
McAfee Data Loss Prevention 10.x Migration Guide, Revision A


COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Data Loss Prevention 10.x Migration Guide


Contents

1 Introduction
    Migration overview
        Migration workflow
        Differences between versions
        Unsupported features

2 Installation
    Migrating physical appliances
    Installing McAfee DLP Prevent appliances
        Plan your configuration
        Identify network ports
        Install the extensions
        Configure network information
        Set up the appliance
        Install the appliance
        Post-setup tasks

3 Configuring system components
    Register an LDAP server
        Create end-user definitions
    Users, groups, and permission sets
        Create a user
        Create a permission set
        Create a McAfee DLP permission set
    The Common Appliance Management policy
    Add an evidence server to store incidents

4 Classifying sensitive content
    Create a classification
    Create classification criteria
    Create document properties
    Upload registered documents
    From concepts to definitions
        Dictionary definitions
        Advanced pattern definitions
        Create a general classification definition

5 Protecting McAfee DLP Prevent with rules, rule sets, and policies
    McAfee DLP Prevent rule reactions and definitions
    Create a rule
    Create a rule set
    Create an email address list definition
    Create a network address range
    Create a URL list definition
    Create a network port range
    Create a policy
    Assign a policy to a McAfee DLP Prevent appliance
    Use case: Block outbound messages with confidential content unless they are sent to a specified domain
    Use case: Track intellectual property violations
    Use case: Application-based fingerprinting

6 Scanning data with McAfee DLP Discover 10.x
    Types of repository
    Types of scan
    Create scan definitions
    Create a classification scan
    Create rules for remediation scans
    Use case: Schedule a scan and filter the results
    Use case: Create a one-time scan that runs until it completes

7 Monitoring and reporting
    Incidents and cases
        Sort and filter incidents
        View incident details
        Update a single incident
        Update multiple incidents
        Create email notifications
        Create cases
        Assign a reviewer
        View case information
        Update cases
        Assign incidents to a case
        Use case: Find policy violations by user
        Use case: Find high-risk incidents
        Use case: Set properties to incidents
        Use case: Filter incidents by date, destination, and user
        Assign incident viewing permissions to users in an Active Directory
        Assign case management viewing permissions to a user
    Monitoring system health and status
        McAfee DLP dashboards
        Appliance Management dashboard
        McAfee DLP Prevent events

8 Maintenance and troubleshooting
    Managing with the McAfee DLP Prevent appliance console
    Accessing the appliance console
    Replace the default certificate
    Error messages
    Configuration backups

Index


1 Introduction

This migration guide provides information that helps you move from McAfee® Network Data Loss Prevention (McAfee Network DLP) 9.3.x to McAfee® Data Loss Prevention (McAfee DLP) 10.x.

It covers the following versions of McAfee DLP products:

• McAfee® Data Loss Prevention Prevent (McAfee DLP Prevent) 9.3.x to versions 10.0.100 and later

• McAfee® Data Loss Prevention Discover (McAfee DLP Discover) 9.3.x to version 10.0.0 and later

It also provides information to help you get started with your new version of McAfee DLP.

For more information, see the McAfee Data Loss Prevention Product Guide for version 10.0.200.

Migration overview

There is no automatic upgrade path to move from McAfee Network DLP 9.3.x to McAfee DLP 10.x and later. This guide helps you configure the newer versions of McAfee DLP with settings that behave in a similar way to your McAfee Network DLP 9.3.x setup.

Migration workflow

The workflow is: install the appliance, then recreate your configuration settings, rules, policies, and incident and case management settings using the tools in McAfee ePO.

Installation scenarios

From | To | See
Physical McAfee Network DLP 9.3.x | Physical McAfee DLP 10.x | McAfee DLP Hardware Migration Guide; McAfee DLP Hardware Guide
Physical McAfee Network DLP 9.3.x | Virtual McAfee DLP 10.x | McAfee DLP Hardware Migration Guide; McAfee DLP Product Guide
Virtual McAfee Network DLP 9.3.x | Virtual McAfee DLP 10.x | This guide

For a list of virtual platforms supported by McAfee DLP 10.x, see the release notes for your version.

Scenario: Using unified incident and case management or McAfee DLP Manager

Complete the steps in the migration workflow if:

• Your existing incidents and cases are already available in McAfee ePO.

• You use McAfee DLP Manager to manage incidents and cases.

Incidents and cases in McAfee DLP Manager cannot be migrated to the McAfee DLP 10.x tools.

McAfee Network DLP 9.3.x customers and McAfee DLP Endpoint 9.4 customers who chose to retain their McAfee DLP Manager box can keep it available until the incidents and cases are no longer needed.

Scenario: Using the Capture Search feature

McAfee DLP 10.x does not include capture functionality.


Differences between versions

Architecture

Because the product architecture for versions 9.3.x and 10.x is different, the configuration settings and data you had in McAfee DLP Manager cannot migrate directly to the McAfee DLP tools in McAfee ePO.

Incidents and cases in McAfee DLP Manager cannot be migrated to the McAfee DLP 10.x tools.

Product names

The 9.3.x version of the product was called McAfee Network Data Loss Prevention (McAfee Network DLP). With version 10.x, the Network part of the product name has been dropped to become McAfee Data Loss Prevention.

Product management

With version 10.x, products are now managed with McAfee ePO.

Configuration settings, rules, concepts, and policies that you used in McAfee DLP Manager must be recreated in McAfee ePO.

Keep McAfee DLP Manager available until the incidents and cases are no longer required.

Differences in terms

Most features have the same name in the new version, with a few exceptions.

Table 1-1 Terminology differences

McAfee Network DLP 9.3.x | McAfee DLP 10.x
Concept | Dictionary definition; Advanced pattern definition (regex)
Action rule | Reaction
Template | Classification; Definition
Policy | Rule set
Validator | Algorithm
Group | Permission set

Unsupported features

These features are not supported in McAfee DLP version 10.x.

• Capturing data

• Integrating registered documents with McAfee DLP Discover

• Creating definitions using the following settings:

    • Number of lines from the beginning

    • Percentage match

    • Proximity

    • Number of bytes from the beginning


2 Installation

To use McAfee DLP 10.x, you must perform a full installation.

For instructions on installing McAfee DLP Discover 10.x, see the McAfee Data Loss Prevention Product Guide.

Best practice: Before you begin to install the new version, make a full configuration backup of your current installation so you can return to it if necessary.

Contents

• Migrating physical appliances
• Installing McAfee DLP Prevent appliances

Migrating physical appliances

If you have a model 4400, 5500, or 6600 appliance, you can install McAfee DLP Prevent 10.x on it.

McAfee DLP Manager machines can be repurposed after you've installed McAfee DLP Prevent 10.x on your existing appliances. For more information, see the McAfee Network DLP 9.3.x to McAfee DLP 10.x Hardware Migration Guide available from the McAfee download site.

Model 1650 and 3650 appliances do not support McAfee DLP Prevent 10.x.

Installing McAfee DLP Prevent appliances

For more detailed installation instructions, see the McAfee Data Loss Prevention Product Guide for your version of the product.

Plan your configuration

Use the deployment information in the product guide to plan the integration of McAfee DLP products in your network.

Task

1 Familiarize yourself with the McAfee DLP deployment options.

2 Complete the deployment checklist.

Identify network ports

Identify the network ports on your appliance. Unlabeled ports are not used.

Figure 2-1 Model 4400 appliance port configuration (callouts)

1 Serial port
2 OOB port
3 LAN1 port
4 Remote access port (RMM)
5 Unused (Ethernet port 2)
6 Unused (Ethernet port 3)*

*If the appliance has a fiber NIC, the LAN1 port is Ethernet port 3 (callout 6).

Figure 2-2 Model 5500 appliance port configuration (callouts)

1 Unused (Ethernet port 3)
2 Unused (Ethernet port 2)*
3 OOB port
4 LAN1
5 Serial port
6 Remote access port (RMM)

*If the appliance has a fiber NIC, the LAN1 port is Ethernet port 2 (callout 2).

Figure 2-3 Model 6600 appliance port configuration (callouts)

1 LAN1
2 Unused
3 OOB port
4 Serial port
5 Remote access port (RMM)

Install the extensions

Prepare the McAfee ePO server for integration with McAfee DLP Prevent.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Software | Software Manager.

2 In the left pane, expand Software (by Label) and select Data Loss Prevention.

3 Select the entry for McAfee DLP Prevent.

These extensions are included:

• McAfee DLP

• Common UI

• Appliance Management Extension

• McAfee DLP Prevent

4 Click Check In.

5 Select the checkbox to accept the agreement, then click OK.

Configure network information

Configure the DNS server, NTP server, and Smart Host in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Policy | Policy Catalog.

2 From the Product drop-down list, select Common Appliance Management.

3 Select the My Default policy.

4 Add the DNS server and the NTP server, then click Save.

5 From the Product drop-down list, select DLP Prevent Server.

6 Select the My Default policy for Email Settings.

7 Enter the IP address of the Smart Host, then click Save.

Set up the appliance

Prepare the appliance for network integration.

By default, each appliance is configured with these IP addresses after installation:

• LAN1 — 10.1.1.108/24. Use the LAN1 network for SMTP or ICAP traffic. You can also use it for management traffic.

• OOB — 10.1.3.108/24. (Optional) Use the out-of-band (OOB) network for management traffic, including McAfee ePO communication.

If your network uses DHCP, the first IP address that the DHCP server assigns to the appliance is used instead. You can manually configure the IP address with the Setup Wizard. The appliance does not support using a continuous DHCP configuration.

The default gateway for the appliance uses the LAN1 network. Configure any routing required on the OOB interface using static routes.

Task

1 Install the appliance in a rack.

2 Connect a monitor, keyboard, and mouse to the appliance.

3 Connect the LAN1 interface of the appliance to your network.

4 (Optional) Connect the OOB interface to another network.

Install the appliance

Install the software and run the Setup Wizard.

Task

1 Prepare the appliance for installation.

• 6600 appliances — Turn on the appliance.

• 4400 and 5500 appliances

    1 Using the installation ISO file, create or set up the external imaging media. You can perform the initial installation using these methods:

    • USB drive

    Use image writing software, such as Launchpad Image Writer, to write the image to the USB drive. For more information, see KB87321.

• USB CD drive

• (4400 appliances only) Integrated CD drive

• Virtual CD drive using the remote management module (RMM)

2 Insert or connect the media to the appliance.

3 Turn on the appliance.

    4 Before the operating system starts, press F6 for the boot menu and select the external media.

R3c0n3x is the BIOS password for 4400 appliances.

2 Follow the onscreen prompts.

When the installation completes, the appliance restarts.


3 Complete the Setup Wizard using the information in the on-screen Help.

McAfee DLP Prevent is installed and registered to McAfee ePO.

If the installation fails, call McAfee technical support. Do not perform the installation again.

Post-setup tasks

1 Configure an evidence server to store the files that triggered rule violations.

2 Configure one or more syslog servers if required.

3 Verify connectivity and mail flow between the mail transfer agent (MTA) server and McAfee DLP Prevent.

4 Verify that the X-RCIS-Action: Allow header is added to received email.

5 Verify connectivity between the web proxy server and McAfee DLP Prevent.

6 Create classifications and rules to detect potential violations within your network.
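Step 4 above is easy to check by hand for one message, but after a migration you want to sweep a sample of mail that reached the MTA and find any message that did not pass through the appliance. The script below is an added example, not part of this guide or of the McAfee product: it parses raw RFC 5322 messages with Python's standard email parser and reports, per message, whether X-RCIS-Action: Allow is present. The three sample messages are constructed for the illustration, and the expectation that an inspected message carries exactly one such header is an assumption of the check, not a statement from the guide.

```python
from email import message_from_string
from email.policy import default

HEADER = "X-RCIS-Action"  # header the guide says McAfee DLP Prevent adds to received mail


def check_rcis_header(raw_message: str) -> dict:
    """Parse one raw message and report whether it was stamped by the appliance.

    verdict values:
      'allowed'    exactly one X-RCIS-Action header with the value Allow
      'missing'    no header at all: the message reached the MTA without
                   passing through McAfee DLP Prevent (or the MTA strips it)
      'unexpected' header present but not a single Allow (assumption: a
                   duplicate stamp or a different value deserves a look)
    """
    msg = message_from_string(raw_message, policy=default)
    # get_all matches header names case-insensitively and returns every instance.
    values = [str(v).strip() for v in msg.get_all(HEADER, [])]
    if not values:
        verdict = "missing"
    elif len(values) == 1 and values[0].lower() == "allow":
        verdict = "allowed"
    else:
        verdict = "unexpected"
    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "values": values,
        "verdict": verdict,
    }


def audit_mailbox(raw_messages) -> dict:
    """Group a batch of raw messages by verdict; the 'missing' list is the one
    that matters, because those messages bypassed DLP inspection."""
    report = {"allowed": [], "missing": [], "unexpected": []}
    for raw in raw_messages:
        result = check_rcis_header(raw)
        report[result["verdict"]].append(result["message_id"])
    return report


# Constructed sample messages (not real traffic).
SAMPLE_INSPECTED = (
    "Received: from dlp-prevent.example.net by mta.example.net\n"
    "From: alice@example.net\n"
    "To: bob@partner.example\n"
    "Subject: Q3 numbers\n"
    "Message-ID: <1001@example.net>\n"
    "X-RCIS-Action: Allow\n"
    "\n"
    "Body text.\n"
)
SAMPLE_BYPASSED = (
    "From: alice@example.net\n"
    "To: bob@partner.example\n"
    "Subject: Q3 numbers (resent)\n"
    "Message-ID: <1002@example.net>\n"
    "\n"
    "Body text.\n"
)
SAMPLE_DOUBLE_STAMP = (
    "From: alice@example.net\n"
    "To: bob@partner.example\n"
    "Subject: Looped?\n"
    "Message-ID: <1003@example.net>\n"
    "X-RCIS-Action: Allow\n"
    "x-rcis-action: Allow\n"
    "\n"
    "Body text.\n"
)
SAMPLE_MESSAGES = [SAMPLE_INSPECTED, SAMPLE_BYPASSED, SAMPLE_DOUBLE_STAMP]

if __name__ == "__main__":
    for verdict, ids in audit_mailbox(SAMPLE_MESSAGES).items():
        print(f"{verdict:>10}: {ids}")
```

In practice you would feed it messages exported from the MTA's queue or a test mailbox; any entry under "missing" means the MTA accepted mail on a path that does not route through McAfee DLP Prevent.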


3 Configuring system components

Register LDAP servers, define user permissions and groups, and specify evidence servers in McAfee ePO. Manage appliances with a new feature in McAfee ePO called Appliance Management, where you specify policies and view system health status for all McAfee DLP Prevent appliances.

Contents

• Register an LDAP server
• Users, groups, and permission sets
• The Common Appliance Management policy
• Add an evidence server to store incidents

Register an LDAP server

You must have a registered LDAP server to use Policy Assignment rules, to enable dynamically-assigned permission sets, and to enable Active Directory User Login.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Configuration | Registered Servers, then click New Server.

2 Select LDAP Server from the Server type menu, then specify a unique name and optional description andclick Next.

3 Select an OpenLDAP or Active Directory server from the LDAP server type list.

4 Specify a domain name or a specific server name.

Use DNS-style domain names (such as internaldomain.com), or fully-qualified domain names or IP addresses for servers (such as server1.internaldomain.com or 192.168.75.101). OpenLDAP servers can only use server names. They cannot be specified by domain.

5 Specify whether to use the Global Catalog (not available for OpenLDAP servers).

Select it only if the registered domain is the parent of only local domains, to avoid potential network traffic, which can impact performance.

6 If you don't use the Global Catalog, select whether to chase referrals.

Chasing referrals can generate non-local network traffic.

7 Choose whether to use SSL to communicate with this server.

Best practice: Use SSL so that directory traffic, including the bind credentials you enter in step 9, is encrypted in transit.

8 If you are configuring an OpenLDAP server, enter the port.


9 Enter a user name and password for an admin account on the server.

• Active Directory servers — Use the format domain\username

• OpenLDAP servers — Use the format cn=User,dc=realm,dc=com

10 Enter a Site name for the server, and click Test Connection to verify the connection, then click Save to complete the registration.


Create end-user definitions

McAfee DLP accesses Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers to create end-user definitions.

End-user groups are used for administrator assignments and permissions, and in protection and device rules. They can consist of users, user groups, or organizational units (OU), allowing the administrator to choose an appropriate model. Enterprises organized on an OU model can continue using that model, while others can use groups or individual users where needed.

LDAP objects can be identified by name or security ID (SID). SIDs are more secure, and permissions can be maintained even if accounts are renamed. On the other hand, they are stored in hexadecimal, and have to be decoded to convert them to a readable format.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager.

2 Click the Definitions tab.

3 Select Source/Destination | End-User Group, then Actions | New.

4 In the New End-User Group page, enter a unique name and optional description.

5 Select the method of identifying objects (SID or name).

6 Click one of the Add buttons (Add Users, Add Groups, Add OU).

The selection window displays the selected type of information.

The display might take a few seconds if the list is long. If no information appears, select Container and children from the Preset drop-down list.

7 Select names and click OK to add them to the definition.

Repeat the operation as needed to add users, groups, or organizational units.

8 Click Save.
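The note above says SIDs are stored in hexadecimal and must be decoded before they are readable. The following is an added example, not code from this guide or from McAfee, that converts between the binary SID layout and the familiar S-1-5-... text form, so you can confirm which account a hex SID in a definition actually refers to. It assumes the hex string is the raw binary SID as Windows stores it (revision byte, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities); the sample SIDs are constructed.

```python
import struct


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID into S-<revision>-<authority>-<sub>... form.

    Assumed layout (standard Windows binary SID):
      byte 0      revision, always 1
      byte 1      number of sub-authorities, 0..15
      bytes 2-7   48-bit identifier authority, big-endian
      bytes 8..   one 32-bit little-endian word per sub-authority
    """
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_from_hex(hex_sid: str) -> str:
    """Decode a SID given as a hex string; a 0x prefix and spaces are tolerated."""
    cleaned = hex_sid.strip().lower().removeprefix("0x").replace(" ", "")
    return sid_from_bytes(bytes.fromhex(cleaned))


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string back into the binary layout, with range checks."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15
            or any(not 0 <= s < 2**32 for s in subs)):
        raise ValueError(f"SID fields out of range: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_to_hex(sid: str) -> str:
    return sid_to_bytes(sid).hex()


def is_domain_account(sid: str) -> bool:
    """True for S-1-5-21-<domain triple>-<RID>, i.e. a user or group created in an
    AD domain, as opposed to built-in (S-1-5-32-...) or other well-known SIDs."""
    parts = sid.split("-")
    return len(parts) == 8 and parts[1:4] == ["1", "5", "21"]


# Constructed samples: the BUILTIN\Administrators SID and a made-up domain user.
SAMPLE_HEX_SIDS = {
    "builtin_admins": "01020000000000052000000020020000",
    "domain_user": "0105000000000005" "15000000" "e8030000" "d0070000" "b80b0000" "51040000",
}

if __name__ == "__main__":
    for label, hex_sid in SAMPLE_HEX_SIDS.items():
        text = sid_from_hex(hex_sid)
        print(f"{label}: {hex_sid} -> {text} (domain account: {is_domain_account(text)})")
```

Because a renamed account keeps its SID, comparing decoded SIDs rather than names is also the reliable way to reconcile an end-user group with the directory after an account rename.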


Users, groups, and permission sets

Creating users and groups is managed in McAfee DLP 10.x in the McAfee ePO Users and Permission Sets sections. You can also create LDAP user groups in the McAfee ePO DLP Policy Manager.

Permission sets in McAfee ePO are referred to as groups in DLP Manager.

Best practice: Create specific McAfee DLP permission sets, users, and groups. Create different roles by assigning different administrator and reviewer permissions for the different McAfee DLP modules in McAfee ePO.

For more information about users and permission sets in McAfee DLP 10.x, see the McAfee Data Loss Prevention Product Guide.

Administrator rights in McAfee ePO

When you install McAfee ePO, an administrator account is created automatically. Administrators have read and write permissions and rights to all operations. By default, the user name for this account is admin. If the default value is changed during installation, this account is named accordingly.

You can create additional administrator accounts for people who require administrator rights. To do so, follow the instructions in Create a user.

Administrator rights include:

• Creating, editing, and deleting source and fallback sites

• Changing server settings

• Adding and deleting user accounts

• Adding, deleting, and assigning permission sets

• Importing events into the McAfee ePO databases and limiting the number of events stored

Create a user

Users in McAfee DLP 10.x are known as local users in McAfee Network DLP 9.3.x.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | User Management | Users.

2 Click New User and type a user name.

3 Select whether to enable or disable the logon status of this account.

Best practice: Disable this account if it is for someone who is not yet a part of the organization.

4 Select an authentication method for this account, and provide the required credentials.

• Windows authentication

• Certificate-Based Authentication

5 (Optional) Provide the user's full name, email address, phone number, and a description in the Notes text box.

6 Choose to make the user an administrator, or select the appropriate permission sets.

7 Click Save to return to the Users tab.


The new user appears in the Users list on the User Management page.

Create a permission set

A permission set in McAfee DLP is equivalent to a local group in McAfee Network DLP 9.3.x.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | User Management | Permission Sets.

2 Select a predefined permission set or click New to create one.

3 Type a name, select the users you want to add, then click Save.

4 Click Save.

Create a McAfee DLP permission set

Permission sets define different administrative and reviewer roles in McAfee DLP software.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | User Management | Permission Sets.

2 Select a predefined permission set or click New to create a permission set.

a Type a name for the set and select users.

b Click Save.

3 Select a permission set, then click Edit in the Data Loss Prevention section.

a In the left pane, select a data protection module.

Incident Management, Operational Events, and Case Management can be selected separately. Other options automatically create predefined groups.

b Edit the options and override permissions as needed.

Policy Catalog has no options to edit. If you are assigning Policy Catalog to a permission set, you can edit the sub-modules in the Policy Catalog group.

c Click Save.

The Common Appliance Management policy

The Common Appliance Management policy category is installed as part of the Appliance Management extension. It applies common settings to new or re-imaged appliances:

• Date and time, and time zone information
• Lists of DNS servers
• Static routing information
• Secure Shell (SSH) remote logon settings
• Remote logging settings
• SNMP alerts and monitoring

Information about these options is available in the Appliance Management Help.


Add an evidence server to store incidents

Some incidents have evidence items associated with them. You can store the evidence on an evidence server.

Before you begin

The evidence server must be a CIFS share with read/write permissions. Because evidence files are copies of the content that triggered a rule, restrict access to the share to the account McAfee DLP uses and to the reviewers who need it.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | DLP Settings | General.

2 Enter the path to the evidence server in Default Evidence Storage to save the settings and activate the software.

The evidence storage path must be a network path, that is \\[server]\[share].

3 Provide the user name and password to access the server, and click Save.


4 Classifying sensitive content

With McAfee DLP 10.x, content is defined using classifications. Classifications used for McAfee DLP Prevent can contain combinations of definitions, document properties, and registered documents.

For McAfee DLP 10.x, content classification is configured in two places in McAfee ePO.

• Menu | Classification | Definitions | Dictionary — create definitions based on keywords.

• Menu | Classification | Definitions | Advanced Pattern — create definitions based on regex.

You can associate the pre-defined definitions as they are to create rules, or create duplicates of the pre-defined rules that you can customize.

Contents

Create a classification
Create classification criteria
Create document properties
Upload registered documents
From concepts to definitions

Create a classification

Data protection and discovery rules require classification definitions in their configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Click New Classification.

3 Enter a name and optional description.

4 Click OK.

5 Add end user groups to manual classification, or registered documents to the classification, by clicking Edit for the respective component.

6 Add content classification criteria or content fingerprinting criteria with the Actions control.


Create classification criteria

Apply classification criteria to files based on file content and properties.

You build content classification criteria from data and file definitions. If a required definition does not exist, you can create it as you define the criteria.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Select the classification to add the criteria to, then select Actions | New Content Classification Criteria.

3 Enter the name.

4 Select properties and configure the comparison and value entries.

• To remove a property, click <.

• For some properties, click ... to select an existing property or to create one.

• To add additional values to a property, click +.

• To remove values, click –.

5 Click Save.

Create document properties

Create a classification based on document properties.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Click New Classification, type a unique name and an optional description.

3 Click Actions, then select New Content Classification Criteria or click the Edit link to change an existing classification criteria.

4 Click Document Properties, then click … and select New item.

5 Select the property you want, then click Save.

Upload registered documents

Select and classify documents to distribute to the endpoint computers.

McAfee DLP Discover does not support registered documents.


Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Click the Register Documents tab.

3 Click File Upload.

4 Browse to the file, select whether or not to overwrite a file if the file name exists, and select a classification.

File Upload processes a single file. To upload multiple documents, create a .zip file.

5 Click OK.

The file is uploaded and processed, and statistics are displayed on the page.

When you have completed the file list, click Create Package. A signature package of all registered documents and all whitelisted documents is loaded to the McAfee ePO database for distribution to the endpoint computers.

You can create a package of just registered or whitelisted documents by leaving one list blank. When files are deleted, remove them from the list and create a new package to apply the changes.

From concepts to definitions

McAfee Network DLP 9.3.x uses concepts based on McAfee expressions to create classification criteria. A concept can contain keywords or regular expressions (regex). In McAfee DLP 10.x, concepts become definitions. McAfee DLP 10.x uses Google RE2 syntax expressions to build definitions.

McAfee Network DLP 9.3.x contained some predefined concepts (such as a selection of credit card numbers, HIPAA, and gambling) that match definitions available in McAfee DLP 10.x. For those that do not match, you must create them by hand.

To achieve similar functionality with McAfee DLP 10.x and later, create separate definitions for Dictionary definitions (keywords) and Advanced Pattern definitions (regular expressions).

Table 4-1 Regular expressions

Expression   DLP 9.3.x                                    DLP 10.x
\s           any character [\ \f \n \r \t < > ;]          whitespace character
\w           any alphanumeric character plus underscore   any alphanumeric character plus underscore
.            any character
\D           any non-digit
\c           any alpha [A–Z] or [a–z]
\i           case sensitivity off
$            end of a string
^            start of a string


For more information about Google RE2, see https://support.google.com/a/answer/1371417?hl=en.

Best practice: Before you start to create definitions in McAfee DLP 10.x, review your existing concept settings to ensure they are still relevant to your needs, and that they provide the results you expect.
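The table above lists escapes whose meaning differs between McAfee Network DLP 9.3.x and the RE2 syntax used by McAfee DLP 10.x. The following is an added example, not McAfee code or a McAfee conversion tool: a small translator that rewrites the 9.3.x-specific escapes (\s, \c, \i) into RE2-compatible constructs so a migrated concept keeps matching what it matched before. The replacement forms are an assumption derived from the table's descriptions; the sample legacy expression is constructed, and Python's re module stands in for the RE2 engine because the constructs produced ((?i), bracket classes, \d, \w, {n}) mean the same in both.

```python
import re

# Added example: translate the McAfee Network DLP 9.3.x escapes from Table 4-1
# into RE2-compatible syntax. The replacement forms are an assumption derived
# from the table's descriptions, not an official McAfee conversion.
LEGACY_ESCAPES = {
    r"\s": r"[ \f\n\r\t<>;]",  # 9.3.x \s: one of space, \f, \n, \r, \t, <, >, ;
    r"\c": r"[A-Za-z]",        # 9.3.x \c: any alpha [A-Z] or [a-z]
}


def convert_legacy_pattern(pattern: str) -> str:
    r"""Rewrite a 9.3.x expression into RE2-compatible syntax.

    \i (case sensitivity off) has no RE2 escape, so it becomes a leading (?i)
    flag. Escapes that mean the same in both products (\w, \D, ., $, ^) and
    escaped literals such as \\ or \. pass through unchanged.
    """
    case_insensitive = False
    out = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            esc = pattern[i:i + 2]
            if esc == r"\i":
                case_insensitive = True
            else:
                out.append(LEGACY_ESCAPES.get(esc, esc))
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    converted = "".join(out)
    return "(?i)" + converted if case_insensitive else converted


def matches(pattern: str, text: str) -> bool:
    r"""Test a converted pattern. Python's re shares the constructs produced
    here ((?i), bracket classes, \d, \w, {n}) with RE2, so it stands in for
    the RE2 engine; Python-only syntax must not be relied on."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    legacy = r"\iconfidential\s"      # constructed 9.3.x concept expression
    converted = convert_legacy_pattern(legacy)
    print(legacy, "->", converted)
    # Under 9.3.x, \s also matched < > ; so "CONFIDENTIAL;" was a hit. RE2's \s
    # is whitespace only, which is why the converted class keeps those characters.
    print(matches(converted, "CONFIDENTIAL;"),
          matches(r"confidential\s", "confidential;"))
```

Run the converter over each exported concept before pasting it into an Advanced Pattern definition, then verify the result against a sample document that used to match; an unconverted \s silently stops matching the < > ; delimiters it matched in 9.3.x.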

Dictionary definitions

A dictionary is a collection of keywords or key phrases where each entry is assigned a score.

Content classification and content fingerprinting criteria use specified dictionaries to classify a document if a defined threshold (total score) is exceeded — that is, if enough words from the dictionary appear in the document. The assigned scores can be negative or positive, which allows you to look for words or phrases in the presence of other words or phrases.

The difference between a dictionary and a string in a keyword definition is the assigned score.

• A keyword classification always tags the document if the phrase is present.

• A dictionary classification gives you more flexibility because you can set a threshold when you apply the definition, which makes the classification relative. The threshold can be up to 1000. You can also choose how matches are counted: Count multiple occurrences increases the count with each match, Count each match string only one time counts how many dictionary entries match the document.

McAfee DLP software includes several built-in dictionaries with terms commonly used in health, banking, finance, and other industries. In addition, you can create your own dictionaries. Dictionaries can be created (and edited) manually or by copying and pasting from other documents.

Limitations

There are some limitations to using dictionaries. Dictionaries are saved in Unicode (UTF-8) and can be written in any language. The following descriptions apply to dictionaries written in English. The descriptions generally apply to other languages, but there might be unforeseen problems in certain languages.

Dictionary matching has these characteristics:

• It is only case sensitive when you create case-sensitive dictionary entries. Built-in dictionaries, created before this feature was available, are not case-sensitive.

• It can optionally match substrings or whole phrases.

• It matches phrases including spaces.

If substring matching is specified, use caution when entering short words because of the potential for false positives. For example, a dictionary entry of "cat" would flag "cataracts" and "duplicate." To prevent these false positives, use the whole phrase matching option, or use statistically improbable phrases (SIPs) to give the best results. Similar entries are another source of false positives. For example, in some HIPAA disease lists, both "celiac" and "celiac disease" appear as separate entries. If the second term appears in a document and substring matching is specified, it produces two hits (one for each entry) and skews the total score.
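The scoring behaviour described in this section (per-entry scores, negative scores, a threshold, substring versus whole-phrase matching, and the two counting modes) can be reproduced in a few lines. The following is an added example written for this page, not McAfee's implementation: a minimal dictionary scorer run over a constructed HIPAA-style dictionary and two constructed documents, so you can see how the "cat"/"cataracts" and "celiac"/"celiac disease" cases skew the total. The rule that a document is classified once its total score reaches the threshold is an assumption made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DictionaryEntry:
    phrase: str
    score: int = 1               # imported entries get a default score of 1
    case_sensitive: bool = False


def count_entry(entry: DictionaryEntry, text: str, substring: bool) -> int:
    """Number of times one dictionary entry occurs in the document text."""
    flags = 0 if entry.case_sensitive else re.IGNORECASE
    pattern = re.escape(entry.phrase)            # phrases may contain spaces
    if not substring:
        # whole-phrase matching: no word character directly before or after
        pattern = r"(?<!\w)" + pattern + r"(?!\w)"
    return len(re.findall(pattern, text, flags))


def score_document(dictionary, text, substring=False, count_multiple=True) -> int:
    """Total dictionary score for a document.

    count_multiple=True  -> Count multiple occurrences: every match adds the score
    count_multiple=False -> Count each match string only one time: an entry
                            contributes its score once, however often it appears
    """
    total = 0
    for entry in dictionary:
        hits = count_entry(entry, text, substring)
        if hits:
            total += entry.score * (hits if count_multiple else 1)
    return total


def classify(dictionary, text, threshold, substring=False, count_multiple=True) -> bool:
    # Assumption for this example: the classification applies once the total
    # score reaches the threshold configured on the criteria.
    return score_document(dictionary, text, substring, count_multiple) >= threshold


# Constructed dictionary and sample documents (not a McAfee built-in dictionary).
HIPAA_LIKE = [
    DictionaryEntry("cat"),
    DictionaryEntry("celiac"),
    DictionaryEntry("celiac disease"),
    DictionaryEntry("veterinary", score=-3),   # negative score: suppress animal-clinic context
]
DOC_PATIENT = "Patient with celiac disease; cataracts noted. Duplicate record."
DOC_CLINIC = "Veterinary cat clinic invoice"

if __name__ == "__main__":
    print("substring   :", score_document(HIPAA_LIKE, DOC_PATIENT, substring=True))
    print("whole phrase:", score_document(HIPAA_LIKE, DOC_PATIENT))
    print("once only   :", score_document(HIPAA_LIKE, DOC_PATIENT, substring=True,
                                          count_multiple=False))
    print("clinic      :", score_document(HIPAA_LIKE, DOC_CLINIC, substring=True))
```

With substring matching the patient record scores 4 (two false hits on "cat", plus both celiac entries), with whole-phrase matching it scores 2, and the clinic invoice goes negative because "veterinary" outweighs the "cat" hit. Tune thresholds against documents like these before the dictionary goes into a blocking rule.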

Create or import a dictionary definition

A dictionary is a collection of keywords or key phrases where each entry is assigned a score. Scores allow for more granular rule definitions.

You can create a dictionary definition by importing a dictionary file in CSV format. You can also import items with a script containing REST API calls. The administrator running the script must be a valid McAfee ePO user who has permissions in McAfee ePO Permission Sets to perform the actions that are invoked by the APIs.


Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Click the Definitions tab.

3 In the left pane, select Dictionary.

4 Select Actions | New.

5 Enter a name and optional description.

6 Add entries to the dictionary.

To import entries:

a Click Import Entries.

b Enter words or phrases, or cut and paste from another document.

The text window is limited to 20,000 lines of 50 characters per line.

c Click OK.

All entries are assigned a default score of 1.

d If needed, update the default score of 1 by clicking Edit for the entry.

e Select the Start With, End With, and Case Sensitive columns as needed.

Start With and End With provide substring matching.

To manually create entries:

a Enter the phrase and score.

b Select the Start With, End With, and Case Sensitive columns as needed.

c Click Add.

7 Click Save.

Create a keyword-based dictionary definition

Create a dictionary definition based on keywords.

Task

1 In McAfee ePO, go to Classification | Definitions | Dictionary and click Action | New.

2 Give the dictionary a name and an optional description, then click Action | Add.

3 In Phrase, type the word security, then set the Score as 1 and select Case Sensitive to only match on the keyword when it is lowercase.

4 Click Add, then click Save.

5 Select Classification | New Classification. Give the classification a name, add an optional description and click OK.

6 Select the newly-created classification and click Action | New Content Classification Criteria.

7 Select the dictionary and use the comparison (OR/AND/NOT).


8 Click (…), select the dictionary you recently created, give it a threshold of 10 and click OK.

9 Assign the classification to a rule to trigger the classification.

Advanced pattern definitions

Advanced patterns use regular expressions (regex) that allow complex pattern matching, such as in social security numbers or credit card numbers. Definitions use the Google RE2 regular expression syntax.

Advanced pattern definitions include a score (required), as with dictionary definitions. They can also include an optional validator — an algorithm used to test regular expressions. Use of the proper validator can significantly reduce false positives. The definition can include an optional Ignored Expressions section to further reduce false positives. The ignored expressions can be regex expressions or keywords. You can import multiple keywords to speed up creating the expressions.

When defining an advanced pattern, you can choose how matches are counted: Count multiple occurrences increases the count with each match, Count each match string only one time counts how many defined patterns give an exact match in the document.

Advanced patterns indicate sensitive text. Sensitive text patterns are redacted in hit highlighted evidence.

If both a matched pattern and an ignored pattern are specified, the ignored pattern has priority. This allows you to specify a general rule and add exceptions to it without rewriting the general rule.

Create a definition based on an advanced pattern

Advanced patterns are used to define classifications. An advanced pattern definition can consist of a single expression or a combination of expressions and false positive definitions.

Advanced patterns are defined using regular expressions (regex).

There is no equivalent to the Percentage match, Proximity, and Number of bytes from the beginning options in McAfee DLP 10.x.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Select the Definitions tab, then select Advanced pattern in the left pane.

To view only the user-defined advanced patterns, deselect the Include Built-in items checkbox. User-defined patterns are the only patterns that can be edited.

The available patterns appear in the right pane.

3 Select Actions | New.

4 Enter a name and optional description.

5 Under Matched Expressions:

a Enter an expression in the text box and add an optional description.

b Select a validator from the drop-down list or, if validation is not appropriate for the expression, select No Validation.

A validator is the same as algorithm in McAfee DLP 9.3.x. Use it to minimize false positives.


c Enter a number in the Score field to indicate the weight of the expression in threshold matching.

d Click Add.

6 Under Ignored Expressions:

a Enter an expression in the text box.

If you have text patterns stored in an external document, copy them into the definition with Import Entries.

b In the Type field, select RegEx from the drop-down list if the string is a regular expression, or Keyword if it is text.

Keyword expressions can also be added using Import Keywords, entering keywords separated by a new line.

c Click Add.

7 Add the count to the concept:

a Give all the expressions a score of 1.

b When you assign the dictionary to the classification, give the threshold the same value that the count setting had in McAfee DLP 9.3.x.

c Select count multiple occurrence of each match string if the score must be added for multiple occurrences of a single expression in a document.

d Select count each match string only one time if the score should not be added and should be one even when multiple occurrences of a single expression are present in a document.

e Select start with and end with to see if the document starts or ends with the expression, or select both options to find the expression anywhere in the document.

f To match on the number of lines from the beginning of the document, you can create a new regular expression using conditions such as less than, equals, or greater than.

8 Click Save.

Create a regex-based definition

Block a document that has a credit card number in the format xxxx-xxxx-xxxx-xxxx where x is any digit (0–9) that occurs more than 10 times.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, go to Classification | Definitions | Advanced pattern and click Actions | New.

2 Type a name for the advanced pattern and add an optional description.

3 Enter the phrase as \d{4}(-|\s)\d{4}(-|\s)\d{4}(-|\s)\d{4}\D, select Luhn10 as the validator, and give it a score of 1.

4 Specify any credit card numbers that you want to ignore.

5 Click Add, then click Save.

6 Select Classification | New Classification, type a name for the classification and add an optional description, then click OK.

7 Select the classification and select Action | New Content Classification Criteria, then click Advanced pattern and select the comparison (OR/AND/NOT).


8 Click (…), select the pattern you recently created and give it a threshold of 10, then click OK.

9 Assign the classification to a rule.
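The advanced pattern sections above describe four pieces that work together: the matched expression, a validator such as Luhn10, Ignored Expressions (which take priority), and the counting mode compared against a threshold. The block below is an added example written for this page, not McAfee's engine, that wires those pieces together around the exact expression from step 3, \d{4}(-|\s)\d{4}(-|\s)\d{4}(-|\s)\d{4}\D. The Luhn mod-10 routine is the standard algorithm the Luhn10 validator is named after; the sample text and the two well-known Luhn-valid test numbers in it are constructed, and the "score reaches threshold" comparison is an assumption made for the example.

```python
import re

# The matched expression from the regex-based definition task on this page:
# four groups of four digits separated by - or whitespace, then a non-digit.
CREDIT_CARD_PATTERN = r"\d{4}(-|\s)\d{4}(-|\s)\d{4}(-|\s)\d{4}\D"


def luhn10(digits: str) -> bool:
    """Luhn mod-10 check, the algorithm behind the Luhn10 validator."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_ignored(candidate: str, ignored) -> bool:
    """Ignored Expressions as (type, value) pairs; type is "RegEx" or "Keyword"."""
    for kind, value in ignored:
        pattern = re.escape(value) if kind == "Keyword" else value
        if re.search(pattern, candidate):
            return True
    return False


def find_matches(text, pattern=CREDIT_CARD_PATTERN, validator=luhn10, ignored=()):
    """Return matched strings that pass the validator and are not ignored."""
    hits = []
    for m in re.finditer(pattern, text):
        candidate = m.group(0)[:-1]            # drop the trailing non-digit terminator
        digits = re.sub(r"\D", "", candidate)
        if validator is not None and not validator(digits):
            continue                            # fails Luhn10: discard as a false positive
        if is_ignored(candidate, ignored):
            continue                            # an ignored pattern has priority
        hits.append(candidate)
    return hits


def pattern_score(text, score=1, count_multiple=True, **kw) -> int:
    """Count multiple occurrences adds the score per hit; the one-time mode
    contributes the score once for the whole expression."""
    hits = find_matches(text, **kw)
    if not hits:
        return 0
    return score * (len(hits) if count_multiple else 1)


def classify(text, threshold, **kw) -> bool:
    # Assumption for this example: classification applies once the score
    # reaches the threshold set on the classification criteria.
    return pattern_score(text, **kw) >= threshold


# Constructed sample: two Luhn-valid test numbers and one that fails the check.
SAMPLE = ("Card 4111-1111-1111-1111 on file. Test value 1234-5678-9012-3456 "
          "is not a real number. Backup card 5500 0000 0000 0004 present.")

if __name__ == "__main__":
    print(find_matches(SAMPLE))                                      # validated hits
    print(find_matches(SAMPLE, validator=None))                      # raw regex hits
    print(find_matches(SAMPLE, ignored=[("Keyword", "4111-1111-1111-1111")]))
    print(classify(SAMPLE, threshold=10), classify(SAMPLE, threshold=2))
```

Without the validator the sample yields three hits; with Luhn10 the 1234-5678-9012-3456 string is dropped, and an ignored keyword removes a known test card entirely. Note that the trailing \D in the expression means a number at the very end of a document is not matched, which is worth remembering when a test document unexpectedly scores zero.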

Create a general classification definition

Create and configure definitions for use in classifications and rules.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Select the type of definition to configure, then select Actions | New.

3 Enter a name and configure the options and properties for the definition.

The available options and properties depend on the type of definition.

4 Click Save.


5 Protecting McAfee DLP Prevent with rules, rule sets, and policies

McAfee DLP 10.x uses rules to inspect data and traffic and takes protective action when it detects rule violations. Rules are grouped into rule sets.

Rules

The rule conditions define what triggers the rule. Depending on the rule type, conditions include classifications, rule definitions, and other criteria. For example, you can create a rule that monitors for when a specific group of users send out certain company confidential documents as email attachments.

Exceptions define parameters excluded from the rule. You might want to block most users from visiting a certain website but allow a certain user group access as an exception.

Rule sets

To recreate the policies you used in DLP Manager, you create rule sets in McAfee DLP 10.x. Your rules are grouped into the rule sets. If you have multiple McAfee DLP products, you can combine all rule types into a single rule set.

Policy

Policies in McAfee DLP 10.x are sets of definitions, classifications, and rules that define how McAfee DLP products protect your data.

Contents

McAfee DLP Prevent rule reactions and definitions
Create a rule
Create a rule set
Create an email address list definition
Create a network address range
Create a URL list definition
Create a network port range
Create a policy
Assign a policy to a McAfee DLP Prevent appliance
Use case: Block outbound messages with confidential content unless they are sent to a specified domain
Use case: Track intellectual property violations
Use case: Application-based fingerprinting


McAfee DLP Prevent rule reactions and definitions

McAfee DLP Prevent works with McAfee DLP Email Protection rules and Web Protection rules.

Reactions

McAfee DLP Prevent can take these actions when rules are triggered.

Rule type          Reaction                           Description
Any                No Action                          Allows the traffic or action.
                   Report Incident                    Generates an incident reporting the violation.
Web Protection     Store original file as evidence    Stores the file that triggered the rule on the evidence share. You can view evidence in the incident details.
                   User notification                  Notifies the user of the violation.
                   Block                              Blocks the user from accessing the website.
Email Protection   Add Header X-RCIS-Action           These actions are available:
                                                      • SCANFAIL — Messages that cannot be analyzed.
                                                      • BLOCK — Blocks the message.
                                                      • QUART — Quarantines the message.
                                                      • ENCRYPT — Encrypts the message.
                                                      • BOUNCE — Issues a Non-Delivery Receipt (NDR) message to the sender.
                                                      • REDIR — Redirects the message.
                                                      • NOTIFY — Notifies supervisory staff.
                                                      • ALLOW — Allows the message through. The Allow value is added automatically to all messages that do not contain any matched contents.
                   Store original email as evidence   Stores the email that triggered the rule on the evidence share. You can view evidence in the incident details.

Rule definitions

Similar to classifications, rule definitions specify a condition in the rule. McAfee DLP Prevent uses these rule definitions:

• Email Address List

• Network Port Range

• End-User Group

• File Extension

• URL List

• Application Template

• User Notifications

• File Name List

• Network Address Range

Create a rule

The process for creating a rule is similar for all rule types.


Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager.

2 Click the Rule Sets tab.

3 Click the name of a rule set and if needed, select the appropriate tab for the Data Protection, Device Control, or Discovery rule.

4 Select Actions | New Rule, then select the type of rule.

5 On the Condition tab, enter the information.

• For some conditions, such as classifications or device template items, click ... to select an existing item or create an item.

• To add additional criteria, click +.

• To remove criteria, click –.

6 (Optional) To add exceptions to the rule, click the Exceptions tab.

a Select Actions | Add Rule Exception.

Device rules do not display an Actions button. To add exceptions to device rules, select an entry from the displayed list.

b Fill in the fields as needed.

7 On the Reaction tab, configure the Action, User Notification, and Report Incident options.

Rules can have different actions, depending on whether the endpoint computer is in the corporate network. Some rules can also have a different action when connected to the corporate network by VPN.

8 Click Save.

Create a rule set

Rule sets combine multiple device protection, data protection, and discovery scan rules.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager.

2 Click the Rule Sets tab.

3 Select Actions | New Rule Set.

4 Enter the name and optional note, then click OK.


Create an email address list definition

Email address list definitions are predefined email domains or specific email addresses that can be referenced in email protection rules.

To get granularity in email protection rules, you include some email addresses, and exclude others. Make sure to create both types of definitions.

Best practice: For combinations of operators that you use frequently, add multiple entries to one email address list definition.

You can import email address lists in CSV format. You can also import items with a script containing REST API calls. The administrator running the script must be a valid McAfee ePO user who has permissions in McAfee ePO Permission Sets to perform the actions that are invoked by the APIs.

Best practice: Email address list CSV files use multiple columns. Export an address list to understand how the columns are populated before creating a file for import.

Email value definitions support wildcards, and can define conditions. An example of a condition defined with a wildcard is *@intel.com. Combining an address list condition with a user group in a rule increases granularity.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager | Definitions.

2 In the left pane, select Email Address List, then Actions | New.

3 Enter a Name and optional Description.

4 Select an Operator from the drop-down list.

Operators defined using the Email Addresses option support wildcards in the Value field.

Email protection rules that are enforced on McAfee DLP Prevent do not match on the Display name operators.

5 Enter a value, then click Add.

6 Click Save when you have finished adding email addresses.

Create a network address range

Network address ranges serve as filter criteria in network communication protection rules.

Task

For each required definition, perform steps 1–4. For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager | Definitions.

2 In the left pane, select Network Address (IP address), then click Actions | New.

3 Enter a unique name for the definition and an optional description.


4 Enter an address, a range, or a subnet in the text box. Click Add.

Correctly formatted examples are displayed on the page.

Only IPv4 addresses are supported. If you enter an IPv6 address, the message says IP address is invalid rather than saying that it isn't supported.

5 When you have entered all required definitions, click Save.
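Because the UI reports an IPv6 entry only as "IP address is invalid", it helps to pre-validate a batch of address, range and subnet entries before typing them in. The following is an added example, not McAfee code: a checker built on Python's standard ipaddress module that accepts the three entry forms named in step 4, rejects IPv6 with an explicit reason, and shows how a finished definition acts as a filter. The entry formats (single address, low-high range, CIDR subnet) and all sample values are assumptions constructed for the example.

```python
import ipaddress


def _ipv4(value: str) -> ipaddress.IPv4Address:
    addr = ipaddress.ip_address(value.strip())   # ValueError when malformed
    if addr.version != 4:
        # The product only says "IP address is invalid"; be explicit instead.
        raise ValueError(f"{value}: IPv6 is not supported")
    return addr


def parse_network_address(entry: str):
    """Return (kind, value) where kind is 'address', 'range' or 'subnet'.

    Accepted forms (assumed for this example): 10.0.0.1, 10.0.1.1-10.0.1.50,
    192.168.1.0/24.
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            raise ValueError(f"{entry}: IPv6 is not supported")
        return "subnet", net
    if "-" in entry:
        low, high = (_ipv4(p) for p in entry.split("-", 1))
        if high < low:
            raise ValueError(f"{entry}: range end precedes range start")
        return "range", (low, high)
    return "address", _ipv4(entry)


def validate_entries(entries):
    """Parse entries as typed into the UI; collect errors instead of stopping."""
    parsed, errors = [], []
    for e in entries:
        try:
            parsed.append(parse_network_address(e))
        except ValueError as exc:
            errors.append(str(exc))
    return parsed, errors


def address_in_definition(definition, address: str) -> bool:
    """True when the address falls inside any entry of a parsed definition."""
    addr = _ipv4(address)
    for kind, value in definition:
        if kind == "address" and addr == value:
            return True
        if kind == "range" and value[0] <= addr <= value[1]:
            return True
        if kind == "subnet" and addr in value:
            return True
    return False


# Constructed entries: three valid, one IPv6 host, one malformed, one IPv6 subnet.
SAMPLE_ENTRIES = ["10.0.0.1", "10.0.1.1-10.0.1.50", "192.168.1.0/24",
                  "2001:db8::1", "300.1.1.1", "2001:db8::/32"]

if __name__ == "__main__":
    parsed, errors = validate_entries(SAMPLE_ENTRIES)
    for kind, value in parsed:
        print(kind, value)
    for err in errors:
        print("rejected:", err)
    print(address_in_definition(parsed, "192.168.1.77"))
```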

Create a URL list definition

URL list definitions are used to define web protection rules. They are added to rules as Web address (URL) conditions.

You can create a URL list definition by importing the list in CSV format. You can also import items with a script containing REST API calls. The administrator running the script must be a valid McAfee ePO user who has permissions in McAfee ePO Permission Sets to perform the actions that are invoked by the APIs.

Best practice: URL list CSV files can use multiple columns. Export a URL list to understand how the columns are populated before creating a file for import.

Task

For each URL required, perform steps 1–4. For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager | Definitions.

2 In the left pane, select URL List, then select Actions | New.

3 Enter a unique Name and optional Definition.

4 Do one of the following:

• Enter the Protocol, Host, Port, and Path information in the text boxes, then click Add.

• Paste a URL in the Paste URL text box, then click Parse, then click Add.

The URL fields are filled in by the software.

5 When all required URLs are added to the definition, click Save.
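Step 4 offers two ways to fill the Protocol, Host, Port, and Path fields: type them individually, or paste a URL and let the software split it. The following is an added example, not the product's parser: the same split done with Python's urllib.parse so a long list of pasted URLs can be checked for parse failures and duplicates before import. Filling a missing port from the scheme's standard port and normalising an empty path to "/" are assumptions made for the example; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: a URL without an explicit port gets the scheme's standard port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_url(url: str) -> dict:
    """Split a pasted URL into the Protocol, Host, Port, and Path fields."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"cannot parse URL: {url!r}")
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"                       # assumption: empty path means /
    if parts.query:
        path += "?" + parts.query
    return {"Protocol": scheme, "Host": parts.hostname, "Port": port, "Path": path}


def build_url_list(urls):
    """Parse many pasted URLs; return unique entries plus the lines that failed."""
    entries, failed, seen = [], [], set()
    for line in urls:
        try:
            fields = parse_url(line)
        except ValueError:
            failed.append(line)
            continue
        key = (fields["Protocol"], fields["Host"], fields["Port"], fields["Path"])
        if key not in seen:                        # drop duplicates before import
            seen.add(key)
            entries.append(fields)
    return entries, failed


# Constructed sample list, including a duplicate and a line without a scheme.
SAMPLE_URLS = [
    "https://www.example.com/docs/index.html?x=1",
    "http://intranet.example.com:8080",
    "HTTPS://www.example.com/docs/index.html?x=1",
    "www.example.com/no-scheme",
]

if __name__ == "__main__":
    entries, failed = build_url_list(SAMPLE_URLS)
    for e in entries:
        print(e)
    print("failed:", failed)
```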

Create a network port range

Network port ranges serve as filter criteria in network communication protection rules.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager | Definitions.

2 In the left pane, select Network Port, then click Actions | New.

You can also edit the built-in definitions.

3 Enter a unique name and optional description.


4 Enter the port numbers, separated by commas, and optional description, then click Add.

5 When you have added all required ports, click Save.

Create a policy

Task

For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, select the DLP Prevent Server category, and click New Policy.

2 Select the policy you want to duplicate, type a name for the new policy and click OK.

The policy appears in the Policy Catalog.

3 Select the name of the new policy to open the Policy Settings wizard.

4 Edit the policy settings and click Save.

Assign a policy to a McAfee DLP Prevent appliance

Before you begin

• An email protection or web protection rule enforced on McAfee DLP Prevent

• A rule set

• A McAfee DLP Prevent policy that is assigned to a rule set.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, open the policy you created.

2 Select Actions | Active Rule Set, then select the rule set from the list and click OK.

3 Click Menu | Systems | System Tree | Assigned Policies, then select a group from the System Tree.

4 Select the product as DLP Appliance Management.

All assigned policies, organized by product, appear in the details pane.

5 Click the Edit Assignment link for the DLP Policy category.

6 Select Break inheritance and assign the policy and settings below and change the assigned policy to the policy you created.

7 Click Save.


Use case: Block outbound messages with confidential content unless they are sent to a specified domain

Outbound messages are blocked if they contain the word Confidential, unless the recipient is exempt from the rule.

Table 5-1 Expected behavior

Email contents                     Recipient                                  Expected result
Body: Confidential                 [email protected]                          The message is blocked because it contains the word Confidential.
Body: Confidential                 [email protected]                          The message is not blocked because the exception settings mean that confidential material can be sent to people at example.com.
Body / Attachment: Confidential    [email protected], [email protected]       The message is blocked because one of the recipients is not allowed to receive it.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Create an email address list definition for a domain that is exempt from the rule.

a In the Data Protection section in McAfee ePO, select DLP Policy Manager and click Definitions.

b Select the Email Address List definition and create a duplicate copy of the built-in My organization email domain.

c Select the email address list definition you created, and click Edit.

d In Operator, select Domain name is and set the value to example.com.

e Click Save.

2 Create a rule set with an Email Protection rule.

a Click Rule Sets, then select Actions | New Rule Set.

b Name the rule set Block Confidential in email.

c Create a duplicate copy of the built-in Confidential classification.

An editable copy of the classification appears.

d Click Actions | New Rule | Email Protection Rule.

e Name the new rule Block Confidential and enable it.

f Enforce the rule on DLP Endpoint for Windows and DLP Prevent.

g Select the classification you created and add it to the rule.

h Set the Recipient to any recipient (ALL).

Leave the other settings on the Condition tab with the default settings.

3 Add exceptions to the rule.

a Click Exceptions, then select Actions | Add Rule Exception.

b Type a name for the exception and enable it.


c Set the classification to Confidential.

d Set Recipient to at least one recipient belongs to all groups (AND), then select the email address list definition you created.

4 Configure the reaction to messages that contain the word Confidential.

a Click Reaction.

b In DLP Endpoint, set the Action to Block for computers connected to and disconnected from the corporate network.

c In DLP Prevent, select the Add header X-RCIS-Action option and click the Block value.

5 Save and apply the policy.
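The rule, exception and reaction from this use case, modelled as an added example (not McAfee code) so that the three rows of Table 5-1 can be checked mechanically. The classification is reduced to a whole-word match on "Confidential", the exception is read from the table as "every recipient must be in example.com", and the sample addresses (alice@example.com, bob@external.example) are constructed.

```python
"""Model of the 'Block Confidential in email' rule with its example.com exception.

Added example, not McAfee code.  Assumptions are marked in the comments.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Classification: the duplicated Confidential classification is modelled as a
# single whole-word, case-insensitive keyword match (assumption; the built-in
# classification may contain more criteria).
CONFIDENTIAL = re.compile(r"\bconfidential\b", re.IGNORECASE)

# Email address list definition with operator "Domain name is" = example.com.
EXEMPT_DOMAINS = {"example.com"}


@dataclass
class Message:
    recipients: List[str]
    body: str = ""
    attachment: str = ""  # extracted text of the attachment, if any


def matches_classification(msg: Message) -> bool:
    """Rule condition: the Confidential classification matches body or attachment."""
    return bool(CONFIDENTIAL.search(msg.body) or CONFIDENTIAL.search(msg.attachment))


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased, as the 'Domain name is' operator compares it."""
    return address.rsplit("@", 1)[-1].strip().lower()


def exception_applies(msg: Message) -> bool:
    """Rule exception for the exempt domain.

    Table 5-1 blocks a message that has one example.com recipient and one
    outside recipient, so the exception only clears a message when every
    recipient is in the exempt domain (interpretation of the table, assumed here).
    """
    return bool(msg.recipients) and all(
        domain_of(r) in EXEMPT_DOMAINS for r in msg.recipients
    )


def evaluate(msg: Message) -> Dict[str, str]:
    """Return the reaction for a message.

    'Block' corresponds to the DLP Prevent reaction 'Add header X-RCIS-Action'
    with the Block value selected; 'Allow' means the rule did not fire or the
    exception covered every recipient.
    """
    if not matches_classification(msg):
        return {"action": "Allow", "reason": "no Confidential content"}
    if exception_applies(msg):
        return {"action": "Allow", "reason": "all recipients in exempt domain example.com"}
    outside = sorted({domain_of(r) for r in msg.recipients} - EXEMPT_DOMAINS)
    return {"action": "Block", "reason": f"Confidential content to non-exempt domain(s): {outside}"}


# Constructed messages mirroring the three rows of Table 5-1.
TABLE_5_1 = [
    Message(["bob@external.example"], body="Confidential"),
    Message(["alice@example.com"], body="Confidential"),
    Message(["alice@example.com", "bob@external.example"], attachment="Confidential"),
]

if __name__ == "__main__":
    for msg in TABLE_5_1:
        print(msg.recipients, "->", evaluate(msg))
```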

Use case: Track intellectual property violations

Your company has lost intellectual property, and you suspect it was leaked from someone at a specific office location. You can create rule parameters that find the leaked documents and the suspected employee, then monitor their activities to build a legal case and prevent any more data loss.

Before you begin

You must have an Active Directory server and McAfee® Logon Collector connected to McAfee DLP. For more information, see the McAfee Data Loss Prevention Product Guide.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager | Rule Sets.

2 Either edit an existing rule, or select Actions | New Rule Set and create a new one.

3 Select a rule set, then click Actions | New Rule, and select the type of rule.

4 Enter a Rule Name, State, and Severity for the rule.

5 Add classification criteria that describe the lost intellectual property. Either select an existing classification, or add a new one.

6 Add classification criteria that describe the lost intellectual property.

a Click Menu | Data Protection | Classification.

b Select the classification and click Actions | New Content Classification Criteria.

c Add conditions that describe the lost intellectual property.

For example, you might add keywords, an exact phrase found in the leaked documents, a file type, or a concept.

7 Return to the DLP Policy Manager, and select the Definitions tab.

8 Open the Source/Destination category and add a destination that might identify the recipients of the data.

For example, you might have IP addresses, domains, or geographic locations that might help to define the recipient.


9 Click Save.

After the rule retrieves incidents.

10 Examine the Incident Details page to confirm the rule retrieves incidents.

11 On the Reaction tab, select Add header X-RCIS-Action from the drop-down list in the McAfee DLP Prevent section, then select Block, Quarantine, Redirect, or Notify.

Use case: Application-based fingerprinting

You can classify content as sensitive according to the application that produced it.

In some cases, content can be classified as sensitive by the application that produces it. An example is top-secret military maps. These are JPEG files, typically produced by a specific US Air Force GIS application. By selecting this application in the fingerprinting criteria definition, all JPEG files produced by the application are tagged as sensitive. JPEG files produced by other applications are not tagged.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 On the Definitions tab, select Application Template, then select Actions | New.

3 Enter a name, for example GIS Application, and optional description.

4 Using one or more properties from the Available Properties list, define the GIS application, then click Save.

5 On the Classification tab, click New Classification, and enter a name, for example, GIS application, and optional definition. Click OK.

6 Select Actions | New Content Fingerprinting Criteria | Application to open the applications fingerprinting criteria page.

7 In the Name field, enter a name for the tag, for example GIS tag.

8 In the Applications field, select the GIS application created in step 1.

9 From the Available Properties | File Conditions list, select True File Type, then in the Value field, select Graphic files [built-in].

The built-in definition includes JPEG, as well as other graphic file types. By selecting an application as well as a file type, only JPEG files produced by the application are included in the classification.

10 Click Save, then select Actions | Save Classification.

The classification is ready to be used in protection rules.


6 Scanning data with McAfee DLP Discover 10.x

Contents

Types of repository
Types of scan
Create scan definitions
Create a classification scan
Create rules for remediation scans
Use case: Schedule a scan and filter the results
Use case: Create a one-time scan that runs until it completes

Types of repository

McAfee DLP Discover 10.x works with CIFS, SharePoint, and Box repositories.

CIFS repositories

When defining a CIFS repository, the UNC path can be the fully qualified domain name (FQDN) (\\myserver1.mydomain.com) or the local computer name (\\myserver1). You can add both conventions to a single definition.

SharePoint repositories

When defining a SharePoint repository, the host name is the server URL unless Alternate Access Mapping (AAM) is configured on the server. For information about AAM, see the SharePoint documentation from Microsoft.

Box repositories

When defining a Box repository, obtain the client ID and client secret from the Box website.

Types of scan

McAfee DLP Discover 10.x performs inventory, classification, and remediation scans.

McAfee DLP Discover 10.x does not perform registration scans.


Inventory scan

• Collects metadata but does not download any files

• Returns Online Analytical Processing (OLAP) counters and data inventory (list of files scanned)

• Restores the last access time of files scanned

Classification scan

• Collects the same metadata as an inventory scan

• Analyzes the true file type based on the content of the file rather than the extension

• Collects data on files that match the configured classification

• Restores the last access time of files scanned

Remediation scan

Remediation scans apply rules to protect sensitive content in the scanned repository. When a file matches the classification in a remediation scan, McAfee DLP Discover can:

• Generate an incident

• Store the original file on the evidence server

• Copy the file

• Move the file

• Apply rights management policy to the file

• (Box scans only) Modify anonymous share to login required

• Take no action

Create scan definitions

All scans require a definition to specify the repository, credentials, and schedule.

Before you begin

You must have the user name, password, and path for the repository.

Best practice: Optional file information definitions are used to define scan filters. Filters allow you to scan repositories in a more granular manner by defining which files are included and which are excluded.


Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Discover, and click the Definitions tab.

2 Create a credentials definition.

a In the left pane, select Others | Credentials.

b Enter a unique name for the definition.

The Description and Domain name are optional fields. All other fields are required. If the user is a domain user, use the domain suffix for the Domain name field. If the user is a workgroup user, use the local computer name.

c For Windows domain repositories, click Test Credential to verify the user name and password from McAfee ePO. This does not test the credentials from the McAfee DLP Discover server.

3 Create a repository definition.

a In the left pane, under Repositories, select the type of new repository you want to create.

b Select Actions | New, type a unique repository name in the Name field, and fill in the rest of the Type and Definitions information.

c Click Save.

4 Create a scheduler definition.

a In the left pane, select Others | Scheduler.

b Select Actions | New and fill in the scheduler parameters.

c Click Save.

5 (Optional) Create a file information definition.

a In the left pane, select Data | File Information.

b Select Actions | New and replace the default name with a unique name for the definition.

c Select properties to use as filters and fill in the Comparison and Value details.

d Click Save.

Create a classification scan

Classification scans collect file data based on defined classifications. They are used to analyze file systems for sensitive data to be protected with a remediation scan.

By changing the scan type, you can also create Remediation and Inventory scans.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Discover.

2 On the Discover Servers tab, select Actions | Detect Servers to refresh the list.

If the list is long, you can define a filter to display a shorter list.


3 On the Scan Operations tab, select Actions | New Scan and select the repository type.

4 Type a unique name and select Scan Type: Classification, then select a server platform and a schedule.

5 Discover servers must be predefined. You can select a defined schedule or create one.

6 (Optional) Set values for Throttling, Files List, or Error Handling in place of the default values.

7 Select the repositories to scan.

a On the Repositories tab, click Actions | Select Repositories.

b If needed, specify the credentials for each repository from the drop-down list.

c (Optional) On the Filters tab, select Actions | Select Filters to specify files to include or exclude.

By default, all files are scanned.

8 Select the classifications for the scan.

a On the Classifications tab, click Actions | Select Classifications.

b Select one or more classifications from the list.

c Click Save.

9 Click Apply policy.

Create rules for remediation scans

Use rules to define the action to take when a remediation scan detects files that match classifications.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Policy Manager.

2 Click the Rule Sets tab.

3 If there are no rule sets configured, create a rule set.

a Select Actions | New Rule Set.

b Enter the name and optional note, then click OK.

4 Click the name of a rule set, then if needed, click the Discover tab.

5 Select Actions | New Network Discovery Rule, then select the type of rule.

6 On the Condition tab, configure one or more classifications and repositories.

• To create an item, click ....

• To add additional criteria, click +.

• To remove criteria, click -.

7 (Optional) On the Exceptions tab, specify any exclusions from triggering the rule.

8 On the Reaction tab, configure the reaction. The available reactions depend on the repository type.

9 Click Save.


Use case: Schedule a scan and filter the results

Schedule a scan to run at regular intervals.

Scans run until they complete unless an end time is defined. If the scan is still running at the time of the next scheduled interval, that instance is skipped, and scanning restarts at the following one.

For example, if a daily scan that has no end time starts running on Monday at 9 a.m. and completes 49 hours later, it restarts Thursday at 9 a.m.
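The skip rule above, simulated as an added example (not McAfee code): each scheduled instance that falls while the previous run is still going is skipped, and the run durations and the calendar date used for "Monday" are constructed inputs.

```python
"""Simulate a recurring McAfee DLP Discover scan that has no end time.

Added example, not McAfee code.  A scheduled instance that falls while the
previous run is still in progress is skipped; the next run starts at the
first free instance.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple


class ScanRun(NamedTuple):
    start: datetime
    finish: datetime
    skipped: List[datetime]   # scheduled instances missed while this run was going
    next_start: datetime      # first scheduled instance at or after finish


def plan_scan_runs(first_start: datetime, interval: timedelta,
                   durations: List[timedelta]) -> List[ScanRun]:
    """Return the actual start and finish of each run of a recurring scan.

    durations[i] is how long the i-th run takes (constructed input).  A run
    that finishes exactly at a scheduled instance is treated as no longer
    running, so that instance is used (assumption about the boundary case).
    """
    if interval <= timedelta(0):
        raise ValueError("interval must be positive")
    runs: List[ScanRun] = []
    slot = first_start
    for duration in durations:
        start = slot
        finish = start + duration
        skipped: List[datetime] = []
        slot = start + interval
        while slot < finish:          # still running at this instance: skip it
            skipped.append(slot)
            slot += interval
        runs.append(ScanRun(start, finish, skipped, slot))
    return runs


if __name__ == "__main__":
    # 2 January 2017 is a Monday (constructed date); daily schedule, 49-hour run.
    monday_9am = datetime(2017, 1, 2, 9)
    for run in plan_scan_runs(monday_9am, timedelta(days=1), [timedelta(hours=49)]):
        print(f"ran {run.start:%A %H:%M} to {run.finish:%A %H:%M}, "
              f"skipped {[s.strftime('%A') for s in run.skipped]}, "
              f"restarts {run.next_start:%A %H:%M}")
```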

Task

For details about product features, usage, and best practices, click ? or Help.

1 Create a scan definition and select the Schedule type as Run Immediately. Use the Suspend time option to specify an end time for the scan.

2 In McAfee ePO, select Menu | Data Protection | DLP Discover.

3 Click the Edit link next to the Filter dropdown list.

4 Select Files Scanned from the left pane.

5 Enter the comparison, value, and other parameters such as Estimated Files to Scan, Scan errors, and Scan Type.

6 Check the scan results in the Data Analytics and Data Inventory tabs.

Use case: Create a one-time scan that runs until it completes

Schedule a scan that runs until it completes.

Before you begin

Determine the repository type, the credentials used to access it, and the scan mode that fits the task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | Classification.

2 Select HIPAA from the left-hand pane, then click Actions | Duplicate Classification.

3 Specify the credentials, repository, and schedule.

4 Create the scan using the classification and definitions you created.

5 Enable the scan:

a Select the checkbox for the scans you want to enable or disable.

The icon in the state column shows if the scan is enabled or disabled.

• A solid blue icon means that the scan is enabled

• A blue and white icon means the scan is disabled


b Select Actions | Change State, then select Enabled.

c Apply the policy.

6 Check the scan results in the Data Analytics and Data Inventory tabs.


7 Monitoring and reporting

McAfee DLP offers several features for managing incidents, cases, and appliance status.

• Use the DLP Incident Manager console to view and manage incidents created when rules are triggered.

• Use the DLP Case Management console to view and manage incidents that are assigned to cases.

• Use the DLP Operations console to view errors and administrative events.

• Use the Appliance Management system health cards to monitor the status of each of your McAfee DLP appliances.

• Use the McAfee DLP dashboards in McAfee ePO to retrieve incident information.

Contents

Incidents and cases
Monitoring system health and status

Incidents and cases

Incident and case management is handled similarly between McAfee Network DLP 9.3.x and McAfee DLP 10.x.


With McAfee DLP 10.x, incidents are sent to the McAfee ePO Event Parser and stored in a database. Incidents contain the details about the violation, and can optionally include evidence information. You can view incidents and evidence as they are received in the DLP Incident Manager console. It has three tabbed sections:

• Incident List — the current list of policy violation events. The following operations can be performed on incidents:

• Case management — Create cases and add selected incidents to a case

• Comments — Add comments to selected incidents

• Email events — Send selected events

• Export device parameters — Export device parameters to a CSV file (Data in-use/motion list only)

• Labels — Set a label for filtering by label

• Release redaction — Remove redaction to view protected fields (requires correct permission)

• Set properties — Edit the severity, status, or resolution; assign a user or group for incident review


• Incident Tasks — Use the Incident Tasks or Operational Event Tasks tab to set criteria for scheduled tasks. Tasks set up on the pages work with the McAfee ePO Server Tasks feature to schedule tasks. Tasks can also include assigning reviewers to incidents, setting automatic email notifications, and purging all or part of the list.

• Incident History — A list containing all historic incidents. Purging the incident list does not affect the history. Displays historical incidents or events based on the current selections. Selections can be View, Time, and Filter.

When a rule is triggered, the incident is reported to the DLP Incident Manager console. Use this console to view, sort, modify, and add additional information to incidents. The DLP Incident Manager displays incidents for all McAfee DLP products. The type of incidents displayed depends on the Present field selection. The Data in-use/motion option includes incidents generated by McAfee DLP Prevent.

Best practice: The incidents that relate to your McAfee Network DLP 9.3.x setup can't be migrated to McAfee ePO unless you were using the unified incident management feature in McAfee ePO 9.3.4. If you continue to need access to any legacy incidents, run your McAfee Network DLP 9.3.x setup in parallel with McAfee DLP 10.x until the legacy incidents are no longer required.

Use the DLP Case Management console to group related incidents to a case for further tracking and review. Cases allow administrators to collaborate on the resolution of related incidents. In many situations, a single incident is not an isolated event. You might see multiple incidents in the DLP Incident Manager that share common properties or are related to each other. You can assign these related incidents to a case. Multiple administrators can monitor and manage a case depending on their roles in the organization.

Sort and filter incidents

Arrange the way incidents appear based on attributes such as time, location, user, or severity.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select Data in-use/motion.

3 Perform any of these tasks.

• To sort by column, click a column header.

• To change columns to a custom view, from the View drop-down list, select a custom view.

• To filter by time, from the Time drop-down list, select a time frame.

• To apply a custom filter, from the Filter drop-down list, select a custom filter.

• To group by attribute:

1 From the Group By drop-down list, select an attribute.

A list of available options appears. The list contains up to 250 of the most frequently occurring options.

2 Select an option from the list. Incidents that match the selection are displayed.

View incident details

View the information related to an incident.


Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select Data in-use/motion.

3 Click an Incident ID.

For McAfee DLP Endpoint and McAfee DLP Prevent incidents, the page displays general details and source information. Depending on the incident type, destination or device details appear. For McAfee DLP Discover incidents, the page displays general details about the incident.

4 To view additional information, perform any of these tasks.

• To view user information for McAfee DLP Endpoint incidents, click the user name in the Source area.

• To view evidence files:

1 Click the Evidence tab.

2 Click a file name to open the file with an appropriate program.

The Evidence tab also displays the Short Match String, which contains up to three hit highlights as a single string.

• To view rules that triggered the incident, click the Rules tab.

• To view classifications, click the Classifications tab.

For McAfee DLP Endpoint incidents, the Classifications tab does not appear for some incident types.

• To view incident history, click the Audit Logs tab.

• To view comments added to the incident, click the Comments tab.

• To email the incident details, including decrypted evidence and hit highlight files, select Actions | Email Selected Events.

• To return to the incident manager, click OK.

Tasks

• Change the view on page 48: In addition to using filters to change the view, you can also customize the fields and the order of display. Customized views can be saved and reused.

Change the view

In addition to using filters to change the view, you can also customize the fields and the order of display. Customized views can be saved and reused.

When you save the view, you can also save the time and custom filters. Saved views can be chosen from the drop-down list at the top of the page.

Task

For details about product features, usage, and best practices, click ? or Help.

1 To open the Edit View window, click Actions | View | Choose Columns.

2 To move columns to the left or right, use the arrow icons.


3 Use the x icon to delete columns.

4 To apply the customized view, click Update View.

5 To save for future use, click Actions | View | Save View.

Update a single incident

Update incident information such as the severity, status, and reviewer.

The Audit Logs tab reports all updates and modifications performed on an incident.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select Data in-use/motion.

3 Click an incident.

The incident details window opens.

4 In the General Details pane, perform any of these tasks.

• To update the severity, status, or resolution:

1 From the Severity, Status, or Resolution drop-down lists, select an option.

2 Click Save.

• To update the reviewer:

1 Next to the Reviewer field, click ...

2 Select the group or user and click OK.

3 Click Save.

• To add a comment:

1 Select Actions | Add Comment.

2 Enter a comment, then click OK.

Update multiple incidents

Update multiple incidents with the same information simultaneously.

Example: You have applied a filter to display all incidents from a particular user or scan, and you want to change the severity of these incidents to Major.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select Data in-use/motion.

3 Select the checkboxes of the incidents to update.

To update all incidents displayed by the current filter, click Select all in this page.


4 Perform any of these tasks.

• To add a comment, select Actions | Add Comment, enter a comment, then click OK.

• To send the incidents in an email, select Actions | Email Selected Events, enter the information, then click OK.

You can select a template, or create a template by entering the information and clicking Save.

• To export the incidents, select Actions | Export Selected Events, enter the information, then click OK.

• To release redaction on the incidents, select Actions | Release Redaction, enter a user name and password, then click OK.

You must have data redaction permission to remove redaction.

• To change the properties, select Actions | Set Properties, change the options, then click OK.

Create email notifications

The process to add email notifications is similar for DLP Incident Manager and DLP Operations.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Incident Manager or Menu | Data Protection | DLP Operations.

2 Select either Incident Tasks or Operational Event Tasks, then select Automatic mail Notification.

If you chose Incident Tasks, you must also select the type of incident, such as Data-in-use/motion.

3 Click Actions | New Rule and enter a name and optional description.

Rules are enabled by default. You can change this setting to delay running the rule.

4 Select which events you want to process, then specify the following information:

• Recipients

• Subject

• Body

Apart from Body, these fields are required. You can insert variables from the drop-down list as needed.

5 Add the email body text.

6 (Optional for DLP Incident Manager) Select the checkbox to attach evidence information to the email.

7 Click Next to add the rule criteria and their Comparison and Value parameters, then click Save.

Create cases

Create a case to group and review related incidents.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Case Management.

2 Select Actions | New.


3 Enter a title name and configure the options.

4 Click OK.

Assign a reviewer

Assign reviewers to incidents and operational events. Assignments can be by reviewer group or individual reviewer.

Use the Permission Sets feature under User Management to create reviewers.

The process to set reviewers is similar for DLP Incident Manager and DLP Operations.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Incident Manager or Menu | Data Protection | DLP Operations.

2 Select either Incident Tasks or Operational Event Tasks, then select Set Reviewer.

3 Click Actions | New Rule and enter a name and optional description.

Rules are enabled by default. You can change this setting to delay running the rule.

4 Select a reviewer or group, then click Next.

5 Click Next to add the rule criteria and their Comparison and Value parameters, then click Save.

View case information

View audit logs, user comments, and incidents assigned to a case.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Case Management.

2 Click on a case ID.

3 Perform any of these tasks.

• To view incidents assigned to the case, click the Incidents tab.

• To view user comments, click the Comments tab.

• To view the audit logs, click the Audit Log tab.

4 Click OK.

Update cases

Update case information such as changing the owner, sending notifications, or adding comments.

Notifications are sent to the case creator, case owner, and selected users when:

• An email is added or changed.

• Incidents are added to or deleted from the case.

• The case title is changed.

• The owner details are changed.

• The priority is changed.


• The resolution is changed.

• Comments are added.

• An attachment is added.

You can disable automatic email notifications to the case creator and owner from Menu | Configuration | Server Settings | Data Loss Prevention.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Case Management.

2 Click a case ID.

3 Perform any of these tasks.

• To update the case name, in the Title field, enter a new name, then click Save.

• To update the owner:

1 Next to the Owner field, click ...

2 Select the group or user.

3 Click OK.

4 Click Save.

• To update the Priority, Status, or Resolution options, use the drop-down lists to select the items,then click Save.

• To send email notifications:

1 Next to the Send notifications to field, click ...

2 Select the users to send notifications to.

If no contacts are listed, specify an email server for McAfee ePO and add email addresses for users. Configure the email server from Menu | Configuration | Server Settings | Email Server. Configure users from Menu | User Management | Users.

3 Click Save.

• To add a comment to the case:

1 Click the Comments tab.

2 Enter the comment in the text field.

3 Click Add Comment.

4 Click OK.

Assign incidents to a case

Add related incidents to a new or existing case.


Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Incident Manager.

2 From the Present drop-down list, select Data in-use/motion.

3 Select the checkboxes of one or more incidents.

Use options such as Filter or Group By to show related incidents. To update all incidents displayed by the current filter, click Select all in this page.

4 Assign the incidents to a case.

• To add to a new case, select Actions | Case Management | Add to new case, enter a title, and configure the options.

• To add to an existing case, select Actions | Case Management | Add to existing case, filter by the case ID or title, and select the case.

5 Click OK.

Use case: Find policy violations by user

If you have a lot of incidents to review, it can be difficult to find incidents that are related to a particular user. To find related policy violations, use attributes that identify a user.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select the option for your product.

3 Select the desired time.

4 Click Actions, then select Filter | Edit Filter.

5 From Available properties, select a user attribute, such as User Name, User Primary Email, or User City.

The following conditions can be selected from the drop-down list: Equals, Not Equals, Value is Blank, Value is Not Blank, Contains, Does not Contain.

6 Specify the user information in the text field.

If you don't have a user's exact information, select the Sender or Recipient filter, add a Contains or Does not Contain condition, and type a string that might match some characters in the user's name or email address.

7 Click Policy Name, then select … to choose a policy from the list.

This displays the incidents generated for the user information entered above and for the selected policy. Policies that did not generate any matching incidents are not listed.

8 Click Update Filter.

Incidents that match the filter criteria are displayed.

9 Click the Save link next to the Filter drop-down list.

The saved filter can be applied again later.


Use case: Find high-risk incidents

To find high-risk incidents, filter incidents by severity.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select the option for your product.

3 From the Group by drop-down list, select Severity.

4 Select the severity you want to apply, such as critical or warning.

Incidents that match the filter criteria are displayed.

Use case: Set properties to incidents

You can change incident properties such as the severity to help search for and track certain incidents.

The properties are Severity, Status, Resolution, Reviewing Group, and Reviewing User.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select DLP Incident Manager.

2 From the Present drop-down list, select the option for your product.

3 Click an incident.

The Incident Details window opens.

4 In the General Details pane, perform any of these tasks, then click Save.

• To update the severity, status, or resolution, select the options you want from the drop-down list, then click Save.

• Click ... next to the Reviewer field, select the group or user, then click OK.

5 Select Actions | Add Comment.

6 Enter a comment, then click OK.

Use case: Filter incidents by date, destination, and user

Create a filter that identifies incidents sent within the last 24 hours by a particular user.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | Data Protection | DLP Incident Manager.

2 Select Data-in-use/motion from Present.

3 Select Last 24 hours from the Time drop-down list.

4 In Filters, click Edit.

5 In Destination equals, add the required destination.


6 Select Username equals and add the name you want to look for.

7 Select Update Filter.

8 In the left-hand panel select Group-by, and choose Rule Set from the drop-down list.

Assign incident viewing permissions to users in an Active Directory

Select users from the Active Directory who can view incidents in the DLP Incident Manager.

Before you begin

Register an Active Directory server in McAfee ePO.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | User Management | Permission Sets.

2 Select the role you want to edit, then click the Edit link under Name and users.

3 Click Add, select the Active Directory users you want to add, then click OK.

4 Click Save.

5 In Data Loss Prevention, click the Edit link.

6 Select Incident Management, then click User can view all incidents.

7 Click Save.

Assign case management viewing permissions to a user

Allow a specific user to view their cases in DLP Case Management.

Before you begin

Create a user in McAfee ePO and assign a permission set to the user.

Task

For details about product features, usage, and best practices, click ? or Help.

1 In McAfee ePO, select Menu | User Management | Permission Sets and select the permission set that the user belongs to.

2 Click the Edit link under Name and users.

3 Select the recently created user, and click Save.

4 In Data Loss Prevention, click the Edit link.

5 Select Case Management, and click Users can view cases assigned to them.

6 Click Save.


Monitoring system health and status

Use the Appliance Management dashboard in McAfee ePO to manage your appliances, view system health status, and get detailed information about alerts.

For information about the McAfee DLP Prevent appliance status reported in Appliance Management system health cards, see the latest version of the McAfee Data Loss Prevention Product Guide.

For information specifically relating to the Appliance Management options, see the Appliance Management online Help.

McAfee DLP dashboards

McAfee DLP 10.x adds four incident-related charts in McAfee ePO dashboards. You can create new dashboards that contain any of the McAfee DLP charts.

• DLP: Number of Incidents per day (data in-use/in-motion) in a line chart format

• DLP: Number of Incidents per severity (data in-use/in-motion) in a pie-chart format

• DLP: Number of Incidents per type (data in-use/in-motion) in a pie-chart format

• DLP: Number of Incidents per rule set (data in-use/in-motion) in a bar chart format

Appliance Management dashboard

The Appliance Management dashboard combines the Appliances tree view, System Health cards, Alerts and Details panes.

The dashboard shows the following information for all of your managed appliances.

• A selection of information about each McAfee DLP Prevent appliance or cluster of appliances

In a cluster environment, the system health cards show the tree view display of the cluster master and a number of cluster scanners.

• Indicators to show whether an appliance needs attention

• Detailed information about any detected issues

The information bar includes the appliance name, the number of currently reported alerts, and other information specific to the reported appliance.

McAfee DLP Prevent events

McAfee DLP Prevent sends events to the Client Events log or the DLP Operations log.

Client Events log events

Some events include reason codes that you can use to search log files.

Best practice: Ensure you regularly purge the Client Events log.

Event ID: 15001
UI event text: LDAP query failure
Description: The query failed. Reasons are provided in the event descriptions.

Event ID: 15007
UI event text: LDAP directory synchronization
Description: Directory synchronization status.

Event ID: 210003
UI event text: Resource usage reached critical level
Description: McAfee DLP Prevent cannot analyze a message because the directory is critically full.

Event ID: 210900
UI event text: Appliance ISO upgrade success; Appliance ISO upgrade failed; Appliance downgrading to lower version; Internal install image updated successfully; Failed to update internal install image
Description: Appliance upgrade events:

• 983 — Appliance ISO upgrade failed. Detailed logs can be found under /rescue/logs/.

• 984 — Appliance ISO upgrade success. The appliance successfully upgraded to a higher version.

• 985 — Appliance downgrading to lower version. This event is sent when the downgrade attempt is initiated. Upgrade success or failure events are sent after the upgrade completes. If a clean upgrade or downgrade is requested, the success or failure event is sent after the McAfee ePO connection is established.

Internal install image updates using SCP events:

• 986 — Internal install image updated successfully.

• 987 — Failed to update internal install image.

Event ID: 220000
UI event text: User logon
Description: A user logged on to McAfee DLP Prevent:

• 354 — GUI logon successful

• 355 — GUI logon failed

• 424 — SSH logon successful

• 425 — SSH logon failed

• 426 — Appliance console logon successful

• 427 — Appliance console logon failed

• 430 — User switch successful

• 431 — User switch failed

Event ID: 220001
UI event text: User logoff
Description: A user logged off McAfee DLP Prevent:

• 356 — GUI user logged off.

• 357 — The session has expired.

• 428 — The SSH user logged off.

• 429 — The appliance console user logged off.

• 432 — The user logged off.

Event ID: 220900
UI event text: Certificate Install
Description:

• Certificate install success.

• Certificate install failed : <reason>.

A certificate might not install due to one of the following reasons:

• Bad passphrase

• Bad signature

• No private key

• Bad CA certificate

• Chain error

• Chain too long

• Bad certificate

• Wrong purpose

• Expired certificate

• Revoked

• Not yet valid

• Bad or missing CRL

The reason is also reported in the syslog. If the reason does not match any of the available reasons, the default Certificate install failed event is sent.


DLP Operations log events

Event ID: 19100
UI event text: Policy Change
Description: Appliance Management successfully pushed a policy to the appliance.

Event ID: 19500
UI event text: Policy Push Failed
Description: Appliance Management failed to push a policy to the appliance.

Event ID: 19105
UI event text: Evidence Replication Failed
Description:

• An evidence file could not be encrypted.

• An evidence file could not be copied to the evidence server.

Event ID: 19501
UI event text: Analysis Failed
Description:

• Possible denial-of-service attack.

• The content could not be decomposed for analysis.

Event ID: 19502
UI event text: DLP Prevent Registered
Description: The appliance successfully registered with McAfee ePO.


8 Maintenance and troubleshooting

Use the appliance console for general maintenance tasks such as changing network settings and performing software updates. Troubleshooting options, sanity checks, and error messages are available to help you identify and resolve problems with a McAfee DLP Prevent appliance.

For more information about troubleshooting and maintenance tasks, and information about McAfee DLP Prevent client and operational events, see the McAfee Data Loss Prevention Product Guide.

The appliance failed to register with McAfee ePO

Verify the network connection is working, and any static routes that you created are correct. Ping the default gateway and McAfee ePO from the appliance console to test your network connection.

If the registration continues to fail, call technical support. Do not attempt the registration again.

Connection between McAfee ePO and the McAfee DLP Prevent appliance is lost

You can check the connection status for all your physical and virtual appliances using the Appliance Management feature in McAfee ePO.

To restore a failed connection, open the System Tree and select the McAfee DLP Prevent appliance that has lost the connection. Then select Action | Agent | Wake Up Agents and click OK.

McAfee DLP Prevent registration failures

McAfee DLP Prevent registration events are available from the DLP Operations log in McAfee ePO.

Event ID: 19502
UI event text: DLP Prevent Registered
Description: The appliance successfully registered with McAfee ePO.

No events are registered if the McAfee DLP Prevent appliance is unregistered. You can get more information from /var/log/messages.

Email delivery issues

If email is not delivered, check whether it is blocked by the McAfee DLP Prevent appliance. Go to the DLP Incident Manager on McAfee ePO to check if there is any corresponding incident for the message.

If email notification is configured on McAfee ePO as a Reaction, the sender is notified.

Check if the Smart Host can receive email if:

• McAfee DLP Prevent could not connect to the Smart Host to send the message.

• The connection to the Smart Host was dropped during a conversation.

Email rejection issues

If a Smart Host is not configured, McAfee DLP Prevent cannot accept email messages because it has nowhere to send them to.

Web Gateway and McAfee DLP Prevent ICAP issues

Check the Web Settings category settings in DLP Prevent Server in the Policy Catalog. McAfee DLP Prevent processes ICAP and ICAPs traffic based on the services selected: secure ICAP, unencrypted ICAP, or both.

If neither is selected, the ICAP server on McAfee DLP Prevent does not accept any connection.

If only secure ICAP is enabled, ensure that the ICAP client is ICAPs capable.

You can select the modes in which McAfee DLP Prevent operates on ICAP traffic: REQMOD, RESPMOD, or both. If a mode is deselected, that traffic is ignored by the McAfee DLP Prevent appliance and is not processed. REQMOD and RESPMOD cannot both be disabled at the same time.

LDAP and Logon Collector issues

If there are communication issues between the McAfee DLP Prevent appliance and the Active Directory while querying user information:

• Check the Active Directory credentials configured on McAfee ePO.

• If SSL is selected, check that Active Directory accepts secure connections.

If you configured Active Directory to use Global Catalog ports, check that at least one of these attributes is replicated to the Global Catalog server from the domains in the forest:

• Proxy addresses

• Mail

If a McAfee DLP Prevent appliance needs to use NTLM authentication for ICAP traffic, these LDAP attributes must also be replicated:

• configurationNamingContext

• netbiosname

• msDS-PrincipalName

For Logon Collector, check the Logon Collector certificate on the McAfee DLP Prevent appliance.

Installation failures

• Dependency issues — There might be a dependency issue if any of the following extensions is missing:

• Common UI package

• Appliance Management Extension

• Data Loss Prevention Management Extension

• Upgrade issues — the following error occurs if you install the same version or an earlier version of the extension: Can't upgrade the extension dlp-prevent-server-app to <version x.x.x.x> because <version x.x.x.x> is already installed.


Policy push failures

Policy push events are also available from the DLP Operations log in McAfee ePO.

If policy push fails, details can be obtained from the McAfee DLP Prevent appliance at /wk/mca/ame_policy_DLPPS___1000_error.log

Incident Manager issues

Issues with user, LDAP, or certificate installation are listed under Client Events Log.

1 In McAfee ePO, go to the System Tree.

2 Select the checkbox next to the McAfee DLP Prevent server.

3 Select Actions, then go to Agent | Show Client Events.

Incidents are not showing in the DLP Incident Manager

1 Use the Remote Desktop Protocol (RDP) to access McAfee ePO.

2 Go to Services.

3 Confirm that the McAfee ePO Event Parser is running. If it has stopped or paused, restart it to resolve the issue.

McAfee DLP Prevent sends SMTP and hardware logging information to the local syslog, and one or more remote logging servers if you have them enabled. Syslog entries contain information about the device itself (the vendor, product name, and version), the severity of the event, and the date the event occurred.

Use settings in the General category of the Common Appliance policy to set up remote logging servers.

Contents

Managing with the McAfee DLP Prevent appliance console

Accessing the appliance console

Replace the default certificate

Error messages

Configuration backups

Managing with the McAfee DLP Prevent appliance console

Use administrator credentials to open the appliance console to edit network settings you entered in the Setup Wizard and perform other maintenance and troubleshooting tasks.

Table 8-1 Appliance console menu options

Graphical configuration wizard: Open the graphical configuration wizard. If you log on using SSH, the graphical configuration wizard option is not available.

Shell: Open the appliance shell.

Enable/Disable SSH: Enable or disable SSH as a method of connecting to the appliance.

Generate MER: Create a Minimum Escalation Report (MER) to send to McAfee Support to diagnose problems with the appliance.

Power down: Shut down the appliance.

Reboot: Restart the appliance.

Rescue Image: Create a rescue image for the appliance to boot from.

Reset to factory defaults: Reset the appliance to its factory default settings.

Change password: Change the administrator account password.

Logout: Log off the master appliance.

Accessing the appliance console

The appliance console allows you to perform various maintenance tasks. There are different ways to access the console depending on the type of appliance you have.

Table 8-2 Methods for accessing the console

SSH: virtual appliance, hardware appliance

vSphere Client: virtual appliance

Local KVM (keyboard, monitor, mouse): hardware appliance

RMM: hardware appliance

Serial port: hardware appliance

Replace the default certificate

You can replace the self-signed certificate with one issued by a certificate authority (CA) so that other hosts on the network can validate the appliance's SSL certificate.

Before you begin

SSH must be enabled.

To replace the certificate, you can either:

• Upload a new certificate and private key.

• Download a certificate signing request (CSR) from the appliance, have it signed by a CA, and upload the certificate that the CA gives you.

Best practice: Downloading a CSR from the appliance ensures that the appliance's private key cannot be inadvertently exposed.

Only ECDSA and RSA certificates and keys are allowed in the uploaded file. The certificate must be suitable for use as both a TLS server and a TLS client and the upload must include the whole certificate chain. Uploads can be in the following formats:

• PEM (Base64) — Certificate chain and private key or certificate chain only

• PKCS#12 — Certificate chain and private key

• PKCS#7 — Certificate chain only

If the upload format is PKCS#12 or PKCS#7, the correct file endings must be used:


• PKCS#12 must have the file ending .p12 or .pfx.

• PKCS#7 must have the file ending .p7b.

The certificate might fail to install if:

• The certificate is not usable for its intended role.

• The certificate has expired.

• The uploaded file does not contain the CA certificates that it needs to verify it.

• The certificate uses an unsupported public key algorithm, such as DSA.

If installation fails, detailed information is available in the appliance syslog. To view it, log on to the appliance console, select the Shell option, and type $ grep import_ssl_cert /var/log/messages.
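The file-ending and key-type rules above can be checked on the administrator's workstation before the SFTP copy. The following Python script is an added example, not McAfee code: it applies only the rules this guide states (RSA or ECDSA keys, whole chain, .p12/.pfx for PKCS#12, .p7b for PKCS#7) to the file name and to the file's PEM or DER structure, and the certificate and key bodies in it are constructed placeholders, not real key material.

```python
"""Pre-upload check for a certificate bundle headed for /home/admin/upload/cert.
Signatures, expiry and the TLS client/server purpose are not checked here; the
appliance reports those at import in the Client Events log and /var/log/messages."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# DER encodings of the AlgorithmIdentifier OIDs inside a PKCS#8 "PRIVATE KEY"
# block; searching for them names the algorithm without a full ASN.1 parser.
ALG_OIDS = {
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01": "RSA",   # rsaEncryption 1.2.840.113549.1.1.1
    b"\x2a\x86\x48\xce\x3d\x02\x01": "ECDSA",          # id-ecPublicKey 1.2.840.10045.2.1
    b"\x2a\x86\x48\xce\x38\x04\x01": "DSA",            # id-dsa 1.2.840.10040.4.1
}
ALLOWED_ALGS = {"RSA", "ECDSA"}
LEGACY_LABELS = {b"RSA PRIVATE KEY": "RSA", b"EC PRIVATE KEY": "ECDSA", b"DSA PRIVATE KEY": "DSA"}


def key_algorithm(label: bytes, body: bytes) -> str:
    """Name the key algorithm from a legacy PEM label or a PKCS#8 OID; an
    encrypted or unrecognised key comes back as "unknown"."""
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    for oid, name in ALG_OIDS.items():
        if oid in der:
            return name
    return "unknown"


def der_inner_tag(data: bytes):
    """Tag byte of the first element inside an outer DER SEQUENCE, else None."""
    if len(data) < 3 or data[0] != 0x30:
        return None
    header = 2
    if data[1] & 0x80:          # long form: low 7 bits give the number of length octets
        header += data[1] & 0x7F
    return data[header] if len(data) > header else None


def check_bundle(filename: str, data: bytes) -> list:
    """Return the problems found with an upload; an empty list means it passes."""
    problems = []
    name = filename.lower()
    if data.lstrip().startswith(b"-----BEGIN"):
        blocks = PEM_BLOCK.findall(data)
        labels = [label for label, _ in blocks]
        if not blocks:
            problems.append("no complete PEM block (BEGIN and END labels must match)")
        is_pkcs7 = b"PKCS7" in labels        # PEM-wrapped PKCS#7 is treated as PKCS#7
        if is_pkcs7 and not name.endswith(".p7b"):
            problems.append("PKCS#7 upload must use the .p7b file ending")
        if not is_pkcs7 and b"CERTIFICATE" not in labels:
            problems.append("no CERTIFICATE block: the upload must include the whole chain")
        keys = [(label, body) for label, body in blocks if label.endswith(b"PRIVATE KEY")]
        if len(keys) > 1:
            problems.append("more than one private key in the upload")
        if keys and is_pkcs7:
            problems.append("PKCS#7 uploads carry the certificate chain only, not a private key")
        for label, body in keys:
            alg = key_algorithm(label, body)
            if alg not in ALLOWED_ALGS:
                problems.append("unsupported private key algorithm: %s (only RSA and ECDSA are allowed)" % alg)
        return problems
    # Binary upload: a PKCS#12 PFX is SEQUENCE { INTEGER version, ... } while a
    # PKCS#7 ContentInfo is SEQUENCE { OBJECT IDENTIFIER contentType, ... }.
    tag = der_inner_tag(data)
    if tag == 0x02:
        if not name.endswith((".p12", ".pfx")):
            problems.append("PKCS#12 upload must use the .p12 or .pfx file ending")
    elif tag == 0x06:
        if not name.endswith(".p7b"):
            problems.append("PKCS#7 upload must use the .p7b file ending")
    else:
        problems.append("file is neither PEM nor a DER PKCS#12 or PKCS#7 structure")
    return problems


# Constructed samples: the base64 bodies are placeholders, not real keys or
# certificates, except the PKCS#8 wrapper whose OID the check inspects.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
FAKE_RSA_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n"
FAKE_DSA_KEY = b"-----BEGIN DSA PRIVATE KEY-----\nMIIB\n-----END DSA PRIVATE KEY-----\n"
DSA_PKCS8 = (b"-----BEGIN PRIVATE KEY-----\n"
             + base64.b64encode(b"\x30\x0e\x02\x01\x00\x30\x09\x06\x07\x2a\x86\x48\xce\x38\x04\x01")
             + b"\n-----END PRIVATE KEY-----\n")
FAKE_PFX = b"\x30\x82\x0a\x00\x02\x01\x03"                                 # PKCS#12 header, version 3
FAKE_P7B = b"\x30\x82\x01\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # PKCS#7 signedData header

if __name__ == "__main__":
    for fname, blob in [("appliance.pem", FAKE_CERT * 2 + FAKE_RSA_KEY),
                        ("appliance.pem", FAKE_CERT + FAKE_DSA_KEY),
                        ("bundle.crt", FAKE_PFX), ("chain.p7b", FAKE_P7B)]:
        print(fname, check_bundle(fname, blob) or ["ok"])
```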

Task

For details about product features, usage, and best practices, click ? or Help.

1 In a browser, go to https://APPLIANCE:10443/certificates/ and select one of the CSR links for download.

Two files are available: one contains an RSA public key (the file ending in .rsa.csr) and the other contains an ECDSA public key (the file ending in .ec.csr).

2 Follow your CA's instructions to get the request signed.

3 Use an SFTP client, such as winscp, to copy the file to the /home/admin/upload/cert directory on the appliance.

The file installs automatically. The Client Events log reports whether the installation succeeded or failed.

Error messages

If the appliance is not configured correctly, it tries to identify the problem and sends a temporary or permanent failure message.

The text in parentheses in the error message provides additional information about the problem. Some error messages relay the response from the Smart Host, so the McAfee DLP Prevent response contains the Smart Host's IP address, shown in the tables as x.x.x.x.

For example, 442 192.168.0.1 : Connection refused indicates that the Smart Host with the address 192.168.0.1 did not accept the SMTP connection.

Table 8-3 Temporary failure messages

Text: 451 (The system has not been registered with an ePO server)
Cause: The initial setup was not completed.
Recommended action: Register the appliance with a McAfee ePO server using the Graphical Configuration Wizard option in the appliance console.

Text: 451 (No DNS servers have been configured)
Cause: The configuration applied from McAfee ePO did not specify any DNS servers.
Recommended action: Configure at least one DNS server in the General category of the Common Appliance policy.

Text: 451 (No Smart Host has been configured)
Cause: The configuration applied from McAfee ePO did not specify a Smart Host.
Recommended action: Configure a Smart Host in the Email Settings policy category.

Text: 451 (Policy OPG file not found in configured location)
Cause: The configuration applied from McAfee ePO was incomplete.
Recommended action:

• Ensure that the Data Loss Prevention extension is installed.

• Configure a Data Loss Prevention policy.

• Contact your technical support representative. The configuration OPG file must be applied with the policy OPG file.

Text: 451 (Configuration OPG file not found in configured location)
Cause: The configuration applied from McAfee ePO was incomplete.
Recommended action:

• Ensure that the Data Loss Prevention extension is installed.

• Configure a Data Loss Prevention policy.

• Contact your technical support representative. The configuration OPG file must be applied with the policy OPG file.

Text: 451 (LDAP server configuration missing)
Cause: This error occurs when both these conditions are met:

• McAfee DLP Prevent contains a rule that specifies a sender as a member of an LDAP user group.

• McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.

Recommended action: Check that the LDAP server is selected in the Users and Groups policy category.

Text: 451 (Error resolving sender based policy)
Cause: A policy contains LDAP sender conditions, but cannot get the information from the LDAP server because:

• McAfee DLP Prevent and the LDAP server have not synchronized.

• The LDAP server is not responding.

Recommended action: Check that the LDAP server is available.

Text: 451 (FIPS test failed)
Cause: The cryptographic self-tests required for FIPS compliance failed.
Recommended action: Contact your technical support representative.

Text: 442 x.x.x.x: Connection refused
Cause: McAfee DLP Prevent could not connect to the Smart Host to send the message, or the connection to the Smart Host was dropped during a conversation.
Recommended action: Check that the Smart Host can receive email.


Table 8-4 Permanent failure messages

Error: 550 Host / domain is not permitted
Cause: McAfee DLP Prevent refused the connection from the source MTA.
Action: Check that the MTA is in the list of permitted hosts in the Email Settings policy category.

Error: 550 x.x.x.x: Denied by policy. TLS conversation required
Cause: The Smart Host did not accept a STARTTLS command but McAfee DLP Prevent is configured to always send email over a TLS connection.
Action: Check the TLS configuration on the host.

Table 8-5 ICAP error messages

Error: 500 (LDAP server configuration missing)
Cause: This error occurs when both these conditions are met:

• McAfee DLP Prevent contains a rule that specifies an end-user as a member of an LDAP user group.

• McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.

Action: Check that the LDAP server is selected in the Users and Groups policy category.

Error: 500 (Error resolving end-user based policy)
Cause: A policy contains LDAP sender conditions, but cannot get the information from the LDAP server because:

• McAfee DLP Prevent and the LDAP server have not synchronized.

• The LDAP server is not responding.

Action: Check that the LDAP server is available.

Configuration backups

In McAfee DLP 10.x, you can create backups of your configuration data that can be restored. However, appliance settings are not backed up. Backup tasks are run as needed from the backend, and cannot be scheduled.

The following components are included in a McAfee DLP 10.x backup.

• The SQL database.

• The installed extensions.

• Keys for McAfee ePO agent-server communication and the repositories.

• All products that have been checked into the Master Repository.

• The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates.

To create a backup of your McAfee DLP 10.x configuration, see KB66616.


Index

Aaccess control 17

action rulesreaction 7

Active Directory 15

administrator rolepermission set 18

advanced patterncreating 26

advanced pattern definitions 21, 23

alerts 56

appliancestatus 56

Appliance Management 18, 45, 56

alerts 56

appliance ports 10

architecturedifferences in versions 7

authentication 17

Bbackups

creating 65

Box repositories 39

Box scan 39

Ccase management 45

casesadding comments 51

assigning incidents 52

audit logs 51

creating 50

sending notifications 51

updating 51

Certificate authentication 17

certificates 62

CIFS repositories 39

classification 21

advanced pattern 27

advanced pattern definition 26

create new 28

criteria 22

classification 21

document properties 22

definitions 21

keyword definition creation 25

regular expression 27

unsupported options 26

classification scan 39

client events 56

Common Appliance Management 18

conceptsclassification and definitions 21

definitions 23

dictionary and advanced pattern definitions 7configuration

backups 65

Ddashboards 45, 56

Appliance Management 56

dataclassifying 24

date and timeCommon Appliance Management 18

definitionsclassification 21

dictionaries 24

text pattern 26

device rules 30

dictionariesabout 24

creating 24

importing entries 24

dictionary definitioncreate 25

dictionary definitions 21, 23

DLP Case Management 45

DLP data, classifying 26

DLP Incident Manager 45

DLP Operations 45, 56

DNS server definitionCommon Appliance Management 18

document propertiesclassification 21, 22

McAfee Data Loss Prevention 10.x Migration Guide 67

Page 68: McAfee Data Loss Prevention 10 · Set up the appliance ... Create a general classification definition ... and incident and case management settings using the tools in McAfee ePO

E
email addresses
    creating 32
    importing 32
email protection rule
    reactions 30
end-user definitions
    LDAP 16
endpoint discovery rules 30
events 56
evidence server
    adding 19
exceptions to rules 30
extension 11

F
features
    new and renamed 7
    unsupported 7

G
Global Catalog 15
group
    permission set 7

I
incidents
    assign a reviewer 51
    charts 56
    details 47
    email notifications 50
    evidence server 19
    filtering 47
    sorting 47
    updating 49
incidents and cases 45
installation 9
    extension 11
    Setup Wizard 12
inventory scan 39

K
keyword
    definition creation 25
keywords
    definitions 23

L
LDAP end-user definitions 16
LDAP server registration 15
local group
    McAfee DLP Prevent permission set 18
    permission set 7
local group
    creation 18
    see permission set 18
local user
    see user creation 17

M
management
    differences in versions 7
McAfee DLP
    dashboards 45, 56
McAfee DLP Discover 39
    create a classification scan 41
    create rules for remediation scan 42
    create scan definitions 40
    installation 9
    scheduling a one-off scan 43
    scheduling a scan 43
    types of repository 39
    types of scan 39
McAfee DLP Prevent
    events 56
    extension 11
    permission sets 18
    replace the default certificate 62
    troubleshooting 59
migration workflow 5
monitoring 45
    Appliance Management 56

N
network definitions
    address range 32
    port range 33
network ports 10

O
OpenLDAP server 15
operations events 56

P
permission sets
    create a reviewer 51
permission sets, defining 18
policies 29
    assign to McAfee DLP Prevent 34
    rule set 7
ports 10
product names
    differences in versions 7
protection rules 30


R
reactions 30
registered documents
    classification 21
registration scan 39
regular expressions
    definitions 23
remediation scan 39
Remote logging
    Common Appliance Management 18
remote logon
    Common Appliance Management 18
reporting 45
repositories 39
REST API 24, 32, 33
reviewer role
    permission set 18
role-based access control 18
rule definitions 30
rule sets 29
    creating 31
rules 29
    creating 30
    definitions 30
    exceptions 30
    reactions 30

S
scans
    create definitions 40
    types of 39
scheduling
    McAfee DLP Discover scans 43
    one-off McAfee DLP Discover scans 43
Secure Shell logon
    Common Appliance Management 18
SharePoint repositories 39
SNMP
    Common Appliance Management 18
static routing
    Common Appliance Management 18
system health cards 56

T
template
    classifications and definitions 7
terminology
    differences in versions 7
text patterns
    about 26
time zone specification
    Common Appliance Management 18
troubleshooting
    McAfee DLP Prevent 59

U
unsupported features 7
URL lists
    creating 33
user creation 17

V
validator
    algorithm 7
validators 26

W
web protection rule
    reactions 30
Windows authentication 17
