DLP Endpoint Agent not detecting printing of Microsoft Office documents.

Article ID: 270812


Products

Data Loss Prevention Enforce

Issue/Introduction

One or both of the following may occur:

  • Print detection fails for Microsoft Office documents synchronised with Office365/OneDrive that contain sensitive data or metadata.
  • Incidents generated for Microsoft Office documents synchronised with Office365/OneDrive are missing the size.

Environment

Release : 16.0

Cause

The agent needs a certain amount of time to hook into the application before it can perform detection.

When a document is synchronised with Office365/OneDrive, the standard application hooking time can be exceeded. As a result, the detection is missed or part of the detection information is not captured.

In edpa_ext0.log you might see the following timeout:

05/25/2023 17:08:20 | 10984 | FINER   | CoreServices.ProcessActivity | Received rtam message for process C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE(4656) create status(1) session Id(1) sandboxed appliction(0) store appliction(0) subsystem application (0)
05/25/2023 17:08:20 |  3140 | FINER   | Configuration.ApplicationSettingsHandler | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE {application id: -139} Microsoft Office Excel
05/25/2023 17:08:20 |  3140 | FINEST  | CoreServices.MessageLogger | MESSAGETYPE_PROCESS_ACTIVITY    MESSAGESOURCE_RTAM_CONNECTOR  05/25/2023 16:08:20  [Action: Create  Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE  PID: 4656]
05/25/2023 17:08:20 |  3140 | FINEST  | CodeInjection.HookManager | New process notification from RTAM for process 4656 | C:\VontuDev\workDir\Agent\HookManager\HookConnector.cpp(270)
05/25/2023 17:08:20 |  3140 | FINEST  | CodeInjection.HookManager | Session 0: Trying to hook into : Pid->4656 ProcessName->C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | C:\VontuDev\workDir\Agent\HookManager\ProcessInjector.cpp(119)
05/25/2023 17:08:20 | 14936 | FINEST  | CodeInjection.HookManager | Session 0: Process filtered: Pid->4656 ProcessName->C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | C:\VontuDev\workDir\Agent\HookManager\HookingTask.cpp(78)
05/25/2023 17:08:20 |  3140 | FINER   | FileSystem.ApplicationChecklist | PID: 4656 was not on ApplicationList. Process monitored is : 1
05/25/2023 17:08:20 | 19928 | FINER   | Configuration.ApplicationSettingsHandler | C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE {application id: -139} Microsoft Office Excel
05/25/2023 17:08:20 | 16068 | FINEST  | CodeInjection.POMClient | DLL injection is skipped, possible reason: TimeOut. Process ID:4656, Process Name:C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE. | C:\VontuDev\workDir\GeneralHooks\ProcessOperationMonitor\Src\POMHook.cpp(362)

Resolution

Modify the Hooking.APPLICATION_LOAD_TIMEOUT.int setting in the Endpoint Agent Advanced settings and apply the change to the endpoint agent. Before testing again, make sure the timestamp of the local cg.ead file in the Endpoint Agent installation folder has been updated. For testing purposes, try changing the value to 600000. You may need to increase or decrease the value to suit your environment.
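
To check whether hooking still times out after the change, edpa_ext0.log can be scanned for the POMClient timeout message shown under Cause. The Python script below is an added example, not Broadcom tooling; the function names and the third sample line are constructed, and the message patterns are taken from the log excerpt in this article.

```python
import re
import sys

# Message patterns taken from the edpa_ext0.log excerpt in this article.
ATTEMPT_RE = re.compile(r"Trying to hook into : Pid->(?P<pid>\d+)")
TIMEOUT_RE = re.compile(
    r"DLL injection is skipped, possible reason: TimeOut\. "
    r"Process ID:(?P<pid>\d+), Process Name:(?P<path>.+?\.exe)\.", re.IGNORECASE)

def parse_line(line):
    """Split 'time | thread | level | component | message' into a dict."""
    parts = [p.strip() for p in line.split("|", 4)]
    if len(parts) < 5:
        return None  # continuation or malformed line
    return dict(zip(("time", "thread", "level", "component", "message"), parts))

def scan(lines):
    """Return (PIDs with a hook attempt, list of timed-out injections)."""
    attempted, timeouts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["component"].startswith("CodeInjection."):
            continue
        m = ATTEMPT_RE.search(rec["message"])
        if m:
            attempted.add(int(m["pid"]))
        m = TIMEOUT_RE.search(rec["message"])
        if m:
            exe = m["path"].rsplit("\\", 1)[-1].upper()
            timeouts.append({"time": rec["time"], "pid": int(m["pid"]), "exe": exe})
    return attempted, timeouts

# First two lines come from the article's excerpt; the third is constructed.
SAMPLE = [
    r"05/25/2023 17:08:20 |  3140 | FINEST  | CodeInjection.HookManager | Session 0: Trying to hook into : Pid->4656 ProcessName->C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | C:\VontuDev\workDir\Agent\HookManager\ProcessInjector.cpp(119)",
    r"05/25/2023 17:08:20 | 16068 | FINEST  | CodeInjection.POMClient | DLL injection is skipped, possible reason: TimeOut. Process ID:4656, Process Name:C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE. | C:\VontuDev\workDir\GeneralHooks\ProcessOperationMonitor\Src\POMHook.cpp(362)",
    r"05/25/2023 17:09:02 |  3140 | FINEST  | CodeInjection.HookManager | Session 0: Trying to hook into : Pid->7012 ProcessName->C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | C:\VontuDev\workDir\Agent\HookManager\ProcessInjector.cpp(119)",
]

if __name__ == "__main__":
    lines = SAMPLE
    if len(sys.argv) > 1:  # optional argument: path to edpa_ext0.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    attempted, timeouts = scan(lines)
    print(f"{len(attempted)} hook attempts, {len(timeouts)} injection timeouts")
    for t in timeouts:
        print(t["time"], t["pid"], t["exe"])
```

In the excerpt the timeout line is logged at FINEST, so an agent logging at a coarser level may not record it.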

Additional Information

Advanced agent settings

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=QljUqwOJGSCOjbxrCSViTQ==