McAfee Host Data Loss Prevention 9.1
Product Guide

COPYRIGHT
Copyright © 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.

2

McAfee Host Data Loss Prevention 9.1

Contents
Introducing McAfee Host Data Loss Prevention  8
  What is McAfee Host Data Loss Prevention?  8
  Product components and how they interact  9
  How Data Loss Prevention works  10
  Strategies for categorizing applications  13
  Encryption  13
  The Host DLP Policy console  14
  Audience  15
  Finding documentation for McAfee enterprise products  16

Controlling Removable Media With Device Rules  17
  Device classes  17
  Device definitions  18
    Importing device parameters  18
  Device rules  19
  Defining device classes  19
    Creating a new device class  19
    Changing the status of a device class  20
  Creating device definitions  20
    Creating a Plug and Play device definition  20
    Creating a whitelisted Plug and Play definition  21
    Creating a removable storage device definition  21
    Importing device definitions  22
    Creating a device definition group  23
  Creating and defining device rules  23
    Creating and defining a Plug and Play device rule  23
    Creating and defining a removable storage device rule  24
    Creating and defining a removable storage file access rule  25
  Device parameters  26

Classifying Content  28
  Dictionaries  28
  Document properties and file extensions  29


  Registered document repositories  29
    Registering documents on host computers  30
    Using registered document repositories  30
  Text pattern definitions  30
  Whitelist  31
  Creating a new dictionary  31
  Classifying data with registered document repositories  32
    Creating a new registered document repository definition  32
    Creating a registered document repository group  32
    Indexing registered documents repositories  33
    Deploying a registered document package to the agents  33
  Classifying data with text patterns  34
    Creating a new text pattern  34
    Testing a text pattern  36
    Creating a new text pattern group  37
  Adding and removing whitelist content  37
    Adding new whitelist content  37
    Deleting whitelist files  37

Tracking Content  39
  How tags and content categories are used to classify content  39
  How tagging rules link tags to content  40
  How classification rules link categories to content  40
  Creating tags, categories, catalogs, and groups  41
    Creating a tag  41
    Creating a content category  42
    Creating a tag and category group  42
  Creating and defining tagging rules  43
    Creating and defining an application-based tagging rule  43
    Creating and defining a location-based tagging rule  44
  Creating and defining classification rules  45
    Creating and defining a content classification rule  45
    Creating and defining a registered documents classification rule  46
  Creating manual tags  46
    Tagging files manually  46
    Removing manual tags from content  47

Rights management  48
  Adobe rights management users  49


  How Data Loss Prevention works with Rights Management  49
  Defining an Adobe RM server and synchronizing policies  51
  Defining a Microsoft RMS server and synchronizing templates  52

Locating Files With Sensitive Content  54
  How scanning works  54
    Using the discovery crawler  55
    How to restore quarantined files  58
  Applications and how to use them  58
    The Enterprise Application List  58
    Application definitions and how they are categorized  60
  File extension definitions  62
    Creating file extensions and file extension groups  62
  File server list  63
    Creating and adding to a file server list  64
  Network definitions  64
    Creating network definitions  65

File Destinations  67
  Email destination definitions  67
  Printers  67
  Web destination definitions  68
  Creating email destinations and groups  68
    Creating email destinations  68
    Creating an email group  69
  Creating a printer list and adding printers  70
    Creating a printer list  70
    Adding a printer  70
    Adding an unmanaged printer  71
    Adding an existing printer to the printer whitelist  72
  Creating web destinations and groups  72
    Creating a web destination  72
    Creating a web destination group  73

Assignment Groups  74
  User assignment  74
  Computer assignment groups  74
  Creating user assignment groups  75
    Creating a user assignment group  75


    Creating a privileged users group  76

Protection Rules  78
  How protection rules work  78
    Definitions and how they define rules  79
  Defining a protection rule  80
    Creating and defining an application file access protection rule  80
    Creating and defining a clipboard protection rule  81
    Creating and defining an email protection rule  82
    Creating and defining a file system protection rule  83
    Creating and defining a network communication protection rule  84
    Creating and defining a PDF/Image Writer protection rule  85
    Creating and defining a printing protection rule  85
    Creating and defining a removable storage protection rule  86
    Creating and defining a screen capture protection rule  87
    Creating and defining a web post protection rule  88
  Removing rules, definitions, device classes, or user groups  89
  How templates work  89
  Synchronizing templates  89

Policy Assignment  91
  Assigning policies with ePolicy Orchestrator  91
    Applying the system policy  91
    Assigning a policy or agent configuration  92
  Importing policies and editing policy descriptions  92
    Importing a policy from ePolicy Orchestrator  92
    Editing a policy description  93
  Agent bypass and related features  93
  Administering the Host DLP Agent  93
    Refreshing the Host DLP Agent policy  94
    Requesting an override key  94
    Generating an agent override key  95
    Generating a quarantine release key  96

The Host DLP Monitor and What It Does  97
  Agent events and how they are tracked  97
    Agent override  98
  Evidence  98
  Hit count  99


  Viewing redacted monitor fields  99
  Monitoring system events and alerts  100
  Filtering event information  101
    Defining filters  101
    Defining date filters  102
    Adding predefined filters  103
    Filtering the events monitor list  104
  Using labels  104
  Searching Host DLP Monitor events by event ID  104
  Exporting Host DLP Monitor events  105
  Printing Host DLP Monitor events  105
  Sending Host DLP Monitor events by email  106

Database Administration and Reporting  106
  Report options  107
  Setting up RSS feeds  107
  Redaction
  Setting up Data Loss Prevention rolled up reports  109
  Administering the database  109
  Viewing database statistics  110

Configuring the Host DLP System  110
  McAfee Device Control  111
  Agent configuration  111
  Managing agent configuration  112
  Applying the global agent configuration  112
  System tools  112
  System log  112
  Configuring Safe Mode operation  113
  Viewing the system log  113
  Resetting the agent configuration values  113
  Importing the global agent configuration  113

Introducing McAfee Host Data Loss Prevention

McAfee Host Data Loss Prevention software protects enterprises from the risk associated with unauthorized transfer of data from within or outside the organization, the most widespread and costly source of data loss in many companies today.

McAfee Host Data Loss Prevention software version 9.1 is available in two configurations: McAfee Device Control and full McAfee Host Data Loss Prevention. Each configuration is available with two licensing options, 90-day trial and unlimited. The default installation is a 90-day license for McAfee Device Control.

Contents
  What is McAfee Host Data Loss Prevention?
  Product components and how they interact
  How Data Loss Prevention works
  Strategies for categorizing applications
  Encryption
  The Host DLP Policy console
  Finding documentation for McAfee enterprise products

What is McAfee Host Data Loss Prevention?

McAfee Host Data Loss Prevention is a content-based agent solution that inspects enterprise users' actions concerning sensitive content in their own work environment, their computers. It uses advanced discovery technology as well as predefined dictionaries to identify this content, and incorporates device management and encryption for additional layers of control. Data loss is defined as confidential or private information leaving the enterprise as a result of unauthorized communication through channels such as applications, physical devices, or network protocols.

McAfee Host Data Loss Prevention provides:
• Universal protection — Protects against data loss through the broadest set of data-loss channels.
• Persistent content-aware data protection — Protects against data loss regardless of the format in which data is stored or manipulated.
• Protection on-the-go — Prevents transmission of sensitive data from desktops and laptops, whether or not they are connected to the enterprise's network.

What is McAfee Device Control?

McAfee Device Control prevents unauthorized use of removable media devices and enforces data loss prevention without disrupting legitimate user activities. It is the default configuration on installation.

McAfee Device Control provides:
• Persistent content-aware data protection — Controls what data can be copied to removable devices, blocks applications run from removable drives, or controls the devices themselves, blocking them completely or making them read-only.
• Protection on-the-go — For USB drives, CDs, DVDs, iPods, Bluetooth devices, and other removable media.

Product components and how they interact

McAfee Host Data Loss Prevention software consists of several components. Each component plays a part in defending your network from data loss.

Figure 1: McAfee Host Data Loss Prevention

Host DLP Policy Console
The Host DLP Policy console is the interface where the administrator defines and enforces the enterprise information security policy. It is used to create the information security policy and administer the McAfee Host Data Loss Prevention components. The Host DLP Policy console is accessed from the ePolicy Orchestrator Menu.

Host DLP Agent
The Host DLP Agents reside on enterprise computers, which are referred to as managed computers, and enforce the policies defined in the Host DLP Policy. The agents audit user activities to monitor, control, and prevent unauthorized users from copying or transferring sensitive data. They also generate events recorded by the ePO Event Parser.

ePO Event Parser
Events that are generated by the Host DLP Agents are sent to the ePO Event Parser, and recorded in tables in the ePO database. Events are stored in the database for further analysis and used by other system components.

Host DLP Monitor
Events that are sent to the DLP Event Parser are displayed in the Host DLP Monitor, an interface accessed from the ePolicy Orchestrator Reporting console. All events can be filtered and sorted based on criteria such as protection rules, severity, user, computer name, date, time, or policy version. Events can be labeled by the administrator for tracking purposes.

How Data Loss Prevention works

McAfee Host Data Loss Prevention safeguards sensitive enterprise information by deploying policies which are made up of classification rules, tagging rules, protection rules, device rules, and user and group assignments. The policies are monitored, and defined actions using content identified as sensitive are monitored or blocked, as required. In certain cases, sensitive content

or application-based tagging rule. based on enterprise requirements. • Location — When files are copied or accessed by local processes. a file being copied locally from a share on a network server. Content is stored as evidence. and reports are created for review and control of the process. Figure 2: McAfee Host Data Loss Prevention workflow Tagging and classification rules Tagging and classification rules. or based on the file type or file extension. identify confidential information and its sources. • Registered Documents Classification Rules — Classify all specified content in a defined group of folders. For example.1 11 . as specified in application definitions. • Content — Classification rules apply content categories based on parsing the content and matching it against predefined patterns or keywords. McAfee Host Data Loss Prevention 9. location-based tagging rules apply tags based on the location of the source file. Data can be classified by: • Application — Application-based tagging rules apply tags generically based on the application or applications that create a file. There are two types of classification rules: • Content Classification Rules — Match content against pre-defined strings and text patterns or dictionaries. combining the two types of rules. NOTE: You can add text patterns and dictionaries to a location.Introducing McAfee Host Data Loss Prevention How Data Loss Prevention works is encrypted before the action is allowed.

Tags and content categories identify files as containing sensitive information. Whenever such files are accessed, McAfee Host Data Loss Prevention software tracks data transformations and maintains the classification of the sensitive content persistently, regardless of how it is being used. For example, if a user opens a tagged Word document, copies a few paragraphs of it into a text file, and attaches the text file to an email message, the outgoing message has the same tag as the original document.

Protection rules
Protection rules prevent unauthorized distribution of tagged data. When a user attempts to copy or attach tagged data, protection rules determine whether this should be allowed or blocked. In addition to tags and content categories, protection rules are defined with applications or application groups, and definitions such as email destinations, document properties, or text patterns.

Device rules
Device rules monitor and potentially block the system from loading physical devices such as removable storage devices, Bluetooth, Wi-Fi, and other Plug and Play devices. Device classes and device definitions are used to define device rules. Removable storage device rules offer additional functionality to set the device as read-only and prevent writing data to the device.

Discovery rules
Host DLP Discovery is a crawler that runs on client computers. Discovery rules define the content being searched for and whether it is to be monitored, quarantined, encrypted, or deleted. Settings in the Global Agent Configuration determine where and when the search is performed.

Assignment groups
Assignment groups apply specific protection rules to different groups, users and computers in the enterprise.

Policies and policy deployment
A policy is the combination of tagging rules, protection rules, definitions, user assignments, and assignment groups. Policies are deployed by ePolicy Orchestrator to the enterprise’s managed computers (computers with a Host DLP Agent installed).

Monitoring
• Event monitoring — The Host DLP Monitor allows administrators to view agent events as they are received.
• Evidence collection — If protection rules are defined to collect evidence, a copy of the tagged data is saved and linked to the specific event. This information can help determine the severity or exposure of the event. Evidence is encrypted using the AES algorithm before being saved.
• Hit highlighting — Evidence can be saved with highlighting of the text that caused the event. Highlighted evidence is stored as a separate encrypted HTML file.

Whitelists
Whitelists are collections of items that you want the system to ignore. McAfee Host Data Loss Prevention uses four types of whitelists:
• Application — Device rules can block applications run from removable devices. To allow necessary applications such as encryption software, whitelisted application definitions can be created to exempt such applications from the blocking rule. The definitions apply to removable storage devices only.
• Content — The whitelist folder contains text files defining content (typically boilerplate) that is not tagged and restricted. The main purpose of this is to improve the efficiency of the tagging process by skipping standard content that does not need to be protected.
• Printers — To prevent printing of confidential data, the Host DLP Agent replaces the original printer driver with a proxy driver that intercepts printing operations and passes them through to the original driver. In some cases printer drivers cannot work in this architecture, causing the printer to stop responding. Whitelisted printers are excluded from the proxy driver installation process.
• Plug and Play devices — Some Plug and Play devices do not handle device management well. Attempting to manage them might cause the system to stop responding or cause other serious problems. Whitelisted Plug and Play devices are automatically excluded when a policy is applied.

Strategies for categorizing applications
McAfee Host Data Loss Prevention divides applications into four categories or “strategies”. A strategy is assigned to each application definition. You can change the strategy to achieve a balance between security and the computer’s operating efficiency. The strategies, in order of decreasing security, are:
• Editor — Any application that can modify file content. This includes “classic” editors like Microsoft Word and Microsoft Excel, as well as browsers, graphics software, accounting software, and so forth. Most applications are editors.
• Explorer — An application that copies or moves files without changing them, such as Windows Explorer or certain shell applications.
• Trusted — An application that needs unrestricted access to files for scanning purposes. Examples are McAfee VirusScan®, backup software, and desktop search software (Google, Copernic, and so forth).
• Archiver — An application that reprocesses files. Examples are compression software such as WinZip, and encryption software such as McAfee Endpoint Encryption or PGP.
Change the strategy as necessary to optimize performance. For example, the high level of observation that an editor application receives is not consistent with the constant indexing of a desktop search program. The performance penalty is high, and the risk of a data leak from such an application is low. Therefore, you should use the trusted strategy with these programs.

Encryption
Encryption of critical documents is an important part of a strong security policy. McAfee Host Data Loss Prevention software version 9.1 supports encryption in the following ways:
• Built-in device definitions to recognize McAfee Endpoint Encryption for Removable Media devices and content encrypted with McAfee Endpoint Encryption for Files and Folders.
• Encryption keys definitions.
• Encryption on demand in file system and removable storage rules.
• Support in discovery rules for Adobe® LiveCycle® and Microsoft Rights Management protection.
• Filtering in rules by document property (encrypted/not encrypted, and so forth).
• Filtering in discovery and most protection rules by Adobe LiveCycle or Microsoft Rights Management protection.

Device definitions
Built-in device definitions for McAfee Endpoint Encryption for Removable Media and McAfee Endpoint Encryption for Files and Folders allow the creation of device rules that permit only encrypted content to be saved to devices. All other content is blocked.

Encryption filters
Email protection, web post protection, removable storage protection, and discovery rules allow encrypted content to be defined in the rule. Using this feature, you can block unencrypted email or web post attachments, but permit encrypted ones. You can also use file types in rules to point to encrypted files. The XML file type is also associated with McAfee Endpoint Encryption files, and the file type Executable program files is also associated with self-extractors.
Two precautions must be observed:
• Email programs treat the body of the email as an attachment. If you create a rule to block unencrypted content and do not use an additional parameter to define the attached file, such as a tag, a file type, or a file extension, all emails will be blocked.
• If you have McAfee Endpoint Encryption installed and you drag an encrypted file to an email, McAfee Endpoint Encryption strips the encryption because you are "opening" the file on your computer. To send an encrypted attachment, attach a self-extractor file, which is allowed, rather than one with standard encryption.

Encrypt on demand
File system protection, removable storage protection, and discovery rules have an option to encrypt on demand. This means that in addition to the usual actions of Block, Monitor, and so forth, the option Encrypt is present on the rule wizard actions page. To use this option, McAfee Endpoint Encryption must also be installed, and you must define an encryption key in McAfee Host Data Loss Prevention with a name that matches a defined key in McAfee Endpoint Encryption. If these conditions are not met, the action defaults to Block.

The Host DLP Policy console
The Host DLP Policy console is the interface for McAfee Host Data Loss Prevention software and is accessed from the ePolicy Orchestrator console. You use this interface to create and enforce policies that protect your enterprise’s sensitive information. This is where you create, modify and control system rules and objects to prevent information loss.

Figure 3: Host DLP Policy console in ePolicy Orchestrator 4.5

The Host DLP Policy console is divided into these areas:
1 Navigation pane — Where the system administrator selects a rule or definition.
2 Main Panel — Where the system administrator edits and reviews rules or definitions. The main panel displays information about the selected object, depending on which object is currently selected in the navigation pane.
3 Details pane — Displays a detailed description of a single object selected in the main panel.

The navigation pane contains these items:
• Applications — Access the Enterprise Application List to import applications.
• Content Based Definitions — Create dictionaries, text patterns, and registered document repositories to identify sensitive content.
• Content Protection — Access Tagging Rules or Classification Rules to classify content, Protection Rules to enforce the defined policies, and Discovery Rules to search for sensitive content in your network.
• Database Administration — Monitor and maintain the system’s database.
• Definitions — Create new objects for system rules.
• Device Management — Monitor and control the use of physical devices.
• Policy Assignment — Create and maintain user groups for deploying policies, and groups of privileged users that can bypass policy enforcement.
• RM and Encryption — Set up communication with rights management servers, manage policies/templates, and create encryption keys.

Audience
The information in this guide is intended primarily for two audiences:
• Security officers who are responsible for determining sensitive and confidential data and defining the enterprise policy for protecting the company’s intellectual property.
• Network administrators who are responsible for implementing and enforcing the enterprise policy for protecting the company’s intellectual property.

Finding documentation for McAfee enterprise products
To access the documentation for your McAfee products, use the McAfee Technical Support ServicePortal.
1 Go to the McAfee ServicePortal (https://mysupport.mcafee.com) and select Self Service | Product Documentation.
2 Select a Product.
3 Select a Version.
4 Select a product document.

Product documentation by phase
McAfee documentation provides the information you need during each phase of product implementation, from installing a new product to maintaining existing ones. Depending on the product, additional documents might also be available. After a product is released, information regarding the product is entered into the online KnowledgeBase, available through the McAfee ServicePortal.
Installation phase — Before, during, and after installation
• Release Notes
• Installation Guide
Setup phase — Using the product
• Product Guide
• Online Help
Maintenance phase — Maintaining the software
• KnowledgeBase (http://mysupport.mcafee.com)

Controlling Removable Media With Device Rules
Devices attached to enterprise managed computers — such as smartphones, removable storage devices, Bluetooth devices, MP3 players, or Plug and Play devices — can be monitored or blocked using device rules. For many organizations, this level of data loss prevention is the primary goal. This is the level of protection provided by McAfee Device Control.

A device rule consists of a list of the device definitions included or excluded from the rule, and the action taken when the rule is triggered by content being sent to or from the named device or devices. In addition, you can create different sets of rules for the enterprise workforce based on roles and needs. For example, the IT and sales force can use these devices, while the majority of workers are not allowed to copy enterprise data to removable storage devices. This kind of scenario can be implemented by using the properties of the specific device with a suitable device rule.

Contents
Device classes
Device definitions
Device rules
Defining device classes
Creating device definitions
Creating and defining device rules
Device parameters

Device classes
Device classes name and identify the devices used by the system, allowing you to monitor and control their use in the distribution of sensitive information. Each class of devices is identified by a name, an (optional) description, and one or more Globally Unique Identifiers (GUIDs). When you install McAfee Host Data Loss Prevention, you find built-in device classes listed under Device Management | Device Classes. New classes of devices cannot be added to this list. The devices are categorized by status:
• Managed — Specific Plug and Play or removable storage devices, defined by device class, that can be managed by McAfee Host Data Loss Prevention.
• Unmanaged — Device classes not managed by McAfee Host Data Loss Prevention and only monitored by the system, but whose status can be changed to Managed by the system administrator.
• Unmanageable — Device classes not managed by McAfee Host Data Loss Prevention because attempts to manage them can affect the managed computer, system health, or efficiency.

In day-to-day tasks, the system administrator should not tamper with the device classes list because improper use (for example, blocking the managed computer’s hard disk controller) can cause a system or operating system malfunction. Instead of editing an existing item to suit the needs of a device protection rule, add a new, user-defined, class to the list.

Device definitions
Device definitions control specific devices by fine-tuning the device properties such as the device class, device Product ID/Vendor ID (PID/VID), or USB class code. Device properties serve as filter criteria for controlling devices. They combine a different set of properties for each device needing to be blocked or monitored by the system. Device definition groups can be created for a flexible and accurate way to maintain the required level of security, providing the advantage of using portable devices while maintaining the company policy for sensitive information. Built-in definitions for McAfee Endpoint Encryption and McAfee Endpoint Encryption for Removable Media facilitate the use of those products.

The device definitions and groups are available for two types:
• Plug and Play device — A device that can be added to the managed computer without any configuration or manual installation of dlls and drivers. Plug and Play devices include most Windows devices. Plug and Play device definitions allow you to manage and control most available devices, including Bluetooth, Wi-Fi, and PCMCIA, and prevent such devices from being loaded by the system.
• Removable Storage device — An external device containing a file system that appears on the managed computer as a drive.
TIP: While the Plug and Play device definitions and rules include general device properties, the removable storage device definitions and rules are more flexible and include additional properties related to the removable storage devices. McAfee recommends using the removable storage device definitions and rules to control devices, such as a USB mass storage device, that can be classified as either.

Importing device parameters
Device parameters can be entered from lists saved in CSV format, one comma separated row per event. The list can be made by selecting multiple events inside the DLP Monitor and exporting the device parameters (using the context menu) to a CSV file. Lists can also be created manually. See the online Help for information on formatting the CSV file.

Whitelisted Plug and Play devices
The purpose of whitelisted Plug and Play devices is to deal with those devices that do not handle device management well, and might cause the system to stop responding or cause other serious problems. McAfee recommends adding such devices to the whitelisted device list to avoid compatibility problems. They are never managed, even if their parent device class is managed. Whitelisted Plug and Play device definitions are added automatically to the excluded list in every Plug and Play device rule. You do not have to rewrite existing rules to include new whitelisted devices.
NOTE: If you inspect the device rules, you do not see the whitelist definition. The definition is added to the rule when the policy is applied.

Device rules
Device rules define the action taken when particular devices are used. There are three types of device rules: Plug and Play, removable storage and removable storage file access. Plug and play and removable storage rules allow the device to be blocked or monitored, and for the user to be notified of the action taken. Removable storage device rules can also define a device as read only.

Device file access rules block removable storage devices from running applications. A typical use of this feature is to allow users to listen to MP3 players, but block their potential use as storage devices. Removable storage file access rules block executables on plug-in devices from running. File access rules determine if a file is an executable by its extension. The following extensions are blocked: .bat, .cab, .cgi, .cmd, .com, .cpl, .dll, .exe, .jar, .msi, .py, .pyc, .scr, .vb, .vbs, .ws, .wsf. In addition, to block files that might be executed from within archives, .rar and .zip files are also blocked. Because some executables, such as encryption applications on encrypted devices, must be allowed to run, Whitelisted Application definitions can be included in the rule to exempt specifically named files from the blocking rule.
NOTE: File access rules also block executable files from being copied to removable storage devices. The file filter driver cannot differentiate between opening and creating an executable.

Defining device classes
Use these tasks to create and modify device classes.
Tasks
Creating a new device class
Changing the status of a device class

Creating a new device class
Use this task to create a device class.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Classes. The available devices appear in the main panel.
2 Right-click in the Device Classes pane and select Add New | Device Class. A new Device Class icon appears (default name Device Class) in the unmanaged device class section.
3 Double-click the icon. The edit dialog box appears.
4 Type a name, a description (optional), and the device's Globally Unique Identifier (GUID) in the appropriate text boxes.
NOTE: A GUID in the correct format is required. The OK button remains unavailable until you type it.
5 To move the device to Managed status, select the checkbox.
6 Click OK.
NOTE: Details for "Unknown" device classes (classes with no name) can appear in the DLP Monitor. These events should be handled by the system administrator, and added to the managed or unmanaged device lists as is appropriate.

Changing the status of a device class
Use this task to change the status of a device class.
Task
1 In the Host DLP Policy console navigation pane under Device Management, select Device Classes. The available devices appear in the main panel.
2 Right-click a specific device class and select Change Device Status to Managed or Change Device Status to Unmanaged.

Creating device definitions
Use these tasks to create device definitions.
NOTE: When you create a device definition with multiple parameters, the parameters defined in each Parameter Name are added to the definition as logical ORs, and multiple Parameter Names are added as logical ANDs. For example, the following parameter selection creates the device definition shown below:

Device definition    Selected parameter
Bus Type             Firewire
                     USB
Device Class         Memory Devices
                     Windows Portable Devices

• Bus Type is one of: Firewire (IEEE 1394) OR USB
• AND Device Class is one of: Memory Devices OR Windows Portable Devices

Tasks
Creating a Plug and Play device definition
Creating a whitelisted Plug and Play definition
Creating a removable storage device definition
Importing device definitions
Creating a device definition group

Creating a Plug and Play device definition
Use this task to define Plug and Play devices.
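The following Python is an added illustration, not code from the McAfee guide or product. It models the matching semantics just described (values under one Parameter Name are ORed, separate Parameter Names are ANDed), builds the Bus Type / Device Class definition from a constructed CSV parameter list, and applies a blocking rule with a whitelisted definition on the excluded list. The "parameter,value" CSV layout, the vendor ID placeholder and all device property values are assumptions for this example; the product's real CSV format is documented in its online Help.

```python
"""Device definition matching as the guide describes it (added example,
not McAfee code). Values under one Parameter Name are ORed, separate
Parameter Names are ANDed, and excluded (whitelisted) definitions are
checked before a rule's action is applied.
"""
import csv
import io
from collections import defaultdict

# Constructed CSV parameter list. The "parameter,value" column layout is an
# assumption for this example; the product's own format is in its online Help.
PARAMETER_CSV = """parameter,value
Bus Type,Firewire (IEEE 1394)
Bus Type,USB
Device Class,Memory Devices
Device Class,Windows Portable Devices
"""

# Constructed whitelisted definition: one specific USB device, identified by
# a placeholder vendor ID, that must never be managed.
WHITELISTED_DEFINITION = {"Bus Type": {"USB"}, "Vendor ID": {"VID_PLACEHOLDER"}}


def load_definition(csv_text):
    """Parse the CSV into {parameter_name: set_of_values}.

    Rows sharing a parameter name merge into one OR-group; the distinct
    parameter names together form the AND-group.
    """
    definition = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, value = row["parameter"].strip(), row["value"].strip()
        if name and value:
            definition[name].add(value)
    return dict(definition)


def matches(definition, device):
    """A device matches when every Parameter Name is satisfied (AND), and a
    Parameter Name is satisfied by any one of its listed values (OR).
    A property the device does not report never satisfies a parameter."""
    return all(device.get(name) in values for name, values in definition.items())


def apply_rule(included, excluded, devices, action="Block"):
    """Evaluate a Plug and Play device rule over device property sets.

    included/excluded are lists of definitions, mirroring the console's
    include/exclude lists (whitelisted Plug and Play definitions land on the
    excluded list automatically). A device receives the action when it
    matches an included definition and no excluded one.
    Returns {device_id: action or "No action"}.
    """
    decisions = {}
    for dev in devices:
        hit = any(matches(d, dev) for d in included)
        exempt = any(matches(d, dev) for d in excluded)
        decisions[dev["id"]] = action if hit and not exempt else "No action"
    return decisions


# Constructed device property sets, as an agent might report them.
SAMPLE_DEVICES = [
    {"id": "usb-stick", "Bus Type": "USB", "Device Class": "Memory Devices",
     "Vendor ID": "VID_OTHER"},
    {"id": "fw-player", "Bus Type": "Firewire (IEEE 1394)",
     "Device Class": "Windows Portable Devices"},
    {"id": "usb-keyboard", "Bus Type": "USB", "Device Class": "Keyboard"},
    {"id": "pcmcia-card", "Bus Type": "PCMCIA", "Device Class": "Memory Devices"},
    {"id": "usb-whitelisted", "Bus Type": "USB", "Device Class": "Memory Devices",
     "Vendor ID": "VID_PLACEHOLDER"},
]


def demo():
    """Load the definition from the CSV and run the rule over the samples."""
    definition = load_definition(PARAMETER_CSV)
    return apply_rule([definition], [WHITELISTED_DEFINITION], SAMPLE_DEVICES)


if __name__ == "__main__":
    for device_id, decision in demo().items():
        print(f"{device_id:16} {decision}")
```

Only the two devices that satisfy both Parameter Names and are not whitelisted receive the Block action; the keyboard fails the Device Class test and the PCMCIA card fails the Bus Type test.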

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Definitions. The available device definitions and device definition groups appear in the main panel.
2 In the Device Definitions pane, right-click and select Add New | Plug and Play Device Definition. The new Plug and Play Device Definition icon appears.
3 Name the new device definition and double-click the icon. The edit dialog box appears.
4 Type a description (optional).
5 Select the Parameter Name from the available list. The Edit the device definition parameter dialog box opens.
6 Click Add New and type in the parameter information.
7 Click OK twice.

Creating a whitelisted Plug and Play definition
The purpose of whitelisted Plug and Play devices is to deal with those devices that do not handle device management well, and might cause the system to stop responding or cause other serious problems. McAfee recommends adding such devices to the whitelisted device list to avoid compatibility problems. They are never managed, even if their parent device class is managed. Whitelisted Plug and Play devices are added automatically to the “excluded” list in all Plug and Play device rules when the policy is applied. Use this task to define Plug and Play devices as whitelisted.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Definitions. The available device definitions and device definition groups appear in the main panel.
2 In the Device Definitions pane, right-click and select Add New | Whitelisted Plug and Play Device Definition. The new Whitelisted Plug and Play Device Definition icon appears.
3 Name the new device definition and double-click the icon. The edit dialog box appears.
4 Type a description (optional).
5 Select the device parameters from the available list.
6 Click OK.

Creating a removable storage device definition
Use this task to define removable storage devices.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Definitions. The available device definitions and device definition groups appear in the main panel.
2 In the Device Definitions pane, right-click and select Add New | Removable Storage Device Definition. The new Removable Storage Device Definition icon appears.
3 Name the new device definition and double-click the icon. The edit dialog box appears.
4 Type a description (optional).
5 Select the device parameters from the available list.
6 Click OK.

Importing device definitions
Use this task to import a device definition from a file. Device parameters can be imported from lists saved in CSV format, one comma-separated row per parameter. The list can be made by selecting multiple events inside the DLP Monitor and selecting Export Device Event Parameters on the context menu. You can also use open-source/third party CSV libraries to create the file. You can import a new definition from a file, or import a parameter to an existing definition.
Before you begin
Create a device parameter list, and save in CSV format.
Task
1 In the Host DLP Policy console navigation pane under Device Management, select Device Definitions. The available device definitions and device definition groups appear in the main panel.
2 In the Device Definitions pane, right-click and select Import from file, then select the type of definition (Plug and Play or removable storage).
3 In the Import From dialog box, navigate to the CSV file and click Open. The parameters are imported to the new device definition. If the file contains parameters that do not match the type of device definition selected, for example a File Volume Serial Number imported into a Plug and Play definition, the definition is ignored and the import continues. If the format is not correct, the import fails.
4 Name the new device definition and click OK to create it.

Importing a parameter to an existing device definition
Use this task to import a parameter from a file.
Before you begin
Create a file containing the device definition parameter to import.
Task
1 Open an existing device definition by double-clicking on it.
2 Select a parameter to edit.
3 In the parameter definition edit dialog box, click Import.

4 In the Import From dialog box, navigate to a file and click Open. The parameter values are imported to the parameter definition.
5 Click OK to accept the changes to the device definition.

Creating a device definition group
Use this task to create a device definition group.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Definitions. The available device definitions and device definition groups appear in the main panel.
2 In the Device Definitions pane, right-click and select Add New | Plug and Play Device Definition Group or Add New | Removable Storage Device Definition Group. The new Device Definition Group icon appears.
3 Name the new device definition group and double-click the icon. The edit dialog box appears.
4 Type a description (optional).
5 Select the relevant Plug and Play device or removable storage device definition entries from the available list.
6 Click OK.

Creating and defining device rules
Device rules assign actions to device definitions. Use these tasks to create and define device rules.
Tasks
Creating and defining a Plug and Play device rule
Creating and defining a removable storage device rule
Creating and defining a removable storage file access rule

Creating and defining a Plug and Play device rule
Use this task to define a Plug and Play device rule.
TIP: You can use the Plug and Play Device Blocking Rule to block USB devices, but McAfee recommends using the Removable Storage Device Blocking Rule instead. Using the Plug and Play Device Blocking Rule can result in blocking the entire USB Hub/Controller. The Removable Storage Device Blocking Rule allows the device to initialize and register with Windows. It also allows you to define the device as read-only.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Rules. The available device management rules appear in the main panel.
2 In the Device Rules pane, right-click and select Add New | Plug and Play Device Rule.
3 Rename the new device rule and double-click the icon. Follow these steps in the wizard.
Step 1 of 3 — Select a Plug and Play device definition or definitions or group from the available list. You may include or exclude definitions. Click Add item to create a new Plug and Play definition. Click Add group to create a new Plug and Play group. When you have finished, click Next.
Step 2 of 3 — Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Edit alert popup to modify the alert message, URL, or link text. Click Next.
Step 3 of 3 (optional) — Select an assignment group or groups, or define a new group by clicking Add. Click Finish.
4 To activate the rule, right-click the rule icon and click Enable.

Creating and defining a removable storage device rule
Use this task to define a removable storage device rule.
TIP: McAfee recommends using the Removable Storage Device Blocking Rule to block USB devices. While it is possible to use a Plug and Play Device Blocking Rule, this can result in blocking the entire USB Hub/Controller. The Removable Storage Device Blocking Rule allows the device to initialize and register with Windows. It also allows you to define the device as read-only.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Rules. The available device management rules appear in the main panel.
2 In the Device Rules pane, right-click and select Add New | Removable Storage Device Rule.
3 Rename the new device rule and double-click the icon. Follow these steps in the wizard.
Step 1 of 3 — Select a removable storage device definition or definitions or group from the available list. You can include or exclude definitions. Click Add item to create a new removable storage device definition. Click Add group to create a new removable storage device group. When you have finished, click Next.
Step 2 of 3 — Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Edit alert popup to modify the alert message, URL, or link text. Click Next.
Step 3 of 3 (optional) — Select an assignment group or groups, or define a new group by clicking Add. Click Finish.
4 To activate the rule, right-click the rule icon and click Enable.

Creating and defining a removable storage file access rule
Use this task to define a removable storage file access rule. File access rules block removable storage media from running applications. Whitelisted application definitions specified in step 2 provide lists of specific files that are exempt from the blocking rule.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Device Rules. The available device management rules appear in the main panel.
2 In the Device Rules pane, right-click and select Add New | Removable Storage File Access Rule.
3 Rename the new device rule and double-click the icon. Follow these steps in the wizard.
Step 1 of 3: Select a removable storage device definition or definitions or group from the available list. Click Add item to create a new removable storage device definition. Click Add group to create a new removable storage device group. You may include or exclude definitions. When you have finished, click Next.
Step 2 of 3: Select a whitelisted application or applications from the available list. Click Add to create a new whitelisted application definition or Edit to modify an existing definition. When you have finished, click Next.
Step 3 of 3 (optional): Select an assignment group or groups, or define a new group by clicking Add. Click Finish.
4 To activate the rule, right-click the rule icon and click Enable.

Creating a whitelisted application definition
Use this task to create a whitelisted application definition. Whitelisted application definitions are used in removable storage file access rules to exempt specifically named files from being blocked.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Device Management, select Whitelisted Applications. The available whitelisted applications appear in the main panel.
2 Right-click in the Whitelisted Applications pane and select Add New | Whitelisted Application. A new whitelisted application icon appears.
3 Double-click the icon. The edit dialog box appears.
4 Type a name, a description (optional), and the file name of the executable you want to allow to run in the appropriate text boxes.
5 Click Add to add the file name to the list. Repeat typing and adding file names as required.
6 When you have finished adding file names, click OK.

Device parameters
The following table provides definitions for all parameters used in device definitions. It indicates which type of device the parameter is found in and whether it can be imported as a list from a file (see Device definition parameter management).

Table 1: Device definitions for Plug and Play and removable storage devices
Parameter name | Found in... | Import parameters | Description
Bus Type | both | yes | Selects the device BUS type from the available list (IDE, PCI, and so forth).
CD/DVD Drives | RS only | no | A generic category for any CD or DVD drive.
Content encrypted by McAfee Endpoint Encryption | RS only | no | Select to indicate a device protected with McAfee Endpoint Encryption.
Device Class | PnP only | no | Selects the device class from the available managed list. Effective especially with device types other than USB and PCI, which are more easily identified using PCI VendorID/DeviceID or USB PID/VID.
Device Compatible IDs | both | yes | A list of physical device descriptions.
Device Instance ID (Windows XP / Windows 2000) / Device Instance Path (Windows Vista / Windows 7) | both | yes | A Windows-generated string that uniquely identifies the device in the system, representing its physical address, for example, USB\VID_0930&PID_6533&26450FC&0&6.
Device Name | both | yes | The name attached to a hardware device.
File System Type | RS only | no | The type of file system, for example NTFS, FAT32, and so forth.
File System Access | RS only | no | The access to the file system: read only or read-write.
File System Volume Label | RS only | yes | The user-defined volume label, viewable in Windows Explorer. Partial matching is allowed.
File System Volume Serial Number | RS only | yes | A 32-bit number generated automatically when a file system is created on the device. It can be viewed by running the command line command dir x:, where x: is the drive letter.
PCI VendorID / DeviceID | both | yes | The PCI VendorID and DeviceID are embedded in the PCI device. These parameters can be obtained from the Hardware ID string of physical devices, for example: PCI\VEN_8086&DEV_2580&SUBSYS_00000000&REV_04.
USB Class Code | PnP only | no | Identifies a physical USB device by its general function. Select the class code from the available list.
USB Device Serial Number | both | yes | A unique alphanumeric string assigned by the USB device manufacturer, typically for removable storage devices. The serial number is the last part of the instance ID, for example, USB\VID_3538&PID_0042###BOT_TEXT###0000000002CD8. A valid serial number must have a minimum of 5 alphanumeric characters and must not contain ampersands (&). If the last part of the instance ID does not follow these requirements, it is not a serial number.
USB Vendor ID / Product ID | both | yes | The USB VendorID and ProductID are embedded in the USB device. These parameters can be obtained from the Hardware ID string of physical devices, for example: USB\Vid_3538&Pid_0042.
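The serial number and VendorID/ProductID rules in the table are easy to get wrong when importing device lists, so the following added Python example (written for this guide, not McAfee code) applies them to raw identifier strings: it reads VID/PID from the hardware ID prefix, treats the last part of the instance ID as a serial number only when it has at least 5 alphanumeric characters and no ampersand, and matches the result against a simplified device definition. The DeviceDefinition model, its matching semantics and every sample identifier are constructed for the example; the samples use the standard Windows form of enumerator, hardware ID and instance part separated by backslashes.

```python
"""Added example: evaluating Windows device identifiers against the USB
serial number and VID/PID rules in the device parameters table.
Identifier samples and the DeviceDefinition model are constructed for
this example; they are not McAfee's schema."""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Hardware ID prefixes as shown in the table (USB\Vid_3538&Pid_0042 and
# PCI\VEN_8086&DEV_2580&...); the vendor/product fields are hex and the
# prefix is matched case-insensitively.
_USB_HWID = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)
_PCI_HWID = re.compile(r"^PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})", re.IGNORECASE)


def is_valid_serial(part: str) -> bool:
    """Serial rule from the table: at least 5 alphanumeric characters and no '&'.
    A last part such as 26450FC&0&6 (a bus position, not a serial) fails."""
    return len(part) >= 5 and "&" not in part and part.isalnum()


@dataclass
class UsbDevice:
    vendor_id: str            # upper-cased 4-digit hex
    product_id: str
    serial: Optional[str]     # None when the instance ID carries no valid serial
    instance_id: str


def parse_usb_instance_id(instance_id: str) -> UsbDevice:
    """Split an instance ID (enumerator, hardware ID, instance part) into the
    fields a device definition can match on."""
    m = _USB_HWID.match(instance_id)
    if not m:
        raise ValueError(f"not a USB instance ID: {instance_id!r}")
    last_part = instance_id.rsplit("\\", 1)[-1]
    serial = last_part if is_valid_serial(last_part) else None
    return UsbDevice(m.group(1).upper(), m.group(2).upper(), serial, instance_id)


def parse_pci_hardware_id(hardware_id: str) -> Tuple[str, str]:
    """Return (VendorID, DeviceID) from a PCI hardware ID string."""
    m = _PCI_HWID.match(hardware_id)
    if not m:
        raise ValueError(f"not a PCI hardware ID: {hardware_id!r}")
    return m.group(1).upper(), m.group(2).upper()


@dataclass
class DeviceDefinition:
    """Simplified removable storage device definition (constructed model):
    every parameter that is set must match, unset parameters are ignored.
    'serials' stands in for a serial number list imported from a file."""
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serials: Set[str] = field(default_factory=set)

    def matches(self, dev: UsbDevice) -> bool:
        if self.vendor_id and dev.vendor_id != self.vendor_id.upper():
            return False
        if self.product_id and dev.product_id != self.product_id.upper():
            return False
        if self.serials:
            # A device whose instance ID has no valid serial can never satisfy
            # a serial list, so a definition keyed on serials rejects it.
            return dev.serial is not None and dev.serial in self.serials
        return True


if __name__ == "__main__":
    # Constructed samples in the form the table's examples use.
    approved = DeviceDefinition(vendor_id="3538", serials={"0000000002CD8"})
    for sample in (r"USB\VID_3538&PID_0042\0000000002CD8",
                   r"USB\VID_0930&PID_6533\26450FC&0&6"):
        dev = parse_usb_instance_id(sample)
        print(sample, "serial:", dev.serial, "matches:", approved.matches(dev))
```

The second sample shows why the table insists on the serial rule: its last part is a bus position, and a definition that allows devices by serial number must not treat it as one.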

Classifying Content
McAfee Host Data Loss Prevention gives you several ways of classifying sensitive content. The different classifications help you create granular tagging and protection rules to control different content in different ways.
Contents
Dictionaries
Registered document repositories
Text pattern definitions
Whitelist
Creating a new dictionary
Classifying data with registered document repositories
Classifying data with text patterns
Adding and removing whitelist content

Dictionaries
A dictionary is a collection of keywords or key phrases where each entry is assigned a weight. Content classification rules use specified dictionaries to classify a document if a defined threshold (total weight) is exceeded, that is, if enough words from the dictionary appear in the document. The assigned weights can be negative or positive, which allows you to look for words or phrases in the presence of other words or phrases. In addition to the ability to create your own dictionaries, McAfee Host Data Loss Prevention comes with several built-in dictionaries with terms commonly used in health, banking, finance, and other industries. Dictionaries can be created (and edited) manually or by cut and paste from other documents.
The difference between a dictionary entry and a string in a text pattern definition is the assigned weight. A string text pattern tagging rule always tags the document if the phrase is present. A dictionary tagging rule gives you more flexibility because you can set a threshold, which makes the rule relative.

Limitations
This section describes the design of the dictionary feature and some limitations this design entails. The following descriptions are specifically for dictionaries written in English. Other languages should behave in a similar manner, but there may be unforeseen problems in certain languages. Dictionaries are saved in Unicode (UTF-8), and therefore can be written in any language.
Dictionary matching has the following characteristics:
• It is not case-sensitive.
• It matches substrings, not whole words.

• It matches phrases including spaces.
Because the matches are substring, McAfee recommends using caution when entering short words, because of the potential of false positives. For example, a dictionary entry of "cat" would flag both "cataracts" and "duplicate." To prevent false positives of this type, statistically improbable phrases, or SIPs, give the best results.
Another source of false positives is similar entries. For example, in some HIPAA disease lists, both "celiac" and "celiac disease" appear as separate entries. If the second term appears in a document, it gets two hits — one for each entry — skewing the total score.

Document properties and file extensions
Document property and file extension definitions classify content by predefined metadata values or filename extension. They are used in protection rules as well as discovery rules.

Document properties
Document properties definitions were expanded in McAfee Host Data Loss Prevention version 9.0. The Date Created property now has a relative date option (document is stored more than X days, for example). Document properties can be retrieved from any Microsoft Office document, to protect it from being distributed in unauthorized ways.
There are three types of document properties:
• Predefined properties — Standard properties shared by most document types, such as author and title.
• User defined properties — Custom properties added to the document metadata, allowed by some applications such as Microsoft Word. A user defined property can also reference a standard document property that is not on the predefined properties list, but cannot duplicate a property that is on the list.
• Any property — Allows defining a property by value alone. The feature is useful in cases where the keyword has been entered in the wrong property parameter or when the property name is unknown. For example, adding the value Secret to the Any property parameter classifies all documents that have the word Secret in at least one property.
For most properties, partial matching is permitted.

File extensions
File extension definitions are used in protection, discovery, and tagging rules to increase granularity. A predefined list of extensions is included, and new definitions can be added. File extension groups can be used to simplify rules by defining, for example, all graphic file formats as a single definition.

Registered document repositories
The registered documents feature is an extension of location-based tagging. It gives administrators another way to define the location of sensitive information. The feature now appears in the McAfee Device Control version of the software as well as the full McAfee Host Data Loss Prevention version, due to its inclusion in removable storage protection rules. It is also included as a tab in the template synchronization wizard.

A new type of rule in a new category, the Registered Documents Classification Rule, has been created for protecting files in registered document folders. To use registered document repositories, the administrator selects a list of shared folders to be registered. The definition can be limited to specified file extensions within those folders, and to a maximum file size. The content of these folders is categorized, fingerprinted and distributed to all endpoint workstations. The classification rule associates a specified content category with the files in the registered document repository. When you have defined a registered documents classification rule, add the associated categories to a protection rule that accepts content categories. The DLP Agent on the endpoint blocks distribution of documents containing registered content fragments outside of the host system.
Registered document classification rules apply only to content in the repository that is not whitelisted.
NOTE: Whitelisted content is removed from the registered document repository database.
Registering documents on host computers
Using registered document repositories

Registering documents on host computers
Two advantages of registering documents over traditional location-based tagging are:
• Documents that existed before the location-based tag was defined are not detected by location-based tagging rules unless the user opens or copies the original file from its network location. Registered documents classification rules detect all files in the defined folders.
• If the same confidential content exists in several documents, you need to categorize it only once using a registered document repository. When you use location-based tagging you have to identify every network share where the confidential content is located, and tag each one.

Using registered document repositories
Registered document repositories are indexed periodically using ePolicy Orchestrator Server Tasks. The indexing process creates a package (reg_docs9000_x.zip) that is added to the ePolicy Orchestrator repository and deployed to the managed computers. When an index, a registered documents classification rule, and a protection rule specifying the category have been deployed to a managed computer, all content leaving the managed computer is checked against all registered document fingerprints, and the content is blocked or monitored according to the protection rule. The separation of definitions, groups, and categories increases modularity, and allows the creation of new classification rules, or modification of existing ones, without the need to re-index and re-deploy.

Text pattern definitions
Tagging rules and content classification rules use text patterns to classify data according to specific words or patterns. They can identify known strings, such as "Company Classified" or "Internal Use Only," or regular expressions (Regex), which allow complex pattern matching, such as in social security numbers or credit card numbers. Text patterns can include a validator — an algorithm used to test regular expressions. Use of the proper validator can significantly reduce false positives.

Text patterns can be marked as sensitive. Sensitive patterns are encrypted when displayed in hit highlighted evidence. If multiple text patterns are used for matching similar content, text pattern groups can be used to associate multiple patterns to a single group. This simplifies the creation of content categories if you defined many text patterns.
NOTE: If both an included pattern and an excluded pattern are specified, the excluded pattern has priority. This allows you to specify a general rule and add exceptions to it without rewriting the general rule.

Whitelist
The whitelist is a shared folder containing files that agents reference when tagging or categorizing data. The files define text that is ignored by the Data Loss Prevention tracking mechanism. A typical use for the whitelist is to define text that is often added to documents, such as a disclaimer, license and trademark attributions, or copyright notes. This allows users to distribute standard content that would otherwise be tagged or categorized and restricted by the system.
To use the whitelist, a file share must be created with read-only access by the Windows group domain computers. The file share must be defined in the agent configuration options. See the Installation Guide for instructions.
NOTE: Each file in the whitelist folder must contain at least 400 characters for it to be ignored by the system. If a file contains both tagged or categorized data and whitelisted data, it is not ignored by the system; all relevant tags and content categories associated with the content remain in effect. Some files in the whitelist folder might not be added to the policy distribution because of configuration. These files are listed in the Warning tab when running the Policy Analyzer.

Creating a new dictionary
Use this task to create a new dictionary. Dictionary definitions can be used to define Content Classification rules.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Content Based Definitions, select Dictionaries. The available dictionaries appear in the main panel.
2 In the Dictionaries window, right-click and select Add New | Dictionary. A new Dictionary icon appears.
3 Name the new dictionary and double-click the icon. Type a description (optional).
4 Click Add to create a new text box.
5 Type the new word or phrase in the text box. To change the default weight, select the text and edit.
6 Repeat steps 4 and 5 as necessary.

7 To import entries from another document click Import Entries. A text window opens that allows you to copy and paste entries. To copy and paste multiple entries, set up a source document with one entry per line, lines separated by a single carriage return. The text window is limited to 10,000 lines of 50 characters per line.
8 To have each appearance of a term contribute to the total score, select the Count multiple entries checkbox. Default behavior is for a term to be counted only once, no matter how many times it appears in the document.

Classifying data with registered document repositories
Use these tasks to classify data with registered document repositories.
Tasks
Creating a new registered document repository definition
Creating a registered document repository group
Indexing registered documents repositories
Deploying a registered document package to the agents

Creating a new registered document repository definition
Use this task to create a registered document repository definition. Registered document repositories are used to define Registered Documents Classification rules.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Content Based Definitions, select Registered Documents Repositories. The available registered documents appear in the main panel.
2 In the Registered Documents Repositories window, right-click and select Add New | Registered Document Repository. A new Registered Documents Repository icon appears.
3 Name the new registered document repository and double-click the icon.
4 Add a description (optional).
5 Type the UNC path to the folder you are defining, or click Browse to locate the folder.
6 Type a user name to access the folder, and a password if required.
7 Specify document extensions to include or exclude (optional). You can Add a new extension, if required, or Edit an existing one.
8 Specify the maximum file size (optional) and click OK.

Creating a registered document repository group
Use this task to create a registered document repository group. Registered document repository groups can be used to define Registered Documents Classification rules.

Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Content Based Definitions, select Registered Documents Repositories. The available registered documents repositories and groups appear in the main panel.
2 In the Registered Documents Repositories window, right-click and select Add New | Registered Document Repository Group. The new Registered Document Repository Group icon appears.
3 Name the new registered document group.
4 Double-click the icon. The edit window appears.
5 Type a description (optional).
6 Select the registered document definitions from the available list.
7 Click OK.

Indexing registered documents repositories
Use this task to schedule indexing of registered document repositories in ePolicy Orchestrator.
Before you begin
Create a registered documents repository definition, then create and enable a registered documents classification rule and a protection rule using the content category specified in the classification rule. Apply the policy to ePolicy Orchestrator.
Task For option definitions, click ? in the interface.
1 From the ePolicy Orchestrator Menu, select Server Tasks.
2 Click New Task. In the Server Task Builder, name the new task and click Next.
3 On the Actions page, select DLP Register Documents Scanner from the pull-down menu.
4 Click Next to schedule the scan.
5 Review your task, and click Save. The task now appears in the Server Tasks list. Select it and click Run to run the scan immediately.

Deploying a registered document package to the agents
Use this task to deploy a registered document package when working in ePolicy Orchestrator.
Before you begin
The registered document package must be indexed in ePolicy Orchestrator.
Task For option definitions, click ? in the interface.
1 In ePolicy Orchestrator click System Tree.
2 In the System Tree, select the level at which to deploy the registered document package.
TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy Orchestrator.

If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy the registered document package to individual workstations.
3 Click the Client Tasks tab.
4 Under Actions click New Task. The Client Task Builder wizard opens.
5 In the Name field, type a suitable name. In the Type field, select Product Deployment. Click Next.
6 In the Products and Components field, select DLP Registered Documents 9.0.0. Leave the Action on Install. Click Next.
7 Select a suitable Schedule type and set the Options, date, and Schedule parameters. Click Next.
8 Review the task summary.
9 When you are satisfied that it is correct, click Save.

Classifying data with text patterns
Use these tasks to classify data with text patterns. Text patterns can be used to define Content Classification rules.
NOTE: Many, but not all, text patterns are defined using regular expressions (regex). A discussion of regex is beyond the scope of this document. There are a number of regex tutorials on the internet where you can learn more about this subject.
Tasks
Creating a new text pattern
Testing a text pattern
Creating a new text pattern group

Creating a new text pattern
Use this task to create a text pattern definition.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Content Based Definitions, select Text Patterns. The available text patterns appear in the main panel.
2 In the Text Patterns window, right-click and select Add New | Text Pattern. A new text patterns icon appears.

3 Name the new text pattern and double-click the icon.
Figure 4: Text Pattern dialog box
4 Add a description (optional).
5 Under Included Patterns, do the following:
a Select the pattern recognition method (All or Any patterns).
b Click Add to define the new pattern, then type the text string.
c Select Is Regex if the string is a regular expression.
d If you select Is Regex, select an appropriate validator (optional). The default is No Validation.
e Under Threshold, type the number of times the pattern must be found in the data for it to be considered a match. For example, finding one credit card in an email may be acceptable, but adding a threshold of 5 requires five or more matches of the credit card pattern.
6 Under Excluded Patterns, do the following:
a Click Add to add an exclusion pattern, then type the text strings that, when found, are ignored by the system.
b Select Is Regex if the string is a regular expression.
c If you select Is Regex, select an appropriate validator (optional). The default is No Validation.
d Under Threshold, add the number of times the pattern must be found to be considered a match.

e Click OK.

Testing a text pattern
Use this task to test a text pattern before submitting the pattern to ePolicy Orchestrator. You do not have to save the definition before testing.
Before you begin
Create a new text pattern definition, or add a new item to an existing definition.
Task For option definitions, press the F1 key.
1 In the text pattern definition, click the Edit button of the item to be tested. The test dialog box appears with the search text or regular expression in the Pattern: text box. If applicable, select the Regular expression checkbox and select a validation method from the pull-down list.
2 Type some test patterns in the Test text box and click Check. The matches and validated matches are displayed.
Figure 5: Testing a credit card pattern
NOTE: If you make any changes or additions to the text in the Test box, you must click Check again to retest.
3 If results are unacceptable, modify the text pattern and retest.
4 When you click OK the text pattern in the definition is modified to match the last pattern you tested.
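The dictionary behaviour described under Dictionaries (weighted, case-insensitive substring entries scored against a total-weight threshold, with the Count multiple entries option from the Creating a new dictionary task) and the text pattern behaviour in the two tasks above (regex, optional validator, match threshold, excluded patterns taking priority) are combined in one added Python example below. It is illustrative code written for this guide, not McAfee's classification engine: the Luhn check stands in for the product's credit card validator, treating an included match as excluded when an excluded pattern covers it is an assumption about how "the excluded pattern has priority" is applied, the whitelist stripping only models the 400-character rule from the Whitelist section, and all definitions and sample text are constructed.

```python
"""Added example: content classification with dictionaries, text patterns
and the whitelist, following the rules described on this page.
Illustrative code written for this guide, not McAfee's engine; the
definitions and sample text below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

WHITELIST_MIN_CHARS = 400   # whitelist files shorter than this are not honoured


@dataclass
class Dictionary:
    entries: Dict[str, int]        # phrase -> weight; negative weights are allowed
    threshold: int                 # total weight needed to classify the text
    count_multiple: bool = False   # the 'Count multiple entries' checkbox

    def score(self, text: str) -> int:
        """Case-insensitive substring matching, phrases included. Each entry
        scores once, or once per occurrence when count_multiple is set."""
        lowered = text.lower()
        total = 0
        for phrase, weight in self.entries.items():
            hits = lowered.count(phrase.lower())
            if hits:
                total += weight * (hits if self.count_multiple else 1)
        return total

    def classifies(self, text: str) -> bool:
        # Assumption: a total equal to the threshold counts as a hit.
        return self.score(text) >= self.threshold


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used here as the credit card validator."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:             # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TextPattern:
    pattern: str                                   # regular expression
    threshold: int = 1                             # matches needed
    validator: Optional[Callable[[str], bool]] = None
    excluded: List[str] = field(default_factory=list)

    def matches(self, text: str) -> List[str]:
        """Validated matches not covered by an excluded pattern (assumption:
        an included match inside an excluded match is dropped)."""
        excluded_spans = [m.span() for ex in self.excluded
                          for m in re.finditer(ex, text)]
        found = []
        for m in re.finditer(self.pattern, text):
            if any(s <= m.start() and m.end() <= e for s, e in excluded_spans):
                continue
            if self.validator and not self.validator(re.sub(r"\D", "", m.group())):
                continue
            found.append(m.group())
        return found

    def classifies(self, text: str) -> bool:
        return len(self.matches(text)) >= self.threshold


def strip_whitelisted(text: str, whitelist_files: List[str]) -> str:
    """Remove whitelisted boilerplate (disclaimers, license text) before
    classification; only whitelist files of at least 400 characters count."""
    for snippet in whitelist_files:
        if len(snippet) >= WHITELIST_MIN_CHARS:
            text = text.replace(snippet, " ")
    return text


# Constructed definitions mirroring the page's own examples: the HIPAA-style
# overlapping entries and the short word 'cat', and a credit card pattern with
# a widely published test number excluded.
HIPAA_LIKE = Dictionary({"celiac": 2, "celiac disease": 3, "cat": 1}, threshold=5)
CREDIT_CARD = TextPattern(r"\b(?:\d[ -]?){15}\d\b", threshold=1, validator=luhn_ok,
                          excluded=[r"4111 1111 1111 1111"])


def classify(text: str, whitelist_files: List[str]) -> Dict[str, bool]:
    """Apply both definitions after whitelist stripping."""
    body = strip_whitelisted(text, whitelist_files)
    return {"hipaa": HIPAA_LIKE.classifies(body), "credit_card": CREDIT_CARD.classifies(body)}


if __name__ == "__main__":
    sample = ("Our duplicate intake report lists celiac disease for two patients. "
              "Cards on file: 4111 1111 1111 1111, 1234 5678 9012 3456, 5555 5555 5555 4444.")
    print(HIPAA_LIKE.score(sample), CREDIT_CARD.matches(sample), classify(sample, []))
```

Running the sample shows the two false-positive sources the Limitations section warns about: "duplicate" scores the entry "cat", and "celiac disease" scores both "celiac" and "celiac disease". On the pattern side, the validator drops the number that fails the Luhn check and the exclusion drops the test number, so only one card counts toward the threshold.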

Creating a new text pattern group
Use this task to create a text pattern group definition.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Content Based Definitions, select Text Pattern. The available text patterns and groups appear in the main panel.
2 In the Text Patterns window, right-click and select Add New | Text Pattern Group. The new Text Pattern Group icon appears.
3 Name the new text pattern group.
4 Double-click the icon. The edit window appears.
5 Type a description (optional).
6 Select the text patterns from the available list.
7 Click OK.

Adding and removing whitelist content
Use these tasks to add or remove content from the Whitelist folder.
Tasks
Adding new whitelist content
Deleting whitelist files

Adding new whitelist content
Use this task to add content to the Whitelist folder.
Task For option definitions, press the F1 key.
1 Create a file containing only the text you want to add to the whitelist, and copy it to the Whitelist folder.
2 In the Host DLP Policy console navigation pane under Definitions, select Whitelist. The available whitelist files appear in the main panel.
3 Right-click in the Whitelist window and click Refresh. The window is updated with the latest list of files.

Deleting whitelist files
Use this task to remove content from the Whitelist folder.
Task For option definitions, click ? in the interface.
1 In the Host DLP Policy console navigation pane under Definitions, select Whitelist. The available whitelist files appear in the main panel.

2 Select the file to remove from the Whitelist folder, right-click, and select Delete.
3 Click Yes to confirm the deletion.
4 Click OK.

Tracking Content
McAfee Host Data Loss Prevention software tracks and controls sensitive information using two similar mechanisms: tags and content categories. In both cases, the sensitive information is labeled, and the label stays with the content even if it is copied into another document or saved to a different format.
NOTE: In McAfee Device Control only content categories are available, not tags.
To protect data, follow this high-level process:
1 Classify the information that needs to be protected.
2 Create tags or content categories for each classification of data.
3 Create tagging rules and classification rules that associate sensitive data with the appropriate tags and content categories.
4 Define protection rules incorporating the tags and content categories that block, monitor, or encrypt the sensitive data when users send it to portable devices or specified network locations.
Contents
How tags and content categories are used to classify content
How tagging rules link tags to content
How classification rules link categories to content
Creating tags, categories, catalogs, and groups
Creating and defining tagging rules
Creating and defining classification rules
Creating manual tags

How tags and content categories are used to classify content
Tags give you a method for classifying content and reusing that classification. Tagging rules associate files and data with the appropriate tags. Tagging rules assign tags to content from specific applications or locations. Once assigned, the tag stays with the content as it is moved or copied, or included in or attached to other files or file types.
Content categories
Content categories, known as content tags in earlier versions of McAfee Host Data Loss Prevention, are another way of classifying content. Classification rules associate files and data with content categories. Content categories are used with classification rules to classify content and registered document groups. They can also be specified directly in most protection rules.

Category catalogs
Category catalogs are sets of content categories and associated predefined classification rules that can be used as an out-of-the-box building block for policies. When you select a content category from a catalog, it automatically adds both the content category and the related classification rules to the policy. If you have already created a category with that name, only the rules are added.
Tags
Tag definitions are created in the Tags and Categories definition panel. A tag definition consists of a suitable name, an optional description, and a Globally Unique Identifier (GUID) assigned by the system. Tags can be grouped to simplify rule making.
Content categories
Content category definitions are created in the Tags and Categories definition panel. A content category definition consists of a suitable name, an optional description, and a Globally Unique Identifier (GUID) assigned by the system. Categories can be grouped to simplify rule making.

How tagging rules link tags to content
Tagging rules associate files and data with the appropriate tags. A specific tag can be used by more than one tagging rule. For example, an application-based tagging rule can attach a tag called "Finance" to specific file types, irrespective of location. A location-based tagging rule can attach the same "Finance" tag to files in a specific location, irrespective of file type. Once a tag is attached to a file, the tag stays with the content, even when that content is copied to a file of different type or location.
Tagging rules
Simple application-based tagging rules monitor or block all files created by the application or applications designated in an application definition. Simple location-based tagging rules monitor or block all files in the specified location. Adding conditions to a simple rule restricts it by adding a logical AND.
Adding a specific file type or extension to an application-based or location-based tagging rule attaches a tag only on files created by a specific application or in a specific location, AND with the selected file type or extension. File types and extensions are predefined in the system and cannot be modified by the administrator.
Using the text pattern or dictionary restriction in application-based or location-based tagging rules attaches tags only to files in a specific location, or created by a specific application, AND containing the specific pattern or dictionary threshold. Multiple text patterns or dictionaries can be selected, specified as ANY of the following or ALL of the following. For the Microsoft Word file type, you can also specify where in the document (header/body/footer) the specified content is found. This option allows you to combine features of content categories with tagging.

How classification rules link categories to content
Classification rules associate files and data with the appropriate content categories.

Content classification rules
Content classification rules associate specified text pattern and dictionary definitions with content categories. Rules can contain any combination of text patterns and dictionaries. For Microsoft Word files, you can also specify where in the document (header/body/footer) the specified content is found. When those categories are added to protection rules, content containing the specified text is monitored or blocked.
Registered documents classification rules
Registered documents classification rules associate all content matching a specified registered documents repository definition to a content category. As with content classification rules, when categories are added to protection rules, content containing the specified text is monitored or blocked.

Creating tags, categories, catalogs, and groups
Use these tasks to create tags, content categories, and tag and category groups. Or create content catalogs, which add a content category and the related classification rule simultaneously. Consider the distinctions you need to make between different types of content, and make a tag or content category for each type, which are then attached to files with tagging or classification rules.
Tasks
Creating a tag
Creating a content category
Using category catalogs
Creating a tag and category group

Creating a tag
Use this task to create a general purpose tag or a content-based tag.
Task For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Tags and Categories. The available tags, content categories, and groups appear in the main panel.
2 In the Tags and Categories window, right-click and select Add New | Tag. The new tag icon appears with the name selected.
3 Type a name, then double-click the icon.
4 Add a description (optional).
5 Click OK.
NOTE: You can also create a new tag while creating a tagging or protection rule.

Creating a content category
Use this task to create content categories.
NOTE: You can also create a new content category while creating a classification or protection rule.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Tags and Categories. The available tags, content categories, catalogs, and groups appear in the main panel.
2 In the Tags and Categories window, right-click and select Add New | Content Category. The new content category icon appears with the name selected.
3 Type a name, then double-click the icon.
4 Add a description (optional).
5 Click OK.

Using category catalogs
Category catalogs are sets of content categories and associated predefined classification rules. Use this task to import a category catalog. Once a category catalog is imported into the policy, the classification rules can be used as is or modified as required. If a content category with the same name already exists, only the classification rules are imported.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Tags and Categories. The available tags, content categories, catalogs, and groups appear in the main panel.
2 In the Tags and Categories window, right-click and select Import Categories. After a few seconds, the Category Catalog window opens.
3 Select the categories you want to import, then click OK. The categories and related classification rules are imported.

Creating a tag and category group
Tag and category groups are used to place multiple tags and content categories on files more efficiently. Use this task to create a tag and category group.
Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Tags and Categories. The available tags, content categories, catalogs, and groups appear in the main panel.
2 In the Tags and Categories window, right-click and select Add New | Tag and Category Group. The new tag and category group icon appears.
3 Name the new group and double-click the icon. The edit window appears.

4 Add a description (optional).
5 Select the tags and content categories for the group.
6 Click OK.
NOTE: When using a tag group in protection rules, all tags in the selected group must be available in the specific content for the protection rule to be triggered.

Creating and defining tagging rules
Creating tagging rules is a three step process. A tagging rule must first be created, then defined, then enabled before it can be used. Use these tasks to create and define tagging rules.

Tasks
• Creating and defining an application-based tagging rule
• Creating and defining a location-based tagging rule

Creating and defining an application-based tagging rule
Use this task to associate a tag with an application.
Task
For option definitions, press the F1 key.
1 From the navigation pane, select Content Protection | Tagging Rules. The available tagging rules appear in the main panel.
2 In the Tagging Rules pane, right-click and select Add New | Application Based Tagging Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard:
Step 1 of 7: Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition. Click Next.
Step 2 of 7 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 3 of 7 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 4 of 7 (optional): Select one of the text pattern options, ANY (logical OR) or ALL (logical AND), then select one or more text patterns or text pattern groups from the available list. Click Add item to create a new text pattern, or click Add group to create a new text pattern group. Click Edit to modify an existing text pattern or group. Click Next.
Step 5 of 7 (optional): Select one of the dictionary options, ANY (logical OR) or ALL (logical AND), then select one or more dictionaries. Click Add to create a new dictionary or Edit to modify an existing dictionary. Connect multiple text patterns and dictionaries with either logical AND or logical OR. Click Next.

Step 6 of 7 (optional): Select the part of the document where the text pattern or dictionary matching takes place. This option is intended to be used with Microsoft Word files. Click Next.
Step 7 of 7: Select an available tag for this rule, or create a new one by clicking Add New. Click Finish.
5 To activate the rule, right-click the protection rule icon and select Enable.

NOTE: When you create an application definition tagging rule with multiple applications, all included applications are added in one line of the rule with logical OR and all excluded applications are added to a second line with logical OR. The two lines are a logical AND. For example: ...definition is 'Email Client Applications' OR 'Microsoft Office Applications' AND the definition is not 'Media Burner Applications'
CAUTION: If you do not include at least one application definition, the rule applies to all applications not specifically excluded.

Creating and defining a location-based tagging rule
Use this task to define a location-based tagging rule.
Task
For option definitions, press the F1 key.
1 From the navigation pane, select Content Protection | Tagging Rules. The available tagging rules appear in the main panel.
2 In the Tagging Rules pane, right-click and select Add New | Location Based Tagging Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard:
Step 1 of 7: Select one or more locations from the available list, or create a new one by clicking Add New. If you select a Network File Server, a Configure Selection dialog box opens. Type a network location, or click Browse and locate the server. Alternately, you can select Any Network File Servers. Click OK. When you have completed all selections, click Next.
Step 2 of 7 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 3 of 7 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 4 of 7 (optional): Select one of the text pattern options, ANY (logical OR) or ALL (logical AND), then select the text patterns from the available list. Click Add item to create a new text pattern, or click Add group to create a new text pattern group. Click Edit to modify an existing text pattern or group. Click Next.
Step 5 of 7 (optional): Select one of the dictionary options, ANY (logical OR) or ALL (logical AND), then select one or more dictionaries. Click Add to create a new dictionary or Edit to modify an existing dictionary. Connect multiple text patterns and dictionaries with either logical AND or logical OR. Click Next.
Step 6 of 7 (optional): Select the part of the document where the text pattern or dictionary matching takes place. This option is intended to be used with Microsoft Word files. Click Next.

Step 7 of 7: Select an available tag for this rule, or create a new one by clicking Add New. Click Finish.
5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining classification rules
Use these tasks to create and define classification rules. In previous versions of McAfee Host Data Loss Prevention, they were known as content-based tagging rules.

Tasks
• Creating and defining a content classification rule
• Creating and defining a registered documents classification rule

Creating and defining a content classification rule
Content classification rules link text patterns or dictionaries to content classifications. Use this task to define a content classification rule.
Task
For option definitions, press the F1 key.
1 From the navigation pane, select Content Protection | Classification Rules. The available classification rules appear in the main panel.
2 In the Classification Rules pane, right-click and select Add New | Content Classification Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard:
Step 1 of 4: Select one of the text pattern options, ANY (logical OR) or ALL (logical AND), then select one or more text patterns or text pattern groups from the available list. Click Add item to create a new text pattern, or click Add group to create a new text pattern group. Click Edit to modify an existing text pattern or group. Click Next.
Step 2 of 4: Select one of the dictionary options, ANY (logical OR) or ALL (logical AND), then select one or more dictionaries from the available list. Click Add to create a new dictionary or Edit to modify an existing dictionary. Connect multiple text patterns and dictionaries with either logical AND or logical OR. Click Next.
Step 3 of 4 (optional): Select the part of the document where the text pattern or dictionary matching takes place. This option is primarily intended to be used with Microsoft Word files, but applies to any file type that has a header / footer. Click Next.
Step 4 of 4: Select a content category, or create a new one by clicking Add New. Click Finish.
5 To activate the rule, right-click the classification rule icon and select Enable.
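The NOTE and CAUTION under the application-based tagging rule task above describe how a rule combines its application definitions: included definitions are OR'd on one line, excluded definitions are OR'd on a second line, the two lines are AND'd, and a rule with no included definitions applies to every application not explicitly excluded. The following model makes that evaluation order explicit so it can be checked against sample applications. It is an added illustration, not Host DLP code; the class names, the executable lists inside each definition, and the tag names are constructed assumptions.

```python
"""Model of the application-definition logic in an application-based
tagging rule: (inc1 OR inc2 ...) AND NOT (exc1 OR exc2 ...).

Added illustration with constructed data, not Host DLP code; the class
names and the executables listed in each definition are assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class ApplicationDefinition:
    """A named group of applications, identified here by executable name."""
    name: str
    executables: FrozenSet[str]  # lower-case executable file names (assumed)

    def covers(self, executable: str) -> bool:
        return executable.lower() in self.executables


@dataclass
class ApplicationTaggingRule:
    tag: str
    included: List[ApplicationDefinition] = field(default_factory=list)
    excluded: List[ApplicationDefinition] = field(default_factory=list)

    def included_line(self, executable: str) -> bool:
        """Line 1: included definitions OR'd together. An empty list means
        'all applications' (the CAUTION in the guide)."""
        if not self.included:
            return True
        return any(d.covers(executable) for d in self.included)

    def excluded_line(self, executable: str) -> bool:
        """Line 2: the application must match none of the excluded definitions."""
        return not any(d.covers(executable) for d in self.excluded)

    def applies_to(self, executable: str) -> bool:
        """The two lines are AND'd: both must hold for the tag to be attached."""
        return self.included_line(executable) and self.excluded_line(executable)

    def describe(self) -> str:
        """Render the rule in the form the guide's example uses."""
        inc = " OR ".join(f"'{d.name}'" for d in self.included) or "any application"
        clauses = [f"definition is {inc}"]
        if self.excluded:
            exc = " OR ".join(f"'{d.name}'" for d in self.excluded)
            clauses.append(f"the definition is not {exc}")
        return " AND ".join(clauses)


# Constructed sample definitions; the executable lists are assumptions.
EMAIL_CLIENTS = ApplicationDefinition(
    "Email Client Applications", frozenset({"outlook.exe", "thunderbird.exe"}))
OFFICE_APPS = ApplicationDefinition(
    "Microsoft Office Applications", frozenset({"winword.exe", "excel.exe", "powerpnt.exe"}))
MEDIA_BURNERS = ApplicationDefinition(
    "Media Burner Applications", frozenset({"nero.exe", "imgburn.exe"}))


def example_rule() -> ApplicationTaggingRule:
    """The rule spelled out in the guide's example:
    ('Email Client Applications' OR 'Microsoft Office Applications')
    AND NOT 'Media Burner Applications'."""
    return ApplicationTaggingRule(
        tag="Confidential", included=[EMAIL_CLIENTS, OFFICE_APPS], excluded=[MEDIA_BURNERS])


def tags_for(executable: str, rules: List[ApplicationTaggingRule]) -> List[str]:
    """Tags that would be attached to a file created by `executable`."""
    return [r.tag for r in rules if r.applies_to(executable)]


if __name__ == "__main__":
    rule = example_rule()
    # No included definitions: applies to everything except media burners.
    catch_all = ApplicationTaggingRule(tag="Internal", excluded=[MEDIA_BURNERS])
    print(rule.describe())
    for exe in ("outlook.exe", "WINWORD.EXE", "nero.exe", "notepad.exe"):
        print(f"{exe:12} -> {tags_for(exe, [rule, catch_all])}")
```

The `catch_all` rule in the usage block is the case the CAUTION warns about: with nothing on the included line, every application that is not a media burner creates tagged files, which is rarely what an administrator intends when they simply forget to add an application definition.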

Creating and defining a registered documents classification rule
Use this task to create a new registered documents classification rule.
Task
For option definitions, press the F1 key.
1 From the navigation pane, select Content Protection | Classification Rules. The available classification rules appear in the main panel.
2 In the Classification Rules pane, right-click and select Add New | Registered Documents Classification Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard:
Step 1 of 2: Select one or more registered documents repository definitions or groups from the available list. Click Add item to create a new registered documents repository definition, or Add Group to create a new registered documents repository group. Click Next.
Step 2 of 2: Select a content category, or create a new one by clicking Add New. Click Finish.
5 To activate the rule, right-click the classification rule icon and select Enable.

Creating manual tags
The Manual Tagging option allows authorized users to add or remove tags from files without using tagging rules. This option is accessed from the managed computer. Manual tagging provides the ability to maintain your organization's classification policy even in special cases of sensitive or unique information that is not being tagged by the system automatically. Tags that are applied to files manually affect the transmission options of the content immediately, based on the relevant protection rules.
NOTE: A user must be authorized to use manual tagging. Permission for manual tagging is defined in the Host DLP Policy console on the Agent Configuration | Edit Global Agent Configuration | Security tab.
Use these tasks to work with manual tags.

Tasks
• Tagging files manually
• Removing manual tags from content

Tagging files manually
Use this task to tag a file manually.
Task
1 On a managed computer, open Windows Explorer.

2 Right-click the file, and select Manual Tagging. The Manual Tags window with the available tags appears.
3 Select the tags that are appropriate for the file.
4 Click OK.

Removing manual tags from content
Use this task to remove tags that were created manually.
Task
1 On a managed computer, open Windows Explorer.
2 Right-click the file with tags you want to remove, then select Manual Tagging. The Manual Tags window with all the assigned tags appears.
3 Select the tags that need to be removed from these files.
NOTE: When selecting multiple files with several assigned tags, only those tags assigned to all selected files are removed.
4 Click OK.

Rights management
McAfee Host Data Loss Prevention software version 9.1 supports both Adobe LiveCycle Rights Management and Microsoft Windows Rights Management Services (RMS). Two use cases are currently supported:
• DLP Discovery can apply RM policies to files detected in discovery scans.
• Email, file system, removable storage, and web post protection rules can recognize RM protected files. These files can be included or excluded from the rule.

Adobe RM
McAfee Host Data Loss Prevention supports Adobe LiveCycle Rights Management ES2 and the Extension for Microsoft Office. For more information on Adobe LiveCycle Rights Management, go to http://www.adobe.com/go/rm/. You can apply RM protection to:
• PDF documents
• Microsoft Word 2003/2007 documents
• Microsoft Excel 2003/2007 documents
• Microsoft PowerPoint 2003/2007 documents

Microsoft Windows RMS
McAfee Host Data Loss Prevention supports RMS on Windows Server 2003 and Active Directory RMS (AD-RMS) on Windows Server 2008. For more information on Microsoft RMS, go to http://www.microsoft.com/windowsserver2003/technologIEs/rightsmgmt/default.mspx. You can apply Windows RMS protection to:
• Microsoft Word 2003/2007 documents
• Microsoft Excel 2003/2007 documents
• Microsoft PowerPoint 2003/2007 documents
• SharePoint 2007 documents
• Exchange Server 2007 documents

Contents
Adobe rights management users
How Data Loss Prevention works with Rights Management
Defining an Adobe RM server and synchronizing policies
Defining a Microsoft RMS server and synchronizing templates

Adobe rights management users
McAfee Host Data Loss Prevention requires two types of Adobe RM users. These users are named in the Rights Management Server definition. Before they can be used in McAfee Host Data Loss Prevention, they must be created, and their roles defined, in the Settings | User Management section of the Adobe LiveCycle Rights Management ES2 server. See the Adobe LiveCycle Help for details.
• DLP Policy User — Logs into the Adobe server and synchronizes policies. McAfee Host Data Loss Prevention users must be on the Document Publisher list for the DLP Policy Set and must have the role of Services User.
• DLP Agent User — Applies RM policies to files on the client computer. There are two ways to set up this user:
  • Using Windows authentication — The user must have Kerberos credentials (Service Principal Name – SPN) defined on the Adobe LiveCycle server.
  • Using Adobe LiveCycle authentication — The user must be on the Document Publisher list for the DLP Policy Set and must have the role of Services User.

How Data Loss Prevention works with Rights Management
Rights Management in McAfee Host Data Loss Prevention is managed from the RM and Encryption section of the navigation pane. In this section, you define the Rights Management server and manage the Rights Management policies used by discovery rules and email, removable storage, and web post protection rules. When you select the Apply RM Policy action in a discovery rule, you must specify the RM server and policy as properties. In all cases, these are set on the RM server by the Adobe LiveCycle Rights Management administrator.

Adobe RM workflow
When the Host DLP Agent applying the discovery rule finds a file to protect, it sends the file to the RM server. The protection is applied according to the selected policy and the file is sent back to the client computer. If the operation fails on the RM server side (because you cannot connect to the server for any reason) the file is monitored and an event (RM Failed) is sent to the DLP Monitor. If the operation fails on the Host DLP Agent side (for example, you try to protect an unsupported file type) the file is monitored, but no error event appears in the DLP Monitor.
NOTE: You must enable the Apply RM Policy Failed event in Agent Configuration | Events and Logging for the event to be logged.

Figure 6: Adobe RM protection flow diagram

McAfee recommends creating a Policy Set on the Adobe LiveCycle Rights Management server exclusively for policies used with McAfee Host Data Loss Prevention. At least one policy in the policy set must be enabled for the policy set to appear in the policy synchronization dialog box. If a policy is disabled on the RM server, the policy is deleted from the RM policies page when you re-synchronize. If the disabled policy is used in a discovery rule, it is not deleted but becomes Not Active (with a different icon) and creates an error in the DLP Policy Analyzer. If you disable a policy on the RM server, but you do not re-synchronize, the policy remains active. When the Host DLP Agent attempts to apply the policy, an Administrative RM Protect Failed event is sent to the DLP Monitor.

Limitations
McAfee Host Data Loss Prevention does not inspect RM protected files for content. When a tagged file is RM protected, only static tags (location and application) are maintained. If a user modifies the file, all tags are lost when the file is saved.


Windows RMS workflow
When the Host DLP Agent applying the discovery rule finds a file to protect, it uses the template GUID as a unique identifier to locate the template and apply protection.

Figure 7: Windows RMS protection flow diagram

With Windows RMS, McAfee Host Data Loss Prevention can inspect the content of protected files if the current user has view permissions.

Defining an Adobe RM server and synchronizing policies
Use this task to set up an Adobe LiveCycle Rights Management server and import RM policies.
Before you begin
Set up users in the Adobe LiveCycle Rights Management server with appropriate roles and permissions.
Task
For option definitions, press the F1 key.
1 From the navigation pane, select RM and Encryption | Rights Management Servers.
2 In the Rights Management Servers pane, right-click and select Add New | Adobe LiveCycle Rights Management Server.
3 Double-click the rule icon. The Adobe LiveCycle Rights Management Server dialog box appears.
4 Enter the Adobe RM server URL path and Adobe RM user name and password, then test the connection. McAfee recommends creating a single Policy Set for all DLP-related policies. The named user should be a Document Publisher for this policy set.
5 Enter the DLP Agent user credentials.
6 Select the Import RM Policies on OK checkbox to synchronize policies immediately, then click OK. If you don't select the checkbox, you can synchronize at any time from the context-sensitive menu. You must synchronize policies to use RM policies in DLP discovery rules. When you synchronize, the Adobe LiveCycle Rights Management Server dialog box appears listing all policy sets available to the logged on user.
7 Select the policy sets to import. All enabled policies in the set are imported and can be viewed in the Rights Management Policies pane.

Defining a Microsoft RMS server and synchronizing templates
Use this task to set up a Microsoft RMS server and import templates.
Before you begin
Set up users in the server with appropriate roles and permissions.
Task
For option definitions, press the F1 key.
1 From the navigation pane, select RM and Encryption | Rights Management Servers.
2 In the Rights Management Servers pane, right-click and select Add New | Microsoft RMS Server.
3 Double-click the rule icon. The Microsoft RMS Server dialog box appears.
4 Click Edit to set up the RMS template source. You can retrieve templates from either a network share or a web service. Enter the path and password, if required. Click OK.
5 Enter the URL of the RMS server, or select Using Auto service discovery to find the server.
6 Enter a User ID to specify a specific user, or select the Use end point logged in user option.
7 Select the Import RMS Templates on OK checkbox to synchronize policies immediately, then click OK. If you don't select the checkbox, you can synchronize at any time from the context-sensitive menu. You must synchronize policies to use RMS templates in Host DLP discovery rules.
CAUTION: There is an option in the RMS template settings to allow trusted browsers, such as Rights Management Update for Internet Explorer, to view the content of RMS protected documents. This option is NOT supported by the Host DLP Agent. If such a template is applied by a Host DLP discovery rule, the protected files cannot be viewed by trusted browsers.
8 Select Rights Management Policies in the navigation pane to view the imported templates.


Locating Files With Sensitive Content
This section describes different ways to locate and define the files that contain sensitive data. DLP Discovery finds your data-at-rest. Data-at-rest is the term used to describe actual locations ("where is it in the network?" "which folder is it in?"). You can also define content by file extension, or by which application created it. This is known as data-in-use. These definitions provide granularity to help you protect only those files that need to be protected.
NOTE: To use DLP Discovery, you must activate the discovery module on the Miscellaneous tab of the Agent Configuration dialog box.

Contents
How scanning works
Applications and how to use them
File extension definitions
File server list
Network definitions

How scanning works
DLP Discovery is a crawler that runs on client computers. When it finds predefined content, it can monitor, quarantine, encrypt, or delete the files.

When can you search?
You can run a host scan at a specific time daily, or on specified days of the week or month, or run a scan when the Host DLP Agent configuration is enforced. You can specify start and stop dates. You can suspend a scan when the computer's CPU or RAM exceed a specified limit.

If you change the discovery policy while a host scan is running, rules and schedule parameters will change immediately. Changes to which parameters are enabled or disabled will take effect with the next scan. If the computer is restarted while a scan is running, the scan continues where it left off.

What content can be discovered?
There are two ways to define sensitive content. Either is valid.
• Using tags or content categories. Tags define files in specified locations or produced with specified applications. Categories match specific text patterns, dictionaries, or registered documents repositories to the files.
• Using file context. You can specify file types, file extensions, document properties, encryption type, RM protection, and user assignment in the discovery rule.
NOTE: In earlier versions of McAfee Host Data Loss Prevention, file context was optional. In Version 9.1, if no tag or category is defined, a document property is required. Thus, document properties can be specified in place of tags or content categories.

What happens to discovered files with sensitive content?
For host discovery scans, you can apply RM protection, encrypt, quarantine, or monitor the files. When you monitor, you can also choose to store evidence. A new action allows matched files to be tagged. Tagging is now, optionally, a result of a discovery scan. Tagging is additive to other selected actions. RM protection, encryption, and quarantine are mutually exclusive. Monitoring and tagging can be added to other actions.
For host scans, you need a release key to release files from quarantine. The user generates a challenge key, sends it to the administrator, and the administrator issues an Agent Quarantine Release Key.

Using the discovery crawler
Use these tasks to set up and run the discovery crawler. There are three steps to running the discovery crawler. They can be done in any order.
• Create and define a discovery rule.
• Set up the scan parameters.
• Set the scheduling.

Tasks
• Creating and defining a discovery rule
• Setting up a discovery scan
• Scheduling a discovery scan

Creating and defining a discovery rule
Discovery rules define the content the discovery crawler searches for, and what to do when this content is found. Use this task to create and define a discovery rule. Changes to a discovery rule take effect as soon as the policy is deployed. Even if a scan is in progress, the new rule takes effect immediately. You can specify a document property instead of a tag or content category.

Task
For option definitions, press the F1 key.
1 From the navigation pane select Content Protection | Discovery Rules. The available discovery rules appear in the main panel.
2 In the Discovery Rules pane, right-click and select Add New | Discovery Rule.
4 Double-click the rule icon and follow these steps in the wizard:
Step 1 of 7 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 2 of 7 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 3 of 7 (required*): Select tags, content categories, and groups to be included or excluded from the rule. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.
Step 4 of 7 (required*): Select an existing document property definition or group by selecting one of the checkboxes to indicate whether the definition is included or excluded. Click Add item to create a new document property definition, or Add group to create a new group. Click Next.
Step 5 of 7 (optional): Select the Select from list option, then select an encryption type. Click Next.
Step 6 of 7: Select actions from the available list.
• Apply RM Policy: Click Select RM Policy to select a RM Policy and the server where it is located. If you select Apply RM Policy and the specified RM policy cannot be applied, the content is monitored.
• Encrypt: Click Select an Encryption key to select an encryption key or add a new key. If you select Encrypt and McAfee Endpoint Encryption is not installed, the content is quarantined.
• Monitor: Click Severity to modify the value.
• Tag: Click Select a tag. The tag you use must be pre-defined. There is no option for adding a tag.
NOTE: Apply RM Policy, Quarantine, and Encrypt are mutually exclusive actions: selecting one deselects the others. Other actions are additive, and can be used instead of Encrypt or Quarantine. If you select the Support discovery delete option in Tools | Options, the Delete action appears. McAfee does not recommend activating the discovery delete option.
Step 7 of 7 (optional): Select an assignment group or groups, or define a new group by clicking Add. Click Finish.
5 To activate the rule, right-click the discovery rule icon and select Enable.

Setting up a discovery scan
Use this task to set up a discovery scan. The discovery scan is setup on the Agent Configuration | Discovery settings dialog box. Changes in discovery setting parameters take effect on the next scan. They are not applied to scans already in progress.
Task
For option definitions, press the F1 key.

1 Set the performance parameters. Use the pause controls to minimize the impact of the scan on system performance. The options are:
• Suspend scan when the system's CPU is above (%)
• Suspend scan when the system's used RAM is above (%)
• Do not scan files larger than (MB)
Most files of interest are small. Skipping large files can significantly shorten the scan time.
2 Select the folders to scan and the folders to skip. Click the icon ( ) in the Folders section. A popup appears. Use Windows Explorer to browse to a folder, then cut and paste the address into the Enter folder text box. Use the plus icon to add the folder to the scan list. You can remove folders with the minus icon.
NOTE: If you don't specify any folders for either scan or skip, all folders on the computer are scanned. The only folder that is skipped by default is C:\Windows. The following file types will always be skipped, no matter which folder they are in:
• The specific files ntldr, boot.ini, and *.cekey
• Executable files (*.exe, *.com, *.sys)
3 Set the notification details. When the Quarantine action is selected in a discovery rule, discovery removes files with sensitive content to the quarantine folder. If no notifications are set, users might wonder why their files disappeared. The notification feature replaces files with stand-in files with the same name containing the notification text. If the discovery rule is set to encrypt files, no notification is needed because the files remain in place. To unlock encrypted files, users must have the encryption key specified in the discovery rule. To get files out of quarantine, users must request a quarantine release key from the administrator. This works in a similar manner to the agent override key.
NOTE: If you select the Encrypt action and McAfee Endpoint Encryption is not installed, the files are quarantined. If you select the Apply RM policy action and the RM provider is not available, the files are monitored.

Scheduling a discovery scan
Use this task to schedule a discovery scan. The discovery scan scheduler is in the Agent Configuration | Discovery Settings dialog box.
Task
For option definitions, press the F1 key.
1 On the Discovery Settings tab of the Agent Configuration menu, click the File system scan schedule icon ( ).
2 Set the scanning frequency using the option buttons and checkboxes.
3 Set the time of day for the scan to start using the thumbwheel.
4 Set the start and end dates for discovery scans.
5 If you want to prevent runs being missed due to the user being logged off, select Resume discovery missed runs after login.
6 If you want to run a discovery scan immediately, select Run now.
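The scan-scope rules in the Discovery Settings task above (no scan or skip folders means every folder is scanned, only C:\Windows is skipped by default, a fixed set of system files and executables is always skipped, and files above the size limit are not opened) are easy to misjudge when planning a scan. The following model applies those rules to a constructed file inventory so the effect of a given configuration can be checked before deployment. It is an added illustration, not Host DLP code; the `ScanScope` class, the sample paths, and two details the guide does not state (that the default C:\Windows skip applies only when no skip folders are listed, and that an explicit skip folder wins over an enclosing scan folder) are assumptions.

```python
"""Model of which files a discovery scan visits under the guide's
Discovery Settings rules. Added illustration with constructed paths,
not Host DLP code; see the assumptions noted in the comments."""
from fnmatch import fnmatch
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Sequence, Tuple

# Always skipped, whatever folder they are in (from the guide's NOTE).
ALWAYS_SKIPPED_NAMES = {"ntldr", "boot.ini"}
ALWAYS_SKIPPED_PATTERNS = ("*.cekey", "*.exe", "*.com", "*.sys")
# The only folder skipped by default.
DEFAULT_SKIP_FOLDERS = (r"C:\Windows",)


def _parts(path: str) -> List[str]:
    """Case-folded path components, so comparisons ignore Windows case."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def _under(path: str, folder: str) -> bool:
    """True if `path` is `folder` itself or lies beneath it."""
    pp, fp = _parts(path), _parts(folder)
    return pp[:len(fp)] == fp


class ScanScope:
    def __init__(self, scan_folders: Sequence[str] = (),
                 skip_folders: Sequence[str] = (),
                 max_size_mb: Optional[float] = None):
        self.scan_folders = list(scan_folders)
        # Assumption: the built-in C:\Windows skip applies only when the
        # administrator has not listed any skip folders of their own.
        self.skip_folders = list(skip_folders) or list(DEFAULT_SKIP_FOLDERS)
        self.max_size_mb = max_size_mb  # "Do not scan files larger than (MB)"

    def should_scan(self, path: str, size_mb: float = 0.0) -> bool:
        name = PureWindowsPath(path).name.lower()
        # Always-skipped system files and executables, regardless of folder.
        if name in ALWAYS_SKIPPED_NAMES or any(
                fnmatch(name, pat) for pat in ALWAYS_SKIPPED_PATTERNS):
            return False
        # Performance limit on file size.
        if self.max_size_mb is not None and size_mb > self.max_size_mb:
            return False
        # Assumption: a skip folder wins over an enclosing scan folder.
        if any(_under(path, f) for f in self.skip_folders):
            return False
        # No scan folders listed means every folder on the computer.
        if self.scan_folders and not any(_under(path, f) for f in self.scan_folders):
            return False
        return True


# Constructed inventory: (path, size in MB). Not real data.
SAMPLE_INVENTORY: List[Tuple[str, float]] = [
    (r"C:\Users\alice\Documents\budget.xlsx", 0.4),
    (r"C:\Users\alice\Documents\contract.pdf", 2.1),
    (r"C:\Users\alice\AppData\Local\cache.bin", 12.0),
    (r"C:\Windows\System32\kernel32.dll", 0.9),
    (r"C:\boot.ini", 0.001),
    (r"D:\tools\setup.EXE", 35.0),
    (r"D:\share\archive.iso", 700.0),
]


def plan_scan(scope: ScanScope,
              inventory: Iterable[Tuple[str, float]] = SAMPLE_INVENTORY) -> List[str]:
    """Paths the crawler would open, in inventory order."""
    return [path for path, mb in inventory if scope.should_scan(path, mb)]


if __name__ == "__main__":
    print("default scope:", plan_scan(ScanScope()))
    narrowed = ScanScope(scan_folders=[r"C:\Users"],
                         skip_folders=[r"C:\Users\alice\AppData"], max_size_mb=50)
    print("narrowed scope:", plan_scan(narrowed))
```

The model only decides which files the crawler opens; whether an opened file matches a discovery rule still depends on the rule's own file-type, extension, tag and document-property steps, which are not represented here.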

How to restore quarantined files
When the discovery crawler finds sensitive content it moves the affected files into a quarantine folder, replacing them with placeholders that notify users that their files have been quarantined. The quarantined files are also encrypted to prevent unauthorized use. Use this task to remove files from quarantine.
Task
1 Open the quarantine folder. Click the Host DLP Agent icon and select Open Quarantine Folder.
2 Select the files to be restored. Right-click and select Manual Decryption. The Challenge/Response popup appears.
NOTE: The Manual Decryption context-sensitive menu item only appears when selecting files of type *.dlpenc (DLP encrypted).
3 Copy the challenge ID code from the popup and send it to the DLP administrator.
4 The administrator takes the challenge code, enters it into the Tools | Generate Agent Quarantine Release Key dialog box, and generates a response code, which is sent to the user. (This also sends an event to the DLP monitor recording all of the details.)
5 The user enters the response code in the Challenge/Response popup and clicks OK. The decrypted files are restored to their original location.
NOTE: If the path has been changed or deleted, the original path is restored. If a file with the same name exists in the location, the file is restored as xxx-copy.abc

Applications and how to use them
Importing an applications list and creating application definitions are effic­ient ways of handling all application related tagging and protection rules. System administrators can import a list of all relevant applications available within the enterprise, modify the list, create different application definitions based on their needs, and implement these definitions with relevant rules to maintain policies.
• Enterprise Applications List — A comprehensive list of applications used by the enterprise. You can scan for new applications and merge them with the existing list, and group by any column.
• Application Definitions — The details that define templates you use to customize rules about specific applications. You can add applications to application definitions from the Enterprise Applications List, or create them directly. Tagging rules and protection rules always refer to application definitions rather than individual applications.

The Enterprise Application List
The Enterprise Applications List is a comprehensive list of the applications whose data you want to control. Application-based tagging rules and most protection rules reference application definitions. For example, to control the data in Excel files, add Excel to the Enterprise Applications List, then create a rule that defines whether Excel files or their contents can be printed or copied.

The information in the first five columns of the Enterprise Applications List is read from each application file's property list. In cases where the property has no value listed, it is displayed as unknown. Applications must be defined in the Enterprise Applications List before they can be referenced in a rule. If applications you want to control do not appear on the list, you must add them.

Adding and removing applications

Use these tasks to add or remove applications from the Enterprise Applications List.

Tasks
Importing an application manually
Importing new applications by scanning
Removing applications from the list

Importing an application manually

Use this task to add an application manually to the Enterprise Applications List.

Task
1 In the Enterprise Applications List window, right-click and select Add. The Add Executable window appears.
2 Click Browse and select the application EXE file.
3 Select an application and click Open. The application details appear.
4 Click Add to import the application to the list.
NOTE: You can also add an application by selecting the executable, then dragging and dropping it into the Enterprise Applications List window.

Importing new applications by scanning

Use this task to add groups of applications to the Enterprise Applications List from specific drives or folders. You must use the Merge option to do this.

Task
1 In the Enterprise Applications List window, right-click and select Scan Applications. The Scan for Applications window appears.
2 Click the Start button and select the drives and folders to scan for applications. All available applications appear.
3 Select the required action from the list:
• The Clear icon discards the current list.
• The Merge icon adds the applications to the Enterprise Applications List. The merged applications appear in the Enterprise Applications List.
4 Close the Scan for Applications window.

Removing applications from the list

Use this task to remove items from the Enterprise Applications List.
NOTE: You cannot remove an application if it is included in an application definition. Right-click and select Application Definitions | Go To to see if the application is included in any definitions before removing.

Task
1 In the Host DLP Policy console navigation pane under Applications, select Enterprise Applications List. The available applications appear in the main panel.
2 Right-click the application's main executable (EXE) file, and select Remove.
3 Click Yes to confirm the deletion. The entire application is removed, that is, the executable and all associated files.

Application definitions and how they are categorized

Application definitions replace the application groups used in previous versions of McAfee Host Data Loss Prevention. Because they are defined in a similar manner to device definitions, they are more intuitive, granular, scalable, and configurable. They also reduce policy size by using a different data model.

As a result of this new data model, application strategy is now defined in the application definitions, not in the Enterprise Applications List. One result of this is that the same application can be included in several application definitions and can therefore be assigned more than one strategy. The Host DLP Agent resolves potential conflicts according to the following hierarchy: archiver > trusted > explorer > editor, that is, editor has the lowest ranking. If an application is an editor in one definition and anything else in another, the Host DLP Agent does not treat the application as an editor.

A new subcategory, web application definitions, creates a URL-based template. Files, screen shots, or clipboards saved from a browser can now be tagged and blocked based on URL.

Application definitions can be identified by any of the following parameters:
• Command line — Allows command line arguments, for example: java -jar, that can control previously uncontrollable applications.
• Executable file hash — The application display name, with an identifying SHA1 hash.
• Executable file name — Normally the same as the display name (minus the SHA1 hash), but could be different if the file is renamed.
• Original executable name — Identical to the executable file name, unless the file has been renamed.
• Product name — The generic name of the product, for example Microsoft Office 2003, if listed in the executable file's properties.
• Vendor name — The company name, if listed in the executable file's properties.
• Window title — A dynamic value that changes at run-time to include the active filename.
• Working directory — The directory where the executable is located. One use of this parameter is to control U3 applications.

With the exception of the SHA1 application name and working directory, all parameters accept sub-string matches.
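The parameter matching and strategy conflict rules above, worked through in code. This is an added example for this guide, not McAfee code and not anything the Host DLP Agent exposes: the parameter key names, the process snapshots, the SHA1 inputs and the definition names are all constructed here. It generalizes the text in one respect, treating a definition's selected parameters as AND-ed and the values within one parameter as OR-ed, and it shows why a renamed EXCEL.EXE slips past an Executable file name match but is still caught by Original executable name.

```python
"""Added example (not McAfee code): a small model of how application
definitions identify a running process and how conflicting strategies are
resolved. Parameter names, the process snapshots and the hash inputs are
constructed for this example."""
import hashlib

# Conflict hierarchy from the guide: archiver > trusted > explorer > editor.
STRATEGY_RANK = {"archiver": 3, "trusted": 2, "explorer": 1, "editor": 0}
# Parameters that never accept sub-string matches.
EXACT_ONLY = {"executable_file_hash", "working_directory"}

OFFICE_DIR = r"C:\Program Files\Microsoft Office\OFFICE11"
ARCHIVER_BYTES = b"constructed archiver image"   # stands in for the real EXE


def make_process(exe, original, product, vendor, title, cmdline, workdir, image):
    """Snapshot of a process, keyed by the guide's definition parameters."""
    return {
        "executable_file_name": exe,
        "original_executable_name": original,
        "product_name": product,
        "vendor_name": vendor,
        "window_title": title,
        "command_line": cmdline,
        "working_directory": workdir,
        "executable_file_hash": hashlib.sha1(image).hexdigest(),
    }


def param_matches(param, wanted, actual, partial):
    """Compare one definition value with the process property (case-insensitive).
    Partial matching means sub-string; hash and working directory are exact only."""
    if actual is None:
        return False
    if param in EXACT_ONLY or not partial:
        return wanted.lower() == actual.lower()
    return wanted.lower() in actual.lower()


def definition_matches(definition, process):
    """Every selected parameter must match; within a parameter any value may match."""
    return all(
        any(param_matches(param, value, process.get(param), partial)
            for value, partial in values)
        for param, values in definition["params"].items()
    )


def resolve_strategy(definitions, process):
    """Return (strategy, names of matching definitions). The highest-ranking
    strategy among all matching definitions wins, so an application that is an
    editor in one definition and trusted in another is treated as trusted."""
    matched = [d for d in definitions if definition_matches(d, process)]
    if not matched:
        return None, []
    best = max(matched, key=lambda d: STRATEGY_RANK[d["strategy"]])
    return best["strategy"], [d["name"] for d in matched]


# Constructed definitions. Each parameter maps to (value, partial_match) pairs.
DEFINITIONS = [
    {"name": "Office editors", "strategy": "editor",
     "params": {"vendor_name": [("Microsoft", True)],
                "executable_file_name": [("excel", True), ("winword", True)]}},
    {"name": "Office by original name", "strategy": "editor",
     "params": {"original_executable_name": [("EXCEL.EXE", False)]}},
    {"name": "Trusted Office install", "strategy": "trusted",
     "params": {"product_name": [("Microsoft Office 2003", False)],
                "working_directory": [(OFFICE_DIR, False)]}},
    {"name": "Java jars", "strategy": "explorer",   # the guide's java -jar case
     "params": {"command_line": [("java -jar", True)]}},
    {"name": "Archiver by hash", "strategy": "archiver",
     "params": {"executable_file_hash":
                [(hashlib.sha1(ARCHIVER_BYTES).hexdigest(), False)]}},
]

# Constructed process snapshots.
PROCESSES = {
    "excel": make_process("EXCEL.EXE", "EXCEL.EXE", "Microsoft Office 2003",
                          "Microsoft Corporation", "Book1 - Microsoft Excel",
                          f'"{OFFICE_DIR}\\EXCEL.EXE" /e', OFFICE_DIR, b"excel image"),
    # Same binary copied to C:\Temp and renamed: only the original name still matches.
    "renamed_excel": make_process("notes.exe", "EXCEL.EXE", "Microsoft Office 2003",
                                  "Microsoft Corporation", "Book1 - Microsoft Excel",
                                  r"C:\Temp\notes.exe", r"C:\Temp", b"excel image"),
    "java_app": make_process("java.exe", "java.exe", "Java(TM) Platform SE",
                             "Oracle Corporation", "app", r"java -jar C:\tools\app.jar",
                             r"C:\tools", b"java image"),
    "archiver": make_process("7z.exe", "7z.exe", "7-Zip", "Igor Pavlov", "7-Zip",
                             r"C:\Program Files\7-Zip\7z.exe",
                             r"C:\Program Files\7-Zip", ARCHIVER_BYTES),
}

if __name__ == "__main__":
    for name, proc in PROCESSES.items():
        print(name, resolve_strategy(DEFINITIONS, proc))
```

Running the block prints one line per snapshot; EXCEL.EXE in its install directory matches three definitions and is treated as trusted, while the same image renamed to notes.exe in C:\Temp matches only the original-name definition and is treated as an editor.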

Creating application definitions

Use these tasks to create application definitions. Application definitions have replaced the application groups used in earlier versions of McAfee Host Data Loss Prevention.

Tasks
Creating an application definition
Creating an application definition from the Enterprise Applications List
Creating a web application definition

Creating an application definition

Use this task to create an application definition directly. You can also create an application definition from the Enterprise Applications List.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Application Definitions. The available definitions appear in the main panel.
2 In the Application Definitions window, right-click and select Add New | Application Definition. A new application definition icon appears.
3 Name the new application definition and double-click the icon. The edit window appears.
4 Type a description (optional).
5 Select parameters. As you select each parameter, its edit window appears.
6 Click Add New, and type a value and optional description. Some parameters allow partial matching. Select the option if you want to use it.
NOTE: If you select partial matching, the typed-in value is matched as a substring.
7 Click Add New to add more values. When you have finished, click OK to close the parameter edit window.
8 When you are finished adding parameters, click OK to save the edited definition.
9 By default, all new application definitions are created with the Editor strategy. To change the strategy, right-click the definition name and select Process Strategy.
CAUTION: Because the strategy affects the system's observation level, it can strongly affect system performance.

Creating an application definition from the Enterprise Applications List

Use this task to create an application definition from the Enterprise Applications List.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Applications, select Enterprise Applications List. The available applications list appears in the main panel.
2 Right-click an application and select Create Application Definition. The edit window appears with several parameters selected, based on the information available. You can modify the definition now or after creating it.
NOTE: If application definitions that include the selected application already exist, the Go To option is enabled. Clicking a Go To option opens Application Definitions in the main panel and selects the application. You can also add multiple applications to a definition: select them, using the usual Shift-click and Ctrl-click selection rules, before right-clicking.
3 Type a description (optional).
4 Click OK.
5 In the Host DLP Policy console navigation pane under Definitions, select Application Definitions to view the new definition. By default, all new application definitions are created with the Editor strategy. To change the strategy, right-click the definition name and select Process Strategy.
CAUTION: Because the strategy affects the system's observation level, it can strongly affect system performance.

Creating a web application definition

Use this task to create a web application definition. Web application definitions are used to create tagging and protection rules for files saved from browsers, based on the browsed URL.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Application Definitions. The available definitions appear in the main panel.
2 In the Application Definitions window, right-click and select Add New | Web Application Definition. A new web application definition icon appears.
3 Name the new web application definition and double-click the icon. The edit window appears. The window contains one parameter: Browser URL.
4 Type a description (optional).
5 Select the Browser URL parameter to open its edit window.
6 Click Add New, and type a value and optional description. Select partial matching if you want the typed value to be used as a substring.
7 Click Add New to add more URL values. When you are finished, click OK to close the parameter edit window.
8 Click OK to save the edited definition.

File extension definitions

File extension definitions restrict tagging rules and protection rules to particular file types. A list of default file extensions is available in the software, and you can manually add file extensions as needed for your environment.

Creating file extensions and file extension groups

Use these tasks to create file extensions or file extension groups.

Tasks
Creating file extensions
Creating file extension groups

Creating file extensions

Use this task to create a file extension definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select File Extensions. The available file extensions appear in the main panel.
2 In the File Extensions window, right-click and select Add New | File Extension. The new File Extension icon appears.
3 Type the name of the new file extension entry and double-click the icon. The edit window appears.
4 In the Extension text box, type the extension preceded with a period, for example .GIF.
5 Type a description for the file extension (optional).
6 Click OK.

Creating file extension groups

Use this task to create a file extension group definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select File Extensions. The available file extension groups appear in the main panel.
2 Click Add New | File Extension Group either on the Host DLP Policy console toolbar, or after right-clicking in the File Extensions window. The new File Extension Group icon appears.
3 Type the name of the file extension group.
4 Double-click the icon. The edit window appears.
5 Add a description for this group (optional).
6 Select the file extensions from the available list.
7 Click OK.

File server list

The file server list is created by an LDAP query or network scan. Define the network servers that are used in location-based tagging rules. If a server doesn't contain a file share used for a location-based tagging rule, you don't need to include it in this list.

Creating and adding to a file server list

Use these tasks to create a file server list, or to add servers to the list.

Tasks
Creating a file server list
Adding a single server to a list

Creating a file server list

Use this task to create a file server list.

Task
1 In the Host DLP Policy console navigation pane under Definitions, select File Servers. The available file servers appear in the main panel.
2 In the File Servers window, right-click and select Scan for these scanning options:
• All Network Servers - By Net View — Find all available file servers on the local network.
• All Network Servers - By Organizational Units — Select the organizational unit to search and click OK.
• Network Servers By LDAP Selection — Select the file servers and click OK.

Adding a single server to a list

Use this task to add a file server to the file server list.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select File Servers. The available file servers appear in the main panel.
2 In the File Servers window, right-click and select Add New | Server. The new Server icon appears.
3 Type the server name.

Network definitions

Network definitions serve as filter criteria in network-related protection rules.
• The Network Address Range monitors network connections between an external source and a managed computer.
• The Network Address Ranges Group allows you to use multiple network ranges for network-related rules.
• The Network Port Range allows you to use network port ranges to enforce the network-related rules to a specific service.

Creating network definitions

Use these tasks to add a network port range, network address range, or network address range group.

Tasks
Creating a network address range
Creating a network address range group
Create a new network port range

Creating a network address range

Use this task to add a network address range definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Network. The available network address ranges appear in the main panel.
2 In the Network window, right-click and select Add New | Network Address Range. The new Network Address Range icon appears.
3 Type the name of the network address range.
4 Double-click the icon. The edit window appears.
5 Type a description (optional).
6 Type the IP range using one of these methods:
• Define using address range
• Define using a network mask
• Define using CIDR notation
7 Click OK.

Creating a network address range group

Use this task to add a network address range group definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Network. The available network address range groups appear in the main panel.
2 In the Network window, right-click and select Add New | Network Address Range Group. The new Network Address Range Group icon appears.
3 Type the name of the network address group.
4 Double-click the icon. The edit window appears.
5 Type a description (optional).
6 Select the network address ranges from the available list.
7 Click OK.

Create a new network port range

Use this task to create a network port range definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Network. The available network port ranges appear in the main panel.
2 In the Network window, right-click and select Add New | Network Port Range. The new Network Port Range icon appears.
3 Type the name of the network port range.
4 Double-click the icon. The edit window appears.
5 Type a description (optional).
6 Select the protocol type (UDP, TCP or both).
7 Type the port range (single port, multiple ports, or a range).
8 Click OK.
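The three ways of typing an address range (address range, network mask, CIDR), the port-range syntax, and the way a network rule combines an address definition with a port definition, as an added example. It is not McAfee code and does not reproduce the console's own parser: the definition names, the spec strings and the sample connections are constructed here, and the address-plus-port AND is this example's reading of how the two definitions act as filter criteria in one rule.

```python
"""Added example (not McAfee code): parsing the three address-range forms and
the port-range syntax the guide describes into objects a network protection
rule can be tested against. Definition names and the sample connections are
constructed for this example."""
import ipaddress
from dataclasses import dataclass


def parse_address_range(spec):
    """Return ip_network objects for 'A-B' (address range), 'net/mask'
    (network mask) or 'net/prefix' (CIDR). Host bits set in the network form
    are tolerated (strict=False) so '172.16.0.1/12' means 172.16.0.0/12."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def parse_port_range(spec):
    """'80', '80,443' or '8000-8080' (and combinations) -> [(lo, hi), ...]."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("empty port specification")
    return ranges


@dataclass
class NetworkAddressRange:
    name: str
    networks: list

    @classmethod
    def from_spec(cls, name, spec):
        return cls(name, parse_address_range(spec))

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


@dataclass
class NetworkAddressRangeGroup:
    name: str
    members: list

    def contains(self, ip):
        return any(m.contains(ip) for m in self.members)


@dataclass
class NetworkPortRange:
    name: str
    protocol: str          # "tcp", "udp" or "both"
    ranges: list

    @classmethod
    def from_spec(cls, name, protocol, spec):
        return cls(name, protocol.lower(), parse_port_range(spec))

    def contains(self, port, protocol):
        if self.protocol != "both" and self.protocol != protocol.lower():
            return False
        return any(lo <= port <= hi for lo, hi in self.ranges)


def connection_matches(address_def, port_def, remote_ip, remote_port, protocol):
    """A network rule filter: both the address and the port definition must hit."""
    return address_def.contains(remote_ip) and port_def.contains(remote_port, protocol)


# Constructed definitions, one per input form the guide lists.
PARTNER_NETS = NetworkAddressRangeGroup("Partner networks", [
    NetworkAddressRange.from_spec("Partner VPN pool", "192.0.2.10-192.0.2.20"),
    NetworkAddressRange.from_spec("Partner DMZ", "10.0.0.0/255.255.255.0"),
    NetworkAddressRange.from_spec("Partner campus", "172.16.0.1/12"),
])
WEB_PORTS = NetworkPortRange.from_spec("Web services", "TCP", "80, 443, 8000-8080")

if __name__ == "__main__":
    for ip, port, proto in [("10.0.0.7", 443, "tcp"), ("10.0.0.7", 443, "udp"),
                            ("203.0.113.5", 443, "tcp"), ("192.0.2.21", 80, "tcp")]:
        print(ip, port, proto, connection_matches(PARTNER_NETS, WEB_PORTS, ip, port, proto))
```

The address-range form is summarized into the minimal set of CIDR blocks, so "192.0.2.10-192.0.2.20" becomes four networks rather than one; the mask and CIDR forms become a single network each. A connection matches only when the remote address is in the group and the port and protocol both fit the port definition.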

File Destinations

In addition to classifying content by its originating location, you can classify, and control, where content is being sent. In data loss prevention parlance, this is known as data-in-motion. In the following section, the destinations you can control, and the creation of definitions to exercise that control, are described.

Contents
Email destination definitions
Printers
Web destination definitions
Creating email destinations and groups
Creating a printer list and adding printers
Creating web destinations and groups

Email destination definitions

Email destination objects are predefined email domains or specific email addresses that can be referenced in email protection rules. The email protection rule can block tagged data from being emailed to specific domains, or can prevent tagged data from being emailed to undefined domains. Typically, the email destinations section defines any internal domains and external domains where emailing tagged data is allowed. Email destination groups allow protection rules to reference a single entity that defines multiple destinations. A typical use of this feature is to create an email destination group for all internal domains.

Printers

Printer definitions are used to define printing protection rules. Printing protection rules are used to manage both local and network printers and either block or monitor the printing of confidential material. There are two types of printer definitions: network printers and unmanaged (whitelisted) printers.

Network printers can be added manually by creating a definition that specifies the UNC path to the printer, or automatically from a printer list. The printer list is created by an LDAP query or network scan. Printers from the scan list are then selected to add them to the printer definitions.

Whitelisted printers are printers that cannot work with the proxy driver architecture required for Data Loss Prevention management. To prevent operational problems, these printers are defined as unmanaged. Unmanaged printer definitions are created manually using printer model information from the operating system printer properties.

For reporting purposes, there is a third category of printer. When a printer is connected to a managed computer and the DLP Agent fails to install its printer driver, it is reported as unsupported. After investigation of the reason for the failure, these printers are placed on the whitelist if no other solution is found.

Web destination definitions

Web destination objects are predefined web addresses that can be referenced in web post protection rules. You can use web destination definitions to block tagged data from being posted to defined web destinations (websites or specific pages in a website), or use them to prevent tagged data from being posted to websites that are not defined. Typically, the web destinations section defines any internal websites as well as external websites where posting tagged data is allowed. If you have defined numerous web destinations, you can create web destination groups so that protection rules can reference a single entity. A typical use of this feature is to create a web destination group for all internal websites.

Creating email destinations and groups

Use these tasks to create email destinations and groups.

Tasks
Creating email destinations
Creating an email group

Creating email destinations

Use this task to create an email destination definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Email Destinations. The available email destinations and groups appear in the main panel.
2 In the Email Destinations window, right-click and select Add New | Email destination. A new Email Destination icon appears.
3 Double-click the icon. The edit window appears.
4 Add the email destination name: under Email address, type the domain name and click Add.

• To create an email destination of external domains, add a domain entry for every internal domain, then deselect all domains and select Other email domain.
• To add a specific email address from this domain, right-click the domain name, select Add | Email User, then type the user name and click OK.
• To exclude a particular email address from the domain, add the user to the domain, then deselect the user. Right-click the domain name and select Add | Other email user.
Figure 8: Email destination edit dialog box
5 Click OK.

Creating an email group

Use this task to create an email group.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Email Destinations. The available email destinations and groups appear in the main panel.
2 In the Email Destinations window, right-click and select Add New | Email Group. A new Email Group icon appears.
3 Double-click the icon. The edit window appears.
4 Type the name of the email group.
5 Type a description (optional).
6 Select the email destination definitions from the available list.
7 Click OK.
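How the four shapes of email destination built above (internal domains; external domains via Other email domain; one excluded address via a deselected user plus Other email user; one named address only) decide whether a recipient is covered, and how the two rule shapes from the Email destination definitions section use that answer. This is an added example, not McAfee code: the checkbox semantics (an explicit user node wins, then Other email user, then the domain's own checkbox, and Other email domain for anything undefined) are this example's interpretation of the dialog, and the domains, addresses and destination names are constructed.

```python
"""Added example (not McAfee code): a model of how an email destination
definition built as the guide describes (domains, 'Other email domain',
specific users, deselected users, 'Other email user') decides whether a
recipient address is covered. The checkbox semantics are this example's
interpretation; the domains and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DomainEntry:
    selected: bool = True                  # the domain's own checkbox
    users: Dict[str, bool] = field(default_factory=dict)   # local part -> checked
    other_users: Optional[bool] = None     # None: no 'Other email user' node added


@dataclass
class EmailDestination:
    name: str
    domains: Dict[str, DomainEntry] = field(default_factory=dict)
    other_email_domain: bool = False       # the top-level 'Other email domain' node

    def matches(self, address):
        local, at, domain = address.strip().lower().rpartition("@")
        if not at or not local or not domain:
            raise ValueError(f"not an email address: {address!r}")
        entry = self.domains.get(domain)
        if entry is None:
            return self.other_email_domain     # undefined domain
        if local in entry.users:
            return entry.users[local]          # explicit user node wins
        if entry.other_users is not None:
            return entry.other_users           # everyone else in the domain
        return entry.selected


@dataclass
class EmailDestinationGroup:
    name: str
    members: List[EmailDestination]

    def matches(self, address):
        return any(m.matches(address) for m in self.members)


def evaluate_rule(destination, recipients, mode):
    """Model of the two rule shapes the guide gives: block tagged data sent to
    the defined destinations ('block_defined'), or block it when sent anywhere
    not defined ('allow_only_defined'). Returns the recipients that trigger it."""
    if mode == "block_defined":
        return [r for r in recipients if destination.matches(r)]
    if mode == "allow_only_defined":
        return [r for r in recipients if not destination.matches(r)]
    raise ValueError(mode)


# Constructed definitions, built the way the task steps describe.
INTERNAL = EmailDestination("Internal domains", {
    "example.com": DomainEntry(),
    "corp.example.com": DomainEntry(),
})
# External domains: every internal domain added then deselected, Other email domain selected.
EXTERNAL = EmailDestination("External domains", {
    "example.com": DomainEntry(selected=False),
    "corp.example.com": DomainEntry(selected=False),
}, other_email_domain=True)
# One address excluded: the user added and deselected, then Other email user added.
PARTNER = EmailDestination("Partner except contractor", {
    "partner.example": DomainEntry(users={"contractor": False}, other_users=True),
})
# One specific address only: the user node is checked, the domain itself is not.
AUDITOR = EmailDestination("Named auditor", {
    "audit.example": DomainEntry(selected=False, users={"jdoe": True}),
})
ALLOWED = EmailDestinationGroup("Allowed destinations", [INTERNAL, PARTNER, AUDITOR])

if __name__ == "__main__":
    recipients = ["alice@example.com", "contractor@partner.example",
                  "lead@partner.example", "jdoe@audit.example", "x@other.example"]
    print(evaluate_rule(ALLOWED, recipients, "allow_only_defined"))
```

Matching is case-insensitive on both the local part and the domain, and an address without an @ raises rather than silently failing to match, which is the safer failure for an allow-only rule.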

Creating a printer list and adding printers

Printer lists are used to manage sensitive content sent to printers. Use these tasks to create a printer list and add printers to it.

Tasks
Creating a printer list
Adding a printer
Adding an unmanaged printer
Adding an existing printer to the printer whitelist

Creating a printer list

Use this task to create a printer list.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Printers. The printers that have already been added appear in the main panel.
2 In the Printers window, right-click, select Scan and select a scanning option:
• Network Printers By Organizational Units
• Network Printers By LDAP Selection
• Scan Shared Printers
3 Edit the search parameters (optional), add a filter (optional) and click Search. A list of printers appears in the view window.
TIP: After editing parameters or adding a filter, you can rerun the search by clicking Refresh.
4 Select the printers to add to the printer list and click OK.

Adding a printer

Use this task to add a printer to a printer list.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Printers. The available printers appear in the main panel.
2 In the Printers window, right-click and select Add New | Network Printer. The new Network Printer icon appears.
3 Type the name of the network printer.
4 Double-click the Network Printer icon. The edit window appears.
5 Type the UNC path of the network printer.
6 Click OK.

Adding an unmanaged printer

Some printers stop responding when the Host DLP Agent assigns them a proxy driver. These printers cannot be managed, and must be exempted from printer rules to avoid problems. In other cases, you might choose to exempt a printer, such as one belonging to a top executive, from printer rules. In either case, you define these printers as unmanaged, placing them on the printer whitelist. Use this task to add an unmanaged printer to the printer list.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Printers. The printers that have already been added appear in the main panel.
2 In the Printers window, right-click and select Add New | Unmanaged Printer Model.
3 Type a name into the text box. Double-click the icon. The edit window appears.
4 Type the printer model. You can cut and paste the information using the Model: information from the printer properties:
a From the Microsoft Windows Start menu, select Printers and Faxes.
b Right-click the printer you are whitelisting and select Properties.
c On the General tab, copy the Model: information (below the Comment text box).
Figure 9: Copying the printer model information
5 Paste the model information into the Model text box in the Unmanaged Printer Model dialog box.
6 Add a description (optional).

7 Click OK. The printer appears in the Unmanaged Printer Model section of the Printers panel.

Adding an existing printer to the printer whitelist

When an existing network printer malfunctions, you can add it to the printer whitelist temporarily until the problem is clarified. In this procedure, the printer remains on the network printer list but is also whitelisted, preventing printer protection rules from being applied to it. When the problem is resolved, the definition is removed. Use this task to add an existing network printer to the printer whitelist.

Task
• Right-click an existing network printer definition and click Add as Unmanaged Printer.

Creating web destinations and groups

Use these tasks to create web destinations and web destination groups.

Tasks
Creating a web destination
Creating a web destination group

Creating a web destination

Use this task to create a web destination definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Web Servers. The available web servers appear in the main panel.
2 In the Web Servers window, right-click and select Add New | Web Server. A new Web Server icon appears.
3 Double-click the icon. The edit window appears.
4 Type a description (optional).
5 In the text box at the bottom of the window, type the web server URL and click Add to add a web server address.
6 To add a resource path, right-click the web server address and select Add | Resource Path. Type the path and click OK.
7 Click OK.

Creating a web destination group

Use this task to create a web destination group definition.

Task
For option definitions, press the F1 key.
1 In the Host DLP Policy console navigation pane under Definitions, select Web Servers. The available web server groups appear in the main panel.
2 In the Web Servers window, right-click and select Add New | Web Server Group. A new Web Server Group icon appears.
3 Double-click the icon. The edit window appears.
4 Type the name of the web server group.
5 Type a description (optional).
6 Select the web servers from the available list.
7 Click OK.

Assignment Groups

Device and protection rules are applied equally for every computer and user receiving a policy, unless otherwise specified in the rule. However, when required, rules can be applied to particular users, groups, Active Directory organizational units, or computers. Individuals or computers that should not access sensitive data can have restrictive rule sets, while a manager's rule set can be much less restrictive. This flexibility allows administrators to apply rules that are appropriate for a user's job function.

Contents
User assignment
Computer assignment groups
Creating user assignment groups

User assignment

User assignment groups define groups of users to be included or excluded from rules. When protection rules are created, they can be applied to a specific user or group by using the assignment group, or to computers by using ePolicy Orchestrator deployment. In addition, you can include or exclude users from the rule the group is assigned to.

Local users are defined as users logged on remotely who have local authentication. In earlier versions of McAfee Host Data Loss Prevention software there was no way to define them as a user category or to apply specific rules to them; you can now add local users to a user assignment group.

The Privileged Users setting can be used to override blocking or monitoring rules for certain users. There are two strategies available for privileged users: Monitor only and Override all. You create the list in a similar manner to creating the user assignment groups, by scanning the user list and selecting names.

Excluded users are similar to privileged users, in that they are exempt from particular rules. The difference is that the excluded user is defined in the assignment group, so only that one group need be assigned to a rule. On the other hand, you can't monitor that user if the group is being blocked. The option to use excluded users or privileged users gives the administrator considerable flexibility in how rules are appl
ied.

Computer assignment groups

Computer assignment groups is a feature of ePolicy Orchestrator. It is being described here because of the effect on McAfee Host Data Loss Prevention rules.

Computer assignment groups specify which computers are assigned which policies. When a computer group is assigned specific policies, those policies are enforced on the named computers, and user assignment groups in McAfee Host Data Loss Prevention rules are lost.

Assigning policies with computer assignment groups

The computer assignment group feature allows you to choose which McAfee Host Data Loss Prevention rules you want to assign to a particular group of computers. You can use this feature to apply different policies to groups of computers in your network.

Figure 10: Assigning rules with ePO computer assignment groups

If, for example, you have assigned Marketing computers to a group, and then select an email protection rule and a web post protection rule in the computer assignment group definition, those DLP rules will be applied to all users in the Marketing computer group, and not according to any User Assignment Groups defined in the DLP protection rule. Any rules not included in the computer assignment group (for example, a removable storage protection rule) will be applied according to the User Assignment Group definition in the rule.

Creating user assignment groups

Use these tasks to work with user assignment groups.

Tasks
Creating a user assignment group
Creating a privileged users group

Creating a user assignment group

Use this task to create a user assignment group.

Task
For option definitions, press F1.

1 In the Host DLP Policy console navigation pane under Policy Assignment, select User Assignment Groups. The available assignment groups appear in the main panel.
2 In the User Assignment Groups panel, right-click and select Add New | User Assignment Group. The new User Assignment Group icon appears.
3 Name the new User Assignment Group entry and double-click the icon. The edit window appears with the Policy Assignment tab displayed.
4 Click Add to select the objects for this group (domains, groups, organizational units, and users). A search window appears.
5 Select the Object Types to search for, then type in a filter and click Search to find users and groups.
6 Select the users and groups to be added to the assignment group, and click OK.
7 Users and groups are included by default. To exclude any of them from the rules the group is assigned to, make the appropriate selection.
Figure 11: Including and excluding users
8 To add local users to the group, click Add Local Users.
9 If you created rules to assign the group to, click the Protection Rules tab to select the protection rules for this assignment group. When you have finished making selections, click OK.
NOTE: The order doesn't matter. You can create rules first and assign them to a group in this step, or create groups first and assign them to rules when you create the rules.

1 In the Host DLP Policy console navigation pane under Policy Assignment, select Privileged Users. The available groups appear in the main panel.
2 In the Privileged Users panel, right-click, and select Scan users and groups. A search window opens.
3 Select the Object Types to search for, then type in a filter and click Search to find users and groups.
4 Select the users and groups to be added to the privileged users group, and click OK. The new Privileged Users icon appears in the window.
5 The default strategy for privileged users is Override All. To change this, right-click the group icon and click Set Strategy | Monitor Only.
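The following Python model is an added illustration, not code from McAfee or from this guide. It resolves which protection rules apply to a user on a given computer using the assignment semantics described in this chapter: a rule listed in a computer assignment group is enforced for every user of those computers and the rule's own user assignment groups are ignored; a rule not listed there falls back to its user assignment groups (members are included by default and can be excluded); privileged users carry a strategy. Two points are assumptions rather than statements from the guide: a rule with no assignment group at all is treated as applying to everyone, and Override All is read as "rule not enforced" while Monitor Only is read as "only the Monitor action remains". All names, principals and computers are constructed sample data.

```python
"""Resolve which protection rules apply to a user on a computer.

Added example, not McAfee code. It models the assignment semantics this
chapter describes; the handling of rules with no assignment group and the
meaning of the two privileged-user strategies are assumptions (see comments).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserAssignmentGroup:
    name: str
    included: frozenset                  # domains, groups, OUs and users added to the group
    excluded: frozenset = frozenset()    # members deselected from the rules it is assigned to

    def covers(self, principals):
        # a user matches through any of its principals (account, AD group, OU, domain)
        return bool(principals & self.included) and not (principals & self.excluded)


@dataclass(frozen=True)
class ProtectionRule:
    name: str
    actions: frozenset
    user_groups: tuple = ()   # assumption: no user assignment group means "all users"


@dataclass(frozen=True)
class ComputerAssignmentGroup:
    name: str
    computers: frozenset
    rules: frozenset          # names of the rules enforced on these computers


@dataclass
class Policy:
    rules: dict                          # rule name -> ProtectionRule
    computer_groups: tuple = ()
    privileged: dict = field(default_factory=dict)   # principal -> strategy name

    def effective_actions(self, principals, computer, rule_name):
        principals = frozenset(principals)
        rule = self.rules[rule_name]
        # 1. A rule listed in a computer assignment group applies to every user of
        #    those computers; the rule's own user assignment groups are not consulted.
        if any(computer in g.computers and rule_name in g.rules for g in self.computer_groups):
            applies = True
        # 2. Otherwise the rule's user assignment groups decide.
        elif rule.user_groups:
            applies = any(g.covers(principals) for g in rule.user_groups)
        else:
            applies = True
        if not applies:
            return frozenset()
        # 3. Privileged users: Override All is read here as "rule not enforced",
        #    Monitor Only as "only the Monitor action remains" (assumed meaning).
        strategies = {self.privileged[p] for p in principals if p in self.privileged}
        if "Override All" in strategies:
            return frozenset()
        if "Monitor Only" in strategies:
            return frozenset({"Monitor"})
        return rule.actions

    def applicable_rules(self, principals, computer):
        result = {}
        for name in self.rules:
            actions = self.effective_actions(principals, computer, name)
            if actions:
                result[name] = actions
        return result


def demo():
    """Constructed sample policy mirroring the Marketing example in the text."""
    finance = UserAssignmentGroup("Finance", included=frozenset({"grp:Finance"}),
                                  excluded=frozenset({"user:contractor1"}))
    enforce = frozenset({"Monitor", "Block"})
    rules = {
        "Email protection": ProtectionRule("Email protection", enforce),
        "Web post protection": ProtectionRule("Web post protection", enforce),
        "Removable storage protection": ProtectionRule(
            "Removable storage protection", frozenset({"Monitor", "Encrypt"}), (finance,)),
    }
    marketing_pcs = ComputerAssignmentGroup(
        "Marketing", frozenset({"MKT-PC-01", "MKT-PC-02"}),
        frozenset({"Email protection", "Web post protection"}))
    policy = Policy(rules, (marketing_pcs,),
                    {"user:dlpadmin": "Override All", "user:auditor": "Monitor Only"})
    return {
        "marketing user, marketing pc": policy.applicable_rules({"user:alice", "grp:Marketing"}, "MKT-PC-01"),
        "finance user, marketing pc": policy.applicable_rules({"user:bob", "grp:Finance"}, "MKT-PC-01"),
        "excluded contractor, finance pc": policy.applicable_rules({"user:contractor1", "grp:Finance"}, "FIN-PC-07"),
        "auditor, marketing pc": policy.applicable_rules({"user:auditor"}, "MKT-PC-01"),
        "dlp admin, finance pc": policy.applicable_rules({"user:dlpadmin", "grp:Finance"}, "FIN-PC-07"),
    }
```

Running demo() shows the behaviour the text describes: on a Marketing computer the email and web post rules reach every user, while the removable storage rule still depends on its Finance user assignment group, and an excluded member of that group escapes it even though the group itself matches.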

Protection Rules

Protection rules control the flow of data by defining the action taken when an attempt is made to transfer or transmit sensitive data. They do this by linking actions with definitions.

Contents
How protection rules work
Defining a protection rule
Removing rules, definitions, device classes, or user groups
How templates work
Synchronizing templates

How protection rules work

Protection rules define the action taken when an attempt is made to transfer or transmit tagged data. The protection rule specifies the transfer method, the named tag(s), and how the system should react to the event. Each event is given a severity level, and options for responding to the event. In some cases, protection rules merely log the event. In other cases, the protection rules may prevent the transfer of data and notify the user of the violation.

Protection rules are optionally applied to assignment groups. This allows a rule to apply only to particular user groups.

You can define protection rules to include or exclude specific tags, users, device classes, and user assignment groups. You can also specify file types, file extensions, tags and content categories, definitions, or document properties, and encryption (including password protection). (Not all options are available for all rules.) These options allow creation of rules with considerable granularity.
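The Python model below is an added illustration, not code from McAfee or from this guide. It shows how the parts of a protection rule described above combine when an event is evaluated, using the constraints the wizard tasks later in this chapter state: include/exclude lists for tags, application definitions and file extensions (and the rule that you must include at least one item before you can exclude any); a destination list that matches any destination when left empty (the web post task notes that defining no web destinations blocks all outgoing HTTP content); Online and Offline flags on each action, both selected by default; Request Justification enforcing nothing unless Block or Encrypt is also selected; and the email subject bypass pattern. The event fields, the reading of a skipped optional step as "matches anything", and the error texts are assumptions; the rule and events are constructed sample data.

```python
"""Evaluate a Host DLP-style protection rule against a transfer event.

Added example, not McAfee code. Models the semantics described in this
chapter; event fields, error texts and the "empty list matches anything"
reading of optional wizard steps are assumptions.
"""
import re
from dataclasses import dataclass, field, replace


class RuleError(ValueError):
    """A combination the policy console would refuse (wording assumed)."""


@dataclass
class Selection:
    """An include/exclude list, as built by a 'Select from list' wizard step."""
    include: frozenset = frozenset()   # empty: step skipped, matches anything
    exclude: frozenset = frozenset()

    def matches(self, values):
        values = frozenset(values)
        if self.include and not (values & self.include):
            return False
        return not (values & self.exclude)


@dataclass
class Action:
    name: str             # Monitor, Notify User, Block, Encrypt, Request Justification
    online: bool = True   # selecting an action selects both Online and Offline
    offline: bool = True  # unless one of them is deselected


@dataclass
class ProtectionRule:
    name: str
    tags: Selection = field(default_factory=Selection)
    applications: Selection = field(default_factory=Selection)
    extensions: Selection = field(default_factory=Selection)
    destinations: frozenset = frozenset()   # empty: any destination
    actions: tuple = ()
    severity: str = "Medium"
    bypass_subject_pattern: str = ""        # email bypass: one pre-defined text pattern

    def validate(self):
        """Checks the console performs before a rule can be saved (assumed)."""
        selections = (("tag", self.tags), ("application", self.applications),
                      ("file extension", self.extensions))
        for label, sel in selections:
            if sel.exclude and not sel.include:
                raise RuleError(f"{self.name}: include at least one {label} "
                                "before using the exclude option")
        names = {a.name for a in self.actions}
        if not names:
            raise RuleError(f"{self.name}: select at least one action")
        if "Request Justification" in names and not names & {"Block", "Encrypt"}:
            raise RuleError(f"{self.name}: Request Justification enforces nothing "
                            "unless Block or Encrypt is also selected")
        return True


@dataclass
class Event:
    """A transfer attempt as the agent would see it (constructed sample shape)."""
    tags: frozenset
    application: str
    extension: str
    destination: str
    online: bool = True
    subject: str = ""


def evaluate(rule, event):
    """Return the action names that fire for this event, or an empty set."""
    rule.validate()
    if rule.bypass_subject_pattern and re.search(rule.bypass_subject_pattern, event.subject):
        return frozenset()                      # email bypass: rule not applied
    if rule.destinations and event.destination not in rule.destinations:
        return frozenset()
    if not (rule.tags.matches(event.tags)
            and rule.applications.matches({event.application})
            and rule.extensions.matches({event.extension})):
        return frozenset()
    return frozenset(a.name for a in rule.actions
                     if (a.online if event.online else a.offline))


def demo():
    """Constructed sample rule and events; returns the fired actions per case."""
    rule = ProtectionRule(
        name="Confidential attachments to external mail",
        tags=Selection(include={"Confidential"}, exclude={"Approved for release"}),
        extensions=Selection(include={"docx", "xlsx"}),
        destinations=frozenset({"external"}),
        actions=(Action("Block"), Action("Request Justification", offline=False),
                 Action("Monitor"), Action("Notify User")),
        severity="High",
        bypass_subject_pattern=r"\[DLP-APPROVED-\d{6}\]",
    )
    online = Event(tags={"Confidential"}, application="outlook.exe",
                   extension="docx", destination="external")
    return {
        "online": evaluate(rule, online),
        "offline": evaluate(rule, replace(online, online=False)),
        "released": evaluate(rule, replace(online, tags={"Confidential", "Approved for release"})),
        "internal": evaluate(rule, replace(online, destination="internal")),
        "bypassed": evaluate(rule, replace(online, subject="Q3 [DLP-APPROVED-004211]")),
    }
```

The offline case is the one worth noticing: Request Justification was deselected for Offline, so an offline user is simply blocked, which is the kind of per-action Online/Offline difference that is easy to overlook when every action defaults to both.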

Actions/Rules matrix

Figure 12: Rules and their actions

Definitions and how they define rules

Definitions are the fundamental building blocks used to create rules. Definitions let you customize the system to enforce your enterprise security policy and other requirements, such as compliance issues and privacy laws. You create a definition for each category you want to control. For example, you can have a McAfee email destination and a Microsoft email destination, or Marketing printers and Finance printers. Customizing these definitions creates an efficient method of maintaining company policies.

Definitions are created in a two-step process: first you create the definition (right-click, select Add New), then you define it (double-click the newly created definition). These two steps should always be done together. Leaving a definition empty (undefined) will, in most cases, generate an error when you try to apply the policy to ePolicy Orchestrator. At the very least, it will generate a warning.

Definitions can be assigned to any new or existing rule. When you modify a definition, the modification is automatically propagated to all rules that use the definition. Changes take effect immediately upon redeploying the system policy to the agents.

Table 2: Definitions and the tagging and protection rules that use them

Definition: Application
  Tagging/classification rules: Application-based tagging
  Protection rules: Application File Access, Clipboard, Email, File System, Network Communication, Printing, Removable Storage, Screen Capture

Definition: Dictionary
  Tagging/classification rules: Content classification
  Protection rules: NA

Definition: Email Destination
  Tagging/classification rules: NA
  Protection rules: Email Protection

Definition: File Extension
  Tagging/classification rules: Application-based tagging, Location-based tagging
  Protection rules: Application File Access Protection, Email Protection, File System Protection, Printing Protection, Removable Storage Protection, Web Post Protection

Table 2 (continued): Definitions and the tagging and protection rules that use them

Definition: File Server
  Tagging/classification rules: NA
  Protection rules: File System Protection

Definition: Network (address and port ranges)
  Tagging/classification rules: NA
  Protection rules: Network Communication Protection

Definition: Network Printer
  Tagging/classification rules: NA
  Protection rules: Printing Protection

Definition: Registered document repository
  Tagging/classification rules: Registered document classification
  Protection rules: NA

Definition: Tag/Content Category
  Tagging/classification rules: Application-based tagging, Location-based tagging, Content classification, Registered document classification
  Protection rules: all Protection Rules

Definition: Text Pattern
  Tagging/classification rules: Content classification
  Protection rules: NA

Definition: Web Destination
  Tagging/classification rules: NA
  Protection rules: Web Post Protection

Definition: Whitelist
  Tagging/classification rules: Content classification
  Protection rules: NA

CAUTION: If you are also working with McAfee Endpoint Encryption, be aware that including McAfee Host Data Loss Prevention processes on a McAfee Endpoint Encryption Blocked Processes list will prevent protection rules with encryption definitions from triggering, and might cause the Host DLP Agent to malfunction.

Defining a protection rule

Use these tasks to define protection rules.

Tasks
Creating and defining an application file access protection rule
Creating and defining a clipboard protection rule
Creating and defining an email protection rule
Creating and defining a file system protection rule
Creating and defining a network communication protection rule
Creating and defining a PDF/Image Writer protection rule
Creating and defining a printing protection rule
Creating and defining a removable storage protection rule
Creating and defining a screen capture protection rule
Creating and defining a web post protection rule

Creating and defining an application file access protection rule

Protection rules for application file access monitor or block files based on the application or applications that created them. By selecting different combinations of application definitions and file extensions, you have considerable granularity in deciding which files are blocked. Use this task to define an application file access protection rule.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Application File Access Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard. You can include or exclude tags and file extensions as well as application definitions.

Step 1 of 6: Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 2 of 6: Select available tags to be included or excluded from the rule. You must include at least one tag in order to use the exclude tag option. Click Add item to create a new tag. Click Next.
Step 3 of 6 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 4 of 6 (optional): Select a document properties definition or definition group from the available list. Click Add item to create a new document properties definition or Add group to create a new document properties group. Click Next.
Step 5 of 6: Select actions from the available list. The only options for application file access rules are Monitor and Notify User. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. Click Next.
Step 6 of 6 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a clipboard protection rule

Clipboard protection rules monitor or block use of the clipboard. Use this task to define a clipboard protection rule.

NOTE: Trusted processes are not part of the clipboard rule logic. Applications with a Trusted strategy are not exempt from being blocked by clipboard rules.

To protect clipboards larger than 1 MB, select the Protect clipboard of any size option on the Advanced Configuration tab of the Agent Configuration dialog box.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Clipboard Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard. You can include or exclude tags as well as application definitions.

Step 1 of 5 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. To limit the rule to particular application windows, type the title of a specific application window and click Add. Repeat as required. Click Next.
Step 2 of 5 (optional): Select tags, content categories, and groups to be included or excluded from the rule. You must include at least one tag, content category, or group in order to use the exclude option. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.
Step 3 of 5 (optional): Select a document properties definition or definition group from the available list. Click Add item to create a new document properties definition or Add group to create a new document properties group. Click Next.
Step 4 of 5: Select an action from the available list. For clipboard protection rules, Block is the only action, and Online / Offline the only option. Click Next.
Step 5 of 5 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining an email protection rule

Email protection rules monitor or block email sent to specific destinations or users. Use this task to define an email protection rule.

NOTE: In systems where both Microsoft Exchange and Lotus Notes are available, email rules will not work if the outgoing mail server (SMTP) name is not configured for both. To activate Lotus Notes support, select the Lotus Notes Handler on the Miscellaneous tab of the Agent Configuration dialog box. McAfee recommends disabling unused handlers.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Email Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard.

Step 1 of 9 (optional): Select the Select from list option, and select one or more email destination definitions. Click Add item to create a new email destination definition, or Add group to create a new destination group. Click Next.
Step 2 of 9 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 3 of 9 (optional): Select the Select from list option, then select file extensions from the available list. You can include or exclude file extensions. Click Next.
Step 4 of 9 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 5 of 9 (optional): Select tags, content categories, and groups to be included or excluded from the rule. You must include at least one tag in order to use the exclude tag option. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.

Step 6 of 9 (optional): To apply the rule to attachments of specific encryption types, select the Select from list option, and select one or more attachment encryption types. Click Next.
Step 7 of 9 (optional): Select a document properties definition or definition group from the available list. Click Add item to create a new document properties definition or Add group to create a new document properties group. Click Next.
Step 8 of 9: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to block email when no justification is provided, you must also select Block. Email bypass feature: to exclude an email based on its subject, select Do not apply this rule if the email subject contains this pattern and select a pattern. NOTE: Text patterns must be pre-defined, and only one can be used per rule. Click Next.
Step 9 of 9 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a file system protection rule

File system protection rules protect files on specific file servers or mass storage devices. Files can be monitored, but not blocked. You can save evidence, and notify the user when files are monitored. You can specify applications, file extensions, file types, or tags to limit the rule. Use this task to define a file system protection rule.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | File System Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard. You can include or exclude tags and file extensions as well as application definitions.

Step 1 of 9: Select a destination or destinations where files are being sent. If you select File Servers, the Configure Selection window opens. Type a network path and click Add, or click Browse to select a new network destination, then Add to add it to the list. Click Next.
Step 2 of 9 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 3 of 9 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 4 of 9 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 5 of 9 (optional): Select tags, content categories, and groups to be included or excluded from the rule. You must include at least one tag, content category, or group in order to use the exclude option. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.

Step 6 of 9 (optional): Select a document properties definition or definition group from the available list. Click Add item to create a new document properties definition or Add group to create a new document properties group. Click Next.
Step 7 of 9 (optional): To apply the rule to files with specific encryption types, select the Select from list option, and select one or more encryption types. Click Next.
Step 8 of 9: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to encrypt files when no justification is provided, you must also select Encrypt. Click Next.
Step 9 of 9 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a network communication protection rule

Network communication protection rules monitor or block incoming or outgoing data on your network. You can protect incoming or outgoing connections or both directions. You can limit the rule with specific applications or tags. Use this task to define a network communication protection rule.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Network Communication Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard.
NOTE: You can include or exclude tags as well as application definitions.

Step 1 of 7 (optional): Select the Select from list option, then select one or more available network address ranges. You can protect or exclude range definitions. Click Add item to create a new network address range definition. Click Add group to create a new network address range group. Click Next.
Step 2 of 7 (optional): Select the Select from list option, then select one or more available network port ranges. You can protect or exclude range definitions. Click Add item to create a new network port range definition. Click Add group to create a new network port range group. Click Next.
Step 3 of 7: Select the network connection direction. Click Next.
Step 4 of 7 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 5 of 7 (optional): Select tags to be included or excluded from the rule. You must include at least one tag in order to use the exclude tag option. Click Add item to create a new tag. Click Next.
Step 6 of 7: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to block the connection when no justification is provided, you must also select Block. Click Next.
Step 7 of 7 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a PDF/Image Writer protection rule

McAfee Host Data Loss Prevention software can block PDF and Image Writer print drivers that print to files. Use this task to create and define a PDF/Image Writer protection rule.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | PDF/Image Writers Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard.

Step 1 of 2: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to block printing when no justification is provided, you must also select Block. Click Next.
Step 2 of 2 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a printing protection rule

Printing protection rules monitor or block files from being printed. You can limit the rule to specific applications or tags. Use this task to create and define a printing protection rule.

New Feature: Printer add-ins, enabled on the Agent Configuration | Miscellaneous tab, can improve printer performance when using certain common applications. The add-ins are only installed when a printing protection rule is enabled on the client computer.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Printing Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard.
NOTE: You can include or exclude tags as well as application definitions.

Step 1 of 6 (optional): Select the Select from list option, then select an available network printer. Select Other network printer to protect all network printers that have not been defined. Select Any local printer to protect printing from local printers, including PDF and Image Writer printer drivers. You must select a network printer, local printers, or both. Click Next.
NOTE: Only one of the first two steps can be optional.
Step 2 of 6 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 3 of 6 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 4 of 6 (optional): Select tags, content categories, and groups to be included or excluded from the rule. You must include at least one tag, content category, or group in order to use the exclude option. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.
Step 5 of 6: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to block printing when no justification is provided, you must also select Block. Click Next.
Step 6 of 6 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a removable storage protection rule

Removable storage protection rules monitor or block data from being written to removable storage devices. Use this task to define a removable storage protection rule.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Removable Storage Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard. You can include or exclude tags and file extensions as well as application definitions.

Step 1 of 8 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 2 of 8 (optional): Select tags, content categories, and groups to be included or excluded from the rule. You must include at least one tag, content category, or group in order to use the exclude option. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.
Step 3 of 8 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.

Step 4 of 8 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 5 of 8 (optional): Select a document properties definition or definition group from the available list. Click Add item to create a new document properties definition or Add group to create a new document properties group. Click Next.
Step 6 of 8 (optional): To apply the rule to specific encryption types, select the Select from list option, and select one or more encryption types. Click Next.
Step 7 of 8: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you select Encrypt, click Select an Encryption key to select an encryption key or add a new key. If you want Request Justification to encrypt files when no justification is provided, you must also select Encrypt. Click Next.
Step 8 of 8 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a screen capture protection rule

Use this task to define a screen capture protection rule.

NOTE: Trusted processes are not part of the screen capture rule logic. Applications with a Trusted strategy are therefore not exempt from screen capture rules, and will be blocked like any other applications.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Screen Capture Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard. You can include or exclude tags as well as application definitions.

Step 1 of 5 (optional): Select an application definition or definitions from the available list. You can include or exclude definitions. Click Add item to create a new application definition, or define a new group by clicking Add. Click Next.
Step 2 of 5: Type the title of a specific application window and click Add. Repeat as required. Click Next.
Step 3 of 5 (optional): Select tags to be included or excluded from the rule. You must include at least one tag in order to use the exclude tag option. Click Add item to create a new tag. Click Next.
Step 4 of 5: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to block files when no justification is provided, you must also select Block. Click Next.
Step 5 of 5 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Creating and defining a web post protection rule

Web post protection rules monitor or block data from being posted to websites, including web-based email sites. Use this task to define a web post protection rule.

New Feature: Web post protection rules can now block or monitor content uploaded to websites based on AJAX or Flash technologies. This includes the following sites that could not be blocked in earlier versions:
• Microsoft Outlook Web Access
• Gmail
• Google Docs
• Yahoo
• Hotmail

NOTE: When a web post protection rule is enabled, web post file uploads continue in the background after the upload bar indicates that the upload is finished.

NOTE: The web post protection rule is supported only for Microsoft Internet Explorer 6 and later. For other browsers, use network communication protection rules.

NOTE: Not defining any specific web destinations will block all outgoing HTTP content.

Task
For option definitions, press the F1 key.

1 From the navigation pane, select Content Protection | Protection Rules. The available protection rules appear in the main panel.
2 In the Protection Rules pane, right-click and select Add New | Web Post Protection Rule.
3 Rename the rule to something that will help you recognize its specific function.
4 Double-click the rule icon and follow these steps in the wizard. You can include or exclude tags and file extensions.

Step 1 of 8 (optional): Select the Select from list option, then select an available web destination or web destination group for this rule. Click Add item to create a new web destination definition. Click Add group to create a new web destination group. Click Next.
Step 2 of 8 (optional): Select tags, content categories, and groups to be included or excluded from the rule. You must include at least one tag, content category, or group in order to use the exclude option. Click Add item to create a new tag or content category. Click Add group to create a new tag and content category group. Click Next.
Step 3 of 8 (optional): Select the Select from list option, then select file extensions from the available list. Click Next.
Step 4 of 8 (optional): Select the Select from list option, then select file types from the available list. Use the Other File Types option to select unlisted (unknown) file types. Click Next.
Step 5 of 8 (optional): Select a document properties definition or definition group from the available list. Click Add item to create a new document properties definition or Add group to create a new document properties group. Click Next.

Step 6 of 8 (optional): To apply the rule to specific encryption types, select the Select from list option, and select one or more encryption types. Click Next.
Step 7 of 8: Select actions from the available list. By default, selecting an action selects both Online and Offline. Deselect either as required. If you select Monitor, click Severity to modify the value. If you select Notify User, click Change default alert to modify the alert message, URL, or link text. If you want Request Justification to block web posts when no justification is provided, you must also select Block. Click Next.
Step 8 of 8 (optional): Select an assignment group or groups. Click Finish.

5 To activate the rule, right-click the protection rule icon and select Enable.

Removing rules, definitions, device classes, or user groups

Use this task to remove rules, device classes, or any definition except whitelist content.

Before you begin
You cannot remove a definition or device class that is in use. Before removing it, you must deselect it in all rules and groups that contain it. To remove tags, you must either remove the rules that use them, or remove the tags from the rules.

TIP: If you don't know if or where the item is in use, attempt to remove it. If the item is in use, a message identifies which rules or groups contain it.

Task
1 In the Host DLP Policy console navigation pane, select the category (for example, Network definition) of the item you want to remove. The available items and groups appear in the main panel.
2 Select the item or group to remove, right-click and select Delete.
3 Click Yes to confirm the deletion. The definition is removed with a notification message.

How templates work

Templates are predefined system definitions such as application definitions or text patterns. Policy definitions stored in the templates directory can be shared or used later. Using the template synchronizer wizard, you can copy templates to an existing policy or create new templates from definitions created for the current system policy.

NOTE: When distributing a template to create a Plug and Play device definition, make sure that any device classes used in definitions are included in the system's defaults. If you use a device class that is not in the system default, add it before proceeding.

Synchronizing templates

Use this task to synchronize templates with the current policy.

Task
For option definitions, press the F1 key.
1 From the Host DLP Policy console File menu, select Synchronize Templates. The Template Synchronization wizard appears.
2 Select the template type from the tabs.
Figure 13: The Template Synchronization Wizard
3 Click the View icon to view the selected definition properties, or the Delete icon to remove the selected definition.
4 To copy a template to the current policy, or create a new template from a current policy definition, select the definition and click one of the Move icons. The definition entry is changed from Missing to the definition name. Where there is no match between the templates folder and the current system policy, the definition is displayed as missing.
5 Click OK.

Policy Assignment

After creating the rules and definitions required for your enterprise, you enforce them by assigning the policy to your managed computers. Once the policy is in place, use the Host DLP Monitor to audit the state of your enterprise's sensitive information.

Using McAfee Host Data Loss Prevention software involves the following tasks:
• Assigning policy — Deploying the Host DLP policy to managed computers.
• Monitoring events — Using the Host DLP Monitor to audit, view, filter, and sort events in your enterprise network.
• Performing administrative maintenance — Keeping the Host DLP Agents up-to-date and generating agent override, agent uninstall, and quarantine release keys as required.

Contents
Assigning policies with ePolicy Orchestrator
Importing policies and editing policy descriptions
Agent bypass and related features
Administering the Host DLP Agent

Assigning policies with ePolicy Orchestrator

Use these tasks to work with McAfee Host Data Loss Prevention policies in ePolicy Orchestrator.

Tasks
Applying the system policy
Assigning a policy or agent configuration

Applying the system policy

Use this task to apply a policy in ePolicy Orchestrator.

Verify the policy before applying it: click Tools | Run Policy Analyzer. If you see errors, resolve the problem(s) causing the error(s), or customize the policy analyzer options.
NOTE: Policies can be applied to ePolicy Orchestrator with warnings, but not if they contain errors.
TIP: To review a policy quickly, select File | Export Policy to HTML. This outputs the policy in an easily readable format for review and analysis. You can control exactly what is output on the Tools | Options | HTML Export tab.

Task
1 From the ePolicy Orchestrator Menu, select Data Protection | DLP Policy.
2 From the Host DLP Policy console File menu, select Apply to ePO. The Applying to ePO window appears.
3 Click Yes in the confirmation window. The policy is saved to the ePO database, and an administrative event is generated.
TIP: If you have activated the browser Status Bar, you see the message "Validation succeeded."
If you are using the agent backward compatibility option and a policy contains a feature that is unsupported in older agent versions, it will generate an error. See the McAfee Host Data Loss Prevention 9.1 Installation Guide for a list of unsupported features.

Assigning a policy or agent configuration

Use this task to assign a policy or agent configuration to a computer or directory with ePolicy Orchestrator.

Task
For option definitions, click ? in the interface.
1 In ePolicy Orchestrator, click System Tree.
2 Locate the directory containing the computers that will be assigned a policy, and select them.
3 Click Actions | Agent | Set Policy & Inheritance.
4 On the Assign Policy page, select the Product, Category, and Policy to be applied.
5 Click Save. You are returned to the System Tree.
6 Reselect the computers that will be assigned a policy, and click Actions | Agent | Wake Up Agents.
7 Select Agent Wake-Up Call, and set Randomization to 0 minutes. When the agent wake-up call is completed.

Importing policies and editing policy descriptions

Use these tasks to import policies from ePolicy Orchestrator, or to modify policy descriptions.

Tasks
Importing a policy from ePolicy Orchestrator
Editing a policy description

Importing a policy from ePolicy Orchestrator

Use this task to import a policy from ePolicy Orchestrator.

Task
1 From the Host DLP Policy console File menu, select Import Policy from ePO.
2 Click OK.

Editing a policy description

Use this task to change the name of a policy, or modify its description.

Task
1 From the Host DLP Policy console File menu, select Edit Policy Description.
2 Edit the policy name and description in the Host DLP Security Policy window.
3 Click OK.

Agent bypass and related features

Occasionally there is a legitimate business need to bypass the Host DLP system. McAfee Host Data Loss Prevention offers two methods of doing this.
• Business justification action
• Agent bypass

Business justification
Most protection rules offer the option of a Business Justification action. When this action is added to a protection rule, the user is prompted when copying or sending sensitive content. If a user types in a preset justification when prompted, the action is monitored, rather than blocked. Otherwise, the action is blocked, according to existing rules. Justifications are entered in the Global Agent Configuration window, and are part of the global policy.

Agent bypass
A user can be given permission to access or transfer sensitive information for a limited time. The agent context-menu is used to request a bypass. When this is done, the agent generates a FIPS-compliant 16 digit code. The user communicates this code to the Host DLP administrator. The administrator then sets the bypass time limit, generates a 32 digit challenge key, and returns this to the user. The challenge key is entered in the appropriate text box, and the bypass timer starts. When in bypass mode, all sensitive information is monitored. Both the user and the system administrator receive messages about the bypass status when it is enabled and disabled (the user by a popup message, and the administrator by an event entry in the ePO Event Monitor).

Quarantine removal
A similar situation occurs when the discovery crawler quarantines sensitive content on a client computer. To remove the files from quarantine, the user must request a quarantine remove key from the administrator. The procedure is similar to that of agent bypass and uninstall.

Administering the Host DLP Agent

Agent administration consists of keeping the Host DLP Agents up-to-date and generating agent override, agent uninstall, and quarantine release keys as required. Use these tasks to administer the Host DLP Agent.

Tasks
Refreshing the Host DLP Agent policy
Requesting an override key
Generating an agent override key
Generating a quarantine release key

Refreshing the Host DLP Agent policy

Normally, the system policy deployment relies on the ePolicy Orchestrator server. Users of managed computers do not refresh policies manually unless specifically instructed to do so. Use this task to update a policy in ePolicy Orchestrator without waiting for the scheduled refresh.
NOTE: Policies are updated on a scheduled basis by the ePolicy Orchestrator server, and the policy refresh on the managed computer is performed in accordance with the McAfee Agent settings.

Task
For option definitions, click ? in the interface.
1 In the ePolicy Orchestrator system tree, select the computer or computers to be refreshed.
2 Click More Actions | Wake Up Agents.
3 Select the wake-up call type, and set Randomization to 0 minutes. Click OK.

Requesting an override key

Occasionally, a user has a valid need to copy something that is blocked by a rule. In such cases, the user requests an override key, which bypasses normal agent action for a preset amount of time. When in bypass mode, the agent still collects and sends event information to the ePO Event Parser, marking them with the override flag. The user does not receive visual notification of events while in bypass mode. Use this task to request an override key.

Task
1 For McAfee Agent 4.0: In the system tray of the managed computer, click the McAfee Agent icon, then click (or right-click) the DLP icon and select Request Agent Bypass from the menu.
Figure 14: Requesting an agent bypass

For McAfee Agent 4.5: In the system tray of the managed computer, click the McAfee Agent icon, then right-click McAfee DLP Agent and select Request Agent Bypass from the menu. The release code window appears.
Figure 15: Host DLP Agent bypass request
NOTE: Each time you select Request Agent Bypass from the menu a new Identification Code is generated. You must leave the bypass request window open until you receive your matching Release Code.
2 The user communicates the Identification Code to the administrator. When approved, the administrator generates the Release Code and sends it to the user.
3 Type or paste the Release Code into the text box and click OK. The agent popup displays a verification.
NOTE: The release code is an 8 or 16 digit alphanumeric. If the code contains dashes (making it easier to read), you must remove them before copying the number into the text box.
Figure 16: Host DLP Agent popup

Generating an agent override key

When a user requests an override, the administrator can generate an override key for a specified period. The system administrator sets the length of time for the override before generating the code. Use this task to create an agent override key.

Task
1 From the Host DLP Policy console Tools menu, click Managed Features, then select Generate Agent Override Key.

2 Type the user information in Step 1.
NOTE: All fields are required, and all information is logged to the database.
3 (Step 2) Select the length of time to override the system rules.
4 (Step 3) Type the agent override key password or select Use password from current policy.
5 Type the agent override request Identification Code generated by the Host DLP Agent.
6 (Step 4) Click Generate Key to create the override code for the user. This Release Code is sent to the user to enter into the request bypass dialog box.

Generating a quarantine release key

Discovery rules can place files on a managed computer in quarantine if they contain sensitive content. The administrator can release these files for use by creating a quarantine release key. Use this task to create a quarantine release key.

Task
1 From the Host DLP Policy console Tools menu, select Generate Agent Quarantine Release Key.
2 Type the user information in Step 1.
NOTE: All fields are required, and all information is logged to the database.
3 Type the challenge code.
4 Type the agent override key password or select Use password from current policy.
5 Click Generate Key to create the release key for the user. This Release Code is sent to the user to enter into the request bypass dialog box.

The Host DLP Monitor and What It Does

Monitoring the system consists of gathering and reviewing evidence and events, and producing reports. The Host DLP Monitor can be installed on multiple ePolicy Orchestrator servers. It can also be installed on multiple clients that connect to the ePO server using a browser, and specific monitoring permissions are defined during the installation of the Host DLP Windows Communication Foundation (WCF) Service.

The system administrator or the security officer can follow administrative events regarding agents and policy distribution status. Auditors, signing officers, privacy officials and other key workers can use the Host DLP Monitor to observe suspicious or unauthorized activities and act in accordance with enterprise privacy policy, relevant regulations or other laws. As McAfee Host Data Loss Prevention takes a major role in an enterprise's effort to comply with all regulation and privacy laws, the Host DLP Monitor presents information about the transmission of sensitive data in an accurate and flexible way.

By reviewing recorded events and evidence, you determine when rules are too restrictive, causing unnecessary work delays, and when they are too lax, allowing data leaks. The Host DLP Monitor provides the necessary feedback for designing an effective Data Loss Prevention system. You can use the database administration tools to manage the database and view database statistics.

Contents
Agent events and how they are tracked
Redaction
Monitoring system events and alerts
Filtering event information
Using labels
Searching Host DLP Monitor events by event ID
Exporting Host DLP Monitor events
Printing Host DLP Monitor events
Sending Host DLP Monitor events by email

Agent events and how they are tracked

When an agent determines a policy violation has occurred, it generates an event and sends it to the ePO Event Parser. These events can be viewed, filtered, and sorted in the Host DLP Monitor, allowing security officers or administrators to view events and respond quickly. If applicable, suspicious content is attached as evidence to the event.

Agent override
Agent override temporarily suspends blocking by the agent. When in override mode, the agent still collects and sends event information to the ePO Event Parser. Events are marked with the override flag. The user does not receive visual notification of events while in override mode.

Evidence
Some rules allow the option of storing evidence. When this option is selected, an encrypted copy of the content that was blocked or monitored is stored in the pre-defined evidence folder on the endpoint computer. When the Host DLP Agent passes information to the server, the folder is purged and the evidence is stored in the server evidence folder. Settings on the Evidence tab of the Agent Configuration can be used to control the maximum size and age of local evidence storage when the computer is offline.

Prerequisites for evidence storage
Evidence storage must be enabled before it can be used. This is the default condition for McAfee Host Data Loss Prevention software. If you do not want to save evidence, you can improve performance by disabling the evidence handler. The following are either required or set as defaults when setting up the software:
Evidence storage folder — Specifying the UNC path to the evidence storage folder is a requirement for applying a policy to ePolicy Orchestrator. See the McAfee Host Data Loss Prevention Installation Guide for details on setting up the folder and setting access permissions.
Evidence replication setting — A setting on the Evidence tab of the Agent Configuration allows you to select evidence collection, hit highlighting, or both.
Evidence handler — The evidence handler is enabled on the Miscellaneous tab of the Agent Configuration. It is a sub-entry under Reporting Service, which must also be enabled for evidence collection.

Hit highlighting
The hit highlighting option helps administrators identify exactly which sensitive content caused an event. When selected, it stores an encrypted HTML file containing extracted text. For secured text patterns and dictionaries, the exact text is extracted. For tags and content categories, the text consists of a highlighted word or phrase and one hundred characters before and after (for context), organized by the tag or content category that triggered the event and including a count of the number of events per tag/content category.

Rules allowing evidence storage
The following rules have the option of storing evidence:
• Email protection rules — Saves a copy of the email
• File system protection rules — Saves a copy of the file
• Printing protection rules — Saves a copy of the file

• Removable storage protection rules — Saves a copy of the file
• Screen capture protection rules — Saves a JPEG of the screen
• Web post protection rules — Saves a copy of the email
• Discovery rules — Saves a copy of the file

Hit count

The Host DLP Monitor maintains hit counts — the number of tags and content categories that triggered each event. A single event can generate multiple hits. For example, if an email with two attachments is blocked, the first attachment because it triggered a dictionary, and the second because it triggered a text pattern and contained tagged content, that would be listed as two hits and three tags and categories.

Hit counts are recorded in two fields in the Host DLP Monitor:
• Number of hits — the sum of content category hits. Tags are not counted. Multiple dictionary hits add to the total.
• Number of tags and categories — the sum of all content categories and tags found.
For RSS feeds, the total number of hits is concatenated to each evidence file path.

Redaction

To meet legal demands in some markets, and to protect confidential information in all circumstances, McAfee Host Data Loss Prevention software offers a data redaction feature. When using data redaction, specific fields in the DLP Monitor containing confidential information are encrypted to prevent unauthorized viewing. Currently, the fields computer name, user name, and IP address are predefined as confidential. In the event details pane, links to evidence are hidden.

Redacted information is encrypted in:
• DLP Monitor
• RSS feeds

The confidential fields can only be viewed by a user who has User can reveal sensitive data permissions. This can only be done in the presence of a user with User can partially view DLP Monitor permissions. The permissions are set up in the Permission Sets section of ePolicy Orchestrator. See the McAfee Host Data Loss Prevention Installation Guide for details on setting permissions. If you are not using the redaction feature, use the permission User can view DLP Monitor, which allows viewing without encryption. The enable/disable option is in the WCF setup wizard.

Redaction in ePO Reports
In ePO reports and the Event Threat log, all DLP events are filtered out of the reports for unauthorized users. A user with the DLP Monitor permission User can partially view DLP Monitor can view only the following reports:
• Agent distribution by date
• Agent version
• Bypassed agents
• Enforced device control rules

• Enforced discovery rules
• Enforced protection rules
• Evidence path distribution
• Event collector distribution
• Policy distribution
• Privileged permissions
• Undefined device classes
• Unmanaged printers
• Unsupported printers

Table 3: Summary of DLP Monitor permissions and their effects

Permission: User cannot view DLP Monitor
Description: User is unauthorized to view the DLP Monitor.
Effect in DLP Monitor: DLP Monitor is unavailable.
Effect in ePO Reports: No DLP Reports are authorized.
Effect in RSS feeds: All events are filtered out.
Effect in Event Threat log: DLP events are filtered out.

Permission: User can partially view DLP Monitor
Description: User is not authorized to view confidential fields.
Effect in DLP Monitor: DLP Monitor is available, but confidential fields are encrypted and evidence is hidden.
Effect in ePO Reports: DLP Event Reports are empty.
Effect in RSS feeds: Confidential fields are encrypted if WCF service was installed with redaction enabled.
Effect in Event Threat log: Only general information about DLP events is available.

Permission: User can view DLP Monitor
Description: User can view all DLP event data.
Effect in DLP Monitor: All DLP Monitor fields are available.
Effect in ePO Reports: All DLP Reports are authorized.
Effect in RSS feeds: Available.
Effect in Event Threat log: Only general information about DLP events is available.

Permission: User can reveal sensitive data
Description: User is not authorized to view DLP Monitor, but can decrypt confidential fields in the presence of a user who can view DLP events.
Effect in DLP Monitor: DLP Monitor is unavailable.
Effect in ePO Reports: No DLP Reports are authorized.
Effect in RSS feeds: DLP events are filtered out.
Effect in Event Threat log: DLP events are filtered out.

Viewing redacted monitor fields

Use this task to view redacted content in the DLP Monitor.

Before you begin
Create permission sets for viewing and auditing in ePolicy Orchestrator. See the McAfee Host Data Loss Prevention Installation Guide for information.

Task
1 Select the events to be viewed.
NOTE: You can select up to 10 events at one time.

2 Right-click, and select Decrypt Data of Selected Events.
3 Enter a user name and password in the Release Redacted Information dialog box and click OK. The confidential information is revealed.
NOTE: The permission set in ePolicy Orchestrator for releasing information is different than the permission set for viewing information. An administrator account for viewing the DLP Monitor (and selecting the events) cannot release the encrypted information. A Global Administrator account, or one with permission to reveal sensitive data, is required. These are separate roles and require separate permission sets. See the McAfee Host Data Loss Prevention 9.1 Installation Guide for information on setting up the permission sets.
4 If any Evidence is available, double-click the attached file to view its content. Redacted evidence is viewed in a similar manner.
5 To view encrypted sensitive text, select the data to view, right-click, and select Decrypt Data of Selected Events from the context menu. A credentials dialog box appears. In the dialog box that appears, enter the user name and password of an administrator with permission to reveal sensitive data.
NOTE: Two administrators are required: one with permission to view the DLP Monitor (except sensitive text), the other with permission to view sensitive text.

Monitoring system events and alerts

Use this task for basic Host DLP Monitor operations.

Task
1 In ePolicy Orchestrator, click Reporting, then click Host DLP Monitor.
2 In the All Events pane, sort the list by clicking any column.
3 Select a single event from the list to display its full details. The event information appears in the Details pane.
TIP: Click the Hide/Display icon to hide/display the Details pane. To enlarge either of the panes, grab the bar between the All Events and Details panes and drag it.
NOTE: When the Monitor window is minimized to the taskbar, new event notifications are displayed via the popup tray.

Filtering event information

When viewing events, you might need to reduce the amount of information shown to see relevant details at a glance. You can apply a filter to define specific criteria to reduce the list of events to only relevant data. Some typical filters are:
• Critical events. Sort by severity, user, time of day, and so forth.
• Violations of a new rule.

• Events associated with a particular user or computer.
NOTE: Two standard filters are Computer Name and User Name. If you are using the redaction feature, these fields are pre-defined as confidential and are encrypted for users with partial view permission.

Tasks
Defining filters
Defining date filters
Adding predefined filters
Filtering the events monitor list

Defining filters

Use this task to define a new events filter.

Task
1 On the Host DLP Monitor toolbar, click the Show Filters icon to display the available filter list.
2 Click the Add Filter icon to add a new filter.
3 Type a name for your filter in the Filter Name text box.

4 Select the filter conditions and properties.
Figure 17: Host DLP Monitor Filter dialog box
5 Click OK. You are prompted to save the filter. The filter is applied to the events displayed in the events panel. However, you can't use the filter in future monitor sessions if you do not save it.
NOTE: The filter is applied even if you click No at the prompt.
6 In the Filters pane, click the Edit button to modify the filter.

Defining date filters

Use this task to define a date filter.

Task
1 On the Host DLP Monitor toolbar, click the Show Filters icon to display the available filter list.
2 On the Host DLP Monitor toolbar, click the Add Filter icon to add a new filter.
3 Type a name for your filter in the Filter Name text box.
4 Under Filter Conditions, select Event Time.

5 To set a date range, use the Date pull-down list and related calendars.
6 To select an hour range, use the Hours pull-down menu and related hour lists.
7 To select a day of the week, select In from the Days pull-down list, then select the days of the week.
8 To display a relative range, select Display recent events in the Relative section, select a number in the dial window, and a unit (Hours, Days, Months) in the units window.
9 Click OK.
NOTE: You can combine selections from any of the sections to define your date filter. However, you should take care that the definitions are compatible with each other. For example, do not select a relative range with a date that is outside of that range.

Adding predefined filters

McAfee Host Data Loss Prevention software contains a number of predefined filters that can save you the trouble of creating commonly used filters.

Task
1 From the Host DLP Monitor File menu, select Load filters from file.
2 Select the file DefaultFilters.xml and open it. The filters appear in the Filters window.

Filtering the events monitor list

Use this task to filter the events monitor list.

Task
1 On the DLP Monitor toolbar, click the Show Filter icon to display the available filter list.
TIP: By default, the Filters pane is hidden. Click the Show Filter icon to display the selected filters.
2 In the Filters section, select a predefined filter or create a new one. Select the filters you want to use and click OK.
3 Select more filters (optional). All selected filters display simultaneously. The title of the event list becomes the name of the filter, and the list displays according to the filter definition.
NOTE: By default, all administrative events such as agent state (up or down), policy changed, and so forth, are displayed in the event list with all other system events. To exclude administrative events from the list, click the Hide administrative events icon on the Host DLP Monitor toolbar.

Using labels

Customized labels allow you to mark events with a unique tag. The events can then be easily sorted and filtered by these customized labels. Use this task to create or remove a label.

Task
1 In the Host DLP Monitor, select an event, several events, or a range of events.
2 Click Labels | Set Labels.
3 In the Label Editor, select a label from the list or create a new label by typing in a name for the label and clicking New Label.
4 Click OK to add the label to the event(s). The selected label(s) are both applied and saved.
5 To remove labels, or to change them, select the events and click Labels | Remove Labels.
NOTE: You can also use Set Labels to remove labels. Set Labels changes the state of the label according to what is selected. Add Labels adds a label, but doesn't remove or change. Remove Labels only removes the selected label(s).

Searching Host DLP Monitor events by event ID

Use this task to find an event by ID.

Task
1 On the Host DLP Monitor toolbar, click the Search icon to start the search.
Figure 18: Host DLP Monitor search dialog box
2 Type the event ID and select one of the find options.
3 Click Find.

Exporting Host DLP Monitor events

The Host DLP Monitor export feature produces an Excel file that you can use for further analysis or auditing, or as part of an external report. Use this task to export Host DLP Monitor events.

Task
1 From the Host DLP Monitor File menu, select Export.
2 Select Export Events to Excel to export the complete event list, or Export Selected Event to Excel to export a specific event from the list.

3 Type a file name and click Save.

Printing Host DLP Monitor events

Use this task to send a list of events or event details to a printer.

Task
1 In the Host DLP Monitor, select the event or events you want to print.
2 From the Host DLP Monitor File menu, select one of the following:
• To print just the events, select Print | Selected Events.
• To print event details, select Print | Details.
• To print the complete list, select Print | Event Table.

Sending Host DLP Monitor events by email

Use this task to email specific events to users.

Task
1 In the Host DLP Monitor, select specific events.
2 Right-click and select Send email report or Send email report (Without evidence). An email message with the selected event details appears.
3 Add a recipient and click Send.
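The Hit count section earlier in this chapter gives a counting rule in prose only. The following is an added example (not McAfee code) that models that rule on a constructed event structure: content category matches (dictionaries and text patterns) count toward Number of hits, every repeat of a dictionary match adds to that total, tags never do, and Number of tags and categories counts each distinct tag or category that fired. The event, attachment and match classes are assumptions made for the example; the sample event reproduces the guide's two-attachment email.

```python
"""Hit counts per the Host DLP Monitor 'Hit count' fields.

Added example (not McAfee code). Event, Attachment and Match are constructed
here to model the guide's description:
  - Number of hits: sum of content category hits (dictionary and text-pattern
    matches). Tags are not counted. Multiple dictionary hits add to the total.
  - Number of tags and categories: the tags and content categories found.
    Assumption: each distinct tag or category is counted once per event.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CONTENT_CATEGORY_KINDS = {"dictionary", "text_pattern"}
TAG_KIND = "tag"


@dataclass
class Match:
    kind: str              # "dictionary", "text_pattern" or "tag"
    name: str              # which dictionary, text pattern or tag fired
    occurrences: int = 1   # a dictionary may fire several times in one file


@dataclass
class Attachment:
    name: str
    matches: List[Match] = field(default_factory=list)


@dataclass
class Event:
    event_id: int
    attachments: List[Attachment] = field(default_factory=list)


def hit_counts(event: Event) -> Dict[str, int]:
    """Return the two Host DLP Monitor hit-count fields for one event."""
    hits = 0
    found = set()   # distinct (kind, name) pairs: tags and categories
    for att in event.attachments:
        for m in att.matches:
            if m.kind in CONTENT_CATEGORY_KINDS:
                hits += m.occurrences          # every category hit counts
            elif m.kind != TAG_KIND:
                raise ValueError(f"unknown match kind {m.kind!r}")
            found.add((m.kind, m.name))        # tags count here, not in hits
    return {"number_of_hits": hits,
            "number_of_tags_and_categories": len(found)}


# Constructed sample: the guide's example of a blocked email with two
# attachments. The first triggered a dictionary; the second triggered a
# text pattern and contained tagged content.
GUIDE_EXAMPLE = Event(
    event_id=1001,
    attachments=[
        Attachment("quarterly.xls", [Match("dictionary", "Financial terms")]),
        Attachment("customers.doc", [Match("text_pattern", "Credit card number"),
                                     Match("tag", "Confidential")]),
    ],
)


def summarize(events: List[Event]) -> Dict[int, Dict[str, int]]:
    """Per-event field values, as the Monitor would list them."""
    return {e.event_id: hit_counts(e) for e in events}


if __name__ == "__main__":
    for event_id, counts in summarize([GUIDE_EXAMPLE]).items():
        # 1001 {'number_of_hits': 2, 'number_of_tags_and_categories': 3}
        print(event_id, counts)
```

The distinction matters when tuning rules: a dictionary that fires many times in one file inflates Number of hits without changing Number of tags and categories, so a high hits-to-categories ratio points at a single noisy definition rather than broadly sensitive content.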

Database Administration and Reporting

McAfee Host Data Loss Prevention has built-in features for database management and reporting. The database features allow you to remove data that is no longer needed, and to view database statistics.

Reporting
McAfee Host Data Loss Prevention uses ePolicy Orchestrator reporting features. In addition, you can view information on product properties on the ePO Dashboard. ePO Notifications are supported. See the Sending Notifications chapter in the McAfee ePolicy Orchestrator 4.0 Product Guide for details. ePolicy Orchestrator rollup queries and rolled up reports, which summarize data from multiple ePO databases, are supported. For information on using the ePO reporting service, see the ePolicy Orchestrator Product Guide.

Contents
Report options
Setting up RSS feeds
Administering the database
Viewing database statistics

Report options

McAfee Host Data Loss Prevention offers two reporting options to review events, ePO Reports and RSS feeds.

ePO Reports
McAfee Host Data Loss Prevention integrates reporting with the ePolicy Orchestrator reporting service. Two types of reports are supported:
• Host DLP properties reports
• Host DLP events reports
Nine Host DLP properties reports are displayed in the DLP: Status Summary dashboards. Twelve predefined events queries are provided. All twenty-one queries can be found in the ePolicy Orchestrator console under Menu | Queries | Shared Groups. See the Querying the Database chapter in the McAfee ePolicy Orchestrator Product Guide for details.
ePolicy Orchestrator includes a "rollup" function, which runs queries that report on summary data from multiple ePO databases. All of the McAfee Host Data Loss Prevention reports are set up to support rollup queries.

RSS feeds
You can monitor McAfee Host Data Loss Prevention events without being logged on to ePolicy Orchestrator. You can set up any RSS reader that supports authentication to get feeds from the Host DLP Monitor. See the ePolicy Orchestrator documentation for instructions.

ePO Dashboard/ePO Reports
You can view information on Host DLP product properties on the ePO Dashboard. There are nine predefined monitors that display on the DLP: Status Summary tab of the ePO Dashboards console. Monitors can be edited and customized, and new monitors can be created. The DLP Dashboards are listed as Public Dashboards in the ePO Manage Dashboards window.
The nine dashboard reports and eleven other predefined reports are available from the ePolicy Orchestrator Menu by selecting Queries. They are listed under Shared Groups. Those also available as rolled up reports are indicated in the tables. You can use Host DLP Monitor filters to filter results.

Table 4: Predefined Host DLP Dashboards
Name — Description
Agent to ePO communications distribution (also rolled up report) — Displays agents according to the date of their last communication with ePolicy Orchestrator. Used to monitor agent deployment progress.
Agent version (also rolled up report) — Displays the distribution of agents in the enterprise. Useful when there are several different agent configurations.
Bypassed agents — Displays how many Host DLP nodes are in policy bypass mode. This is a real-time view that refreshes when a bypass begins or expires.
Enforced device control rules — Displays the number of computers enforcing each device control rule.
Enforced protection rules — Displays the number of computers enforcing each protection rule.
Event collector distribution — Shows how many nodes report to each event collector server. Useful in the case of a multiple event collector setup.
Evidence path distribution — Displays the different evidence shares used by the agents.
Policy distribution (also rolled up report) — Displays the Host DLP policy distribution throughout the enterprise. Used to monitor progress when deploying a new policy.
Privileged permissions — Displays the current privileged Host DLP users. It allows you to drill down to view normal Host DLP users as well as users with "monitor only" permissions, and users allowed to bypass all Host DLP events.

Table 5: Predefined Host DLP Event Reports
Name — Description
Agent status — Displays all agents and their status.
Block and block write device events — Displays device events that were blocked or write-blocked.
Daily events distribution by severity — Displays a day's events ordered by severity.
Enforced discovery rules — Displays the number of computers enforcing each discovery rule. Drill down to view which rules are being enforced on which users.
Events by event type (also rolled up report) — Displays the number of events for each event type.
Events by protection / discovery rule by date — Displays the number of events for each rule, for different dates.
Events by protection rule — Displays the number of events for each rule.
Events by severity (also rolled up report) — Displays the number of events for each severity level.

Events by tag and category (also rolled up report): Displays the number of events for each tag and content category that they recognize.
Undefined device classes: Lists and shows a bar graph of the devices whose device class cannot be determined. Clicking on a computer drills down to the properties of the computer.
Unmanaged printers: Lists and shows a bar graph of the unmanaged (whitelisted) printers and the number of nodes attached to each. Clicking either a listed printer or a bar on the graph drills down to a list of the computers connected to it. Clicking on a workstation drills down to the properties of the computer.
Unsupported printers: Lists and shows a bar graph of the unsupported printers (that is, printers detected by the Host DLP Agent that were not whitelisted but failed to install a Host DLP proxy driver) and the number of nodes attached to each. Clicking either a listed printer or a bar on the graph drills down to a list of the computers connected to it. Clicking on a computer drills down to the properties of the computer.

RSS feeds
You can monitor McAfee Host Data Loss Prevention events without being logged on to ePolicy Orchestrator. You can set up any RSS reader that supports authentication to get feeds from the Host DLP Monitor. You can use Host DLP Monitor filters to filter results.

Setting up RSS feeds
McAfee Host Data Loss Prevention events can be viewed in any RSS reader (feed reader) that supports authentication. Host DLP Monitor provides a feed of the latest 50 events. Use this task to configure your reader to receive Host DLP events.

Task
For option definitions, click ? in the interface.
1 Open the reader and select the Add feed option.
2 Specify the DLP RSS URL: http://<servername>:8731/DLPWCF/DLPRSSFeeder/GetRSS.
NOTE: Replace <servername> with the name of the DLP Event Parser server. For a standard installation, use localhost. You might also need to change the port designation, depending on your installation.
3 To change the default number of events, change the URL to .../GetRSSCounted?itemCount=X.
4 To filter the results with an existing Host DLP Monitor filter, use .../GetRSSFiltered?filterName=X.
5 To specify both an event count and a filter, use .../GetRSSFilteredCounted?filterName=X&itemCount=Y.

Setting up Data Loss Prevention rolled up reports
Use this task to set up a rolled up report of McAfee Host Data Loss Prevention data.

Task
For option definitions, click ? in the interface.
1 From the ePolicy Orchestrator Menu, select Automation | Server Tasks, then click New Task.
2 Type a name for the task, and (optional) notes, then click Next.
3 In the Actions drop-down menu, select Roll Up Data.
4 In the Data Type drop-down menu, select one of the McAfee Host Data Loss Prevention report types: DLP CMA Properties or DLP Events. Continue with the configuration as required. Click Next.
5 Set the schedule type, date and time. Click Next.
6 Review the set-up information, then click Save.
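The feed endpoints above can be driven from a collector script as well as from a desktop reader. The following Python is an added example, not code from the product guide or from McAfee's software. It builds the four documented URL variants with proper query encoding, parses the RSS 2.0 document into event records, and tracks already-seen item GUIDs across polls so a collector neither re-ingests the same events nor silently misses events when more than the feed's 50 most recent arrive between two polls. The host names, the item contents of the sample feed and the evt-… GUIDs are constructed for the example; the guide does not specify the item format or the authentication scheme, so retrieval of the XML is left to the caller (the reader must still authenticate, as the guide states). Note also that the documented feed URL is plain http on port 8731, so treat the reader's credentials and the event text as exposed on the network unless your installation puts TLS in front of the service.

```python
"""Build Host DLP RSS feed URLs and poll the feed without duplicates or gaps."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

DEFAULT_PORT = 8731                    # standard installation per the guide
FEED_BASE = "/DLPWCF/DLPRSSFeeder/"    # path per the guide


def build_feed_url(server, item_count=None, filter_name=None, port=DEFAULT_PORT):
    """Return the GetRSS / GetRSSCounted / GetRSSFiltered / GetRSSFilteredCounted URL.

    Endpoint names and parameter names come from the product guide; this function
    only selects the right endpoint and URL-encodes the parameters so a filter
    name containing spaces or '&' is not mangled.
    """
    if item_count is not None and (not isinstance(item_count, int) or item_count <= 0):
        raise ValueError("item_count must be a positive integer")
    if filter_name is not None and item_count is not None:
        method, query = "GetRSSFilteredCounted", {"filterName": filter_name, "itemCount": item_count}
    elif filter_name is not None:
        method, query = "GetRSSFiltered", {"filterName": filter_name}
    elif item_count is not None:
        method, query = "GetRSSCounted", {"itemCount": item_count}
    else:
        method, query = "GetRSS", {}
    url = f"http://{server}:{port}{FEED_BASE}{method}"
    return url + ("?" + urlencode(query) if query else "")


def parse_feed(xml_bytes):
    """Parse an RSS 2.0 document into a list of dicts (guid, title, pub_date, description)."""
    root = ET.fromstring(xml_bytes)
    events = []
    for item in root.iter("item"):
        events.append({
            "guid": (item.findtext("guid") or "").strip(),
            "title": (item.findtext("title") or "").strip(),
            "pub_date": (item.findtext("pubDate") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
        })
    return events


class FeedPoller:
    """Track item GUIDs across polls of a feed that only carries the latest events.

    ingest() returns (new_events, possible_gap). possible_gap is True when a
    non-first poll returned a full feed with no overlap with what was seen
    before: events may have rolled off the feed between the two polls, so the
    poll interval is too long or item_count should be raised.
    """

    def __init__(self, feed_size=50):          # 50 is the documented default
        self.feed_size = feed_size
        self.seen = []                          # GUIDs in arrival order, bounded

    def ingest(self, xml_bytes):
        first_poll = not self.seen
        items = parse_feed(xml_bytes)
        new = [e for e in items if e["guid"] and e["guid"] not in self.seen]
        self.seen.extend(e["guid"] for e in new)
        self.seen = self.seen[-4 * self.feed_size:]   # remember a few feeds' worth
        possible_gap = (not first_poll) and len(items) >= self.feed_size and len(new) == len(items)
        return new, possible_gap


# Constructed sample feed; field values are illustrative, not a captured product feed.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Host DLP events (constructed sample)</title>
<item><guid>evt-1001</guid><title>Removable Storage - Block</title>
<pubDate>Mon, 01 Mar 2010 09:12:00 GMT</pubDate><description>user alice, device E:</description></item>
<item><guid>evt-1002</guid><title>Email Protection - Monitor</title>
<pubDate>Mon, 01 Mar 2010 09:15:00 GMT</pubDate><description>user bob</description></item>
</channel></rss>"""


if __name__ == "__main__":
    print(build_feed_url("localhost", item_count=100, filter_name="High severity"))
    poller = FeedPoller(feed_size=2)
    for e, _gap in [poller.ingest(SAMPLE_FEED)]:
        for ev in e:
            print(ev["guid"], ev["title"], ev["pub_date"])
```

In production the caller fetches the URL with whatever authentication the reader is configured for and passes the body to FeedPoller.ingest() on a schedule; when possible_gap is returned, shorten the interval or raise itemCount rather than assuming the feed was complete.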

Administering the database
Use this task to remove events from the events database.

Before you begin
When removing events from the database, make sure they have been properly reported and analyzed. McAfee recommends creating a database backup prior to removing events.

Task
For option definitions, click ? in the interface.
1 In the Host DLP Policy console navigation pane, under Database Administration, select Database Administration. The administrative actions appear in the main panel.
2 Select an action from the available list. The confirmation window appears.
CAUTION: Pay attention to the description of each option. Specifically, the Date option removes events older than the date specified. Removing all events from the system can potentially remove violations before they have been seen by security officers or administrators.
3 Click Execute to proceed with the operation or Close to cancel the operation. The operation progress bar window appears.

Viewing database statistics
Use this task to view the database statistics.

Task
For option definitions, click ? in the interface.
1 In the Host DLP Policy console navigation pane, under Database Administration, select Database Statistics. The list of available statistical values appears in the main panel.
2 Select any value from the available list to view details.
3 On the toolbar, click Refresh Database statistics to update the information.

Configuring the Host DLP System

System components can be customized to best fit the needs of your enterprise. By configuring the agent and system options, you can optimize the system to safeguard sensitive enterprise information efficiently.

You can configure and fine-tune these options and components:
• McAfee Device Control vs. full McAfee Host Data Loss Prevention configuration.
• Agent configuration: Sends the agents all relevant information about event storage locations, customized user notifications, file tracing parameters, whitelisted content limitations and locations, and agent module selections.
• System options: Allows you to set the DLP Policy WCF service path, Outlook logon settings, policy analyzer settings, system logging options, and system report printing options.

Contents
McAfee Device Control
Agent configuration
System tools
Managing agent configuration
Configuring Safe Mode operation
Viewing the system log

McAfee Device Control
McAfee Host Data Loss Prevention is available in two versions: a Device Control-only version, and a full Data Loss Prevention version. The default installation is for a 90-day trial license for McAfee Device Control. Upgrade to full McAfee Host Data Loss Prevention by upgrading the license. When upgrading, you do not need to reinstall the software. License options for either version of the software are 90-day trial or unlimited.

The default configuration of McAfee Device Control includes device rules and removable storage protection. You can turn off removable storage protection if it is not needed.

Differences between versions
The following definitions are turned off (unavailable) in McAfee Device Control:
• Discovery
• Email Destinations
• File Servers
• Network
• Printers
• Rights Management

• Web Destinations

The following features are unavailable:
• Protection rules (with the exception of removable storage rules)
• Tags and tagging rules

Agent configuration
The Host DLP Agent resides on enterprise computers and executes the defined policy. The agent also monitors user activities involving sensitive content. To define the behavior of the agent and other system components, use the Agent Configuration menu in the Host DLP Policy console. Agent configuration is stored in the policy, which is deployed to managed computers. If the agent configuration is updated, the policy needs to be redeployed.

Agent Service WatchDog
To maintain normal operation of the Host DLP Agent, even in the event of malicious interference, McAfee Host Data Loss Prevention runs a protective service called the Agent Service WatchDog (ASWD). This service monitors the Host DLP Agent, and restarts it if it stops running for any reason. ASWD is enabled by default. If you want to verify that ASWD is running, look in the Windows Task Manager processes for a service named fcagswd.exe.

System tools
Use the system tools in McAfee Host Data Loss Prevention software version 9.1 to keep track of system health alerts and to configure advanced features.

System log
Use the system log to observe and receive alerts about the system health and related events. The system log is crucial for troubleshooting.

Managing agent configuration
After setting the options in the Agent Configuration window, you can use the Configuration menu to restore default settings and to save the settings to a file, which can be used as a configuration backup or to load the same agent configuration on other systems. Use these tasks to work with the Global Configuration Policy.

Tasks
Applying the global agent configuration
Importing the global agent configuration
Resetting the agent configuration values
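A scripted version of the Task Manager check above, as an added example rather than code from the product guide: it runs tasklist filtered to the fcagswd.exe image, parses the CSV output, and handles the case where tasklist prints an INFO line instead of CSV because nothing matched. Only the image name comes from the guide; the use of tasklist and the sample outputs are constructed for this example. A monitoring job can call check_watchdog() on each endpoint and alert when it returns False, since an agent whose watchdog has been stopped has lost the restart protection the section describes.

```python
"""Verify that the Agent Service WatchDog process (fcagswd.exe) is running."""
import csv
import io
import subprocess

WATCHDOG_IMAGE = "fcagswd.exe"   # process name given in the product guide


def parse_tasklist_csv(output):
    """Return rows of `tasklist /FO CSV` output as dicts keyed by column header.

    When a /FI filter matches nothing, tasklist prints an INFO line rather than
    CSV, so that case (and empty output) yields an empty list instead of a
    bogus row built from the INFO text.
    """
    text = output.strip()
    if not text or text.startswith("INFO:"):
        return []
    return list(csv.DictReader(io.StringIO(text)))


def watchdog_processes(output):
    """Rows whose Image Name is the watchdog, compared case-insensitively like Windows."""
    return [row for row in parse_tasklist_csv(output)
            if row.get("Image Name", "").lower() == WATCHDOG_IMAGE]


def check_watchdog(run=None):
    """Return (running, pids). `run` is a callable returning tasklist's stdout;
    by default it executes tasklist on the local Windows host."""
    if run is None:
        def run():
            return subprocess.run(
                ["tasklist", "/FI", f"IMAGENAME eq {WATCHDOG_IMAGE}", "/FO", "CSV"],
                capture_output=True, text=True, check=False).stdout
    procs = watchdog_processes(run())
    return bool(procs), [p["PID"] for p in procs]


# Constructed sample outputs in the format tasklist /FO CSV produces.
SAMPLE_RUNNING = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"fcagswd.exe","1432","Services","0","5,236 K"\n'
)
SAMPLE_MISSING = "INFO: No tasks are running which match the specified criteria.\n"


if __name__ == "__main__":
    running, pids = check_watchdog()
    print("ASWD running" if running else "ASWD NOT running", pids)
```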

Applying the global agent configuration
Use this task to apply the global agent configuration.

Task
1 From the Host DLP Policy console Agent Configuration menu, select Apply global Agent Configuration.
2 Click Yes to confirm. The Agent Configuration progress bar window appears as the configuration is applied to ePolicy Orchestrator.

Importing the global agent configuration
Use this task to import a global agent configuration.

Task
1 From the Host DLP Policy console Agent Configuration menu, select Import Global Agent Configuration from ePO.
2 Click Yes to confirm.

Resetting the agent configuration values
Use this task to reset the agent configuration values to the defaults.

Task
• From the Host DLP Policy console Agent Configuration menu, select Reset Agent Configuration values. Click Yes to restore default settings.

Configuring Safe Mode operation
Safe Mode operation was changed in McAfee Host Data Loss Prevention version 9.0. The agent itself does not run in Safe Mode. Only agent protection operates in Safe Mode. Use this task to configure the agent protection in Safe Mode.

Task
For option definitions, press the F1 key.
1 From the Agent Configuration menu, select Edit Global Agent Configuration.
2 Open the Advanced Configuration tab.
3 Select Activate agent self protection in safe mode and change the setting to Enabled. A warning message appears concerning possible system inaccessibility with this option.
4 Click OK.

Viewing the system log
Use this task to display system log entries.

Task
• From the Host DLP Policy console Tools menu, select View Log (or press F7). The bottom of the window displays the system log entries.

Index

A
Adobe LiveCycle Rights Management. See rights management
agent bypass 94
agent configuration
    about 112
    assigning with ePolicy Orchestrator 92
    global 113
    resetting 113
    Safe Mode 113
application definitions
    about 60
    creating 61
    creating from the Enterprise Applications List 61
    removing 89
    strategy 13
    templates 89
    using 58
    web applications 62
application strategy 58
applications, in rules 58
archiver, application strategy 58
assignment groups
    computer 74
    creating 75
    definition 10
    privileged users 76
    users, including and excluding 74
audience, for this document 15

B
backward compatibility, errors with 91
business justification 82, 88, 93

C
category catalog 42
classification rules 10, 40
clipboard protection 81
    creating 81
components, described 9
computer assignment groups 74
content categories 39, 42

D
dashboards, report options 107
data
    classifying 28
    data-at-rest 54
    data-in-motion 67, 68
    data-in-use 62
database
    administration 107
    removing events 110
    statistics, viewing 110
date filters. See filters
definitions
    application 58
    device. See device definitions
    dictionaries 28
    document properties 29
    email destination 67
    file extension 29, 62
    file server list 63
    network 64
    printer 67
    registered document repository 29
    registered documents 32
    removing 89
    table of 79
    tags 39
    text pattern 30
    web destination 68
    whitelist 31
device class
    creating new 19
    removing 89
    status, changing 20
    types of 17
device control 111
device definitions
    groups 23
    importing 22
    importing to existing 22
    parameter management 18
    Plug and Play 20
    removable storage 21
device rules
    about 19
    definition 10
    Plug and Play 23
    removable storage 24
devices
    lists, adding Plug and Play definitions 21
    management 17
    parameters, list of 26
    Plug and Play 18
    removable storage 18
    whitelisted 18
dictionaries
    about 28
    creating 31
    importing entries 31
discovery
    about 54
    creating a discovery rule 55
    scheduling 57
    setup 56
DLP Discover 54
DLP messages. See online Help
DLP Monitor
    defining event filters 102
    responding to events 97
    system events and alerts 101
    viewing database statistics 110
    viewing redacted content 100
DLP Policy console
    defined 9
    illustrated 10, 14
DLP system
    configuring 112
    options. See online Help
document groups, registered, creating 32
document properties definitions 29
documentation, McAfee enterprise products 16

E
editor, application strategy 58
email
    application strategy 58
    protection rules 82
    sending DLP events by 106
email bypass 82
email destinations
    about 67
    creating 68
    definitions (table) 79
    groups 69
    removing 89
encryption 13
enterprise applications list
    about 58
    importing by scanning 59
    importing to 59
    removing applications 60
ePO Event Parser 9
ePolicy Orchestrator
    computer assignment groups 74
    ePO notifications 107
    ePO reports 107
    policy template synchronization wizard 91
    system policy, assigning 91
events
    defining new 102
    exporting 105
    marking with labels 104
    monitor list, filtering 104
    monitoring 97
    printing 106
    removing 110
    RSS feeds for viewing 109
    search by ID 105
    sending by email 106
    viewing 101
evidence
    agent events 97
    DLP Monitor 101
    storage for encrypted content 98
Excel, exporting to 105
explorer, application strategy 58

F
features, described 9
file access rules, removable storage 25
file extensions
    about 62
    creating 63
    creating groups 63
    definitions 29
    definitions (table) 79
    removing 89
file server list
    about 63
    adding a server 64
    creating 64
    definitions (table) 79
file system protection rule 83
filters
    date, defining 103
    defining new 102
    event information. See online Help
    events monitor list 104
    network definitions 64
    predefined 104

G
global agent configuration 113
groups
    device definitions 23
    email 69
    file extension 62
    network address range 65
    text patterns 34, 37
    web destination 72

H
HDLP actions/rules matrix (graph) 78
hit count 99
hit highlighting, events 98
Host DLP Agent
    bypass 93, 98
    defined 9
    memory setting. See online Help
    override key, creating 95
    service watch dog 112
    uninstall 93
    wake-up call 94
Host DLP data, classifying 30
Host DLP Monitor, defined 9
Host DLP Policy. See DLP Policy
Host DLP repositories, registered document 29
Host DLP rules
    classification 10
    device 10, 23, 24
    protection 10
    removable storage file access 25
    tagging 10
HTML export option. See online Help

I
Image Writer, in printing protection rules 85

J
justification. See business justification

K
key generator 93, 98

L
labels, marking events 104
local users 74
logging. See online Help
Lotus Notes, email protection rule 82

M
manual tags 46
McAfee Device Control 8, 111
McAfee Encrypted USB 18
McAfee Endpoint Encryption 18

N
network
    about 64
    address range 65
    address range group 65
    definitions (table) 79
    port range 66
    protection rule 84
    removing 89
network shares. See online Help
notifications, ePolicy Orchestrator 107
NTFS extended attributes. See online Help

O
Outlook probe. See online Help
override key
    generating 95
    requesting 94

P
parameters, device 26
PDF writer, in printing protection rules 85
Plug and Play devices
    device definitions 20
    whitelisted 18
    whitelisted definition, creating 21
policies
    applying to ePolicy Orchestrator 91
    assigning with ePolicy Orchestrator 92
    assignment with ePolicy Orchestrator 91
    definition 10
    editing a description 93
    importing 92
    refreshing 94
    user assignment 74
policy analyzer. See online Help
Policy console. See DLP Policy console
printer list
    adding printers 70
    creating 70
    definitions (table) 79
printer protection rule 85
printers
    about 67
    unmanaged 67, 71
    unsupported 67
    whitelisted 67, 71, 72
privileged users assignment group 76
protection rules
    application file access 80
    clipboard 81
    definition 10
    email 82
    file system 83
    how they work 78, 79
    network communication 84
    printer 85
    removable storage 86
    screen capture 87
    web post 88

Q
quarantine
    release key, generating 96
    removing files 93
quarantine release key. See online Help
quarantine removal 58

R
redaction
    about 99
    viewing content 100
    viewing redacted text 101
registered document repositories 29, 32, 33
    using 30
registered documents, repositories, indexing 33
removable storage protection rules 86
reporting 107
repositories, registered document 32
rights management
    setting up the server 51, 52
    synchronizing policies 51
    synchronizing templates 52
    users 49
    working with Data Loss Prevention 49
rolled up reports 107
    in Host Data Loss Prevention 109
rollup queries 107
RSS feeds
    monitoring events 107
    setting up 109
rules
    classification 40
    removing 89
    tagging 10, 40

S
Safe Mode 113
screen capture protection rules 87
server options. See online Help
storage devices, removable 18
strategy. See application definitions
strategy, for applications 58
system log 112
    viewing 113
system tools 112

T
tag groups 42
tagging rules
    application-based 43
    content-based 45
    creating 43
    definition 10
    dictionary 46
    links to content 40
    location-based 44
tags
    about 39
    content. See content categories
    creating 41
    definitions (table) 79
    in non-NTFS file systems. See online Help
    linking tags to content 40
    manual 46, 47
    removing 89
    storing. See online Help
templates 89
text patterns
    about 30
    creating 34
    definitions (table) 79
    groups 37
    removing 89
    testing 36
trusted, application strategy 58
tuning tool. See online Help

U
unmanaged printers. See printers, whitelisted
user assignment groups, creating 75
users
    assignment groups 74
    excluding from a user assignment group 74
    local 74
    restricting domains. See online Help

V
validators 30, 36

W
wake-up call 94
WatchDog
    configuring, about 112
    protective service. See online Help
WCF service 97
web destinations
    about 68
    creating 72
    definitions (table) 79
    groups 73
    removing 89
web post protection rules 88
whitelist
    adding content 37
    definition (table) 79
    deleting content 37
    printer 67
whitelisted Plug and Play devices 18
whitelists
    about 31
    application definitions 25
    how Data Loss Prevention works 10
    Plug and Play definitions, creating 21
    printers 72
    unmanaged printers 71
window titles, in screen capture protection rules 87
wizards
    Client Task Builder 33
    Template Synchronization 89