
Symantec Data Loss Prevention Administration Guide

Documentation version: 15.5d

Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
This chapter includes the following topics:

■ Introducing endpoint event detection

■ Configuring endpoint event detection conditions

■ Best practices for using endpoint detection

Introducing endpoint event detection

Endpoint detection matches events on endpoints where the Symantec DLP Agent is installed.
See “About Endpoint Prevent monitoring” on page 2296.
Symantec Data Loss Prevention provides several methods for detecting and excepting endpoint
events, and a collection of response rules for responding to them.
See “Response rule actions for endpoint detection” on page 1740.

About endpoint protocol monitoring

On the endpoint you can detect data loss based on the transport protocol, such as email
(SMTP), Web (HTTP), and file transfer (FTP).
See “Configuring the Endpoint Monitoring condition” on page 918.

Email/SMTP: Simple Mail Transfer Protocol (SMTP) is a protocol for sending email messages
between servers.

FTP: The file transfer protocol (FTP) is used on the Internet for transferring files from one
computer to another.

HTTP: The hypertext transfer protocol (HTTP) is the underlying protocol that supports the World
Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web
servers and browsers should take in response to various commands.

HTTP/SSL: Hypertext transfer protocol over Secure Sockets Layer (HTTPS) is a protocol for
sending data securely between a client and server.

About endpoint destination monitoring

You can also detect endpoint data loss on the destination where data is copied or moved,
such as CD/DVD drive, USB device, or the clipboard.
See “Configuring the Endpoint Monitoring condition” on page 918.

Local Drive: Monitor the local disk.

CD/DVD: The CD/DVD burner on the endpoint computer. This destination can be any type of
third-party CD/DVD burning software.

Removable Storage Device: Detect data that is transferred to any eSATA, FireWire, or USB
connected storage device.

Copy to Network Share: Detect data that is transferred to any network share or remote file
access.

Printer/Fax: Detect data that is transferred to a printer or to a fax that is connected to the
endpoint computer. This destination can also be print-to-file documents.

Clipboard: The Windows Clipboard used to copy and paste data between Windows applications.

About endpoint global application monitoring

The DLP Agent monitors applications when they access sensitive files. The DLP Agent monitors
any third-party application you add and configure at the System > Agents > Global Application
Monitoring screen.
You can create exceptions for allowable use scenarios.
See “Adding a Windows application” on page 2468.
See “Configuring the Endpoint Monitoring condition” on page 918.
See “Changing global application monitoring settings” on page 2462.

About endpoint location detection

You can detect or except events based on the location of the endpoint.
Using the Endpoint Location detection method, you can choose to detect incidents only when
the endpoint is on or off the network.
For example, if you already have other rules in place for detecting network incidents, you
might configure this condition to match only when users are off the corporate network. The
Endpoint Location detection method achieves this result.
See “Configuring the Endpoint Location condition” on page 919.

About endpoint device detection

Symantec Data Loss Prevention lets you detect or except specific endpoint devices based on
device metadata that you define. You can configure a condition to allow endpoint users to copy
files to a specific device class, such as USB drives from a single manufacturer.
For example, a policy author has a set of USB flash drives with serial numbers that range from
001-010. These are the only flash drives that should be allowed to access the company’s
endpoints. The policy administrator adds the serial number metadata into an exception of a
policy so that the policy applies to all USB flash drives except for the drives whose serial
numbers fall into the 001-010 range. In this fashion the device metadata allows only “trusted
devices” to carry company data.
See “Creating and modifying endpoint device configurations” on page 922.
The Endpoint Device Class or ID condition detects specific removable storage devices based
on their definitions. By contrast, the Endpoint Destination parameters in the Endpoint Monitoring
condition detect any removable storage device on the endpoint.
See “Configuring the Endpoint Device Class or ID condition” on page 920.

Table 38-3 describes the various methods for implementing endpoint event monitoring.

Endpoint Protocol Monitoring: Detect endpoint data based on the protocol.
    See “About endpoint protocol monitoring” on page 915.
    See “Configuring the Endpoint Monitoring condition” on page 918.

Endpoint Destination Monitoring: Detect endpoint data based on the destination.
    See “About endpoint protocol monitoring” on page 915.
    See “Configuring the Endpoint Monitoring condition” on page 918.

Endpoint Application Monitoring: Detect endpoint data based on the application.
    See “About endpoint protocol monitoring” on page 915.
    See “Configuring the Endpoint Monitoring condition” on page 918.

Endpoint Device or Class ID: Detect when users move endpoint data to a specific device.
    See “About endpoint device detection” on page 917.
    See “Configuring the Endpoint Device Class or ID condition” on page 920.

Endpoint Location: Detect when the endpoint is on or off the corporate network.
    See “About endpoint location detection” on page 917.
    See “Configuring the Endpoint Location condition” on page 919.

Configuring the Endpoint Monitoring condition

The Endpoint Monitoring condition matches on endpoint message protocols, destinations, and
applications.
You can implement an instance of the Endpoint Monitoring condition in one or more policy
detection rules and exceptions.

This topic does not address network protocol monitoring configuration.
See “Configuring the Protocol Monitoring condition for network detection” on page 913.

Add or modify the Endpoint Monitoring condition.
    Add a new Protocol or Endpoint Monitoring condition to a policy rule or exception, or modify
    an existing rule or exception condition.
    See “Configuring policy rules” on page 417.
    See “Configuring policy exceptions” on page 426.
    See “Configuring policies” on page 413.

Select one or more endpoint protocols to match.
    To detect Endpoint incidents, select one or more of the following:
    ■ Email/SMTP
    ■ HTTP
    ■ HTTPS/SSL
    ■ FTP
    See “About endpoint protocol monitoring” on page 915.

Select one or more endpoint destinations.
    To detect when users move data on the endpoint, select one or more of the following:
    ■ Local Drive
    ■ CD/DVD
    ■ Removable Storage Device
    ■ Copy to Network Share
    ■ Printer/Fax
    ■ Clipboard
    See “About endpoint protocol monitoring” on page 915.

Monitor endpoint applications.
    To detect when endpoint applications access files, select the Application File Access option.
    See “About global application monitoring” on page 2461.

Match on the entire message.
    The DLP Agent evaluates the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select the other message
    components.
    See “Detection messages and message components” on page 391.

Also match one or more additional conditions.
    Select this option to create a compound condition. All conditions must match to trigger or
    except an incident.
    You can Add any condition available from the list.
    See “Configuring compound match conditions” on page 429.

Configuring the Endpoint Location condition

The Endpoint Location condition matches endpoint events based on the location of the endpoint
computer where the DLP Agent is installed.
You can implement an instance of the Endpoint Location condition in one or more policy
detection rules and exceptions.
See “Configuring policies” on page 413.

Add or modify the Endpoint Location condition.
    Add a new Endpoint Location detection condition to a policy rule or exception, or modify an
    existing policy rule or exception.
    See “Configuring policy rules” on page 417.
    See “Configuring policy exceptions” on page 426.

Select the location to monitor.
    Select one of the following endpoint locations to monitor:
    ■ Off the corporate network
      Select this option to detect or except events when the endpoint computer is off of the
      corporate network.
    ■ On the corporate network
      Select this option to detect or except events when the endpoint computer is on the
      corporate network.
      This option is the default selection.
    See “About endpoint location detection” on page 917.

Match on the entire message.
    The DLP Agent evaluates the entire message, not individual message components.
    The Envelope option is selected by default. The other message components are not
    selectable.
    See “Detection messages and message components” on page 391.

Also match one or more additional conditions.
    Select this option to create a compound condition. All conditions must match to trigger or
    except an incident.
    You can Add any condition available from the list.
    See “Configuring compound match conditions” on page 429.

See “About endpoint location detection” on page 917.
See “Configuring the Endpoint Location condition” on page 919.

Configuring the Endpoint Device Class or ID condition

The Endpoint Device Class or ID condition lets you detect when users move endpoint data to
specific devices.
You can implement the Endpoint Device Class or ID condition in one or more policy detection
rules or exceptions.
See “Configuring policies” on page 413.

Add or modify an Endpoint Device condition.
    Add a new Endpoint Device Class or ID condition to a policy rule or exception, or modify an
    existing one.
    See “Configuring policy rules” on page 417.
    See “Configuring policy exceptions” on page 426.

Select one or more devices.
    The condition matches when users move data from an endpoint computer to the selected
    device(s).
    Click Create an endpoint device to define one or more devices.
    See “Creating and modifying endpoint device configurations” on page 922.

Match on the entire message.
    The DLP Agent matches on the entire message, not individual message components.
    The Envelope option is selected by default. You cannot select other components.
    See “Detection messages and message components” on page 391.

Also match one or more additional conditions.
    Select this option to create a compound condition. All conditions must match to trigger or
    except an incident.
    You can Add any condition available from the drop-down menu.
    See “Configuring compound match conditions” on page 429.

See “About endpoint device detection” on page 917.

Gathering endpoint device IDs for removable devices

You add device metadata information to the Enforce Server and create one or more policy
detection methods that detect or except the specific device instance or class of device. The
system supports the regular expression syntax for defining the metadata. The system displays
the device metadata at the Incident Snapshot screen during remediation.
See “Creating and modifying endpoint device configurations” on page 922.
The metadata the system requires to define the device instance or device class is the Device
Instance ID. On Windows you can obtain the "Device Instance Id" from the Device Manager.
In addition, Symantec Data Loss Prevention provides DeviceID.exe for devices attached to
Windows endpoints and DeviceID for devices attached to Mac endpoints. You can use these
utilities to extract Device Instance ID strings and device regex information. These utilities also
report what devices the system can recognize for detection. These utilities are available with
the Enforce Server installation files.
See “About the Device ID utilities” on page 2496.
The Device Instance ID is also used by Symantec Endpoint Protection.

1. Right-click My Computer.
2. Select Manage.
3. Select the Device Manager.
4. Click the plus sign beside any device to expand its list of device instances.
5. Double-click the device instance. Or, right-click the device instance and select Properties.
6. Look in the Details tab for the Device Instance Id.
7. Use the ID to create device metadata expressions.

See “Creating and modifying endpoint device configurations” on page 922.
See “About endpoint device detection” on page 917.

Creating and modifying endpoint device configurations

You can configure one or more devices for specific endpoint detection. Once the device
expressions are configured, you implement the Endpoint Device Class or ID condition in one
or more policy rules or exceptions to deny or allow the use of the specific devices.
You might deny or allow the use of devices if endpoint users must copy sensitive information
to company-provided USB drives or SD cards.
See “Gathering endpoint device IDs for removable devices” on page 921.

You can use the DeviceID utility for Windows and Mac endpoints to generate removable
storage device information. See “About the Device ID utilities” on page 2496.

1. Go to the System > Agent > Endpoint Devices screen.
2. Click Add Device.
3. Enter the Device Name.
4. Enter a Device Description.
5. Enter the Device Definition expression.
   The device definition must conform to the regular expression syntax.
   See Table 38-7 on page 923.
   See “About writing regular expressions” on page 853.
6. Click Save to save the device configuration.
7. Implement the Endpoint Device Class or ID condition in a detection rule or exception.
   See “Configuring the Endpoint Device Class or ID condition” on page 920.

Generic USB Device: USBSTOR\\DISK&VEN_SANDISK&PROD_ULTRA_BACKUP&REV_8\.32\\3485731392112B52

iPod generic: USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&.*

Lexar generic: USBSTOR\\DISK&VEN_LEXAR.*

CD Drive: IDE\\DISKST9160412ASG__________________0002SDM1\\4&F4ACADA&0&0\.0\.0

Hard drive: USBSTOR\\DISK&VEN_MAXTOR&PROD_ONETOUCH_II&REV_023D\\B60899082H____&0

Blackberry generic: USBSTOR\\DISK&VEN_RIM&PROD_BLACKBERRY...&REV.*

Cell phone: USBSTOR\\DISK&VEN_PALM&PROD_PRE&REV_000\\FBB4B8FF4CAEFEC1124DED689&0

SanDisk USB: SanDisk&Cruzer Blade&20051535820CF1302C2E

SD Card: SDC&346128262

External hard drive: External&RAID&0000000000702293

See “About endpoint device detection” on page 917.
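Because the device definitions in Table 38-7 are regular expressions, they can be checked before they are entered on the Endpoint Devices screen. The following Python script is an added example, not part of this guide or of the product: it takes three definitions from the table plus a constructed "trusted drives" definition that encodes the 001-010 serial range from the earlier USB flash drive example (the ACME vendor, SECUREKEY product and SN serial layout are made up), and it assumes that a definition is matched against the whole Device Instance ID, which the guide does not state.

```python
import re

# Device definition expressions. The first three are copied from Table 38-7.
# The last one is a hypothetical "trusted drives" definition for the 001-010
# serial range described in "About endpoint device detection"; its vendor,
# product and serial layout are constructed for illustration only.
DEVICE_DEFINITIONS = {
    "Generic USB Device":
        r"USBSTOR\\DISK&VEN_SANDISK&PROD_ULTRA_BACKUP&REV_8\.32\\3485731392112B52",
    "iPod generic": r"USBSTOR\\DISK&VEN_APPLE&PROD_IPOD&.*",
    "Lexar generic": r"USBSTOR\\DISK&VEN_LEXAR.*",
    "Trusted company drives":
        r"USBSTOR\\DISK&VEN_ACME&PROD_SECUREKEY&REV_1\.00\\SN(00[1-9]|010)&0",
}


def validate_definition(pattern):
    """Return None if the definition compiles as a regular expression,
    otherwise the compiler's error text, so a bad expression is caught
    before it is pasted into the Device Definition field."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def match_device(instance_id):
    """Return the names of every definition the Device Instance ID satisfies.
    Assumption: the whole ID must match (re.fullmatch); the guide does not
    state the product's anchoring or case-sensitivity rules."""
    return [name for name, pattern in DEVICE_DEFINITIONS.items()
            if re.fullmatch(pattern, instance_id)]


def policy_decision(instance_id, trusted="Trusted company drives"):
    """Model the guide's exception pattern: a rule that covers every removable
    device except those matching the trusted definition placed in an exception.
    Only the device part of the rule is modelled here."""
    return "allow" if trusted in match_device(instance_id) else "block"


if __name__ == "__main__":
    # Constructed Device Instance IDs in the format Windows Device Manager shows.
    samples = [
        r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA_BACKUP&REV_8.32\3485731392112B52",
        r"USBSTOR\DISK&VEN_LEXAR&PROD_USB_FLASH_DRIVE&REV_1100\AA04012700013494&0",
        r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY&REV_1.00\SN007&0",
        r"USBSTOR\DISK&VEN_ACME&PROD_SECUREKEY&REV_1.00\SN011&0",
    ]
    for name, pattern in DEVICE_DEFINITIONS.items():
        print(name, "->", validate_definition(pattern) or "definition OK")
    for dev in samples:
        print(policy_decision(dev), match_device(dev), dev)
```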

Best practices for using endpoint detection

When implementing endpoint match conditions, keep in mind the following considerations:
■ Any detection method that executes on the endpoint matches on the entire message, not
  individual message components.
  See “Detection messages and message components” on page 391.
■ The Endpoint Destination and Endpoint Location methods are specific to the endpoint
  computer and are not user-based.
  See “Distinguish synchronized DGM from other types endpoint detection” on page 941.
■ You might often combine group and detection methods on the endpoint. Keep in mind that
  the policy language ANDs detection and group methods, whereas methods of the same
  type, two rules for example, are ORed.
  See “Policy detection execution” on page 394.
