Data Loss Prevention

  • 1.  How to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1

    Posted Oct 19, 2011 07:26 AM

    Hi all,

    Please tell me the way to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1.

    "Symantec Data Loss Prevention Endpoint Performance Guide Version 11.1" says "You can specify either File Open or File Read actions" on p.38.

    So I want to know the way.

     

    Which way is the best practice?

     

    Sincerely,



  • 2.  RE: How to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1

    Broadcom Employee
    Posted Oct 19, 2011 09:24 AM

    In the case of FILE READ, we don’t do detection if the file reads match any of the following conditions:

        less than 64 bytes.
        256 bytes but total length of file is _not_ 256 bytes.
        512 bytes but total length of file is _not_ 512.
        131072 bytes but total length of file is _not_ 131072 bytes.

    If the FILE OPEN option is chosen, we don’t have these restrictions.



  • 3.  RE: How to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1

    Posted Oct 20, 2011 06:19 AM

    Hi yang_zhang,

    Thank you for your comments.

     

    I understood there are restrictions under detecting FILE READ.

    But I don't know the way to configure the settings.

    Where can I choose the FILE READ and FILE OPEN options?

    I can't find them on the administration screen.

     

    Sincerely



  • 4.  RE: How to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1

    Posted Oct 22, 2011 07:06 AM

    Hello, Kengo.

    You can choose FILE READER or FILE OPEN on the application monitoring page:

    1. Go to the page System > Application Monitoring
    2. Click Add or Edit application
    3. Activate Monitor Application File Access
    4. Choose File Open or File Read (screen001)

     

    You also need to activate Application File Access in the Agent configuration:

    1. Go to the page System > Agent Configuration
    2. Click Edit configuration
    3. Activate Application File Access (screen002)
    4. Click Save and Apply

     

    And if you use a Protocol rule in policies, you need to activate Application File Access in the policies:

    1. Go to the page Manage > Policy List
    2. Click on the Rule
    3. Open Endpoint monitoring condition
    4. Activate Application File Access (screen003)
    5. Click OK
    6. Click Save


  • 5.  RE: How to detect the activities "open a file" and "read a file" on Endpoint Prevent DLP11.1.1

    Posted Oct 24, 2011 08:09 AM

    Hello Artem,

    Thank you very much.
    I almost understood it.

    FILE READER or FILE OPEN detection is configured in application-based settings.
    So I can't easily configure it to detect every FILE READER or FILE OPEN activity, unlike printer/fax, ftp and so on. If I want to detect every FILE READER or FILE OPEN activity, I need to configure every application's settings on (screen001), right?

    Sincerely,