Data Loss Prevention

  • 1.  view leaked file through endpoint printer

    Posted Sep 17, 2017 01:22 AM

    Hi,

    I would like to know if anyone has a workaround to viewing files leaked through a printer on an endpoint.


    The GUI shows the file name that was printed but we cannot view the content.

    Thanks,

    Jerry Savio



  • 2.  RE: view leaked file through endpoint printer

    Broadcom Employee
    Posted Sep 17, 2017 02:54 AM

    The content should be highlighted when the print task is executed. Regarding the retaining of the files, can you try the below KB article:

    How to configure Symantec DLP to retain the Endpoint incident file



  • 3.  RE: view leaked file through endpoint printer

    Trusted Advisor
    Posted Sep 18, 2017 05:24 PM

    Jerry,

    When it comes to printing of the file, there is NO way to retain the actual file, even if you do the Data Retention Response rule.

    There has been a feature request on this for a long time.. not sure if it will happen.

    The best way to get more info is to change the amount of data the console will show you around the matched data. This is a setting on the Enforce server, where you can change how much data around the highlighted info will be displayed in the console.

    You will need to recycle the Manager Service.

    So far this is the only way to help get a better understanding of the file.

    Increase Highlight Match Counting

    Edit the Manager.properties file in the config directory on the Enforce Server.

     

    ### Configuration for highlighting of violations on incident snapshots
    # The maximum number of highlights that are shown in a chunk.
    # If there are more than this number of highlights, then they are broken into separate chunks.
    com.vontu.manager.incidents.matches.maxHighlightsPerViolation=50
    # The maximum number of non-violating characters to show between highlighted violations in a chunk.
    com.vontu.manager.incidents.matches.maxCharactersBetweenHighlights=1000
    # The maximum number of non-violating characters to show before the first highlight in a chunk
    # or after the last highlight in a chunk.
    com.vontu.manager.incidents.matches.maxCharactersSurroundingHighlights=100

    Good Luck

    Ronak

     

    PLEASE MARK SOLVED WHEN POSSIBLE.
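
    One way to apply the Manager.properties edit described in post 3 while leaving every other line and comment in the file untouched, as an added example that is not part of the thread or of Symantec's tooling. The function names and the new values (100, 2000, 500) are assumptions chosen for illustration; the three keys and their defaults are the ones quoted in the post.

```python
import re
import shutil
from pathlib import Path

PREFIX = "com.vontu.manager.incidents.matches."
# Keys are the three quoted in the post; the new values are illustrative assumptions.
WANTED = {
    PREFIX + "maxHighlightsPerViolation": "100",
    PREFIX + "maxCharactersBetweenHighlights": "2000",
    PREFIX + "maxCharactersSurroundingHighlights": "500",
}
# Constructed sample holding the defaults shown in the post.
SAMPLE = (
    "### Configuration for highlighting of violations on incident snapshots\n"
    f"{PREFIX}maxHighlightsPerViolation=50\n"
    f"{PREFIX}maxCharactersBetweenHighlights=1000\n"
    f"{PREFIX}maxCharactersSurroundingHighlights=100\n"
)
# key = value or key : value; lines starting with # or ! are comments.
KEY_LINE = re.compile(r"^(\s*)([^#!\s=:][^\s=:]*)\s*[=:]\s*(.*)$")


def update_properties(text, wanted):
    """Return (new_text, changes) where changes maps key -> (old, new)."""
    seen, changes, out = set(), {}, []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m and m.group(2) in wanted:
            key, old = m.group(2), m.group(3).strip()
            seen.add(key)  # every occurrence is rewritten: Java keeps the last one
            if old != wanted[key]:
                changes[key] = (old, wanted[key])
            line = f"{m.group(1)}{key}={wanted[key]}"
        out.append(line)
    for key in wanted:
        if key not in seen:  # key absent from the file: append it
            changes[key] = (None, wanted[key])
            out.append(f"{key}={wanted[key]}")
    return "\n".join(out) + "\n", changes


def apply_to_file(path, wanted=WANTED):
    """Back up Manager.properties, then rewrite it only if a value changes."""
    path = Path(path)
    text = path.read_text(encoding="latin-1")  # .properties files are ISO-8859-1
    new_text, changes = update_properties(text, wanted)
    if changes:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="latin-1")
    return changes
```

    The returned mapping gives the old and new value of each key for a change record; the Manager service still has to be recycled afterwards, as the post says.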

     



  • 4.  RE: view leaked file through endpoint printer

    Posted Sep 19, 2017 04:03 AM

    It is quite strange that such a use case has not been taken care of. It is a genuine use case and does cause issues if data is indeed leaked through printers.


    Thanks for the workaround Ronak!



  • 5.  RE: view leaked file through endpoint printer

    Broadcom Employee
    Posted Sep 20, 2017 08:29 AM

    I would like to inform you that DLP 15 has the provision for this kind of request. If you are on a version previous to 15, then the above thread suggestion should help.

     

    Enhanced support for print channel monitoring and incident data collection


    You can set agents to monitor Microsoft Office applications (PowerPoint, Word, and Excel) when they send files to a printer and prevent entire documents from printing. For example, if an endpoint user prints a 10-page document and sensitive data resides on page 10, then Symantec Data Loss Prevention prevents the entire document from printing and logs an incident.

     

    If an incident is logged when this feature is enabled, additional information is collected in the incident. The incident collects the following information:
    ■ The print file location
    ■ The entire print file saved in the native file format



  • 6.  RE: view leaked file through endpoint printer

    Posted Sep 23, 2017 03:26 AM

    Hi pete_4u2002,

     

    Thanks for the update; however, the above point mentions only Office applications, which is quite limited. We had a use case for PDF files being printed from IE or Adobe.



  • 7.  RE: view leaked file through endpoint printer

    Broadcom Employee
    Posted Sep 23, 2017 09:45 AM

    It works for pdf as well.

    Regarding the PDF files being printed from IE, is it a process gap when the confidential data is uploaded on a portal (intranet/internet)?