Data Loss Prevention Endpoint Agent Print Detection Failing
Article ID: 184597
Updated On:
Products
Data Loss Prevention Endpoint Prevent
Issue/Introduction
Endpoint Print detection not working even though it is enabled in the agent configuration.
0 | DllHooker.cpp(650)
05/13/2019 10:59:44 | 6108 | FINEST | CodeInjection.HookManager | Sesion 0: OpenProcess failed for process: Pid->10488 ProcessName->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Returned Error Code = 87 | DllHooker.cpp(357)
05/13/2019 10:59:44 | 6108 | FINEST | CodeInjection.HookManager | Session 0: Hooking failed for process: Pid->10488 ProcessName->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | HookingTask.cpp(63)
05/13/2019 10:59:44 | 5444 | FINER | CoreServices.ProcessActivity | Received rtam message for process C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(6312) create status(0) session Id(2) sandboxed
Environment
Windows 10
DLP 15.5
Cause
Windows Defender disables extension points disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers.
When runtimebroker.exe has Extension Points disabled, print detection will not work.
Resolution
Runtimebroker.exe needs to be whitelisted in Windows Defender.
Process to do this:
- Open Windows Defender
- App & Browser Control
- Exploit Protection
- Program Settings
- Then go to “RuntimeBroker.exe", choose edit and uncheck everything especially “Disable Extension Points”.
Feedback
Yes
No
Powered by
