
Symantec DLP issues

Created: 13 Jul 2012 | 9 comments

Dear All ,

 

Our company is doing a PoC for Symantec DLP. Below are the issues on which we want some clarification, which can help us.

 

1. Symantec is unable to protect or log an event if an unauthorized system accesses the network and tries to access the files

2. It's not protecting files from being deleted, edited or copy-pasted

3. Print screen can't be blocked

4. Policies are not working with Firefox browser

5. User can send files, even if defined in policy, through hotmail.com

 

I hope someone from your team will respond to me with a complete solution for what we need here to resolve the issue.

 

Thanks

Farasat


jjesse's picture

Are you working w/ a Symantec SE or a Symantec Partner on this proof of concept?  If so, they should be able to address a lot of these questions.  If not, I would reach out to your Symantec SE or Symantec Partner quickly to help get this solved.

Could be faster than dealing with the forum to get your answers.

 

For blocking, have you enabled a response rule w/ an Endpoint Block to actually get things blocked? Otherwise they will just get logged as incidents.  Oftentimes during a proof of concept we only focus on creating the incident and not actually blocking things.

Do you know how to create the necessary response rule?  If not, we can help here, but once again work w/ the SE/Partner to further help out.

Jonathan Jesse Practice Principal ITS Partners

farasat12ka4's picture

Dear jjesse,

 

We are working with a Symantec Partner. They are still not able to resolve this issue; that's why I posted on the forum. We know the rules, they are already there; please be specific to my points.

 

1. Blocking of PrintScreen (as per your partner, not supported)

2. Blocking of specific UNC path

3. Tagging / location-based policy

4. Blocking user from deleting some specific files in specific location

5. Prevent any web browser from working against policy; Firefox will not be supported, as per your partner

6. We are able to send any document via hotmail.com; Symantec is not working there

 

Thanks

Farasat

jjesse's picture

OK, so I work for a Symantec Partner; sorry the one you are working with can't help you out.

Anyway, Print Screen can be blocked; it is a response rule that needs to be set and applied to each policy where you need Print Screen blocked.  Are you popping up a notification as well?  (Another response rule that needs to be set up.)

The DLP Endpoint Agent does integrate w/ Firefox and IE (if you look at the Agent config you see that it lists Firefox specifically), though not sure what versions or if there is a version problem.

Is network monitor in scope for the Proof of Concept? Is it seeing data to hotmail.com or is it an SSL connection?

 

Let me know if you have more questions.

Jonathan Jesse Practice Principal ITS Partners

farasat12ka4's picture

Thanks,

 

Jesse, can you provide me your contact details? I will speak to you regarding this on the phone directly.

jjesse's picture

Sent you a private message w/ my email

Jonathan Jesse Practice Principal ITS Partners

mdjainam's picture

Farasat,

Seek advice from the Symantec Account team on the selection of the partner, or use partnerlocator.symantec.com.

 

MD

farasat12ka4's picture

Dear Md,

 

I put the same question to McAfee; they gave me answers to the technical queries rather than referring me to the teams. I think I'm looking for technical answers from your team on the forum.

stephane.fichet's picture

Hi,

 

I agree with jjesse; most of the actions listed in your message usually work "fine".

Did you succeed in monitoring the action? If not, your issue is not with blocking but should be with the endpoint (agent or server) configuration.

First try to block something with a very simple policy (for example one keyword only) in order to check that everything is working well and then you can try to validate your use case.

 

Regards

Keith Reynolds - ExchangeTek's picture

1. Symantec is unable to protect or log an event if an unauthorized system accesses the network and tries to access the files

 - Doesn't seem to be a DLP use case, does it?  This seems to be an IDS case. 

2. It's not protecting files from being deleted, edited or copy-pasted

 - If you're talking about the Endpoint here, this is likely a configuration error.  DLP won't be able to stop a user from editing a file (before saving it), but could stop them from being able to open the file in the first place due to presence of sensitive data, or subsequently prevent them from saving the edited file if they added sensitive data to it in the course of editing it.  It can also stop the user from copying data to the clipboard in the first place...in which case, your only "edit" scenario is when someone manually types the data you are looking for into the document they are editing, which would pose a significantly smaller risk than anything else like being able to copy/paste.  You need to make sure all these vectors are turned on in your Endpoint configuration, and the appropriate response rules are enabled on your policies.

3. Print screen can't be blocked

- Right, and it will not be able to be blocked with DLP.  You would need to implement some type of device control for Print Screen, preferably through the Symantec Endpoint Protection (SEP) agent, or disable print screen altogether via the registry.  DLP cannot detect data in print screen events.

4. Policies are not working with Firefox browser

- Presume you mean for HTTPS events.  Do you have HTTPS monitoring enabled, and is the agent reporting in the DLP console that the Firefox plugin was installed (or that the install of the plugin failed)?

5. User can send files, even if defined in policy, through hotmail.com

 - Again, if it's Hotmail over HTTPS, it might be related to an unsuccessful install of the Firefox or IE plugin.  If it's over HTTP, I would look to ensure that the agent was successfully installed in the first place and that it has the current config.  Or, if you're talking about Network monitoring, not Endpoint, there could be other reasons why you're not seeing this traffic.

I agree with Jesse's comments above.  Any qualified partner that you are working with through the POC should be able to correctly demonstrate and/or talk to all the above points, and it's unfortunate that you seem to be working with one that does not know this well enough to be able to answer your questions.  I think that users, customers, and other partners on this board will do their best to try to help you, but for a POC situation, you really need someone that knows your configuration/set-up better than you would be able to describe on a message board.

Best of luck!

~Keith
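
As an illustration of the registry option mentioned under point 3 of the reply above (an added example, not part of the thread and not Symantec tooling): this Python code assumes the registry approach meant is the Windows `Scancode Map` value under the `Keyboard Layout` key, and builds, decodes and exports the binary value that maps Print Screen and Alt+Print Screen to no key. The function and constant names are illustrative.

```python
import struct

# Assumption of this example: the thread does not name the registry value;
# "Scancode Map" is the standard Windows mechanism for remapping or disabling keys.
KEY_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout"
PRINT_SCREEN = 0xE037      # extended scancode of the PrtSc key
ALT_PRINT_SCREEN = 0x0054  # scancode generated for Alt+PrtSc (SysRq)


def build_scancode_map(disabled):
    """Return the REG_BINARY blob mapping every scancode in `disabled` to 0 (no key)."""
    # Header: version (0), flags (0), entry count including the null terminator.
    blob = struct.pack("<III", 0, 0, len(disabled) + 1)
    for source in disabled:
        # Entry layout: 16-bit target scancode, then 16-bit source scancode.
        blob += struct.pack("<HH", 0x0000, source)
    return blob + struct.pack("<I", 0)  # null terminator entry


def parse_scancode_map(blob):
    """Decode a blob (e.g. from an audit export) into (source, target) pairs."""
    if len(blob) < 16:
        raise ValueError("blob too short for header plus terminator")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0 or len(blob) != 12 + 4 * count:
        raise ValueError("malformed Scancode Map header or length")
    entries = [struct.unpack_from("<HH", blob, 12 + 4 * i) for i in range(count)]
    if entries[-1] != (0, 0):
        raise ValueError("missing null terminator")
    return [(source, target) for target, source in entries[:-1]]


def to_reg_file(blob):
    """Render the blob as .reg file text for import on a test machine."""
    hex_bytes = ",".join(f"{b:02x}" for b in blob)
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{KEY_PATH}]\n"
            f'"Scancode Map"=hex:{hex_bytes}\n')


if __name__ == "__main__":
    value = build_scancode_map([PRINT_SCREEN, ALT_PRINT_SCREEN])
    print(to_reg_file(value))
    print(parse_scancode_map(value))
```

The value is machine-wide and is read at boot, so it takes effect after a restart; it suppresses only the keyboard key, not screen capture performed by other software.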