DLP and print screen

Created: 14 Dec 2010 • Updated: 14 Dec 2010 | 10 comments
xlloyd's picture

I've been pondering this a while now and really can't come to any other conclusion than this.

It's rather easy to get around some of DLP's functionality using print screen. Using print screen doesn't trigger a clipboard event. There are two ways to get around this:

  1. Have the sys admin write a script to disable the print screen key on all clients (extreme)
  2. Have the print screen key generate an event like this:
     • The user hits print screen
     • DLP agent immediately scans all visible text
     • If any visible text is discovered, generate an event

I'm guessing that it would have to be separate from the clipboard event in the "Protocol or Endpoint Destination" section though.

10 Comments

cable mite's picture

Are you sure that DLP does not catch PRtScrn events?

It would seem a pretty obvious thing for DLP to do.

I am having a DLP POC soon and will check this!

------------------------------------------------------------
MR99 will fix it all.

xlloyd's picture

I'm pretty sure, but maybe I missed something in all of my exploration. If you find anything please post it back here!

=]

If this post has helped you, please vote up or mark as solution
Thomas K's picture

Even if you can disable the print screen function, how do you keep a user from taking a photo of the screen with their hi-res camera phone?

Ooyala - Check us out!

xlloyd's picture

LOL! Maybe you'd have to use your hi-res security camera to take a picture of them taking a picture of sensitive data?

Here's an idea, once sensitive data is displayed on the screen at all (once the window with info matching the policies is NOT minimized) then DLP would send a trap to your IP-based security camera to take pictures every n minutes until it receives another trap to say that the document is closed.

Lol kinda much...and not very practical I'm afraid =/

Thomas K's picture

How about monitors with built-in web cams that have software that can detect objects like cameras and recording devices? The computer detects a camera-like object in the foreground or background, takes the photo and sends it off to security.

: )

Thomas

xlloyd's picture

Woooaah lol! Symantec would have to move into serious hardware for that >_<

This is the kinda thinking that will keep us moving forward though. Symantec better be taking notes when the US Government wants something like this =P

cmiller-PDX's picture

This is an issue that represents a serious threat for data loss. As far as a camera goes, that is what physical security is for; many organizations have policies that do not allow cameras in sensitive areas. Data loss on the endpoint is an IT security responsibility. Disabling print screen on high risk clients (or doing some kind of optical character recognition on print screen images to inspect for sensitive data) seems like a logical feature to include in the DLP endpoint agent. Is there a technical reason this is difficult to implement?

xlloyd's picture

Well, it's easy enough to disable the print screen key. The simple reason is that there are so many alternatives to print screen...I don't think it would be possible to block them from an application standpoint. You'd need to be able to integrate with the OS at a very low level to stop copying of the pixels representing the desktop. I doubt Microsoft's API has anything like that. If it did, then I'm sure it would have been done already (if not by Symantec, then by someone else).

Barnabas's picture

Locklizard did it quite well a couple of years ago. It's possible to take a screenshot, but protected documents' windows are not shown.

http://www.locklizard.com/stop-screen-grabbers_news.htm

Symantec is using this product as well to protect documents.

nsolling's picture

Hey,

We actually wrote an application fixing exactly this issue.

It is basically an OCR which runs when doing printscreens which then communicates to the DLP agent.

For more information feel free to write me on nso[at]helpag.com

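An added example (not from any poster, from Symantec, or from the application mentioned in the last comment) of the flow the original post proposes and the last comment describes: on Print Screen, scan the text visible on screen and raise an event on its own channel. It assumes an OCR step has already turned the captured screen into text; the policy, the `print_screen` channel name, the event fields, the look-alike mapping and the sample text are all constructed for illustration.

```python
import re

# Look-alike letters that OCR commonly substitutes for digits (assumed mapping).
OCR_FIXES = str.maketrans("OoIlSB", "001158")
# 13-19 digit-like characters, optionally grouped by single spaces or dashes.
CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9])(?:[0-9OoIlSB][ -]?){12,18}[0-9OoIlSB](?![A-Za-z0-9])")

# Constructed OCR output for the windows visible when Print Screen was pressed.
SAMPLE_OCR = """Customer record - Jane Example
Card: 4111 1111 1111 1111
Backup card: 5500-0000-OOOO-OOO4
Order ref: 1234 5678 9012 3456
"""

def luhn_ok(digits):
    """Checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_printscreen(ocr_text, user, host):
    """Return one event per card number found in the OCR'd screen text."""
    events = []
    for m in CANDIDATE.finditer(ocr_text):
        # Strip group separators, then undo OCR letter/digit confusion.
        digits = re.sub(r"[ -]", "", m.group()).translate(OCR_FIXES)
        if luhn_ok(digits):
            events.append({
                "channel": "print_screen",  # hypothetical; separate from clipboard
                "policy": "payment-card-number",
                "user": user,
                "host": host,
                "match": "*" * (len(digits) - 4) + digits[-4:],  # masked in the event
            })
    return events

if __name__ == "__main__":
    for event in scan_printscreen(SAMPLE_OCR, "jdoe", "WS-042"):
        print(event)
```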