Data Loss Prevention


HOW-TO Simulate the way DLP Enforce calls DLP look-up script

  • 1.  HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 05, 2013 01:14 PM

    I created a look-up script that runs with elevated credentials. It takes input in the form sender-ip=10.10.10.10 and returns userId=DOMAIN\username.

    However, the script will return userId=CannotAuthenticate if

    (1) the elevated credentials cannot authenticate to the remote computer

    (2) the WMI in the remote computer is disabled

    (3) the WMI in the remote computer is turned off

     

    I have worked with a DLP engineer to configure the lookup plug-in, and no matter what IP address is sent, we always get CannotAuthenticate as the userId.

    ________________________________________________________________________________

    Here is the plugin configuration

    Script Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Arguments: -NonInteractive,-ExecutionPolicy, ByPass,-InputFormat,none,-File,D:\script\current_or_last_user.ps1

    Options:

    Enabled stdin

    Enabled stdout

    Enable credentials

    Credentials File Path: D:\symantecdlp\protect\cred_file.txt

    ________________________________________________________________________________

     

    Whenever we reload the plug-in, we manually remove the old value of userId for an incident, i.e. we go to Edit and delete the value for userId. Today I also tried unchecking Enabled stdin and then reloading the plug-in as advised, but it still does not work.

    This case has been going on for several weeks.

     

    Can you tell me how the DLP Enforce server calls the script? Does it execute commands on a command prompt? I would like to simulate the exact conditions that the DLP Enforce server uses; perhaps something can be adjusted on the script side?

     

    Any information to troubleshoot and resolve this issue is greatly appreciated!



  • 2.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Trusted Advisor
    Posted Nov 05, 2013 02:36 PM

    Hi,

    DLP just calls the plugin script, sending parameters on stdin like:

    <my script> sender-ip=10.10.10.10 sender-email=test@dlp.com ........

    (usually I test my script with a simple .bat file on the Windows server which calls the script with parameters)

    To troubleshoot it you can activate logs, but as we already discussed that in this forum I think you already do it.

    Did you check that your script is working fine just by adding static variables in the script and running it alone?

    When I do a new plugin I always validate that it runs fine alone, then I try to integrate it with DLP.

    In DLP, which key parameters did you check?

    Did you try to change the credential file path to "../cred_file.txt"? The script is executed from the Tomcat server and not from the Windows OS, so it could have a problem interpreting the full path. (You can also try a "stupid" path to check what kind of behaviour you get when the credential file is not found.)

    regards



  • 3.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 05, 2013 03:10 PM

    The script works perfectly when I run it manually, the problem arises when I try to integrate it with DLP.

     

    In DLP, I checked the following key parameters

    • Incident
    • Message
    • Sender

    When I kept the credential file path as D:\symantecdlp\protect\cred_file.txt, the \Protect\logs\tomcat\localhost.2013*.txt  displays the elevated credentials in CLEARTEXT.

    When I kept the credential file path as ../cred_file.txt, the \Protect\logs\tomcat\localhost.2013*.txt also displays the elevated credentials in CLEARTEXT.

    So, DLP enforce server has the credentials, why isn't it being applied to the lookup script?

     

    When I included a "stupid" path I get Failed Status for the Plugin.



  • 4.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Trusted Advisor
    Posted Nov 06, 2013 02:12 AM

    Oops, sounds weird...

    Did you try adding some comments in your script after each important line, so it will send this output to the log files and you will be able to check which information is wrong/not available at each step, or send them to a specific log file? (I did that once just to see that DLP did not send information in the format I expected.)

    One other point: your script will run with the same account as the Tomcat server (protect), so did you try to execute your script with this account?



  • 5.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 11, 2013 10:52 AM

    This sounds like a permissions issue.  The script will run with the credentials the Vontu services are running as (typically the Protect user).  Make sure this user has the required permissions.

     



  • 6.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Trusted Advisor
    Posted Nov 13, 2013 01:24 AM
    1. What version of DLP are you on?
    2. The issue may just be where you have the files located.
    3. I would put them all in the plugins directory and make sure they have the right permissions.
    4. Can you use a Credential instead of a file?
    5. I would also modify your script to output the variables at different times to see what the content is.
    6. Also turn off both STDIN and STDOUT; it will cause problems, as the script plugin does not like the special character "/". This can be your issue.
    7. If the "/" is the issue, you may want to clean up that string before outputting the username. This can be helpful because you can then do an LDAP lookup with it.

    Can you attach the script here and we can then look at it.

     

    Hope this makes sense.

    If this solves your questions please mark it as solved.

    Ronak



  • 7.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 13, 2013 11:00 AM

     

    1. What version of DLP are you on?

    How do I find the version?

    2. The issue may just be where you have the files located.

    The script is on C:\Script and the DLP installation is on C:\SymantecDLP\Protect

    3. I would put them all in the plugins directory and make sure they have the right permissions.

    Where is the plug-in directory?

    4. Can you use a Credential instead of a file?

    What do you mean by this?

    5. I would also modify your script to output the variables at different times to see what the content is.

    Will do this.

    6. Also turn off both STDIN and STDOUT; it will cause problems, as the script plugin does not like the special character "/". This can be your issue.

    Will do this.

    7. If the "/" is the issue, you may want to clean up that string before outputting the username. This can be helpful because you can then do an LDAP lookup with it.

    Well, the script outputs jdoe, but I format the string to be userId=DOMAIN\jdoe. Will make changes.


    See attached script



  • 8.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Trusted Advisor
    Posted Nov 13, 2013 11:10 AM

    - You can see the DLP version on the "Server/overview" web page in the DLP UI after each server name (mostly the Enforce server, of course).

    - The plugin directory is in the C:\Symantec DLP\Protect\ directory.



  • 9.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Trusted Advisor
    Posted Nov 13, 2013 12:10 PM

    Sounds like you are pretty new to DLP..

    • There is a section System > Settings > Credential where you can create a credential.
    • If you write the script properly you can use a credential from here in the script. It would need to be written in Java.
    • Put all files in the Plugin Dir..
    • C:\SymantecDLP\protect\plugins
    • Also make sure you have a Custom Attribute called "userId"; this is case sensitive, so make sure it is the same as what is outputted and correct.
    • Make the custom attribute under System > Attributes > Custom Attribute Tab.

    Hope this makes sense.

    If this solves your questions please mark it as solved.

    Ronak

     



  • 10.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script
    Best Answer

    Trusted Advisor
    Posted Nov 13, 2013 01:25 PM

    RSAKSA,

    I looked at your script..

    First of all the input that you will get from the DLP server will look like this:

    Lookup using com.vontu.lookup.script.ScriptLookup complete: {Manager Last Name=Doe, discover-location=null, protocol=Clipboard, Resolution=null, file-owner=rpatel, Employee Type=External Employee, endpoint-file-path=null, Title=null, discover-extraction-date=null, Manager Business Unit=IT Services, Manager Phone=414-555-5555, Username=rpatel, Division=Contractor, file-created-by=DOMAIN\rpatel, file-owner-domain=DOMAIN}.

    It is a comma Delimited input.. so you need to change the following:

    $line_array+= $i.split(" ") to $line_array+= $i.split(",")

     

    Lastly, when you created the Credential File, did you follow the instructions on Generating the Encrypted Credential file?

    Clear text file should have "username=usernameadminaccess password=whatever"

    SymantecDLP\protect\bin\CredentialGenerator.bat inputfilename.txt outputfilename.txt

    Then put the filename in the UI. Again put these files in the Plugins directory.

    _________________________________________________________________

    If this does not fix it..

    Also after looking at the script I would run this Manually from a Command Prompt on the Enforce Server to see if it works.

    Use the "runas" command to open a command window as the user you are specifying in the credential file.

    run powershell

    Run the following command and see if it works.

    Get-WmiObject -Class Win32_OperatingSystem -ComputerName "MachineName"

    The script does not even need a credential to run. The issue you are having is that the script calls a command in PowerShell, "Get-WmiObject ...". The user that runs this command needs to also be in the Administrator group on the remote system. So I am wondering if the account in the credential file can even do that, period. Is there an account that can do this on all of your systems? So make sure that account can run it on a remote system.

    This is why you are getting the "CannotAuthenticate" as the output. The Get-WmiObject is failing.

    Hope this makes sense.

    If this solves your questions please mark it as solved.

    Ronak



  • 11.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 14, 2013 08:53 AM

    Hello Ronak,

     

    Thank you for the thorough replies.

     

    I will make the updates to the script and let you know soon.



  • 12.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Trusted Advisor
    Posted Nov 19, 2013 12:32 PM

    RSASKA,

    Were you able to figure it out?

     

    Hope this makes sense.

    If this solves your questions please mark it as solved.

    Ronak



  • 13.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 19, 2013 03:43 PM

    I will try this out later this week or early next week ...



  • 14.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Nov 20, 2013 01:39 PM

    I'm trying it out, and am researching why PowerShell strips out the commas when it receives input such as

     

    Manager Last Name=Doe, discover-location=null, protocol=Clipboard, Resolution=null, file-owner=rpatel, Employee Type=External Employee, endpoint-file-path=null, Title=null, discover-extraction-date=null, Manager Business Unit=IT Services, Manager Phone=414-555-5555, Username=rpatel, Division=Contractor, file-created-by=DOMAIN\rpatel, file-owner-domain=DOMAIN



  • 15.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Dec 30, 2013 12:40 PM

    So far, I have been able to adjust the script so that it can read input such as

     

    .\script.ps1 Manager Last Name=Doe, discover-location=null, protocol=Clipboard, Resolution=null, file-owner=user, Employee Type=External Employee, endpoint-file-path=null, Title=null, discover-extraction-date=null, Sender-IP=10.10.10.10, Manager Business Unit=IT Services, Manager Phone=414-555-5555, Username=user, Division=Contractor, file-created-by=DOMAIN\user, file-owner-domain=DOMAIN

     

    And it is able to detect Sender-IP.

     

    Here is a code snippet in PowerShell ....

     

    # Collect the key=value pairs DLP passes and load them into a hashtable
    $line_array = @()
    $multi_array = @()
    [hashtable]$my_hash = @{}
    $Sender_IP = $NULL
    $Win32OS = $NULL
    $Build = $NULL
    $folder = $NULL
    $SysDrv = $NULL
    $key = $NULL
    $value = $NULL

    # PowerShell turns the comma-separated argument into an array, so rebuild one line
    $args = (($args | % { $_ -join ", " }) -join " ")

    # one entry per comma-delimited field
    foreach ($i in $args){
       $line_array+= $i.split(",")
    }

    # split each entry into key and value at the first "=" only (values may contain "=")
    foreach ($j in $line_array){
        $multi_array += ,@($j -split "=", 2)
    }

    # skip fields without "="; the indexer, unlike .add(), does not throw on a duplicate key
    foreach ($k in $multi_array){
        if ($k.Count -lt 2) { continue }
        $key = $k[0].Trim()
        $value = $k[1].Trim()
        $my_hash[$key] = $value
    }

     

     

    Will keep you guys posted ....
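A hardened version of the parsing in the snippet above, combined with the Get-WmiObject check from the accepted answer, written here as an added example (it is not the attached current_or_last_user.ps1): each pair is split at the first "=" only, keys match case-insensitively, the line is rebuilt from the arguments the way the snippet does, and stdin is used as a fallback so the same file can be driven from a command prompt the way Enforce invokes it. Assumed: the Win32_ComputerSystem UserName property is an acceptable source for the logged-on user, and the plug-in expects exactly one userId= line back.

```powershell
# Added example, not the attached current_or_last_user.ps1. Assumed: Enforce passes one line of
# comma-separated key=value pairs (as in the accepted answer) via args or stdin; reply is one userId= line.

function ConvertFrom-LookupInput {
    param([string]$Line)
    $fields = @{}
    foreach ($pair in ($Line -split ',')) {
        $pair = $pair.Trim()
        if ($pair -eq '') { continue }
        # Split at the first '=' only, so a value containing '=' is kept whole.
        $parts = $pair -split '=', 2
        if ($parts.Count -lt 2) { continue }
        $key = $parts[0].Trim().ToLowerInvariant()   # 'Sender-IP' and 'sender-ip' match
        $val = $parts[1].Trim()
        if ($val -eq 'null') { $val = $null }         # Enforce sends the literal string 'null'
        $fields[$key] = $val                          # indexer: no error on a duplicate key
    }
    return $fields
}

function Get-LoggedOnUser {
    param([string]$ComputerName)
    try {
        # UserName of Win32_ComputerSystem is the interactive user as DOMAIN\user. The query runs as
        # the account Enforce starts the plug-in with (Protect), which needs admin rights on the host.
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
        if ($cs.UserName) { return $cs.UserName }
        return 'CannotAuthenticate'                   # reachable, but no interactive session
    } catch {
        # Access denied, RPC server unavailable (WMI off/firewalled) etc.; reason goes to the Tomcat log.
        Write-Warning ("WMI query to {0} failed: {1}" -f $ComputerName, $_.Exception.Message)
        return 'CannotAuthenticate'
    }
}

# Rebuild the line the way the snippet above does: PowerShell may have turned the
# comma-separated argument into an array, so re-join with ", " before splitting.
$line = (($args | ForEach-Object { $_ -join ', ' }) -join ' ')
if ($line.Trim() -eq '' -and [Console]::IsInputRedirected) {
    $line = [Console]::In.ReadToEnd()                 # stdin mode (plug-in option "Enabled stdin")
}

$fields = ConvertFrom-LookupInput $line
if ($fields['sender-ip']) {
    Write-Output ('userId=' + (Get-LoggedOnUser $fields['sender-ip']))
} else {
    Write-Output 'userId=CannotAuthenticate'          # no sender-ip in this incident
}
```

To reproduce what Enforce sees, invoke it with the same powershell.exe arguments as the plugin configuration in the first post, from a prompt opened with runas as the Protect user.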



  • 16.  RE: HOW-TO Simulate the way DLP Enforce calls DLP look-up script

    Posted Jan 02, 2014 02:27 PM

    Since DLP Solutions helped me proceed with the troubleshooting, I marked his post as the solution.

     

    I posted part II of this issue here: https://www-secure.symantec.com/connect/forums/part-ii-how-does-dlp-enforce-server-invoke-powershell-lookup-script