Data Loss Prevention

  • 1.  Endpoint Prevent Monitoring of Write to Local Drive

    Posted Sep 29, 2016 01:03 PM

    I have an endpoint prevent policy that is working well to detect anyone trying to write a limited number of file types to removable storage.  However, if I also include the local drive as a destination, it does not see the write (while it continues to detect the write to removable storage).  I can't find anything in the admin manual that indicates that you can monitor the local drive with endpoint prevent, but the policy writer offers the local drive as an endpoint destination to monitor.  Is it even possible to use endpoint prevent to monitor someone writing certain file types to their local drive?



  • 2.  RE: Endpoint Prevent Monitoring of Write to Local Drive
    Best Answer

    Posted Sep 30, 2016 03:40 AM

    Hello,

     

    At first look, it seems that your problem is that you have activated the detection protocol "Endpoint Destination Local Drive" in the policy rule but the Local Drive channel is not activated at Agent Configuration level. To do it, go to System / Agents / Agent Config / Select your Agent Config; then inside the Agent Config go to the Agent Monitoring bar and tick the channel "Local Drive".

    Don't forget to apply the changes of the Agent Config in the path System / Agents / Agent Config / Apply Configuration.

     

    BR,

     

     



  • 3.  RE: Endpoint Prevent Monitoring of Write to Local Drive

    Posted Oct 11, 2016 09:29 AM

    Thanks Morgado for the suggestion.  I do have the Local drive channel set to monitor.  I do not have the Clipboard Copy or Paste enabled however.  As far as I know, the only way users have tried to exercise this policy is to copy a file from another location to their local drive using a Cut and Paste.  Would I need to turn on the Clipboard monitoring in order to detect this type of write to the local drive?  I don't seem to need that turned on in order to detect the same type of copy and paste to a removable drive.



  • 4.  RE: Endpoint Prevent Monitoring of Write to Local Drive
    Best Answer

    Trusted Advisor
    Posted Oct 11, 2016 09:53 AM

    Hello,

    Which DLP version are you using?

    It seems that you have to be at least on v14.5, as it is announced as a new feature of this version (at least a supported feature).

     

    Extract of "Symantec_DLP_14.5_Whats_New.pdf"

    --------------------------------------

    Monitoring filters for copy to network shares and for local drives

    Support for filtering by file type, size, and path. This feature provides coverage for the following scenarios:

    File copies from Mac and Windows endpoints to network shares

    File copies from network shares to local drives on Windows endpoints using Explorer

    --------------------------

    Regards



  • 5.  RE: Endpoint Prevent Monitoring of Write to Local Drive

    Posted Oct 11, 2016 10:08 AM

    Stephane, I am using 14.0.  Ultimately, what I want this policy to look for and block is anyone writing specific types of CAD files to their local drives (both from the application itself or from an email, USB device or network share).  In our environment, we want all of those sensitive files to be written to a vault rather than local drives.