TrueCrypt container is treated as removable storage

Article ID: 159927

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

When you copy confidential data into a TrueCrypt container using Windows Explorer, the DLP agent identifies the container as Removable Storage.
When you copy confidential data into a TrueCrypt container using Command Prompt, the DLP agent identifies the container as Local Drive.

Resolution

The DLP agent works as designed.
The DLP agent identifies the TrueCrypt container (Virtual Drive) as Removable Storage. This is expected behavior: the TrueCrypt Virtual Drive is essentially a file that can be disconnected and moved elsewhere, such as to a USB device, which is why file-based virtual drives are always treated as removable media.

The TrueCrypt application can mount the encrypted volume in different ways:

http://www.truecrypt.org/docs/favorites#Y604

We have an enhancement request (PM-2076) to add the following functionality to the DLP agent:

- If the user mounts the TrueCrypt encrypted volume as Removable Medium, the DLP agent will identify the VHD as Removable Storage.
- If the user mounts the TrueCrypt encrypted volume as Fixed Drive, the DLP agent will identify the VHD as Fixed Drive.