Diagnosing Clipboard Monitoring
search cancel

Diagnosing Clipboard Monitoring


Article ID: 159938


Updated On:


Data Loss Prevention Endpoint Prevent Data Loss Prevention


There is a policy deployed to the endpoints to catch protected data. The endpoint agent configuration is set to monitor Clipboard operations.   Something was copied or pasted to trigger an incident and/or block the operation, but the expected incident and/or block action did not occur.


DLP 15.X


Verify the following points:

  1. Endpoint agent is running, and hmc.dll is loaded in the process, for this process explorer can be used.
  2. Verify the clipboard monitoring functionality is enabled in the Endpoint Agent Configuration.
  3. Check to see if the application is excluded from clipboard monitoring.
    This can be verified by navigating to the Global Application Monitoring page (About global application monitoring)
  4. Check if clpbm.dll is injected in the process to be monitored; process explorer can be used to verify this.
  5. Collect the endpoint agent log by setting the ClipboardMonitorLevel to FINEST.  For information on modifying the Endpoint database (see How to Modify the Endpoint Database).
  6. Copy the vontusqlite3 tool from tools folder to agent directory, navigate to agent directory from cmd as administrator and run below commands:
    vontu_sqlite3.exe -db=cg.ead
    REPLACE into configuration values ('Logging','ClipboardMonitorLevel','str','FINEST');
    Restart the Endpoint Agent by using "sc stop edpa". 
  7. Logging will be written to edpa_ext0.log file in the Endpoint directory, default is c:\Program Files\Manufacturer\Endpoint Agent.  Send edpa_ext0.log and ks.ead to support.


Clipboard Monitoring not working for a specific application

Check the following:

  1. Verify the basic steps mentioned above.
  2. Check if content copied is a text content; this can be verified by using the ClipBook Viewer which displays the contents on the clipboard. Go to View->Unicode Text. Check if the content displayed here contains sensitive content.

Notification and Incidents are reported when switching between the host machine and a VM or Remote Session to another machine.

This is because to allow the content copied from the host to be available on the VM machine or machine to which the user has connected using Remote desktop, there are services that set the content onto the VM machine or Remote machine when the user switches between the two machines, which triggers the analysis of the content and hence the notification and incident are reported.

Application Crash or Hang

  1. Check if the crash\hang is reproducible without the Endpoint Agent; in most of the cases the applications themselves might crash.
  2. Turn off the clipboard monitoring feature, and observe if the hang\crash is reproducible; this would ensure if the crash\hang is related to the clipboard monitoring feature.
  3. Get the dump of the application; one can use Windbg or Procdump for generating the dump.

Same content if copied from the same application multiple times doesn't generate multiple notifications and incidents

This is a feature; since the same content is copied over and over again, to reduce the detection overhead these requests are filtered from detection.

Sensitive content can be pasted in the same application

This is a feature, because if the content is cut, the user might lose the content, there might be use-cases where users might want to move the content position in the document, to tailor such use-cases this feature was introduced.

Same content copied from two different applications, and later pasted in either of the applications is not blocked.

A hash of the content is maintained in the same application, later while pasting this hash is compared with the hash of the content being pasted, to decide if the content is being pasted in the same application, this technique allows us to identify if the content is pasted in the same application, but in this case since the hashes are maintained in both the applications which when compared to the content on the clipboard is same and we assume its the same application, and hence we allow paste operation.

Content copied from one word document, can be pasted in another word document.  Content copied from a word document, can be pasted into Outlook 

The hashing logic to identify the same application where content is being pasted works on the process parameter, which means copy and paste of sensitive content is allowed in the same process, but for Windows Word a single process is launched for multiple documents and we treat this as copy within in the same application.


Clipboard channel is disabled, Content from clipboard pasted into Chrome(HTTPS) gets detected while uploading but inline typing into Chrome(HTTPS) does not get detected

If you have enabled HTTPS monitoring for Google Chrome, it is recommended that you leave Paste monitoring disabled to prevent duplicate incidents. Enabling HTTPS monitoring for Google Chrome automatically enables Clipboard Paste monitoring.