Data Loss Prevention Endpoint Agent Print Detection Failing

Article ID: 184597

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Endpoint print detection does not work even though it is enabled in the agent configuration.

0 | DllHooker.cpp(650)
05/13/2019 10:59:44 |  6108 | FINEST  | CodeInjection.HookManager | Sesion 0: OpenProcess failed for process: Pid->10488 ProcessName->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Returned Error Code = 87 | DllHooker.cpp(357)
05/13/2019 10:59:44 |  6108 | FINEST  | CodeInjection.HookManager | Session 0: Hooking failed for process: Pid->10488 ProcessName->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | HookingTask.cpp(63)
05/13/2019 10:59:44 |  5444 | FINER   | CoreServices.ProcessActivity | Received rtam message for process C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(6312) create status(0) session Id(2) sandboxed
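
An added example, not part of the original article or the vendor's tooling: a small Python parser that scans agent log text in the format quoted above and lists the processes for which OpenProcess or hooking failed. The six-field layout is inferred from the quoted lines, and the fourth sample line (with its PID) is constructed.

```python
import re

# Lines 1-3 are the agent log entries quoted in this article; line 4 is a
# constructed entry (hypothetical PID) in the same format.
SAMPLE_LOG = r"""05/13/2019 10:59:44 |  6108 | FINEST  | CodeInjection.HookManager | Sesion 0: OpenProcess failed for process: Pid->10488 ProcessName->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Returned Error Code = 87 | DllHooker.cpp(357)
05/13/2019 10:59:44 |  6108 | FINEST  | CodeInjection.HookManager | Session 0: Hooking failed for process: Pid->10488 ProcessName->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | HookingTask.cpp(63)
05/13/2019 10:59:44 |  5444 | FINER   | CoreServices.ProcessActivity | Received rtam message for process C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(6312) create status(0) session Id(2) sandboxed
05/13/2019 10:59:45 |  6108 | FINEST  | CodeInjection.HookManager | Session 0: Hooking failed for process: Pid->4242 ProcessName->C:\Windows\System32\RuntimeBroker.exe | HookingTask.cpp(63)
"""

# Win32 error codes commonly returned by a failed OpenProcess call.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER"}

OPEN_FAIL = re.compile(
    r"OpenProcess failed for process: Pid->(\d+) ProcessName->(.+?) Returned Error Code = (\d+)$"
)
HOOK_FAIL = re.compile(r"Hooking failed for process: Pid->(\d+) ProcessName->(.+)$")

def split_fields(line):
    """Split 'timestamp | thread | level | component | message | source file'."""
    head = line.split("|", 4)
    if len(head) != 5 or "|" not in head[4]:
        return None  # blank, truncated or otherwise malformed line
    message, source = head[4].rsplit("|", 1)
    return [f.strip() for f in head[:4]] + [message.strip(), source.strip()]

def hooking_failures(log_text):
    """Return {(pid, image path): {'error': name or None, 'hook_failed': bool}}."""
    found = {}
    for line in log_text.splitlines():
        fields = split_fields(line)
        if fields is None or fields[3] != "CodeInjection.HookManager":
            continue
        opened = OPEN_FAIL.search(fields[4])
        hooked = HOOK_FAIL.search(fields[4])
        m = opened or hooked
        if not m:
            continue
        entry = found.setdefault((int(m.group(1)), m.group(2)), {"error": None, "hook_failed": False})
        if opened:
            code = int(opened.group(3))
            entry["error"] = WIN32_ERRORS.get(code, str(code))
        else:
            entry["hook_failed"] = True
    return found

if __name__ == "__main__":
    for (pid, image), info in hooking_failures(SAMPLE_LOG).items():
        print(pid, image.rsplit("\\", 1)[-1], info)
```
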

Cause

The Windows Defender "Disable Extension Points" mitigation disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.

When RuntimeBroker.exe has Disable Extension Points enabled, print detection will not work.


Environment

Windows 10

DLP 15.5

Resolution

RuntimeBroker.exe needs to be whitelisted in Windows Defender.

Process to do this:

1) Open Windows Defender

2) App & Browser Control

3) Exploit Protection 

4) Program Settings

5) Then go to "RuntimeBroker.exe", choose Edit and uncheck everything, especially "Disable Extension Points".