Data Loss Prevention


Simple detection policy [SymcDLP 10.5]


  • 1.  Simple detection policy [SymcDLP 10.5]

    Posted Feb 14, 2011 11:03 AM

    Hello,

    First of all let me tell you the test case. This is simple, I want to build a policy with a detection rule and an exception. The test will be conducted for Network Prevent for Email integrated with MS Exchange 2007. The Exchange server adds a custom text (as a signature) to every outgoing mail. The custom text is a small text, like: "This email and any attachments to it contain confidential information and are intended solely for the use of the individual to whom it is addressed."

    Now, my policy looks like:

    Detection: DCM, keyword: "confidential"

    Exception: "This email and any attachments to it contain confidential information and are intended solely for the use of the individual to whom it is addressed."


    When I send an email with the word confidential in body/subject no incident is raised. When I remove the exception from that policy and resend an email with confidential in body/subject an incident is created.

    First, I thought that the confidential word found in the custom text was the problem so I removed it leaving only: "This email and any attachments to it contain information and are intended solely for the use of the individual to whom it is addressed."


    I restarted the test and I have the same problem. When I want to send an email that contains confidential in body/subject, no incident is created. When I remove the revised exception an incident is created.


    Any ideas?



  • 2.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 14, 2011 03:20 PM

    Which mode is the Prevent server in? Reflective or forwarding (in relation to the MTA that is)?

    If the signature gets attached before Prevent sees the email, then it's going to ignore the email because it has the exception string in it. I think the exception means "ignore the incident if this string is in the message" rather than "look for this stringA (confidential) except for occurrences in this stringB (signature)".
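To make the distinction in the reply above concrete, here is an added Python model (not Symantec code, and not how Enforce is implemented) of the two possible exception semantics: "drop the whole message if the exception string is present" versus "cut the signature out first, then look for the keyword". The signature text, keyword and sample messages are constructed from what the thread quotes.

```python
import re

# Constructed sample data, modelled on the thread: the Exchange signature and the keyword rule.
SIGNATURE = ("This email and any attachments to it contain confidential information "
             "and are intended solely for the use of the individual to whom it is addressed.")
KEYWORD = "confidential"


def keyword_hits(text, keyword=KEYWORD):
    """Offsets of case-insensitive, whole-word occurrences of the keyword."""
    pattern = r"\b" + re.escape(keyword) + r"\b"
    return [m.start() for m in re.finditer(pattern, text, re.IGNORECASE)]


def policy_exception_first(text, keyword=KEYWORD, exception=SIGNATURE):
    """Assumed model of the semantics described in the reply: if the exception
    string appears anywhere in the message, the whole message is ignored;
    otherwise the keyword rule decides."""
    if exception in text:
        return False
    return bool(keyword_hits(text, keyword))


def policy_strip_then_match(text, keyword=KEYWORD, exception=SIGNATURE):
    """The behaviour the original poster wants: remove the signature from the
    message first, then look for the keyword in what is left."""
    remaining = text.replace(exception, "")
    return bool(keyword_hits(remaining, keyword))


def compare(text):
    """Evaluate one message under both models."""
    return {"exception_first": policy_exception_first(text),
            "strip_then_match": policy_strip_then_match(text)}


if __name__ == "__main__":
    # Constructed messages: one that leaks the keyword in the body, one that does not.
    leak = "Attached is the confidential merger plan.\n\n" + SIGNATURE
    clean = "Lunch is at noon.\n\n" + SIGNATURE
    for name, msg in (("leak", leak), ("clean", clean)):
        print(name, compare(msg))
```

Under the first model every outbound mail carrying the signature is suppressed, which is exactly the symptom in the opening post; under the second, the keyword still fires when it appears outside the signature. The model is deliberately simple and does not try to explain why the revised exception (with "confidential" removed) still suppressed incidents in the poster's second test.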



  • 3.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 15, 2011 03:36 AM

    Hi,

    The Network Prevent for Email is in reflect mode. I think that the signature is attached before the email message gets to DLP.

    So, if I have a string as an exception, and one mail contains confidential data AND the string it will ignore the email?

    Do you know if that is true for DLP 11? For now I can't test this with 11.



  • 4.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 15, 2011 08:58 AM

    Yup that's how it works. I'd assume it goes for DLP 11 as well but I can't confirm.

    To get the policy that I think you want...I think you may have to build a regex *sigh*...I hate those things.

    I'll keep trying to think of a way to get it but I can't do any testing at the moment 'cause the server guys shut down the server I was using to test -__-



  • 5.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 15, 2011 10:36 AM

    OK!

    If you can come up with a regex like that it will be fabulous! I will make the tests :).



  • 6.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 15, 2011 11:51 AM

    lol no guarantees but I'll try =P



  • 7.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 15, 2011 02:25 PM

    This is what I got. I tested it with http://www.regextester.com/index2.html and these were my results with the following regex

    ^(?=.*?\bconfidential\b)((?!This email and any attachments to it contain confidential information and are intended solely for the use of the individual to whom it is addressed).)*$

    The indented bits were the "emails" I tested with

    ----------------------------------------------------

    This is a document with the word "confidential" in it.

    This document also has a signature attached

    This email and any attachments to it contain confidential information and are intended solely for the use of the individual to whom it is addressed.

    PASS - MATCH

    ----------------------------------------------------

    This is a document without any suspicious words

    It also has the same signature attached

    This email and any attachments to it contain confidential information and are intended solely for the use of the individual to whom it is addressed.

    FAIL - NO MATCH

    ----------------------------------------------------

    Please keep in mind that Symantec says that using a regex tends to be processor intensive and I don't know what kind of hit the users' PCs will take. I got the skeleton for the regex from http://www.regular-expressions.info/completelines.html

    Hope this helps!

    ~xlloyd wink



  • 8.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 16, 2011 03:47 PM

    Hi Stefan, anything further on this?

    The regex I made was in JavaScript form...there are a couple others and I don't remember which one Enforce uses in their policies. Hope it works =]



  • 9.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 06:26 AM

    No, it doesn't recognize the regex pattern :(.



  • 10.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 08:49 AM

    Enforce didn't accept it or the testing failed?



  • 11.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 08:54 AM

    Ok I found the regex guide in the Symantec Admin Guide...maybe the constructs are different =/

    I'll try to reconstruct it...dunno how I'm gonna test it though...I'll figure it out ;]



  • 12.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 09:06 AM

    Exactly, Enforce won't accept it!



  • 13.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 09:07 AM

    OK, thanks a lot!



  • 14.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 09:35 AM

    Bwoy...it looks kinda sticky...can't say I didn't try though lol.



  • 15.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 09:46 AM

    Ok I did something that I hope will work. I tested with a PHP/POSIX regex tester.

    (?<!This email and any attachments to it contain.)confidential(?!.information and are intended solely for the use of the individual to whom it is addressed)

    Now I'm not sure how robust this is...or how efficient it is. My disclaimer is: be careful if you use it in a production environment. No max performance is guaranteed, and I'm no expert or Symantec employee or anything.

    Hope it helps!

    (Seriously...I've spent too much time on this...gotta get back to work lol)
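The two patterns in this thread (the lookahead version from post 7 and the lookbehind/lookahead version above) behave differently depending on the engine's line and dot handling, which is worth seeing before putting either into a policy. The following is an added Python check, not code from the thread or from Symantec; the sample messages are constructed from the two test "emails" in post 7, and the flag combinations are Python's `re` flags, which may not correspond to the options Enforce exposes.

```python
import re

# Constructed sample messages modelled on the two test "emails" from post 7.
SIGNATURE = ("This email and any attachments to it contain confidential information "
             "and are intended solely for the use of the individual to whom it is addressed.")
EMAIL_WITH_KEYWORD = ('This is a document with the word "confidential" in it.\n\n'
                      "This document also has a signature attached\n\n" + SIGNATURE)
EMAIL_CLEAN = ("This is a document without any suspicious words\n\n"
               "It also has the same signature attached\n\n" + SIGNATURE)

# Pattern from post 7: positive lookahead for the keyword, then every remaining
# character is consumed only while the signature does not start at that position.
REGEX_LOOKAHEAD = (r"^(?=.*?\bconfidential\b)((?!This email and any attachments to it contain "
                   r"confidential information and are intended solely for the use of the "
                   r"individual to whom it is addressed).)*$")

# Pattern from post 15: the keyword itself, guarded by a negative lookbehind and a
# negative lookahead for the signature text on either side of it.
REGEX_LOOKAROUND = (r"(?<!This email and any attachments to it contain.)confidential"
                    r"(?!.information and are intended solely for the use of the individual "
                    r"to whom it is addressed)")


def fires(pattern, text, flags=0):
    """True when the pattern finds a match anywhere in the message."""
    return re.search(pattern, text, flags) is not None


def evaluate(text):
    """Run each pattern over a message under the flag combinations that matter.

    The lookahead pattern is anchored with ^ and $, so it only reproduces the
    thread's PASS/FAIL results when those anchors apply per line (MULTILINE).
    With DOTALL instead, the anchors apply to the whole message and the
    signature at the end prevents the pattern from ever reaching $.
    """
    return {
        "lookahead_multiline": fires(REGEX_LOOKAHEAD, text, re.MULTILINE),
        "lookahead_dotall": fires(REGEX_LOOKAHEAD, text, re.DOTALL),
        "lookaround": fires(REGEX_LOOKAROUND, text),
    }


if __name__ == "__main__":
    print("with keyword:", evaluate(EMAIL_WITH_KEYWORD))
    print("clean:       ", evaluate(EMAIL_CLEAN))
```

Two caveats for anyone adapting these: the lookaround pattern is case-sensitive as written (a body containing "Confidential" is not matched), and the `.` inside its lookbehind and lookahead stands for the single space in the signature, so any one character there is accepted. Python also requires a fixed-width lookbehind, which this pattern satisfies; other dialects may reject lookbehind altogether.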



  • 16.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 17, 2011 09:47 AM

    By the way, the URL I used was

    http://www.myregextester.com/index.php

    It's an awesome regex tool that even explains what each construct does...highly recommended



  • 17.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 21, 2011 04:33 PM

    How did this work out for you?

    (?<!This email and any attachments to it contain.)confidential(?!.information and are intended solely for the use of the individual to whom it is addressed)

    Just double-checking if you tested this modified one

    ~xlloyd



  • 18.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 24, 2011 04:06 AM

    Tried it, but it doesn't work as I want. It's no problem, I will use the policy as I did before. :)



  • 19.  RE: Simple detection policy [SymcDLP 10.5]

    Posted Feb 24, 2011 08:18 AM

    Lol, darn...ah well =(

    What exactly does it match in Enforce though?

    I'm curious lol