Data Loss Prevention, no endpoint IDM incident with print or fax


Article ID: 160195


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Data Loss Prevention Endpoint

IDM detection may not work for print or fax.
A file that is copied to a USB device generates an incident.
When the same file is sent to a printer, it may not generate an incident.

If using a DCM policy, the same file is detected regardless of which component is monitored.

Steps to reproduce

  1. Create an IDM profile with some files smaller than 1 KB and some larger.
  2. Enable print/fax, clipboard, and removable storage monitoring for the endpoint.
  3. Create an IDM policy using the profile you created, and a DCM policy.
  4. From an endpoint agent, copy the files (less than 1 KB) used in the IDM profile to a USB device or to the clipboard. An incident is generated for both policies.
  5. Print the same file (less than 1 KB). No incident is generated for the IDM policy, but one incident is generated for the DCM policy.
  6. Print other files (larger than 2 KB). An incident is generated for both policies.

Resolution

At present, Print/Fax is not supported for IDM detection. 
IDM detection for printing has known issues.

If a file has fewer than 1000 non-whitespace characters, then we only do an exact match, which means an MD5 of the binary file.
In that case, we do not detect on print, because the print driver captures the print events.
Detection never sees the original file, so we cannot do the MD5 match.

The message is based on the print spool, not on the original file.
The pages may be sent to the printer out of order.
The change in order may change the match percentage.

If the print job injects any content (page numbers, etc.), then the match percentage could be considerably lower.
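The behaviour described in the Resolution can be reproduced with a small model. This is an added example, not Symantec code: the 1000-character threshold and the MD5 exact match come from the article, while the word-window (`shingles`) partial matcher, the `spool` function, and the sample documents are assumptions constructed for illustration.

```python
import hashlib

EXACT_ONLY_BELOW = 1000  # non-whitespace characters, threshold stated in the article

def shingles(text, k=8):
    # Assumed stand-in for partial matching: hashes of overlapping k-word windows.
    words = text.split()
    return {hashlib.md5(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 1))}

def index_document(original: bytes) -> dict:
    text = original.decode("utf-8")
    non_ws = sum(not c.isspace() for c in text)
    return {"md5": hashlib.md5(original).hexdigest(),
            "shingles": shingles(text) if non_ws >= EXACT_ONLY_BELOW else None}

def match(entry: dict, captured: bytes):
    """Return (exact_match, partial_percent); partial_percent is None for exact-only entries."""
    exact = hashlib.md5(captured).hexdigest() == entry["md5"]
    if entry["shingles"] is None:
        return exact, None
    hits = entry["shingles"] & shingles(captured.decode("utf-8"))
    return exact, round(100 * len(hits) / len(entry["shingles"]), 1)

def spool(original: bytes, per_page=60, footer=False, reverse=False) -> bytes:
    # Constructed model of what detection sees on print: a job header plus
    # paginated text, optionally with injected footers and reordered pages.
    words = original.decode("utf-8").split()
    pages = [" ".join(words[i:i + per_page]) for i in range(0, len(words), per_page)]
    if footer:
        pages = [f"{p}\n-- Page {n} --" for n, p in enumerate(pages, 1)]
    if reverse:
        pages.reverse()
    return b"%%constructed-spool-job\n" + "\n".join(pages).encode("utf-8")

# Constructed sample documents (not real data).
SMALL = b"Q3 payroll export, account 0000-EXAMPLE, do not distribute\n"
LARGE = " ".join(f"term{i:04d}" for i in range(400)).encode("utf-8")

if __name__ == "__main__":
    small, large = index_document(SMALL), index_document(LARGE)
    print("small -> USB copy :", match(small, SMALL))
    print("small -> print    :", match(small, spool(SMALL)))
    print("large -> print    :", match(large, spool(LARGE)))
    print("large -> reordered:", match(large, spool(LARGE, reverse=True)))
    print("large -> footers  :", match(large, spool(LARGE, footer=True)))
```

The small file matches only when the captured bytes are the original file, so the print path returns no match at all, while the large file still matches on print but loses percentage once pages are reordered or footers are injected.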