
Identify the name of the child process to enable browser based file upload monitoring on Mac endpoints

Article ID: 161953

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Enforce

Issue/Introduction

Some web sites use plug-ins like Silverlight and Flash to process file uploads. In this case, the Firefox and Safari browsers use child processes to upload files. The Mac DLP Agent does not monitor these child processes by default. To ensure that the DLP Agent monitors these types of file uploads, you add the child process binary as an application to monitor on the Application Monitoring screen. You use the dtrace command to identify these child processes.
 
Note: Refer to "Monitoring browser child processes" in the Symantec DLP Admin guide for more information.

Resolution

To use the dtrace command to identify child processes:
  1. Create a file on the endpoint where you plan to run the command. For example, create ABC.txt on the desktop.
  2. Launch the Terminal application.
  3. Enter the following command:
    sudo dtrace -n 'syscall::open*:entry { printf("%s %d %s",execname,pid,copyinstr(arg0)); }' | grep -v -e "mdworker" -e "mds" -e "invalid address" | grep -i "ABC.txt"
    ps -c -p <PID>
    Entering the ps -c -p command with the PID from the dtrace output returns the complete name of the child process.
  4. Press Enter to run the command.
  5. Open the Safari or Firefox web browser.
  6. Upload the ABC.txt file using the browser.
  7. Review the Terminal application output information. The process name and the PID are displayed.
  8. Record the process name. You add the name to the Application File Access screen.
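
The following shell helper is an added example, not part of the original article or of Symantec's tooling. It reduces saved output from the dtrace command in step 3 to the unique PID and process name pairs that opened the test file, then prints the matching ps -c -p lookup for each. The function names, the constructed sample lines, and the dtrace default column layout (CPU, probe ID, FUNCTION:NAME ahead of the printf text) are assumptions.

```shell
#!/bin/sh
# Added example: summarize which processes opened the test file.
# Assumed line layout (dtrace default, non-quiet mode):
#   <CPU> <probe ID> <FUNCTION:NAME> <execname> <pid> <path>

# openers <test-file-name>  (reads dtrace output on stdin)
# Prints unique "PID|execname" pairs; execname may contain spaces.
openers() {
  grep -i -F -- "$1" \
    | grep -v -e "mdworker" -e "mds" -e "invalid address" \
    | sed -n -E 's#^ *[0-9]+ +[0-9]+ +[^ ]+ (.*) ([0-9]+) /.*$#\2|\1#p' \
    | sort -u
}

# Constructed sample output, for illustration only.
sample_output() {
cat <<'EOF'
CPU     ID                    FUNCTION:NAME
  0    161                       open:entry Safari 501 /Users/test/Library/Safari/History.db
  2    161                       open:entry mdworker_shared 733 /Users/test/Desktop/ABC.txt
  1    937              open_nocancel:entry PluginProcess 812 /Users/test/Desktop/ABC.txt
  1    161                       open:entry PluginProcess 812 /Users/test/Desktop/abc.txt
  3    161                       open:entry Example Helper 904 /Users/test/Desktop/ABC.txt
EOF
}

# lookup_commands <test-file-name>  (reads dtrace output on stdin)
# Prints the ps command to run for each PID to get the complete process name.
lookup_commands() {
  openers "$1" | while IFS='|' read -r pid name; do
    printf 'ps -c -p %s   # dtrace execname: %s\n' "$pid" "$name"
  done
}

sample_output | lookup_commands "ABC.txt"
```

Because the article's filter excludes any line containing "mds", a test file stored under a path that includes that string would be dropped as well; keep the test file on a path without it.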