Hi All,
What will be the impact , when DLP Enfore Server is failed ? Will network prevent server to continue to block based on EDM and IDM Policies ?? What are other impact with respect to information security ?
Thanks in Advance
Hi dlp experts, I have a big problem, my servers (DLP servers(enforce,mail prevent,detection), suddenly after I rebooted physically all the vontu services failed to start, can anyone help me please? Thanks
Hello,
after upgrade to DLP 15.1 MP1 + hotfixes 15.1.0102 and 15.1.0105 I'm getting error while doing IDM profile indexing "Error: Indexing was unsuccessful. Check the log files for details." During document indexing, enforcer shows error event: "Code: 3000 Summary: Protect Error 1001: Unexpected indexing error occurred. Detail: Protect Error 1001: Unexpected indexing error occurred. Document profile wasn't created."
I did some tests in lab enviroment and found out, that problem with IDM indexing starts after applying the Hotfix_15.1.0102.
In the Tomcat log I see below errors:
Thread: 73 SEVERE [com.vontu.profiles.manager.document.DocumentRepository] Unknown error during document indexing Cause: java.lang.NoClassDefFoundError: com/vontu/messaging/chain/message/NativeFileInfo java.lang.NoClassDefFoundError: com/vontu/messaging/chain/message/NativeFileInfo at com.vontu.directorycrawler.DiscoverNativeFile.getFileInfo(DiscoverNativeFile.java:71) at com.vontu.directorycrawler.VontuFile.retrieveFileTimes(VontuFile.java:1783) at com.vontu.directorycrawler.VontuFile.lastModified(VontuFile.java:842) at com.vontu.profiles.manager.document.DocumentRepository.createRepository(DocumentRepository.java:114) at com.vontu.profiles.manager.document.DocumentRepository.<init>(DocumentRepository.java:66) at com.vontu.profiles.manager.document.DocumentRepositoryFactory.createDocumentRepository(DocumentRepositoryFactory.java:37) at com.vontu.profiles.manager.document.DocumentSourceIndexCreator.doIndex(DocumentSourceIndexCreator.java:374) at com.vontu.profiles.manager.document.DocumentSourceIndexCreator.indexInfoSourceOnManager(DocumentSourceIndexCreator.java:309) at com.vontu.profiles.manager.InfoSourceIndexCreator.indexListOfDataSources(InfoSourceIndexCreator.java:254) at com.vontu.profiles.manager.document.DocumentSourceIndexJob.index(DocumentSourceIndexJob.java:31) at com.vontu.profiles.manager.InfoSourceIndexJob.execute(InfoSourceIndexJob.java:75) at org.quartz.core.JobRunShell.run(JobRunShell.java:213) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557) 15 Jan 2019 13:00:00,943- Thread: 73 SEVERE [com.vontu.profiles.manager.document.DocumentSourceIndexCreator] Error during document indexing Cause: com.vontu.profiles.common.ProfilesException: com/vontu/messaging/chain/message/NativeFileInfo com.vontu.profiles.common.ProfilesException: com/vontu/messaging/chain/message/NativeFileInfo at com.vontu.profiles.manager.document.DocumentRepository.createRepository(DocumentRepository.java:177) at com.vontu.profiles.manager.document.DocumentRepository.<init>(DocumentRepository.java:66) at com.vontu.profiles.manager.document.DocumentRepositoryFactory.createDocumentRepository(DocumentRepositoryFactory.java:37) at com.vontu.profiles.manager.document.DocumentSourceIndexCreator.doIndex(DocumentSourceIndexCreator.java:374) at com.vontu.profiles.manager.document.DocumentSourceIndexCreator.indexInfoSourceOnManager(DocumentSourceIndexCreator.java:309) at com.vontu.profiles.manager.InfoSourceIndexCreator.indexListOfDataSources(InfoSourceIndexCreator.java:254) at com.vontu.profiles.manager.document.DocumentSourceIndexJob.index(DocumentSourceIndexJob.java:31) at com.vontu.profiles.manager.InfoSourceIndexJob.execute(InfoSourceIndexJob.java:75) at org.quartz.core.JobRunShell.run(JobRunShell.java:213) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
I looked through DLP docs and it seems only rule/action we can create for a policy is if it detects a violation. Is there a way to trigger an action if a scan is negative?
Requirement:
I have a filesystem that I want to scan. If scan is negative for a file (i.e. no malicious content found), then I want to move the file to a staging directory for further processing.
If, on the other hand, the scan is positive, leave ithe file where it is, and send email/open INC ticket etc.
I think the second part is doable, but is the first part doable?
Hello. I have installed DLP detection server on a Windows 2106 server and im trying to add it as a Web Prevent detection server on our DLP 15.1 environment. The server status is " ? Unknown". Do I have to restart a specific DLP service on our Enforce Sever to have the Enforce server see it as "Status Running"?
CAn you let me know exactly which service need restarting? I tried recycling the "DetectionServerController Status" on the Enforce server through Server Overview page, but it doesnt seem to change the status of the new Web Prevent server as "Running"
Thanks in advance.
Hello All,
I'm required to do a DLP Gap Analysis for one of the customers that has a DLP full suite. What steps should be followed and what eexactly should i do ?
Any resources to have as a reference ? any best bractice to follow ?
Also if i completed an implementation and i want to make sure that everything is configured correctly, Are there any checklists to use ?
Hi All,
Did you all tried installing Oracle_12.2.0.1.0 on Windows Server 2016? Upon clicking the setup.exe, the Oracle UI won't launch (the command prompt box just pop up awhile then disappeared). Have tried the below:
1) Disable Data Execution Prevention
2) Bypass AV Scanning on DLP folder
3) RunAs administrator (in fact already login as localadmin)
However, same files, same user, do not have any issue on Windows Server 2012 R2.
Thanks in advance.
Hi, I am curious about how the Email Prevent for Symantec DLP works.
Let's say if my Email Prevent sits between SMG and an Exchange server and I have a block response rule configured in my policy, who will be taking the action for blocking the email?
Will it be the Email Prevent server or the SMG that will do the actual blocking? In the case of the latter, what do Email Prevent do to tell SMG to block the email?
Thanks in advanced.
Once again no instructions...just run this and fail...
Trying to install the indexers.msi. Picked path to where it needs to go but next question is to "Select the directory of the JRE you wish to use." I picked a JRE and get a "Could not find the location of jvm.dll. Please ensure that the JRE directory path is correct.".
THE FILE IS THERE! DO I NEED A DIFFERENT VERSION OR IS THIS JUST A WASTED APPLICATION! Supposed to be stand alone.
This was easy in 14.5.
Dear,
Its possible to install a DLP agents in a Windows image from deploy?
I am required to prepare LLD and Network design documents for symentec DLP using only endpoint prevent and discover detection server for POC. DLP server must be in cloud and integration with third party SIEM tool ( BOTH in cloud) Can you help with input steps to follow to start POC.
I was able to run through the URT and everything seemed to work fine, but when running the actual EnforceServerMigrationUtility per the logs below I am geting a java error and erroring out around the ServerXmlMigrator and it appears to have problems with the server.xml file and the SpringSecurityContext file. I am using the java that comes with the installation and already have it installed and am pointing the installation to it. Any help would be greatly appreciated. The following logs are from the MigrationUtility.log
After the migrator fails:
Running migration action "VerifyURTZipIsExtracted"
Completed migration action "VerifyURTZipIsExtracted"
Running migration action "StopDLPServices"
Completed migration action "StopDLPServices"
Running migration action "DisableDLPServices"
Completed migration action "DisableDLPServices"
Running migration action "VerifyOracleVersion"
Completed migration action "VerifyOracleVersion"
Running migration action "CompileDbPackages"
Completed migration action "CompileDbPackages"
Running migration action "VerifyDBPermissions"
Completed migration action "VerifyDBPermissions"
Running migration action "CheckOracleCharacterSet"
Completed migration action "CheckOracleCharacterSet"
Running migration action "DatabaseProcessCheck"
Completed migration action "DatabaseProcessCheck"
Running migration action "UpgradeReadinessTool"
Completed migration action "UpgradeReadinessTool"
Running migration action "DatabaseUpdate"
Completed migration action "DatabaseUpdate"
Running migration action "CorrelationSettingMigrationAction"
Completed migration action "CorrelationSettingMigrationAction"
Running migration action "EnforceConfigurationMigrationAction"
Completed migration action "EnforceConfigurationMigrationAction"
Running migration action "SpringSecurity"
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00000000014257e0, pid=96005, tid=0x00007fbb8ba98780
#
# JRE version: Java(TM) SE Runtime Environment (8.0_181-b13) (build 1.8.0_181-b13)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.181-b13 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C 0x00000000014257e0
MigrationUtility.log
Jan 24, 2019 10:37:17 AM com.symantec.dlp.enforceservermigrationutility.actions.util.ServerXmlMigrator getSourceTomcatServerXMLValues
SEVERE: Unexpected error while reading from source installation tomcat server.xml.
java.lang.NullPointerException
at sun.nio.fs.UnixPath.normalizeAndCheck(UnixPath.java:77)
at sun.nio.fs.UnixPath.<init>(UnixPath.java:71)
at sun.nio.fs.UnixFileSystem.getPath(UnixFileSystem.java:281)
at java.nio.file.Paths.get(Paths.java:84)
at com.symantec.dlp.enforceservermigrationutility.actions.util.ServerXmlMigrator.getSourceTomcatServerXMLValues(ServerXmlMigrator.java:83)
at com.symantec.dlp.enforceservermigrationutility.actions.SpringSecurityMigrationAction.runAction(SpringSecurityMigrationAction.java:92)
at com.symantec.dlp.migrationcommon.MigrationActionsExecutor.runMigrationAction(MigrationActionsExecutor.java:47)
at com.symantec.dlp.migrationcommon.MigrationActionsExecutor.executeMigrationActions(MigrationActionsExecutor.java:100)
at com.symantec.dlp.migrationcommon.MigrationUtility.runMigrationUtility(MigrationUtility.java:117)
at com.symantec.dlp.migrationcommon.MigrationUtility.runMigrationUtility(MigrationUtility.java:70)
at com.symantec.dlp.enforceservermigrationutility.EnforceServerMigrationUtility.runMigration(EnforceServerMigrationUtility.java:17)
Jan 24, 2019 10:37:17 AM com.symantec.dlp.migrationcommon.MigrationActionsExecutor executeMigrationActions
SEVERE: Failed to execute migration actions. Please refer to the log file for details
com.symantec.dlp.migrationcommon.MigrationException: Failed to run migration action "SpringSecurity"
at com.symantec.dlp.migrationcommon.MigrationActionsExecutor.runMigrationAction(MigrationActionsExecutor.java:54)
at com.symantec.dlp.migrationcommon.MigrationActionsExecutor.executeMigrationActions(MigrationActionsExecutor.java:100)
at com.symantec.dlp.migrationcommon.MigrationUtility.runMigrationUtility(MigrationUtility.java:117)
at com.symantec.dlp.migrationcommon.MigrationUtility.runMigrationUtility(MigrationUtility.java:70)
at com.symantec.dlp.enforceservermigrationutility.EnforceServerMigrationUtility.runMigration(EnforceServerMigrationUtility.java:17)
Caused by: com.symantec.dlp.migrationcommon.MigrationException: java.lang.NullPointerException
at com.symantec.dlp.enforceservermigrationutility.actions.util.ServerXmlMigrator.getSourceTomcatServerXMLValues(ServerXmlMigrator.java:110)
at com.symantec.dlp.enforceservermigrationutility.actions.SpringSecurityMigrationAction.runAction(SpringSecurityMigrationAction.java:92)
at com.symantec.dlp.migrationcommon.MigrationActionsExecutor.runMigrationAction(MigrationActionsExecutor.java:47)
... 4 more
Caused by: java.lang.NullPointerException
at sun.nio.fs.UnixPath.normalizeAndCheck(UnixPath.java:77)
at sun.nio.fs.UnixPath.<init>(UnixPath.java:71)
at sun.nio.fs.UnixFileSystem.getPath(UnixFileSystem.java:281)
at java.nio.file.Paths.get(Paths.java:84)
at com.symantec.dlp.enforceservermigrationutility.actions.util.ServerXmlMigrator.getSourceTomcatServerXMLValues(ServerXmlMigrator.java:83)
... 6 more
As captioned, is there any way to monitor Bluetooth data transfer DLP
End user may need to enable the Bluetooth for Bluetooth headphone and mouse, my boss worried the data will be leakage from Bluetooth.
Could anyone help
Hello,
I am trying to find a way to delete incident older than X days.
I found that :
- Create incident report
- Configure flag incident for deletion (with incident report created)
- Schedule to delete incident flagged for deletion
But i can't create a report that search for incident older than X days.
I found a discussion on the forum about this but it was 1 year ago : https://www.symantec.com/connect/forums/automatic-deletion-dlp-incidents
Is it still the same ?
Best Regards,
Joris KIEFFER
We have a daily task to send reports to the users in excel format with proper order. We tried to automate the task, We have numerous custom attributes that are used and would like a way to be able to configure the export of the report to only include certain attributes and rearrange the order.
We tried to change the custom attributes order (System -> Incident Data > Attributes ->Custom Attributes) but didn't work and we tried to modify "Lookup Plugin script" as well but no luck.
Please leave your comments.
Thanks in Advance.
Hi All,
I am having problems with a policy I created at the Endpoint to detect Magnetic Stripe Data.
I have the correct Data Identifier selected, set the Breath to Medium, counting all unique matches and matching on Body and Attchments.
However I am not able to trigger and incidents.
I did some research, where someone pointed out the use of Regular expresion. But it was not too clear.
I need your help folks.
Any thoughts?
Thanks
i am trying to populate LOB-line of business information from AD. does anyone know Syntax of LOB?
such as if we want fist name in attributes
Hello. I'm new to DLP but so far i have done by my self the deploy of all the application.
I want to know if there is any response rule to activate when a user try to send a doc into USB and he/she trigger the PCI-DSS policy for example.
We as admin are notified and if we think that the word doc is ok to be copied to allow that ?
For example with Trend Micro we block mail trying to go out of the company based on some rules. If the think that is false positive we can allow that.
Thank You
Buenas,
Hemos detectado un problema de rendimiento en el proceso "edpa.exe" cuando se ejecuta Internet Explorer. Concretamente, el consumo de RAM se dispara hasta valores muy altos (próximos a 2GB) cuando se usa IE11 y se abren varias pestañas de Office 365. Además, aunque se mate el proceso de IE11, el proceso "edpa.exe" continúa con un consumo excesivo de memoria
Afecta tanto a Windows 10 como a Windows 7.
Hemos probado el siguiente artículo y no se ha solucionado el problema:
https://support.symantec.com/en_US/article.TECH236...
¿Alguna otra idea de cómo solucionarlo?
Muchas gracias.
Hi all,
We have used Symantec Data Loss Prevention 15.1 Version. We noticed that DLP endpoint service EDPA.exe took more than 1GB on Laptop and Desktop. We already excluded the all DLP related folders and services based on the URL https://support.symantec.com/en_US/article.TECH220.... After that also we faced the same issues. Application device control and Local drive also not enabled on the Agent configuration.
Please help us to resolve the issue.