Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.
Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
https://www.symantec.com
This chapter includes the following topics:
Endpoint detection matches events on endpoints where the Symantec DLP Agent is installed.
See “About Endpoint Prevent monitoring” on page 2296.
Symantec Data Loss Prevention provides several methods for detecting and excepting endpoint
events, and a collection of response rules for responding to them.
See “Response rule actions for endpoint detection” on page 1740.
Email/SMTP
    Simple Mail Transfer Protocol (SMTP) is a protocol for sending email messages between servers.
FTP
    The file transfer protocol (FTP) is used on the Internet for transferring files from one computer to another.
HTTP
    The hypertext transfer protocol (HTTP) is the underlying protocol that supports the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTP/SSL
    Hypertext transfer protocol over Secure Sockets Layer (HTTPS) is a protocol for sending data securely between a client and server.
CD/DVD
    The CD/DVD burner on the endpoint computer. This destination can be any type of third-party CD/DVD burning software.
Removable Storage Device
    Detect data that is transferred to any eSATA, FireWire, or USB connected storage device.
Copy to Network Share
    Detect data that is transferred to any network share or remote file access.
Printer/Fax
    Detect data that is transferred to a printer or to a fax that is connected to the endpoint computer. This destination can also be print-to-file documents.
Clipboard
    The Windows Clipboard used to copy and paste data between Windows applications.
Table 38-3 describes the various methods for implementing endpoint event monitoring.
Endpoint Device or Class ID
    Detect when users move endpoint data to a specific device.
Endpoint Location
    Detect when the endpoint is on or off the corporate network.
    See “About endpoint location detection” on page 917.
Add or modify the Endpoint Monitoring condition.
    Add a new Protocol or Endpoint Monitoring condition to a policy rule or exception, or modify an existing rule or exception condition.
    See “Configuring policy rules” on page 417.
Select one or more endpoint destinations.
    To detect when users move data on the endpoint, select one or more of the following:
    ■ Local Drive
    ■ CD/DVD
    ■ Removable Storage Device
    ■ Copy to Network Share
    ■ Printer/Fax
    ■ Clipboard
Monitor endpoint applications.
    To detect when endpoint applications access files, select the Application File Access option.
Match on the entire message.
    The DLP Agent evaluates the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select the other message components.
Also match one or more additional conditions.
    Select this option to create a compound condition. All conditions must match to trigger or except an incident.
Add or modify the Endpoint Location condition.
    Add a new Endpoint Location detection condition to a policy rule or exception, or modify an existing policy rule or exception.
    See “Configuring policy rules” on page 417.
Select the location to monitor.
    Select one of the following endpoint locations to monitor:
    ■ Off the corporate network
      Select this option to detect or except events when the endpoint computer is off of the corporate network.
    ■ On the corporate network
      Select this option to detect or except events when the endpoint computer is on the corporate network.
      This option is the default selection.
Match on the entire message.
    The DLP Agent evaluates the entire message, not individual message components.
Also match one or more additional conditions.
    Select this option to create a compound condition. All conditions must match to trigger or except an incident.
    You can Add any condition available from the list.
Select one or more devices.
    The condition matches when users move data from an endpoint computer to the selected device(s).
Match on the entire message.
    The DLP Agent matches on the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select other components.
Also match one or more additional conditions.
    Select this option to create a compound condition. All conditions must match to trigger or except an incident.
    You can Add any condition available from the drop-down menu.
1. Right-click My Computer.
2. Select Manage.
3. Select the Device Manager.
4. Click the plus sign beside any device to expand its list of device instances.
5. Double-click the device instance. Or, right-click the device instance and select Properties.
6. Look in the Details tab for the Device Instance Id.
7. Use the ID to create device metadata expressions.
See “Creating and modifying endpoint device configurations” on page 922.
See “About endpoint device detection” on page 917.
You can use the DeviceID utility for Windows and Mac endpoints to generate removable storage device information. See “About the Device ID utilities” on page 2496.
CD Drive
    IDE\\DISKST9160412ASG__________________0002SDM1\\4&F4ACADA&0&0\.0\.0
SD Card
    SDC&346128262
When implementing endpoint match conditions, keep in mind the following considerations:
■ Any detection method that executes on the endpoint matches on the entire message, not
individual message components.
See “Detection messages and message components” on page 391.
■ The Endpoint Destination and Endpoint Location methods are specific to the endpoint
computer and are not user-based.
See “Distinguish synchronized DGM from other types endpoint detection” on page 941.
■ You might often combine group and detection methods on the endpoint. Keep in mind that
the policy language ANDs detection methods with group methods, whereas methods of the same
type (two detection rules, for example) are ORed.
See “Policy detection execution” on page 394.
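The two device metadata expressions listed above (note their escaped backslashes and dots, which is how a regular expression spells a literal `\` and `.`) and the AND/OR rule in the last consideration can be tried out with the following added example. It is not Symantec's code and does not reproduce the DLP Agent's implementation; it assumes that a device metadata expression is a regular expression that must cover the whole Device Instance Id, that a matching policy exception suppresses the incident, and it models only the Endpoint Monitoring, Endpoint Location and Endpoint Device conditions from this chapter plus a simple user-group condition. The Device Instance Ids and the sample policy are constructed for the example.

```python
import re
from dataclasses import dataclass

# Endpoint destinations offered by the Endpoint Monitoring condition (from the page).
DESTINATIONS = frozenset({"Local Drive", "CD/DVD", "Removable Storage Device",
                          "Copy to Network Share", "Printer/Fax", "Clipboard"})

# Device metadata expressions. The first two are the page's own examples; the
# USB one is a constructed pattern, not from the page.
CD_DRIVE_EXPR = r"IDE\\DISKST9160412ASG__________________0002SDM1\\4&F4ACADA&0&0\.0\.0"
SD_CARD_EXPR = r"SDC&346128262"
USB_STICK_EXPR = r"USBSTOR\\DISK&VEN_.*"

# Constructed Device Instance Ids, shaped like what Device Manager shows.
CD_DRIVE_ID = r"IDE\DISKST9160412ASG__________________0002SDM1\4&F4ACADA&0&0.0.0"
SD_CARD_ID = "SDC&346128262"
USB_STICK_ID = r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789&0"


def device_matches(expression: str, instance_id: str) -> bool:
    """Match one device metadata expression against a Device Instance Id.
    Assumption: the expression is a regex that must cover the whole ID;
    Windows device IDs are not case sensitive, so neither is the match."""
    return re.fullmatch(expression, instance_id, re.IGNORECASE) is not None


@dataclass(frozen=True)
class Condition:
    kind: str          # "destination", "location", "device" or "group"
    values: frozenset  # destinations, locations, device expressions or groups


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple  # compound condition: every Condition must match


@dataclass(frozen=True)
class Policy:
    detection_rules: tuple
    group_rules: tuple = ()
    exceptions: tuple = ()


def condition_matches(cond: Condition, event: dict) -> bool:
    if cond.kind == "destination":
        unknown = cond.values - DESTINATIONS
        if unknown:
            raise ValueError(f"unknown endpoint destination(s): {sorted(unknown)}")
        return event["destination"] in cond.values
    if cond.kind == "location":
        return event["location"] in cond.values
    if cond.kind == "device":
        return any(device_matches(e, event.get("device_id", "")) for e in cond.values)
    if cond.kind == "group":
        return event["user_group"] in cond.values
    raise ValueError(f"unknown condition kind {cond.kind!r}")


def rule_matches(rule: Rule, event: dict) -> bool:
    """Compound condition: all conditions must match to trigger or except."""
    return all(condition_matches(c, event) for c in rule.conditions)


def policy_matches(policy: Policy, event: dict) -> bool:
    """Rules of the same type are ORed, detection and group rules are ANDed,
    and (assumed here) a matching exception suppresses the incident."""
    detected = any(rule_matches(r, event) for r in policy.detection_rules)
    in_group = (not policy.group_rules
                or any(rule_matches(r, event) for r in policy.group_rules))
    excepted = any(rule_matches(r, event) for r in policy.exceptions)
    return detected and in_group and not excepted


def build_sample_policy() -> Policy:
    """Constructed policy: flag Finance users copying to removable storage while
    off the corporate network, or burning a CD/DVD anywhere; except the known SD card."""
    off_net_removable = Rule("Removable storage off network", (
        Condition("destination", frozenset({"Removable Storage Device"})),
        Condition("location", frozenset({"Off the corporate network"})),
    ))
    cd_burn = Rule("CD/DVD burn", (Condition("destination", frozenset({"CD/DVD"})),))
    finance = Rule("Finance users", (Condition("group", frozenset({"Finance"})),))
    known_sd = Rule("Approved SD card", (Condition("device", frozenset({SD_CARD_EXPR})),))
    return Policy(detection_rules=(off_net_removable, cd_burn),
                  group_rules=(finance,), exceptions=(known_sd,))


def evaluate_samples() -> dict:
    """Run constructed endpoint events through the sample policy."""
    policy = build_sample_policy()
    off, on = "Off the corporate network", "On the corporate network"
    events = {
        "usb_off_net_finance": {"destination": "Removable Storage Device", "location": off,
                                "device_id": USB_STICK_ID, "user_group": "Finance"},
        "sd_off_net_finance": {"destination": "Removable Storage Device", "location": off,
                               "device_id": SD_CARD_ID, "user_group": "Finance"},
        "cd_on_net_finance": {"destination": "CD/DVD", "location": on,
                              "device_id": CD_DRIVE_ID, "user_group": "Finance"},
        "usb_off_net_engineering": {"destination": "Removable Storage Device", "location": off,
                                    "device_id": USB_STICK_ID, "user_group": "Engineering"},
        "clipboard_finance": {"destination": "Clipboard", "location": on, "user_group": "Finance"},
    }
    return {name: policy_matches(policy, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'incident' if hit else 'no incident'}")
```

The SD card event shows why an exception is evaluated as its own compound condition: the detection rule matches (removable storage, off network), but the device expression in the exception also matches, so no incident is raised. The Engineering event shows the AND between group and detection methods, and the CD/DVD event shows that either detection rule alone is enough because rules of the same type are ORed.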