In an incident snapshot the attachment is showing as part of body for HTTP and HTTPS upload

Article ID: 163136

Products

Data Loss Prevention Network Monitor, Data Loss Prevention

Issue/Introduction

The attachment shows as part of the body when it is uploaded from Internet Explorer 10 or 11. If the same attachment is uploaded via older browsers, it appears as an attachment in the incident snapshot.

Older browsers may have used the "Content-Type: multipart/form-data" method, as a result of which we received an incident where the attachment name is displayed as attachment instead of body. The same upload via newer browsers instead uses the method "Content-Type: application/x-www-form-urlencoded; charset=utf-8", which shows the file name as body instead of attachment in the incident.
              ==================++++++++++++++++++++++++======================
Content-Type: multipart/form-data; boundary=---------------------------7df7929160242
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Host: mail.naver.com
               ==================++++++++++++++++++++++++======================

Cause

By default, DLP Network Monitor and Web Prevent support the multipart/form-data method for attachments. For any other method, such as application/x-www-form-urlencoded, the NonMultipartAttachment.config file must be modified.

Resolution

To detect the attachment, update the NonMultipartAttachment.config file as described below.

Steps
1>. Take a backup of the file C:\SymantecDLP\Protect\config\NonMultipartAttachment.config

2>. Add the lines below to NonMultipartAttachment.config.
# naver 
Host == mail.naver.com && URI == upload :: HEADERFIELD:filename
Host == link.ndrive.navercorp.com && URI == upload :: HEADERFIELD:filename
Host == ndrive1.navercorp.com && URI == upload :: HEADERFIELD:filename

NOTE: If the file already contains an uncommented line for naver.com, comment it out before appending the 3 lines above.

3>. Recycle the SymantecDLPDetectionServer service on the Web Prevent server.

4>. Send a web mail from mail.naver.com with an attachment. Check the triggered incident and see if the attachment file name is captured as attachment instead of body.
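
Steps 1 to 3 scripted in PowerShell, as an added example that is not vendor-supplied code: it backs up the file, comments out any active naver.com rule that differs from the new lines (the NOTE in step 2), appends whatever is missing and recycles the service. The function name Update-NaverRules and the backup file naming are assumptions of this example, and it assumes the config is plain text with `#` comment lines as shown above; run it from an elevated PowerShell session on the Web Prevent server.

```powershell
# Added example. Path, rule lines and service name are the ones given in the steps above.
$ConfigPath  = 'C:\SymantecDLP\Protect\config\NonMultipartAttachment.config'
$ServiceName = 'SymantecDLPDetectionServer'
$NewRules = @(
    '# naver'
    'Host == mail.naver.com && URI == upload :: HEADERFIELD:filename'
    'Host == link.ndrive.navercorp.com && URI == upload :: HEADERFIELD:filename'
    'Host == ndrive1.navercorp.com && URI == upload :: HEADERFIELD:filename'
)

# Hypothetical helper: returns the config lines with the NOTE applied and the new rules appended.
function Update-NaverRules {
    param([string[]]$Lines, [string[]]$Rules)
    $out = @(foreach ($line in $Lines) {
        $trimmed  = $line.Trim()
        $isActive = $trimmed -and -not $trimmed.StartsWith('#')
        # An active naver.com rule that is not one of the new lines gets commented out.
        if ($isActive -and $trimmed -match 'naver\.com' -and $Rules -notcontains $trimmed) {
            "# $line"
        } else {
            $line
        }
    })
    # Append only the lines not already present, so a second run changes nothing.
    $missing = @($Rules | Where-Object { $out -notcontains $_ })
    $out + $missing
}

# Step 1: timestamped backup next to the original (naming is this example's choice).
$backup = "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $ConfigPath -Destination $backup -ErrorAction Stop

# Step 2: rewrite the file only if the content actually changes.
$current = @(Get-Content -LiteralPath $ConfigPath)
$updated = Update-NaverRules -Lines $current -Rules $NewRules

if (($updated -join "`n") -ne ($current -join "`n")) {
    Set-Content -LiteralPath $ConfigPath -Value $updated
    # Step 3: recycle the detection service so the new rules are loaded.
    Restart-Service -Name $ServiceName
    Write-Output "Config updated and service recycled. Backup: $backup"
} else {
    Write-Output 'Rules already present; nothing changed and service not restarted.'
}
```

Step 4, sending a test mail with an attachment and checking the incident snapshot, remains a manual check.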