How to whitelist or exclude an application from DLP Endpoint agents

book

Article ID: 160078

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

With Application Monitoring enabled, Symantec Data Loss Prevention (DLP) Endpoint Agent attempts to hook in and monitor any application. Certain applications may perform poorly with this monitoring enabled. In that case, Administrators may need to whitelist the application.
 

From the online help regarding application monitoring :
By default, DLP Agents monitors Clipboard, print, network (HTTP and FTP), and file system (removable disc, local drive, and network share) activity on all applications. You can add applications when you want DLP Agents to monitor files that applications open or read. You can also add applications when you want to prevent Symantec Data Loss Prevention from monitoring the application.

 

Resolution

 

Whitelist Endpoint Application :

  1. From the Enforce console select System > Agents >Application Monitoring.
  2. Select the application to the white list. If it is not listed, click on "add application" and provide at least one of the required application binaries.
    Note: DLP attempts to validate every field populated. We recommend using as few as fields as needed. If the whitelist seems to fail, try changing which required field is populated or removing one of the other fields. Additionally, it is recommended to use the "GetAppInfo.exe" tool provided for Windows Endpoints in the Agent Tools in the agent package. 

  1. Uncheck all of the detection channels under the "Application Monitoring Configuration." 
  2. Click on save and verify the application in the list of monitoring activities is unchecked.
  3. After making these changes, test the whitelisted application to see if the issue is resolved.

Note that on occasion it may be necessary to make changes and update the agent configuration for the new application monitor.


To ignore macOS applications from being monitored:

  1. Record the application name and the binary name of the application you want Symantec Data Loss Prevention to ignore. To obtain this information, open the application on a Mac endpoint and locate the required information on the Activity Monitor screen.
  2. Go to System > Agents > Application Monitoring.
  3. Click Add Application.
  4. Enter the application name in the Name field.
  5. Enter the binary name in the Binary Name field.
  6. Select Generic in the Application Type list. You do not make any other selections.
  7. Leave all other selections disabled.
  8. Save your changes.

 

Symantec Data Loss Prevention Endpoint Agent will need to check in to update before the changes will be effective.

 

Side Note: 

If the application name that you are whitelisting contains a dot in its name the dot must be escaped with a backslash.

For example an application with the name Tosca.Automation.Agent.exe we would add it's Binary name like this Tosca\.Automation\.Agent\.exe 

 

 

Attachments