DLP 15.8 OOXML plugin is not inspecting content within XLSX files generated by certain SAP based applications.
search cancel

DLP 15.8 OOXML plugin is not inspecting content within XLSX files generated by certain SAP based applications.

book

Article ID: 261795

calendar_today

Updated On: 03-30-2023

Products

Data Loss Prevention

Issue/Introduction

DLP 15.8 OOXML plugin is not inspecting content within XLSX files generated by certain SAP based applications.

Environment

Release: 15.8

Cause

The OOXML plugin is a wrapper around Microsoft’s Open XML SDK. The version of OOXML plugin in DLP 15.8 expects an element named <workbookPr> to be present in XML representation of XLSX documents. This element defines certain properties of the workbook such as the formatting of date information in the workbook. XLSX files generated by certain SAP based applications seem to be missing this information. Consequently, the plugin parses such files incorrectly.

Resolution

This issue can be addressed either by installing DLP 15.8 MP3 Hotfix 10 or by disabling the OOXML plugin for the Detection Server and the Endpoint Agents.

DLP 15.8 MP3 HF10 is available for download in the support portal. DLP 15.8 Mp3 Hotfix 10 will allow DLP to use OOXML, instead of KeyView, to inspect XLSX files that may be missing <workbookPr> element.

    • Hotfix_15.8.00310.01004_Server.zip
    • Hotfix_15.8.00310.01004_Endpoint_Win.zip
    • Hotfix_15.8.00310.01004_Endpoint_Mac.zip

These hotfixes need to be installed on all the DLP servers and the Endpoints in order to resolve the issue completely. 

Disable OOXML for Detection Servers and Endpoints

Note: Any detection rules that require over 90% matching of an IDM index will require re-indexing when switching between OOXML and Verity.

Detection server:

  1. Go to System > Servers and Detectors > Overview
  2. Select a detection server.
  3. Click Server Settings
  4. Find the setting ContentExtraction.OfficeOpenXMLPluginEnabled 
  5. Set the value to off and save.
  6. Restart the detection server services.

Endpoint Agents:

  1. Go to System > Agents > Agent Configuration
  2. Click on the Agent configuration used for all agents
  3. Click on the Advanced Settings tab
  4. Find the setting Detection.OFFICE_OPEN_XML_ENABLED
  5. Set the value to off and save
  6. Next Click Apply Configuration
  7. Select your agent configuration and click Update Configuration

Additional Information

Overall, the OOXML and Verity plugins have the same detection capabilities including the following: Detections of Microsoft Sheets, Embedded content objects, MIP encrypted (when configured). The table below depicts the minor differences between each plugin and what to expect when changing between plugins.

Content Extraction Testing Results

 

15.8 GA

15.8 MP3 Hotfix 10 

16 GA

16 MP1

Verity OOXML Verity OOXML Verity OOXML Verity OOXML

SAP Generated Excel Files

TRUE FALSE TRUE TRUE TRUE TRUE TRUE TRUE

Content Detection of Macros

TRUE FALSE TRUE FALSE TRUE FALSE TRUE FALSE

MIP Co-Author Tagging*

        FALSE FALSE FALSE TRUE

Structured Data Identifiers (SDI)**

        FALSE TRUE FALSE TRUE

* MIP co-author tagging support was added with DLP16.0 MP1.
** SDIs were added in DLP 16.0.