Data Loss Prevention

Hello,

We're planning to use symantec dlp to monitor print jobs, no blocking is required.

In our test environment everything works fine, except printing images (jpeg, bmp, etc).

The IDM profile is ok - word, excel and other documents are detected correctly, but not images. What can be wrong? Can't find any limitations in product's manual.

Hi Polunin,

How are you trying to identify the picture? What is your detection rule like?

~Xavier

Well, I've tried many ways:

- by IDM. I've created Profile with many files including my pictures.

- by Attachment/File Type. I've selected Bitmap, JPEG, Portable Network Graphics etc.

- by Attachment/File Name. Match *.bmp, *.jpg, *.jpeg.

Tried to combine them and seperate - nothing works.

It's strange because incidents with copying them to usb flash drives work perfectly, it's just print jobs that are not detected.

Hmm, that really is strange. I'm going to set it up myself and try it out.

The agent catches the incident if I select Printer/Fax for protocol...but once I select Filetype picture.

I think I figured out the issue. I think that detecting on print jobs only does so based on content being printed, not the name of the file being printed. So it'd work if you do Excel, Word, PDF, etc because those all contain text that you're matching against your IDM database...not file names.

I'm sure that if you were to try to attach a picture to an email, then it'd catch it because attachement is being done on either the file itself, or its contents. Print only matches against what exactly is being printed. All this is just supposition, mind you, but I can't think of anything else 'cause I set it up and the same thing happens with me. I'll test again if I come up with any ideas.

This looks like a breach - i can get a confidential document, copy/paste it to mspaint and then safely print without being detected.

That's why you'd monitor the clipboard to prevent copy/paste of text and disable print screen to prevent taking a screen shot

Hmm strange...I'm almost sure there was a way to disable print screen. I'm looking for it now but I can't find it =/

I don't think DLP has capabilites to monitor images- not there yet- :)

True, but if they can protect the data from even becoming an image then it'd be a good start. That's where controlling the print screen feature comes in =] (...or at least should come in if I could find it)

I guess the sys admin would have to get a bit extreme and disable print screen on all devices.

I actually dug up an idea I posted last year about this exact same thing:
https://www-secure.symantec.com/connect/idea/dlp-and-print-screen

And here's a post about preventing print screen (it's long but read to the end)
https://www-secure.symantec.com/connect/forums/how-block-print-screen-application-device-contrl

Making up the testing environment for this case. It seems an interesting one.
Guys, when saying that DLP does not block images printing do you base this statement on some document by Symantec? Or was it only your personal experience. If there's a problem - we should test it all over, report to Symantec (like xllod's ideas for example), and find some workarounds for that until it gets fixed by Symantec. Agree?

I'm in a conversation with techsupport right now, so i guess i'll get an official statment for this case soon.

Finally, https://kb1-vontu.altiris.com/article.asp?article=54665&p=5

Article ID: 54665

Detecting images with print/fax on Endpoint

Applies To

 • Endpoint Prevent 11.0
• Vontu Endpoint Prevent Endpoint Prevent

Problem Summary

 Why am I not able to detect images while printing?

Solution

 The print fax prevention feature can only intercepts text data. It intercepts text data at application level itself before it is rasterized and sent for printing.