Diagnosing Clipboard Monitoring

Article ID: 159938

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

I have a policy deployed to the endpoints to catch protected data. I have set the endpoint agent to monitor Clipboard operations. I copy or paste something that should trigger an incident or block the operation, and I'm not seeing either happen.

My Endpoint Clipboard is not functioning properly.  How can I diagnose the problem?

Resolution

Clipboard Monitoring not working, content can be copied and pasted in any application

Verify the following.

  1. Verify that the Endpoint agent is running and that hmc.dll is loaded in the process; Process Explorer can be used for this.
  2. Verify that clipboard monitoring functionality is enabled in the Enforce UI for Endpoint Agents.
  3. Check to see if the application is excluded from clipboard monitoring.  
    This can be verified by navigating to the Endpoint Application Control List page (KB TECH219544). https://<Enforce>/ProtectManager/EndpointApplicationControlList.do
  4. Check that clpbm.dll is injected into the process to be monitored; Process Explorer can be used to verify this.
  5. Collect the endpoint agent log by setting ClipboardMonitorLevel to FINEST. For information on modifying the Endpoint database see KB TECH219080. From the SQL prompt:
     REPLACE INTO configuration VALUES ('Logging','ClipboardMonitorLevel','str','FINEST');
     Restart the Endpoint Agent with "sc stop edpa"; Watchdog will restart the agent.
  6. Logging will be written to the edpa_ext0.log file in the Endpoint directory (default: c:\Program Files\Manufacturer\Endpoint Agent). Send edpa_ext0.log and ks.ead to support.

Clipboard Monitoring not working for a specific application

Verify the following.

  1. Verify the basic steps mentioned above.
  2. Check whether the copied content is text; this can be verified with the ClipBook Viewer (available on Windows XP), which displays the contents of the clipboard. Go to View->Unicode Text and check whether the content displayed there contains the sensitive data.

Notifications and incidents are reported when switching between the host machine and a VM or a Remote Desktop session to another machine.

To make content copied on the host available inside the VM, or on the machine the user has connected to via Remote Desktop, supporting services set the content onto the VM or remote machine's clipboard whenever the user switches between the two machines. That write triggers analysis of the content, and hence the notification and incident are reported.

Application Crash or Hang

  1. Check whether the crash/hang is reproducible without the Endpoint Agent; in most cases the application itself is crashing.
  2. Turn off the clipboard monitoring feature and observe whether the hang/crash is still reproducible; this establishes whether the crash/hang is related to the clipboard monitoring feature.
  3. Get a dump of the application; Windbg or Dr. Watson can be used to generate the dump.

The same content copied from the same application multiple times doesn't generate multiple notifications and incidents

This is a feature; since the same content is copied over and over again, to reduce the detection overhead these requests are filtered from detection.

Sensitive content can be pasted in the same application

This is a feature. If the content is cut and the paste were blocked, the user might lose the content, and there are use-cases where users want to move content to another position in the same document; this feature was introduced to accommodate such use-cases.

The same content copied from two different applications, and later pasted into either application, is not blocked.

When content is copied, a hash of it is recorded against the copying application. At paste time that stored hash is compared with the hash of the content being pasted, to decide whether the content is being pasted back into the same application it was copied from. In this case both applications have recorded a hash, and the hash of the clipboard content matches in each of them, so the agent assumes the paste is into the same application and allows the paste operation.

Content copied from one Word document can be pasted into another Word document. Content copied from a Word document can be pasted into Outlook.

The hashing logic that identifies the application into which content is being pasted is keyed on the process, which means copy and paste of sensitive content is allowed within the same process. Word launches a single process for multiple documents, so a paste into another document is treated as a copy within the same application.
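As an added illustration (not the agent's code) of the per-process hash rule described here and under the two previous headings, the following Python model reproduces the behaviours this article lists: the repeat-copy filter, the same-process allow that covers multiple Word documents, and the gap when two different processes have both copied the same content. The detection pattern, process IDs and sample text are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for the DLP policy: a bare 16-digit number is "sensitive".
SENSITIVE = re.compile(r"\b\d{16}\b")


def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ClipboardMonitorModel:
    """Per-process hash bookkeeping as the article describes it (a model, not agent code)."""

    def __init__(self):
        self.clipboard = ""                      # the single system clipboard
        self.copied = defaultdict(set)           # pid -> hashes of content that process copied
        self.last_copied = {}                    # pid -> hash of that process's last copy

    def copy(self, pid: int, text: str) -> str:
        self.clipboard = text
        if not SENSITIVE.search(text):
            return "allowed"
        h = content_hash(text)
        if self.last_copied.get(pid) == h:
            return "filtered"                    # repeat copy: no new incident
        self.last_copied[pid] = h
        self.copied[pid].add(h)                  # remember it under this process only
        return "incident"

    def paste(self, pid: int) -> str:
        if not SENSITIVE.search(self.clipboard):
            return "allowed"
        # Same-application rule: the hash is looked up per process, not per document.
        if content_hash(self.clipboard) in self.copied[pid]:
            return "allowed-same-app"
        return "blocked"


def demo() -> dict:
    m = ClipboardMonitorModel()
    secret = "card 4111111111111111 exp 12/29"  # constructed sample content
    word, notepad = 4242, 5151                   # constructed PIDs
    r = {}
    r["copy_word"] = m.copy(word, secret)        # incident
    r["copy_word_again"] = m.copy(word, secret)  # filtered: same content, same process
    r["paste_word_doc2"] = m.paste(word)         # allowed: one Word process for all documents
    r["paste_notepad"] = m.paste(notepad)        # blocked: hash unknown to that process
    r["copy_notepad"] = m.copy(notepad, secret)  # second process now also holds the hash
    r["paste_notepad_after"] = m.paste(notepad)  # allowed-same-app: the gap described above
    return r
```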