Data Loss Prevention


Query the network for workstation without endpoint agents

  • 1.  Query the network for workstation without endpoint agents

    Posted Jan 15, 2014 04:41 PM

    Is there any Symantec recommendation or tool that can be used to probe/query the network for workstations without the DLP endpoint agent?



  • 2.  RE: Query the network for workstation without endpoint agents

    Broadcom Employee
    Posted Jan 15, 2014 11:03 PM

    You can use the Network Monitor to query the network traffic of the workstations.



  • 3.  RE: Query the network for workstation without endpoint agents

    Posted Jan 15, 2014 11:33 PM
    What tool do you recommend?


  • 4.  RE: Query the network for workstation without endpoint agents

    Posted Jan 16, 2014 05:31 AM

    Use Symantec Messaging Gateway for email DLP, or the DLP solution suite for network monitoring.



  • 5.  RE: Query the network for workstation without endpoint agents

    Posted Jan 16, 2014 10:18 AM

    You can use sc.exe to query the remote workstation to verify if the agent process is running. If it is not running, you can assume the agent is not installed.

    sc \\workstation query type= service | find "edpa"


  • 6.  RE: Query the network for workstation without endpoint agents

    Posted Jan 17, 2014 12:41 PM

    I need a solution or tools to track devices on the network that are not running the endpoint agent.



  • 7.  RE: Query the network for workstation without endpoint agents

    Broadcom Employee
    Posted Jan 17, 2014 01:40 PM

    Do you use Altiris or any third-party software?



  • 8.  RE: Query the network for workstation without endpoint agents

    Trusted Advisor
    Posted Jan 17, 2014 03:37 PM

    Yemmy,

    NetFlow is a network traffic tool; this will not help you when it comes to DLP agents. The only way that it can work is if NetFlow controls what laptops can connect to the DHCP servers and sees if they have a specific application or service running. If you can do this, then look to make sure that it sees an agent running on port 8000 (this is customizable, but 8000 is the default port). This would be a similar approach to seeing if a laptop has specific anti-virus software running.

    The best way to see if something is or is not running is by using a desktop tool or logon script that will check and make sure that specific applications or services are running on a device.

    The other option is to run a netstat tool that probes EVERY IP address and sees if port 8000 is accepting connections; if not, then they might not have the DLP agent installed. Though this seems like overkill and would set off a ton of IDS alarms if you have them on your network.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak



  • 9.  RE: Query the network for workstation without endpoint agents

    Posted Jan 17, 2014 03:46 PM

    We use SCCM for desktop.



  • 10.  RE: Query the network for workstation without endpoint agents

    Posted Jan 20, 2014 12:30 PM

    @Madstan, thanks for your contribution. The Service Control (SC) query can only probe a specific workstation on the network. In this case, I want to probe the entire network for workstations without the EDPA service.



  • 11.  RE: Query the network for workstation without endpoint agents

    Posted Jan 20, 2014 01:38 PM

    It could easily be scripted. In fact, Perl has a function that will query services on remote workstations.

    Something like this:

    use strict;
    use warnings;
    use Win32::Service;
    use Net::IP;

    # define service (short name of the DLP endpoint agent service)

    my $myedpa = "EDPA";

    # human-readable names for the SERVICE_STATUS CurrentState codes
    my %statcodeHash = (
        1 => 'stopped',
        2 => 'start pending',
        3 => 'stop pending',
        4 => 'running',
        5 => 'continue pending',
        6 => 'pause pending',
        7 => 'paused',
    );

    # define subnet (inclusive address range)

    my $subnet = Net::IP->new('10.0.0.1 - 10.0.0.254') or die Net::IP::Error();

    # loop through subnet (Net::IP overloads ++ to step to the next address)

    do {
        my $myip = $subnet->ip();
        my %statusHash;

        # GetStatus returns false when the host is unreachable, access is
        # denied, or the service does not exist (agent most likely not installed)
        if (Win32::Service::GetStatus($myip, $myedpa, \%statusHash)) {
            my $state = $statusHash{"CurrentState"};
            print "$myedpa service for $myip is currently "
                . ($statcodeHash{$state} // $state) . "\n";
        } else {
            print "$myedpa service for $myip is not installed or the host is unreachable.\n";
        }
    } while (++$subnet);

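The same sweep as the Perl script above, written in PowerShell as an added example (this is not code from the thread or from Symantec). It pulls the host list from Active Directory instead of iterating an IP range, reuses the thread's sc.exe query, and uses the sc.exe exit code to tell "agent not installed" (1060) apart from "host unreachable" (1722) and "access denied" (5), which the Perl version lumps together. Assumptions: the RSAT ActiveDirectory module is available, the running account has remote Service Control Manager query rights, the service short name is EDPA as stated in the thread, and the OU path and output file name are placeholders.

```powershell
# Added example: report workstations that do not have the DLP endpoint agent service.
# Assumes RSAT ActiveDirectory module, remote SCM query rights, and sc.exe on PATH.
param(
    [string]$ServiceName = 'EDPA',   # DLP agent service short name (from the thread)
    [string]$SearchBase  = $null     # optional OU, e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder)
)

# Enumerate enabled Windows computer accounts; swap in Get-Content .\hosts.txt if you have no AD.
$adArgs = @{ Filter = 'OperatingSystem -like "*Windows*" -and Enabled -eq $true'; Properties = 'OperatingSystem' }
if ($SearchBase) { $adArgs.SearchBase = $SearchBase }
$hosts = Get-ADComputer @adArgs | Select-Object -ExpandProperty DNSHostName

$results = foreach ($h in $hosts) {
    # Powered-off hosts would otherwise all show up as "unreachable".
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        [pscustomobject]@{ Host = $h; Status = 'Offline'; Detail = 'no ICMP reply' }
        continue
    }

    # Same remote query as the thread's one-liner, but keyed on the exit code instead of
    # grepping output. sc.exe exits with the Win32 error code:
    #   0 = service found, 1060 = no such service, 1722 = RPC server unavailable, 5 = access denied.
    $out  = & sc.exe "\\$h" query $ServiceName 2>&1
    $code = $LASTEXITCODE
    switch ($code) {
        0 {
            # e.g. "        STATE              : 4  RUNNING"
            $m = $out | Select-String 'STATE\s*:\s*\d+\s+(\w+)' | Select-Object -First 1
            $state = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
            [pscustomobject]@{ Host = $h; Status = 'AgentPresent'; Detail = $state }
        }
        1060    { [pscustomobject]@{ Host = $h; Status = 'AgentMissing'; Detail = 'service not installed' } }
        1722    { [pscustomobject]@{ Host = $h; Status = 'Unreachable';  Detail = 'RPC unavailable (firewall or not Windows)' } }
        5       { [pscustomobject]@{ Host = $h; Status = 'AccessDenied'; Detail = 'need SCM query rights on target' } }
        default { [pscustomobject]@{ Host = $h; Status = 'Error';        Detail = "sc.exe exit code $code" } }
    }
}

$results | Sort-Object Status, Host | Format-Table -AutoSize
# Only the hosts that are reachable and definitely lack the service go into the report (placeholder path).
$results | Where-Object Status -eq 'AgentMissing' |
    Export-Csv -NoTypeInformation -Path .\dlp-agent-missing.csv
```

Querying the service by name avoids one pitfall of piping `sc query` into `find`: `find` is case-sensitive unless you pass `/I`, and the SERVICE_NAME line is printed in the case the service was registered with. Treat AgentPresent with a state other than RUNNING (stopped, paused) as its own finding: the agent is installed but not protecting the host. Hosts that come back Unreachable or AccessDenied are not cleared; they need a second look through your desktop management tool (the thread mentions SCCM and Altiris) rather than being counted as covered.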


  • 12.  RE: Query the network for workstation without endpoint agents

    Posted Jan 24, 2014 01:04 PM

    Symantec Network Access Control should be able to do this.