Setup Bluetooth device monitoring in DLP

Article ID: 162661


Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention

Issue/Introduction

How to set up Application Monitoring to monitor file access via Bluetooth devices.
 

Environment

Data Loss Prevention (DLP) Endpoint Prevent

Resolution

Gathering device information:

  1. Copy the tool "GetAppInfo.exe" from the Agent Tools folder to any Windows client machine.
  2. Run "GetAppInfo.exe", click Browse, enter the path "C:\Windows\System32\fsquirt.exe", and click "Get Info".
  3. You will see details similar to those shown below:

      Comments:
      InternalName: fsquirt.exe
      ProductName: Microsoft® Windows® Operating System
      CompanyName: Microsoft Corporation
      LegalCopyright: © Microsoft Corporation. All rights reserved.
      ProductVersion: 6.1.7601.17514
      FileDescription:
      LegalTrademarks:
      PrivateBuild:
      FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
      OriginalFilename: fsquirt.exe
      SpecialBuild:
      PublisherName: Microsoft Windows (verified)

  4. Save this information in a Notepad file.
  5. In the DLP Enforce Console, go to System > Agent > Application Monitoring.
  6. Click Add Application and fill in the information under Application Information as shown below:

      Name (Required)   = Bluetooth
      Binary Name       = fsquirt\.exe
      Internal Name     = fsquirt\.exe
      Original Filename = fsquirt\.exe

  7. Under Application Monitoring Configuration, check the following options:

      Network Access
      Print/Fax
      Send to Clipboard
      Filesystem Activity

      Under "Enable monitoring of local drive, removable media and other filesystem activities", check Monitor Application File Access to File Read.

  8. Save this configuration.
  9. Go to System > Agent > Agent Configuration and select your existing configuration.
  10. Under Enable Monitoring > Application, check "Application File Access".
  11. Save this configuration.
  12. Apply/update this configuration.

Now you are ready to test the Bluetooth file transfer.

 

Note 1: On macOS, the process to monitor for Bluetooth is called "blued" (see https://en.wikipedia.org/wiki/Blued_(macOS)). As of 15.8 this is NOT added by default and must be added manually. See the documentation under "Adding a macOS application" and ensure that Application File Access (AFA) monitoring is selected for this application.

Note 2: In DLP version 15.1 and above, the fsquirt.exe application is enabled for Application Monitoring by default under the application name "Microsoft Windows Bluetooth" in the Application list. Additional programs may still need to be added in order to expand the monitoring capability of DLP Endpoint Prevent.
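When additional programs need to be added, the fields gathered with GetAppInfo.exe can also be collected from PowerShell. The function below is an added example, not part of the original article or the vendor's tooling; the name Get-DlpAppInfo is hypothetical, and treating the backslash in fsquirt\.exe as a regular-expression escape is an assumption.

```powershell
# Added example: reads the version-resource fields that GetAppInfo.exe displays
# and escapes the three name fields in the form used under Application Information.
# Assumption: "fsquirt\.exe" is a regular expression, so "." must be escaped.
function Get-DlpAppInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            # Skip paths that do not exist on this client instead of failing the run
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not found: $p"
                continue
            }

            $file = Get-Item -LiteralPath $p
            $vi   = $file.VersionInfo            # System.Diagnostics.FileVersionInfo
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

            [pscustomobject]@{
                Path             = $file.FullName
                # Escaped values for the Binary Name, Internal Name and
                # Original Filename fields; empty if the resource field is empty
                BinaryName       = [regex]::Escape($file.Name)
                InternalName     = [regex]::Escape("$($vi.InternalName)")
                OriginalFilename = [regex]::Escape("$($vi.OriginalFilename)")
                # Context for confirming that the binary is the one expected
                ProductName      = $vi.ProductName
                CompanyName      = $vi.CompanyName
                FileVersion      = $vi.FileVersion
                SignatureStatus  = $sig.Status
                Signer           = $sig.SignerCertificate.Subject
            }
        }
    }
}

# The binary used in this article; pass further paths to check other programs
Get-DlpAppInfo -Path 'C:\Windows\System32\fsquirt.exe' | Format-List
```

Compare the output with what GetAppInfo.exe reports before entering it in the Enforce console, because Windows can serve the version resource from a localized .mui file and report a different OriginalFilename.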
             

Additional Information

Reference:

Article ID 163800: How to enable monitoring for USB Bluetooth adapters

In one instance, even after configuring all the above, Bluetooth transfers were still not being blocked.
A new agent configuration was created that matched the previous agent configuration.
Once the new agent configuration was applied to the endpoints the Bluetooth transfers were blocked.