
Box Drive incidents not generated in 15.1 MP1 - 15.7 MP2


Article ID: 174407


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

After applying Maintenance Pack 15.1 MP1, files copied to a local Box Drive directory no longer generate Endpoint Agent incidents.

This was not true in versions 15.1 and earlier, where those incidents were created as "Removable Storage".

Cause

Detection behavior changed in 15.1 MP1.

While detection was occurring, it was limited: DLP could detect only file copies made from Explorer. There was no detection when a user performed a file "Save As" operation or a command-line copy to Box Drive. Symantec developers have to consider all user scenarios before claiming support.

Environment

Endpoint Prevent 15.1 MP1 - 15.7 MP2

Resolution

Update: As of DLP v15.8, support for Box Drive has been (re)released.

See p. 12 of the 15.8 What's New Guide for the following update:

"When monitoring is enabled for cloud storage applications in the agent configuration, agents can monitor files that are saved to mounted Box Drives"

Additional Information

DLP behaves differently for each of the applications that Box has available:

  1. Box Edit – aka Box for Office. This relies on the Box Edit executable (Box Edit.exe), which utilizes Windows APIs in Office that allow the app to sync changes to a Box repository via the Box Edit process.
    1. Defect 4199076 for BoxEdit: a “block” action reported in DLP is not successful. This is marked as resolved in 15.5.
    2. The root cause behind the issue is that “Box now using new upload URL (upload.app.box.com) along with the original one (upload.box.com)”, so we had to amend our detection/response routine.
  2. Box Sync – the predecessor to Box Drive. BoxSync.exe is the executable that syncs files within a directory on the user’s local drive to a repository in Box. The DLP Endpoint Agent supports this app and its APIs for monitoring and content inspection.
  3. Box Drive (Box.exe) – an update of sorts to Box Sync. According to the vendor, the two should not be run together on the same machine.
    1. While the known limitations on Box's site suggest that "unexpected behavior" may result if Symantec DLP does not exclude Box’s Default Drive location, the Symantec DLP Support team has found that as of DLP 15.1 MP1, we no longer detect file copies to this Default [Removable] Box Drive.
    2. This is a change from behavior in previous versions, because it was not possible to detect file copies in all scenarios. It was also not possible to set filters against Removable Drives, and this was determined to require a product change in response. On p. 29 of the latest 15.1 MP1 Release notes, Symantec indicated this change in behavior as follows:

4182567 Symantec Data Loss Prevention administrators were unable to ignore file copies to mounted Box drives.