Data Loss Prevention

  • 1.  Why does DLP Enforce Server time-out when accessing WMI

    Posted Jul 14, 2014 02:08 PM

    Why does DLP Enforce Server time-out when accessing WMI, thereby unloading the lookup plugin? No matter what I set the time-out value to, the lookup plugin unloads and gives an error.

     

    The following script will cause the plugin to unload and create error:

     

    import sys, subprocess, socket, string
    import wmi, win32api, win32con

    # the Enforce lookup plugin passes attributes as "sender-ip=<ip>," style arguments
    a = ""
    for item in sys.argv:
        s = item
        if "sender-ip=" in s:
            a = s.replace(',', '')

    # strip() removes a set of characters, not a prefix; replace() removes the literal key
    userIP = a.replace('sender-ip=', '')
    userLoggedOn = ""

    # perform system lookup of IP address
    userIP = "\\\\" + userIP

    pst = subprocess.Popen(
            [r"D:\pstools\psloggedon.exe", "-l", "-x",  userIP],
            stdout = subprocess.PIPE,
            stderr = subprocess.PIPE
        )

    out, error = pst.communicate()

    # line 0 is the "Users logged on locally:" header, line 1 the DOMAIN\user entry
    lines = out.split('\n')
    if len(lines) > 1:
        userLoggedOn = lines[1].strip()
    print 'userId={}'.format(userLoggedOn)

     

    But if I rewrite the script so that it doesn't execute pst = subprocess.Popen(...), then the script executes without error.

     

     

    import sys, subprocess, socket, string
    import wmi, win32api, win32con

    a = ""
    for item in sys.argv:
        s = item
        if "sender-ip=" in s:
            a = s.replace(',', '')

    # strip() removes a set of characters, not a prefix; replace() removes the literal key
    userIP = a.replace('sender-ip=', '')
    userLoggedOn = ""

    # perform system lookup of IP address
    userIP = "\\\\" + userIP

    # hard-coded result instead of calling psloggedon.exe
    userLoggedOn = r"DOMAIN\user"
    print 'userId={}'.format(userLoggedOn)

     

    Our environment is configured as follows:

    1. Script is in D:\SymantecDLP\Protect\plugins
    2. DLP Enforce Server is running on Windows Server 2008 where UAC is disabled
    3. "protect" account on DLP Enforce Server is local admin

     

     

    How do I troubleshoot this? Contacting Professional Services is NOT an option for us. 

     

    Thank you.



  • 2.  RE: Why does DLP Enforce Server time-out when accessing WMI

    Trusted Advisor
    Posted Jul 18, 2014 03:12 AM

    Hello,

    I think you already did it, but does your script run well when you execute it yourself on your server with the protect account? Which version of Python do you use?

    Are you sure "psloggedon.exe" is executed? As it is executed via the Tomcat server, I am never sure which part of the server is accessible from the script (usually I try to put as much as possible, script, configuration file, ... in the protect directory).

    Sometimes when I had an issue forking a process from my script, I put all my commands in a bat file and then executed the bat file from Python. This ensures you will have all the Windows environment variables of your account correctly set.

     Regards.



  • 3.  RE: Why does DLP Enforce Server time-out when accessing WMI

    Posted Jul 22, 2014 03:53 PM

    i think you already did it, but does your script running well when you execute it on your own on your server with protect account ?

    Yes

     

    which version of python do you use ?

    2.7

     

    are you sure "psloggedon.exe" is executed ?

     

    I'm not sure if psloggedon.exe is executed because if it's plugged into DLP Enforce Server, it just unloads and displays an error in red.

     

    (usually i tried to put as much as possible script, configuration file,... in protect directory).

     

    Yes, I have put as much as possible into D:\SymantecDLP\Protect\plugins

     i tried to put all my command in a bat file then i execute the bat file from python. This ensure you will have all windows environment variable of your account correctly set.

     

    Can you show how this is done. I believe this will help, somehow.



  • 4.  RE: Why does DLP Enforce Server time-out when accessing WMI

    Trusted Advisor
    Posted Jul 24, 2014 02:10 AM

    Hi,

     

    you can create a text file named "test.bat" like this in your protect/plugins directory:

    @echo off
    REM %1 is the first argument passed from Python (the \\IP); batch uses %1, not $1
    D:\pstools\psloggedon.exe -l -x %1

     

    then in your python script replace

    pst = subprocess.Popen(
            [r"D:\pstools\psloggedon.exe", "-l", "-x",  userIP],
            stdout = subprocess.PIPE,
            stderr = subprocess.PIPE
        )

    by

    # full path to the bat file: do not rely on the working directory the script gets under Tomcat
    pst = subprocess.Popen(
            [r"D:\SymantecDLP\Protect\plugins\test.bat",  userIP],
            stdout = subprocess.PIPE,
            stderr = subprocess.PIPE
        )

     

    As I will need something like that soon for one of my clients, I will do some tests this weekend about that and then I will let you know if I find a "good" way to have it working.



  • 5.  RE: Why does DLP Enforce Server time-out when accessing WMI

    Posted Jul 25, 2014 09:15 AM

    Thank you Stephane, please let us know.



  • 6.  RE: Why does DLP Enforce Server time-out when accessing WMI

    Trusted Advisor
    Posted Jul 28, 2014 02:14 AM

    hello,

     

     As I said, I made some tests on my own test platform.

    I have set up a dedicated custom attribute, added this plugin, and tuned your Python script to take into account some unexpected behaviour (no sender-ip or null // more than one response from psloggedon (for example services running on a Windows machine) // a few try/except and default parameter definitions).

    Then one good news is that I was able to reproduce the same issue as you (one minute timeout, then plugin unloaded), so I was able to investigate and troubleshoot, but the bad news is that for now I still have this issue (I don't like that :) ).

    I will try some other methods during the next days and I will let you know if it works

    (for example it seems that this "old" command "wmic.exe /node:IP-or-HostName ComputerSystem Get UserName" still works on Windows 2008, or maybe coding it directly in Python).

    If I can contact you directly on your professional mailbox, let me know and give it to me in a PM.

     

     Regards
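The lookup script from the first post, restructured the way post 6 describes (missing or null sender-ip, several psloggedon entries such as service accounts, try/except with a default result). This is an added example, not code from the thread or from Symantec; the PsTools path, the argument shape and the SAMPLE_OUTPUT text are assumptions, and the process call is injectable so the parsing can be exercised without running psloggedon.exe.

```python
from __future__ import print_function
import re
import subprocess
import sys
# Constructed sample of "psloggedon -l -x" output (not real): header, then one DOMAIN\user per line.
SAMPLE_OUTPUT = """Users logged on locally:
     CORP\\jdoe
     NT AUTHORITY\\SYSTEM
     CORP\\svc_backup
"""
# Built-in identities that show up for services rather than an interactive user.
SERVICE_PREFIXES = ("NT AUTHORITY\\", "NT SERVICE\\")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_sender_ip(argv):
    """Return the IPv4 address from a 'sender-ip=1.2.3.4,' style argument, else None."""
    for item in argv:
        if item.startswith("sender-ip="):
            value = item.split("=", 1)[1].strip().rstrip(",")
            if IPV4.match(value):
                return value
    return None  # attribute missing, empty or malformed: caller falls back to ""

def parse_psloggedon(output):
    """Return the first interactive DOMAIN\\user entry, skipping the header and service accounts."""
    for line in output.splitlines():
        entry = line.strip()
        if "\\" not in entry or entry.startswith(SERVICE_PREFIXES):
            continue
        return entry
    return ""

def run_psloggedon(ip, exe=r"D:\pstools\psloggedon.exe"):  # hypothetical PsTools path
    proc = subprocess.Popen([exe, "-l", "-x", "\\\\" + ip],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode("utf-8", "replace") if isinstance(out, bytes) else out

def lookup_user(argv, runner=run_psloggedon):
    """Map plugin arguments to a user id; any failure yields "" so the plugin never raises."""
    ip = parse_sender_ip(argv)
    if ip is None:
        return ""
    try:
        return parse_psloggedon(runner(ip))
    except (OSError, ValueError):
        return ""

if __name__ == "__main__":
    print("userId={}".format(lookup_user(sys.argv)))
```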