Some private keys are not being detected by Endpoint Prevent

Article ID: 277385

Updated On:

Products

Data Loss Prevention

Issue/Introduction

You are trying to monitor the upload of private keys using DLP Endpoint Prevent.
You have created two different policies, one a keyword policy and the other a regex policy, to detect the BEGIN statement at the start of the key:
(-----BEGIN RSA PRIVATE KEY-----) or (-----BEGIN PRIVATE KEY-----)
Some of the keys are detected and some are not.

Private key files that have exactly one carriage return/line feed (CRLF) after the END statement, (-----END RSA PRIVATE KEY-----) or (-----END PRIVATE KEY-----), are not detected.
Files with no CRLF, or with two or more CRLFs, after the END statement are detected.

Environment

DLP 15.8 MP3 and 16.0 GA

Cause

In 15.8 and 16.0 GA, the KeyView included in those versions does not have a reader for PEM files.
KeyView sees the key with the single carriage return as a PEM file and, since there is no reader for that file type, it cannot read the contents of the file.
The KeyView filter tool returns the following message when attempting to read the key file with one carriage return at the end:

"FilterFileToFile can NOT filter the input file <file path and name>"

By contrast, the 15.8 and 16.0 GA KeyView sees a key without a carriage return, or with more than one carriage return, as an ASCII file type.
KeyView can read the ASCII file.

Resolution

The updated KeyView included with 16.0 RU1 reads PEM files and detects the key files with or without the CRLF at the end of the file.
Upgrade DLP to 16.0 RU1.

The KeyView tool is only updated in major releases.
There will not be a hotfix to update the KeyView in the older releases.
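
An added example (not part of the original article or the product) for auditing a directory of key files against the condition described above: it classifies each file by what follows the last END statement and lists the files that end in exactly one CRLF. The function names, the size limit and the sample key body are assumptions made for the illustration; files ending in a bare LF are reported separately because the article does not say how KeyView treats them.

```python
import re
from pathlib import Path

# BEGIN/END statements as quoted in the article.
BEGIN_RE = re.compile(rb"-----BEGIN (?:RSA )?PRIVATE KEY-----")
END_RE = re.compile(rb"-----END (?:RSA )?PRIVATE KEY-----")
MAX_BYTES = 1_000_000  # assumption: key files are small; larger files are skipped


def classify_key_file(data: bytes) -> str:
    """Classify file content by what follows its last END statement."""
    if not BEGIN_RE.search(data):
        return "no-key"
    ends = list(END_RE.finditer(data))
    if not ends:
        return "no-end-statement"
    tail = data[ends[-1].end():]
    if tail.strip(b"\r\n"):
        return "content-after-end"   # not covered by the article
    crlf = tail.count(b"\r\n")
    if crlf * 2 != len(tail):
        return "non-crlf-ending"     # bare LF or CR: not covered by the article
    # Exactly one CRLF is the case the article reports as not detected
    # on 15.8 MP3 and 16.0 GA.
    return "single-crlf" if crlf == 1 else "zero-or-multiple-crlf"


def find_single_crlf_keys(root: str) -> list[str]:
    """Return paths under root whose key file ends in exactly one CRLF."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.stat().st_size <= MAX_BYTES:
            if classify_key_file(path.read_bytes()) == "single-crlf":
                hits.append(str(path))
    return hits


# Constructed sample: placeholder body, not a real key.
SAMPLE = (b"-----BEGIN RSA PRIVATE KEY-----\r\n"
          b"PLACEHOLDER-NOT-A-REAL-KEY\r\n"
          b"-----END RSA PRIVATE KEY-----")

if __name__ == "__main__":
    for n in range(3):
        print(n, "trailing CRLF ->", classify_key_file(SAMPLE + b"\r\n" * n))
```
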