Data Loss Prevention

 View Only

  • 1.  DLP Print Monitor - How it works

    Posted Dec 26, 2012 12:45 AM

    Hi Everyone,

    Just wonder does anyone know in details how DLP Print monitor works in Symantec DLP

    I am actually trying to understand how print monitor works. Does it just monitor print jobs sent to windows print spooler service (spoolsv.exe) or  it actually uses some other techniques. one of the info i got from forum is DLP endpoint agent monitors windows GDI calls as shown by below post. other writeup i read suggest that DLP endpoint also monitor print drivers. anyone know that is done?

    http://www.symantec.com/connect/forums/print-data-application-we-can-not-get-incident

    I have a customer who  implemented a network printing for their mainframe. Mainframe sends print jobs to a windows server (BAR server) via IBM RJE/SNA emulation, the windows server will then in turn send the print jobs to another print server (solaris) via LPD/LPR. The printer is actually connected to the solaris print server. According to customer, the BAR server is not using the windows spooler service to send the job to the solaris print server. if this is the case, can our DLP endpoint still monitor the print jobs? Or under what conditions can only DLP endpoint inspect the print jobs for DLP?

    how about setting up application monitoring to monitor the application for any print/fax requests, will that solve the requirement.

    Thanks in advance for looking at my post



  • 2.  RE: DLP Print Monitor - How it works

    Posted Dec 26, 2012 01:46 PM

    The Print Monitoring doesnot depend on the server where you have connected the printer but the agent system. It should work if the  Printer/Fax channel is selected under agent configuration.



  • 3.  RE: DLP Print Monitor - How it works

    Trusted Advisor
    Posted Mar 13, 2013 11:52 PM

    The way the Endpoint agent works, is when a File or document is sent to the OS print spooler, the DLP agent intercepts that transmission and will then inspect the contents and compare that to the policy. So it will then trigger an incident on the match of the policy.

    If they are printing through a Main Frame.. how is the Endpoint connected to the MainFrame? It sounds like they are connecting to the MainFrame using a 3rd party app. (Citrix or an Emulator) so in reality they are NOT printing from the OS, but on the MainFrame itself. If this is the case then the agent is not going to see anything. If they are using Citirx, then they should install an agent on the Citrix server, this is outlined in the installation guide.

    Is there more information you need?

    Please call it solved if possible!!

    Ronak