Data Loss Prevention

  • 1.  DLP Agent Configuration

    Posted Apr 20, 2012 09:04 AM

    Hi,

    I use DLP Endpoint Prevent ver 11.1.1

    I have around 24 file servers in different network segments and I don't want to capture incidents when people transfer data to the file servers, so I went to agent configuration -> IP Filters and wrote this (-,172.21.37.113/32,*;+,*,* ). Actually the list is big, I just took an example of a single server.

    But the problem is when I apply configuration, I still get incidents when some data is transferred to this file server.

    Can you help?

    Let me know if you need further information.

    Thanks,

    Vinodh Stanley

     



  • 2.  RE: DLP Agent Configuration

    Broadcom Employee
    Posted Apr 25, 2012 09:13 AM

    So, you mean 'some data'? Does that mean that not all the data that violates your policy can be detected?



  • 3.  RE: DLP Agent Configuration

    Posted Apr 26, 2012 06:30 AM

    Hi,

    Can you please analyze the incidents and let me know if you see the data has been transferred via HTTPS or HTTP?

    If you see the data has been transferred via HTTPS then there is no problem; all you have to do is have the filter applied to the HTTPS box as well.

    Refer to this Example:

    -,10.6.232.115/32,*;-,10.0.0.0/8,*;-,132.180.8.41/32,*;-,172.16.4.30/32,*;+,*,*

    It works perfectly in my environment :)



  • 4.  RE: DLP Agent Configuration

    Posted Apr 26, 2012 07:44 AM

    Hi Syed,

    Let me check and get back to you.

    Thanks,

    Vinodh Stanley



  • 5.  RE: DLP Agent Configuration

    Posted Apr 26, 2012 08:03 AM

    Hi Syed,

    I just checked, it's neither HTTP nor HTTPS. :-(

    Regards,

    Vinodh Stanley



  • 6.  RE: DLP Agent Configuration

    Posted Apr 27, 2012 07:14 AM

    Hi Vinodh,

    Could you please give me more details on this:

    1) Let me know whether the policy applied to detect data transfer to the file servers is on endpoint or network.

    2) When you see the incidents, could you please look at Type and identify whether it is shown as a mail/globe icon/USB/CD-ROM.

    The above things will give me a clear picture of where it is going on and help conclude the root cause of the issue.



  • 7.  RE: DLP Agent Configuration

    Posted Apr 27, 2012 02:29 PM

    Hi Syed,

    Answers

    1. The policy is to track any transfer of data via all possible modes available in DLP.

    2. The icon against the incidents looks like three small monitors, with the middle monitor on top. It is not an HTTPS/HTTP/FTP or email icon.

    Regards,

    Vinodh Stanley



  • 8.  RE: DLP Agent Configuration

    Posted Apr 28, 2012 06:28 AM

    Hi Vinodh,

    The icon which you are referring to as three monitors with one on the top is "Network share".

    Currently, DLP does not support IP filters for Network shares. A Network share uses UNC, and for DLP it is not considered a network event. You can use IP filters for protocols such as HTTP/FTP traffic.

    Endpoint File Copies to and from Network Shares do not currently have the ability to use filters to exclude specific destinations or sources. Advise the user to put an exception for copy to network share in the policy in order to ignore monitoring of Endpoint File Copies to and from Network Share.

    An enhancement request has been created to address this issue. Hopefully this will be addressed in a future release or in future updates.



  • 9.  RE: DLP Agent Configuration
    Best Answer

    Posted May 03, 2012 07:36 AM

    Hi Vinodh,

    Let me know if your query has been addressed or if you still have any questions in the context of this issue.
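
The filter strings quoted in this thread can be checked offline before they are pushed to agents. The following is an added example, not part of the original posts and not Symantec/Broadcom code: it parses the `sign,subnet,*;...` format shown above and models the behaviour described in post 8, where network share copies never consult the IP filter. Left-to-right first-match evaluation, the default when nothing matches, and the channel labels (`"ftp"`, `"network_share"`, etc.) are assumptions made for illustration.

```python
import ipaddress

# Per the thread: IP filters apply to protocols such as HTTP/FTP, not network shares.
FILTERED_CHANNELS = {"http", "https", "ftp"}

def parse_filter(text):
    """Parse 'sign,subnet,*;...' into a list of (include, network_or_None) rules."""
    rules = []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) != 3:
            raise ValueError(f"expected 3 comma-separated fields: {entry!r}")
        sign, subnet, third = fields
        if sign not in ("+", "-"):
            raise ValueError(f"sign must be + or -: {entry!r}")
        if third != "*":
            # The page only ever shows '*' here and does not say what it means.
            raise ValueError(f"third field other than * not modelled: {entry!r}")
        # strict=True rejects typos such as 172.21.37.113/24 (host bits set).
        net = None if subnet == "*" else ipaddress.ip_network(subnet, strict=True)
        rules.append((sign == "+", net))
    return rules

def is_monitored(rules, dest_ip, channel):
    """Return True if a transfer to dest_ip over channel would still be inspected."""
    if channel not in FILTERED_CHANNELS:
        return True  # e.g. "network_share": the filter is never consulted
    addr = ipaddress.ip_address(dest_ip)
    for include, net in rules:  # assumption: left to right, first match wins
        if net is None or addr in net:
            return include
    return True  # assumption: no matching entry means the traffic is inspected

if __name__ == "__main__":
    rules = parse_filter("-,172.21.37.113/32,*;+,*,*")  # filter from the first post
    for channel in ("ftp", "network_share"):
        print(channel, is_monitored(rules, "172.21.37.113", channel))
```

Under these assumptions the exclusion takes effect for FTP but not for a copy to a share on the same server, which matches the incidents reported in the first post.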