Channel: Symantec Connect - Products - Discussions

Agent not reporting

I need a solution

Hi,

I need a solution, if someone can help. We are using a DLP solution, and sometimes it's difficult to deal with agents not reporting. These users are, for example, on sick leave, resigned, or on a mission out of the office, so we need to have this information displayed when we click on the agent not reporting, to know exactly why it's not. So is there any option in the DLP solution for this?

Best regards


DLP Endpoint Agent 15.1 Crashes Skype Meetings

I do not need a solution (just sharing information)

My organization recently updated from Symantec Data Loss Prevention 14.6 MP2 to 15.1. We are also in the process of migrating our users to Skype for Business 2016 (formerly known as Lync) and Skype Meetings.

I've found that "Application Monitoring" in Symantec Data Loss Prevention 15.1 is by default configured to monitor Application File Access (AFAC) for the Skype for Business / Lync process (Lync.exe). However, whenever my users attempt to launch or join a Skype meeting, Skype for Business will enter a non-responsive state.

Examination of logs shows that the Lync.exe process is actually accessing a Windows Jump List (.automaticDestinations-ms file). The detection eventually times out if you wait the default 15 minutes.

11/21/2018 00:17:55 | 67720 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST    MESSAGESOURCE_FILE_SYSTEM_CONNECTOR  11/21/2018 06:17:55  [
Request Id #123
Detection Request Details :
    Session Command : Single Request
    Request Type : Data In Motion Request

Dim Detection Request Details :
    Process Id : 21852
    Process Path : C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
    Application Name : Microsoft Lync
    User : yourusername
    Domain : yourdomain
    Time Stamp : 11/21/2018 06:17:55
    Dim Event Type : Application file access

AFAC Detection Request Details :
 file: C:\Users\yourusername\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\78f0afb5bd4bb278.automaticDestinations-ms
]

11/21/2018 00:32:55 | 67720 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESPONSE    MESSAGESOURCE_DETECTION_SCHEDULER  11/21/2018 06:32:55  [
Request Id #123 FAILURE Detection timeout allow
Scan Time : 900146 ms]

I've been able to resolve the issue by creating a Channel Filter to exclude either the file path or the file type. Just sharing information and wondering if anyone else has run into similar issues? Skype in general doesn't seem to be stable with Application File Access (AFAC) monitoring turned on.
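
An added example, not part of the original post and not Symantec code: a small parser that pairs each detection request in an agent log with its response and lists the requests that ended in "Detection timeout", with the process and file involved. It assumes entries are laid out as in the excerpt above; the function names and the result fields are illustrative.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: the two entries from the post above, trimmed to the fields used here.
SAMPLE_LOG = r"""11/21/2018 00:17:55 | 67720 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST    MESSAGESOURCE_FILE_SYSTEM_CONNECTOR  11/21/2018 06:17:55  [
Request Id #123
    Process Path : C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
 file: C:\Users\yourusername\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\78f0afb5bd4bb278.automaticDestinations-ms
]
11/21/2018 00:32:55 | 67720 | INFO    | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_RESPONSE    MESSAGESOURCE_DETECTION_SCHEDULER  11/21/2018 06:32:55  [
Request Id #123 FAILURE Detection timeout allow
Scan Time : 900146 ms]
"""

# An entry starts on a line beginning with "MM/DD/YYYY HH:MM:SS |".
ENTRY_START = re.compile(r"(?m)^(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \|)")
KIND = re.compile(r"MESSAGETYPE_DETECTION_(REQUEST|RESPONSE)")
REQ_ID = re.compile(r"Request Id #(\d+)")
PROC = re.compile(r"Process Path : (.+)")
FILE = re.compile(r"(?m)^\s*file: (.+)$")
SCAN = re.compile(r"Scan Time : (\d+) ms")

def _field(pattern, text):
    m = pattern.search(text)
    return m.group(1).strip() if m else None

def find_timeouts(log_text):
    """Pair each detection request with its response; return the ones that timed out."""
    pending, hits = {}, []
    for chunk in ENTRY_START.split(log_text):
        kind, rid = _field(KIND, chunk), _field(REQ_ID, chunk)
        if kind == "REQUEST" and rid:
            pending[rid] = (_field(PROC, chunk), _field(FILE, chunk))
        elif kind == "RESPONSE" and rid:
            process, path = pending.pop(rid, (None, None))
            if "Detection timeout" in chunk:
                scan = _field(SCAN, chunk)
                hits.append({"request_id": rid, "process": process, "file": path,
                             "scan_ms": int(scan) if scan else None})
    return hits

def timeout_summary(hits):
    """Count timeouts per (process name, file extension)."""
    return Counter((ntpath.basename(h["process"] or "").lower(),
                    ntpath.splitext(h["file"] or "")[1].lower()) for h in hits)

if __name__ == "__main__":
    print(timeout_summary(find_timeouts(SAMPLE_LOG)))
```

The per-process, per-extension counts show which file types keep hitting the 15-minute timeout, which is the information needed to scope a Channel Filter exclusion narrowly.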


Vontu Incident Persistence service automatically stops. All services are running except one.

I need a solution

My console is not opening; as shown in my tab, it redirects to a 404 error page. All my Vontu services are running except one, Vontu Incident Persistence, and all services are in automatic mode. If I start the service, it starts, and after some time it stops automatically. What should I do? Please advise.


Symantec DLP console shows 404 error

I need a solution

Hi,

While accessing the DLP Enforce console I am getting a 404 error.

I tried to restart the Vontu services, but the issue still persists.

I am able to connect to the database with the SQLplus command.


How to block a specific pendrive in DLP

I need a solution

How do I create a policy so that only one device can copy files?


Block Chrome in DLP

I need a solution

Hi,

I want to know whether DLP can block a specific application.

Please advise.

Kind regards,

Mubashshir shaikh


Looking for a DLP Specialist in UK-Dublin/Manchester

I do not need a solution (just sharing information)

I am searching for a Symantec DLP Specialist Information Security Analyst for a fantastic opportunity with a Fortune 500 company in Dublin or Manchester. This is a full-time position. If you are interested, please contact me at: Koriskovich@novacoast.com


Enforce does not synchronize policy groups with the CDS (Cloud Detector)

I need a solution

Hi everyone!

My policies use group policy to differentiate the users that are monitored, but Enforce can't synchronize the directory connection with the Symantec Cloud Detector (CDS / Message Labs).

Has anyone seen this problem?


More information on Symantec DLP Code 1818

I need a solution

Where in the logs can I see which file caused the Code 1818?


Incidents are being detected at the Endpoint but not the Network

I need a solution

Hello.

I have a policy to detect social security numbers. The policy does detect incidents at the endpoint via the Outlook application, and they are successfully reported in the endpoint reports tab. The problem is that we also expect the social security incident to be detected and reported on the Network Detect (email detection) channel, and unfortunately it doesn't get detected on that (network) channel.

When I create a new policy which specifies the SMTP protocol to be detected, it does get detected and reported at the Network reports tab, so we know that network SMTP detection is working. 

Can someone verify: if one incident gets detected and reported at the endpoint, does that same incident also get detected and reported at Network Detect? Or do incidents only get detected on one detection channel, to keep the same incident from being detected multiple times (through different channels)?

Thanks!


LDAP Lookup Plugins

I need a solution

Hello All,

I'm having a problem configuring the LDAP Lookup Plugin.

I've tried several syntaxes and attributes still appear empty in incidents, for example:

attr.LDAP\ givenName = cn=users:(|(givenName=$endpoint-user-name$)(mail=$sender-email$)
(streetAddress=$discoverserver$)):givenName

Also, I'd like to know what the part "sAMAccountName" in the following refers to:

(|(sAMAccountName=$endpoint-user-name$)

I tried everything published in the online help, but I couldn't get it to work. I believe it may be a syntax error, but I'm open to your advice.


DLP 15.0 endpoint flexresponse syntax to get "device instance id"

I need a solution

Hi professionals,

We already created a Python script to run endpoint FlexResponse. Now we need to get the "device instance id" on the client computer, which is also shown on the Enforce console.

Device Instance ID

Device Instance Path (Device and Printer)

We already found the value in the corresponding Oracle column.

message > endpointdeviceinstanceid

Is there any way we can get this value through Python?

Now we get the following:

1. source file location

2. destination file location

3. policy name

I checked Symantec DLP 11.x Endpoint FlexResponse Plug-in Developers Guide and only device type and device ip (for networkItem only) could be retrieved. https://support.symantec.com/en_US/article.TECH219205.html

Question:

How can I get the Oracle value "message > endpointdeviceinstanceid" using Python scripts?

DLP 15.0 endpoint FlexResponse

Windows Server 2016

Oracle 12c

Thank you!

Regards,

Eileen


Time Mismatch between Enforce and Endpoint Server: SSL Issue CertificateNotYetValidException

I need a solution

Hi Team

This is the environment that I have:

New Deployment

DLP v 15.0 MP1

Agents: v15.0.0108

Linux Environment: RH 6.9

The test agents are not being shown on the Enforce, but we have noticed the following events:

Error code: 2711 Time mismatch between Enforce and Detection Server. This may affect certain functionalities in the system.

The Aggregator0.log from Endpoint Server is showing this:

...

1 TC - SSL handshake failed  

...

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)

...

Caused by: java.security.cert.CertificateNotYetValidException: NotBefore: Tue Dec 05 14:18:00 UTC 2018
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:270)

....

FYI: We were working at Dec 05 10:00am and the Enforce had a wrong time.

Question:

  1. Could you clarify whether this means that at some point a possible time mismatch happened between the Endpoint Server and Enforce before the installation packages were created, so the agent was reflecting an earlier time than the one used on the certificate, and finally the Endpoint Server rejected it for that reason (CertificateNotYetValidException)?

Thanks


How can I find invalid rows after uploading a file on IDM

I need a solution

Hello everyone,

I submitted to DLP, using the IDM, an Excel-format file with 70.000 rows.
But after the upload, I saw this in the event details on System > Server and Detectors > Events:

Message Code 2926
Resume: Created Exact Data Profile
20 invalid rows

How can I find those invalid rows in the file?


python script to update DLP incidents through API client

I need a solution

Hi,

I am using Python along with zeep to build an API client. I am able to fetch incident details but unable to update the state of the incident through the API.

I'm using the below syntax:

client.service.updateIncidents(updateBatch={'batchId':'testing1','incidentId':'34344','incidentAttributes':{'status':'New'}})

but I'm getting the following response.

[{
    'batchId': 'testind1',
    'InaccessibleIncidentId': [],
    'statusCode': 'VALIDATION_ERROR',
    'InaccessibleIncidentLongId': []
}]

But when I update severity with the same syntax as above, I am able to successfully update the severity.

Can someone help me update the incident status through the API in Python, please?


DLP for Printers

I do not need a solution (just sharing information)

Hi Guys,

We have installed Symantec DLP on our network, but we are wondering if it can monitor documents that have been sent to the printer.

If so, how can we configure it through the DLP portal?

Many thanks


How to access Data Loss Prevention Console from a PC in LAN

I need a solution

Hello,

We have installed the Symantec Data Loss Prevention Enforce server. Actually, I do an RDP session and I can log in locally to the web console.

How do I configure it so I can access it from my PC in the corporate network?

Thank you


Installing Detection Server on Enforce Server in 3 Tier mode

I need a solution

Hello,

I installed Oracle on the first server and the Enforce server on the second server, so it is okay for 3 tier. I want to separate roles for the detection server environment. For the third server I am planning to install email and network prevent (detection) servers but not endpoint detection. Is it possible to install the endpoint detection server on the Enforce server? The version is 15.1, and when I try to install, it says that you cannot install detection on the Enforce server. Thank you for your comments, regards.


Discover Server in DMZ?

I need a solution

Hello!

We are running 15.0 in a two tier environment with multiple Network Monitor servers as well as Endpoint and Network Discover servers.

We have a need to perform discover scans in our DMZ but due to current configurations and internal 'rules' we cannot scan the DMZ with our current 'internal' discover servers.

I assume there is a way to stand up a Discover server in our DMZ for scanning but report back into the internal console? I have been coming up short in my searching for clear information on how to set this up properly. Any information or links to guides are most welcome!

Thanks, 

Jennifer


Scheduling automated agent status report for DLP

I need a solution

Hi,

Our DLP setup mainly consists of two roles that we're currently using, System Admins who set everything up and do the backend management of the Enforce server, and Investigators who review incidents and mark them appropriately.

I've been asked if we can set up a weekly or daily report that shows all endpoint agents with a status of Critical or Warning, so our Investigators can check these machines and make sure they're still online and have a functioning DLP agent.

Only SysAdmins currently have access to the System tab, so only we can check the status of agents. Investigators don't have access to this, and the only way I can find to give them this is to grant the role the user privileges for Agent Management, however this also gives them the ability to delete agents, change their detection servers and agent group, plus shutdown/restart the agent. This is a bit more control than we'd like to give these users.

I've managed to create a shared report which does this, and I'd like to have this run weekly and email to a distribution list. However I can't seem to find any way to schedule this, the Schedule button is grayed out, so I can only Edit or Delete the report.

My only options at the moment seem to be to manually run the report and export it myself, or delegate Agent Management privileges. Does anyone know a way I can resolve this?

Cheers
