
Winzip: Getting redundant incidents

Created: 09 Jan 2014 • Updated: 19 Jan 2014 | 5 comments
DLP Enthusiast's picture
This issue has been solved. See solution.

Dear All,

I've recently added Winzip under Application Monitoring. When I'm trying to zip a file containing credit card numbers, I'm receiving 2/3 incidents, and while sending the zipped folder via Outlook there's one incident. (Total 4: 2/3 for zipping the file and 1 for sending it via Outlook.)

However, for the redundant incidents there's only one notification coming onto the screen, and one for Outlook. Why am I getting redundant incidents while zipping? I'm using Endpoint Prevent!

DLP Solutions2's picture

DLP...

We will need a bit more information, but I can see a couple of things here.

  1. The incident with OUTLOOK is correct; when you send out the zip file you should see a popup there and 1 incident should be created. I assume you are monitoring OUTLOOK with the endpoint agent.
  2. The very 1st incident is when the TXT file is accessed by the Winzip application as it is creating the zip file. This is also correct, for it is based on the Winzip application accessing the file. This is based on the fact that you are watching what WINZIP is accessing. Look at the incident and it should tell you what application is accessing the file.
  3. The real issue is why you are getting 2 incidents around the actual ZIP file. This will come down to how Winzip actually creates files and might be something out of our control. I am not sure if this is the right assumption, but you will need to look at what application is creating the incidents. Look at the incidents and see what application is the root of the issue.
  4. As far as only getting 2 popups, this is typical, for in certain instances the agent is not going to give a popup more than once if the SAME application is causing the popup in a certain amount of time. If you look at the pop-ups there is also a check box to use the same response for the same issue/popup.

Hope this makes sense.

If this solves your question, please mark it as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.

 

 

 

DLP Enthusiast's picture

Dear Ronak,

I saw the incident details of each incident; they have the same channel/protocol. Moreover, there are no multiple pop-ups so that we can understand that there are multiple violations.

Even when I see the incident details of all these incidents, the time, incident matches and everything is the same. Why is this happening?

DLP Solutions2's picture

Honestly, I would play with the Winzip settings to see if you should undo some of the monitoring you are doing.

Since you are ONLY getting 1 incident when you email it, it has nothing to do with Outlook. Though since you are getting multiple with the Winzip application, it has to do with that portion of the product.

Try not using the Write to CD portion of the application monitoring and ONLY the File Access configuration.

Overall, I think it is how you have configured the Winzip application.

Keep in mind that the issue might be with how Winzip accesses the file, and it might access the file more than once when it creates the ZIP file. If it does access it more than once, the system will think of it as multiple reads/writes, and that is why you are getting more than 1 incident.

Hope this makes sense.

If this solves your question, please mark it as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.

 

 

 

DLP Enthusiast's picture

Dear Ronak,

I've tried multiple options to minimize these redundant incidents but I'm not able to. I've tried selecting application file access and deselecting the CD/DVD option, but this reduces the incidents from three to two. However, there are still multiple incidents. You can even test it on your side.

 

DLP Solutions2's picture

At this point I would call support and create a case.

Keep in mind that this issue might be with how Winzip accesses the file, and it might access the file more than once when it creates the ZIP file. If it does access it more than once, the system will think of it as multiple reads/writes, and that is why you are getting more than 1 incident.

Hope this makes sense.

If this solves your question, please mark it as solved.

Ronak

Please make sure to mark this as a solution to your problem, when possible.

 

 

 

SOLUTION