Hello,
I have been testing my new deployment of Endpoint and it seems a lot of the alerts are not even making it to the portal. I am testing a very general policy (made up) with an exception to a secure USB which was configured under Systems > Agents > Endpoint Devices. What am I missing or doing wrong?
The regex is
USBSTOR\\DISK&VEN_Integral&PROD_CRYPTO.*
and my current device is:
USBSTOR\Disk&Ven_WD&Prod_My_Passport_0730&Rev_1008\575838314337303631353834&0
In theory it should flag when I transfer the file from my PC (desktop and/or share) to this device, but it's not. My current Agent policy checks for:
Removable storage, CD/DVD, Clipboard (paste only), Email (Outlook and Notes), Web IE, Firefox, Chrome, Safari and FTP
Applications: Application file access, cloud storage
Network shares: none (copy to local and copy to share is off).
| Order | Actions | Destination | File Attributes |
|---|---|---|---|
| | Ignore | Cloud Storage | |
| | Ignore | Local Drive | path = $Cookies$\*, $InternetCache$\*, $LocalAppData$\*, $LocalAppData$\..\Temp\*, $LocalAppDataLow$\*, $RoamingAppData$\*, $Windows$\Prefetch\*, $Windows$\SoftwareDistribution\*, *\System Volume Information\* |
| | Ignore | Application File Access, Copy to Share | path = \\mcbopsfiler4\group$\*, \\mcbopsfiler4\users$\* |
| | Monitor | Application File Access, CD/DVD, Cloud Storage, Copy to Share, Local Drive | type = *.doc, *.docx, *.jar, *.mpp, *.pdf, *.ppt, *.pptx, *.rar, *.rtf, *.txt, *.wcm, *.xls, *.xlsx, *.zip |
| | Ignore | Local Drive, Copy to Local Drive, Removable Storage | |
| | Ignore | Application File Access, CD/DVD, Cloud Storage, Copy to Share, Local Drive | |
Specify Default File Filter Action
The following action will be applied to any file that does not match any of the file filters configured above:
This is the policy:
Detection
Rules
Endpoint keyword test
- Content Matches Keyword
- No keyword proximity matching
- Match On Whole Word Only:
- Count all matches and only report incidents with at least 1 matches
- Envelope
- Subject
- Body
- Attachments
Exceptions
Encrypted USB
Apply Exception to: Entire Message
- Endpoint Device Class or ID