search cancel

Endpoint Agent actively monitors processes and services, even when no policies are loaded.

book

Article ID: 162670

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Discover

Issue/Introduction

Symantec Data Loss Prevention Endpoint (DLP)

Under what circumstances does the EDPA service monitor applications on the endpoint computer in which it resides?

Even with all channels turned off on an agent configuration in the Enforce console, you may still see agent-related events showing up with process monitoring tools such as Process Monitor. (aka "Procmon" -- https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx). Such as QueryStandardInformationFile being carried out by edpa.exe for any application running on the endpoint.

Cause

To protect data, as well as a means for the endpoint agent to protect itself, DLP always listens. It watches for new threads and processes to be created.

For DLP to determine if it needs to monitor a process, it must query basic information from that process. Therefore, even with all channels turned off on an agent configuration, you can still capture events that are carried out by edpa.exe. Such as the QueryStandardInformationFile for any application running on the endpoint.

If Endpoint monitoring channels are enabled, DLP also monitors files (in addition to applications). Monitoring also occurs even when no policy is loaded. This monitoring can cause expected performance dips as content extraction takes time, especially with large files.

Please take these factors into consideration when performing baseline checks of your environment before a full DLP agent rollout.

Resolution

WORKAROUND:

Many events can be eliminated by white listing the applications that you notice activity on. White listing is done under System -> Agents -> Global Application Monitoring. For more on how to white list an application, please see https://support.symantec.com/en_US/article.TECH220322.html . The white listing is done at the driver level and thus happens before the EDPA service has a chance to query the process or thread.

One exception, however, is when a process affects a DLP Agent protected area, such as its installation directory. This action triggers the DLP Agent's tamper proofing features. And the EDPA service still investigates the offending application through basic queries (much as if we are monitoring the application). This action occurs even on applications that have been white listed on the application monitoring page.