Flex Response Plug-in for Symantec Endpoint Encryption Removable Media Encryption Implementation Guide
Article ID: 213405
Updated On:
Products
Issue/Introduction
Symantec Endpoint Encryption Removable Media Encryption (SEE RME) can integrate with DLP so that data copied to removable devices can be done so based on policy to ensure sensitive data is always encrypted on these devices. This feature is called "DLP Integration. This document will walk through the process to use these tools for proper integration.
Resolution
Symantec Endpoint Encryption Removable Media Encryption has integration with Symantec DLP. The DLP configuration is a critical step to configure this integration. For more information on the DLP side of this integration, see the following KB:
DLP Agent Flex Response Plug-in Install and Configuration (broadcom.com)
This document will focus on the SEE RME side and necessary DLP configuration to make this work.
Important Note for DLP 15.8:
Table of Contents
- Section 1 of 4: Prerequisites For SEE RME with DLP Integration
- Section 2 of 4: Installing and configuring the Symantec Endpoint Encryption FlexResponse Plug-In
- Section 3 of 4: Configuring Rules for Symantec Data Loss Prevention to use the SEE RME Flex Response Plug-in
- Section 4 of 4: Uninstalling the Symantec Endpoint Encryption FlexResponse Plug-In
Implementation Guide Outline
The Symantec Endpoint Encryption FlexResponse Plug-In integrates the detection and enforcement capabilities of Symantec Data Loss Prevention with the encryption features of Symantec Endpoint Encryption Removable Media Encryption. With the Symantec Endpoint Encryption FlexResponse Plug-In for Data Loss Prevention, any sensitive files that are written to a removable media can be encrypted automatically.
When you write a file to a removable media device, Symantec Data Loss Prevention determines that the file conforms to the Symantec Data Loss Prevention detection rule defined by your organization.
When the file is sensitive, Symantec Data Loss Prevention executes the Symantec Endpoint Encryption FlexResponse Plug-In as specified in its response rule. The FlexResponse Plug-In then communicates with Symantec Endpoint Encryption Removable Media Encryption to encrypt the file. Based on the availability of default credentials, Symantec Endpoint Encryption either prompts for a credential or encrypts the file automatically.
Section 1 of 4: Prerequisites For SEE RME with DLP Integration
*Item 1: Install Symantec Endpoint Encryption Removable Media Encryption on client machines
It is recommended to be on the latest version of SEE RME. As of this writing, the best version for SEE RME Integration is SEE 11.4.
Check the following article to find out what the current version of SEE is that you should be on:
Symantec Encryption Products Current Version Available (broadcom.com)
*Item 2: Configure SEE Policy on the SEE Management Server to enable DLP integration
To work with Symantec Data Loss Prevention, the encryption policy for Removable Media Encryption needs to be configured to enabled Symantec DLP integration.
You can enable this policy when you create the client installation package or update the policies via SEE Management Server.
On Symantec Endpoint Encryption Management Server, select the Encrypt files as per Symantec Data Loss Prevention option to enable this policy.
*Item 3: Install Symantec Data Loss Prevention on client machines
As mentioned above, it is recommended to be on the latest version. For Symantec DLP, the best version to be on is DLP 15.8 MP1 or above.
*Item 4: Symantec Endpoint Encryption FlexResponse Plug-In (EERPlugin_flexresponse.zip)
Each installation of SEE RME already come with the latest version of this utility. If you are running SEE 11.3 or older with DLP 15.8, it is recommended to upgrade to the above versions mentioned. If this is not possible, you will need to acquire an updated binary for SEE RME and be on DLP 15.8 MP1 or later.
For guidance in obtaining this updated binary, reach out to Symantec Encryption Support. Otherwise, it is best to update based on the recommendations above.
*Item 5: DLP Endpoint FlexResponse Utility (flrinst.exe)
In order for the integration to happen properly, a DLP binary called "flrinst.exe" needs to be used. This can be obtained from the Symantec Support Team for either of these products.
*Item 6: Configure DLP Detection Rules
Configuration of Symantec Data Loss Prevention involves adding a detection rule to the policy to identify the sensitive files and creating and configuring a response rule specific to FlexResponse to ensure that the sensitive files are acted upon by Removable Media Encryption. After you create and configure a response rule specific to FlexResponse, you must add the response rule to the policy.
Section 2 of 4: Installing and configuring the Symantec Endpoint Encryption FlexResponse Plug-In
Before you install the Symantec Endpoint Encryption FlexResponse Plug-In, ensure that you have installed Symantec Endpoint Encryption Removable Media Encryption on the client computer. The EERPlugin_flexresponse.zip file that you require to install the Symantec Endpoint Encryption FlexResponse Plug-In is available in the installation directory of Removable Media Encryption:
C:\Program Files\Symantec\Endpoint Encryption Clients\Removable Media Encryption
Note 1: You must set up the default credentials for encryption after you install Removable Media Encryption.
Note 2: Ensure that you do not set any credentials for the Symantec Endpoint Encryption FlexResponse Plug-in.
Step 1: Install the Symantec DLP Agent on each client computer. For installation steps, see the Symantec Data Loss Prevention Installation Guide.
Step 2: Locate the EERPlugin_flexresponse.zip file on the client computer. After installation of Removable Media Encryption, this file is available at the following location:
C:\Program Files\Symantec\Endpoint Encryption Clients\Removable Media Encryption
Important Note: If you are on SEE 11.3 and using DLP 15.8, it is recommended you upgrade. See Item 1 in the Prerequisites Section for more information on this.
You can also place the EERPlugin_flexresponse.zip file in a network location that each client computer can access.
Step 3: Locate the folder in which the Symantec DLP Agent was installed. By default, the following path is typically used:
C:\Program Files\Manufacturer\Endpoint Agent\
Step 4: Copy the "flrinst.exe" binary in the Endpoint Agent location in Step 3.
Step 5: Now open a command prompt as an administrator and navigate to the Endpoint Agent path (C:\Program Files\Manufacturer\Endpoint Agent\).
The following command will install the configuration needed to use the SEE RME integration binary:
flrinst.exe -op=install -package="path\EERPlugin_flexresponse.zip"
In the example above, the "EERPlugin_flexresponse.zip" was located in the "C:\Program Files\Symantec\Endpoint Encryption Clients\Removable Media Encryption" directory.
We ran the "flrinst.exe" command from the "C:\Program Files\Manufacturer\ Endpoint Agent" directory.
The above command paths can be adapted to your specific needs, but make sure not to put the flrinst.exe binary in the "tools" directory for DLP "Endpoint Agent" as this may cause issues and not execute properly. The following errors may be displayed:
"The code execution cannot proceed because PGPce.dll was not found. Reinstalling the program may fix this problem".
"The code execution cannot proceed because boost_filesystem-vc142-mt-x4-1_72.dll was not found."
Similar errors may be presented referencing other binaries for SEE or DLP, but this typically means the flrinst.exe binary exists in the directory where these other binaries exist, and cannot build the configuration properly.
The command above will prompt you for the password. Once authenticated, the configuration logic will be installed.
Step 6: To complete the installation restart the EDPA service.
Step 7: In the example above, we'll have the package located C:\Program Files\Manufacturer\ Endpoint Agent.
Run the following command to retrieve more information about what is installed:
flrinst.exe -op=list
This command displays the package name, package size, and install time for verification and could be useful information for you to make note of.
Step 8: Delete the flrinst.exe file from the client computers. Removal of the FlexResponse utility prevents end users from tampering with
Symantec Data Loss Prevention endpoint security policies.
Section 3 of 4: Configuring Rules for Symantec Data Loss Prevention to use the SEE RME Flex Response Plug-in
Step 1: Now that the flex response plug-in has been installed for DLP and SEE RME integration, you are now able to configure your enforce rules to trigger this flex response based on the criteria you with to use. Open DLP and select the Removable Storage option in the Agent Monitoring > Enable Monitoring section of the Enforce Server.
Step 2: Create or edit a policy and then add a detection rule to the policy that identifies the files that should be encrypted.
Step 3: Select "Automated Response" as the response rule type and click Next.
Step 4: Provide a name for the response rule in the Rule Name box and a description for the response rule in the Description box. Click "Add Condition".
Step 5: Select "Protocol or Endpoint Monitoring".
Step 6: Select "Is Any Of".
Step 7: Select "Endpoint Removable Storage Device".
Step 8: Select "Endpoint: FlexResponse" from the Actions list and click Add Action.
Step 9: Type "EERPlugin_flexresponse" in the Python Plugin box
Important: Ensure that you type the EERPlugin_flexresponse without the file extension. The plug-in name is case-sensitive.
Step 10: Do not add any value for the "Add Parameter" option. Now click Save.
The following screenshot is how you would configure the DLP configuration screen for policy as described above:
Once the above has been configured, you can test these policies by plugging in a removable device, such as a USB drive, and copy files over the trigger the rules.
It would also be a good idea to copy files over that do not trigger the rules to see if those get encrypted.
Content should be encrypted that are triggering these DLP rules. If they are not triggering the rules, review the response rules mentioned above to ensure they are accurate.
Section 4 of 4: Uninstalling the Symantec Endpoint Encryption FlexResponse Plug-In
Step 1: Locate the folder in which the Symantec DLP Agent was installed. By default, and in this example, the following path is used:
C:\Program Files\Manufacturer\Endpoint Agent
Step 2: Step 3: Place a copy of the Endpoint FlexResponse utility (flrinst.exe) in the directory above.
Step 3: Navigate to the above path and run the following command to uninstall:
flrinst.exe -op=uninstall -package=EERPlugin_flexresponse.zip
Step 5: To verify successful uninstallation of the FlexResponse Plug-In, run the following command:
flrinst.exe -op=list
This command should not display the FlexResponse Plug-in package.
Step 6: To complete the uninstallation, restart the EDPA service.
Step 7: Delete the flrinst.exe file from the client computers. Removal of the FlexResponse utility prevents end users from tampering with
Symantec Data Loss Prevention endpoint security policies.
Now on the DLP side, you should be able to configure your policies for the incidents. There are various methods for filtering, such as the following:
In this example, we will be triggering for USB devices, but there are many ways to filter.
Again, for this example we will be triggering encryption based on keywords. The following is a sample for this type of configuration:
In the policy rule "Encrypt files to USB" above, you can see this will trigger based on the keywords of "Confidential" or "Encrypt me" ("Encrypt me" will be considered one word").
This means if a file has these keywords, they will be encrypted to the USB drive when they are copied to them.
Note: There are many ways to apply these rules. However; keep in mind that the policy rules that are configured, are associated to Agent Configurations.
If you create a new Agent Configuration, once it is configured, be sure to "Update Configuration", otherwise, these rules will not get triggered properly:
As you can see above, you have the "Encrypt Me Group" and the "Encrypt Me Configuration". When you click "Update Configuration", you will see the configuration will then be in effect for the group.
The rule part of this configuration should then be triggered and when you go to your incidents, you will see a green checkmark next to the incident, indicating the rule matched as expected:
If you go to the incident and look at the History tab, you can see the rundown. In this example, the file "Encrypt me file.txt" is linked to the successful Encryption event triggered:
"File is encrypted" is the end result of this action when the incident is triggered based on the policy for the Agent Configuration.
Note: When you copy files to the USB Drive as per this scenario, they will always get encrypted. If the file does not match the policy, after about 10 seconds, the file will then decrypt.
This ensures that any data that gets copied to USB drives will always remain secure, even if they are eventually found to be benign.
See the following article for more information on Policies and configuration:
Additional Information
Symantec Endpoint Encryption Removable Media Encryption FAQs - General Information (broadcom.com)
How can I Recover Files Encrypted with Symantec Removable Media Encryption (RME)? (broadcom.com)
For additional information about this configuration, see the Symantec Data Loss Prevention Administration Guide.
Feedback
