Data Loss Prevention

  • 1.  DLP Skype support

    Posted Nov 14, 2012 01:55 PM

    Hi Fellas,

    We are working on a DLP POC but are unable to detect and block a keyword being sent through Skype. We opened a support ticket with Symantec for that and were informed that Skype uses encryption and is not supported by DLP.

    But I believe that the DLP Endpoint agent should detect the keyword being written in the Skype message window before it is sent. Encryption kicks in once we press the Enter key, but before pressing Enter, the DLP endpoint agent should detect it. Please correct me if I am wrong and also suggest a way out.

    Regards,

    Atif



  • 2.  RE: DLP Skype support

    Posted Nov 15, 2012 08:48 AM

    You might be able to add the program to the list of watched applications. However, just typing in a program won't cause DLP to catch/create an incident. Something has to happen with that data; whether copy/paste, printed, saved, etc.

    Skype is encrypted communication. You may have better luck trying to proxy it and use SSL MITM but I'm not sure even that would work.

    Aaron



  • 3.  RE: DLP Skype support

    Broadcom Employee
    Posted Nov 15, 2012 09:27 AM

    Thumbs up to the above suggestion.

    Skype is not covered under DLP for IM monitoring. However, you need to set the Application Monitoring.

    See Article ID: 54937 for more details.



  • 4.  RE: DLP Skype support

    Posted Nov 15, 2012 12:45 PM

    Thanks guys for your feedback. Is it possible to intercept Skype traffic through Network Prevent for Web integrated with Symantec Web Gateway, provided all HTTP/HTTPS traffic is going through SWG?

    I could not find the mentioned article. Can you please provide the full URL to that?

     



  • 5.  RE: DLP Skype support
    Best Answer

    Posted Dec 06, 2012 01:29 AM

    Hi Atif,

    Application monitoring lets you monitor third-party applications for IM, email, or HTTP/S clients. By default, Symantec Data Loss Prevention only monitors first-party applications such as AIM, Microsoft Outlook, or Mozilla Firefox. Examples of third-party applications include Skype, Mozilla Thunderbird, or Google Chrome. Any application that is not specifically monitored by Symantec Data Loss Prevention must be added to the Application Monitoring page before Symantec Data Loss Prevention can begin monitoring.

     

    Steps to add an application for monitoring:

    1. From the Application Monitoring page, click Add Application.

    2. For name, enter a name for the fingerprint.

    3. Enter the name of the binary file, "firefox.exe", for example. Note that for the fingerprint to work correctly, you must include an escape character ("\") between the application name and the file extension, due to the way the regex is used to read the filename, e.g., firefox\.exe

    4. Enter an internal name, "Firefox", for example.

    5. Enter the original filename of the application itself, "firefox\.exe", for example. See note in step 3.

    6. Leave the Publisher Name blank, unless absolutely necessary, as it increases resources used by the Agent.

    7. Choose the elements to be monitored (print, network, etc).

    8. Save the fingerprint and allow the changes to propagate to the Agents.

    NOTE: You may also use the utility included with the Endpoint Agent tools, GetAppInfo.exe, to help determine the *Binary Name, *Internal Name, *Original Filename, or Publisher Name.

    Running GetAppInfo in windows mode will open a UI which allows you to browse to the executable intended for monitoring.

    Note that you must provide at least one of these names correctly for monitoring to work.
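    The escaping note in steps 3 and 5, shown as an added example that is not part of the original post and is not Symantec code: it compares what an unescaped and an escaped file-name pattern match. It assumes Python's `re` dialect with case-insensitive, whole-name matching, which the thread does not specify for the agent; the helper names and process names are constructed.

```python
import re

# Constructed process names as they might appear on an endpoint.
SAMPLE_PROCESSES = ["Skype.exe", "skype_exe", "skypexexe", "skypehelper.exe"]


def fingerprint_pattern(filename: str) -> str:
    """Escape a literal file name so regex metacharacters such as '.'
    are matched literally (hypothetical helper, not a DLP API)."""
    return re.escape(filename)


def unintended_matches(pattern: str, intended: str, candidates: list) -> list:
    """Return the candidates, other than the intended binary, that the
    pattern also matches. Matching semantics here are an assumption:
    case-insensitive and anchored to the whole name."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [
        name for name in candidates
        if name.lower() != intended.lower() and rx.fullmatch(name)
    ]


if __name__ == "__main__":
    raw = "skype.exe"                   # entered without the escape character
    escaped = fingerprint_pattern(raw)  # skype\.exe, as step 3 asks for

    for label, pattern in (("unescaped", raw), ("escaped", escaped)):
        extra = unintended_matches(pattern, raw, SAMPLE_PROCESSES)
        print(f"{label:9} {pattern!r:14} also matches: {extra}")
```

    With the unescaped entry the dot acts as a wildcard, so the fingerprint also covers names that are not the intended binary; the escaped entry matches only the intended file name.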



  • 6.  RE: DLP Skype support

    Posted Dec 08, 2012 02:27 AM

    Thanks Kishorilal for the excellent explanation.