configuration change to be made?

How do we need to configure DLP to block/monitor data transfer during access of a local machine from a remote location through RDP/TeamViewer and so on?

Hi Prakash,

If all 3 options are possible, which will help us achieve all of them, endpoint or network? If possible, please suggest possible steps to succeed in all 3 scenarios.

Thanks in Advance...