Data Loss Prevention

  • 1.  DLP FlexResponse not logged

    Posted Jun 18, 2018 05:21 AM

    So, basically, I'm trying to integrate Symantec Endpoint Encryption and Symantec Data Loss Prevention via FlexResponse.

    I followed the guide and managed to encrypt the files via DLP policy, but it's just that the event/incident does not show up in the Incident Reports.

    Is this intended or not?

    Other incidents are being logged properly.

     

    FYI, the guide that I followed is the DLP 15 Administration Guide and this: https://support.symantec.com/en_US/article.DOC7639.html

     



  • 2.  RE: DLP FlexResponse not logged

    Posted Jun 18, 2018 07:07 AM

    Which Policy did you create?

    How are you triggering Policy?

    Which Report are you looking at: Network/Endpoint/Incident?



  • 3.  RE: DLP FlexResponse not logged

    Posted Jun 18, 2018 09:34 PM

    I created a policy for Endpoint Server with a keyword match of "encrypt" on all areas (envelope, subject, etc.) and the Protocol is Removable Storage. The response rule of the policy is Endpoint FlexResponse (EERPlugin_flexresponse).

     

    I am triggering the policy by creating a text file with the word "encrypt" in it and moving the said file to a USB connected to the machine.

     

    I am primarily looking at Endpoint Reports but at the same time, I took a look at other reports (Network/Discover) and do not find the incident there.



  • 4.  RE: DLP FlexResponse not logged

    Posted Jun 19, 2018 04:17 AM

    Does the "Examining content" popup appear when you copy the file?

     

    How to Deploy Endpoint FlexResponse
    https://www.symantec.com/connect/articles/how-deploy-endpoint-flexresponse

    Complete Process of Deploying and Enabling of Endpoint FlexResponse plug-in
    https://www.symantec.com/connect/articles/complete-process-deploying-and-enabling-endpoint-flexresponse-plug

     

    Have you updated the following setting?

    System | Agents | Agent Configuration

    PostProcessor.ENABLE_FLEXRESPONSE.int
     


  • 5.  RE: DLP FlexResponse not logged

    Posted Jun 19, 2018 04:33 AM

    Yes, the "Examining content" popup appeared when I copied the file.

    And I have updated the setting as well.

    I just checked the Endpoint report and saw the incident. It seems it took a long time to appear on the reports.

    However, another incident was not logged. FYI, the incident does not have any content but has the keyword as the name of the file. Does DLP not check the name of the file for the keyword?

     

    And I noticed that there's a warning on the Endpoint Server: "Time mismatch between Enforce and Monitor. This may affect certain functionalities in the system.". Could this be the cause of the issue?

     

    Thanks in advance.



  • 6.  RE: DLP FlexResponse not logged

    Posted Jun 19, 2018 09:01 AM

    Which content is missing?

    There should be the "Incident Details" in the "Key Info" tab on the left-hand side, which would have the full file path and name.

    The other incident may also be taking a while to process.

    It could. What is the difference in times?



  • 7.  RE: DLP FlexResponse not logged

    Posted Jun 19, 2018 09:50 PM

    I'm sorry for misleading. What I meant was I created an empty text file but with the keyword as the name of the file. I used that file to trigger an incident but that incident is not logged.

     

    Is there a way to check this? I have set the system time to be the same on both Windows servers (Enforce and Endpoint). Is there a way to change the time on the Enforce system itself?