Symantec Data Loss Prevention (DLP)
Frequently customers will state that a new Endpoint Prevent policy is not working.
The three goals of this article are:
• Walk you through deploying a new basic keyword policy and response rule.
• Walk you through deploying the policy on an endpoint.
• Ensure that the endpoint agent has received the policy and configuration.
Applicable to all DLP releases, regardless of version.
In the Enforce console, browse to Manage > Policies > Policy List.
Click New.
Click Add a blank policy.
Name your policy. In this example we will create a simple keyword policy named purple-monkey to test channels.
Click Add Rule.
Select Content Matches Keyword and click Next.
For the rule name, type purple-monkey.
In the Match Any field, type purple-monkey.
Click OK at the top of the screen.
Click Save.
Now we will create the response rule. It is not required, but it is useful when testing.
Browse to Manage > Policies > Response Rules.
Click Add Response Rule.
Select Automated Response and click Next.
For Rule Name, enter Block.
In the Actions pull-down, under Endpoint, select Prevent: Block.
Click Add Action.
Click Save.
Now we add the response rule to our policy.
Browse to Manage > Policies > Policy List.
Click the purple-monkey policy we created.
Click the Response tab.
In the pull-down, select Block.
Click Add Response.
In the top left, click Save.
We now have a policy that looks for the keyword purple-monkey and applies an endpoint block, which we can use for testing.
Testing Channels:
Browse to System > Agents > Overview and click OK to get to the agent list.
Note which agent group and configuration the endpoint you are testing with belongs to, and confirm that the agent is reporting.
Now browse to System > Agents > Agent Configuration and select the configuration you are testing with.
Now select the channels you are testing. In this case we will be testing Copy and Paste in Firefox.
Ensure the appropriate channels are selected.
Note that the Paste function is marked (configured applications only).
Click the Application Monitoring tab, click Add Application, and select Windows or Mac.
Scroll down, select Mozilla Firefox, click Add, and click Save.
Click Mozilla Firefox in the application list.
In the application monitoring settings, change the functionality to Paste and click OK.
Click Save in the agent configuration screen.
In the next screen, select Apply Configuration.
Check the appropriate agent group and click Assign Configuration.
Select your configuration and click OK.
If you get an error stating that it is already assigned, that is fine.
Now select the configuration again and click Update Configuration.
Note the Last Deployment Date and time of the deployment.
Now browse to Manage > Policies > Policy List.
Note the Last Modified date and time of the corresponding policy.
Now let’s move to the endpoint machine we are testing with.
On the endpoint machine, open a file explorer window and browse to the agent installation directory:
C:\Program Files\Manufacturer\Endpoint Agent on Windows, or
/Library/Manufacturer/Endpoint Agent on Mac.
Look at the timestamps on cg.ead (the configuration) and ps.ead (the policy), and ensure that the date and time of both files is later than the date and time of the configuration deployment and the policy modification noted above.
Please note that cg.ead (configuration) is generally delivered immediately, whereas the policy (ps.ead) will wait until the next agent polling interval. Network conditions can also slow the process down.
Rebooting the endpoint will usually force the agent to refresh and the files will be updated, unless the agent is having trouble communicating with the Endpoint Server. Please note: agents connecting remotely via VPN will not get an automatic update on reboot; you must wait for the polling interval to expire.
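The timestamp check above can be scripted so that it is repeatable on every test endpoint. The following script is an added example; it is not part of Symantec DLP or of this article. It assumes the default install directories named above (an optional DLP_AGENT_DIR environment variable, which is an assumption of this example and not an agent setting, overrides them), and it only compares file modification times, as the article does, because the .ead files are not human-readable. The two deployment times are passed on the command line in the endpoint's local time, so translate the times shown in the Enforce console (displayed in the Enforce server's time zone) into the endpoint's time zone, and make sure the endpoint's clock is in sync, before trusting a "stale" result.

```python
"""Check whether a Symantec DLP Endpoint Agent has picked up a new
configuration (cg.ead) and policy (ps.ead) by comparing the files'
modification times with the deployment times noted in Enforce.

Usage (times are ISO-8601, interpreted as local time on the endpoint):
  python check_agent_files.py "2024-05-01 14:32" "2024-05-01 14:35"
The first argument is the Last Deployment Date of the agent
configuration, the second the Last Modified time of the policy.
"""
import os
import platform
import sys
from datetime import datetime

# Default install locations named in the article. DLP_AGENT_DIR is an
# assumption of this example (not an agent setting) for non-default paths.
DEFAULT_DIRS = {
    "Windows": r"C:\Program Files\Manufacturer\Endpoint Agent",
    "Darwin": "/Library/Manufacturer/Endpoint Agent",
}

# File name -> which Enforce timestamp it must be newer than.
WATCHED = {
    "cg.ead": "configuration",
    "ps.ead": "policy",
}


def agent_dir():
    """Resolve the agent directory for this platform (or the override)."""
    override = os.environ.get("DLP_AGENT_DIR")
    if override:
        return override
    return DEFAULT_DIRS.get(platform.system(), DEFAULT_DIRS["Windows"])


def parse_local(text):
    """Parse an ISO-8601 string as a naive local-time datetime."""
    return datetime.fromisoformat(text)


def check_agent_files(directory, deployed):
    """Compare each watched file's mtime with the matching Enforce time.

    deployed: {"configuration": datetime, "policy": datetime} (local time)
    Returns {filename: (status, mtime_or_None)} where status is
    "current" (file newer than the deployment), "stale" or "missing".
    """
    results = {}
    for name, kind in WATCHED.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = ("missing", None)
            continue
        mtime = datetime.fromtimestamp(os.path.getmtime(path))
        status = "current" if mtime > deployed[kind] else "stale"
        results[name] = (status, mtime)
    return results


def main(argv):
    if len(argv) != 3:
        print(__doc__)
        return 2
    deployed = {
        "configuration": parse_local(argv[1]),
        "policy": parse_local(argv[2]),
    }
    results = check_agent_files(agent_dir(), deployed)
    exit_code = 0
    for name, (status, mtime) in results.items():
        kind = WATCHED[name]
        shown = mtime.strftime("%Y-%m-%d %H:%M:%S") if mtime else "n/a"
        enforce = deployed[kind].strftime("%Y-%m-%d %H:%M:%S")
        print(f"{name:7} ({kind:13}) {status:8} file={shown} enforce={enforce}")
        if status != "current":
            exit_code = 1
    if exit_code:
        print("Agent has not picked up the latest configuration/policy yet; "
              "wait for the next polling interval or reboot the endpoint.")
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once right after clicking Update Configuration and again after the polling interval: cg.ead normally flips to "current" on the first run, while ps.ead may still report "stale" until the next poll, which is exactly the behaviour described above. A non-zero exit code makes the check easy to wire into a larger pre-test script.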
Now that we have verified that the agent has the updated policy and configuration files, we can test the channel.
In this case we will open Firefox and browse to https://dlptest.com/
We will use the HTTP POST and HTTPS POST tests.
Note that in this example you cannot copy the purple-monkey keyword, because copy is being blocked, so the Copy function will need to be removed from the configuration in order to complete the test.
Repeat the above steps to update the configuration, and verify that the configuration was updated by checking the timestamp on cg.ead on the endpoint.