A user notification dialog and/or incident in Data Loss Prevention (DLP) Endpoint Prevent displays the URL as 'Unknown' for incidents generated by the Chrome HTTPS or Edge HTTPS (Chromium Only) monitor.
A component of the Chrome or Edge extension for the HTTPS monitor may have been tampered with or is being blocked. Similar messages include:
There are several possible resolutions, depending on the cause.
If client machines do not have internet access to download the extension from the play store, contact support for the offline CRX install of the extension.
Also note: browsers in Incognito (Chrome) / InPrivate (Edge) mode do not load extensions by default. This can cause seemingly random incidents to report unknown URLs. See this KB for instructions on using Chrome / Microsoft administrative templates to force extensions to load. If the unknown URLs are consistent, or incognito mode is not a factor, continue troubleshooting below.
If the other browsers (IE, Edge, Firefox) are also reporting incidents with an unknown URL, this could be an environmental settings issue (such as proxies).
Make sure you are using the latest version of the DLP agent. For example, if using DLP 15.5, check that you have both the latest maintenance pack and the most recent hotfix. Note that the agent version can be newer than the Enforce / Detection version so long as the major and minor versions match. For example, DLP version 15.5.0221 (15.5 MP2 hotfix 21) can be used with the 15.5 Enforce server.
Check the DLP system requirements and release notes for the version of DLP you are on and make sure the version of Chrome you are using is supported. If the version is too new this feature might be broken when used with older DLP agents.
If you are on the latest hotfix and your browser is up to date, this issue is most commonly caused by security policies imposed on Chrome / Edge. To check this, perform the following steps (details further below):
For convenience and testing purposes only, you can download the attached documents, rename them to .reg files, and import them as a test or review them as a template. Importing these sets the default values (and paths) for the agent policies and whitelists them. Note that these will overwrite any existing agent registry entries. These were written for the 15.8 agent only. The Chrome DLP extension will stop working if they are directly imported on a 15.7 agent.
The browser will not only tell you whether the policy is present, it will also tell you if it has been overwritten or if there is a formatting error in the data. In addition, it displays policies that may not show up in standard locations in the registry and are easily missed by a manual search.
When checking the policies, make sure that the status is OK. If Error, Warning or Conflict shows up, resolve those issues. Note that you will not be able to change the values within the browser. Changes should be made via GPO policies through the security admin, or can be tested by modifying the registry manually (details further down).
Validate the following policies:
ExtensionInstallForcelist
This policy should always be present if the DLP Agent is installed.
The policy value should contain one of the following (note: this value can be a long string containing multiple extensions):
DLP Agent 15.8 - dehobbhellcfbmcaeppgfjhnldeimdph;https://clients2.google.com/service/update2/crx
DLP Agent 15.7 and earlier - eelojgpfkmhiikmhkineneemcahoehjo;https://clients2.google.com/service/update2/crx
All DLP Agents - lgliocaeggimgcpgbbejhdnbmajgaiii
For Chrome look in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
For Edge look in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
ExtensionInstallBlocklist
If present and an * is used in the value, then an ExtensionInstallAllowlist policy will need to be implemented. Also ensure that the extensions listed above are not in the value.
ExtensionInstallBlacklist
This policy is deprecated. See ExtensionInstallBlocklist if values exist.
ExtensionInstallAllowlist
This policy needs to be present only if the ExtensionInstallBlocklist or ExtensionInstallBlacklist are being used AND they include an * value. If this policy is needed, make sure it includes the proper extension values listed for the ExtensionInstallForcelist policy above.
ExtensionInstallWhitelist
This policy is deprecated. If the ExtensionInstallBlocklist or ExtensionInstallBlacklist are being used AND they include an * value, then create and use the ExtensionInstallAllowlist policy as described above.
NativeMessagingBlacklist
Chrome only. If this policy contains the value *, then a NativeMessagingWhitelist policy is required with the proper value. If it contains com.symantec.dlp, remove that value.
NativeMessagingBlocklist
Edge only. If this policy contains the value *, then a NativeMessagingAllowlist policy is required with the proper value. If it contains com.symantec.dlp, remove that value.
NativeMessagingAllowlist
Edge only. Required if the NativeMessagingBlocklist is being used. Add com.symantec.dlp to the value.
NativeMessagingWhitelist
Chrome only. Required if the NativeMessagingBlacklist is being used. Add com.symantec.dlp to the value.
Data: C:\\Program Files\\Manufacturer\\Endpoint Agent\\chrm_manifest.json
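One way to check the policy conditions listed above directly in the registry, as an added example rather than vendor tooling. It assumes the usual layout in which each list policy is a subkey of the browser policy key holding numbered string values; the function and variable names are illustrative.

```powershell
# Added example, not vendor code. Assumption: each list policy is a subkey of the
# browser policy key and holds numbered string values ("1", "2", ...).
# Extension IDs from this article: agent 15.8, agent 15.7 and earlier, all agents.
$DlpIds = 'dehobbhellcfbmcaeppgfjhnldeimdph',
          'eelojgpfkmhiikmhkineneemcahoehjo',
          'lgliocaeggimgcpgbbejhdnbmajgaiii'
$NativeHost = 'com.symantec.dlp'
$ExtPolicies = 'ExtensionInstallForcelist', 'ExtensionInstallBlocklist',
               'ExtensionInstallBlacklist', 'ExtensionInstallAllowlist'
$Browsers = @{
    Chrome = @{ Root = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
                NmBlock = 'NativeMessagingBlacklist'; NmAllow = 'NativeMessagingWhitelist' }
    Edge   = @{ Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
                NmBlock = 'NativeMessagingBlocklist'; NmAllow = 'NativeMessagingAllowlist' }
}

function Get-PolicyList([string]$Root, [string]$Name) {
    $key = Get-Item -Path (Join-Path $Root $Name) -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) } }
}

function Test-HasDlpId($List) {
    foreach ($entry in $List) {
        # Forcelist entries are "id;update_url", so match on the ID prefix
        foreach ($id in $DlpIds) { if ($entry -like "$id*") { return $true } }
    }
    return $false
}

function Test-DlpPolicy([hashtable]$P, [string]$NmBlock, [string]$NmAllow) {
    $blocked = @($P['ExtensionInstallBlocklist']) + @($P['ExtensionInstallBlacklist'])
    $nmBlocked = @($P[$NmBlock])
    if (-not (Test-HasDlpId ($P['ExtensionInstallForcelist']))) {
        'ExtensionInstallForcelist has no DLP extension ID' }
    if (Test-HasDlpId $blocked) { 'An extension blocklist names a DLP extension ID' }
    if (($blocked -contains '*') -and -not (Test-HasDlpId ($P['ExtensionInstallAllowlist']))) {
        'Extension blocklist is * but ExtensionInstallAllowlist lacks the DLP ID' }
    if ($nmBlocked -contains $NativeHost) { "$NmBlock contains $NativeHost" }
    if (($nmBlocked -contains '*') -and (@($P[$NmAllow]) -notcontains $NativeHost)) {
        "$NmBlock is * but $NmAllow lacks $NativeHost" }
}

foreach ($name in $Browsers.Keys) {
    $b = $Browsers[$name]; $snapshot = @{}
    foreach ($pol in $ExtPolicies + $b.NmBlock + $b.NmAllow) {
        $snapshot[$pol] = @(Get-PolicyList $b.Root $pol)
    }
    Test-DlpPolicy $snapshot $b.NmBlock $b.NmAllow | ForEach-Object { "[$name] $_" }
}
```

No output for a browser means none of the listed conditions were found under its HKEY_LOCAL_MACHINE policy key; the browser's own policy page remains the authority for overridden or conflicting values.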
For further troubleshooting, increase the agent logging level to FINEST using this KB, enable developer mode in Chrome, and then duplicate the issue. After duplicating the issue, open the extensions page and check whether there are any errors. If so, include them with any evidence for the support case.
07/15/2021 12:21:57 | 13240 | FINEST | ApplicationConnector.ExtentionInstaller | ManageLGPO: for Browser (Edge Chromium), Error saving machine registry key for GPO, -2147024864
07/15/2021 12:21:57 | 13176 | WARNING | ApplicationConnector.ExtentionInstaller | ERROR: Failed to add Chrome LGPO for : (Edge Chromium) Error code = 2147942432
07/15/2021 12:21:57 | 13176 | SEVERE | MSEdge.EdgeConnector | Failed to install browser extension for browser Microsoft Edge, browser monitoring will not work | [SYMRESULT 0x80070020]
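The three log lines above report one failure in three notations (signed decimal, unsigned decimal, hex). This added example, which is not part of the original article and uses illustrative function names, normalises each to an HRESULT and resolves Win32-facility codes to the system message; all three reduce to 0x80070020, Win32 error 32 (sharing violation).

```powershell
# Added example, not vendor code. The three lines are the ones quoted in this article.
$lines = @(
    '07/15/2021 12:21:57 | 13240 | FINEST | ApplicationConnector.ExtentionInstaller | ManageLGPO: for Browser (Edge Chromium), Error saving machine registry key for GPO, -2147024864'
    '07/15/2021 12:21:57 | 13176 | WARNING | ApplicationConnector.ExtentionInstaller | ERROR: Failed to add Chrome LGPO for : (Edge Chromium) Error code = 2147942432'
    '07/15/2021 12:21:57 | 13176 | SEVERE | MSEdge.EdgeConnector | Failed to install browser extension for browser Microsoft Edge, browser monitoring will not work | [SYMRESULT 0x80070020]'
)

function ConvertTo-HResult([string]$Message) {
    # Returns the code as an unsigned 32-bit value held in an Int64, or nothing
    if ($Message -match '0x([0-9A-Fa-f]{8})') { return [Convert]::ToInt64($Matches[1], 16) }
    if ($Message -match '(-?\d{9,10})\s*$') {
        $n = [int64]$Matches[1]
        if ($n -lt 0) { $n += 4294967296 }   # signed 32-bit -> unsigned 32-bit
        return $n
    }
}

function Get-InstallFailure([string[]]$LogLines) {
    foreach ($line in $LogLines) {
        # Assumed fields: timestamp | numeric ID | level | component | message
        $f = $line -split '\s*\|\s*', 5
        # "Extention" is the agent's own spelling of the component name
        if ($f.Count -lt 5 -or $f[3] -notmatch 'ExtentionInstaller|EdgeConnector') { continue }
        $hr = ConvertTo-HResult $f[4]
        if ($null -eq $hr) { continue }
        $win32 = $null; $meaning = $null
        # Facility 7 (FACILITY_WIN32): the low 16 bits are a Win32 error code
        if ((($hr -shr 16) -band 0x1FFF) -eq 7) {
            $win32 = [int]($hr -band 0xFFFF)
            $meaning = (New-Object System.ComponentModel.Win32Exception -ArgumentList $win32).Message
        }
        [pscustomobject]@{
            Level = $f[2]; Component = $f[3]
            HResult = '0x{0:X8}' -f $hr
            Win32 = $win32; Meaning = $meaning
        }
    }
}

Get-InstallFailure $lines | Format-Table -AutoSize
```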