Office documents such as Excel, Word or PPT are triggering incidents although no data is visible

Article ID: 159514

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Protect, Data Loss Prevention Endpoint Discover

Issue/Introduction

An SSN policy is triggered, but the displayed Excel spreadsheet does not show the data that triggered the incident.

Resolution

One of the features of Office is Track Changes. When it is turned on, deleted data is effectively kept within the file. Check whether Track Changes is turned on.

Alternatively, Microsoft has a tool, 'Document Inspector', that removes the hidden data and can be downloaded from https://support.microsoft.com/en-us/office/remove-hidden-data-and-personal-information-by-inspecting-documents-presentations-or-workbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f

From Microsoft's KB notes:

Overview

When you distribute an Office document electronically, the document might contain information that you do not want to share publicly, such as information that allows you to collaborate on writing and editing the document, or hidden information that can be used to track who worked on the document.

The Remove Hidden Data add-in is a tool that you can use to remove personal or hidden information that might not be immediately apparent when you view the document in the Microsoft Office application.

You can run the Remove Hidden Data add-in on individual files from within the Office XP or Office System 2003 application. Or, you can run Remove Hidden Data on multiple files from the command line. In either case, the application that created the document must be installed in order for you to run the tool.

If the above scenario applies, you can verify it by running the filter test, similar to the one described in "Determining file type using filter.exe in DLP".

Type: filter <name of input file> <name of output file>.
The output file should display the cracked data and should reflect the data that triggered the incident.

NOTE: Text in Microsoft documents can also be hidden in the following ways:

Microsoft Word:  Select the text to be hidden, then click Format -> Font, and check the "hidden" checkbox. This will effectively hide the selected text from view.

Microsoft Excel:  Select the cell or cells containing the data to be hidden, then click Format -> Cells -> Number tab. Select Custom, highlight any entry in the Type box, and then replace the value listed with three semicolons (";;;").  Click OK.  This will hide the text in the cell or cells, but the data will still be displayed in the formula bar.
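
The following is an added example, not part of the original article or of any Symantec or Microsoft tooling. It shows where two of the cases above live inside a Word .docx file: text deleted under Track Changes and text formatted with the "hidden" font checkbox. The function names and the sample document (including its SSN-like values) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml inside a .docx
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def hidden_content(docx_bytes):
    """Return text a .docx still stores but Word does not display by default."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    found = {"tracked_deletions": [], "hidden_font": []}
    # Track Changes: <w:del> wraps runs whose text is kept in <w:delText>.
    for deletion in root.iter(W + "del"):
        text = "".join(t.text or "" for t in deletion.iter(W + "delText"))
        if text:
            found["tracked_deletions"].append(text)
    # Hidden font: a run whose own properties contain <w:vanish/>.
    # Limitation: hidden formatting inherited from a style is not resolved here.
    for run in root.iter(W + "r"):
        vanish = run.find(f"{W}rPr/{W}vanish")
        if vanish is not None and vanish.get(W + "val") not in ("0", "false"):
            text = "".join(t.text or "" for t in run.iter(W + "t"))
            if text:
                found["hidden_font"].append(text)
    return found

def build_sample():
    """Constructed sample: one visible run, one tracked deletion, one hidden run."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    body = (
        f'<w:document {ns}><w:body><w:p>'
        '<w:r><w:t>Quarterly report</w:t></w:r>'
        '<w:del w:id="1" w:author="sample" w:date="2020-01-01T00:00:00Z">'
        '<w:r><w:delText>SSN 123-45-6789</w:delText></w:r></w:del>'
        '<w:r><w:rPr><w:vanish/></w:rPr><w:t>SSN 987-65-4321</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    for kind, texts in hidden_content(build_sample()).items():
        print(kind, texts)
```

Both values are absent from the rendered page in Word's default view, yet remain in the file's XML, which is why content extraction can still match them.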