McAfee Data Loss Prevention Product Guide Release 9.0.1


COPYRIGHT

Copyright © 2010 McAfee, Inc. All Rights reserved.

This documentation is protected by copyright and distributed under licenses restricting its use, copying, distribution, and compilation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without permission of McAfee, Inc. or the suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

Reconnex iGuard, inSight Console, Prevent and Discover, now known as McAfee Network DLP Manager, Monitor, Discover and Prevent, are Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. All McAfee related products contained herein (including Reconnex™) are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries.

McAfee reserves the right to change any products described herein at any time, and without notice. McAfee assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by McAfee. The use and purchase of this product does not convey a license to any patent, copyright, or trademark rights, or any other intellectual property rights of McAfee.

FCC SPECIFICATIONS

This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this equipment is likely to cause harmful interference, in which case the user may be required to take adequate measures. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

PRODUCT INFORMATION

McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners.

The documentation is provided "as is" without warranty of any kind, either expressed or implied, including any kind of implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

November 10, 2010

ii McAfee DLP 9.0.1 Product Guide


Contents

Introducing McAfee DLP 9.0 1

McAfee DLP Products 1

Product Naming Conventions 2

Features of McAfee DLP 9.0 2

How DLP Monitor works 2

Unified policy features 3

Incident management features 4

Discovery features 4

Directory server integration features 5

System management features 5

How Host DLP works 6

How Network DLP works 6

Use Cases 6

Examples 6

Protecting Confidential Data 7

Finding leaked documents 7

Identifying and tracking specific documents 8

Finding copied or relocated files 8

Blocking data containing source code 9

Filtering Results 10

Finding documents by file type 10

Finding high-risk incidents 10

Eliminating false positives from results 11

Detecting Insider Activity 11

Monitoring a user's online activity 11

Identifying disgruntled employees 12

Finding unencrypted user data 12

Finding policies violated by a user 13

Getting statistics on website visits 13

Finding message board postings 13

Finding social networking traffic 14

Finding Rogue Communications 15


Finding encrypted traffic 15

Identifying frequent communications 15

Finding email using non-standard ports 16

Excluding an IP or email address from detection 16

Detecting Privacy Violations 17

Preventing release of privacy information 17

Blocking transmission of financial data 17

Protecting Endpoints 18

Blocking intellectual property residing on endpoints 18

Keeping IP from being copied to a USB drive 19

Keeping intellectual property from being printed 21

Preventing loss of project data from endpoints 22

Protecting intellectual property at a specific network location 23

Protecting Global Business 23

Finding evidence of foreign interference 23

Finding leaks after global close of business 24

Filtering captured data 25

Filtering out configuration-controlled files 25

Storing a portion of filtered traffic 25

Searching captured data 26

How data is captured and processed 26

Using search features 27

Basic search processes 27

How capture works 27

Adding or subtracting search parameters 27

Searching with managed systems 27

Getting notification of results 27

Getting details and search history 28

Stopping searches 28

Cloning searches 28

Finding documents 28

How to find documents 28

Finding Microsoft or Apple documents 29


Finding documents by type 29

Finding office documents 30

Finding proprietary documents 30

Finding source code 30

Finding email and chat 31

How to find email 31

Finding email by address 31

Finding email by host name 31

Finding email by domain name 32

Finding email by port 32

Finding email by protocol 32

Finding email subjects 33

Finding email attachments 33

Finding email senders 33

Finding email recipients 34

Finding copies of emails 34

Finding blind copies of emails 34

Finding webmail by port 35

Finding webmail by protocol 35

Finding chat sessions 35

Finding files 36

How to find files 36

Finding file name patterns 36

Finding files by file type 37

Finding files by owner 37

Finding files by size 37

Finding files by document type 38

Finding files using MD5 signatures 38

Finding images 39

How to find images 39

Finding images of people 39

Finding images using a template 39

Finding IP addresses 40


How to find IP addresses 40

Finding a range of IP addresses 40

Finding IP addresses on a subnet 40

Excluding incidents using specific IP addresses 41

Finding keywords 41

Excluding keywords from a query 41

Finding exact matches 42

Finding keyword expressions 42

Finding keywords using logical operators 42

Finding non-English matches 43

How to find keywords 44

Supported languages 45

Logical operators supported in keyword queries 45

Finding locations of violations 45

Finding sources of violations 45

Finding violations by website 46

How to find locations 46

List of country codes 47

Finding violations by port 47

How to find violations by port 47

Excluding ports from a query 47

Finding violations by port range 47

List of common port assignments 48

Finding violations by protocol 48

How to find violations by protocol 48

Excluding protocols from a query 49

Finding violations in time 49

How to find time-stamped files 49

Searching in a relative time frame 49

Searching in an exact time frame 50

Searching by file creation time 50

Searching by file last accessed time 51

Searching by last modification time 51


Searching by local or Greenwich Mean Time 51

Searching with concepts and templates 52

Using concepts and templates in queries 52

Using concepts in queries 52

Using templates in queries 53

Using concept expressions in a query 53

Excluding a concept from a query 54

Understanding search rules 54

Rules used by the indexer 54

How archives are handled 55

Case insensitivity rule 55

How Microsoft Office 2007 files are handled 55

Avoiding negative searches 56

Number of results supported 56

Parts of speech excluded from capture 56

How proper names are treated 56

Handling of short words 56

Special character exceptions 56

How word stemming is handled 57

Monitoring Active Directory users 57

How remote user accounts are monitored 57

Using Active Directory User elements 58

Using DLP on remote LDAP servers 58

Viewing Active Directory incidents 58

Adding Active Directory columns to the dashboard 59

Adding rules to find Active Directory information 59

Advantages of keying on SIDs 60

Types of Active Directory data supported 60

How McAfee Logon Collector is used with DLP 61

How McAfee Logon Collector enables user identification 61

Finding remote user information 61

How remote user data is retrieved 61

Finding remote users by name 62


Finding remote users by group 62

Finding remote users by city 63

Finding remote users by country 63

Finding remote users by organization 64

Getting and processing results 64

Using the Incidents dashboard 64

Using the DLP Homepage 65

Checking Homepage permissions 65

Configuring the DLP Homepage 65

Customizing the DLP Homepage 66

How to use the Homepage 66

Getting details of results 66

How to get incident details 66

Finding matches that triggered incidents 67

Finding out if an incident is in a case 67

Getting history of an incident 67

Identifying concepts that triggered incidents 67

Generating reports 67

How reports are generated 67

Adding a company name to a report 68

Creating CSV reports 68

Creating HTML reports 68

Creating PDF reports 69

Scheduling reports 69

Setting up views 69

How to set up views 69

Copying views to users 70

Deleting views 70

Saving views 70

Selecting different views 71

Selecting a view vector 71

Selecting pre-configured views 71

Customizing the results dashboards 72


How dashboards are customized 72

Adding rows to the dashboard 72

Changing dashboard display space 72

Configuring dashboard columns 72

Displaying match strings 73

Grouping and filtering incidents 73

How incidents are grouped and filtered 73

Clearing filters 73

Filtering incidents 73

Grouping incidents 74

Setting a date and time for results 74

Sorting results 75

How to sort results 75

Deleting incidents 75

Deleting similar incidents 75

Finding incidents that violated a policy 76

Sorting incidents by attribute 76

Changing settings 76

How settings are changed 76

Configuring throttling to limit incidents 77

Encrypting incidents 77

Preventing data loss 77

Protecting data with DLP Prevent, Discover, and Endpoint 77

Protecting data with DLP Prevent 78

How DLP Prevent protects data 78

Adding a DLP Prevent action rule 78

Applying a DLP Prevent action rule 79

Types of DLP Prevent actions 79

The role of DLP Prevent in a managed system 80

How DLP Prevent processes email 80

Configuring DLP Prevent for email 80

How DLP Prevent processes webmail 81

Configuring DLP Prevent for webmail 81


MTA requirements to inter-operate with Prevent 82

Reviewing prevented violations 82

Protecting data with DLP Discover 82

How DLP Discover protects data 82

Adding a remedial action rule 83

Types of remedial action 83

Applying a remedial action to a rule 84

Setting up a location for exported files 84

Copying discovered files 85

Deleting discovered files 85

Encrypting discovered files 86

Moving discovered files 87

Reverting remediated files 88

Reviewing remedial actions 88

Adding columns to display remedial actions 88

Protecting data with Host DLP (Endpoint) 89

Adding an Endpoint action rule 89

Applying an action to a rule with Endpoint parameters 89

How Host DLP protects data 90

Types of DLP Endpoint actions 90

Protecting endpoint data 90

Host DLP: Integrated into Network DLP 90

How Host DLP extends network results 91

How Network DLP protects endpoints 91

Creating Agent Override Passwords 91

Agent events that cannot be reported 92

Viewing endpoint events 92

Types of endpoint events 93

Managing endpoints 93

How Host and Network policies differ 93

How Host DLP rules are mapped to Network DLP 94

Adding endpoints to existing network rules 94

Limitations of rules with Endpoint parameters 94


Excluding printers from protection rules 95

Assigning Host DLP incidents to cases 95

Searching endpoint data 95

Limitations of this release 95

Discovering data at risk 95

Introducing McAfee DLP Discover 95

Setting up Discover 96

Configuring DLP Discover 96

Adding Discover to Manager 96

Preparing Discover for managed mode 96

Republishing Discover policies 97

Setting Discover registration permissions 97

Setting Discover scan permissions 97

Task status messages 98

System status messages 99

Registering sensitive content 100

Registering documents or structured data 100

How signatures register data 101

Managing registered documents 101

Registering documents by uploading 101

Uploading complete paths with Firefox 102

Excluding text from registration 102

Searching with the DocReg concept 102

Adding the DocReg concept to a rule 103

Setting signature types 103

How signatures are shared with managed systems 104

Managing signature generation memory 104

Deregistering content 104

Reregistering content 104

Crawling databases 105

Protecting sensitive database content 105

What is Dynamic Data Registration? 105

Database types supported 106


Database object hierarchy differences 106

Database terminology differences 107

Registering structured data by uploading 107

Setting up basic database scans 108

Advanced Options definitions for database scan operations 108

Defining catalogs to be scanned 109

Defining columns to be scanned 109

Defining logins for a database scan 109

Defining nodes for database scan operations 110

Defining ports for a database scan 110

Defining records/rows to be scanned 111

Defining schemas to be scanned 111

Defining SSL certificates for a database scan 111

Defining tables to be scanned 112

Managing scans 112

Managing scan operations 112

Types of scan states 113

Viewing scan operations 113

Modifying the state of a scan 113

Deploying scans 114

Starting scans 114

Stopping scans 114

Setting bandwidth for a scan 115

Scanning in full duplex mode 115

Managing scan load 116

Editing scans 116

Deleting scans 116

Setting up scans 117

Preparing to scan 117

Setting up basic scans 117

Repository types supported 118

Configuring inventory scans 118

Configuring discovery scans 119


Configuring registration scans 120

Firewall configuration to allow scanning 120

Managing credentials 121

Using credentials to access repositories 121

Viewing existing credentials 122

Adding credentials 122

Editing credentials 122

Deleting credentials 122

Scheduling scans 123

Using scan schedules 123

Viewing scan schedules 123

Editing scan schedules 123

Deleting scan schedules 123

Filtering scans 124

Defining scans 124

Filtering scans by browsing 124

Filtering scans manually 125

Filtering IP addresses to be scanned 126

Filtering URLs to be scanned 126

Filtering file properties for a scan 127

Filtering folders to be scanned 128

Filtering shares to be scanned 128

Setting policies for a scan 129

Getting scan results 129

How scan statistic reporting works 129

Understanding scan results 130

Viewing incidents found by a scan 130

Getting reports of scan statistics 130

Getting database scan statistics 131

Adding columns to scan statistics 131

Viewing registered data matches 131

Viewing scan status 131

Getting historical statistics 132


Searching discovered data 132

Finding discovered data 132

Finding scan operations 132

Finding registered files in discovered data 133

Finding repository types in discovered data 133

Finding IP addresses in discovered data 133

Finding host names in discovered data 134

Finding file name patterns in discovered data 134

Finding file owners in discovered data 135

Finding file paths in discovered data 135

Finding percentages of registered data at rest 135

Finding share names in discovered data 136

Finding domain names in discovered data 136

Finding catalogs in discovered data 136

Finding schemas in discovered data 137

Finding column names in discovered data 137

Finding table names in discovered data 137

Finding records and rows in discovered data 138

Storage scanning requirements 138

Accessing network storage 138

Accessing Network Attached Storage (NAS) 138

Accessing Storage Area Networks (SANs) 138

Host vs. network discovery 138

How host and network scans differ 138

How host and network remediation differs 139

How host and network registration works 139

Deploying a host package to the agents 139

Registering documents on host computers 140

Setting up a host discovery scan 140

Configuring a policy for host discovery 141

How host scans are scheduled 141

Scheduling a host discovery scan 141

Scheduling a host registration scan 142


Using policies and rules 142

How policies and rules are used 142

Using policies 143

How policies work 143

Policy field definitions 143

Using international policies 144

Adding policies 145

Activating policies 145

Deactivating policies 146

How activation works 146

How inheritance works 146

Changing ownership of policies 147

Publishing policies 147

Cloning policies 147

Renaming policies 148

Executing policies 148

Editing policies 148

Deleting policies 148

Using rules 149

How rules work 149

Adding rules 149

Viewing rule parameters 149

Reconfiguring rules for web traffic 150

Copying a rule to a policy 150

Detaching rules from policies 150

Editing rules 151

Deleting rules 151

Defining exceptions to rules 151

What are false positives? 151

How exceptions to rules are defined 151

Defining false positive incidents 152

Adding exceptions to existing rules 152

Adding new rules that contain exceptions 153


Correcting inaccurate rules 153

Tuning rules 154

Using action rules 155

How action rules are used 155

How action rules are deployed 155

Reacting to violations 155

Comparing Action to Protection rules 156

Assigning status to an incident 156

Applying an action rule 156

Assigning responsibility for an action 156

Using action rules to log incidents 157

Using action rules to notify users 157

Reconfiguring action rules for proxy servers 158

Setting up an action 158

Editing action rules 158

Cloning action rules 159

Removing an action from a rule 159

Deleting action rules 159

Using concepts and templates 159

How concepts and templates are used 159

Using concepts 160

How concepts are used 160

Types of concepts 160

Adding content concepts 160

Adding network concepts 161

Adding session concepts 162

Setting concept conditions 163

Applying concepts to rules 164

Using regular expressions in concepts 164

Restoring factory concepts 165

Editing concepts 166

Deleting concepts 166

Using templates 166


How templates are used 166

Adding templates 166

Viewing standard templates 167

Removing a template from a rule 167

Deleting templates 167

Using the case management system 168

How case management works 168

Collecting credit card violations in a case 168

Adding a new case 168

Using incidents to create a case 169

Adding incidents to an existing case 169

Adding comments to a case 170

Notifying users about a case 170

Changing ownership of cases 170

Changing resolution of cases 170

Changing status of cases 171

Customizing Case List columns 171

Customizing case notifications 171

Exporting cases 171

Managing case permissions 172

Reprioritizing cases 172

Deleting an incident from a case 173

Deleting cases 173

Managing DLP systems 173

Managing the system 173

Configuring DLP devices 173

Configuring DLP devices 173

Adding devices to DLP Manager 174

Adding Host DLP servers to DLP Manager 174

ePO installation issues 175

Changing link speed 175

Managing disk space 175

Backing up DLP systems 176


Restarting DLP systems 177

Deregistering devices from DLP 177

Adding servers to DLP systems 177

Configuring servers with DLP systems 177

Setting up DHCP services 178

Using DHCP servers with DLP 178

Adding DHCP servers 178

Setting up directory services 179

Using LDAP servers with DLP 179

Adding Active Directory servers 179

Adding LDAP Users 181

Configuring Active Directory servers for DLP 181

Exporting certificates from Active Directory 182

How ADAM servers extend DLP Manager 183

Mapping LDAP directory attributes 183

Setting up McAfee Logon Collector 184

Using McAfee Logon Collector with DLP 184

Authenticating DLP Manager and MLC 184

Setting up syslog and time servers 185

Using syslog and time servers with DLP 185

Connecting to syslog servers 185

Correcting system time in the interface 186

Resetting system time manually 187

Synchronizing DLP devices 187

Managing users and groups 188

Setting up users and groups 188

Managing user groups 189

Working with user groups 189

Using pre-configured user groups 189

Adding user groups 189

Restricting user groups 190

Deleting user groups 190

Managing users 190


Working with users 190

Adding users 190

Using pre-configured user types 191

Changing passwords and profiles 191

Creating an ePO database user 191

Using a primary administrator account 191

Viewing active user sessions 192

Setting permissions 192

Assigning permissions 192

Checking permissions 192

Setting policy permissions 193

Setting task permissions 193

Managing user accounts 193

Working with user accounts 193

Customizing login settings 193

Customizing password settings 194

Configuring failover accounts 194

Auditing users 194

Using audit services 194

Filtering audit logs 194

Getting audit log reports 195

Filtering audit log reports 195

Auditing live users 195

Sorting audit log reports 196

Using capture filters 196

Working with capture filters 196

Types of capture filters 196

Types of capture filter actions 196

How content capture filters work 197

Content capture filter actions 197

Adding content capture filters 198

How network capture filters work 198

Network capture filter actions 199


Ignoring or storing IP addresses 199

Adding network capture filters 200

Reprioritizing network capture filters 200

Deploying capture filters 201

Editing capture filters 201

Using undeployed capture filters 201

Viewing deployed capture filters 202

Deleting capture filters 202

Setting up system alerts 202

Configuring system alerts 202

Configuring device down alerts 202

Types of device down alerts 203

Technical specifications 203

Understanding specifications 203

Power Redundancy 203

Rack Mounting Requirements 203

Safety Compliance Guidelines 204

Contacting Technical Support 204

Contacting DLP Technical Support 204

Creating a Technical Support Package 205

Glossary 207

Index 213


Introducing McAfee DLP 9.0

McAfee DLP Products

In this release, Host DLP 9.0 and the Network DLP 8.6 products are integrated, and both are also part of ePO 4.5.

McAfee Data Loss Prevention Products

DLP Manager

DLP Manager coordinates and centralizes all Monitor, Host, Discover and Prevent activity on the network, in file systems and databases, and on endpoints.

Host DLP

Host DLP monitors data on endpoints (desktops, laptops, removable media, printers, etc.) using network resources, generates and reports events when violations are detected, and prevents sensitive data from being compromised.

DLP Monitor

DLP Monitor sits passively in the network, connected to a core switch router inside the firewall via a SPAN or tap port. It captures and analyzes all TCP traffic, produces incidents that indicate violations have been detected, and allows disposition of those incidents through filtering and case management.

DLP Discover

DLP Discover scans network file systems, databases, and endpoints, registers sensitive data, detects policy violations, and allows for remediation of those incidents. NAS, intranet portals, wikis, blogs, document management systems, and FTP servers can also be scanned.

DLP Prevent

Network DLP Prevent works with an email or web gateway via the SMTP or ICAP protocol, respectively. It analyzes gateway traffic, adds X-headers to indicate actions to be taken on significant content, then returns the processed data to the gateway for enforcement. The proxy server or MTA receiving the data then blocks, bounces, encrypts, quarantines, redirects or allows the marked content.
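As an added illustration (not McAfee code), the following shows how a receiving MTA could act on such a marker header; the header name X-DLP-Action and its values are assumptions, since the guide lists the six outcomes but not the header syntax.

```python
"""Added example (not McAfee code): how a receiving MTA could act on an
action marker that a DLP Prevent-style appliance adds as an X-header.
The header name X-DLP-Action and its values are assumptions for the
example; the guide names the six outcomes but not the header syntax."""
import email
from email import policy
from email.message import EmailMessage

# The six dispositions the guide lists for the MTA or proxy.
ACTIONS = {"block", "bounce", "encrypt", "quarantine", "redirect", "allow"}
ACTION_HEADER = "X-DLP-Action"          # assumed header name


def decide(msg: EmailMessage) -> str:
    """Return the disposition the MTA should apply to msg.

    - No marker at all: the appliance found nothing significant, so deliver.
    - One recognised marker: apply it.
    - A malformed or conflicting marker: fail closed to quarantine so a
      parsing problem never turns into delivery of flagged content.
    In deployment the MTA should accept this marker only on the hop from
    the appliance; a copy supplied by an external sender must not be honoured.
    """
    values = [v.strip().lower() for v in msg.get_all(ACTION_HEADER, [])]
    if not values:
        return "allow"
    if len(set(values)) != 1 or values[0] not in ACTIONS:
        return "quarantine"
    return values[0]


def strip_marker(msg: EmailMessage) -> EmailMessage:
    """Remove the internal marker before the message leaves the gateway,
    so the DLP verdict is not disclosed to the recipient."""
    del msg[ACTION_HEADER]
    return msg


def parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


# Constructed sample: an outbound message the appliance marked for quarantine.
SAMPLE_MARKED = (
    "From: alice@example.test\r\n"
    "To: partner@example.test\r\n"
    "Subject: Q3 numbers\r\n"
    "X-DLP-Action: Quarantine\r\n"
    "\r\n"
    "Attached spreadsheet contains the draft figures.\r\n"
)
# Constructed sample: a clean message, no marker added.
SAMPLE_CLEAN = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "Noon?\r\n"
)
# Constructed sample: a marker is present but is not one of the known actions.
SAMPLE_BAD = SAMPLE_CLEAN.replace(
    "Subject:", "X-DLP-Action: deliver-now\r\nSubject:", 1)

if __name__ == "__main__":
    for raw in (SAMPLE_MARKED, SAMPLE_CLEAN, SAMPLE_BAD):
        m = parse(raw)
        print(m["Subject"], "->", decide(m))
```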

NOTE: You can use the familiar Host DLP product if you prefer — it is still available as a standalone product.

DLP 9.0 is organized by incidents and events contained in three different databases that contain incidents found on the network, in network repositories, and on endpoints.

Data-in-Motion

Data-in-Motion on the network is captured and parsed into hundreds of different categories by DLP Monitor. All real-time and historical data on the network is searchable, allowing for the creation of rules that adapt to changing content.


Data-at-Rest

Data-at-Rest in network repositories can be inventoried, and sensitive data can be registered automatically by matching it to existing rules and policies. Not only can the contents of documents be recognized and protected, but individual documents can be explicitly protected, singly or in groups.

DLP Host defines Data-at-Rest on endpoints by location, document properties, user-defined metadata, file types, text patterns and attributes, encryption types, and user groups.

Data-in-Use

Data-in-Use on endpoints can be matched to the same rules and policies as all other network data, but addition of one or more Host parameters can add the ability to keep data from being compromised in a variety of ways. Rule parameters can also be extended to specific shares, network paths, file or encryption types.

NOTE: In DLP Host 9.0, Data-in-Motion refers to sources and destinations of endpoints (for example, email, webmail, printers, etc.), and Data-in-Use is categorized by the application that created it.

Product Naming Conventions

The McAfee DLP suite is referenced in the documentation by the following product names.

McAfee Short Name    McAfee Product Name
Host DLP             McAfee Host DLP
DLP Manager          McAfee Network DLP Manager
DLP Monitor          McAfee Network DLP Monitor
DLP Prevent          McAfee Network DLP Prevent
DLP Discover         McAfee Network DLP Discover

Features of McAfee DLP 9.0

All DLP products, including Host DLP, are now integrated in ePO 4.5. In addition, many features in the following categories have been added.

● Unified policy features

● Incident management features

● Discovery features

● Directory server integration features

● System management features

How DLP Monitor works

DLP Monitor captures all network traffic, and performance and results can be improved by deploying capture filters that limit the amount of data that will be recognized and indexed.


After capture and classification, incidents can be extracted from the database automatically or manually.

Automatic Extraction

Standard policies are pre-configured to apply rules to classified network data. When a rule hits on a match, an incident is created in the database and reported on the Data-in-Motion dashboards.

For example, if you have the HIPAA policy deployed, the system will identify and report any medical privacy violation.

Manual Extraction

Through DLP Manager, you can query all DLP Monitor databases directly using the search options available from the DLP Reporting | Search page. When a query hits on significant data, the search can be repeated regularly by saving it as a rule under a new or existing policy.

NOTE: When a query or rule matches any stored attribute, the entire object to which it belongs is reported to the dashboard as an incident.

Unified policy features

In this release, international policies apply to both network and host applications. All products are configured through one interface and need only one policy set, which is applied to all vectors.

Unified Policies implemented

Host and Network DLP are integrated in this release, making it possible for users to create rules containing Network and Host DLP parameters and display results on all dashboards. Integration of Discover, McAfee Logon Collector, and LDAP servers makes it possible to extend all features across global enterprises, protecting data whether it is online or offline.

Internationalized content

Pre-packaged international rules and concepts supporting local laws and business cases have been added. Ad hoc searches, scans, and document registration can be done in local languages, and dashboards display incidents in local languages.

Rules configurable with multiple user attributes

Use of Active Directory parameters in rules allows retrieval of data from groups and sites through directory servers, which may be located anywhere on the globe.

Concept checks added

Algorithms that correspond to specific user-defined concepts can be implemented to detect and correct transcription errors at runtime, decreasing reports of false positives.
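The Luhn check used for payment card numbers is one such algorithm: it rejects a candidate with a single mis-typed digit. The following added example (not McAfee code) shows a content concept that pairs a digit-run pattern with that check so failing candidates do not become incidents.

```python
"""Added example (not McAfee code) of a concept with a validating check.
The concept here is a regular expression for a payment-card-like digit
run; the Luhn check that follows is one algorithm of the kind the guide
describes, and it rejects candidates with a single mis-typed digit so
they never become incidents."""
import re

# Candidate: 13-19 digits, optionally grouped by spaces or hyphens.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: catches any single-digit transcription error
    and most adjacent-digit transpositions."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def concept_matches(text: str, check: bool = True) -> list[str]:
    """Return the digit runs in text that the concept reports.

    With check=False the concept is pattern-only (every candidate fires);
    with check=True candidates failing Luhn are dropped as likely
    transcription errors or unrelated numbers, which is what lowers the
    false-positive rate."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not check or luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample text: one well-known test card number, the same number
# with its last digit mis-typed, and an unrelated 16-digit order reference.
SAMPLE = (
    "Card on file: 4111 1111 1111 1111.\n"
    "Typo copy:    4111 1111 1111 1112.\n"
    "Order ref:    1234567890123456.\n"
)

if __name__ == "__main__":
    print("pattern only:", concept_matches(SAMPLE, check=False))
    print("with check:  ", concept_matches(SAMPLE))
```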

Concept address space added

Up to 512 concepts can be implemented by DLP Manager.


Incident management features

In this release, more options are available to effectively manage incidents.

Databases encrypted

Databases are encrypted, and authorized users can decrypt case, incident and capture data at will.

Reporting is expanded

HTML reports are available for all three incident modes, and PDF reports are now available for Incident Details. Special characters are supported in reports.

Case permissions can be assigned

Role-based authorization enables administrators to distribute case privileges according to need to know.

Case enhancements added

Administrators can set up notifications of case assignments or changes. The Case List can be customized, and case logs now contain incident history. The timestamp filter is updated to match the incidents feature.

Discovery features

In this release, DLP Discover functionality is expanded to support databases, large volumes of data, increased remediation options and additional scan features.

Database crawling supported

In addition to the storage repositories already supported, DLP Discover supports ODBC. DLP Discover now crawls the following structured databases as well as network repositories:

● DB2, versions 5x iSeries, 6.1 iSeries, 7.x-9.x

● MS SQL Server, versions 2000, 2005, 2008, 7.0, MSDE 2000

● MySQL (Enterprise), versions 5.0.x, 5.1

● Oracle, versions 8i, 9i, 10g, 11g

Dynamic data registration

Large volumes of data (up to 300 million records) can not only be registered as sensitive and tracked, but fine distinctions can be made between matches. In addition, data that has been identified can not only be tracked, but associated with a rule to provide long-term protection.

Increased Discover remediation support

Data at rest detected in non-CIFS repositories (HTTP, HTTPS, FTP, Documentum, NFS, and

HTTP SharePoint) can now be moved, copied, encrypted or deleted.

If data is moved to quarantine an incident, the action can be reverted. If remediation actions fail,

4 McAfee DLP 9.0.1 Product Guide

Introducing McAfee DLP 9.0

Page 25: McAfee DLP 9.0.1 Product Guide.pdf

error messages are launched.

Discover scans expanded

Scan operations can be paused and resumed, and notification can be set up to inform users that

a crawl has started and stopped.

Directory server integration features

In this release, DLP is extended through integration with additional Active Directory server functionality.

Individual users can be identified

Through integration with McAfee Logon Collector, the identity of individual users can be resolved. Previously, only IP addresses and locations could be detected.

Large enterprise environments supported

Through integration with McAfee Logon Collector, McAfee DLP supports multiple domain controllers used in large-scale operations.

LDAP pagination is supported

User data retrieved from Active Directory servers is displayed in page format.

System management features

In this release, DLP administrative control has been improved.

Device status can be updated

DLP Manager can notify users if a device is down (disconnected or turned off), and a variety of time periods can be defined.

User login security strengthened

Administrators can discourage unauthorized access by setting up lockout conditions for repetitive logins.

Increased security in password setting

Password requirements can be customized to force users to create more secure passwords.

Audit Logs customizable

Audit logs can be sorted and displayed to filter user data, and specific systems can be targeted.

Technical support package improved

Files generated by users to help tech support resolve problems now contain core file and BIOS DMI (Desktop Management Interface) logs, ETL (Extract/Transfer/Load) incident count, MySQL process list log, and case status.

How Host DLP works

In this release, Host DLP is embedded in Network DLP at the rules level, making it possible to monitor and act on endpoint content on- and off-line.

Host DLP protects all data at network endpoints — not only on desktops and laptops, but on removable media and printers.

When a policy violation is recognized, an event is generated, stored in the ePO database as evidence, and a pre-defined reaction is triggered to handle the violation appropriately.

All endpoint events can be viewed on the ePO dashboards, as well as on the Network DLP Incidents | Data-in-Use dashboard, where they can be filtered, analyzed, reviewed, and assigned to cases for further investigation.

How Network DLP works

The core component of Network DLP is a capture engine that runs on DLP Monitor. The engine captures all packets and reassembles them up to the application layer, where the database objects are classified into types and stored on capture partitions.

Network DLP also extends to discovery of data in network repositories, to directory servers throughout the enterprise, and to endpoints through Host DLP. In addition, DLP Prevent monitors and acts on all email and webmail in the enterprise.

Use Cases

Examples

By using one of the following examples as a template, you can find a solution to some common problems quickly.

Protecting Endpoints

● Keeping IP from being copied to a USB drive

● Keeping IP from being printed

● Blocking IP residing on endpoints

● Preventing loss of project data from endpoints

● Protecting IP at a specific network location

Protecting Confidential Data

● Finding leaked documents

● Identifying and tracking confidential documents

● Blocking data containing source code

● Finding copied or relocated files

Detecting Privacy Violations

● Blocking transmission of financial data


● Preventing release of privacy information

Finding Rogue Communications

● Excluding an IP or email address from detection

● Finding email using non-standard ports

● Identifying frequent communications

● Finding encrypted traffic

Protecting Global Business

● Finding evidence of foreign interference

● Finding leaks after global close of business

Filtering Results

● Eliminating false positives from results

● Finding high-risk incidents

● Finding documents by file type

Filtering Captured Traffic

● Filtering out configuration-controlled files

● Storing a portion of filtered traffic

Detecting Insider Activity

● Finding message board postings

● Finding policies violated by a user

● Finding social networking traffic

● Finding unencrypted user data

● Getting statistics on website visits

● Identifying disgruntled employees

● Monitoring a user's online activity

Protecting Confidential Data

Finding leaked documents

Whether accidental or intentional, confidential documents on corporate networks are often open to discovery by unauthorized users.

Use keyword and time-delimited searches to locate those documents, then analyze the incidents to find out how those documents were leaked.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Type in a word or phrase that might be found in the controlled document, such as Confidential.

If you have additional information (such as content type or protocol), use an Advanced Search so you can add elements to include those values.

3. Select a time frame from the Date/Time menu.

4. Click Search.

Identifying and tracking specific documents

McAfee DLP systems help you to identify documents at risk without knowing exactly what information they contain.

But in some cases, you might know enough to be able to identify those documents in advance. You can register them individually, then track them as they move or are copied to different locations.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents.

2. From the Actions menu, select Upload New File.

3. Browse to locate a sensitive file that must be protected.

NOTE: Mozilla Firefox 3.5 will not include the path to the uploaded document unless you reconfigure it before scanning.

4. Select a policy and rule to guide the search.

Example:

Select the Financial and Security Compliance policy and the Financial Statement Documents rule to protect a document that contains sensitive financial information.

5. Select a device that will receive the uploaded file by checking the box of any DLP appliance.

6. If more documents need protection, select Save & Upload Another and repeat the process.

7. Click Save.

TIP: Schedule a Discover scan that will crawl file shares regularly looking for the document.

Finding copied or relocated files

Confidential documents often proliferate over networks, because employees can copy or move them to insecure locations to work on them, or share them with other staff members.

Even when confidential information is accessed only by those who have the proper privileges, finding, registering and controlling every copy is the only way to protect it.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Web Upload.

2. Select Upload New File from the Actions menu.

3. Browse to the file you want to track.

4. Select a signature type.

NOTE: The web upload feature supports only high granularity mode, which provides full plagiarism detection and protection by generating overlapping signatures over every bit of text in a file. The original document can be identified, even if words are transposed. The contents may differ by a couple of lines of text.

5. Select a policy that corresponds to your objective.

For example, you might use the Competitive Edge policy if your goal is to protect a sensitive sales document.

6. Select a rule that corresponds to your objective.

For example, you might use the Pricing Information rule if your goal is to protect a price list.

7. Select one or more DLP devices that will store the uploaded price list.

8. Click Save.

9. On the Web Upload page, click the Details icon of the price list to view the MD5 signature number. This unique number will be found during any scan, or in a search of discovery data after a scan has run.

10. Configure a Discover scan and start it.

11. After allowing some time for the document to be found, go to Incidents and click the Columns button.

12. Add the Signature and Path columns to your dashboard.

13. Click Apply.

14. Go to the Incidents page and select Data-at-Rest from the display thumbwheel.

15. Look for the signature number of the document in the results under the added columns.

16. If you want to search the Discover database for that number, right-click the number and select Copy.

17. Go to the Advanced Search page.

18. Open File Information.

19. Select MD5 is any of and paste the signature number into the Value box.

20. Click Search.

NOTE: You might find that you are inadvertently pasting in unrelated text. If so, close the program that contains that text and repeat the process.

21. Click Search.

22. View the Path column for the exact location of the file.
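The matching this procedure relies on can be seen in a small model: an exact MD5 signature finds unchanged copies, while overlapping text signatures (the high granularity mode described in the note under step 4) still recognise a copy that has been edited. The code below is an added example, not McAfee's implementation: the four-word signature width, the containment threshold, the sample price list and the file share layout are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

SHINGLE_WORDS = 4  # assumption: width of the overlapping text signatures


def md5_signature(data: bytes) -> str:
    """Whole-file MD5, the signature number shown on the Web Upload page."""
    return hashlib.md5(data).hexdigest()


def text_shingles(text: str, width: int = SHINGLE_WORDS) -> Set[Tuple[str, ...]]:
    """Overlapping word-window signatures covering all of the text."""
    words = text.lower().split()
    return {tuple(words[i:i + width]) for i in range(len(words) - width + 1)}


class RegisteredDocuments:
    """Registry of uploaded documents: exact MD5 plus overlapping text signatures."""

    def __init__(self) -> None:
        self.by_md5: Dict[str, str] = {}
        self.fingerprints: Dict[str, Set[Tuple[str, ...]]] = {}

    def register(self, name: str, data: bytes) -> str:
        sig = md5_signature(data)
        self.by_md5[sig] = name
        self.fingerprints[name] = text_shingles(data.decode("utf-8", "ignore"))
        return sig

    def containment(self, name: str, data: bytes) -> float:
        """Fraction of the registered document's signatures present in `data`."""
        registered = self.fingerprints[name]
        if not registered:
            return 0.0
        candidate = text_shingles(data.decode("utf-8", "ignore"))
        return len(registered & candidate) / len(registered)


def scan_tree(root: str, registry: RegisteredDocuments, threshold: float = 0.5) -> List[dict]:
    """Data-at-rest crawl: report every file that matches a registered document."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            sig = md5_signature(data)
            if sig in registry.by_md5:  # Signature column match: an unchanged copy
                findings.append({"path": rel, "signature": sig, "match": "exact",
                                 "document": registry.by_md5[sig]})
                continue
            for name in registry.fingerprints:  # edited or partial copy
                score = registry.containment(name, data)
                if score >= threshold:
                    findings.append({"path": rel, "signature": sig, "match": "partial",
                                     "document": name, "similarity": round(score, 2)})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample price list (not from the guide).
PRICE_LIST = (
    "Confidential price list 2010\n"
    "widget alpha 100\n"
    "widget beta 250\n"
    "widget gamma 400\n"
    "volume discount 10 percent over 500 units\n"
)


def demo() -> List[dict]:
    """Register the price list, then crawl a constructed file share for copies."""
    registry = RegisteredDocuments()
    registry.register("price_list.txt", PRICE_LIST.encode())
    with tempfile.TemporaryDirectory() as share:
        files = {
            "finance/price_list_copy.txt": PRICE_LIST,                    # exact copy
            "sales/price_list_v2.txt": PRICE_LIST.replace("400", "450"),  # one price edited
            "hr/lunch.txt": "Lunch menu: soup and a sandwich\n",          # unrelated file
        }
        for rel, content in files.items():
            full = os.path.join(share, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:  # binary write keeps the bytes, and so the MD5, identical
                fh.write(content.encode())
        return scan_tree(share, registry)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The exact copy is reported through its MD5 (the Signature column in the procedure), while the edited copy is only found by the overlapping signatures, which is why the web upload's high granularity mode matters when a document has been touched after it leaked.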

Blocking data containing source code

Employees who are leaving the company might feel they have a right to the code they have written. You can protect your company's intellectual property by configuring your systems to block all source code leaving the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Content Type is any of and click "?".

4. Open Source Code from the popup menu.

5. Select one or more source code types.

TIP: If you don't know the source code type, select Template and is any of. Then click "?" and Select All beside the Source Code category.

6. Click Apply.

7. Click Save as Rule.

NOTE: When you save a search, it becomes a rule.

8. Go to the Policies tab.

9. Open the policy containing the new rule, then click on it.

10. Click on the Action tab.

11. Click Add Action, then select the Block and Notify Sender action.

12. Click Save.

When the rule runs and source code is found, the action rule automatically blocks it. The sender receives email notification of the action.

TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and Save.

Filtering Results

Finding documents by file type

You might know that a confidential document you are looking for in your results was created by a Microsoft Office application. You can find that document by filtering incidents to display only documents created by that program.

TIP: If you have a limited number of results to sort through, you can simply click any icon on the dashboard relating to the program. The results will be automatically sorted by that attribute.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Under Filter by Timestamp, select a time frame.

3. Click plus to add a filter.

4. Select Content from the first menu.

5. Select equals from the second menu.

6. Type in the document type, or click "?" and select MSWord from the popup menu.

If you know the name of the document, add another element using a Filename equals filter, and type in its name.

7. Click Apply. The dashboard will reconfigure the results to display the document.

TIP: To add a note to the incident, use the Comments equal filter and type in a text string.

Finding high-risk incidents

When you have a high volume of violations to search through, it may be difficult to find the most significant ones. Filter your results to display only the most critical incidents.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Under Filter by Timestamp, select a time frame.

3. Click plus to add a filter.

4. Select Severity from the first menu.

5. Select equals from the second menu.

6. Type in a number from 1 to 5, or click "?" from the third menu and select a Severity checkbox from the popup menu.

7. Click Apply.

8. Click Apply.

Eliminating false positives from results

Suppose you are looking for personal identification numbers that violate privacy standards, but product part numbers that also match the pattern are being erroneously reported. An exception that redefines numerical patterns will exclude the incidents containing part numbers, which do not constitute privacy violations.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.

2. On the Incidents dashboard, find one or more incidents that contain part numbers.

3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.

4. Check the boxes of the incidents.

TIP: If all incidents on the page were produced by the rule, select the box in the table header to select all of them.

5. From the Actions menu, select Modify Status | False Positive | Create Exception.

6. When the Edit Rule page launches, type some text describing the exception in the Notes box.

7. Redefine the values reported on that page. For example, if the part number has the same pattern as an identification number, but is preceded by "PN#", add a Content element that specifies "Keywords | contain none of | PN#."

TIP: If there is no difference in the pattern, consider eliminating another element the incidents have in common. For example, if all of the reported part number incidents may have come from the same department, create a Source/Destination element that specifies an email domain or UserOrganization.

8. Click Save.

TIP: After the rule runs, evaluate the incidents retrieved and make revisions if the results still do not meet your criteria.
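The two ways of cutting false positives that this guide describes, the runtime concept checks listed under "Concept checks added" (validation algorithms that reject mistyped numbers) and the exception elements of this procedure (Keywords | contain none of, and a Source/Destination email domain), can be modelled together. The code below is an added example written for the reader, not McAfee code: the nine-digit identification pattern, the sample messages, and the use of a Luhn check digit as the concept's validation algorithm are all assumptions, since the guide names no particular algorithm.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample traffic (not from the guide). Messages 2 and 4 carry part
# numbers that have the same nine-digit shape as an identification number.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "alice@example.com",
     "text": "Customer ID 123456782 attached for onboarding."},
    {"id": 2, "sender": "bob@example.com",
     "text": "Please restock PN# 123456782 before Friday."},
    {"id": 3, "sender": "carol@example.com",
     "text": "Ref number 987654321 is wrong, use 987654324."},
    {"id": 4, "sender": "dave@parts.example.com",
     "text": "Inventory: PN# 555555555 is on back order."},
]


def luhn_valid(digits: str) -> bool:
    """Check-digit validation (assumed as the concept's runtime check; Luhn mod 10).

    A transcription error almost always breaks the check digit, so the number
    is not reported as a match.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Concept:
    """A concept: a pattern plus an optional validation check."""
    name: str
    pattern: re.Pattern
    check: Optional[Callable[[str], bool]] = None

    def find(self, text: str) -> List[str]:
        hits = self.pattern.findall(text)
        if self.check is None:
            return hits
        return [h for h in hits if self.check(h)]


# The same nine-digit pattern, without and with the runtime check.
RAW_CONCEPT = Concept("ID_NUMBER_RAW", re.compile(r"\b(\d{9})\b"))
ID_CONCEPT = Concept("ID_NUMBER", re.compile(r"\b(\d{9})\b"), luhn_valid)


@dataclass
class Rule:
    """A rule carrying the two exception elements the procedure describes."""
    concept: Concept
    excluded_keywords: List[str] = field(default_factory=list)  # Keywords | contain none of
    excluded_domains: List[str] = field(default_factory=list)   # Source/Destination email domain

    def evaluate(self, message: dict) -> List[str]:
        """Concept matches that raise an incident, or [] when an exception applies."""
        domain = message["sender"].rsplit("@", 1)[-1].lower()
        if domain in self.excluded_domains:
            return []
        if any(kw in message["text"] for kw in self.excluded_keywords):
            return []
        return self.concept.find(message["text"])


def run_rule(rule: Rule, messages: List[dict]) -> Dict[int, List[str]]:
    """Map message id -> matched values, only for messages that produce an incident."""
    incidents: Dict[int, List[str]] = {}
    for msg in messages:
        hits = rule.evaluate(msg)
        if hits:
            incidents[msg["id"]] = hits
    return incidents


if __name__ == "__main__":
    print("raw pattern:   ", run_rule(Rule(RAW_CONCEPT), SAMPLE_MESSAGES))
    print("with check:    ", run_rule(Rule(ID_CONCEPT), SAMPLE_MESSAGES))
    print("with exception:", run_rule(Rule(ID_CONCEPT, ["PN#"], ["parts.example.com"]),
                                      SAMPLE_MESSAGES))
```

The check alone removes the mistyped number in message 3 and the part number in message 4, but message 2 still fires because its part number happens to satisfy the check digit; only the keyword exception from step 7 clears it, which is why both mechanisms are worth combining.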

Detecting Insider Activity

Monitoring a user's online activity

Employees who have been warned to discontinue specific network activities should be monitored to prevent them from wasting company resources or sabotaging the system.

You can monitor all of a user's communications to determine if they are complying with your instructions.

TIP: To monitor the user on a regular basis, save the search as a rule. In case of flagrant violations, incidents and events can be collected in a case and delegated to your legal team for use as evidence in court.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Select User ID, Host Name, Host IP, or Email address from the Input Type menu.

3. Type identifying text into the value field.

NOTE: The UserID corresponds to a field found on an LDAP server, so this option cannot be used unless a directory server has been added. Note that UserID might not necessarily correspond to a user's email address, since a user could have more than one email address.

4. If the information is on a remote directory server, click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on all of your directory servers.

5. If the user is local, click plus to add one or more identifying elements, such as an IP or email address under Source/Destination.

6. Click Search or Save as Rule.

Identifying disgruntled employees

Unhappy insiders can do a lot of damage to your business operations if they are not found and stopped.

You can search for instant messaging or email communications that contain clues to potential trouble by applying a concept that will identify those transmissions.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Concept from the first drop-down menu, and is any of from the second.

4. Click "?".

5. Select DISCONTENT from the Acceptable Use menu.

This concept contains a collection of words and phrases that are often used by unhappy employees. Go to Policies | Concepts and double-click on one of them to understand what the phrases are, and how the concept is constructed.

6. Click Apply.

7. Click Search.

Finding unencrypted user data

You might assume that usernames and passwords are protected on your network as a matter of course, but that may not always be the case.

Find out quickly if user account information is circulating in cleartext on your network by searching for account passwords.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Select Keywords.

3. Type the words account password into the value field.

4. Click Search.

NOTE: If there are any significant results, alert your IT department.

Finding policies violated by a user

If you have a lot of incidents to sort through, it may be hard to find the ones that are related to a particular user. You can find them by keying on attributes relating to that user.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select Policy from the Group by menu.

3. Double-click the policy the user might have violated (if it generated incidents).

4. Under Filter by, select a time from the Timestamp menu.

5. Click plus to add a filter.

6. Select UserID, UserName, or UserEmail from the first menu.

7. Select equals from the second menu.

8. Type in the user's ID, name or email address.

TIP: If you don't have exact information but want to guess at the identity of a sender or recipient, select the Sender or Recipient filter, add a like or not like condition, and type in a string that might match some characters in the user's ID, name or email address.

9. Click Apply.

Getting statistics on website visits

Even if users are routinely allowed to use the Internet to complete their job duties, they might have been told to curtail visits to certain web sites that can compromise network security.

TIP: By creating a content capture filter, you can store all traffic to and from inappropriate web sites to find out if your company policy is being violated.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination.

3. Select URL is any of and type the URL of the website into the value field — for example, www.webrats.com.

4. Click Search.

TIP: If no results are retrieved, check to see if the default ignore_http_header content capture filter is still active.

Finding message board postings

Employees sometimes spend company time on non-work-related posting to internet sites. You can identify that activity by targeting the protocol that is used to transmit such postings.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select a time frame from the menu under Filter by Timestamp.

3. Click plus to add a filter.

4. Select Protocol from the first drop-down list, and is any of from the second.

5. Type in HTTP_Post, or click "?" and select it from the popup menu.

6. Click Apply.

7. Click Apply.

TIP: This filter identifies all posting traffic. If you know what web site is being posted to, add a Content equals filter and type in its name (for example, webrats.com).

Finding social networking traffic

Employees who are accustomed to using social networking sites might not realize how much time they are spending on activities that reduce their productivity, or how much sensitive information might be leaked when they use such sites in the workplace.

You can find out how much social networking activity is occurring on your network by finding all traffic to and from specific web sites.

Use Site Keywords

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Type site keywords into the value field (for example, facebook or myspace).

3. Select a time frame from the Date/Time menu.

4. Click Search.

Detect Posting to any Site

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Select Protocol.

3. Click "?" and select HTTP_Post from the popup menu.

4. Click Apply.

5. Click Search.

Find Blog Postings to Popular Sites

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Open Content.

3. Select Concept is any of and click "?".

4. Select BLOGPOST from the popup menu.

TIP: Go to Policies | Concepts and customize BLOGPOST by clicking plus to add additional expressions that cover more sites. Save the edited concept, then repeat the search.

5. Click Apply.

6. Click Search.

Finding Rogue Communications

Finding encrypted traffic

Insiders attempting to conceal illegal activity or steal your intellectual property routinely use encryption. Identify the sources and destinations of encrypted traffic on your network to expose those activities.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Content Type from the first drop-down list, and is any of from the second.

4. Click "?".

5. From the Protocol menu, select Crypto.

6. Click Apply.

7. Click Search.

Identifying frequent communications

You may suspect that a particular user is communicating with an off-site competitor. You might be able to identify the sources and destinations of frequent communications that will eventually reveal that leak.

TIP: If you already know a source or destination, find the other side of the session by searching for a UserID or email address on the Advanced Search page under the Source/Destination category.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select an incident.

3. Select a time frame from the menu under Filter by Timestamp.

4. Click plus to add a filter.

5. Select SourceIP or DestinationIP from the first drop-down list, and equals from the second.

NOTE: If the source and destination IP addresses are dynamically assigned, they will change over time. If you have added a DHCP server to DLP Manager, you can track the previous addresses of a host.

6. Type the known IP address into the Values field.

TIP: Click the Details icon of an incident to find the IP address.

7. Click Apply. The dashboard will display all sender and recipient communications with that IP address, but you see the SourceIP and DestinationIP addresses only by adding those columns to the dashboard.

TIP: Add another filter to identify both source and destination of frequent communications.
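The counting behind this procedure, shown as an added example rather than anything taken from the guide: source/destination pairs are tallied across incidents and, where DHCP lease history is available (the situation described in the note under step 5), each incident is attributed to the host that held the address at the time rather than to the address itself. The lease table, the incident records, the host names and the assumption that lease intervals are half-open are all constructed.

```python
from collections import Counter
from datetime import datetime
from typing import List, Optional, Tuple

Lease = Tuple[str, str, str, str]  # (host name, IP address, lease start, lease end)

# Constructed DHCP lease history. Note that 10.0.0.21 moves from ws-alice to
# ws-bob at noon, and ws-alice continues on 10.0.0.35.
LEASES: List[Lease] = [
    ("ws-alice", "10.0.0.21", "2010-03-01T00:00:00", "2010-03-01T12:00:00"),
    ("ws-alice", "10.0.0.35", "2010-03-01T12:00:00", "2010-03-02T00:00:00"),
    ("ws-bob",   "10.0.0.21", "2010-03-01T12:00:00", "2010-03-02T00:00:00"),
]

# Constructed Data-in-Motion incidents (not from the guide).
INCIDENTS = [
    {"time": "2010-03-01T08:05:00", "src": "10.0.0.21", "dst": "203.0.113.50"},
    {"time": "2010-03-01T09:40:00", "src": "10.0.0.21", "dst": "203.0.113.50"},
    {"time": "2010-03-01T13:10:00", "src": "10.0.0.35", "dst": "203.0.113.50"},
    {"time": "2010-03-01T14:00:00", "src": "10.0.0.21", "dst": "203.0.113.50"},
    {"time": "2010-03-01T15:30:00", "src": "10.0.0.35", "dst": "198.51.100.7"},
]


def resolve_host(ip: str, when: str, leases: List[Lease]) -> str:
    """Name of the host that held `ip` at time `when`; the bare IP if unknown.

    Lease intervals are treated as half-open [start, end).
    """
    moment = datetime.fromisoformat(when)
    for host, lease_ip, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= moment < datetime.fromisoformat(end):
            return host
    return ip


def pair_counts(incidents: List[dict],
                leases: Optional[List[Lease]] = None) -> List[Tuple[Tuple[str, str], int]]:
    """(source, destination) pairs ordered by how often they appear in the incidents.

    Without lease data the sources are raw IP addresses; with it, each source is
    resolved to the host that owned the address when the incident occurred.
    """
    counts: Counter = Counter()
    for inc in incidents:
        src = resolve_host(inc["src"], inc["time"], leases) if leases else inc["src"]
        counts[(src, inc["dst"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("by address:", pair_counts(INCIDENTS))
    print("by host:   ", pair_counts(INCIDENTS, LEASES))
```

Counting by address alone credits three contacts with 203.0.113.50 to 10.0.0.21, but one of those belongs to ws-bob, who inherited the address at noon, while ws-alice's third contact came from her new address; only the lease-aware count shows the right host talking to the destination three times.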


Finding email using non-standard ports

When non-standard ports are used to transmit email, a deliberate attempt to conceal illegal activity should be suspected. By eliminating email that uses well-known ports, unknown or unsecured transmissions can be revealed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Content Type from the first drop-down list, and is any of from the second.

4. Click "?".

5. Open Mail from the popup menu.

6. Select one or more email formats, or Select All.

7. Click Apply.

8. Open Protocol.

9. Select Port is none of and type standard port numbers into the value field.

TIP: Ports 25 and 80 are commonly-used email and webmail ports. Add

10. Type 25 into the Value field. Repeat for port 80 to exclude all email sent by well-known ports.

11. Click Search and evaluate the results.

TIP: You may have to add Columns to your dashboard to see the port information, which is displayed in source and destination columns.

Excluding an IP or email address from detection

Even network administrators may not be privileged to peruse certain information found in network data streams. If you want to ensure absolute security for one or more hosts or users who have access to top secret information, you can protect them from detection by the capture engine.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Click Create Content Filter.

3. Type in a name for the filter. Typing a description is optional.

4. Select Drop Element from the Action menu.

5. Open the Source/Destination category.

6. Select IP Address from the first drop-down list, and is any of from the second. You can define an email address instead, or add an element and protect both email and IP addresses.

7. Type the IP address or email address into the value field.

NOTE: If the address is on a subnet, it is detectable only if the network and host portions of an IP address are standard classful IP (address fields are separated into four 8-bit groups). Separate multiple addresses by commas, and IP ranges by dashes.

8. Check the box of the device on which you want the filter deployed, or None if you want to deploy it later.

9. Click Save.

NOTE: CIDR notation is supported, but IPv6 is not.
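An added example (not McAfee code) of how the value field in step 7 can be parsed and applied: comma-separated addresses, dash ranges, CIDR blocks and email addresses are accepted, an IPv6 entry is rejected as the note above requires, and a session is dropped when either side matches. The record field names and the sample sessions are assumptions; the standard library's `ipaddress` module accepts any IPv4 prefix length, which goes beyond the classful restriction the earlier note describes.

```python
import ipaddress
from typing import List, Tuple


class CaptureFilter:
    """A Drop Element content filter keyed on IP addresses and email addresses.

    Value field syntax follows the guide: entries separated by commas, IP ranges
    by dashes, CIDR notation accepted, IPv6 rejected.
    """

    def __init__(self, spec: str) -> None:
        self.ranges: List[Tuple[int, int]] = []  # inclusive (first, last) as integers
        self.emails: List[str] = []
        for item in (p.strip() for p in spec.split(",")):
            if not item:
                continue
            if "@" in item:
                self.emails.append(item.lower())
            elif "/" in item:
                net = ipaddress.ip_network(item, strict=False)
                self._require_v4(net.version, item)
                self.ranges.append((int(net.network_address), int(net.broadcast_address)))
            elif "-" in item:
                first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
                self._require_v4(first.version, item)
                self._require_v4(last.version, item)
                if int(last) < int(first):
                    raise ValueError(f"range end precedes start: {item}")
                self.ranges.append((int(first), int(last)))
            else:
                addr = ipaddress.ip_address(item)
                self._require_v4(addr.version, item)
                self.ranges.append((int(addr), int(addr)))

    @staticmethod
    def _require_v4(version: int, item: str) -> None:
        if version != 4:
            raise ValueError(f"IPv6 is not supported in capture filters: {item}")

    def ip_matches(self, ip: str) -> bool:
        try:
            value = int(ipaddress.IPv4Address(ip))
        except (ipaddress.AddressValueError, ValueError):
            return False  # missing or unparsable address never matches
        return any(first <= value <= last for first, last in self.ranges)

    def email_matches(self, email: str) -> bool:
        return email.lower() in self.emails

    def should_drop(self, record: dict) -> bool:
        """True when either side of the session matches; the element is not stored."""
        for key in ("src_ip", "dst_ip"):
            if self.ip_matches(record.get(key, "")):
                return True
        for key in ("src_email", "dst_email"):
            if self.email_matches(record.get(key, "")):
                return True
        return False


def spec_is_valid(spec: str) -> bool:
    """Whether a value field parses (rejects IPv6 and malformed entries)."""
    try:
        CaptureFilter(spec)
    except ValueError:
        return False
    return True


def apply_filter(flt: CaptureFilter, records: List[dict]) -> List[dict]:
    """Return only the sessions the capture engine would keep."""
    return [r for r in records if not flt.should_drop(r)]


# Constructed sessions (not from the guide); field names are assumptions.
SAMPLE_SESSIONS = [
    {"src_ip": "10.1.5.15", "dst_ip": "203.0.113.8"},
    {"src_ip": "10.1.9.2", "dst_ip": "192.168.100.200"},
    {"src_ip": "10.1.9.3", "dst_ip": "198.51.100.7", "dst_email": "CEO@example.com"},
    {"src_ip": "10.1.5.21", "dst_ip": "192.168.101.1", "src_email": "bob@example.com"},
]

if __name__ == "__main__":
    protected = CaptureFilter("10.1.2.3, 10.1.5.10-10.1.5.20, 192.168.100.0/24, ceo@example.com")
    for session in apply_filter(protected, SAMPLE_SESSIONS):
        print("kept:", session)
```

Because the filter drops the whole element when either side matches, the protected host or user is excluded from capture regardless of who initiated the session, which is the effect the procedure is after.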

Detecting Privacy Violations

Preventing release of privacy information

Billions of dollars have been lost by companies that have released privacy information by accident. You can prevent such losses by implementing existing policies to identify the information, then setting up automatic blocking to keep it from leaving the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy that can be used to identify privacy information.

For example, you might select Financial and Security Compliance, Competitive Edge, or Personally Identifiable Information.

3. Click on the first rule listed under the policy, then click the Actions tab.

4. If no action is listed, or the action listed is not relevant, click the Add Action icon.

5. Select the appropriate action rule.

NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied. If you do not see the one you need, create it under Policies | Action Rules, then return to this step.

NOTE: Action rules act only on monitored or discovered data (Data-in-Motion or Data-at-Rest). Only one action type is allowed for each process.

6. Click Save.

7. Repeat this process for every rule under the policy.

8. When the policy runs, all privacy information defined in its rules will be blocked from leaving the network.

Blocking transmission of financial data

Even the most dedicated employees might not realize the implications of failing to protect financial documents, or they may not know how to encrypt them.

You can protect this data in either case by creating a concept that flags a variety of financial documents, then attaching an action rule to prevent them from leaving the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Concept is any of and click "?".

4. Check the Select All checkboxes on all groups of financial concepts. (For example, if you are in North America you might select Banking and Financial Sector, and Corporate Financial.)

TIP: Concepts contain words and phrases that identify a broad range of financial content. Go to Policies | Concepts and double-click on one of them to understand how they are constructed.

7. Click Apply.

8. Click Save as Rule.

NOTE: When you save a search, it becomes a rule.

9. Go back to the Policies page.

10. Open the policy containing the new rule, then click on it.

11. Click on the Action tab.

12. Click Add Action, then select the Block and Notify Sender action.

13. Click Save.

When the rule runs and source code is found, the action rule automatically blocks it. The sender receives email notification of the action.

TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and Save.

Protecting Endpoints

Blocking intellectual property residing on endpoints

If your intellectual property is referenced in email or webmail communications residing on an endpoint, it can be blocked from being sent to a competitor.

NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor Policy.

3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.

4. Click Save.

5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.

NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You could also do a historical search, then save it as a rule when it returns the type of information you need.

6. Type a name for the rule.

7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).

8. Define the intellectual property by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.

● Type in Keywords that may be found in sensitive documents.

● Select Content Type from the menu, click "?" to launch the Content Type palette, and make one or more selections from it.

● Select Concept from the menu and click "?" to launch the definitions palette.

TIP: Inspect the Intellectual Property sub-menu to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the Concepts palette.

NOTE: The following selections are optional, depending on how much you know about what you are looking for.

4. Open Source/Destination and select UserName from the menu.

5. Select is any of or is none of. The latter selection will indicate an exception to the value provided.

6. Click "?" and select from the remote Directory Server List.

7. Click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on your directory servers.

8. Click plus to add another item under Source/Destination.

9. Select Email Address from the menu.

10. Select is all of or another condition to focus the email address.

11. Type in the domain you want to block.

12. Open Protocol and select Protocol from the menu.

13. Select is any of.

14. Click "?" and select from the Internet Protocols menu. For example, if you suspect intellectual property is being posted, select HTTP_Post.

15. Click Apply.

16. Click the Actions tab, then click Add Action.

NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one action of each type can be assigned to a single rule.

17. Scroll down to the Data-in-Use actions and select the WebPost Reaction or Email Reaction action rule.

NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions

column will be applied.

18. After you have finished adding as much information as you have to the rule, click Save and let the policy and

rule run. After you get results, tune as needed.

Keeping IP from being copied to a USB drive

If your employees are allowed to work remotely, they may be duplicating material that contains proprietary information in the course of performing legitimate tasks. If USB drives containing such information are lost or mishandled, your intellectual property could easily be lost to a competitor.

NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor

Policy.


3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.

4. Click Save.

5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.

NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You

could also do a historical search, then save it as a rule when it returns the type of information you need.

6. Type a name for the rule.

7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).

8. Open Endpoint and select Protect Removable Media from the menu.

9. Click "?", check Enable, and click Apply.

NOTE: This definition, plus an action rule, constitutes a minimal removable media policy. To refine the rule for

specific content, add the following definitions.

10. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values

to one or more of the following categories.

● Type in Keywords that may be found in sensitive documents.

● Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.

● Select Concept from the menu and click "?" to launch the definitions palette.

TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a

new concept and add your own parameters, then return to this page and add that new concept from the palette.

12. Open Source/Destination and select UserName from the menu.

13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)

14. Click "?" and select from the remote Directory Server List.

15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on

your local and directory servers.

16. Click the Actions tab, then Add Action.

NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one action of each type can be assigned to a single rule.

17. Scroll down to the Data-in-Use actions and select Removable Media Reaction action rule.

NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions

column will be applied.

18. Click Save.


Keeping intellectual property from being printed

If your employees are allowed to work remotely, they may be printing material that contains proprietary information in the course of performing legitimate tasks. If printed copies containing such information are lost or mishandled, your intellectual property could easily be lost to a competitor.

NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Printer Policy.

3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.

4. Click Save.

5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.

NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You

could also do a historical search, then save it as a rule when it returns the type of information you need.

6. Type a name for the rule.

7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).

8. Open Endpoint and select Protect Local Printers from the menu.

9. Click "?", check Enable, and click Apply.

TIP: You can select one or more Network Printers from the "?" Directory Server List, or type in its network

path and name, to add printer protection for printers on your company site. You can allow exceptions for secure

printers by defining them at DLP Sys Config | Endpoint Configuration | Unmanaged Printers.

10. Click the Actions tab, then Add Action.

NOTE: This definition, plus an action rule, constitutes a minimal printer policy. To refine the rule for specific

content, add the following definitions.

11. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values

to one or more of the following categories.

● Type in Keywords that may be found in sensitive documents.

● Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.

● Select Concept from the menu and click "?" to launch the definitions palette.

TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a

new concept and add your own parameters, then return to this page and add that new concept from the palette.

12. Open Source/Destination and select UserName from the menu.

13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)

14. Click "?" and select from the remote Directory Server List.


15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on

your directory servers.

NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one action of each type can be assigned to a single rule.

16. Scroll down to the Data-in-Use actions and select Printer Reaction action rule.

NOTE: Actions are defined and edited on the Actions page. All of the reactions listed in the Actions column

will be applied.

17. Click Save.

Preventing loss of project data from endpoints

Use this task to keep users from copying project information to a USB drive.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. From the Actions menu, select Add a Policy.

3. Type a name and optional description for the policy.

4. Select Host or All Devices to publish the policy to host or network DLP devices, then click Save.

5. Click the policy to open it for editing. From the Actions menu, select Add Rule.

6. Type a name and optional description for the rule.

7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).

8. Define the project data by selecting keywords, content type, or concepts from the Content menu.

You may add values to one or more of the following categories. 

● Type in Keywords that may be found in sensitive documents.

● Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.

● Select Concept from the menu and click "?" to launch the definitions palette.

TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a

new concept and add your own parameters, then return to this page and add that new concept from the palette.

12. If the user is known, open Source/Destination and type the username in the Values field.

13. If you want to specify exclusions, go to the Exceptions tab and add project data that may be found, but is

irrelevant. When you have finished, click Save.

14. On the Actions tab, click Add Action and specify the action to be taken when the project data is found.

15. Select Removable Media Reaction from the Actions menu to protect the data. The actions that will be taken

are listed in the Actions column.

16. Click Save.

Example:

Content: Keywords | contains all of | Project X

Source/Destination: Email Address | contains all of | tjohnson

Endpoint: Protect Removable Media | equals | Enable

Actions: Removable Media Reaction

Protecting intellectual property at a specific network location

If documents containing intellectual property are located at specific network locations, you can

protect those locations from access by unauthorized users.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Add a policy, and add a rule to the policy.

NOTE: You can use an existing policy and add a rule to it, or edit an existing rule. You can also do a historical

search, then save it as a rule when it returns the type of information you need.

3. Open Endpoint and select Location Tag Path to protect all documents on a single share.

TIP: Use Network File Path to add protection for a single directory.

4. Click "?", check Enable, and Apply.

5. Click the Actions tab, then Add Action.

NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but

only one for each type.

6. Scroll down to the Data-in-Use actions and select the Network Communication Reaction action rule.

NOTE: All of the reactions listed in the Actions column will be applied. The copy action will be monitored,

blocked, stored as evidence, and the user will be notified of the violation.

7. Click Save as Rule.

Protecting Global Business

Finding evidence of foreign interference

Protecting intellectual property can be difficult when sensitive data is so easily transported

beyond national borders.

Identifying source and destination IP addresses will help you to identify where suspicious traffic

is coming from and where it is going.


NOTE: Because dynamically-assigned IP addresses change regularly, hosts that are not local can be identified

only if a DHCP server is installed on the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Open Source/Destination.

3. Select GeoIP Location.

4. Click "?".

5. Select one or more country names from the popup menu.

6. Click Apply.

7. Open Date/Time.

8. Select File Creation Time between and enter before and after values.

9. Click Search.

TIP: If you do not see locations in your results, click Columns and add Source, Destination, Sender or

Recipient columns.

Finding leaks after global close of business

You might expect confidential data to be entering or leaving a company network during business

hours — after 5 PM, movement of sensitive data may indicate a leak. But global operations make

it difficult to define exactly when close of business occurs in local time zones.

If you are managing several DLP Monitors in different locations, you can find captured data at the same clock

time in each of those locations. Monitoring data at the time most employees are leaving each of those facilities

will help to expose those activities.

Detect this activity by creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los Angeles, New York, London, and Tokyo offices.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search | Date/Time.

2. Select Exact Time and a local or GMT time frame.

● Automatic Conversion to GMT (same moment globally): before, between, after

● Local time (same clock time globally): before (local time), between (local time), after (local time)

3. Click the Calendar icon to select a date.

4. Select the hour, minute and second from the pull-down menus.

5. Click Search or Save as Rule.
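The difference between the two Date/Time modes above, "Automatic Conversion to GMT" (same moment globally) and "Local time" (same clock time globally), worked through as an added example that is not code from the guide. It assumes fixed UTC offsets for the four offices (winter offsets, no DST handling) and constructed capture records that carry a UTC timestamp plus the office whose Monitor captured them.

```python
# Added example (not code from the McAfee guide): contrasts the "Automatic
# Conversion to GMT" and "Local time" search windows on constructed capture
# records from four offices. Office offsets and records are assumptions.
from datetime import date, datetime, time, timedelta, timezone

# Fixed offsets assumed for this example only; real deployments need DST-aware zones.
OFFICES = {
    "Los Angeles": timezone(timedelta(hours=-8)),
    "New York": timezone(timedelta(hours=-5)),
    "London": timezone(timedelta(hours=0)),
    "Tokyo": timezone(timedelta(hours=9)),
}

UTC = timezone.utc

# Constructed capture records: (record id, capturing office, capture time in UTC).
RECORDS = [
    ("r1", "Los Angeles", datetime(2010, 1, 15, 1, 30, tzinfo=UTC)),  # 17:30 on Jan 14 in LA
    ("r2", "New York", datetime(2010, 1, 15, 1, 30, tzinfo=UTC)),     # 20:30 on Jan 14 in NY
    ("r3", "London", datetime(2010, 1, 15, 17, 15, tzinfo=UTC)),      # 17:15 in London
    ("r4", "Tokyo", datetime(2010, 1, 15, 8, 45, tzinfo=UTC)),        # 17:45 in Tokyo
    ("r5", "Tokyo", datetime(2010, 1, 15, 1, 30, tzinfo=UTC)),        # 10:30 in Tokyo
]


def between_gmt(records, start_utc, end_utc):
    """'Automatic Conversion to GMT': one absolute window, the same moment everywhere."""
    return [rid for rid, _office, ts in records if start_utc <= ts < end_utc]


def between_local(records, start, end):
    """'Local time': the same wall-clock window, evaluated in each office's own zone."""
    hits = []
    for rid, office, ts in records:
        wall_clock = ts.astimezone(OFFICES[office]).time()
        if start <= wall_clock < end:
            hits.append(rid)
    return hits


def local_window_in_utc(office, day, start, end):
    """The UTC window that one office's local window corresponds to; each office differs."""
    tz = OFFICES[office]
    start_utc = datetime.combine(day, start, tzinfo=tz).astimezone(UTC)
    end_utc = datetime.combine(day, end, tzinfo=tz).astimezone(UTC)
    return start_utc, end_utc


if __name__ == "__main__":
    close_of_business = (time(17, 0), time(18, 0))
    # Local-time search: 5-6 PM as each office experiences it.
    print("local 17:00-18:00:", between_local(RECORDS, *close_of_business))
    # GMT search: one hour of absolute time, which is close of business only in LA.
    print("GMT 01:00-02:00:", between_gmt(RECORDS,
                                           datetime(2010, 1, 15, 1, 0, tzinfo=UTC),
                                           datetime(2010, 1, 15, 2, 0, tzinfo=UTC)))
    for office in OFFICES:
        s, e = local_window_in_utc(office, date(2010, 1, 15), *close_of_business)
        print(f"{office}: 17:00-18:00 local is {s:%H:%M}-{e:%H:%M} UTC")
```

The same absolute hour that is close of business in Los Angeles is mid-evening in New York and mid-morning in Tokyo, which is why a single GMT window cannot express "5 to 6 PM in every office".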


Filtering captured data

Filtering out configuration-controlled files

Use a content capture filter to filter out configuration-controlled files. Because network data

streams typically transport large numbers of images, eliminating large multimedia content can

improve performance of the capture engine.

For example, you might have a library of video files that is already protected by a configuration

control system. Setting up a filter to bypass those files will improve system performance.

TIP: A pre-installed filter automatically filters out images (like icons and thumbnails) that are too small to be

significant. You can turn off this filter by removing it from the list under DLP Sysconfig | Capture Filters |

Content Filters.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Click Create Content Filter.

3. Type in a name for the filter. Typing a description is optional.

4. From the drop-down Action list, select Drop Element.

5. Select the devices for deployment.

NOTE: If you want to deploy a capture filter at a later time, select the None checkbox under Devices, then

select it from the Add Filter menu under the deployment target.

6. Open Content.

7. Select Content type from the first drop-down list, and is any of from the second.

8. Click "?" and open the Multimedia popup menu.

9. Check the box of the controlled format (for example, MPEG).

10. Click Apply.

11. Click Save.

Storing a portion of filtered traffic

In some circumstances, you might want to block all encrypted traffic on the network, except for a

particular type. You can do this by setting up multiple action filters that are applied to the data

stream, gradually narrowing the filtering process by applying them one after another.

Isolating traffic using port 443, which commonly transports encrypted data, is one way of filtering

out encrypted traffic. But that port is also used by AOL, and blocking that traffic too might

eliminate traffic you need to monitor.

In such a case, you can set up the capture filters to retain the encrypted AIM traffic while

dropping the broader category of encrypted traffic.

CAUTION: You cannot save sessions or data that have already been eliminated, so pay attention to the

filtering sequence.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Click Create Network Filter.


3. Type the name AOL_Chat and a description (optional).

4. Select Store from the Action menu to retain that traffic.

5. Open the Protocol category and select Protocol equals from the first drop-down menu.

6. Click "?" and select AOL_Chat from the Protocol popup menu.

7. Click Apply and Save.

8. Click Create Network Filter to create another filter.

9. Give the policy a recognizable name, such as "SSH traffic". Typing a description is optional.

10. Select Ignore from the Action menu.

11. Open Protocol and select Port from the first drop-down list, and source is any of from the second.

12. Type 443 into the value field.

13. Click plus to add a parameter.

14. Repeat the process, but select Port from the first drop-down list, and destination is any of from the second.

NOTE: Traffic through ports and port ranges is bidirectional, so you must define source and destination

transmissions separately.

19. Type 443 into the Value field.

20. Check the box of the device on which you want the filter deployed. To decide later, check None.

21. Click Save. A new Ignore filter is added to the existing list.

22. Use the Priority icons to change the order of the filters. The Store filter must run first, because the Ignore filter

will eliminate all of the rest of the port 443 traffic.

NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its

priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data

stream, it must always run last.

23. Let the system run. After some time, you can search for AIM traffic in the captured data on the Incidents page.
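The priority rule in the steps above (Store before Ignore, BASE last, and nothing dropped can be stored later), simulated as an added example that is not the capture engine's own code. The Flow and Filter fields, the first-match semantics, the sample flows, and the handling of a port as matching either direction are assumptions made for this example.

```python
# Added example (not McAfee code): a small simulation of the ordered network
# capture filter chain, showing why the Store filter for AOL_Chat must be
# prioritized above the Ignore filter for port 443 and why BASE runs last.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    flow_id: str
    protocol: str      # protocol name assigned by classification, e.g. "AOL_Chat"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    name: str
    action: str                     # "Store" or "Ignore"
    protocol: Optional[str] = None  # match on the classified protocol
    port: Optional[int] = None      # match on source OR destination port

    def matches(self, flow: Flow) -> bool:
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        # Port traffic is bidirectional (the guide defines source and destination
        # separately); a single field here checks both directions.
        if self.port is not None and self.port not in (flow.src_port, flow.dst_port):
            return False
        return True


# BASE stores everything not already dropped, so it must always be evaluated last.
BASE = Filter("BASE", "Store")


def apply_chain(filters: List[Filter], flows: List[Flow]) -> List[str]:
    """Return ids of stored flows. The first matching filter decides each flow;
    a flow that an Ignore filter eliminates can never be stored by a later one."""
    stored = []
    for flow in flows:
        for f in [*filters, BASE]:
            if f.matches(flow):
                if f.action == "Store":
                    stored.append(flow.flow_id)
                break
    return stored


# Constructed sample flows.
FLOWS = [
    Flow("f1", "AOL_Chat", 51234, 443),  # encrypted AIM session to port 443
    Flow("f2", "SSL", 443, 50001),       # other TLS traffic; server side, so 443 is the source port
    Flow("f3", "SMTP", 40001, 25),       # unrelated mail traffic, stored by BASE
]
STORE_AIM = Filter("AOL_Chat", "Store", protocol="AOL_Chat")
IGNORE_443 = Filter("SSH traffic", "Ignore", port=443)

if __name__ == "__main__":
    # Correct priority: Store runs before Ignore, so the AIM session survives.
    print(apply_chain([STORE_AIM, IGNORE_443], FLOWS))  # ['f1', 'f3']
    # Wrong priority: Ignore runs first and silently eliminates the AIM session too.
    print(apply_chain([IGNORE_443, STORE_AIM], FLOWS))  # ['f3']
```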

Searching captured data

How data is captured and processed

The core component of Network DLP is a capture engine that allows reassembly of packets that have been extracted from network traffic or repositories.

The reassembled objects are classified into object types that are saved in the DLP Monitor

database. Each object has many attributes, all of which can be retrieved by queries.

Captured data is indexed and analyzed in three different databases that hold data in use, data at

rest, and data in motion. You can query the databases directly using the options available in the

user interface, or save queries that are to be run regularly as rules.

When an object matches a query or rule, the result is reported to the DLP dashboards as an

incident. Incidents can be sorted and filtered according to their attributes so that the most

significant information can be identified and displayed.


NOTE: You need not search or save rules to get results. Standard policies that contain collections of rules

automatically search captured data to produce incidents, but you can enter your own queries under the

Capture tab.

Using search features

Basic search processes

DLP search features are designed to make constructing queries and getting results easy. By

scanning just a few of the search topics, you can master the basics quickly.

NOTE: Logical operators are still supported, but only in concept and keyword expressions.

TIP: Specific permissions are required for search tasks. Check DLP Sys Config | System | User

Administration | Groups | Task Permissions | Capture Permissions for details.

How capture works

The core component of Network DLP is a capture engine that extracts packets from network

traffic or repositories. They are indexed and analyzed, classified into object types, and saved in

databases on capture partitions on the DLP Monitor and Discover appliances.

You can query the Monitor and Discover databases directly using the options available in the

user interface, and save queries that are to be run regularly as rules.

When an object matches a query or rule, the result is reported to the dashboard as an incident.

NOTE: You need not search or save rules to get results. Standard policies that contain sets of rules

automatically search captured data to produce incidents, and concepts that match related parameters to

network data can be used as a shortcut to find text-based data quickly.

Adding or subtracting search parameters

Use this task to add an element to any search, rule, filter, or case.

● Click the green plus icon to add an element.

● Click the red minus icon to subtract an element.

Searching with managed systems

When you send a query from a DLP Manager, you are automatically doing a distributed search

through all DLP appliances registered to the system.

NOTE: Although the default is All Devices, you can target a DLP Manager search by selecting one or more

checkboxes of devices from the DLP Reporting | Advanced Search | Devices menu.

Getting notification of results

Any search that takes more than 60 seconds to process is run in background mode. When it is

complete, the user who is logged in is notified by email.


NOTE: If a search is aborted, no notification is sent.

Use this task to get notification of search results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.

2. Define a search.

3. Click the Search List tab to view its status.

4. If it is incomplete, continue with other tasks and check back periodically.

TIP: Set up your email client to prompt you when new email comes in.

Getting details and search history

Use this task to get details about a query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.

2. Click the Details link of the query.

Stopping searches

Use this task to stop a search that is still running.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.

2. Click Abort.

NOTE: The search must still be in RUNNING mode.

Cloning searches

Use this task to edit a search and save as a new one.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Type in a search term.

3. On the search list, click Clone Search.

4. Modify the parameters and results.

5. Click on Search to create a new search.

Finding documents

How to find documents

The classification engine sorts all network data into content types. This allows you to search for

engineering drawings, different types of source code, office documents, images, and countless

other file types.

Use this task to find out what documents are available.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open each document category to review its contents.

7. Click Apply.

8. Click Search or Save as Rule.

Finding Microsoft or Apple documents

The classification engine sorts all network data into content types. This allows you to search for

engineering drawings, different types of source code, office documents, images, and countless

other file types.

Use this task to find out what content types are available.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open the Apple or Microsoft categories to review their contents.

7. Check the boxes to define the format you are looking for.

8. Click Apply.

9. Click Search or Save as Rule.

Finding documents by type

Use this task to find specific document types (for example, Adobe FrameMaker, PostScript, ePS,

or XML) on your network.

TIP: Narrow your selection to one or two document types to keep from getting too many results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open the Advanced Documents category to review its contents.

7. Check the boxes to define type of document you are looking for.

8. Click Apply.

9. Click Search or Save as Rule.


Finding office documents

Use this task to find office documents on your network.

TIP: Narrow your selection to one or two document types to keep from getting too many results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open the Office Applications category to review its contents.

7. Check the boxes to define type of office document you are looking for.

8. Click Apply.

9. Click Search or Save as Rule.

Finding proprietary documents

Use this task to find proprietary design documents on your network.

TIP: Narrow your selection to one or two document types to keep from getting too many results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open the Engineering Drawings and Designs category to review its contents.

7. Check the boxes to define type of document you are looking for.

8. Click Apply.

9. Click Search or Save as Rule.

Finding source code

Use this task to find out if proprietary source code is unsecured on your network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open the Source Code category to review its contents.

7. Check the boxes to define type of source code you are looking for.


8. Click Apply.

9. Click Search or Save as Rule.

Finding email and chat

How to find email

Email objects are stored in capture databases as separate tokens. For that reason, you can

search for one or more components of an email address (for example, user, host or domain

names).

NOTE: Email addresses or domain names that contain numbers are searchable only if they are in the addressing, subject, cc or bcc fields. Only alphabetic characters are supported in the body of email messages.

NOTE: In rare cases, email addresses that are not present in SMTP mail may be displayed in strikeout mode in

the highlighting on the dashboard.

Finding email by address

Use this task to find email addresses.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: If you use a Basic Search, you can specify the Email to or from address selections. In an Advanced

Search, the condition defines the sender or recipient.

2. Open the Source/Destination category.

3. Select Email Address from the first menu.

4. Select is any of, all of, or none of (to include or exclude specific addresses) from the second menu.

TIP: Select the sender condition to indicate that the email address found was the source of the email. Use the

green plus to add another parameter if you also want to define the recipient of the email.

5. Type in one or more email addresses.

6. Click Apply.

7. Click Search or Save as Rule.

Finding email by host name

Use this task to find email by host name.

NOTE: This search is limited to data at rest.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Select Host Name from the first menu.

3. Type one or more host names into the value field.

4. Click Search or Save as Rule.


Finding email by domain name

Use this task to find email by domain name.

NOTE: This search is limited to data at rest.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Discover.

3. Select Domain Name from the first menu.

4. Select is any of from the second menu.

5. Type the domain name into the value field.

6. Click Search or Save as Rule.

Finding email by port

Use this task to find email by port. This can be useful if you know the protocol of the email you

are looking for. For example, SMTP email is commonly sent through Port 25; webmail uses Port

80.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Protocol.

3. Select Port from the first menu.

4. Select is any of from the second menu.

TIP: The system returns port information in both directions, but in separate flows. For complete results, first add

source port, then use the green plus to add an additional parameter that defines the destination port.

5. Type 25 or 80 into the value field.

6. Click Search or Save as Rule.

TIP: Because most email uses one of two ports, searching by port is likely to return too many results. Narrow

your query by using additional qualifiers, such as user, host or domain name.

Finding email by protocol

Use this task to find email by protocol. This can be useful if you know the protocol of the email

you are looking for. For example, you are likely to find local corporate email if you search for

SMTP traffic, and private webmail by looking for HTTP communications.

TIP: You can search for a protocol directly from the Basic Search menu, but such a query is likely to return too

many results. Use an Advanced Search so you can add additional qualifiers (like user, host or domain

names).

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Click "?".

4. Select HTTP_Webmail from the popup menu.


5. Click Apply.

6. Click Search or Save as Rule.

Finding email subjects

Use this task to find email by subject.

TIP: If you know the exact verbiage of the subject line, you might start with a quick Basic Search. Select Email

Subject and type in the exact words, then Search. Use Advanced Search to add parameters if you have some

additional information that will focus your query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination.

3. Select Email Subject from the first menu.

4. Select contains any of from the second menu.

5. Type the subject into the value field.

6. Click Search or Save as Rule.

Finding email attachments

Use this task to find incidents with email attachments.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Click "?".

4. Open the Mail Protocols category.

5. Select one or more attachment types.

TIP: You might select HTTP_Webmail_Attach to find webmail attachments, SMTP_Attach to find email

attachments sent, and POP3_Attach to find email attachments received.

6. Click Apply.

7. Click Search or Save as Rule.

TIP: When an incident is reported, click its Details icon to view the attachment.

NOTE: Attachments larger than 50MB cannot be reported.

Finding email senders

Use this task to find email by sender.

TIP: You can search for an email sender from the Basic Search page, but such a query may return too many

results. Use an Advanced Search so you can add additional qualifiers (like subject, host or IP address).


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination.

3. Select Email Address from the first menu.

4. Select sender is any of from the second menu.

5. Type one or more sender names into the value field.

6. Click Search or Save as Rule.

Finding email recipients

Use this task to find email by recipient.

TIP: You can search for an email recipient from the Basic Search page, but such a query may return too many results. Use an Advanced Search so you can add additional qualifiers (like subject, host or IP address).

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination.

3. Select Email Address from the first menu.

4. Select recipient is any of from the second menu.

5. Type one or more recipient names into the value field.

6. Click Search or Save as Rule.

Finding copies of emails

Use this task to find copies of emails (cc).

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination.

3. Select Email CC from the first menu.

4. Select contains any of from the second menu.

5. Type the cc: addressee into the value field.

6. Click Search or Save as Rule.

Finding blind copies of emails

Use this task to find blind copies of email (bcc).

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination.

3. Select Email BCC from the first menu.

4. Select contains any of from the second menu.

5. Type the bcc: addressee into the value field.

6. Click Search or Save as Rule.


Finding webmail by port

Use this task to search for all traffic using Port 80, which is commonly used for webmail.

TIP: You can use Basic Search to find all traffic on a single port quickly, but such a search is likely to return too many results. Use Advanced Search to add parameters that will focus your query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Select Port from the first menu.

4. Select source is any of from the second menu.

TIP: The system returns port information in both directions, but in separate flows. For complete results, define both source and destination values.

5. Type 80 into the value field.

6. Select Port from the first menu.

7. Select destination is any of from the second menu.

8. Type 80 into the value field.

9. Click Search or Save as Rule.

Finding webmail by protocol

Use this task to search for all traffic using the HTTP_Webmail protocol.

TIP: You can use Basic Search to find all traffic using a single protocol quickly, but such a search is likely to return too many results. Use Advanced Search to add parameters that will focus your query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Select Protocol from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Select HTTP_Webmail from the popup menu.

7. Click Apply.

8. Click Search or Save as Rule.

Finding chat sessions

Use this task to find incidents containing chat sessions.

NOTE: Chat sessions lasting up to four hours can be captured. They are reported in chronological order.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

If you don't have to exclude incidents containing specific chat sessions, use Basic Search instead.


2. Open the Content category.

3. Select Content Types from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Open the Chat category.

7. Select one or more chat protocols.

8. Click Apply.

9. Click Search or Save as Rule.

NOTE: Encrypted chat sessions (for example, Skype and AOL Instant Messenger 6) cannot be captured.

Finding files

How to find files

When the DLP search engine captures files, each attribute is stored as a separate token in the capture database. You can find files by using any of the attributes of a file, such as type, owner, size or signature.

● From the Basic Search menu, you can find files in data at rest by selecting Host Name, Host IP, File Name Pattern, or File Owner.

● From the Advanced Search menu, you can find files in data in motion and data at rest by selecting parameters under File Information, Content | Content Types, or Discover.

Finding file name patterns

Use this task to find files by file name pattern.

NOTE: You can find multiple files by entering a word stem and adding an asterisk, but it is the only metacharacter supported.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Select File Name Pattern.

3. Click Search or Save as Rule.

NOTE: You can also find file names in file repositories and databases by going to DLP Reporting | Advanced Search. Open Discover, select File Name Pattern, and type a pattern into the value field.

Example

Find JPG OR GIFs in a repository:

DLP Reporting | Basic Search | File Name Pattern contains *.jpg,*.doc

NOTE: Only OR is supported for file name pattern searches. You can no longer use a space or ampersand to combine terms in a search. Use the green plus icon to add an element instead.


4. Click Save as Rule.
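The pattern rules above (the asterisk as the only metacharacter, the comma as OR) as an added Python example; this is not product code, and anchored, case-insensitive matching of the whole file name is an assumption.

```python
"""Matcher for the File Name Pattern field (added illustration, not product code):
the asterisk is the only metacharacter and a comma-separated list is an OR.
Anchored, case-insensitive matching of the whole name is an assumption."""
import re

def pattern_to_regex(pattern):
    """Translate one pattern entry into a regex.  Every character other than '*'
    is matched literally, so '?', '.' and '[' have no special meaning."""
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

def match_file_names(value, file_names):
    """Apply 'File Name Pattern contains <value>' to a list of names; the comma
    joins alternatives (OR), the only way to combine terms in this field."""
    patterns = [pattern_to_regex(p.strip()) for p in value.split(",") if p.strip()]
    return [name for name in file_names if any(p.match(name) for p in patterns)]

# Constructed file names, as a Discover scan might list them.
FILE_NAMES = ["budget.xlsx", "Budget_2009.doc", "photo.JPG", "notes.txt",
              "report[1].doc", "what?.jpg", "whatx.jpg"]
```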

Finding files by file type

Use this task to limit your search to files of a specific content type.

TIP: The DLP indexer captures all data on the network and sorts it into content types. If you just want to see what they are, go to Capture | Basic Search and select Content Type, then click the "?" to launch the popup menu, which contains all available content types.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select is any of from the second menu.

4. Click "?".

5. Open a content type group.

6. Check one or more file types.

NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type containing the files is specified. Eight other compressed file types are also supported.

7. Click Apply.

8. Click Search or Save as Rule.

Finding files by owner

Use this task to find all files owned by a user.

NOTE: This feature searches the Discover database, which must contain data in order for results to be retrieved.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.

2. Select File Owner.

3. Type the file owner into the value field.

4. Click Search or Save as Rule.

Finding files by size

Use this task to find files of a specific size.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open File Information.

3. Select File Size.

4. Select range from the Condition menu. You can also specify greater or less than values.

5. Enter a value in bytes. If you define a range, use a dash to separate values.

6. Click Search or Save as Rule.


Example

File Size > range > 1024-5000 (must be expressed in bytes)

Finding files by document type

Use this task to find specific document types (for example, all Microsoft Word and Excel documents).

TIP: You can use Basic Search to find all files of a specific document type, but such a search is likely to return too many results. Use Advanced Search to add parameters that will focus your query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Content Type from the first menu.

4. Click "?".

5. Open Office Applications.

6. Select one or more office document types.

7. Click Apply.

8. Click Search or Save as Rule.

NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type containing the files is specified. Eight other compressed file types are also supported.

Finding files using MD5 signatures

MD5 is the most widely used algorithm for creating compact digital signatures.

NOTE: This procedure can no longer be used in a direct query, but it can be attached to a rule.

Use this task to find all copies of a unique file identified by an MD5 signature.

1. Log in to the back end of a DLP Manager or Monitor.

2. Go to the /usr/bin directory and locate the md5sum utility.

3. Use the md5sum utility to generate a signature.

# md5sum filename

4. Select and copy the resulting hexadecimal number.

5. Open a browser and launch the DLP Monitor or Discover user interface.

6. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP Policies.

7. Click on a rule and open File Information.

8. Select Signature.

9. Select is any of from the Condition menu.

10. Paste the hexadecimal number into the value field.

11. Click Save as Rule.
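An added Python illustration of the signature workflow (not product code): it computes the same hex signature md5sum prints and finds every byte-identical copy under a directory, which is the comparison a Signature rule performs. Because collision attacks on MD5 are practical, two different files can be crafted to share a signature, so treat a match as an exact-copy check rather than as proof of provenance; also note that any edit to the file, even one byte, changes the signature. The sample tree and file contents are constructed in a temporary directory.

```python
"""Find every copy of a file by its MD5 signature (added illustration, not
product code).  md5_signature() yields the same hex string as `md5sum FILE`,
and find_copies() performs the comparison a Signature 'is any of' rule makes.
The sample tree is constructed in a temporary directory."""
import hashlib
import os
import tempfile

def md5_signature(path, chunk_size=1 << 16):
    """Hexadecimal MD5 of a file, streamed so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_copies(root, signature):
    """Relative paths (sorted) of every file under root whose MD5 equals signature.
    Only byte-identical copies match: editing a single byte changes the hash."""
    wanted = signature.strip().lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if md5_signature(path) == wanted:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: a reference document, two renamed copies, a near-copy,
    an empty file and an unrelated file.  Returns (root, path of the reference)."""
    root = tempfile.mkdtemp(prefix="dlp_md5_")
    secret = b"Project Falcon pricing sheet - CONFIDENTIAL\n"
    layout = {
        "finance/pricing.xls": secret,
        "finance/old/pricing_v1.xls": secret + b"draft\n",   # one line added: not a copy
        "shared/q3.dat": secret,                              # renamed copy
        "home/jdoe/backup.bin": secret,                       # another copy
        "home/jdoe/empty.dat": b"",                           # MD5 d41d8cd98f00b204e9800998ecf8427e
        "home/jdoe/readme.txt": b"nothing to see here\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root, os.path.join(root, "finance/pricing.xls")

def demo():
    """Build the sample tree and return what a signature rule would report."""
    root, reference = build_sample_tree()
    signature = md5_signature(reference)
    return {"signature": signature, "copies": find_copies(root, signature),
            "empty": find_copies(root, "D41D8CD98F00B204E9800998ECF8427E")}
```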


Finding images

How to find images

Use this task to find images using specific file formats.

TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Content Type.

4. Click "?".

5. Open Images.

6. Select one or more image types.

7. Click Apply.

8. Click Apply.

9. Click Search or Save as Rule.

TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.

Finding images of people

Use this task to find images containing advertising imagery or pornographic content.

TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.

3. Select Concepts.

4. Select a Condition.

5. Click "?".

6. Click Fleshtone from the popup menu.

7. Click Apply.

8. Click Search or Save as Rule.

TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.

Finding images using a template

Use this task to expedite image searches.

TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Content.


3. Select Template.

4. Click "?".

5. Select the Common Image Files template.

6. Click Apply.

7. Click Search or Save as Rule.

TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.

Finding IP addresses

How to find IP addresses

Use this task to search for incidents containing individual IP addresses, a range of addresses, or IP addresses on a subnet.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Source/Destination category.

3. Select IP Address from the first menu.

4. Select is any of from the second menu.

5. Enter one or more IP addresses in the value field.

6. Click Search or Save as Rule.

Example

192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25

Finding a range of IP addresses

Use this task to find a range of IP addresses.

TIP: Use a dash between starting and ending addresses, and a comma to add individual addresses.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination from the first menu.

3. Select IP Address from the first menu.

4. Select is any of from the second menu.

5. Enter the IP address range in the value field. Do not use spaces.

Example

192.168.4.1-192.168.3.255

6. Click Search or Save as Rule.

Finding IP addresses on a subnet

Use this task to find IP addresses on a subnet.


Subnet searching is supported whether or not network and host portions of an IP address are standard classful IP (address fields separated into four 8-bit groups). CIDR notation is also supported.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Source/Destination category.

3. Select IP Address from the first menu.

4. Select is any of from the second menu.

5. Type the subnet into the value field.

6. Click Search or Save as Rule.

Example

For subnet mask 255.255.255.128, you can use CIDR shorthand to translate the value, for example 192.168.2.1/25

Excluding incidents using specific IP addresses

Use this task to exclude incidents using specific IP addresses from a query or rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Source/Destination category.

3. Select IP Address from the first menu.

4. Select is any of from the second menu.

5. Type an IP address range into the value field.

Example

172.25.3.100-172.25.3.199

6. Click plus to add an element.

7. Select IP Address from the first menu.

8. Select does not equal from the second menu.

9. Type one or more addresses within the range into the value field to exclude addresses from the defined range.

Example

172.25.3.101,172.25.3.197

10. Click Search or Save as Rule.
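The address-list syntax used in the three IP procedures above (single addresses, dash ranges, CIDR blocks, and a does-not-equal exclusion) as an added Python example, not product code. It assumes an incident matches when either its source or destination address falls in the list, that a range whose bounds are given in reverse order means the same range, and that a subnet mask is translated to the CIDR block containing the address; the incident records are constructed.

```python
"""Matcher for the IP Address value-field syntax shown in the examples above
(added illustration, not product code).  Entries are comma-separated with no
spaces; each is a single address, a dash range, or a CIDR block.  A second
element with the 'does not equal' condition carves exclusions out of the
result.  Matching an incident on either endpoint is an assumption."""
import ipaddress

def parse_ip_values(value):
    """'192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25' becomes a
    list of (first, last) address pairs."""
    ranges = []
    for entry in value.split(","):
        if not entry or " " in entry:
            raise ValueError("empty entries and spaces are not allowed: %r" % entry)
        if "-" in entry:
            start, end = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
            if start > end:              # bounds given in either order are accepted
                start, end = end, start
            ranges.append((start, end))
        elif "/" in entry:
            # strict=False lets a host address such as 192.168.2.1/25 stand for its block
            net = ipaddress.IPv4Network(entry, strict=False)
            ranges.append((net.network_address, net.broadcast_address))
        else:
            addr = ipaddress.IPv4Address(entry)
            ranges.append((addr, addr))
    return ranges

def is_valid_value(value):
    """True when every entry in the field parses (ipaddress errors are ValueErrors)."""
    try:
        parse_ip_values(value)
        return True
    except ValueError:
        return False

def mask_to_cidr(address, netmask):
    """Translate a dotted netmask into the CIDR block used by the subnet example:
    ('192.168.2.1', '255.255.255.128') -> '192.168.2.0/25'."""
    return str(ipaddress.IPv4Network("%s/%s" % (address, netmask), strict=False))

def in_ranges(address, ranges):
    """True when the address lies inside any of the parsed (first, last) pairs."""
    addr = ipaddress.IPv4Address(address)
    return any(low <= addr <= high for low, high in ranges)

def select_incidents(incidents, include, exclude=""):
    """Apply 'IP Address is any of <include>' and, when given,
    'IP Address does not equal <exclude>' to (id, source, destination) records."""
    include_ranges = parse_ip_values(include)
    exclude_ranges = parse_ip_values(exclude) if exclude else []
    selected = []
    for incident_id, source, destination in incidents:
        endpoints = (source, destination)
        if not any(in_ranges(ip, include_ranges) for ip in endpoints):
            continue
        if any(in_ranges(ip, exclude_ranges) for ip in endpoints):
            continue                     # dropped by the 'does not equal' element
        selected.append(incident_id)
    return selected

# Constructed incident records: (id, source IP, destination IP).
INCIDENTS = [
    (1, "172.25.3.101", "10.0.0.5"),    # inside the range but listed in the exclusion
    (2, "172.25.3.150", "10.0.0.5"),    # inside the range
    (3, "192.168.1.244", "10.0.0.9"),   # the single address
    (4, "192.168.2.77", "10.0.0.9"),    # inside 192.168.2.0/25
    (5, "192.168.2.200", "10.0.0.9"),   # outside the /25 (host part above 127)
    (6, "10.0.0.1", "172.25.3.197"),    # matched on destination, then excluded
]
```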

Finding keywords

Excluding keywords from a query

Use this task to exclude keywords from a query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.


3. Select Keywords from the first menu.

4. Select contains none of from the second menu.

5. Type one or more keywords into the values field.

6. Click Search or Save as Rule.

Finding exact matches

Use this task to search for an exact match using keywords and logical operators.

NOTE: Keywords need not be in the order specified, but all must be present.

NOTE: You can use logical operators to build a keyword query, but only for keyword expressions and exact phrases.

NOTE: Because search is case-insensitive, you need not capitalize the keywords. Do not add quotation marks and parentheses; they are added by the search engine.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Keywords from the first menu.

4. Select exact phrase from the second menu. Do not use quotation marks.

5. Type the phrase into the value field.

6. Click Search or Save as Rule.

Finding keyword expressions

Use this task to enter a keyword query using logical operators.

NOTE: You can use logical operators to build a keyword query, but only for concept or keyword expressions and exact phrases.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Keywords from the first menu.

4. Select expression from the second menu.

5. Type keywords and logical operators into the values field.

6. Click Search or Save as Rule.

Finding keywords using logical operators

Use the supported logical operators to enter searches into keyword expressions and exact phrase fields.


NOTE: Custom searches are not supported in this release. If you created a rule in DLP 8.6 using only logical operators, it will no longer run. You must rebuild the query using parameters available in the menus available on the rules pages.

Logical Operator    Notation            Different Ways of Expressing the Same Query

AND                 AND, and, +, &&     Confidential Restricted Secret
                                        Confidential AND Restricted AND Secret
                                        Confidential and Restricted and Secret
                                        Confidential + Restricted + Secret
                                        Confidential && Restricted && Secret

OR                  OR, or, ||          Confidential OR Restricted OR Secret
                                        Confidential or Restricted or Secret
                                        (Confidential || Restricted) && Secret

NOT                 -, !                Confidential -Restricted -Secret
                                        Confidential !Restricted !Secret

Word stemming       ~                   Confident~ Restrict~ Secret~

Parentheses         ( )                 Confidential AND (Restricted OR Secret)

Exact Match         " "                 "Confidential and Secret"

NOTE: All operators, including Exact Match, are case-insensitive. In other words, if you search for a term in ALL CAPS, the system will return that term not only in capital letters, but initial caps or lowercase as well.

Use logical operators (|| or OR) instead of a comma to construct an OR query. You cannot use AND operators between URLs and email fields.

NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type containing the files is specified. Eight other compressed file types are also supported.

Finding non-English matches

Use this task to search for non-English keywords.

NOTE: The search engine supports the UTF-8 standard.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Keywords from the first menu.

4. Select exact phrase from the second menu.

5. Cut and paste keywords containing the characters into the values field.

6. Click Apply.

7. Click Search or Save as Rule.


How to find keywords

The keyword search types are illustrated by the following examples.

The examples displayed here show the queries as they are summarized in search boxes. Logical operators can be entered in value fields only when used with expression and exact phrase conditions.

Find all these words (in any order)

Keywords | Condition contains | Intel AMD NVidia

When using the contains condition, spaces between words imply AND.

Find one or more of these words (in any order)

Keywords | Condition contains any of | Intel AMD NVidia

When using the contains any of condition, spaces between words imply OR.

Find this exact phrase

Keywords | Condition exact phrase | NVidia supports AMD and Intel platforms.

When using the exact phrase condition, do not use quotation marks. Search is case-insensitive; upper-case characters are ignored.

Find these words, but not this word

Keywords | Condition contains | Intel AMD

Keywords | Condition does not contain | NVidia

Find either of these words, but neither of these

Keywords | Condition expression (Intel || AMD) !(Nvidia && ATI)

Find non-English content

Keywords | exact phrase | <paste in characters>

NOTE: Search keywords are highlighted in your search results, with the exception of high volume retrieval (when the 50,000 or All Results options are selected in the Basic Search window). This limitation improves performance.


Supported languages

Supported Languages

English

Chinese (traditional)

Chinese (simplified)

Korean

French

German

Spanish

Portuguese

Dutch

Polish

Russian

Turkish

Logical operators supported in keyword queries

Use these examples to construct keyword queries in the expressions and exact phrases fields.

Examples

These compound queries will produce the same results:

confidential +"Eyes Only" OR "Do Not Distribute" -secret -security

Confidential "Eyes Only" || "Do Not Distribute" !secret !security

This complex query adds grouping of search terms and use of word stemming:

Confidential + (("Eyes Only" || "Do Not Distribute") || (secret~ or secur~))

This query will find documents containing the word "Confidential" that are also marked EITHER "Eyes Only" or "Do Not Distribute" OR contain variations of the words "secret" or "secure".
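An added Python evaluator (not the product's search engine) for the operator syntax in the table above and the compound queries just shown, including both forms of the Eyes Only query and the grouped, stemmed version. Word stemming is approximated as prefix matching because the guide does not describe the stemming algorithm, and the sample documents are constructed.

```python
"""Evaluator for the keyword-expression syntax in the guide's operator table: implicit
AND (space), AND/and/+/&&, OR/or/||, NOT as - or !, stemming with ~ (approximated as
a prefix match), parentheses and exact match in quotes; all case-insensitive."""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\(|\)|\|\||&&|\+|-|!)|([^\s()"|&+!-]+)')

def normalize(text):
    """Lower-case and reduce to space-separated word tokens."""
    return " ".join(re.findall(r"\w+", text.lower()))

def tokenize(query):
    """Split a query into (kind, value) pairs: phrase, op or term."""
    tokens = []
    for phrase, op, word in TOKEN_RE.findall(query):
        word = word.lower()
        if op or word in ("and", "or"):
            tokens.append(("op", op or word))
        elif word:
            tokens.append(("term", word))
        else:
            tokens.append(("phrase", normalize(phrase)))
    return tokens

class Parser:
    """Recursive descent: OR binds loosest, then AND (explicit or by adjacency),
    then the prefix NOT operators and parentheses."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("end", None)
    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else ("end", None)
    def parse_or(self):
        left = self.parse_and()
        while self.peek() in (("op", "or"), ("op", "||")):
            self.take()
            left = ("or", left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_unary()
        while True:
            kind, val = self.peek()
            if (kind, val) in (("op", "and"), ("op", "&&"), ("op", "+")):
                self.take()                        # explicit AND
            elif kind in ("term", "phrase") or val in ("(", "-", "!"):
                pass                               # adjacency implies AND
            else:
                return left
            left = ("and", left, self.parse_unary())
    def parse_unary(self):
        kind, val = self.take()
        if kind == "op" and val in ("-", "!"):
            return ("not", self.parse_unary())
        if kind == "op" and val == "(":
            node = self.parse_or()
            if self.take() != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "phrase":
            return ("phrase", val)
        if kind == "term":
            return ("stem", val[:-1]) if val.endswith("~") else ("term", val)
        raise ValueError("unexpected %r" % (val,))

def matches(node, words, text):
    """Evaluate a parsed tree against one document's word set and normalized text."""
    op = node[0]
    if op == "term":
        return node[1] in words
    if op == "stem":
        return any(w.startswith(node[1]) for w in words)
    if op == "phrase":
        return " %s " % node[1] in " %s " % text
    if op == "not":
        return not matches(node[1], words, text)
    left, right = matches(node[1], words, text), matches(node[2], words, text)
    return (left and right) if op == "and" else (left or right)

def search(query, documents):
    """Return the sorted names of the documents that satisfy the query."""
    parser = Parser(query)
    tree = parser.parse_or()
    if parser.peek()[0] != "end":
        raise ValueError("trailing input after the expression")
    hits = []
    for name, body in documents.items():
        text = normalize(body)
        if matches(tree, set(text.split()), text):
            hits.append(name)
    return sorted(hits)

# Constructed sample documents standing in for captured objects.
DOCUMENTS = {
    "memo1": "CONFIDENTIAL - EYES ONLY. Quarterly figures attached.",
    "memo2": "Do Not Distribute. Internal project notes.",
    "memo3": "Confidential: security review of the secure enclave design.",
    "memo4": "Confidential and Secret: merger plan, restricted distribution.",
    "memo5": "Do Not Distribute. Secret project notes.",
    "memo6": "Benchmarks for Intel and NVidia platforms.",
}
```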

Finding locations of violations

Finding sources of violations

Use this task to find violations in traffic sent to or received from a specific country.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open Source/Destination and select GeoIP Location.

3. Select a sender or recipient condition.

4. Click "?".


5. Select checkboxes of one or more countries.

6. Click Apply.

7. Click Search or Save as Rule.

Finding violations by website

Use this task to find violations associated with a website. If you know the source or destination of a known transmission, you can find violations in traffic to or from a specific user, host or website.

NOTE: When defining a URL in a Discover scan, the URL must be preceded by the protocol used and terminated by a slash. If the URL is not terminated, the scan will run not only within the targeted directory and subdirectories, but will be extended to directories above the parent URL.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Source/Destination category.

3. Select URL from the first menu.

4. Select is any of from the second menu.

5. Type the URL into the values field.

6. Click Search or Save as Rule.

NOTE: This search assumes that the ignore_http_header capture filter has been removed, making it possible for the classification engine to find HTTP posts in captured data.

How to find locations

Use this task to search for traffic sent to and received from specific countries, or to exclude specific geographic traffic.

TIP: Use Basic Search | GeoIP Location to find all incidents involving one or more geographic locations. Use Advanced Search to add more parameters.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Source/Destination category.

3. Select GeoIP Location from the first menu.

4. Select a condition from the second menu.

TIP: Add an additional parameter by selecting the green plus icon if you want to define more than one condition. For example, use is none of to exclude a country, or sender and recipient values to define source or destination.

5. Click "?".

6. Select checkboxes of one or more countries.

7. Click Apply.

8. Click Search or Save as Rule.


List of country codes

Use country codes to identify sources or destination of violations.

Updated list of country codes

http://www.iso.org/iso/country_codes/iso_3166_code_lists

Finding violations by port

How to find violations by port

Use this task to find violations in traffic that uses well-known ports.

NOTE: Unless you define both source and destination values, the system returns incidents in either direction, but not both.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Select Port from the first menu.

4. Select source is any of from the second menu.

5. Type a port number into the values field.

6. Select the green plus icon to add a parameter.

7. Select destination is any of from the second menu.

8. Type a port number into the values field.

9. Click Search or Save as Rule.

Excluding ports from a query

Use this task to eliminate a type of traffic that is transmitted through one of the well-known ports.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Select Port from the first menu.

4. Select source is none of from the second menu.

5. Type a port number into the values field.

6. Select Port.

7. Select destination is none of from the second menu.

8. Type a port number into the values field.

9. Click Search or Save as Rule.

Finding violations by port range

Use this task to find violations in traffic that uses a specific port range.

TIP: For example, the Solaris operating system often uses the 1000-1023 range.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Select Port from the first menu.

4. Select is any of from the second menu.

5. Type port numbers (separated by a dash) into the values field.

6. Click Search or Save as Rule.

List of common port assignments

You can select from a list of common port assignments to find a specific type of traffic that uses one of the well-known ports.

Common Port Assignments

Service Port #

FTP 20/21

SSH 22

Telnet 23

SMTP 25

HTTP 80

POP3 110

NTP 123

IMAP 143

NNTP 144

HTTPS 443

SMTP-SSL 465, 587

IMAP-SSL 993

POP3-SSL 995

TIP: You can find the latest IANA update at http://www.iana.org/assignments/port-numbers.

Finding violations by protocol

How to find violations by protocol

Use this task to search for violations in traffic transmitted by a specific protocol.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.

2. Open the Protocol category.

3. Select is any of from the second menu.

4. Click "?".

5. Open categories and check protocol boxes.


6. Click Apply.

7. Click Search or Save as Rule.

Excluding protocols from a query

Use this task to exclude violations in traffic that uses a specific protocol.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Protocol category.

3. Select is none of from the second menu.

4. Click "?".

5. Select one or more protocol checkboxes.

6. Click Apply.

7. Click Search or Save as Rule.

Finding violations in time

How to find time-stamped files

Because the DLP Monitor captures every packet in a network data stream and time-stamps every significant object found, it is essential to set a time frame for your search or rule.

Objects are time-stamped in UTC, but you can use either local or global time conditions. The system does the conversion for you.

TIP: Remember the date of installation of the DLP appliance when searching in time. The system cannot retrieve results that were never captured.

NOTE: If you have a time frame set under Incidents | Filter by... , it takes precedence over one set in Advanced Search.

Searching in a relative time frame

Use this task to find a file time-stamped within a relative time frame.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Date/Time category.

3. Select any parameter from the first menu.

4. Select a local or global before, between or after time from the drop-down menus.

5. Click the Calendar icon to select a date.

6. Select the hour, minute and second from the pull-down menus.

7. Click Search or Save as Rule.


Searching in an exact time frame

When you define a time in a search or rule, your local time is automatically converted to Greenwich Mean Time. If you are managing several DLP Monitors in different locations, you can find captured data at the same clock time in each of those locations.

Use this task to select an Exact Time in local or Greenwich Mean Time.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Date/Time category.

3. Select Exact Time from the first menu.

4. Select a local or global before, between or after time from the drop-down menus.

Automatic Conversion to GMT (same moment globally)

before

between

after

Local time (same clock time globally)

before (local time)

between (local time)

after (local time)

5. Click the Calendar icon to select a date.

6. Select the hour, minute and second from the pull-down menus.

7. Click Search or Save as Rule.

Searching by file creation time

Use this task to find a file that was created in a specific time frame.

NOTE: The interface displays the time zone of the DLP appliance.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Date/Time category.

3. Select File Creation Time from the first menu.

4. Select before, between or after from the second menu.

5. Click the Calendar icon and select a date.

6. Select the hour, minute and second from the pull-down menus.

7. Click Search or Save as Rule.

Example

File Creation Time > between > 16:30:00 and 17:00:00.


Searching by file last accessed time

Use this task to find out when a file was last accessed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Date/Time category.

3. Select File Last Accessed from the first menu.

4. Select before, between or after from the second menu.

5. Click the Calendar icon to select a date.

6. Select the hour, minute and second from the pull-down menus.

7. Click Search or Save as Rule.

Example

Last Accessed > before > 17:00:00

TIP: If a Discover crawl processes more than 50,000 files, the date and time is reported in a yyyyMMddHHmmss format (for example, 20090820120000). Because Microsoft Excel interprets this as a large real number, it is displayed in scientific notation (for example, 2.01E+13). Recover the date by selecting the column, then set the number to zero decimal places under Tools | Format | Cell | Number.

Searching by last modification time

Use this task to find out when a file was last modified.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Select the Date/Time category.

3. Select Last Modification Time from the first menu.

4. Select before, between or after from the second menu.

5. Click the Calendar icon to select a date.

6. Select the hour, minute and second from the pull-down menus.

7. Click Search or Save as Rule.

Example

Last Modification Time > after > 13:30:00

Searching by local or Greenwich Mean Time

Use this task to search for an event that occurs at the same local time in different time zones.

When you define a time in a search or rule, your local time is automatically converted to Greenwich Mean Time. But if you are managing several DLP Monitors in different locations, you will want to know what the local time is in each of those locations.


Example:

If you are managing a global network, you may expect confidential data to be entering or leaving the network data stream during business hours. But after 5 PM local time, movement of sensitive data may indicate a leak.

By creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los Angeles, New York, London, and Tokyo offices, you can monitor data at the time most employees are leaving each of those facilities.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Select Date/Time from the first menu.

3. Select Exact Time from the second menu.

4. Select a local or global before, between or after time from the drop-down menus.

Automatic Conversion to GMT (same moment globally)

before

between

after

Local time (same clock time globally)

before (local time)

between (local time)

after (local time)

5. Click the Calendar icon to select a date.

6. Select the hour, minute and second from the pull-down menus.

7. Click Search or Save as Rule.
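An added Python illustration (not product code) of the difference between the GMT-converted and local-time conditions used in the Exact Time procedures above, applied to the 5 to 6 PM example for the four offices. Office time zones are assumed to be fixed standard-time offsets, ignoring daylight saving, and the incident records are constructed.

```python
"""Local-time versus GMT-converted Exact Time windows (added illustration, not
product code).  Office zones are fixed standard-time offsets, an assumption that
ignores daylight saving; the incidents are constructed, stored in UTC as the
capture engine time-stamps them."""
from datetime import datetime, time, timedelta, timezone

OFFICES = {                        # assumed offsets, standard time only
    "Los Angeles": timezone(timedelta(hours=-8)),
    "New York": timezone(timedelta(hours=-5)),
    "London": timezone.utc,
    "Tokyo": timezone(timedelta(hours=9)),
}

def in_window(clock, start, end):
    """True when a wall-clock time lies within [start, end] on the same day."""
    return start <= clock <= end

def between_local(ts_utc, office, start=time(17, 0), end=time(18, 0)):
    """'between (local time)': the same clock time in every office, so the UTC
    stamp is converted to that office's wall clock before the comparison."""
    return in_window(ts_utc.astimezone(OFFICES[office]).time(), start, end)

def between_gmt(ts_utc, start=time(17, 0), end=time(18, 0)):
    """'between' with automatic conversion to GMT: one moment window worldwide."""
    return in_window(ts_utc.astimezone(timezone.utc).time(), start, end)

# Constructed incidents: (id, office, capture time in UTC).
INCIDENTS = [
    (1, "Tokyo", datetime(2009, 8, 20, 8, 30, tzinfo=timezone.utc)),        # 17:30 Tokyo
    (2, "London", datetime(2009, 8, 20, 17, 15, tzinfo=timezone.utc)),      # 17:15 London
    (3, "New York", datetime(2009, 8, 20, 17, 15, tzinfo=timezone.utc)),    # 12:15 New York
    (4, "Los Angeles", datetime(2009, 8, 21, 1, 45, tzinfo=timezone.utc)),  # 17:45 LA, previous day
]

def incidents_matching(incidents, condition):
    """Ids of incidents that satisfy the chosen 5-6 PM rule variant:
    'local' for between (local time), anything else for the GMT-converted between."""
    if condition == "local":
        return [i for i, office, ts in incidents if between_local(ts, office)]
    return [i for i, _office, ts in incidents if between_gmt(ts)]
```

The local-time rule flags the Tokyo, London and Los Angeles incidents because each fell at 5 to 6 PM on that office's clock, while the GMT rule flags the London and New York incidents, which share the same moment in time.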

Searching with concepts and templates

Using concepts and templates in queries

Concepts and templates can be used to expedite queries. Concepts provide ready-made parameters to find all data of a similar type, while templates can be used to avoid repetitive searching.

Using concepts in queries

Use this task to find concepts (collections of data related to a single issue) in a search.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Concept from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Select one or more concepts from the popup menu.


7. Click Apply.

8. Click Search or Save as Rule.

NOTE: The number of concepts usable in a compound search or a rule is limited only by the number of

concepts defined in the system.

Using templates in queries

Use this task to search using a template.

For example, you might use a template to find all documents of a certain type, or give a name to

an IP address range.

TIP: Go to Policies | Templates and open any template to learn to construct one of your own.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Template from the first menu.

NOTE: Each category on the Advanced Search and Add/Edit Rule pages includes a Template element

containing a set of templates related to that category.

4. Select equals from the second menu.

5. Click "?".

6. Select a template from the popup menu.

NOTE: All templates are available from the popup menu. If you add a custom template, it is automatically added

to the menu.

7. Click Search or Save as Rule.

TIP: When you tune a rule, use a template to run repetitive queries that vary slightly.

Using concept expressions in a query

Use this task to create a complex concept query using logical operators.

NOTE: You can use logical operators to build a keyword query, but only for concept or keyword expressions

and exact phrases.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

2. Open the Content category.

3. Select Concept from the first menu.

4. Select expression from the second menu.

5. Type an expression into the value field.

6. Click Search or Save as Rule.


Example:

The expression concept:CCN -concept:AMEX (concept:SSN OR concept:EIN) finds credit card numbers that are not American Express AND either Social Security or Employer Identification numbers.

Excluding a concept from a query

Use this task to exclude an entire concept from a query.

NOTE: Concepts identify collections of data related to a single issue. Content concepts, the type most widely

used, use patterns to identify related data objects.

For example, if you wanted to find credit cards using any possible numbering pattern except American Express,

you could eliminate the AMEX concept from a general credit card query.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: You may also exclude a concept from an existing rule by editing it.

2. Open the Content category

3. Select Concept from the first menu.

4. Select is any of from the second menu.

5. Click "?".

6. Select one or more VISA, DISCOVER, MASTERCARD, DINERS or JCB checkboxes.

7. Click Apply.

8. Select plus to add an element.

9. Select Concept from the first menu.

10. Select is none of from the second menu.

11. Click "?".

12. Select the AMEX checkbox.

13. Click Apply.

14. Click Search or Save as Rule.
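Both the expression example above (concept:CCN -concept:AMEX ...) and the is-none-of procedure rely on the content concepts telling card brands apart. The following Python example, added here and not the product's own concept definitions, shows what such a concept does underneath: it scans constructed captured text for digit runs, keeps only those that pass the Luhn check, classifies the issuer by the leading digits and length (a simplified issuer table, stated as an assumption), and then applies the AMEX exclusion. The sample text uses the industry-standard test card numbers, which pass Luhn but belong to no account.

```python
import re

# Constructed sample of captured text (industry-standard test numbers, not real card data).
SAMPLE = """Invoice paid with VISA 4111 1111 1111 1111 and AMEX 3782-822463-10005.
Backup card: 5555555555554444. Ref 1234567812345678 is an order number, not a card."""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits):
    """Simplified issuer identification by leading digits and length (assumption for the example)."""
    n = len(digits)
    if n == 15 and digits[:2] in ("34", "37"):
        return "AMEX"
    if n in (13, 16, 19) and digits[0] == "4":
        return "VISA"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MASTERCARD"
    if n == 16 and (digits[:4] == "6011" or digits[:2] == "65" or 644 <= int(digits[:3]) <= 649):
        return "DISCOVER"
    if n == 14 and (300 <= int(digits[:3]) <= 305 or digits[:2] in ("36", "38")):
        return "DINERS"
    if n == 16 and 3528 <= int(digits[:4]) <= 3589:
        return "JCB"
    return None


def find_cards(text):
    """The general CCN concept: every Luhn-valid candidate with a recognised issuer."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        brand = issuer(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def find_cards_excluding(text, exclude=("AMEX",)):
    """CCN with 'is none of AMEX' applied, as in the procedure above."""
    return [(b, d) for b, d in find_cards(text) if b not in exclude]


if __name__ == "__main__":
    print(find_cards(SAMPLE))
    print(find_cards_excluding(SAMPLE))
```

The order number in the sample is rejected twice over, by the issuer table and by Luhn, which is the point of pairing a pattern with a checksum: a bare digit-run regex would report it as a card.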

Understanding search rules

Rules used by the indexer

Because DLP systems capture all network data, some rules are needed to classify and store it.

Search rules

● How archives are handled

● Understanding case insensitivity

● How Microsoft Office 2007 files are handled


● Avoiding negative searches

● Number of results supported

● Parts of speech excluded from capture

● How proper names are treated

● Handling of short words

● Special character exceptions

● How word stemming is handled

How archives are handled

The search engine finds, extracts and evaluates content in ZIP, GZIP and TAR archives, but only

if the compressed file type is identified in the query.

Case insensitivity rule

The search engine is case-insensitive.

For example, if you search for a term in ALL CAPS, the system will retrieve and report the

matching content, whether it is in upper or lower case.

How Microsoft Office 2007 files are handled

The indexer ignores certain Microsoft Office 2007 content because of the way the applications

handle fonts, colors, macros, and page definition.

● If two dictionary words are merged together, the merged word will not be found.

Example:

American and Recovery are two dictionary words. If they are merged into the word AmericanRecovery, they will

not be found.

● If a word in a Microsoft Office 2007 document has different fonts and colors, the word will not be read as a

whole and will not be found.

Example:

If all the letters in the word Recovery are of different fonts and colors, it will not be found.

● If a word continues across two different pages, it will not be found.

Example:

If the word Recovery is spread across two pages (one page contains Rec and the second page contains overy), it

will not be found.

● Words in documents that use special Microsoft Office 2007 font features like WordArt, SmartArt, and watermarks will not be found.

● Words present in macros in Microsoft Office 2007 documents, and headers and footers in PowerPoint and

Excel, will not be found.


Avoiding negative searches

The search engine does not recognize queries that consist entirely of negative search terms.

A query containing only words not to be found is instructing the search engine not to search. Therefore, you must define a scope of data (at least one positive term) within which the excluded terms will not be found.

Number of results supported

The search engine is designed to retrieve no more than 10,000 results at a time. If this limit is exceeded, match strings will not be retrieved, and hits on substrings may return overly broad results.

The dashboard incident list and the HTML and PDF exports are limited to 5,000 incidents; up to 150,000 incidents can be exported in CSV format.

TIP: If your search results exceed these limits, narrow your query and repeat the search.

Parts of speech excluded from capture

The indexer ignores some common parts of speech.

Parts of speech like a, and, this, therefore, else, while, and with are excluded from capture.

How proper names are treated

The indexer treats proper name searches like keyword searches. It is not necessary to capitalize

them.

Handling of short words

The indexer ignores words of three characters or fewer. Short words like air, eye, mac, pet, sox, and zip are excluded from capture.

Exceptions

● US state postal abbreviations are reported [AL, CA, CT, TX, NY...]

● Common governmental acronyms are reported [DMV, CIA, DOJ, FAA, NSA, IRS]

Special character exceptions

The indexer reports words that include non-alphabetic characters, such as numbers or spaces, only if they are identified in an Exact Search.

The following characters have special meaning and cannot be used in searches.

Character   Description
.           period
;           semicolon
|           pipe
`           back tick
< >         less than / greater than
( )         parentheses
\ \\        backslashes
/> ]]>      markup
*           control characters
/           escape characters

If you enter any of these characters in a query, you might get one of the following error messages: "Invalid character(s) in the input for the field" or "Search did not complete."

How word stemming is handled

The search engine does not recognize incomplete or partial words, but word stemming is supported.

NOTE: If an exact search is defined, stemming is disabled.

Example

● Searching for "basket" to retrieve "basketball" will not return a result.

● Searching for "run" in "running" will return a result.

NOTE: If the plural of a complete word used in a search is found, the result is reported as if it were a word stem.
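The rules in this section explain several searches that silently return nothing: a query made only of negative terms, a term the indexer never captured because it was a stopword or a short word, or a reserved character that aborts the search. The following Python example, added to this guide and not part of the product, is a pre-flight check that applies those documented rules to a keyword query before it is pasted into Advanced Search. It assumes a query written as whitespace-separated terms with a leading hyphen for negation, as in the concept expression example; the stopword and short-word exception lists are exactly those the guide gives, which are partial.

```python
# Characters the guide lists as reserved in searches.
RESERVED = set(".;|`<>()\\/*")
# Parts of speech the guide says are excluded from capture (the list given is partial).
STOPWORDS = {"a", "and", "this", "therefore", "else", "while", "with"}
# Short words the guide says ARE captured despite being three characters or fewer.
SHORT_WORD_EXCEPTIONS = {"AL", "CA", "CT", "TX", "NY", "DMV", "CIA", "DOJ", "FAA", "NSA", "IRS"}


def check_reserved(value):
    """Reserved characters present in the raw query text, sorted for stable reporting."""
    return sorted({ch for ch in value if ch in RESERVED})


def is_all_negative(terms):
    """A query with no positive term gives the engine no scope to search within."""
    return bool(terms) and all(t.startswith("-") for t in terms)


def dropped_terms(terms):
    """Terms the indexer would not have captured, so a keyword search cannot match them."""
    out = []
    for t in terms:
        word = t.lstrip("-")
        if word.lower() in STOPWORDS:
            out.append((t, "stopword"))
        elif len(word) <= 3 and word.upper() not in SHORT_WORD_EXCEPTIONS:
            out.append((t, "short word"))
    return out


def precheck(query):
    """Return a list of findings; an empty list means the query is worth running."""
    findings = []
    bad = check_reserved(query)
    if bad:
        findings.append("reserved characters: " + " ".join(bad))
    terms = query.split()
    if is_all_negative(terms):
        findings.append("all terms are negative; add a positive term to scope the search")
    for term, why in dropped_terms(terms):
        findings.append(f"'{term}' is not indexed ({why})")
    return findings


if __name__ == "__main__":
    for q in ("project Recovery -AmericanRecovery", "-confidential -secret", "price <100> and zip", "IRS form"):
        print(f"{q!r}: {precheck(q) or 'ok'}")
```

Run against the Office 2007 example above, the merged word AmericanRecovery passes the pre-check but still matches nothing in a document where the two words were joined by formatting, which is why the pre-check reports only what the indexer rules decide and not what the capture actually contains.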

Monitoring Active Directory users

How remote user accounts are monitored

Historically, DLP Manager has been linked to sAMAccountName as the main user identification element. But that attribute is not globally unique: users in different domains can share the same sAMAccountName, and similar user names are easily confused, so a name alone cannot positively identify a user. DLP now keys on the unique alphanumeric SID (Security Identifier) that is assigned to each user account by the Windows domain controller.

For example, the user name jsmith may belong to John Smith or Jack Smith, so more information would be needed to distinguish between those two users. Those individuals may even be using the same IP address, which would aggravate the problem of discovering the identity of the actual user.


But each account on an Active Directory server is made up of attributes that identify the

individual who owns the account. McAfee Logon Collector matches the unique SIDs that are

assigned to each Active Directory user to IP addresses, and all of the parameters associated

with that SID are extracted when MLC moves binding updates from the Active Directory server to

DLP.

NOTE: Because SAMAccountName was used to index data in earlier releases, that information may be lost

during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database

pre-dates the upgrade.

Using Active Directory User elements

All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers.

When these elements are used in a query, columns supporting the parameter are configured in

the search popup and on the dashboard.

NOTE: Each of the user elements retrieves the attributes listed.

Parameters available

● User Name: user's name, alias, department, location

● User Groups: user's group

● User City: user's city

● User Country: user's country

● User Organization: user's company or organization

Using DLP on remote LDAP servers

The ability to monitor user traffic on Active Directory servers has now been extended to remote directory servers, making global user management practical.

The ability of DLP 9.0 to connect to multiple domain controllers makes this possible. Not only is data on local networks captured, but coverage is extended to all traffic on up to two LDAP servers.

When users can be recognized by name, group, department, city or country, a DLP administrator can extract a great deal of significant information by starting from a few known facts and gradually gathering more details about potential violations.

Viewing Active Directory incidents

In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents. When you get results from querying a directory server, you can view them on the Data-in-Motion dashboard or the corresponding ePO dashboard.

Click Columns to see what other data categories are available for display.

NOTE: Not all of these parameters can be used for queries. This accounts for the disparity between the data categories available on the dashboard and those on the search and rule pages.


Adding Active Directory columns to the dashboard

When you view Active Directory results, you will want to see all the user data available for the query you made. Use this task to add user columns to the dashboard.

NOTE: The columns available reflect the scope of data available. Not all of these parameters can be used for searching captured data or implementing rules. In an ad hoc search, some Active Directory attributes (user names, companies, email, managers, titles) are not displayed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click Columns.

3. Use the Add and Remove buttons to move Available columns to the Selected box.

NOTE: There are many more columns available than there are searchable network elements.

They were added to the interface to accommodate Host DLP. You can use them to display

additional attributes that are reported, but not displayed by default.

Columns available

● User Custom

● UserCity

● UserCompany

● UserCountry

● UserEmail

● UserGroups

● UserID

● UserManager

● UserName

● UserGroup

● UserOrganization

● Network printer

● Network path

● Location Tag Path

4. Use Move buttons to move all User columns to the top of the Selected pane.

TIP: If you cannot see the Move buttons, expand your dashboard.

5. Click Apply.

Adding rules to find Active Directory information

After you have configured your DLP system to get Active Directory user parameters, you will be able to search network traffic for any user information on that server. Use this task to create rules that will find significant information in that traffic.


TIP: You can construct a rule to keep administrators, who are responsible for handling privileged information,

from being reported as violators.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. From the Actions menu, select Add a Policy.

NOTE: You can skip this step and add a rule to an existing policy, or add Active Directory user parameters to an

existing rule.

3. Select Add a rule from the Actions menu.

4. Select a Severity to classify the rule.

5. Set the Inherit Policy State to Enabled to bind the rule to the policy.

6. Open Content and add a keyword, concept, or content type to retrieve specific content (optional).

7. Open Source/Destination and click on a user parameter.

8. Click "?" and select an Active Directory server.

9. Click Find to retrieve all available patterns.

TIP: If you know what you are looking for, you can type it into the search field.

10. Click on one or more patterns and Apply.

11. Add other parameters as needed.

12. If you want to apply an action when a match is found, click on the Actions tab and add one or more.

13. Click Save.

Advantages of keying on SIDs

Because McAfee Logon Collector allows DLP to key on SIDs instead of sAMAccountNames, the identities of individual users can be resolved and their traffic can be monitored. By leveraging multiple user attributes, it is now possible to identify end users conclusively, regardless of what email or IP addresses they are using.

When a SID is retrieved from the Active Directory server, all of its associated attributes, such as domain name, location, department and user group, come with it. That collection of information can then be used in rules, templates, action rules, and notifications to find and stop security violations by specific users.

Types of Active Directory data supported

The following Active Directory parameters are supported by this release.

● UserCity (ucity)

● UserCountry (ucountry)

● UserDepartment (udepartment)

● UserGroups (ugroup)

● UserName (uname)


NOTE: These are the parameters that can be used for queries and rules, but incidents that are reported on the

dashboard may have more objects available in the database. That information can be viewed by adding

columns that can display those fields.

The following Active Directory parameters are supported by the standalone Host DLP 9.0.

● Network path

● Network printer

● Location Tag Path

How McAfee Logon Collector is used with DLP

Suppose you know that your company has lost intellectual property to a Chinese firm, and you suspect that the leak came from an insider in your Shanghai branch. Because McAfee DLP captures all traffic on your company's network, you can add the Active Directory server that contains the user account of that insider to DLP Manager, then search for the UserName of that individual and monitor his communications.

You might then search his communications for the name of the lost component, then find the email address and geographical location of users outside the company who may have received the information.

You might not know what will be in those communications, but you can use what you find to ask the next logical question.

TIP: If you don't know the user's name, you can gradually develop his identity by searching for users in Shanghai, searching the user groups in your Engineering division, and identifying a sub-group that may contain the user.

How McAfee Logon Collector enables user identification

McAfee Logon Collector is used to map IP addresses to user identities within Active Directory servers. Without it, users may be hard to identify: they may be logged into different or multiple workstations, IP addresses change when DHCP servers assign new addresses, and more than one user might be logged on to the same workstation.

When a McAfee Logon Collector is configured with a DLP Manager, it resolves user identities by retrieving collections of user account information from all Active Directory servers that have been added to the DLP system. Supporting multiple domain controllers means that large-scale enterprise operations can be served by McAfee applications.

For DLP, that means that after McAfee Logon Collector is enabled, DLP administrators can configure Active Directory-based queries and rules to find out what activities specific users are engaging in on the network.
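The identity problem this chapter describes has two parts: a user name is not unique across domains, and an IP address is not stable over time. The following Python example, added here and not McAfee Logon Collector's own code, models the resolution it performs: a time-ordered table of (timestamp, IP, SID) logon bindings is consulted with the capture's source IP and timestamp to find the SID that held that address at that moment, and the SID's directory attributes come with it. The directory entries, SIDs, addresses and times are all constructed; in the sample two accounts share the sAMAccountName jsmith in different domains, and DHCP reissues the same address to the second of them a day later.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed directory data: two accounts that share a sAMAccountName but have distinct SIDs.
DIRECTORY = {
    "S-1-5-21-1111-2222-3333-1001": {"sAMAccountName": "jsmith", "domain": "CORP", "name": "John Smith",
                                      "department": "Engineering", "city": "Shanghai"},
    "S-1-5-21-4444-5555-6666-1002": {"sAMAccountName": "jsmith", "domain": "SALES", "name": "Jack Smith",
                                      "department": "Sales", "city": "New York"},
}

# Constructed logon bindings (timestamp, ip, sid): DHCP hands 10.1.2.3 to a different user the next day.
BINDINGS = [
    (datetime(2010, 6, 15, 8, 0), "10.1.2.3", "S-1-5-21-1111-2222-3333-1001"),
    (datetime(2010, 6, 15, 9, 0), "10.1.2.7", "S-1-5-21-4444-5555-6666-1002"),
    (datetime(2010, 6, 16, 8, 30), "10.1.2.3", "S-1-5-21-4444-5555-6666-1002"),
]


def users_named(sam):
    """Name-based lookup: ambiguous whenever two domains hold the same sAMAccountName."""
    return sorted(sid for sid, attrs in DIRECTORY.items() if attrs["sAMAccountName"] == sam)


class BindingTable:
    """Per-IP list of (timestamp, sid) bindings, sorted so the holder at any instant is a bisect away."""

    def __init__(self, bindings):
        self.by_ip = defaultdict(list)
        for ts, ip, sid in sorted(bindings):
            self.by_ip[ip].append((ts, sid))

    def resolve(self, ip, when):
        """SID bound to `ip` at `when`: the most recent logon at or before the capture time."""
        entries = self.by_ip.get(ip, [])
        times = [ts for ts, _ in entries]
        i = bisect_right(times, when)
        return entries[i - 1][1] if i else None


def attribute_event(table, ip, when):
    """Resolve a captured event to a SID and pull the SID's directory attributes along with it."""
    sid = table.resolve(ip, when)
    if sid is None:
        return None
    return {"sid": sid, **DIRECTORY[sid]}


if __name__ == "__main__":
    table = BindingTable(BINDINGS)
    print("jsmith resolves to", len(users_named("jsmith")), "accounts by name")
    for when in (datetime(2010, 6, 15, 14, 0), datetime(2010, 6, 16, 10, 0)):
        print(when, "10.1.2.3 ->", attribute_event(table, "10.1.2.3", when)["name"])
```

The same address attributes to John Smith on the first afternoon and to Jack Smith on the second, which is the case the NOTE about pre-upgrade capture data warns about: data indexed by name alone cannot be re-keyed to a SID after the fact.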

Finding remote user information

How remote user data is retrieved

The extension of McAfee DLP capabilities through multiple Active Directory controllers makes it

possible to retrieve more information about remote users than ever before.


If your local network is connected through McAfee Logon Collector to remote Active Directory servers, this capability brings your global security problems under local control.

TIP: When a user parameter is used to bring in remote information, it is best to use it as a key within a larger

search or rule. Add other qualifiers to target the information that is needed.

NOTE: Before you can search for user information on remote servers, you will have to add an Active Directory server and establish secure connections between a McAfee Logon Collector and DLP Manager.

Finding remote users by name

Use this task to get information about specific users on remote networks.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or

rules.

2. Open the Source/Destination category.

3. Select User Name from the first menu.

4. Select is any of from the second menu.

TIP: Using the is none of condition might retrieve too many records.

5. Click "?".

6. Select a Directory Server from the popup menu.

7. Click Find to fetch the first 1000 user name entries.

8. Select Local User or Everyone.

9. Click Apply. The selected user names will populate the value field.

10. Add parameters from other categories to define the information that is needed from the records of the remote

users.

11. Click Search or Save as Rule.

Finding remote users by group

Use this task to get information about users on remote networks who are members of specific

groups.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or

rules.

2. Open the Source/Destination category.

3. Select User Group from the first menu.

4. Select is any of from the second menu.


TIP: Using the is none of condition might retrieve too many records.

5. Click "?".

6. Select a Directory Server from the popup menu.

7. Click Find to fetch the first 1000 user group entries.

8. Select one or more groups.

9. Click Apply. The selected groups will populate the value field.

10. Add parameters from other categories to define the information that is needed from the records of the remote

groups.

11. Click Search or Save as Rule.

Finding remote users by city

Use this task to get information about users on remote networks who reside in specific cities.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or

rules.

2. Open the Source/Destination category.

3. Select User City from the first menu.

4. Select is any of from the second menu.

TIP: Using the is none of condition might retrieve too many records.

5. Click "?".

6. Select a Directory Server from the popup menu.

7. Click Find to fetch the first 1000 user city entries.

8. Select one or more cities.

9. Click Apply. The selected city's users will populate the value field.

10. Add parameters from other categories to define the information that is needed from the records of the remote

users of the selected city.

11. Click Search or Save as Rule.

Finding remote users by country

Use this task to get information about users on remote networks who reside in a specific country.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or

rules.

2. Open the Source/Destination category.

3. Select User Country from the first menu.


4. Select is any of from the second menu.

TIP: Using the is none of condition might retrieve too many records.

5. Click "?".

6. Select a Directory Server from the popup menu.

7. Click Find to fetch the first 1000 user country entries.

8. Select one or more countries.

9. Click Apply. The selected country's users will populate the value field.

10. Add parameters from other categories to define the information that is needed from the records of the remote

users of the selected country.

11. Click Search or Save as Rule.

Finding remote users by organization

Use this task to get information about users on remote networks who work for specific

organizations or companies.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.

TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or

rules.

2. Open the Source/Destination category.

3. Select User Organization from the first menu.

4. Select is any of from the second menu.

TIP: Using the is none of condition might retrieve too many records.

5. Click "?".

6. Select a Directory Server from the popup menu.

7. Click Find to fetch the first 1000 user organization entries.

8. Select one or more organizations.

9. Click Apply. The selected organizations will populate the value field.

10. Add parameters from other categories to define the information that is needed from the records of the remote

organizations.

11. Click Search or Save as Rule.

Getting and processing results

Using the Incidents dashboard

The Incidents dashboard gives you a detailed and comprehensive picture of the risks faced by your organization. The incidents and events reported are stored in three different databases, which correspond to the appliances that produced them.


Database vectors

● Data-in-Motion incidents are produced by DLP Monitor when its rules match data in the network stream.

● Data-at-Rest incidents are produced by DLP Discover when a scan finds sensitive data in network

repositories or databases.

● Data-in-Use events are produced by DLP Host when data violations are found at network endpoints.

The dashboard tools give you the means to sort through all of the databases to reveal the most

significant objects.

Dashboard tools

● Selecting a pre-defined view, such as Incident Listing, offers a different configuration of the incidents on the dashboard.

● Clicking the List, Group Detail, and Summary buttons displays some typically useful configurations.

● Clicking any link on the dashboard changes the sorting keys in the Group by pane to reveal different attributes of the incidents.

● Building filters using the Filter by pane offers dozens of options for viewing the data stored in the databases.

● Selecting the Disk or Options icons allows you to save significant collections of data as views or reports.

If you are using DLP through ePolicy Orchestrator, all DLP dashboard tools are available to you.

In addition, you can get summaries of the incidents and events on the main ePO dashboards.

TIP: Assign incidents to cases to collaborate on investigating and resolving problems.

Using the DLP Homepage

Checking Homepage permissions

In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP HomePage.

Your role in the organization determines what you will be able to see on this page.

You can check your permissions by checking DLP Sys Config | User Administration | Groups |

Details | Task Permissions | Incident Permissions.

NOTE: Because permissions are assigned by group, you will have to find out what group you belong to before

checking permissions.

Configuring the DLP Homepage

The DLP Homepage gives you a quick overview of incidents found on your network or in

network repositories. You can also get a summary of events that have taken place at network

endpoints on this page.

Incidents are categorized by the Data-in-Motion, Data-at-Rest, or Data-in-Use vectors. These

correspond to data moving over the network, data in network repositories, and events taking

place at network endpoints.


Customizing the DLP Homepage

Use this task to display up to four different reports on your home page.

TIP: You can control the details of incidents you see on the Incidents dashboard by sorting, grouping and

filtering them.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP HomePage.

2. Select Customize from the Options menu.

3. Select up to four reports.

4. Click Apply.

How to use the Homepage

All incidents and events that are reported on the Incidents dashboard can also be viewed directly by clicking the ePO Dashboard icon. The following are available:

● DLP Status Summary

● DLP Executive

● DLP Manager

● DLP Data-in-Motion

● DLP Data-at-Rest

● DLP Data-in-Use

NOTE: If you want to sort, filter, or manage any of the incidents, you must go to the DLP Reporting | Incidents dashboard.

Getting details of results

How to get incident details

Use this task to get details about an incident.

TIP: If you cannot see incident details, you may not have the right permissions set. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click on a Details icon.

3. On the Incident Details page, click any available link.

NOTE: The document will launch if the supporting software is installed. If there is another link inside the

document, it is likely to be the database object that triggered the incident.

4. Click any tab to get additional information.

NOTE: Incidents that are captured in real time, like chat and FTP sessions, cannot display details (like file

names and user information) because they cannot be synchronized with the existing flow.


Finding matches that triggered incidents

Use this task to find the match string that triggered an incident.

TIP: If you cannot see incident details, you may not have the right permissions set. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click on a Details icon.

3. In the Incident Details window, click Matches.

Finding out if an incident is in a case

Use this task to find out if an incident has been included in a case.

TIP: If you cannot see incident details, you may not have the right permissions. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click on a Details icon.

3. On the Incident Details page, click Case.

Getting history of an incident

Use this task to find out who looked at an incident and what actions were taken.

TIP: If you cannot see incident details, you may not have the right permissions. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click on a Details icon.

3. In the Incident Details window, click History.

Identifying concepts that triggered incidents

Use this task to find out what concept triggered an incident.

TIP: If you cannot see incident details, you might not have the right permissions. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click on a Details icon.

3. In the Incident Details window, click Concepts.

Generating reports

How reports are generated

When you save a report, you are saving the content of what you are seeing on the dashboard in

PDF, HTML or CSV format.


NOTE: CSV output is limited to 150,000 incidents. The maximum size of the exported report is 5 MB. There are no limits on the number of incidents exported in a case.

If you want to save the dashboard settings, save a view instead.

NOTE: An incident that is exported from the dashboard cannot be saved if it is larger than 5 KB.

Adding a company name to a report

Use this task to display a company name on a report.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | System Administration.

2. Select a Configure link for the DLP Manager being used to create the report.

3. Scroll down to Company Information.

4. Type in your company name.

5. Click Update.

Creating CSV reports

Use this task to export an ASCII report in CSV format.

NOTE: The CSV format is available only under List view. Group Detail and Summary are not supported.

NOTE: Unlike the HTML and PDF Incident List Reports, there is no maximum number of incidents or maximum

size for the exported report.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).

3. Click List.

4. Click Options.

5. Select Export as CSV.

6. Select Open or Save.

If you select Open, the report launches in spreadsheet format if you have Microsoft Excel installed.

If you select Save, the report is saved to your desktop.

Creating HTML reports

Use this task to export a report in HTML format.

NOTE: The maximum number of incidents displayed in the HTML Incident List Report is 5,000. The maximum size of the exported report is 5 MB.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).

3. Click List, Group Detail, or Summary.

4. Select Export as HTML from the Options menu.


5. Select Open or Save.

If you select Open, the report opens in a web browser.

If you select Save, the report is saved to your desktop.

Creating PDF reports

Use this task to export a report in Adobe PDF format.

NOTE: The maximum number of incidents displayed in the PDF Incident List Report is 5,000. The maximum

size of the exported report is 5 MB.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).

3. Click List,Group Detail, or Summary.

4. Select Export as PDF from the Options menu.

5. Select Open or Save.

If you select Open, the report launches if Adobe Reader is installed.

If you select Save, the report is saved to your desktop.

Scheduling reports

Use this task to set up a report to run on a regular basis and send an email notification.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click the Disk icon.

3. Name the view.

4. Select an owner.

NOTE: Ownership is determined by the group to which a user belongs. If the user's group is not listed, go to

DLP Sysconfig | User Administration | Groups and add the group.

5. Click Set as Home View (optional).

6. Click Schedule Reports.

7. Click Types.

8. Fill in the report frequency parameters.

9. Type in the email parameters.

10. Click Save.

Setting up views

How to set up views

In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views. Use

this page to manage all standard and custom views you have collected. Using a variety of

significant data patterns will help you to understand and manipulate the incidents that are found.


TIP: Pull down the Incident Listing menu on the Incidents page and select another view to see how results can be rearranged.

Attachments can be displayed if they are under 50 MB. The number of incidents that can be

reported is limited to 150,000. After that number is reached, chunks of supporting data are

wiped, starting with the oldest incidents first.

Copying views to users

Use this task to copy a view that you have created to another group of users.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.

2. Check a view box.

3. Select Copy View to Users from the Actions menu.

4. Check a group box.

5. Click Apply.

TIP: Add a user group if the one you need is not listed.

Deleting views

Use this task to delete views from the Incident Listing menu.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.

2. Check a view box.

3. Select Delete from the Actions menu.

4. Confirm or cancel.

Saving views

Use this task to save a customized view to the Incident Listing menu.

NOTE: When you save a view, you are storing your current dashboard settings. To save the content you are seeing, create a report instead.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.

2. Select a vector from the Data-in-Motion dashboard menu.

3. Reconfigure your dashboard (optional).

4. Group your results (optional).

5. Filter your results (optional).

6. Click the Disk icon.

7. Name the view.

8. Select an owner.


NOTE: Ownership is determined by the group to which a user belongs. Add a group if the user's group is not

listed.

9. Check Set as Home View (optional).

10. Schedule a report that will use the view (optional).

11. Click Save.

Selecting different views

You can switch to different Incident configurations by selecting from a variety of different

dashboard menus.

TIP: Many views keyed on different attributes of reported incidents are available in the Incident Listing menu. If none suit your purposes, save a custom view; it will be added automatically to the list.

NOTE: Each of the view vector menus (Data-in-Motion, Data-at-Rest, Data-in-Use) references a different

database.

Selecting a view vector

Use this task to control the display of incidents from the three databases that support

DLP devices.

The vector menu is located over the Actions menu on the Incidents dashboard.

● Select Data-in-Motion from the vector menu to view incidents found in the network data stream.

● Select Data-at-Rest from the vector menu to view incidents found by scanning repositories.

● Select Data-in-Use from the vector menu to view events that have occurred on endpoints.

Selecting pre-configured views

The Incidents dashboard displays icons that access three pre-configured views.

Pre-configured Views

List: Displays all incidents in page format

Group Detail: Displays incidents graphically using two sort keys

Summary: Reports incident highlights arranged in a graphical framework

TIP: Customize each view type by sorting, grouping, or filtering incidents. The Incident Listing menu contains a large number of sample views that you can add to by saving your own custom views.


Customizing the results dashboards

How dashboards are customized

Customizing the results dashboard allows expansion of the display area, listing of more

incidents, or display of additional attributes that are hidden by the default configuration.

TIP: Pull down the Incident Listing menu and select another view to change the default configuration quickly.

Adding rows to the dashboard

Use this task to view more than 25 rows of incidents on the dashboard.

NOTE: Viewing a large number of incident rows at one time (1,000 or more) could cause an HTTP REQUEST

timeout.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click Columns.

3. Select a number from the Incidents per page menu.

4. Click Apply.

Changing dashboard display space

Use this task to change incident display space on the dashboard by expanding or collapsing

dashboard panes.

TIP: To adjust the size of the navigation pane, drag the vertical rule to the desired location.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Double-click the expansion bar between panes to collapse the navigation pane.

3. Double-click the expansion bar to restore the navigation pane.

TIP: Drag the expansion bar to adjust the space used by each frame.

Configuring dashboard columns

Use this task to change the number of attributes reported per item by adding or removing

dashboard columns.

TIP: Try changing the view type (List, Group Detail, Summary) or views under Incident Listing before adding

columns. One of the views may already provide the framework you need.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click Columns.

3. Use the Add and Remove buttons to move Available columns to the Selected box.

4. Use Move buttons to move Selected column headers up or down.

TIP: If you cannot see the Move buttons, expand your dashboard.


5. Click Apply.

TIP: If you add a column to display ThumbnailMatch images, do not add rows. Moving 1,000 or more incident

rows at one time could cause an HTTP REQUEST timeout.

Displaying match strings

Use this task to add a Matchstrings row to the incidents dashboard.

TIP: Because Matchstrings use more space on your dashboard, you may prefer to view them using the Details icon of each incident.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click Columns.

3. Select the Display Matchstring checkbox.

4. Click Apply.

Grouping and filtering incidents

How incidents are grouped and filtered

DLP Monitor captures all network data, though portions of traffic might be filtered out to improve

performance.

NOTE: You can set a capture filter to focus the capture engine on significant traffic.

Because each incident displayed on the DLP dashboard is supported by a huge collection of

database objects, a vast amount of data is available for viewing.

TIP: Click on a data cell to see how the dashboard uses attributes as sorting keys.

Because you can see and understand only a small percentage of those objects at one time, you

should try to filter incidents so that only the most significant attributes will be displayed.

Clearing filters

Use this task to clear any filters you have set.

CAUTION: When you finish using a filter, click Clear All, or the configuration will block all other results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Go to Filter by... .

3. Click Clear All.

4. Click Apply.

Filtering incidents

Use this task to eliminate irrelevant results that block significant data.


TIP: Before filtering, always define a time frame.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click any view type (List, Group Detail, or Summary).

TIP: You can filter incidents instantaneously by clicking on any cell. The dashboard will

immediately display all other incidents that contain the attribute that was selected.

3. Go to Filter by... .

4. Set the time frame filter.

5. Click the green plus sign to add a filter.

6. Set another data filter (for example, Content equals MSWord).

NOTE: You can type attributes into the value field, but it is easier to click "?" to launch a popup

menu.

7. Click Apply.

8. Add filters that will narrow the results further (for example, Filename equals <filename>).

9. Click Apply.

10. Click the Disk icon to save the configuration (optional).

NOTE: When you finish using a filter, click Clear All, or the configuration will block all other results.

Grouping incidents

Grouping incidents by relevant categories produces more focused results.

Use this task to select up to two group types that will provide a framework for your incidents.

TIP: Before grouping, always set a time frame filter.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select a view vector (Data-at-Rest, Data-in-Motion, Data-in-Use).

3. Click Group Detail.

4. In the Group by... pane, select two categories that will act as your primary and secondary sort keys.

5. For each category, select the number of occurrences to display.

6. Click the disk icon to save the view (optional).

The workspace automatically adjusts to the configuration you define.

NOTE: When you finish using a filter, click Clear All, or the configuration will block all other results.

Setting a date and time for results

Because Monitor captures everything on your network, you must specify a general or specific

time frame to focus your results — but make sure you have data available for the period you

specify. If you select a date range before your systems started capturing data, you will not get

any results.


Use this task to find all results captured at a specific time or within a certain time frame.

NOTE: Time filters are associated with dashboard views. For example, if you select a view different from the

default Incident List, you can see the Timestamp and other filter settings change.

TIP: Keep the time setting constant by saving a Home View.

1. Go to Filter by... .

2. Select Timestamp (default).

3. Select a time frame from the Anytime menu.

TIP: Click "?" to select a Custom Date.

4. Click Apply.

NOTE: When you finish using a filter, click Clear All, or the configuration will block all other results.

Sorting results

How to sort results

In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents to sort

incidents. Sorting allows you to set aside results that are not immediately relevant, but might be

significant at a later time.

TIP: Save a view or a report to track your changes.

Deleting incidents

Use this task to delete incidents that do not contain useful information.

NOTE: You can delete over 100,000 incidents from the capture database at one time.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select one or more checkboxes.

TIP: Click the box in the column header to Select All Results on Page if you want to delete more results.

3. Select Delete from the Actions menu.

4. Click OK to confirm, or Cancel.

TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for

deletion later.

Deleting similar incidents

Use this task to delete all incidents produced by a single rule, policy, or any other attribute.


NOTE: Using this method, you can delete over 100,000 incidents from the capture database at one time.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select a category from the Group by... menu.

3. Select All Results or All on Page from the Actions menu.

4. Select Delete from the Actions menu.

5. Click OK to confirm, or Cancel.

TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for

deletion later.

Finding incidents that violated a policy

Use this task to find all incidents that violated a single policy.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select List or Summary.

3. Double-click any policy listed under Group by... .

The incidents that violated that policy will be displayed on the dashboard.

Sorting incidents by attribute

Use this task to sort incidents that contain common attributes (for example, the same recipient,

timestamp, severity, reviewer, etc.).

TIP: Select Columns and add more columns to display more attributes.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click the column header of the attribute you want to sort by.

The incidents will sort according to the attribute selected.

Changing settings

How settings are changed

Because DLP systems capture everything on the network (except traffic which is deliberately

filtered out using capture filters), you may find that you need to change the settings that

determine how many incidents are reported at once, and how they are delivered to the

dashboard.

For example, you might want to expand the number of incidents reported to the dashboard by

default, but avoid overburdening the system. You can experiment with different settings by

configuring throttling.

Similarly, you can comply with PII requirements by encrypting certain elements, but you can

manage the system resources that are being consumed while doing so.


Configuring throttling to limit incidents

You can set throttling to report between 1 and 9,999 incidents within a window of 10 to 3,600 seconds.

Throttling is enabled by default; to report all incidents, uncheck the Enable Throttling box.

Use this task to change the number of incidents found in a specific time frame.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings.

2. Under Configure Throttling Parameters, leave the Enable Throttling box checked.

3. Type in the maximum Number of Incidents to be reported.

4. Type in the maximum Time Duration in seconds.

5. Click Save.
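The throttling window above (N incidents per T seconds, with the accepted ranges from the Settings page) as an added Python example; this is not McAfee's code and does not claim to reproduce how the appliance counts. It models a sliding window: an incident is reported while fewer than N have been reported in the preceding T seconds, otherwise it is suppressed. Whether the appliance drops or merely defers suppressed incidents is not stated on the page, so dropping them is an assumption here.

```python
"""Sliding-window incident throttle (illustration, not McAfee's implementation)."""
from collections import deque
from typing import Deque, Iterable, List

# Ranges the Settings page accepts for Number of Incidents and Time Duration.
MIN_INCIDENTS, MAX_INCIDENTS = 1, 9_999
MIN_SECONDS, MAX_SECONDS = 10, 3_600


def settings_valid(max_incidents: int, window_seconds: int) -> bool:
    """True if the pair would be accepted by the Configure Throttling Parameters form."""
    return (MIN_INCIDENTS <= max_incidents <= MAX_INCIDENTS
            and MIN_SECONDS <= window_seconds <= MAX_SECONDS)


class IncidentThrottle:
    def __init__(self, max_incidents: int, window_seconds: int, enabled: bool = True):
        if not settings_valid(max_incidents, window_seconds):
            raise ValueError("incidents must be 1..9999 and duration 10..3600 seconds")
        self.max_incidents = max_incidents
        self.window = window_seconds
        self.enabled = enabled          # False models an unchecked Enable Throttling box
        self._reported: Deque[float] = deque()  # timestamps of incidents reported in the window
        self.suppressed = 0             # assumption: suppressed incidents are dropped, not queued

    def admit(self, ts: float) -> bool:
        """Return True if the incident occurring at time ts (seconds) is reported."""
        if not self.enabled:
            return True                 # throttling off: every incident is reported
        # Drop report timestamps that have aged out of the window.
        while self._reported and ts - self._reported[0] >= self.window:
            self._reported.popleft()
        if len(self._reported) >= self.max_incidents:
            self.suppressed += 1
            return False
        self._reported.append(ts)
        return True


def simulate(throttle: IncidentThrottle, timestamps: Iterable[float]) -> List[float]:
    """Feed a burst of incident timestamps (ascending) through the throttle; return those reported."""
    return [ts for ts in timestamps if throttle.admit(ts)]


if __name__ == "__main__":
    # Constructed burst: 5 incidents in the first 5 seconds, 4 more starting at t=10.
    t = IncidentThrottle(max_incidents=3, window_seconds=10)
    print(simulate(t, [0, 1, 2, 3, 4, 10, 11, 12, 13]), "suppressed:", t.suppressed)
```

With 3 incidents per 10 seconds, the burst at t=0..4 reports three and suppresses two; the incidents at t=10, 11 and 12 are reported as the earlier ones age out, and t=13 is suppressed again.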

Encrypting incidents

Use this task to ensure compliance with PII requirements.

When the encryption feature is enabled, two fields (subject and matchstring) that might contain PII are encrypted before they are stored in the database. They are decrypted before they are displayed on the dashboard.

NOTE: This feature is disabled by default to conserve resources.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings | Security

Settings.

2. Check the Sensitive Incident Data box to encrypt all incidents found.

3. Check the Encrypt Capture Data box to encrypt the entire capture database.

NOTE: Selecting this option might impede performance.

4. Click Save.

Preventing data loss

Protecting data with DLP Prevent, Discover, and Endpoint

McAfee DLP devices use three different mechanisms to prevent data loss. Actions taken depend upon whether the violations are detected in network communications, network repositories and databases, or at network endpoints.

● DLP Prevent evaluates email and webmail that has been forwarded from an MTA or proxy server, marks

messages that violate active rules with certain actions, and passes them back to the email or webmail server to

be enforced.

● DLP Discover supports remedial actions that can be taken when sensitive or registered content has been

detected in a network repository or database.

● Host DLP uses pre-programmed rules with specific actions that may be deployed on- or offline when violations

are found at endpoints.


Whether they are generated by Prevent, Discover, or Host DLP devices, Incidents and events on

DLP dashboards can be resolved manually or automatically. Users might apply actions directly

to incidents from the Actions menu, or pre-program rules to automatically trigger specific

actions.

Protecting data with DLP Prevent

How DLP Prevent protects data

DLP Prevent uses a rules evaluation mechanism with applied actions to provide automatic

resolution of problems found in email and webmail that is circulating on a network.

When a violation is found in network communications, an optional action rule is triggered to

neutralize or dispose of the incident.

NOTE: DLP Prevent must be deployed with an MTA or proxy server. Communications are forwarded over

SMTP or ICAP, depending on whether an email or web gateway is used.

When violations are found in network email, DLP Prevent might be used to do the following:

● block confidential data breaches

● encrypt authorized transmissions

● quarantine suspicious traffic

● bounce email that violates policies

● notify supervisory personnel

● record incidents in a system log

● allow email that is determined to be legitimate.

When violations are found in webmail, the DLP actions are reduced to BLOCK and ALLOW.

TIP: Use DLP Prevent to capture network traffic for later forensic analysis or block the transmission of sensitive

data sent using specific mail protocols (for example, HTTP POST, SMTP_Request, etc.).

Adding a DLP Prevent action rule

McAfee DLP 9.0 provides default action rules that can be applied to any rule, and they are used

by DLP Prevent to process violations in email communications.

Use this task to create a custom action rule, if one is needed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. From the Actions menu under Data-in-Motion, select Add Action Rule.

3. Type in a name for the action rule.

4. Open Email Notification to alert one or more users when the action is triggered.

TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example,

##Filename found by the ##Rule violated the ##Policy and was quarantined.


5. Open Syslog Notification and select Enable to log the incident (optional).

6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).

7. Open Incident Status to change the stage of resolution when the action takes place (recommended).

8. Select an action from the Data-in-Motion Prevent Actionmenu.

9. Click Save.

After you have created the action rule, apply it to one or more rules.

Applying a DLP Prevent action rule

DLP Prevent contains a set of international rules that are automatically applied against email communications, and many of them already have default actions that will be taken when the rules hit.

If the correct action has not yet been applied, use the following task to add an action to a rule.

1. Go to Policies and click on a policy.

2. Click on a rule.

3. Click on the Actions tab.

4. Click on the Add Action plus sign.

5. Select the action from the Data-in-Motion list.

6. Click Save.

TIP: Wait for the edited rule to produce results, or create some traffic that will execute it. Then verify that the action rule applied to the rule implements the correct action.

Types of DLP Prevent actions

Violations found by the DLP Monitor capture engine may be processed using one of the following preventive actions.

Actions

● Allow

● Block

● Bounce

● Encrypt

● Monitor

● Notify

● Quarantine

● Redirect

Each action can be configured to automatically notify users that a preventive action has been

applied.

Each action can also be configured to place a record in a system log, assign the incident to one

or more reviewers, or apply a status that indicates its stage of resolution.


The role of DLP Prevent in a managed system

DLP Monitor is a passive component on the network, so the default preventive action has to be

set to ALLOW. This setting changes only if DLP Prevent is installed — preventive actions are not

supported without it.

If DLP Prevent is managed by DLP Manager, rules that are deployed to All Devices are directed

to DLP Prevent, but only if they contain preventive actions.

NOTE: If DLP Monitor, Discover and Endpoint devices are managed by DLP Manager, every rule can be

configured to deploy one action of each of the three incident types.

How DLP Prevent processes email

Use this task to understand the DLP Prevent process.

1. A host sends an email message to an email gateway.

2. The message is relayed to the smart host, which routes it to the DLP Prevent appliance.

3. On receiving the email, the DLP Prevent appliance compares it to existing rules.

4. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.

5. The DLP Prevent then sends the email back to the smart host, and it is relayed back to the email server.

6. Based on the action specified in the X-RCIS-Action header appended by the Prevent appliance, the message

is allowed, blocked, bounced, encrypted, monitored, quarantined or redirected.

7. Notification of the action is sent to the defined user.

Configuring DLP Prevent for email

When configured with an email gateway, DLP Prevent can monitor transmissions and apply

preventive actions to protect data in network communications.

Use this task to configure DLP Prevent.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.

2. Select the DLP Prevent appliance and click Configure.

3. Scroll down to the Smart Host section of the page and enter an IP address to which the email to be processed

will be routed.

NOTE: Host names are not supported; an IP address must be used. A smart host is configured only if

SMTP email is being processed, and configuring more than one is not supported.

4. If you configured a rule and you want email notification when the rule hits, you must add an email address. The

mail server sends notification to that address after the action is taken.

5. Click Send test mail to verify that the smart host connection is alive.

6. Click Update.

NOTE: Both MTA and proxy servers can be handled by one DLP Prevent system, but contact a McAfee Service

Representative to assure proper performance.


How DLP Prevent processes webmail

Use this task to understand the DLP Prevent webmail process.

1. A host sends a webmail message to a network address.

2. If a web proxy server is set up, it intercepts the message and routes it to the DLP Prevent appliance.

3. On receiving the email, the DLP Prevent appliance compares it to existing rules.

4. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.

5. The DLP Prevent then sends the webmail back to the proxy server, and it is either blocked or delivered to its

addressee.

NOTE: Although DLP Prevent supports block, bounce, encrypt, monitor, quarantine and redirect actions, proxy servers can only BLOCK or ALLOW webmail.

6. Notification of the action is sent to the defined email address.

Configuring DLP Prevent for webmail

When configured with a web proxy server, DLP Prevent can monitor transmissions and identify

traffic to and from wikis, portals, blogs and other collaborative sites using HTTP and HTTPS

protocols.

Use this task to set DLP Prevent up to work with webmail.

1. Set up DLP Prevent to work with Bluecoat, McAfee Web Gateway (formerly Webwasher), or McAfee Email

Security Appliance.

McAfee Email Security Appliance is set to handle up to 30 concurrent SMTP connections — but Prevent

exceeds this limit. To get these two appliances to work together, you must modify the ESA configuration files.

2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sysconfig.

3. Add the DLP Prevent device to DLP Manager.

4. Click on the configure link of the DLP Prevent.

5. Scroll down to the Email Setting fields and add an email address for notification.

NOTE: If you are monitoring traffic through a proxy server, no configuration is needed because that server is

already part of the network, so smart hosts are not used when DLP Prevent is configured with a proxy server.

Do not enter anything in this box.

6. Click Update.

NOTE: SSL-encrypted webmail transmissions might become visible during this process.

7. The web proxy server captures outgoing HTTP traffic (including webmail) and sends it to DLP Prevent over ICAP (Internet Content Adaptation Protocol).

8. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.

9. If the action specified in the header is not ALLOW, the webmail is BLOCKED.

10. Notification of the action is sent to the defined user.


MTA requirements to inter-operate with Prevent

Whether or not a generic MTA can inter-operate with Prevent depends upon the capabilities of

the MTA in question. In what follows, we distinguish between the terms incoming/outgoing and

entering/leaving when discussing emails.

● By incoming and outgoing, we mean emails that are either being sent to or received from the outside world.

● By entering and leaving, we mean emails that are entering or leaving the MTA.

Any MTA that is expected to inter-operate with Prevent must comply with the following

requirements.

1. Must be capable of sending either all or a portion of outgoing traffic to the Prevent application. DLP Prevent is

not typically used to inspect incoming email. Examples of a requirement where only a portion of the traffic

needs to be scanned may be in environments where only traffic with attachments is to be scanned, or where

scanning is limited to traffic directed to public sites (for example, Yahoo).

2. Must be capable of inspecting email headers of messages entering the MTA.

3. Must be capable of taking actions based on specified match expressions for email headers. The specific

header strings received from Prevent are the X header X-RCIS-Action header with values ALLOW, BLOCK,

QUART, ENCRYPT, BOUNCE, REDIR and NOTIFY.

4. Based on entering port or some other metric, must be capable of distinguishing all emails arriving from the Prevent appliance from other mail, and then applying header inspection and header-based action rules exclusively to mail that arrived from Prevent. If the MTA honoured an X-RCIS-Action header on mail from any other source, a sender could set the verdict on their own message simply by adding the header.

5. Must be capable of ensuring that emails arriving from the Prevent appliance are not routed back to the Prevent appliance. This can be done either by using port / srcIP-based mail routing, by checking whether an X-RCIS-Action header already exists in an email scheduled to be routed to the Prevent appliance, or by some other means.

6. Must be capable of implementing all of the Prevent-based actions. If the MTA does not have all of the required

capabilities, inter-operation is still possible — but in that case, the actions that can be set when rules are

created must be limited to those supported by the MTA.

7. Must be able to inter-operate with an email encryption appliance (if this capability is needed) and instruct the

encryption appliance to encrypt specific messages based on header information or other metrics.
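The email flow, the MTA requirements above and the webmail attenuation to BLOCK/ALLOW, as an added Python example. This is not McAfee code and not a real MTA: it shows the dispatch logic a generic MTA needs in order to meet requirements 1, 4 and 5 using the X-RCIS-Action values from requirement 3. The appliance address, the dedicated listener for mail returning from Prevent, the public-domain list that selects "a portion of outgoing traffic", the sample messages and the fail-closed handling of an unrecognised verdict are all assumptions made for the example.

```python
"""MTA-side dispatch for inter-operating with DLP Prevent (illustration, not McAfee code)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional, Tuple

ACTION_HEADER = "X-RCIS-Action"
# Header values named in requirement 3.
KNOWN_ACTIONS = {"ALLOW", "BLOCK", "QUART", "ENCRYPT", "BOUNCE", "REDIR", "NOTIFY"}

# Assumptions for this example: where Prevent lives, a listener the MTA reserves for
# mail coming back from Prevent (requirement 4's "entering port"), and the public
# webmail domains that trigger scanning when only part of the traffic is scanned.
PREVENT_IP = "10.0.0.50"
PREVENT_RETURN_PORT = 10025
PUBLIC_MAIL_DOMAINS = {"yahoo.com", "gmail.com"}

# Constructed sample messages, not captured traffic.
OUTGOING_WITH_FORGED_HEADER = (
    b"From: alice@example.com\r\n"
    b"To: bob@yahoo.com\r\n"
    b"Subject: quarterly numbers\r\n"
    b"X-RCIS-Action: ALLOW\r\n"      # put there by the sender, not by Prevent
    b"\r\n"
    b"see attached\r\n"
)
RETURNED_BY_PREVENT = (
    b"From: alice@example.com\r\n"
    b"To: bob@yahoo.com\r\n"
    b"Subject: quarterly numbers\r\n"
    b"X-RCIS-Action: QUART\r\n"
    b"\r\n"
    b"see attached\r\n"
)
INTERNAL_PLAIN = (
    b"From: alice@example.com\r\n"
    b"To: carol@example.com\r\n"
    b"Subject: lunch\r\n"
    b"\r\n"
    b"noon?\r\n"
)


def parse(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def needs_scan(msg: EmailMessage) -> bool:
    """Requirement 1: send all outgoing mail to Prevent, or only a portion of it.

    This example scans mail that carries an attachment or is addressed to a public
    webmail domain; everything else bypasses Prevent.
    """
    if any(True for _ in msg.iter_attachments()):
        return True
    for field in msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []):
        if any(addr.domain.lower() in PUBLIC_MAIL_DOMAINS for addr in field.addresses):
            return True
    return False


def dispatch(raw: bytes, source_ip: str, entry_port: int) -> Tuple[str, EmailMessage]:
    """Decide what the MTA does with a message that has just entered it.

    Returns ("forward-to-prevent" | "deliver" | <Prevent action to enforce>, message).
    """
    msg = parse(raw)
    from_prevent = source_ip == PREVENT_IP and entry_port == PREVENT_RETURN_PORT

    if not from_prevent:
        # Requirement 4: the verdict header is honoured only on mail that entered from
        # Prevent. A header already present was set by the sender; strip it so it can
        # never be mistaken for a verdict (and so requirement 5's "header already
        # exists" loop check stays meaningful).
        del msg[ACTION_HEADER]
        return ("forward-to-prevent" if needs_scan(msg) else "deliver"), msg

    # Requirement 5: mail that came back from Prevent is enforced here, never routed
    # to Prevent again.
    if ACTION_HEADER not in msg:
        # Prevent adds the header only when a rule matches (step 4 of the email
        # flow), so no header means no violation was found.
        return "deliver", msg
    action = str(msg[ACTION_HEADER]).strip().upper()
    if action not in KNOWN_ACTIONS:
        return "QUART", msg   # assumption: an unrecognised verdict fails closed
    return ("deliver" if action == "ALLOW" else action), msg


def proxy_decision(action_header: Optional[str]) -> str:
    """Webmail path: a proxy can only BLOCK or ALLOW, so any verdict other than ALLOW
    is blocked. No header means no rule matched, so the request is allowed."""
    if action_header is None:
        return "ALLOW"
    return "ALLOW" if action_header.strip().upper() == "ALLOW" else "BLOCK"


if __name__ == "__main__":
    print(dispatch(OUTGOING_WITH_FORGED_HEADER, "192.168.1.20", 25)[0])   # forward-to-prevent
    print(dispatch(RETURNED_BY_PREVENT, PREVENT_IP, PREVENT_RETURN_PORT)[0])  # QUART
    print(proxy_decision("ENCRYPT"))                                      # BLOCK
```

The two identity checks (source address and entry port) stand in for whatever the MTA actually uses to recognise the Prevent appliance; what matters is that the header is only ever read on that path, and that mail on that path is never queued for Prevent again.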

Reviewing prevented violations

Use this task to see what preventive actions have been applied to an incident.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Click List.

3. Select an incident and click its Details icon.

4. At the bottom of the Incident Details page, check for prevented actions.

Protecting data with DLP Discover

How DLP Discover protects data

DLP Discover remediation allows immediate resolution of problems found in a repository or

database.


When a violation is found, a Data-at-Rest action rule can be configured to prevent or correct the

situation that produced the incident.

NOTE: Remediation is part of the incident workflow, and any time incidents are wiped from the system,

remediated files will also be wiped.

When violations are found in Data-at-Rest, the remediation feature may be used to do the

following:

● Copy files containing violations to another location on the network

● Move files containing violations to another location on the network

● Password-protect files containing violations

● Delete files containing violations

Each of these actions also includes the capability to do the following:

● Notify users of violations found in scanned data

● Record violations found in scanned data in a system log

● Assign incidents to one or more reviewers

● Set a status that indicates the state of resolution

Remediation can be applied directly to incidents reported on the Data-at-Rest dashboard, or

pre-programmed by attaching an action rule to rules that produce incidents.

Adding a remedial action rule

Use this task to add a remedial action rule that will be applied in a Discover scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Select Add Action Rule from the Actions menu under Data-at-Rest.

3. Type a name for the action rule.

4. Open Email Notification to alert one or more users to the action.

TIP: You can use Dynamic Variables to inform users of the remedial action automatically. For example,

##Filename found by ##ScanOperation violated the ##Policy and was moved to <export location>.

5. Open Syslog Notification and select Enable to log the incident.

6. Open Incident Reviewer to assign a reviewer.

7. Open Incident Status to define its stage of resolution.

8. Open Remediation Policy and select the corrective action that is to be taken.

9. Click Save.

Types of remedial action

Violations found by a Discover scan may be processed using one of four remedial actions.

● Copy

● Move


● Encrypt

● Delete

Each action can be configured to automatically notify users that a remedial action has been

applied to a violation found in Data-at-Rest.

Each action can also be configured to place a record in a system log, assign the incident to one

or more reviewers, or apply a status that indicates its stage of resolution.

Applying a remedial action to a rule

Use this task to apply a remedial action to a rule that will be used in a Discover scan. If the rule

hits, the action defined in the rule will be taken.

NOTE: If Monitor and Discover devices are managed by DLP Manager, every rule can be configured to deploy

one action to each of the three incident types.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on the policy defined in the scan.

3. Click on one of the rules.

4. Click on the Actions tab.

5. Click on the Add Action plus sign.

6. Select the remedial action from the Data-at-Rest menu.

7. Click Save. Repeat until all rules have the action applied.

TIP: Re-scan to produce updated results, then verify that the action rule applied to the rule implements the

correct remedial action.

Setting up a location for exported files

Before sensitive files found in a database or repository can be copied or moved, a folder must be

set up to receive them, and it must also be set up for sharing.

Use this task to set up and configure an export location.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Export Locations.

2. From the Actions menu, select New.

3. Name the Export Location.

NOTE: If the folder does not already exist, it is created.

4. Type the IP address/Host Name, Share Name and Directory Path in the appropriate boxes.

5. Select a type from the Repository Type drop-down list.

NOTE: Only Windows shares (CIFS) are supported.


6. Select a Credential to access the repository, or click New to create a new one using authentication parameters

of an existing account.

7. Click Test to verify read/write access to the repository. If the credential is correct but the test is negative, use

Windows Explorer to verify that sharing is enabled and read-write privilege has been granted.

8. In Microsoft Windows Explorer, right-click on the target folder and select Properties.

9. On the General tab, deselect the Read-only checkbox.

10. On the Sharing tab, select Share this folder.

11. Click OK.

12. Click Save, then re-test.

Copying discovered files

After defining an export location, use this task to copy a file found by a discovery scan to that

location.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original

location to leave a record of the remedial process that has been applied.

1. Use the export location task to define a folder that will receive the file.

2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

3. Under Data-at-Rest, from the Actions menu, select Add Action Rule.

4. Type a name for the action rule.

5. Open Email Notification to alert one or more users when the action is triggered.

TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example,

##Filename found by the ##Rule violated the ##Policy and was quarantined.

6. Open Syslog Notification and select Enable to log the incident (optional).

7. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).

8. Open Incident Status to change the stage of resolution when the action takes place (recommended).

9. Open Remediation Policy and select Copy from the Action drop-down list.

10. Select the export location from the Destination drop-down list.

11. Click Save.

TIP: If you copy an incident from the dashboard, select its checkbox and select Remediate | Action | <copy

action rule> from the Actions menu. If an incident is to be copied when it is hit on by a rule, add the <copy

action rule> to the rule and click Save, then start a Discover scan that applies the rule containing the action

rule.

Deleting discovered files

Use this task to delete a file found during a discovery scan. Deleted incidents cannot be

recovered.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original location to leave a record of the remedial process that has been applied.

1. Check the permissions of the file to be deleted.

2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

3. From the Actions menu, select Add Action Rule.

4. Type a name for the action rule.

5. Open Remediation Policy and select Delete from the Action drop-down list.

6. If you have read and understood the Warning, select the I Accept checkbox.

NOTE: The action can be completed only if there is no conflicting instruction in the rule to which the action rule

is attached.

7. Add File Marker Text as appropriate.

TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable

on the drop-down list. For example, ##Filename found by ##ScanOperation violated ##Policy and was deleted.

8. Click Save.

9. Apply the new action rule to one or more rules.

10. Go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration. The Scan Operations

page is displayed.

11. Select a scan.

12. From the Actions menu, select Rescan.

13. Check results to verify that the file gets deleted.

Encrypting discovered files

Use this task to password-protect a file found by a discovery scan.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original

location to leave a record of the remedial process that has been applied.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Under Data-at-Rest, from the Actions menu, select Add Action Rule.

3. Type a name for the action rule.

4. Open Email Notification to alert one or more users when the action is triggered.

TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example,

##Filename found by the ##Rule violated the ##Policy and was quarantined.

5. Open Syslog Notification and select Enable to log the incident (optional).

6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).

7. Open Incident Status to change the stage of resolution when the action takes place (recommended).

8. Open Remediation Policy and select Encrypt from the Action drop-down list.


9. Type in a password and confirm it.

10. Add File Marker Text as appropriate.

TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. For example, ##Filename found by ##ScanOperation violated the ##Policy and was password-protected. Consult <administrator> for more information.

11. Click Save.

TIP: If you relocate an incident from the dashboard, select its checkbox and select Remediate | Action | <move

action rule> from the Actions menu. If you want an incident to trigger a move, add the <move action rule> to the

rule and click Save, then start a discovery scan that applies the rule containing the action rule.

Moving discovered files

After defining an export location, use this task to move a file found by a discovery scan to that

location.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original

location to leave a record of the remedial process that has been applied.

1. Use the export location task to define a folder that will receive the file.

2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

3. Under Data-at-Rest, from the Actions menu, select Add Action Rule.

4. Type a name for the action rule.

5. Open Email Notification to alert one or more users when the action is triggered.

TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example,

##Filename found by the ##Rule violated the ##Policy and was quarantined.

6. Open Syslog Notification and select Enable to log the incident (optional).

7. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).

8. Open Incident Status to change the stage of resolution when the action takes place (recommended).

9. Open Remediation Policy and select Move from the Action drop-down list.

10. Select the export location from the Destination drop-down list.

TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. This informs users of the relocation automatically. For example, ##Filename found by ##ScanOperation violated the ##Policy and was moved to <export location>.

11. Click Save.

TIP: If you relocate an incident from the dashboard, select its checkbox and select Remediate | Action | <move

action rule> from the Actions menu. If you want an incident to trigger a move, add the <move action rule> to the

rule and click Save, then start a discovery scan that applies the rule containing the action rule.


Reverting remediated files

Use this task to reverse a remedial action that has been applied to a file that was found during a

discovery scan.

NOTE: Deleted incidents cannot be reverted or recovered.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Check one or more incident boxes.

3. Click on the Actions menu, and select Remediate | Revert.

4. Click OK to confirm, or Cancel.

5. Verify that the action has been reverted by rescanning (optional).
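The Copy, Move and Delete tasks above all leave a trace file at the original location, and the Revert task restores a file except after Delete. As an added example that is not the product's code, this Python sketch models those semantics on a scratch directory: each action writes a trace record beside the original, Revert reads it back, and a Delete is refused on revert. The trace file name, its JSON layout and the treatment of a reverted Copy are assumptions; Encrypt is left out because it needs a file-encryption library.

```python
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional

# Name given to the trace file left beside the original; constructed for this example.
TRACE_SUFFIX = ".dlp-trace.json"


def trace_path(original: Path) -> Path:
    return original.with_name(original.name + TRACE_SUFFIX)


def remediate(original: Path, action: str, export_location: Optional[Path] = None,
              marker_text: str = "") -> Path:
    """Apply Copy, Move or Delete to a discovered file and leave a trace file at the
    original location recording what was done. Returns the trace file's path."""
    action = action.lower()
    if action not in {"copy", "move", "delete"}:
        raise ValueError(f"unsupported remedial action {action!r}")
    if trace_path(original).exists():
        raise FileExistsError("file already has a pending remediation; revert it first")
    record = {
        "action": action,
        "original": str(original),
        "marker_text": marker_text,
        "applied_at": datetime.now(timezone.utc).isoformat(),
    }
    if action == "delete":
        original.unlink()            # nothing is kept anywhere: this cannot be reverted
    else:
        if export_location is None:
            raise ValueError("Copy and Move require an export location")
        export_location.mkdir(parents=True, exist_ok=True)
        target = export_location / original.name
        if target.exists():          # never silently overwrite an earlier export
            raise FileExistsError(f"{target} already exists in the export location")
        if action == "copy":
            shutil.copy2(original, target)
        else:
            shutil.move(str(original), str(target))
        record["destination"] = str(target)
    trace = trace_path(original)
    trace.write_text(json.dumps(record, indent=2))
    return trace


def revert(trace: Path) -> bool:
    """Undo the action recorded in a trace file. Returns True if the original was
    restored, False for Delete, which the guide says cannot be recovered.
    Reverting a Copy by removing the exported copy is this example's assumption."""
    record = json.loads(trace.read_text())
    original = Path(record["original"])
    if record["action"] == "delete":
        return False
    target = Path(record["destination"])
    if record["action"] == "move":
        if original.exists():        # something new appeared at the original path
            raise FileExistsError(f"{original} exists; refusing to overwrite it")
        shutil.move(str(target), str(original))
    else:
        target.unlink(missing_ok=True)
    trace.unlink()
    return True


def run_demo() -> Dict[str, bool]:
    """Move + Revert, then Delete + Revert, on a constructed file in a scratch directory."""
    root = Path(tempfile.mkdtemp(prefix="dlp-remediation-"))
    share, export = root / "finance", root / "export"
    share.mkdir()
    doc = share / "q3-payroll.xlsx"
    doc.write_text("constructed sample content")
    results: Dict[str, bool] = {}

    trace = remediate(doc, "Move", export, "q3-payroll.xlsx was moved to the export location")
    results["moved"] = (export / doc.name).exists() and not doc.exists()
    results["trace_written"] = trace.exists() and json.loads(trace.read_text())["action"] == "move"
    results["move_reverted"] = revert(trace) and doc.exists() and not trace.exists()

    trace = remediate(doc, "Delete", marker_text="q3-payroll.xlsx was deleted")
    results["deleted"] = not doc.exists() and trace.exists()
    results["delete_not_revertible"] = (revert(trace) is False) and not doc.exists()

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(run_demo())
```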

Reviewing remedial actions

Use this task to see what remedial actions have been applied to an incident.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting Incidents.

2. Select Data-at-Rest from the display thumbwheel.

3. Click an incident to display the DLP Incident Details page. Any remedial actions are listed.

TIP: Click Columns to add the three Rem columns to the dashboard.

Adding columns to display remedial actions

Use this task to configure the Incidents | Data-at-Rest page to display the remedial actions that

have been applied to a file.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.

2. Click Incidents, then select Data-at-Rest from the display thumbwheel.

3. Click Columns.

4. On the Table Columns page, scroll down the Available list of columns.

5. Select one or more of the Remediation column headers.

● RemActionRule

● RemActionType

● RemTaskStatus

6. Click Add to move the column headers to the Selected list.

TIP: To move column headers out of the Selected list, select them, then click Remove.

7. Click the Move buttons to rearrange the placement of column headers.

8. Click Apply.


Protecting data with Host DLP (Endpoint)

Adding an Endpoint action rule

Endpoint action rules contain elements that are used in rules supported by the Host DLP product

— but in this release, they can also include network parameters. However, the endpoint

parameters used in the rule must be enabled before they can be used.

Use this task to create an action rule that can be added to any network rule containing an

Endpoint parameter.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. From the Data-in-Use Actions menu, select Add Action Rule.

3. Type a name for the action rule. Typing a description is optional.

4. Select one or more actions to be taken when a protected endpoint is detected.

● If the endpoint data detected is to be encrypted, provide an encryption key. Consult the updated Endpoint

Encryption for Files and Folders 4.0 Product Guide for more information.

● If the data detected is significant, select a Severity from the drop-down list.

● If users are to be notified when endpoint data is detected, type in a message. Typing in link text or a URL is

optional.

5. Select a Data-in-Use Policy Action.

6. Select from the available actions.

NOTE: Endpoint actions can be taken if the detected device is online or offline. Select one or both.

7. Click Save.

After you have created the endpoint action rule, apply it to one or more rules.

Applying an action to a rule with Endpoint parameters

Endpoint action rules are defined in the same way as DLP Prevent and DLP Discover action

rules, but if protection rules are to employ those actions, they must first be enabled (after

selecting them from a rule's Endpoint menu).

NOTE: You can add one of the existing Endpoint action rules to the unified rule, or configure an action

containing one or more of the Data-in-Use actions. Any rule can contain actions based on moving traffic or

static files, as well as endpoint reactions.

Because all parameters in a rule may have actions added, many different combinations are

possible. If an action is needed in a rule containing Endpoint parameters, use this task to add

one.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies and click on a rule that has one or

more Endpoint parameters.

2. Click on the Actions tab and select Add Action.

3. Select one or more Data-in-Use actions to be taken when a protected endpoint is detected.

4. Click Save.


How Host DLP protects data

Host DLP 9.0 protection rules have reactions defined by default, but in the unified release,

actions are optional, and they can be pre-programmed in the same way as DLP Prevent and

Discover. But rules containing Endpoint protection parameters are disabled by default, and

reactions fire only if they are enabled.

Endpoint protection rules cover clipboards, local printers, PDFs and image writers, removable

media, and screen captures — and by combining them with network parameters, massive

amounts of data that needs protection can be precisely defined.

In addition, Host DLP allows targeting of specific network paths and shares, printers, file and

encryption types, making it possible to protect a wide range of network endpoint types.

When any of these targets is compromised, a violation is generated and reported to Data-in-Use

dashboards on ePO or DLP Manager.

If an Endpoint action rule has been pre-defined, an action is triggered when a violation is found.

If not, the Actions menu provides many other ways to resolve problems that are reported to the

dashboards.

Types of DLP Endpoint actions

Events found on an endpoint by McAfee Agent may be processed using one of nine preventive

actions.

Actions

● Block

● Delete

● Encrypt

● Monitor

● Notify User

● Quarantine

● Request Justification

● Store Evidence

● Tag

Each of these actions can be applied to endpoints whether on- or offline.

Protecting endpoint data

Host DLP: Integrated into Network DLP

In this release, Host DLP has been redesigned and embedded in Network DLP. With this

addition, Network DLP has been extended to protect enterprises from the risk associated with

unauthorized transfer of data to unsecured endpoints. In addition, network file systems and

shares can now be protected using both host and network products.


The new Host DLP product interface is now known as Endpoint protection and configuration.

Events are identified by McAfee Agent and displayed through a Host DLP server on the ePO and

DLP Data-in-Use dashboards.

For example, data that has been moved, copied, printed or screen-captured from a laptop or

desktop to another device or location is monitored and controlled.

Endpoints that are protected include desktops, laptops, removable media, and printers.

How Host DLP extends network results

With the addition of Host DLP 9.0, significant host events are reported along with network

incidents. Like Network DLP, when violations are found, actions that prevent the misuse of

sensitive data fire automatically.

Because each host event can be embedded in a network rule, additional network parameters

can be added. For example, content, protocols, time definitions, and file and location parameters

may amplify the information available for each host event.

This is done by constructing network-oriented rules that include endpoint definitions. Open any

rule and pull down the Endpoint menu to select one or more of the Host DLP protection rules.

Then use the menu choices under other categories to add attributes that will produce more

relevant hits — on or off the network.

NOTE: If your DLP Manager is configured with McAfee Logon Collector and an Active Directory server,

endpoint protection can be extended to directory servers managing users all over the world.

How Network DLP protects endpoints

Host DLP protects endpoints by using the McAfee DLP Agent, which resides on hosts, to

administer and enforce the global Host DLP policy. Network DLP works with the Agent through

Host DLP by adding host parameters to existing network rules and policies.

When a significant event is detected by one of the integrated host protection rules, it is reported

to the Data-in-Use dashboards through DLP Manager. When a rule hits, reactions that are

associated with Host DLP rules are deployed.

Creating Agent Override Passwords

After McAfee Agent reports an event, an agent override key must be used to reverse any of its

actions. An Agent Override Password must therefore be set before starting any network tasks

related to DLP Host.

For example, a key must be used to unblock quarantined files, unlock and decrypt encrypted

files, request justification for blocked actions, or work around any other events that have been

generated by the McAfee Agent.

Use this task to set an agent override password.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.

2. Click Endpoint Configuration, then Agent Override Password.


3. Type in and confirm a password.

4. Click Submit.

Agent events that cannot be reported

Some of the events detected by McAfee Agent cannot be reported to DLP dashboards. For

example, the Incident Details page cannot identify content, content type, or the evidence server

that generated the event.

None of the following events can be reported to DLP Manager.

● Agent enters bypass mode

● Agent leaves bypass mode

● User returned from Safe Mode

● Device plugged in

● New device class found

Viewing endpoint events

Events that are generated by DLP agents at endpoints are stored in the ePO database, which is

accessed through DLP Manager. They can be viewed on the Incidents dashboard on the

Network DLP Data-in-Use dashboard, and a summary of those events is also displayed on

ePO's main dashboard.

NOTE: If you cannot see endpoint event details, you might not have the right permissions set. Contact your

administrator.

Use this task to view endpoint events on ePO.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.

2. Click Incidents.

3. Select the Data-in-Use vector.

4. Click List.

5. Select a view from the Incident Listing menu.

6. Click a Details icon.

7. On the Incident Details page, click any available link.

If you select a document link, it will launch if the supporting software is installed. If

there is another link inside the document, it is likely to be the database object that

triggered the incident.

8. Click any tab on the Incidents Details page to get additional information.

TIP: The columns configured on the dashboard determine the attributes displayed on the Incident Details

page. Add or subtract columns by clicking the Columns button on the Incidents dashboard.


Types of endpoint events

Host DLP events are generated by the McAfee DLP Agent, which is deployed by the Host

DLP Monitor, and any significant events found are displayed through the DLP Manager.

Problems identified by the McAfee Agent might include critical system events, rule violations, or

events associated with a particular user or computer. The roles users play in an organization

determine what types of events they are allowed to view.

The events displayed may also include registered and classified content that has been tagged

for protection purposes, disallowed user actions, access violations, or detection of a controlled

element.

Events can be filtered by general, administrative, or outgoing conditions. For example, an

administrative event may indicate that an agent or policy state has changed, and an outgoing

event may be generated when protected data is in motion.

Managing endpoints

The DLP 9.0 system must be set up to record incidents and events to the Host and Network

DLP databases through DLP Manager. Because existing Host DLP operations must not be

affected, the default configuration is to allow them.

As long as device control, application tagging, and rights management features are not needed,

you can manage endpoints with Network DLP. This is done by creating a global policy to enable

all of the supported Host DLP features.

The policy for host operations must be created on the DLP Sysconfig | Endpoint Configuration |

Manage Endpoints page. Its rule definitions are updated on the Host DLP extension every 30

seconds by default, but a different interval can be defined by editing the Time Duration for

Posting Policy Definition setting.

After the policy is generated, it is posted from DLP Manager to ePO, saved in the ePO database,

forwarded to the connected agents, and updated at the defined interval.

NOTE: If you don't check the Generate Policy for Endpoint box, incidents found by the existing policies are

sent to the Network DLP databases and reported to the Data-in-Motion dashboard. If the box is checked,

incidents and events will be sent to both Host and Network DLP databases, and reported to both Data-in-Use

and Data-in-Motion dashboards.

How Host and Network policies differ

Rule definitions for Host DLP are all consolidated within a single global policy definition, so

there is only one global policy that supports multiple rules. Network DLP, however, is designed

around an international collection of unified policies, and all Host rules are accommodated

within that system.

The systems are merged by adding an Endpoint category to every rule of every policy. When

that category is opened on the Add or Edit Rule page, a menu listing all Host DLP rules is

displayed. One or more can be selected to add specific endpoints to the parameters of any rule.

For example, existing privacy policies that have been deployed on a DLP Monitor can be

configured to identify violations not only in network traffic, but on specific endpoints.


Multiple endpoints can be added to a rule as a group by creating a template, then selecting it

from the menu before saving the rule. Adding frequently-used collections of endpoints to a rule

increases its efficiency and scope.

How Host DLP rules are mapped to Network DLP

Network DLP rules are organized under sets of policies that may have multiple owners. To

preserve this hierarchy, Host DLP rules feed into this structure by becoming an attribute, or rule

type.

The merged structure then becomes

<policy owner> | <policy> | <rule> | <rule type>.

Adding endpoints to existing network rules

Use this task to add a DLP Host endpoint parameter to an existing rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click a policy to open it for editing.

3. Click the rule to which you are adding endpoint parameters.

4. Open Endpoint.

5. Select an endpoint rule and define it. If it is a protection rule, click "?"; select Enable and Apply.

6. Click the Actions tab, then Add Action.

7. Select a suitable action from the Data-in-Use section.

8. Click Save.

9. Click Save.

Limitations of rules with Endpoint parameters

If a rule contains attributes that are supported by Network DLP, but not Host DLP, the rule will not

produce accurate results.

Unsupported DLP Network Parameters

● Email address sender variants

● Email subjects

● GeoIP locations

● User city

● User country

● File size

● Keyword expressions

● Complex Boolean algebra


Excluding printers from protection rules

Before you use printer protection rules, you should whitelist any printers that need not be

monitored.

Identify the printers that do not require protection by going to Menu | Data Loss Prevention |

DLP Sys Config, and open the Endpoint Configuration | Unmanaged Printer Models page.

You can type printer paths and names directly into the Printer Model field, but if you have added

Active Directory servers to DLP Manager, you can click "?" and select them from an existing

Directory Server list.

Assigning Host DLP incidents to cases

All events reported on Data-in-Use dashboards can be assigned to cases if further investigation is warranted. They might even be assigned to the same cases as Data-at-Rest and Data-in-Motion incidents.

NOTE: If an error is encountered while assigning incidents to a case (for example, the object cannot be fetched

from the evidence share), a message launches indicating that the failed incidents must be reassigned to the

case.

Searching endpoint data

Endpoint data can be identified if it is tagged or registered, and user activities can be monitored

and controlled to prevent compromise of sensitive data.

But because it is not indexed, endpoint data cannot be searched.

Limitations of this release

If you have to implement device control, application tagging, or digital rights management

features of Host DLP, you cannot also use Network DLP.

● Device control prevents unauthorized use of removable media (including USB drives), iPods, Bluetooth

devices, CDs, and DVDs.

● Application-based tagging rules are used to monitor or block files created by applications.

● Digital rights management controls use of digital content not authorized by the content provider.

Discovering data at risk

Introducing McAfee DLP Discover

DLP Discover scans document or database repositories on network or managed client (host)

computers to identify and protect sensitive data.

Crawling is implemented by scan tasks, which find, fetch, and analyze sensitive content.

Depending on the type of scan used, files found may be listed, registered, or evaluated and

protected, producing incidents and violations.


Setting up Discover

Configuring DLP Discover

Before DLP Discover can be configured to work in cooperation with other DLP appliances, you must prepare it to run in managed mode, register it to DLP Manager and ePO, and configure policies to find incidents in data at rest.

Users who are tasked with registering documents and running scans must be given permission

to do so. See Setting Discover scan permissions.

Adding Discover to Manager

Use this task to integrate the DLP Discover appliance into the DLP system.

NOTE: Because registering wipes the current configuration, you must recreate any scan tasks manually.

If you are upgrading from a standalone DLP Discover, you cannot register it to DLP Manager if any registration

task is in Running state. Wait for the task to finish, or stop it manually.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. From the Actions menu, select New Device.

3. Fill in the blank fields. The database port and ePO UI port are predefined, and should not normally be

changed. If you are adding a DLP Host server, check the box.

4. Click Add.

5. Click OK to confirm.

6. Wait for the Status icon in the device list to turn green. If registration seems to be taking a long time, try

refreshing the page.

If the Status icon changes to a Critical or Unknown state, you might have to overwrite an old configuration or resynchronize the systems. Deregister the machine, then reregister it.

Preparing Discover for managed mode

Because registering Discover to DLP Manager wipes its configuration, take notes so you can

recreate all user-defined elements.

NOTE: Only captured data and incidents are retained after the Discover device is added to DLP Manager.

User-defined elements

● Scan tasks

● Schedules

● Credentials

● Scan statistics

● Export locations

● Users and user preferences


● Custom rules and policies.

Contact McAfee Professional Services if you need assistance.

Republishing Discover policies

Use this task to publish policies to Discover after it has been registered to DLP Manager.

This process copies policies, rules, concepts, and content capture filters to Discover.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select a policy that will be used by Discover.

3. Select a rule in the policy.

4. Select the Discover Devices checkbox.

5. Repeat for each rule that is to be used.

6. Click Save.

Setting Discover registration permissions

Use this task to assign privileges to register documents.

NOTE: You must have administrative permission to make these changes.

Document Registration Permissions

● Web Upload: Upload documents or structured data to be registered; no deletion or de-registration rights;

view user's own registered documents

● Manage Uploaded Documents: Upload documents or structured data to be registered; view and manage

documents uploaded by all users; delete and deregister uploaded files; update and delete excluded text

● Discover Registration: Register documents or structured data.

NOTE: If group permissions are modified, all members will have to log out and log in again.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration |

Groups.

2. Click the Details icon of a group.

3. Select the Task Permissions tab.

4. Open Discover Registration Permissions.

5. Select one or more permissions checkboxes.

6. Click Apply.

Setting Discover scan permissions

Use this task to assign privileges to users who will be using Discover.

NOTE: You must have administrative permission to make these changes.


Discover Scan Permissions

● Manage Schedules: Create, edit and delete schedules

● Manage Credentials: Create, view, edit and delete credentials. These are the repository and database logins that scans run under, so grant this permission narrowly.

● Manage Scans: Create, view, edit, activate, deactivate and delete scans; register documents; view and export scan statistics, history and registered files; add and view excluded text

● Control Scans: Create new actions; view, start, stop, rescan and clone tasks; view and export scan statistics, history and registered files; add and view excluded text

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration | Groups.

2. Click the Details icon of a group.

3. Select the Task Permissions tab.

4. Open Discover Scan Permissions.

5. Select one or more permissions checkboxes.

6. Click Apply.

NOTE: The Policy Execute and Task View Dashboards permissions are also required for DLP Discover users to see the Incidents dashboard.

Task status messages

Task status messages report the outcome of a scan task, or an anomaly during it. Where a remedy applies, it is listed.


Status message: Definition / Remedy

ResourceMissing
  Definition: The path does not exist, or the file is missing. It was found during the investigation phase (indexing) but is missing during the crawling phase.
  Remedy: Check the repository to see whether it is really missing. If not, restart the scan.

ConfigurationError
  Definition: The task database may have been corrupted.
  Remedy: Recreate the task. Call McAfee Technical Support if that does not resolve the problem.

Connection timed out - IncompleteListing
  Definition: Cannot connect to the repository while the investigation phase is in progress.
  Remedy: Wait for a while, then try again.

Complete
  Definition: The scan is complete.

Incomplete
  Definition: The scan is incomplete, probably due to a network error. The repository may have become unavailable.
  Remedy: Reconnect and restart the scan.

IncompleteListing
  Definition: The node is down, there was a network failure, credentials were changed between tasks, or the server is busy.
  Remedy: Wait for a while, then rescan.

Server stopped responding
  Definition: The server is busy.
  Remedy: Wait for a while, then resume the task.

TaskTerminated
  Definition: The Stop action was applied to the scan operation, the task stopped according to schedule, or it was killed by some external means (for example, a system crash or health check).
  Remedy: Wait for a while, then rescan.

TaskTerminated - IncompleteListing
  Definition: The task stopped (or its scheduled end time arrived) during the investigation phase.
  Remedy: Restart the task.

Waiting - crawlers busy
  Definition: The system has reached its maximum number of concurrent crawlers.
  Remedy: None needed; the task continues when the system is free.

System status messages

System status messages report connection, authentication and database problems encountered while scanning a repository. Where a remedy applies, it is listed.


Status message: Definition / Remedy

Connection Timed Out
  Definition: The repository is busy, too many connections have been made to the repository, or the network is down.
  Remedy: Wait for the network or repository to idle, then restart the scan.

Account is locked
  Definition: The account (username) is locked.
  Remedy: Provide a valid account, or contact the administrator of the repository.

Authentication Failed
  Definition: An incorrect credential has been entered.
  Remedy: Check the user name, password and domain in the credential, or try another one.

Authentication OK
  Definition: Authentication was successful.

Permission Denied
  Definition: Although authentication was successful, you do not have the privilege needed to use the resource.
  Remedy: Contact your administrator.

Do not have permission to update last access time on repository
  Definition: Permission to access the repository is needed.
  Remedy: Supply credentials with read/write access and restart the task. Write access widens what the scan credential can do on the repository, so confirm the scan needs it before granting it.

Share (or Shares) Inaccessible
  Definition: A share may be inaccessible because of insufficient user privilege, or because the share is being used exclusively by another process.
  Remedy: Go to the Filters tab and try to browse to the share.

Socket Communication Failure
  Definition: Could not establish a socket connection to the database.
  Remedy: Verify the IP address and port, then restart.

Unknown
  Definition: This error is rare, but may be related to a configuration error.
  Remedy: Call Technical Support if the error persists.

Unknown database
  Definition: The login database given was wrong.
  Remedy: Provide the correct login database, then restart.

Unsupported database version
  Definition: The database version on the repository is not supported.
  Remedy: Check the documentation for supported versions.

Registering sensitive content

Registering documents or structured data

Registered documents are indexed files. During a Registration scan, algorithms generate

signatures according to defined criteria that identify the text in the documents. They are used by

rules and policies to identify sensitive content.

The signatures are stored in the DocReg or DBReg system attributes for network scans. For host

scans, the signatures are stored in registered document packages that are deployed to the host

computers.

There are four ways to register content:

● Scanning network devices

● Embedding the DocReg or DBReg attribute in network rules

● Uploading individual files or databases

● Scanning the endpoint and deploying the signature package to the DLP Agent.


Crawling a repository using a Registration scan is the most efficient way to create unique

signatures for many at-risk documents. The scan can be set to run at regularly scheduled times,

or it may be started manually.

How signatures register data

Signatures that identify sensitive data are generated by complex algorithms during registration.

The registration process runs whenever a document is uploaded to Discover, or when a

Registration scan runs on a designated file system.

Each protected document may contain hundreds of overlapping signatures, which are

expressed as hexadecimal numbers. The density, or fidelity, of the signature tiling depends on

the level of detection you need.

Managing registered documents

Use these tasks to manage registered documents.

There are two ways of registering sensitive document or structured data.

● Use Web Upload under DLP Policies | Registered Documents to register single documents or objects.

● Use Data Registration to register groups of documents or database tables.

TIP: All signatures generated by these methods are stored in the DocReg or DBReg system attributes. Embed

the DocReg concept in a rule to find registered data on a regular basis, or run an ad hoc query by selecting it

from a popup menu.

Registering documents by uploading

Use this task to register documents on network repositories one at a time.

NOTE: If you want to upload a CSV (comma-separated values) file larger than 100 MB, compress the data file (zip, jar, gzip, tar, etc.) before uploading. The Network DLP device caps the size of files uploaded from browsers at 100 MB, but a larger data file can usually be compressed into an archive smaller than 100 MB. The DLP server does not impose any size limit on files after they are uploaded and uncompressed.

NOTE: If you use DLP Manager to upload a document, it will automatically be registered on all managed

devices.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Web Upload.

2. From the Actions menu, select Upload New File.

3. Browse to the file you want to register.

The file to be registered cannot be over 10 MB.

4. Select the policy and rule you want to use to detect the document.

Example

If your goal is to protect design documents, you might select the High Technology Industry IP policy and the Design Documents Emailed to Competition rule.

5. Click Save or Save, Upload Another.

When you click Save, the signature of the document is added to the DocReg attribute. All web uploaded

documents are collected in the DocReg concept; they are treated as a group, not registered individually.

NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after

clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will

not be recorded when using that browser.

Uploading complete paths with Firefox

Use this task to make Mozilla Firefox 3.5.x record the complete path of an uploaded file. Other browsers do not require reconfiguration.

NOTE: Enabling signed.applets.codebase_principal_support lets scripts on a web page request elevated browser privileges; the Internet Security popup in step 6 is that request. Click Allow only for the DLP Manager site, and consider reverting the preference when you no longer need full paths recorded.

1. Type about:config in the Firefox address bar.

2. Click the button acknowledging the warning.

3. Double-click signed.applets.codebase_principal_support to set it to true.

4. Close and re-open Firefox.

5. Upload a file.

6. Click Allow on the Internet Security popup.

Excluding text from registration

Use this task to record text that registration should ignore, such as boilerplate that appears in many documents and would otherwise generate signatures shared by unrelated files.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Excluded Text.

2. From the Actions menu, select New Text.

3. Open the document containing the text to be excluded.

4. Copy and paste the text into the Text to Exclude box.

5. Click Save.

TIP: You can also exclude text by tuning rules or identifying incidents as false positives.

Searching with the DocReg concept

Use this task to search for documents that have been registered.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search and open Content.

2. Select Concept from the first drop-down list, and is any of from the second.

3. Type DocReg in the text box.

4. Select the search results threshold from the drop-down list, then click Search.


NOTE: You can embed the DocReg concept in a rule to regularly match its signatures to data-at-rest or data-in-

motion on the network.

Adding the DocReg concept to a rule

Use this task to add the DocReg concept to a rule.

You can add up to two scan tasks to a rule, but only one of each type (Data-in-Motion or Data at

Rest). The definition of the rule determines which type is targeted.

TIP: If you add a scan operation to a rule after the DocReg concept is added, you can restrict the incidents

reported to a specific task by clicking "?" and selecting it from the popup menu.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select a policy, then select a rule to open it.

3. On the Define tab, select Content.

4. Click the plus icon to add an element.

5. In the new element, select Concept from the first drop-down list, and is any of from the second.

6. Click "?", then open Corporate Confidential and select DocReg. This instructs the rule to match all existing signatures to the content you defined.

7. Click Save.

TIP: Alternatively, click Save as Rule to open a rule definition page. Adding this rule to a policy allows you to

use the DocReg concept to identify sensitive documents automatically whenever that policy is used to find

incidents.

Example

If DocReg is added to the PII rule Social Security Number in Documents, it will find signatures only

in stationary documents.

If DocReg is added to Social Security Number in Email and Instant Messaging Conversations, it

will find signatures only in streaming network data.

TIP: If a Registration task is used with the DocReg concept, the rule will also be evaluated by any Discover

scan that uses its policy. You must manually configure the rule to include the DocReg concept if you want to

register the same document across multiple rules.

Setting signature types

The density of signatures generated during registration is determined by the signature type

selected when a Registration scan is configured.

NOTE: Only High Granularity signature types are generated for Web Uploaded documents.

High granularity

High granularity signatures provide full plagiarism detection and protection by generating overlapping tiles over every bit of text. The original document can be identified even if words are transposed or the contents differ by a couple of lines of text.

If this signature type is used, a percentage of matching signatures can be detected.

Medium granularity

Medium granularity signatures provide basic plagiarism detection and protection by generating

tiles over every eighth word. The original document can be identified even if the contents differ by a

couple of pages of text.

Low granularity

Low granularity signatures include a single compact digital signature for each document

registered. Exact copies of the file can be detected.
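The tiling described above, shown as an added example rather than McAfee's own algorithm or code: overlapping word windows are hashed to hexadecimal signatures at the three granularities, excluded text is removed before tiling (the Excluded Text page's purpose), and the share of a registered document's signatures found in candidate content is reported. The window size, the SHA-256 hash and the sample documents are assumptions made for illustration.

```python
"""Illustrative document registration (an added example, not McAfee's algorithm or code):
overlapping word-window tiles hashed to hex signatures at three granularities, with
excluded text removed before tiling, and a percentage match over a registered document."""
import hashlib
import re
from typing import Iterable, List, Set

WINDOW = 5  # words per tile; an assumption, the guide does not state the tile size


def normalize(text: str, excluded: Iterable[str] = ()) -> List[str]:
    """Strip excluded text (boilerplate that should not generate signatures), then tokenize."""
    for boiler in excluded:
        text = text.replace(boiler, " ")
    return re.findall(r"[a-z0-9]+", text.lower())


def tile_hash(words: List[str]) -> str:
    """One signature: a truncated SHA-256 of the tile, rendered as hexadecimal."""
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()[:16]


def signatures(text: str, granularity: str, excluded: Iterable[str] = ()) -> Set[str]:
    """high: a tile starting at every word; medium: every eighth word; low: one hash of the whole text."""
    words = normalize(text, excluded)
    if not words:
        return set()
    if granularity == "low":
        return {tile_hash(words)}
    step = {"high": 1, "medium": 8}[granularity]
    if len(words) < WINDOW:
        return {tile_hash(words)}
    return {tile_hash(words[i:i + WINDOW]) for i in range(0, len(words) - WINDOW + 1, step)}


def match_percent(registered: Set[str], candidate: Set[str]) -> float:
    """Share of the registered document's signatures present in the candidate content."""
    if not registered:
        return 0.0
    return 100.0 * len(registered & candidate) / len(registered)


# Constructed sample content.
DESIGN_DOC = ("Project Falcon design notes. The actuator firmware polls the CAN bus every "
              "ten milliseconds and writes telemetry to the ring buffer before the watchdog expires.")
FOOTER = "Confidential - do not distribute"
MODIFIED_DOC = DESIGN_DOC.replace("ten milliseconds", "five milliseconds")
UNRELATED = "Lunch menu for Tuesday: tomato soup, grilled cheese sandwich, apple pie and coffee."

if __name__ == "__main__":
    for g in ("high", "medium", "low"):
        reg = signatures(DESIGN_DOC + " " + FOOTER, g, excluded=(FOOTER,))
        print(g, len(reg), "tiles;",
              "modified copy matches %.0f%%" % match_percent(reg, signatures(MODIFIED_DOC, g)),
              "unrelated content matches %.0f%%" % match_percent(reg, signatures(UNRELATED, g)))
```

Run as a script, it shows why the guide calls low granularity an exact-copy check: changing one word drops the low-granularity match to zero while most high-granularity tiles still match, which is the percentage a rule threshold is set against.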

How signatures are shared with managed systems

When Discover and Monitor are in communication through DLP Manager, the registration

records produced on a Discover system are automatically shared with the Monitor signature

agents.

When signatures are shared, protection for content that has been identified in data at rest is

extended to data in motion on the network.

NOTE: Signatures are automatically transferred from Discover to any managed Monitor when a registration

scan is run. Rescanning is not necessary.

Managing signature generation memory

Generating signatures consumes memory resources; one gigabyte is available for the process.

The signature type defines the amount of memory used.

NOTE: In general, the larger the signature set, the more memory used while completing a registration task. For

example, a high granularity signature that provides full plagiarism detection consumes more resources than a

low granularity signature, which detects only documents that are identical to the one registered.

Deregistering content

Use this task to keep registered documents or objects from being identified again by any scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration.

A list of registered items is displayed.

2. From the Actions menu, select Unregister. When this is done, the registration crawler will exclude the

document or object from future registration.

Reregistering content

Use this task to re-register documents or objects that have been deregistered.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration. A list of unregistered items is displayed.

2. From the Actions menu, select Reregister. When this is done, the registration crawler will restore the registered document or object.

Crawling databases

Protecting sensitive database content

McAfee DLP Discover can crawl databases to protect known sensitive content, or to determine whether data that violates confidentiality policy is stored there, and then return the results of the crawl. You can drill down to the catalog, schema, table and column level with a scan, just as you can scan for data at specific levels of a file system hierarchy.

There are three ways to register database content:

● Run a registration scan on network devices or storage

● Embed the DBReg attribute in network rules

● Upload individual files or databases

NOTE: The structured data found can be saved to your desktop and uploaded, so that it can be used in

subsequent scans.

Different database vendors support different object hierarchies, and terminologies can differ from

vendor to vendor.

NOTE: Since the configuration of the filters page depends on the database type chosen, only the

relevant objects are displayed.

Example:

Database X might have the hierarchy Database -> Catalog -> Schema -> Table -> Columns/rows

Database Y might have the hierarchy Database -> Schema -> Table -> column/rows

What is Dynamic Data Registration?

Dynamic data registration (DDR) is a method for making the system aware of specific data items

that need protection. This could include lists of customer names and account numbers, credit

card numbers, patient records, and more.

DDR matches specific data values, not just patterns that describe the data, so fine distinctions

can be made between matches. For example, customer credit card numbers might be reported

as privacy violations, but an employee's own credit card number would be ignored.

With the DDR feature of McAfee DLP Discover, large volumes of database records (about 10 million) can be registered as sensitive and tracked. This feature is also known as Dynamic Data Match. The signatures produced by data matching are collected in a factory default concept (DBReg).


The same mechanisms that support registration of flat files also support registration of database records. For example, the DBReg factory default concept collects structured data in the form of comma-separated values found in databases, just as DocReg does for documents.
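An added example (not McAfee code) of what dynamic data registration adds over a pattern rule: card numbers from a constructed customer export are normalized, hashed and registered, and only those values are reported, while a pattern-only rule flags every card-shaped number, including an employee's own. The CSV layout, the hash, the card pattern and the sample message are constructed for illustration.

```python
"""Added example of dynamic data registration (exact-value matching), not McAfee code:
values exported from a database are normalized, hashed and registered; only content
carrying one of those values is reported, while a pattern-only rule flags every card-shaped number."""
import csv
import hashlib
import io
import re
from typing import List, Set

# Constructed customer export, as it might be saved from a database scan and uploaded.
CUSTOMER_CSV = """customer,card_number,account
Ada Lovelace,4111 1111 1111 1111,ACC-1001
Grace Hopper,5500-0000-0000-0004,ACC-1002
"""

# Pattern rule for a 16-digit card number with optional space or hyphen separators.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def normalize_value(value: str) -> str:
    """Remove separators and case so '4111-1111-1111-1111' and '4111 1111 1111 1111' register as one value."""
    return re.sub(r"[\s-]", "", value).lower()


def value_signature(value: str) -> str:
    """One registered value: SHA-256 of its normalized form (the hash choice is an assumption)."""
    return hashlib.sha256(normalize_value(value).encode("utf-8")).hexdigest()


def register_values(csv_text: str, columns: List[int], skip_first_row: bool = True) -> Set[str]:
    """Build the registered-value set (DBReg-style) from the chosen CSV columns."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if skip_first_row:
        rows = rows[1:]  # header row carries no data, as 'Skip First Row' on the upload page
    return {value_signature(row[i]) for row in rows for i in columns if row[i].strip()}


def pattern_hits(text: str) -> List[str]:
    """What a pattern-only rule reports: every card-shaped number."""
    return [m.group(0) for m in CARD_PATTERN.finditer(text)]


def registered_hits(text: str, registered: Set[str]) -> List[str]:
    """What the DDR rule reports: only card-shaped numbers whose value was registered."""
    return [m.group(0) for m in CARD_PATTERN.finditer(text)
            if value_signature(m.group(0)) in registered]


# Constructed outbound message: one customer card (registered) and an employee's own card (not).
MESSAGE = ("Refund for Ada Lovelace to card 4111-1111-1111-1111 approved. "
           "Reimburse my expenses to 4012 8888 8888 1881 please.")

if __name__ == "__main__":
    reg = register_values(CUSTOMER_CSV, columns=[1])
    print("pattern rule:", pattern_hits(MESSAGE))
    print("registered values only:", registered_hits(MESSAGE, reg))
```

Hashing the normalized value is what lets the registered set be shipped to Monitor devices without carrying the customer data itself, and normalization is what keeps a value registered as `4111 1111 1111 1111` matching when it is sent hyphenated.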

Database types supported

When you access a database, you are connecting to a central network location where data is

stored, organized and maintained.

Database type: Filtering options

Oracle: Schemas, Tables, Columns, Records/Rows

DB2: Schemas, Tables, Columns, Records/Rows

MS SQL Server: Catalogs, Schemas, Tables, Columns, Records/Rows

MySQL: Catalogs, Tables, Columns, Records/Rows

NOTE: Only MySQL Enterprise is supported. MySQL Community Edition cannot be used for a database scan task because DataDirect, publisher of the JDBC driver used in DLP products, does not support the free GPL database versions.

Database object hierarchy differences

The database types available for scanning by DLP Discover use the following object hierarchy.

Database type: Object hierarchy

MySQL: There is no distinction between catalogs and schemas. Databases and tables can be listed.

Oracle: Schemas correspond to users, and users can be listed. Catalogs cannot be listed (remotely), but all tables the current user can access can be listed.

DB2: Schemas can be listed; databases/catalogs cannot be listed (remotely). Tables in a schema can be listed.

MS SQL Server: Schemas and tables can be listed.

TIP: Try selecting different database types, then go to the Filter tab to observe the options available for each

database type.

All filters are applied across the whole database server. For example, if you set the filter "Table=Employees", the crawler scans all databases and fetches records from every table whose name matches "Employees". If you set the filter "Column=LAST_NAME", the crawler scans all tables and fetches records from the column named LAST_NAME in any table the crawler can access.

To restrict the scan to a particular column in a particular table, enter filters for both the table and the column name, and make sure no other table has the same name and a similarly named column.


Database terminology differences

Database object hierarchy differs according to the terminologies used by the vendors of different

database types. The object hierarchy displayed on the Filters tab is determined by the selection

of the database type on the Add Scan Operation page.

DLP Discover follows the ANSI SQL 92 standard, which defines a catalog/schema model for data stores. In this model, catalogs (databases) contain schemas, and schemas contain tables.

● Catalogs may be a collection of related schemas. Because many databases have only one catalog, metadata

is sometimes simply called schema information.

● Schema is a collection of database objects that are owned or have been created by a particular user.

● Tables are collections of columns arranged in specific orders.

Registering structured data by uploading

Use this task to upload significant structured data found in a database. You might want to do this

if you find significant data in one database, and want to set up a task to detect it in others.

NOTE: If you use DLP Manager to upload structured data, it will automatically be registered on all managed

devices.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Database Registration.

2. From the Actions menu, select Upload New Data File.

3. Browse to the objects you want to register. The compressed file to be registered cannot be over 100 MB.

TIP: You can generate a CSV file by creating a database scan, filtering the scan, and then copying and pasting

the data you find in a folder into a spreadsheet document. Save the document to your desktop, then browse to

that location to upload it.

4. In the Registration Name text box, type a name.

5. If there is no significant data in the first row of the table (for example, a header), check Skip First Row.

6. Select a Signature Type. Only High Granularity signature types are generated for uploaded CSV documents.

7. Select the policy and rule you want to use to detect the document.

Example

If the data to be protected is of a financial nature, you might select the Banking and Financial sector policy and the Unencrypted Bank Transactions with ABA Routing Number rule.

8. Click Save or Save, Upload Another.

When you click Save, the signatures of the structured data are added to the DBReg attribute. As with the

DocReg attribute, signatures are treated as a group, regardless of registration method.

NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after

clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will

not be recorded when using that browser.


Setting up basic database scans

Use this task to set up a basic database scan, then adapt it to your purpose by characterizing it

as an inventory, registration or discovery scan.

NOTE: Because integrated Windows authentication is not supported for Microsoft SQL Server, you must create a SQL Server login (SQL Server authentication) for use in a scan task operation. Give that login only the read permissions on the objects in scope that the scan needs.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.

2. From the Actions menu, select New.

3. In the Scan Operation text box, type a name. Typing a description is optional.

TIP: Include the scan mode in the name — for example, a name like Finance_registration will help you to

remember what the scan does when applied to a rule.

4. Select a Database Type. This defines the support protocol that allows DLP Discover to access the database.

5. Select a Credential definition to enable access to the repository, if necessary, or click New to create a new

one.

6. Select a Schedule, or click New to create a new one.

7. Select a scan Mode. See Types of network scans for a definition of the different modes.

8. Under Devices, select the appliance from which the scan will be run.

NOTE: Select None if you want to save a scan, but do not want to deploy it immediately.

9. On the Node Definition tab, define the IP type by making a selection from the menu.

10. Type the IP Address, then click Include or Exclude to add the IP address to the list. Select Test to verify the connection.

11. On the Filters tab, filter the scan to define the location to be scanned.

12. On the Advanced Options tab, make the following settings.

● Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.

● Select On Start or On End to determine if and when you want email notification sent.

NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning, and file processing might continue after notification.

13. Click Save.

Advanced Options definitions for database scan operations

Advanced Options are used to set the throttling bandwidth and set up email notification of

scanning operations. Notifications can be sent at scan start, stop, or both.

Customize the email notification by selecting from the dynamic variables available or adding the

message of your choice.

Use this page to set the Advanced Options definitions.


Option: Definition

Bandwidth: Specifies the bandwidth when throttling is activated.

Email To: A standard email address text box.

End Message / Start Message: Specifies the text of the message. A default message is included. Dynamic variables can be pasted in by clicking them when the cursor is in the text box.

On End / On Start: Checkboxes that specify when email is sent.

NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task

start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might

continue after notification.

Defining catalogs to be scanned

MySQL and Microsoft SQL Server catalogs can be scanned. In MySQL databases, there is no

difference between catalogs and schemas.

Use these options to set a catalog filter for MySQL or Microsoft SQL Server scans.

CONDITION: Definition

All: Default value; equivalent to no filtering.

Exact Match: Filters by exact match to the catalog name entered in the VALUE parameter.

Pattern: Filters by text pattern match to the catalog name entered in the VALUE parameter.

Defining columns to be scanned

Columns for all four database types can be scanned. Use these options to set a column filter for

any scan.

CONDITION: Definition

All: Default value; equivalent to no filtering.

Exact Match: Filters by exact match to the column name entered in the VALUE parameter.

Pattern: Filters by text pattern match to the column name entered in the VALUE parameter.

Defining logins for a database scan

When Repository Type for a scan operation is set to DATABASE, specific parameters appear on

the Node Definition tab. The parameters are slightly different for different database types, but

remain the same for all modes.

Use this page to determine the login for a database scan.


Option: Definition

Login Database (for Oracle: SID): Type the name of the database. For SQL Server, this is the database instance. For Oracle, it is the System ID.

When you have completed the node entries, click Include. You can also Test the database

connection.

Defining nodes for database scan operations

When Repository Type for a scan operation is set to DATABASE, specific parameters appear on

the Node Definition tab. The parameters are slightly different for different Database Types, but

remain the same for all Modes.

Use this page to determine the Node Definition settings for database scan operations.

Option: Definition

IP Address: Only single IP addresses are allowed. You must enter a valid IP address to create a valid scan operation.

Port: The port is configured automatically according to the Database Type. If you are using a non-standard port, type the port number in the text box.

● DB2: 50000

● Microsoft SQL Server: 1433

● MySQL: 3306

● Oracle: 1521

Login Database (for Oracle: SID): Type the name of the database. For SQL Server, this is the database instance. For Oracle, it is the System ID.

SSL Certificate: Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.

When you have completed the node entries, click Include. You can also Test the database

connection.

Defining ports for a database scan

When Repository Type for a scan operation is set to DATABASE, specific parameters appear on

the Node Definition tab. The parameters are different for different database types, but remain the

same for all modes.

Use this page to determine a port setting for a database scan.


Option: Definition

Port: The port is configured automatically according to the database type. If you are using a non-standard port, type the port number in the text box.

● DB2: 50000

● Microsoft SQL Server: 1433

● MySQL: 3306

● Oracle: 1521

When you have completed the node entries, click Include. You can also Test the database

connection.

Defining records/rows to be scanned

Records for all four database types can be scanned. Use these options to set a record/row filter

for any scan.

Option: Definition

Where: Allows entry of any SQL where clause. For example, retrieve matching names from columns in a table by entering surname like '%lang'. The clause runs under the scan credential, so that credential's rights bound what it can read.

Limit (# Rows): Limits the number of rows fetched from each table. If you set a limit of 100, at most one hundred rows will be fetched from each table crawled.
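A constructed model, added here and not McAfee code, of how the catalog, table and column filters described under Database object hierarchy differences combine with the Where clause and the row limit above. Two SQLite in-memory databases stand in for two catalogs on one server, both holding an Employees table, so the example reproduces the pitfall the guide warns about: a Table=Employees filter matches both, and a Column=LAST_NAME filter pulls that column from every table that has it. The glob syntax used for the Pattern condition, SQLite itself and the sample tables are assumptions; the guide does not state the pattern syntax.

```python
"""Constructed model of Discover database filter resolution (an added example,
not McAfee code): filters are evaluated across every catalog the login can see,
the WHERE clause is passed through verbatim, and the row limit applies per table."""
import fnmatch
import sqlite3


def build_sample_db():
    """Two catalogs on one 'server': SQLite's main database plus an attached one (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS hr")
    con.executescript("""
        CREATE TABLE main.Employees(id INTEGER, LAST_NAME TEXT, ssn TEXT);
        INSERT INTO main.Employees VALUES
            (1, 'Lang', '123-45-6789'), (2, 'Golang', '987-65-4321'), (3, 'Kim', '555-11-2222');
        CREATE TABLE main.Vendors(id INTEGER, LAST_NAME TEXT);
        INSERT INTO main.Vendors VALUES (1, 'Erlang');
        CREATE TABLE hr.Employees(id INTEGER, LAST_NAME TEXT, salary INTEGER);
        INSERT INTO hr.Employees VALUES (9, 'Lang', 100000);
    """)
    return con


def matches(name, condition, value):
    """All / Exact Match / Pattern conditions from the Filters tab. Glob syntax for Pattern is assumed."""
    if condition == "all":
        return True
    if condition == "exact":
        return name == value
    if condition == "pattern":
        return fnmatch.fnmatchcase(name, value or "")
    raise ValueError("unknown condition %r" % condition)


def crawl(con, catalog=("all", None), table=("all", None), column=("all", None),
          where=None, limit=None):
    """Return {(catalog, table): rows} for everything the filters select.

    Identifiers come from the catalog metadata; the WHERE text comes from the operator and is
    inserted unchanged, as 'any SQL where clause' implies, so the scan login's rights are the
    only bound on what it can touch.
    """
    results = {}
    catalogs = [row[1] for row in con.execute("PRAGMA database_list") if row[1] != "temp"]
    for cat in catalogs:
        if not matches(cat, *catalog):
            continue
        tables = [r[0] for r in con.execute(
            "SELECT name FROM %s.sqlite_master WHERE type = 'table'" % cat)]
        for tbl in tables:
            if not matches(tbl, *table):
                continue
            cols = [r[1] for r in con.execute("PRAGMA %s.table_info(%s)" % (cat, tbl))]
            cols = [c for c in cols if matches(c, *column)]
            if not cols:
                continue  # a column filter that hits nothing in this table skips it
            sql = "SELECT %s FROM %s.%s" % (", ".join(cols), cat, tbl)
            if where:
                sql += " WHERE %s" % where
            if limit is not None:
                sql += " LIMIT %d" % int(limit)  # per table, as the guide states
            try:
                results[(cat, tbl)] = con.execute(sql).fetchall()
            except sqlite3.OperationalError as exc:
                # a WHERE clause naming a column this table lacks fails here, not silently
                results[(cat, tbl)] = "error: %s" % exc
    return results


if __name__ == "__main__":
    db = build_sample_db()
    print(crawl(db, table=("exact", "Employees")))
    print(crawl(db, column=("exact", "LAST_NAME"), where="LAST_NAME like '%lang'"))
    print(crawl(db, catalog=("exact", "main"), table=("pattern", "Emp*"),
                column=("exact", "ssn"), limit=2))
```

The third call is the restriction the guide recommends: catalog, table and column all pinned, so the ssn column is fetched from main.Employees only, and the limit caps how many rows leave the database per table. The last case in the test shows the other side of a free-form Where clause: a predicate naming a column that one of the selected tables lacks fails for that table.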

Defining schemas to be scanned

Schemas for all four database types can be scanned. In MS SQL Server databases, there is a distinction between catalogs and schemas.

Use these options to set a schema filter for any scan.

CONDITION: Definition

All: Default value; equivalent to no filtering.

Exact Match: Filters by exact match to the schema name entered in the VALUE parameter.

Pattern: Filters by text pattern match to the schema name entered in the VALUE parameter.

Defining SSL certificates for a database scan

When Repository Type for a scan operation is set to DATABASE, specific parameters appear on

the Node Definition tab. The parameters are slightly different for different Database Types, but

remain the same for all Modes.


NOTE: You have the option of using an SSL certificate to authenticate the database server host and encrypt the data exchanged between the database server and the DLP device. This is particularly useful if the database server uses a non-standard or self-signed certificate, because the device needs a copy of such a certificate to trust it. Client certificate handling is currently not supported, so the scan still authenticates to the database with the login in its credential definition; the certificate protects that login in transit.

Use these options to determine the SSL certificate needed for a database scan.

Option: Definition

SSL Certificate: Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.

When you have completed the node entries, click Include. You can also Test the database

connection.

Defining tables to be scanned

Tables for all four database types can be scanned.

Use these options to set a table filter for any scan.

CONDITION: Definition

All: Default value; equivalent to no filtering.

Exact Match: Filters by exact match to the table name entered in the VALUE parameter.

Pattern: Filters by text pattern match to the table name entered in the VALUE parameter.

Managing scans

Managing scan operations

You can manage one or more scans by applying different states from the Actions menu on the

Scan Operations page.


Scan action: Description

New: Launches the Add Scan Operation dialog box

Clone: Copies the selected scan and opens the Edit Scan Operation dialog box; allows the name and other parameters to be changed

Activate: Activates the selected scan; causes the system to fetch files and analyze content

Deactivate: Deactivates the selected scan (keeps it from running)

Start: Starts the scan; fetches only new content

Stop: Stops the scan

Rescan: Resubmits the scan for tasks that are not running but are in a Ready state. Re-fetches files and re-analyzes all content, and generates new incidents

Delete: Deletes the scan

Up to 100 scans can be queued.

TIP: Configure firewalls and set bandwidth when you set up a scan.

Types of scan states

The Last Status column on the Scan Operations page always displays one of the following

states.

● Ready: Task is ready to run and the user can start it.

● Running: Task (crawler) is running.

● Inactive: Task is removed from the schedule queue and cannot be run (even manually). Such tasks must be activated before they can be run.

● Starting: Task is starting and about to run.

● Stopping: Task is stopping.

● Stopped: (Rare) Task was killed or crashed by some unforeseen situation. Such tasks can be started again.

Viewing scan operations

All scan operations are listed on the Scan Operations page. In ePolicy Orchestrator, go to Menu |

Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.

TIP: You can get details on scans that are in progress or completed by selecting the Statistics icon.

Modifying the state of a scan

Use this task to modify a scan.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Select the radio button of the scan.

3. From the Actions menu, select a state.

Deploying scans

A scan is deployed when the scan targets are defined.

Use this task to identify the Discover and Monitor devices that run the scan and store the

signatures.

TIP: On Monitor and Discover appliances managed by DLP Manager, you can store the signatures on more

than one DLP device.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Double-click the name of the scan.

3. Under Devices, select the appliance that will run the scan.

TIP: Select None if you want to save a scan, but do not want to run it right away.

Starting scans

Use this task to start a scan.

NOTE: You cannot start a task until it is in the Ready state. A new scan remains inactive until its associated policies are published. If the Last Status column does not display Ready, wait until it does (refresh the screen if you wish). Then click the radio button of the task and select Start from the Actions menu.

NOTE: When you rescan, all files are fetched again and reanalyzed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Note the Last Status column of the scan. If the scan status is Inactive, select the radio button and select

Activate from the Actions menu.

3. Select the radio button of the scan.

4. From the Actions menu, select Start.

TIP: Click on the Refresh icon to refresh the status of the scan.

NOTE: If a scan is stopped, you can resume it without restarting by simply selecting Start from the Actions

menu.

Stopping scans

Use this task to stop a scan.


NOTE: The task must be in a RUNNING state.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Note the Last Status column of the scan.

3. Select the radio button of the scan.

4. From the Actions menu, select Stop

NOTE: When you stop a scan, the process pauses; selecting Start from the Actions menu causes it to resume.

Setting bandwidth for a scan

Discover is set up to use all bandwidth needed to perform a scan (No Throttling is the default).

Use this task to conserve bandwidth by configuring bandwidth throttling.

TIP: Consider the transmission capacity of your network and the amount of network traffic before deciding how

much bandwidth to allocate to the scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Select the Advanced Options tab.

5. Type a rate into the Bandwidth field, or select No Throttling from the menu.

● No Throttling

● Kbps

● Mbps

Example:

On a 100-Mbps LAN, limit bandwidth to 50 Mbps to limit the crawler to half of the bandwidth available.

NOTE: If bandwidth is throttled correctly and there is L3 connectivity between networks, Discover can be

deployed across a WAN, though object viewing might be slower due to WAN latency. For example, if a 1 Gbps

link between Tokyo and London is used, only ~10 Kbps throughput may be available for a CIFS scan.

6. Click Save after completing all other scan parameters.

NOTE: Bandwidth throttling is applied as an average across the entire scan rather than as each individual file

is being fetched. A Discover scan might burst above or below the configured throttle limit, but the average

throughput measured across the entire scan will remain very close to the configured limit.

Scanning in full duplex mode

Discover cannot be deployed in half-duplex mode. Every interface between Discover and target

nodes (intermediary switch, router, firewall, etc.) must be set to full duplex.


Guidelines for Fast Ethernet networks

● Hard-code the speed and duplex of the Discover appliance to 100 Mbps and full duplex.

● Ensure that all intermediary devices are either hard-coded to 100 Mbps and full duplex, or validate that all

intermediary devices have negotiated to full duplex if configured for automatic negotiation

Guidelines for Gigabit Ethernet networks

● Set the speed and duplex of the Discover appliance to 1000 Mbps and full duplex or to auto-detect.

● Ensure that all intermediary devices are either hard-coded to 1000 Mbps and full duplex, or validate that all

intermediary devices have negotiated to full duplex if configured for automatic negotiation

Managing scan load

Scan load may have an impact on performance of DLP systems. If too many operations are

running concurrently, a Discover scan might appear to be stalled in a Not Ready state.

Operations that add load to the system include:

● Deleting or creating scans in the same time frame;

● Crawlers running and processing files from an extended scan;

● Multiple policies and rules being decoupled from deleted scans.

If a Discover scan appears to have stopped, wait for 30 minutes. If the task does not reactivate,

select it and Activate from the Actions menu.

If several retries fail, save the scan as a new task to republish all policies, then delete the old

task.

Editing scans

Use this task to edit a scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Double-click the name of scan you want to modify.

3. Make changes in the Edit Scan Operation window.

4. Click Save.

Deleting scans

Use this task to delete a scan.

NOTE: If a scan is in Running state, it must be stopped before it can be deleted.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. By clicking one or more radio buttons, select the scans to be deleted.

3. From the Actions menu, select Delete.


NOTE: Deleting a scan will also clear all scan statistics and the entire history of the scan, and any incidents

found by a scan that is later deleted will not be remediable or recoverable.

Setting up scans

Preparing to scan

Plan your scan before setting it up. Gather all of the following information.

● Scan mode - Inventory, Registration, or Discover

● Credentials to access the repository

● Database type and version (for database scans)

● IP address, subnet, or range including required ports

● Login database or SID and SSL certificate (for database scans)

● File systems to be scanned

● Schedule for the scan

● Configuration of firewalls

● Bandwidth to be used

● Projected scan load

Setting up basic scans

Use this task to set up a basic scan, then adapt it to your purpose by characterizing it as an

inventory, registration or discovery scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. In the Scan Operation text box, type a name. Typing a description is optional.

TIP: Include the scan mode in the name. For example, a name like Finance_registration will help you to

remember what the scan does when applied to a rule.

4. Select a Repository Type. This defines the protocol that DLP Discover uses to access the repository. See Repository types supported for a list of protocols.

5. Select a Credential definition to enable access to the repository, if necessary, or click New to create a new

one.

6. Select a Schedule, or click New to create a new one.

7. Select a scan Mode. See Discovering data at risk for a definition of the different modes.

8. Under Devices, select the appliance from which the scan will be run.

NOTE: Select None if you want to save a scan, but do not want to deploy it immediately.

9. On the Node Definition tab, select a Node definition.

● For a Single IP, type the IP Address, then click Include or Exclude to add the IP address to the list.


● For an IP Subnet, type a Base IP and a Subnet Mask. Click Include or Exclude to add the IP subnet to the list.

● For an IP Range, type a Start IP and an End IP. Click Include or Exclude to add the IP range to the list.

Depending on the protocol used, you might have to enter the URL instead.

NOTE: You must include at least one IP address, subnet, or range. Including or excluding additional

addresses, subnets, or ranges is optional. See Defining URLs to be scanned.

10. On the Filters tab, filter the scan to define the location to be scanned.

11. On the Advanced Options tab, make the following settings.

● Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.

● If you do not want the scan to update the file's last access time, select Preserve and run the scan manually.

● Type email notification information. Notification can be sent for scan start, scan stop, or both, with a default message or a message of your choice.

NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task

start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might

continue after notification.

12. Click Save.

Repository types supported

When you access a repository, you are connecting to a central network location where data is

stored, organized and maintained. The repository type is determined by the protocol used to

access data on the device.

Configuring inventory scans

Inventory scans crawl all directories and files residing on a targeted repository and generate an

index, or manifest.

Use this task to configure a basic scan as an inventory scan.


1. Set up a basic scan.

2. Select a Repository Type. This defines the protocol that DLP Discover uses to access the repository. See Repository types supported for a list of protocols.

3. Set up filters to define the location to be crawled. The inventory scan identifies all files that are available to be

scanned in a targeted repository.

4. Set the Advanced Options. See Setting up basic scans for details.

5. Click Save.

TIP: You can export a report of the index from the Scan Statistics window.

Configuring discovery scans

Discovery scans find data that has been registered or is residing on a file share in violation of a

policy.

Network discovery scans are defined and scheduled as described below. Host discovery scans

are defined as described below, but are scheduled on the ePolicy Orchestrator Agent

Configuration page.

Discovery scans act according to specified policies. Go to Menu | Data Loss Prevention | DLP

Policies to verify that a suitable policy exists, or to create a new policy. For more information, see

Using policies and rules. For host discovery, see Configuring a policy for host discovery for host-

specific instructions.

Use this task to configure a basic scan as a discovery scan.

1. Set up a basic scan.

2. Select a Repository Type.

NOTE: For host discovery scans, use CIFS.

3. Select a Schedule, or click New to create a new one.

NOTE: For host discovery scans, accept the default schedule. The schedule set in the HDLP policy in the

ePolicy Orchestrator Policy Catalog overrides the value set here.

4. For Mode, select Discover.

5. Under Devices, select the appliance from which the scan will be run.

NOTE: For host discovery, select None.

6. On the Node Definition tab, select a Node definition. See Setting up basic scans for more details.

NOTE: For host discovery, you must select Single IP. Type a dummy IP address, for example, 1.1.1.1. Host

discovery is run only on the host computer, and the DLP Agent on the host ignores this information, but you

must include a valid IP address to create a valid scan definition.

7. Set the Advanced Options. See Setting up basic scans for details.

8. On the Policies tab, select policies from the Available Policies list and Add them to the Selected Policies list


NOTE: You must add at least one policy to create a valid definition.

9. Click Save.

Configuring registration scans

Registration scans register sensitive data by generating digital fingerprints, or signatures, that

identify whole or partial documents.

Network registration scans are defined and scheduled as described below. Host registration scans are defined as described below, but are scheduled with ePolicy Orchestrator Server Tasks.

Use this task to configure a basic scan as a Registration scan.

TIP: Do an inventory scan first to get an idea of what directories, folders and documents are available to be

scanned.

1. Set up a basic scan.

2. Select a Repository Type.

NOTE: For host registration scans, use CIFS.

3. Select a Credential definition to enable access to the repository, or click New to create a new one.

4. Select a Schedule, or click New to create a new one.

NOTE: For Host registration scans, accept the default schedule. The schedule set in ePolicy Orchestrator

Server Tasks overrides the value set here.

5. For Mode select Registration.

NOTE: For database registration, select Data Match.

6. Select one or more Devices that will receive the registration signatures.

NOTE: For Host registration scans, select None.

7. Set the Advanced Options. See Setting up basic scans for details.

8. On the Registration tab, define signature type and targets.

9. Click Save.

NOTE: If Discover reboots (or the application is restarted) while the registration task is in the RUNNING state, a

few documents might be re-registered, and duplicate incidents could be reported.

Firewall configuration to allow scanning

Before you crawl a repository, make sure the scan will not be impeded by a firewall.


NOTE: Source ports are randomly chosen unless explicitly noted. Network and host-based firewalls typically

permit connections only on certain ports and might have to be configured to permit connections on others.

Managing credentials

Using credentials to access repositories

Credentials enabling access to an existing account on a repository are needed before a scan

can be created. Some systems may also require a domain name to complete the authentication

process.

Use these tasks to add, view, edit, or delete credentials.

NOTE: If the data in a file system is openly accessible, you can use the default credential None.


Viewing existing credentials

Use this task to view the credentials available for logging on to a repository.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations | Credentials.

2. Click a credential to view its properties.

Adding credentials

Use this task to add a credential, which will allow you access to a repository to be scanned.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations | Credentials.

2. From the Actions menu, select New.

3. Name and describe (optional) the credential.

4. Type a User Name of an existing account.

5. Add a Domain Name (may not be required).

6. Type and confirm the Password.

7. Click Save.

Editing credentials

Use this task to edit a credential that must be modified before it can be used to access a

repository.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations | Credentials.

2. Click a credential to display its properties.

3. Modify the parameters, then click Save.

Deleting credentials

Use this task to delete credentials that can no longer be used to access a repository.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations | Credentials.

2. Select one or more credential checkboxes.

3. From the Actions menu, select Delete Selected.

TIP: Click trash can icons to delete credentials one by one.


Scheduling scans

Using scan schedules

Use this task to define a schedule for a scan task. Continuous, periodic and on-demand scans

are supported.

NOTE: To schedule a host discovery scan, go to Menu | Policy | Policy Catalog and click on the Discovery

Schedule tab of the Agent Configuration settings. See Scheduling a host discovery scan for details.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration

| Schedules.

2. From the Actions menu, select New.

3. Type in a name for the schedule. Typing a description is optional.

4. Set the time parameters for the schedule.

5. Click Save.

Viewing scan schedules

Use this task to view available schedules.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration.

2. Click Schedules.

3. View the Description and Details columns.

NOTE: By opening the schedule, you can find out what scans are controlled by it.

Editing scan schedules

Use this task to edit a scan schedule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration

| Schedules.

2. Open a schedule and modify the parameters.

3. Click Save.

Deleting scan schedules

Use this task to delete scan schedules.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Schedules.

2. Select one or more schedule checkboxes.

TIP: Click trash can icons to delete schedules one by one.

3. From the Actions menu, select Delete Selected.


Filtering scans

Defining scans

After you decide whether to inventory, register, or discover files in a repository, you must set up

filtering, registration, and policy options.

The scan definition must include the credentials to be used to access the repository, and a

schedule that determines when the scan will be run.

Because Last Access Updating is enabled in all Microsoft Windows operating systems before

Vista, the DLP Discover crawler automatically changes the access time of each file it touches.

The original timestamps can be preserved by selecting the Preserve Last Access Time

checkbox and filtering the scan manually.

NOTE: This feature is applicable only to CIFS and NFS repositories.

Use these tasks to set filters, locations, policies, and other scan parameters.

Filtering scans by browsing

Use this task to define a filter when browsing databases and file systems.

Database Filtering

Filter definitions allow the scan to look for data at a specific level of the database hierarchy. The

hierarchy is specific for the database type, and includes catalogs, schema, table, column, or row

level.

CONDITION    Definition
All          Default value; equivalent to no filtering.
Exact Match  Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern      Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.

File System Filtering

Filter definitions allow the scan to look for data at specific levels of a file system hierarchy. The hierarchy is specific to the file system, and includes shares, folders, and file properties.

CAUTION: Because Last Access Updating is enabled in all Microsoft Windows operating systems before Vista,

the DLP Discover crawler automatically changes the Last Accessed Time of each file it touches. If you do not

want the files changed, click the Preserve Last Access Time box and filter the scan manually.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.


4. Select a target for storage of the signatures by selecting one or more Devices.

5. Click the Filters tab.

6. Click Browse.

7. Click the plus icon to open the repository. If Authentication Failed appears when you filter a repository, check

the credential you are using to access it. If authentication succeeds for the repository, but fails for a share, you

might not have permission to view it.

8. Select the shares, folders and file properties.

NOTE: When browsing document repositories, only file properties (File Pattern and File Size) are supported for HTTP, HTTPS, FTP and SharePoint. Database repository attributes differ according to database type.

TIP: Use only a single click; double-clicking will duplicate your selection.

9. Click X to close the browse window.

10. Click Save.

Filtering scans manually

Use this task to define a filter manually.

TIP: Use the Browse feature to research the path before entering options manually.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Select one or more Devices from which the scan will be deployed.

5. Select the Filters tab and open Filter.

6. Define the shares to be scanned.

NOTE: If you define an absolute path on an NFS repository manually, Discover will not crawl the share unless

you replace the "/" character in the share name with "%2F".

Example:

For /home/nfs_local/mydirectory, use /%2Fhome%2Fnfs_local/mydirectory, where /home/nfs_local is the name of the exported share and /mydirectory is a directory under this share.

7. Define the folders to be scanned.

8. Define the file properties to use when scanning.

9. Click Save.
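The following Python functions, added here as an illustration and not part of the McAfee product or this guide, build the encoded NFS share value from an export name and a subdirectory, and split it back apart. The decoder models one plausible reason the unencoded form is not crawled (a crawler that takes everything up to the first slash after the leading one as the share name); that reading of Discover's behaviour, and the function names, are assumptions.

```python
from urllib.parse import quote, unquote
from typing import Tuple

# Added example, not McAfee code. Every "/" inside the exported share name is
# written as "%2F" so that it is not taken for a directory separator; the
# leading "/" and the separators of the subdirectory are left alone.


def encode_nfs_share_path(export: str, subdir: str = "") -> str:
    """Return the value to type into the Shares filter for an NFS repository.

    export  - exported share as seen on the NFS server, e.g. "/home/nfs_local"
    subdir  - optional directory beneath the export, e.g. "/mydirectory"
    """
    if not export.startswith("/"):
        raise ValueError("an NFS export is an absolute path")
    encoded_share = quote(export, safe="")      # safe="" so "/" becomes "%2F" too
    tail = subdir.strip("/")
    return "/" + encoded_share + ("/" + tail if tail else "")


def decode_nfs_share_path(value: str) -> Tuple[str, str]:
    """Split a filter value into (export, subdir).

    Assumption about the crawler: the share name is the segment between the
    leading "/" and the next "/", and everything after that is the directory.
    With the "%2F" encoding the whole export survives as one segment; without
    it the export is cut at its first internal slash.
    """
    share, _, rest = value.lstrip("/").partition("/")
    return unquote(share), ("/" + rest if rest else "")
```

Running encode_nfs_share_path("/home/nfs_local", "/mydirectory") gives the guide's value, and decoding the unencoded /home/nfs_local/mydirectory yields a share called "home", which is why such a path is not crawled under the assumed split.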


Filtering IP addresses to be scanned

Use this task to define IP addresses of hosts to be scanned.

NOTE: Only single IP addresses are allowed for database scans. You must enter a valid IP

Address to create a valid scan operation.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Set the repository type to CIFS, NFS or Documentum.

NOTE: The protocol used determines the repository type and method of node definition. CIFS, NFS and

Documentum require IP addresses.

5. Select Single IP, IP Subnet or IP Range from the Node Definition menu.

6. Type addresses in the IP Address field.

TIP: If some addresses do not fit in the sequence, you can define those addresses or ranges and exclude them.

Examples

Single IP address: 192.168.1.0

IP Range: type 192.168.3.128-192.168.3.200 and click Include; type 192.168.3.245-192.168.3.254 and click Exclude.

IP Subnet: Base IP 192.168.1.0, Subnet Mask 255.255.255.0

NOTE: You cannot define a range across subnets; only 255 addresses can be defined at a time (0-254). CIDR

is not supported in the address field — decimal notation is required.

7. Click Include or Exclude, as appropriate.

8. Click Save.

9. Define filters and policies.
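The following Python script, added as an illustration and not taken from the McAfee product, expands Single IP, IP Range and IP Subnet definitions into the address list a scan would target, applies Include before Exclude, and rejects input the address field does not accept: CIDR notation, more than 255 addresses, or a range that crosses a subnet. It goes beyond the guide's examples in also converting a CIDR prefix length to the dotted-decimal mask the Subnet Mask field requires. The /24 boundary used for the crossing check, the treatment of a subnet as its addresses 0-254, and all function names are assumptions.

```python
import ipaddress
from typing import List, Set, Tuple

# Added example, not McAfee code. Models the node-definition rules stated in
# the guide so that a target list can be sanity-checked before it is typed in.

MAX_ADDRESSES = 255                       # guide: at most 255 addresses (0-254) per definition
NodeDef = Tuple[str, ...]                 # ("single", ip) | ("range", start, end) | ("subnet", base, mask)


def mask_from_prefix(prefix: int) -> str:
    """The Subnet Mask field wants 255.255.255.0, not /24: convert a prefix length."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def _addr(s: str) -> ipaddress.IPv4Address:
    if "/" in s:
        raise ValueError(f"CIDR notation is not accepted in the address field: {s}")
    return ipaddress.IPv4Address(s)


def expand_single(ip: str) -> List[str]:
    return [str(_addr(ip))]


def expand_range(start: str, end: str) -> List[str]:
    a, b = _addr(start), _addr(end)
    if b < a:
        raise ValueError(f"range end {end} precedes start {start}")
    if (int(a) >> 8) != (int(b) >> 8):   # assumption: "subnet" means the /24 of the addresses
        raise ValueError(f"range {start}-{end} crosses a subnet boundary")
    count = int(b) - int(a) + 1
    if count > MAX_ADDRESSES:
        raise ValueError(f"range {start}-{end} covers {count} addresses, limit is {MAX_ADDRESSES}")
    return [str(ipaddress.IPv4Address(int(a) + i)) for i in range(count)]


def expand_subnet(base: str, mask: str) -> List[str]:
    net = ipaddress.IPv4Network((str(_addr(base)), mask), strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    # Assumption from "0-254": the broadcast address is not part of the definition.
    addrs = [str(ipaddress.IPv4Address(n)) for n in range(first, max(last, first + 1))]
    if len(addrs) > MAX_ADDRESSES:
        raise ValueError(f"subnet {base}/{mask} covers {len(addrs)} addresses, limit is {MAX_ADDRESSES}")
    return addrs


def expand(d: NodeDef) -> List[str]:
    kind = d[0]
    if kind == "single":
        return expand_single(d[1])
    if kind == "range":
        return expand_range(d[1], d[2])
    if kind == "subnet":
        return expand_subnet(d[1], d[2])
    raise ValueError(f"unknown node definition {kind!r}")


def resolve_targets(includes: List[NodeDef], excludes: List[NodeDef]) -> List[str]:
    """Addresses the crawler would visit: the union of Includes minus the union of Excludes."""
    selected: Set[str] = set()
    for d in includes:
        selected.update(expand(d))
    for d in excludes:
        selected.difference_update(expand(d))
    return sorted(selected, key=lambda s: int(ipaddress.IPv4Address(s)))


if __name__ == "__main__":
    targets = resolve_targets(
        includes=[("range", "192.168.3.128", "192.168.3.200")],
        excludes=[("range", "192.168.3.190", "192.168.3.254")],
    )
    print(len(targets), targets[0], targets[-1])
    print(mask_from_prefix(27))
```

The guide's own exclusion (192.168.3.245-254) does not overlap its inclusion, so the script's main block uses an overlapping exclusion to show the subtraction actually removing addresses.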

Filtering URLs to be scanned

Use this task to define URLs to be scanned.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Set the repository to one of the following:

● FTP

● HTTP

● HTTPS

● Microsoft SharePoint

5. Select URL from the Node Definition menu.

6. Type a URL into the URL field followed by a slash, which establishes the boundaries of the scan.

Example:

http://www.yahoo.com/

https://reconnex-host.reconnex.net:8181/dir/

7. Click Include.

8. Click Save.

9. Define filters and policies.

Filtering file properties for a scan

Use this task to define file properties before scanning.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Click the Filters tab.

5. Open Folders.

6. Open File Properties.

7. Select an Element and Condition.

8. Type a path or pattern into the value field.

Absolute Directory Path is recognized as the base directory.

Examples

Absolute Directory Path > equals > C$/Eng/Network/Drawings

File Pattern > equals > *.jpg,*.doc

File Owner > equals > bjones

File Size > range > 1024-5000 (requires numbers expressed in bytes)


File Creation Time > between > 16:30:00 and 17:00:00.

Last Modification Time > after > 13:30:00

Last Accessed > before > 17:00:00

9. Define policies.

10. Click Save.

Filtering folders to be scanned

Use this task to define the folders to be scanned.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Click the Filters tab.

5. Open Folders.

6. Select an Element and Condition.

7. Type a path or pattern into the value field. Absolute Directory Path is recognized as the base directory.

Examples

Absolute Directory Path > equals > C$/Eng/Network/Drawings

Directory Pattern > contains > Human Resources

Directory Pattern > does not contain > Employee Records

NOTE: All subdirectories matching the pattern will be crawled.

8. Define policies.

9. Click Save.

Filtering shares to be scanned

Use this task to define shares to be scanned.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. From the Actions menu, select New.

3. Define the credential, schedule, mode, devices and node.

4. Select one or more Devices from which the scan will be deployed.

5. Select the Filters tab.

6. Open Filter.

7. Open Shares.


NOTE:When you scan all the shares on a system, you do not have to define a filter at all. The default filter will

always crawl all the shares on the system with the base directory / (root).

8. From the Shares menu, select equals.

9. Select Exact Match or Pattern from the Condition menu.

TIP: The All condition, indicating that all shares will be scanned, is the default.

10. Type the share name into the Value field.

11. Define the folders to be scanned, if needed.

12. Define the file properties to use when scanning, if needed.

13. Click Save.
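The following Python script, added here as an illustration rather than taken from the McAfee product, evaluates Filters-tab rows (Element, Condition, Value) of the kinds shown in the file-properties, folders and shares tasks above against constructed file metadata, so the effect of a combination of rows can be checked before a scan is run. It assumes that all rows must hold for a file to be crawled, that Absolute Directory Path covers the directory and everything under it (as the folders task's note on subdirectories indicates), that Pattern is a glob, and that the time elements compare time of day only, as the guide's examples do; the sample files and function names are constructed for the example.

```python
import fnmatch
from datetime import time
from typing import Dict, List, Tuple

# Added example, not McAfee code: a reference evaluator for Filters-tab rows.

FilterRow = Tuple[str, str, str]          # (Element, Condition, Value) as typed into the tab
TIME_KEYS = {"File Creation Time": "ctime", "Last Modification Time": "mtime", "Last Accessed": "atime"}


def _text_ok(text: str, cond: str, value: str) -> bool:
    if cond == "All":
        return True
    if cond in ("equals", "Exact Match"):
        return text == value
    if cond == "Pattern":                          # assumption: a glob such as H* or *share
        return fnmatch.fnmatchcase(text, value)
    if cond == "contains":
        return value in text
    if cond == "does not contain":
        return value not in text
    raise ValueError(f"unsupported text condition {cond!r}")


def _time_ok(t: time, cond: str, value: str) -> bool:
    if cond == "between":                          # "16:30:00 and 17:00:00"
        lo, hi = (time.fromisoformat(p.strip()) for p in value.split(" and "))
        return lo <= t <= hi
    if cond == "after":
        return t > time.fromisoformat(value.strip())
    if cond == "before":
        return t < time.fromisoformat(value.strip())
    raise ValueError(f"unsupported time condition {cond!r}")


def _under(directory: str, base: str) -> bool:
    """Absolute Directory Path is the base directory: the directory itself and its subdirectories."""
    base = base.rstrip("/")
    return directory == base or directory.startswith(base + "/")


def file_matches(f: Dict, rows: List[FilterRow]) -> bool:
    """True when every row holds for the file (rows are ANDed; an assumption)."""
    for element, cond, value in rows:
        if element == "Shares":
            ok = _text_ok(f["share"], cond, value)
        elif element == "Absolute Directory Path":
            ok = _under(f["dir"], value)
        elif element == "Directory Pattern":
            ok = _text_ok(f["dir"], cond, value)
        elif element == "File Pattern":                # "*.jpg,*.doc": any listed glob
            ok = any(fnmatch.fnmatchcase(f["name"], p.strip()) for p in value.split(","))
        elif element == "File Owner":
            ok = _text_ok(f["owner"], cond, value)
        elif element == "File Size":                   # "1024-5000", inclusive, in bytes
            lo, hi = (int(x) for x in value.split("-"))
            ok = lo <= f["size"] <= hi
        elif element in TIME_KEYS:
            ok = _time_ok(f[TIME_KEYS[element]], cond, value)
        else:
            raise ValueError(f"unknown element {element!r}")
        if not ok:
            return False
    return True


def select_files(files: List[Dict], rows: List[FilterRow]) -> List[str]:
    """Names of the files the crawler would fetch under the given rows."""
    return [f["name"] for f in files if file_matches(f, rows)]


# Constructed sample metadata (not real data); times are time of day only.
SAMPLE_FILES = [
    dict(share="C$", dir="C$/Eng/Network/Drawings", name="site.jpg", owner="bjones",
         size=2048, ctime=time(16, 45), mtime=time(14, 0), atime=time(9, 0)),
    dict(share="C$", dir="C$/Eng/Network/Drawings/Archive", name="old.doc", owner="bjones",
         size=9000, ctime=time(10, 0), mtime=time(11, 0), atime=time(8, 0)),
    dict(share="HR", dir="HR/Human Resources/Employee Records", name="pay.xls", owner="asmith",
         size=4096, ctime=time(16, 50), mtime=time(13, 45), atime=time(16, 0)),
    dict(share="HR", dir="HR/Human Resources/Policies", name="handbook.doc", owner="asmith",
         size=3000, ctime=time(12, 0), mtime=time(12, 30), atime=time(17, 30)),
]

if __name__ == "__main__":
    print(select_files(SAMPLE_FILES, [("Directory Pattern", "contains", "Human Resources"),
                                      ("Directory Pattern", "does not contain", "Employee Records")]))
```

With the guide's own file-properties example (base directory C$/Eng/Network/Drawings, *.jpg,*.doc, owner bjones, size 1024-5000) only site.jpg is selected: old.doc lies under the base directory and matches the pattern and owner, but its 9000 bytes fall outside the size range.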

Setting policies for a scan

Use this task to match specific policies and rules to the data found by a Discover scan. The scan

cannot be saved until you choose at least one policy.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Select the Policies tab.

3. Click on one or more policies.

4. Click Add or Add All.

Use the Remove or Remove All buttons to make adjustments to your selection.

Getting scan results

How scan statistic reporting works

While files are being fetched, counters increment as nodes are identified and shares are

authenticated. The incident database is updated every 15 minutes until the conclusion of the

task.

Incident files are downloaded directly to Discover from the host on which they were detected, but the files are

not saved indefinitely. They are fetched from the source when needed and the cache is flushed regularly to

optimize disk utilization.

The index keeps running in the background until all files are reported, even if the task has

completed.

NOTE: To maximize performance during a CIFS/NFS/Documentum inventory scan, the crawler updates the

database only after 100,000 files have been processed. If fewer files are detected, the counters are updated

after the scan has been completed.


Understanding scan results

When you run a scan operation, files that have been registered or matched to rule conditions are

indexed and fetched from the repository. Scan results are displayed on the Incidents | Data-at-

Rest dashboard.

Statistics describing the status of the scan are displayed under the Statistics icon. In ePolicy

Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration.

Viewing incidents found by a scan

Incidents found by a scan are reported on the Incidents dashboard. Select Details to display the

file and its attributes, and the Match tab to find out why it was reported, or add the MatchString

column to the dashboard.

After a standalone Discover is registered to DLP Manager, the number of total incidents

displayed will not include incidents that were reported before Discover was added to the

network. Because a few documents might be re-registered after a reboot or restart, duplicate

incidents might be reported.

TIP: Use the Actions menu to change the status of incidents that have been found, and set up action rules to

remediate them.

Getting reports of scan statistics

Use this task to save all statistics produced during a scan to your dashboard.

NOTE: Export from the dashboard is limited to 5 KB. Although the dashboard incident list is limited to 5,000

results, up to 150,000 results can be exported.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Click the icon in the Statistics column of the scan.

3. From the Reports menu, select a report.

Report Type         Description
Current Statistics  Reports the statistics that are currently viewable. They could be from the current scan, the last one run, or any other historical scan.
All Statistics      Reports all the statistics of all the runs of the scan task.
Export File List    Reports the file list at share level (only files of the required share), IP level (only files of a required host), or task level (all files detected by the task across hosts and shares). If there is a single host with a single share, all three reports will be the same.

4. Click Save.

If you have Microsoft Excel installed and are using Internet Explorer, the reports will automatically open in Excel

. If not, a CSV text file will launch.


NOTE: Because CSV is a generic ASCII format, it can be opened with any text editor, spreadsheet or database

program. If the CSV file is very large (50,000+ records), it will be compressed into a zip file before it is available

for opening or saving.

Getting database scan statistics

Use this task to get statistics from running and completed database scans.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Click the icon in the Statistics column of a database scan.

3. View database scan statistics and counters.

TIP: Select an export option from the Report Options menu to get a report of the historical scan.

Adding columns to scan statistics

Use this task to display scan statistics in a different configuration.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Click the Statistics icon.

3. Select the Repository Details tab.

4. Open Share Details per Host.

5. Click on Shares Detected, Shares Crawled, or Shares Failed. Click underlined numbers for more

information.

● Click Files Fetched to get a full page report.

● Select Columns and move them to the Available or Selected windows.

● Click the Move buttons to change the display order.

6. Click Apply.

Viewing registered data matches

Registered data results do not display match strings on the Incident Details page, because the

file found is itself evidence of an exact match. However, the Match tab under Incident Details

does display the document matched and the matching text snippet.

Viewing scan status

Use this task to get information on the status of a crawl.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Click the Statistics icon for the scan of interest.

3. Select the Repository Details tab.


4. Open Share Details per Host.

5. Click on Shares Detected, Shares Crawled, or Shares Failed. Underlines under numbers indicate that there

is more information available.

NOTE: The Files yet to be fetched counter increments when new shares are detected and decreases as files

are detected and fetched. If a database scan is interrupted when records have been fetched but not processed,

those records are not processed when the scan is rerun.

TIP: Select a Report Option to keep a record of the scan after it has completed.

TIP: If you need updates before the scan status is synchronized, click the Refresh button. This action

consumes resources, so use it judiciously.

Getting historical statistics

Use this task to get statistics from previously completed scans.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |

Scan Operations.

2. Click the icon in the Statistics column of the scan.

3. Select a report from the History menu.

4. View.

TIP: Select an export option from the Report Options menu to get a report of the historical scan.

Searching discovered data

Finding discovered data

In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover to search for data in the Discover database.

Finding scan operations

Use this task to find existing scan operations.

TIP: Use this parameter with other options to find files discovered by a specific scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Scan Operation from the first drop-down list, and is any of from the second.

3. Click "?".

4. Select the scan task from the popup menu.

5. Click Search or Save as Rule.


Finding registered files in discovered data

Use this task to find registered files in the Discover scanned data database.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Content.

2. Select Concept from the first drop-down list and is any of from the second.

3. Click "?", then open Corporate Confidential.

4. Select DocReg. The DocReg concept contains all the signatures that identify registered data. When this

concept is used in a search, its signatures are applied against all objects in the Discover database. Any

matches are reported on the Incidents dashboard.

5. Click Apply.

6. Click Search.

TIP: Alternately, save as rule to open a rule definition page. Adding this rule to a policy allows you to use the

DocReg concept to identify sensitive documents automatically whenever that policy is used to find incidents.

Finding repository types in discovered data

Use this task to find repository types in data at rest.

Repository types:

CIFS: Microsoft Common Internet File Services

SharePoint: Microsoft SharePoint

NFS: Sun Network File System

Documentum: EMC Documentum

FTP_Crawl: File Transfer Protocol Crawl

HTTP_Crawl: Hypertext Transfer Protocol Crawl

HTTPS_Crawl: Secure Hypertext Transfer Protocol Crawl

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Repository Type from the first drop-down list, and is any of from the second.

3. Click "?".

4. Select one or more repositories.

5. Click Search or Save as Rule.

Finding IP addresses in discovered data

Use this task to find IP addresses in the Discover scanned data database.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Host IP from the first drop-down list, and is any of from the second.


3. Click "?".

4. Type the IP address of the repository into the value field.

NOTE: You can type in a single address, a range, or a subnet; CIDR notation is supported.

Examples:

192.168.3.225

10.1.0-10.0.1.255

172.16.1.1/24

5. Click Search or Save as Rule.
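The following added Python example (not code from the McAfee guide) shows how a Host IP "is any of" search value in each of the three forms above, a single address, a start-end range, or a CIDR subnet, selects hosts from a constructed list of scan results; it assumes the range form is written as two full dotted addresses.

```python
"""Match Host IP search values in the three forms the Discover search accepts.

Added example, not part of the McAfee DLP guide: it models how a single
address, a start-end range, or a CIDR subnet typed into the Host IP value
field selects repositories from a constructed set of scan results.
"""
import ipaddress
from typing import Callable, Iterable, List


def parse_ip_term(term: str) -> Callable[[ipaddress.IPv4Address], bool]:
    """Return a predicate for one search value.

    Accepted forms (assumed): a single address ("192.168.3.225"), a range
    written as "start-end" with two full addresses, or a CIDR subnet
    ("172.16.1.1/24"). Host bits in a CIDR term are ignored (strict=False),
    so 172.16.1.1/24 covers the whole 172.16.1.0/24 network.
    """
    term = term.strip()
    if "/" in term:
        net = ipaddress.ip_network(term, strict=False)
        return lambda ip: ip in net
    if "-" in term:
        lo_s, hi_s = (p.strip() for p in term.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo > hi:
            raise ValueError(f"range start after end: {term}")
        return lambda ip: lo <= ip <= hi
    single = ipaddress.ip_address(term)
    return lambda ip: ip == single


def hosts_matching(terms: Iterable[str], host_ips: Iterable[str]) -> List[str]:
    """'is any of' semantics: a host is selected if any term matches it."""
    preds = [parse_ip_term(t) for t in terms]
    selected = []
    for raw in host_ips:
        ip = ipaddress.ip_address(raw)
        if any(pred(ip) for pred in preds):
            selected.append(raw)
    return selected


# Constructed repository host addresses (not from any real scan).
SAMPLE_HOSTS = [
    "192.168.3.225", "192.168.3.226",
    "10.0.1.17", "10.0.2.1",
    "172.16.1.200", "172.16.2.5",
]

if __name__ == "__main__":
    # One term of each form: single address, range, CIDR subnet.
    terms = ["192.168.3.225", "10.0.1.0-10.0.1.255", "172.16.1.1/24"]
    print(hosts_matching(terms, SAMPLE_HOSTS))
```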

Finding host names in discovered data

Use this task to find host names in the Discover scanned data database.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Host Name from the first drop-down list, and is any of from the second.

3. Click "?".

4. Type the host name of the repository into the value field.

5. Click Search or Save as Rule.

Finding file name patterns in discovered data

Use this task to find files by pattern in the Discover scanned data database.

NOTE: The only metacharacter supported is a single asterisk.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Share Name, Host IP or Host Name from the drop-down list to define the target of the search.

3. Click the plus icon to add an element.

4. Select File Name Pattern from the first drop-down list, and contains any of from the second.

NOTE: Use Basic Search | File Name Pattern to find files in streaming network data.

5. Type a name, or a single file type extension into the value field.

6. Click Search or Save as Rule.

NOTE: Comma- and space-separated values signifying AND and OR are not supported.

Example

Find a JPG in a database or repository:


Capture | Advanced Search | Discover | File Name Pattern contains *.jpg

Find Microsoft Office Word AND Excel files in a database or repository:

Capture | Advanced Search | Discover | File Name Pattern contains *.xls

NOTE: You can use a keyword with an asterisk (for example, Financ*), but a File Name Pattern search is

faster.

7. Click Search or Save as Rule.
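The added Python example below (not code from the McAfee guide) applies a File Name Pattern under the single-asterisk rule to a constructed file list, and rejects comma- or space-separated values and multi-asterisk patterns, which the search does not support; case-insensitive matching, and substring semantics for a pattern with no asterisk, are assumptions.

```python
"""Apply a Discover File Name Pattern (single asterisk only) to file names.

Added example, not part of the McAfee DLP guide. It encodes the rules the
guide states: the only metacharacter is one asterisk, and comma- or
space-separated values (AND/OR lists) are not supported. Unsupported input
is rejected up front instead of being silently mis-matched.
"""
from typing import Callable, List


def compile_pattern(pattern: str) -> Callable[[str], bool]:
    """Return a matcher for one File Name Pattern value.

    Raises ValueError for input the search does not support: comma- or
    space-separated values, or more than one asterisk.
    """
    if "," in pattern or " " in pattern.strip():
        raise ValueError(f"comma/space-separated values are not supported: {pattern!r}")
    if pattern.count("*") > 1:
        raise ValueError(f"only a single asterisk is supported: {pattern!r}")
    pat = pattern.strip().lower()  # case-insensitive matching is an assumption
    if "*" not in pat:
        # No wildcard: treat as a plain 'contains' test (assumption).
        return lambda name: pat in name.lower()
    prefix, suffix = pat.split("*")

    def match(name: str) -> bool:
        n = name.lower()
        # The asterisk may stand for zero or more characters, so the name
        # must be long enough for prefix and suffix not to overlap.
        return (len(n) >= len(prefix) + len(suffix)
                and n.startswith(prefix) and n.endswith(suffix))

    return match


def files_matching(pattern: str, names: List[str]) -> List[str]:
    """Return the names selected by one File Name Pattern value, in order."""
    matcher = compile_pattern(pattern)
    return [n for n in names if matcher(n)]


# Constructed file names (not from any real repository).
SAMPLE_FILES = [
    "Q3_Financials.xls", "photo.jpg", "Financial_plan.docx",
    "notes.txt", "budget.XLS",
]

if __name__ == "__main__":
    for p in ("*.jpg", "*.xls", "Financ*"):
        print(p, "->", files_matching(p, SAMPLE_FILES))
```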

Finding file owners in discovered data

Use this task to find all files belonging to a single user in the Discover scanned data database.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select File Owner.

3. Select is any of from the drop-down list.

TIP: If the files belong to a prolific user, adding other search elements to the query will help to focus on exactly

what is needed.

4. Type the file owner into the value field.

5. Click Search or Save as Rule.

Finding file paths in discovered data

Use this task to find file paths in the Discover scanned data database.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select File Path from the first drop-down list, and contains any of from the second.

3. Type the file path of the repository into the value field.

4. Click Search or Save as Rule.

NOTE: Absolute or relative file paths in Microsoft Windows (\) or UNIX (/) systems are indexed in the database,

but only UNIX paths are supported when searching.

Finding percentages of registered data at rest

When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so searching for a match to a percentage of the registered material is more likely to expose intellectual property theft.

Use this task to match files containing a percentage of registered data in the Discover database.

NOTE: This function cannot be used to search by itself; it can only be added to a rule to supplement other parameters that have been defined.


1. Go to DLP Reporting | Advanced Search.

2. Open Discover.

3. Select Signature Percentage Match from the first menu.

4. Select greater than from the second menu.

NOTE: Because an exact percentage match is unlikely, you can only ask that the match be greater than the

percentage you specify.

5. Enter an integer in the value field.

6. Click Save.

Finding share names in discovered data

Use this task to find share names in the Discover scanned data database.

NOTE: You need not know the server on which the share resides, but the targeted file system will have to be

configured as a share.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Share Name from the first drop-down list, and is any of from the second.

3. Click "?".

4. Type a share name into the value field.

5. Click Search or Save as Rule.

NOTE: On Microsoft Windows computers, the default share is C$.

Finding domain names in discovered data

Use this task to find domain names in the Discover scanned data database.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Domain Name from the first drop-down list, and contains any of from the second.

3. Type a domain name into the value field.

4. Select contains any of from the drop-down list.

5. Click Search or Save as Rule.

Example:

Find a domain name:

DLP Reporting | Advanced Search | Discover | Domain Name contains any of Mercury

Finding catalogs in discovered data

Use this task to match files containing a catalog in the Discover database.


When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so

searching for match to a percentage of the registered material is more likely to expose intellectual property

theft.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Catalog from the drop-down list, then click Search or Save as Rule.

Finding schemas in discovered data

Use this task to match files containing a catalog in the Discover database.

When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so

searching for match to a percentage of the registered material is more likely to expose intellectual property

theft.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Catalog from the drop-down list.

3. Click Search or Save as Rule.

Finding column names in discovered data

Use this task to find share names in the Discover scanned data database.

NOTE: You need not know the server on which the share resides, but the targeted file system will have to be

configured as a share.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Share Name from the first drop-down list, and is any of from the second.

3. Click "?".

4. Type a share name into the value field.

5. Click Search or Save as Rule.

NOTE: On Microsoft Windows computers, the default share is C$.

Finding table names in discovered data

Use this task to find share names in the Discover scanned data database.

NOTE: You need not know the server on which the share resides, but the targeted file system will have to be

configured as a share.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Share Name from the first drop-down list, and is any of from the second.


3. Click "?".

4. Type a share name into the value field.

5. Click Search or Save as Rule.

NOTE: On Microsoft Windows computers, the default share is C$.

Finding records and rows in discovered data

Use this task to find share names in the Discover scanned data database.

NOTE: You need not know the server on which the share resides, but the targeted file system will have to be

configured as a share.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then

open Discover.

2. Select Share Name from the first drop-down list, and is any of from the second.

3. Click "?".

4. Type a share name into the value field.

5. Click Search or Save as Rule.

NOTE: On Microsoft Windows computers, the default share is C$.

Storage scanning requirements

Accessing network storage

Before scanning data storage devices, you must understand what is required for DLP Discover

to access the file system.

Accessing Network Attached Storage (NAS)

Network Attached Storage presents a conventional file system to the network, and can be

accessed directly by DLP systems.

Accessing Storage Area Networks (SANs)

Storage Area Networks store data as physical blocks of disk space, a format that is not directly usable, but DLP Discover can connect through any server that owns a pool of data on that device.

Host vs. network discovery

How host and network scans differ

Network scans find content that has been registered, or has been discovered during a

registration scan. Host scans use either content or context.


● Using content categories. Categories can match specific text patterns, dictionaries, or registered documents

repositories to the files.

● Using file context. You can specify file types, file extensions, document properties, encryption type, and user

assignment in the discovery rule.

How host and network remediation differs

When sensitive content is found during a network scan, it can be remediated by pre-configuring

actions that will automatically copy, encrypt, move (quarantine), or delete it.

● For host discovery scans, a setting on the Policy tab allows you to delete files instead of quarantining them. In ePolicy Orchestrator, go to Menu | Data Protection | DLP Monitor | Tools | Options.

You will need a release key to release files from quarantine. This is done by generating a challenge key and

sending it to the administrator, who issues an Agent Quarantine Release Key.

● For network scans, quarantined files can be remediated from the DLP Reporting | Incidents page. No release

key is required.

How host and network registration works

Registration works slightly differently in the host and network implementations.

Unique signatures that identify documents or data on the network are collected in the DocReg

and DBReg concepts. They are proprietary concepts that hold all signatures generated for

registered documents or structured data during registration.

In host document registration, a host registration scan deploys registered document packages to

the DLP Agents, and the index packages are distributed to all endpoint workstations. The DLP

Agent on the endpoint blocks distribution of documents containing registered content fragments

outside of the host system.

Deploying a host package to the agents

Use this task to deploy a registered document package to host computers when working in

ePolicy Orchestrator.

NOTE: The registered document package must be indexed in ePolicy Orchestrator.

1. In ePolicy Orchestrator, click System Tree.

2. In the System Tree, select the level at which to deploy the registered document package.

TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy Orchestrator. If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy the registered document package to individual workstations.

3. Click the Client Tasks tab. Under Actions click New Task. The Client Task Builder wizard opens.

4. In the Name field, type a suitable name, for example, Deploy registered document package.

5. In the Type field, select Product Deployment. Click Next.

6. In the Products and Components field, select DLP Registered Documents 9.0.0.0. Leave the Action on

Install.


7. Click Next.

8. Select a suitable Schedule type and set the options, date, and schedule parameters. Click Next.

9. Review the task summary. When you are satisfied that it is correct, click Save.

Registering documents on host computers

There are two advantages of registering documents over traditional location-based tagging.

● Documents that existed before the location-based tag was defined are not detected by location-based tagging

rules — unless the user opens or copies the original file from its network location. Registered document

classification rules detect all files in the defined folders.

● If the same confidential content exists in several documents, you need to categorize it only once using a

registered document repository. When you use location-based tagging you have to identify every network

share where the confidential content is located, and tag each one.

Setting up a host discovery scan

Use this task to set up a host discovery scan. Changes in discovery setting parameters take

effect on the next scan. They are not applied to scans already in progress.

NOTE: To run a discovery scan on a host computer, you must activate the discovery module on the

Miscellaneous tab of the Agent Configuration dialog box.

1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data

Loss Prevention 9.0.0.0:Policies. From the Category drop-down list select Agent Configuration.

2. Create a new Agent Configuration, or edit an existing one.

3. Click the Discovery Setup tab. Set the performance parameters. To prevent excessive demand on the system,

you can pause the scan when the CPU or RAM usage exceeds a preset value. The default for each of these is

80%. You can also speed up scans by setting a maximum file size to scan.

4. Set the notification details. When the Quarantine action is selected in a discovery rule, discovery removes files

with sensitive content to the quarantine folder. If no notifications are set, users might wonder why their files

disappeared. The notification feature replaces files with stand-in files with the same name containing the

notification text. If the discovery rule is set to encrypt files, no notification is needed because the files remain in

place.

5. To get files out of quarantine, users must request a quarantine release key from the administrator. This works

in a similar manner to the agent override key. To unlock encrypted files, users must have the encryption key

specified in the discovery rule.

NOTE: If you select the Encrypt action and McAfee Endpoint Encryption is not installed, the files are

quarantined.

6. Select the folders to scan, and the folders to skip. Use Windows Explorer to browse to a folder, then cut and paste the address into the Enter folder text box. Use the plus icon to add the folder to the scan list. You can remove folders with the minus icon.


NOTE: If you don't specify any folders for either scan or skip, all folders on the computer are scanned. The only

folder that is skipped by default is C:\Windows. The following file types will always be skipped, no matter which

folder they are in:

● The specific files ntldr, boot.ini, and .cekey

● Executable files (*.com, *.exe, *.sys)
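The added Python example below (not McAfee's code) works out, for a constructed set of paths, whether a host discovery scan would examine a file under the scan-folder, skip-folder and always-skipped rules just described; case-insensitive Windows path handling, and skip folders taking precedence over scan folders, are assumptions.

```python
"""Decide whether a host discovery scan would examine a given file.

Added example, not part of the McAfee DLP guide. It encodes the folder
behaviour the guide describes for host discovery: an empty scan list means
every folder on the computer, C:\\Windows is skipped by default, and
ntldr, boot.ini, .cekey and executable files (*.com, *.exe, *.sys) are
always skipped whatever folder they are in. Path handling (case-insensitive,
backslash-separated) and skip-before-scan precedence are assumptions.
"""
from typing import Iterable, Tuple

ALWAYS_SKIPPED_NAMES = {"ntldr", "boot.ini", ".cekey"}
ALWAYS_SKIPPED_EXTENSIONS = {".com", ".exe", ".sys"}
DEFAULT_SKIP_FOLDERS = ["C:\\Windows"]


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (assumed case-insensitive)."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _under(path: str, folder: str) -> bool:
    """True if path is folder itself or lies anywhere beneath it."""
    p, f = _norm(path), _norm(folder)
    return p == f or p.startswith(f + "\\")


def scan_decision(path: str, scan_folders: Iterable[str],
                  skip_folders: Iterable[str]) -> Tuple[bool, str]:
    """Return (scanned, reason) for one file path.

    Order of evaluation: always-skipped files, then skip folders (user
    list plus the C:\\Windows default), then the scan list.
    """
    name = _norm(path).rsplit("\\", 1)[-1]
    if name in ALWAYS_SKIPPED_NAMES:
        return False, "always-skipped file"
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in ALWAYS_SKIPPED_EXTENSIONS:
        return False, "executable file"
    for folder in list(skip_folders) + DEFAULT_SKIP_FOLDERS:
        if _under(path, folder):
            return False, f"under skip folder {folder}"
    scan_list = list(scan_folders)
    if not scan_list:
        return True, "no scan folders set: whole computer"
    for folder in scan_list:
        if _under(path, folder):
            return True, f"under scan folder {folder}"
    return False, "outside scan folders"


if __name__ == "__main__":
    # Constructed paths; a scan list of D:\data with D:\data\archive skipped.
    for p in ("D:\\data\\plan.docx", "D:\\data\\archive\\old.xls",
              "D:\\data\\setup.exe", "C:\\Windows\\notepad.exe"):
        print(p, scan_decision(p, ["D:\\data"], ["D:\\data\\archive"]))
```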

Configuring a policy for host discovery

Use this task to set the discovery policy.

1. Go to Menu | Data Loss Prevention | DLP Policies.

2. On the Policies page, from the Actions menu, select Add Policy.

3. Type a name for the policy. Under Devices select Host. From the State drop-down list select Active. From the

Actions menu, select Add Rule.

4. Type a name for the rule. For Inherit Policy State select Enabled. On the Define tab, define at least one rule

element. The element should be one of Keywords or Concept (under Content) or Location Tag Path (under

Endpoint).

5. On the Actions tab, click to add an action rule, and select the discovery action rule created previously from the

list.

6. Click Save to save the rule, then click Save to save the policy. See Configuring discovery scans to configure

the scan operation.

How host scans are scheduled

Host discovery scans are set up and scheduled on standalone systems on the Agent

Configuration page in the Policy Catalog.

You can run a host scan at a specific time daily, or on specified days of the week or month. You

can specify start and stop dates, or run a scan when the DLP Agent configuration is enforced.

You can suspend the scan when the computer's CPU or RAM exceeds a specified limit.

If you change the discovery policy while a host scan is running, rules and schedule parameters

will change immediately. Changes to which parameters are enabled or disabled will take effect

with the next scan. If the computer is restarted while a scan is running, the scan continues where

it left off.

For network discovery, scheduling is set on the Scan Operations page. If you make changes to network scans,

you must stop the scan, make the changes, save, and re-scan.

Scheduling a host discovery scan

Use this task to schedule a host discovery scan.

NOTE: To run a discovery scan on a host computer, you must activate the discovery module on the

Miscellaneous tab of the Agent Configuration dialog box.


1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data

Loss Prevention 9.0.0.0:Policies.

2. Create a new Agent Configuration, or edit an existing one.

3. Click the Discovery Schedule tab. Set the time of day for the scan to start using the thumbwheel.

4. Set the scanning frequency using the option buttons and checkboxes.

5. If you want to run a discovery scan immediately, select Run now.

6. If you want to prevent runs being missed due to the user being logged off, select Resume discovery missed

runs after login.

7. Set the start and end dates for discovery scans. Click Save.

Scheduling a host registration scan

Use this task to schedule indexing of host registered document repositories in ePolicy

Orchestrator.

Create a registered documents repository definition, then create and enable a registered

documents classification rule and a protection rule using the content category specified in the

classification rule. Apply the policy to ePolicy Orchestrator.

1. In ePolicy Orchestrator, go to Menu | Server Tasks.

2. Click New Task.

3. In the Server Task Builder, name the new task and click Next.

4. On the Actions page, select DLP Register Documents Scanner from the pull-down menu. Click Next to

schedule the scan, review your task, and click Save. The task now appears in the Server Tasks list. Select it

and click Run to run the scan immediately.

Using policies and rules

How policies and rules are used

On DLP systems, rules are used to match network and endpoint data to produce incidents.

Related rules are collected in policies that target specific issues.

Many standard policies are installed on DLP Monitor, and users can choose which ones to

activate and publish to other DLP devices. By default, policies and their rules act as a single unit,

but if inheritance is disabled, rules can be run individually.

After one or more DLP Monitors have captured and processed data for some time, incidents that

are found by the rules under standard policies are reported to the Incidents dashboard.

On endpoint systems, all deployed rules are collected in a single global DLP policy. That policy

is implicit, and is not visible on the DLP dashboards as a separate entity.


Using policies

How policies work

Policies are containers for groups of related rules. When the rules of a policy produce an

incident, the navigation pane displays the name of the policy used. However, the Group by

menu can be configured to display other attributes as well.

TIP: Select Group by Rule to find out exactly why the incident was reported.

Standard policies are installed on DLP Monitor, Discover or Prevent appliances before

shipment. Your geographic location, industry sector, and business type determine which ones

are activated during installation, but activation can also be done from the Policies page.

Customized policies can be created at any time to address issues specific to your business

operations.

All standard and customized policies are listed under the Policies tab.

Policy field definitions

Use the following field definitions when adding or editing policies.

Policy Name

Type in a descriptive name. Use of certain non-alphanumeric characters may generate an error

message.

Policy Description

Type in a description (optional).

Owner

Select a group whose members can access the policy. If you are logged in as a member of one

of the default groups, only that group is displayed, and other options are not available.

State

Policies must be published to a device to be used, so new policies are inactive by default. If you

plan to use the new policy, check one or more boxes under Devices.

Those appliances will then match the policy's rules to network traffic or repositories, and report

results to the Data-at-Rest or Data-in-Motion dashboards.

Region

In this release, groups of international policies can be used to add rules relevant to specific

geographic regions.

For example, to define a new policy for Ukraine, select Europe and Middle East from this menu

to add the new Ukrainian policy to that regional group. If the EMEA group is not on the menu,

select it from the Regional Policy menu on the Policies page and click Add.


Suppress incidents

Check either Data-at-Rest or Data-in-Motion if your purpose is to find incidents only in static

network repositories or moving network traffic. Eliminating reporting of irrelevant hits will exclude

results that are not useful and improve performance.

Note: Data-in-Use events will display only if DLP Host is installed, and cannot be suppressed if

they are found.

Devices

Devices that are attached to DLP Manager are listed so that you can publish the new policy to

one or more of the available DLP appliances.

If you are not going to publish the policy right away, check None. If you check the Host box, you

must already have it installed on DLP Manager.

Using international policies

International policies containing rules supporting regional documents have been added to this release. Regional users can not only conduct searches and view incidents in local languages, but use rules constructed to provide privacy protection for local identification numbers (drivers' licenses, international bank account numbers, etc.):

Asia Pacific

Australia

China

Hong Kong

India

Korea

Singapore

Taiwan

Europe and Middle East

Austria

France

Germany

Israel

Netherlands

Poland

Russia

Spain


Turkey

United Kingdom

Latin America

Brazil

Mexico

Use this task to add and activate local policies and rules.

1. In ePolicy Orchestrator, go to Menu | DLP Prevention | DLP Policies.

2. Click Add, then confirm or cancel the operation.

3. Select the checkboxes of the appropriate local policies.

4. From the Actions menu, select Activate.

Adding policies

Use this task to add customized policies that address a specific need in your organization.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select Add Policy from the Actions menu.

3. Type in a name and an optional description.

4. Select an Owner.

NOTE: Standard policies are owned by the admin user. If another policy owner is needed but not listed, add the

user to an existing group, or create a new one before adding the policy.

5. If you are going to use the policy immediately, set State to Active. An inactive policy cannot produce incidents.

6. If you want to limit the rule to acting on static or moving data, check Data-at-Rest or Data-in-Motion.

7. Select one or more device checkboxes to publish the policy to specific appliances.

TIP: Select None if you want to publish the policy at a later time.

8. Click Save.

9. Go to System | User Administration to assign access rights to the policy.

10. Select Groups, then click the Details icon of a group that will use the policy.

11. Click Policy Permissions.

12. Select the checkboxes of the permissions needed by the group.

13. Click Apply.

14. Click the Policy tab and open the new policy.

15. Add rules to the policy.

Activating policies

Use this task to activate a policy that was not initially activated during installation of

DLP appliances. A policy that is inactive cannot find and report incidents to the dashboard.


NOTE: Policies have the default state Inactive. To use a policy, you can activate it while editing — or, to

activate multiple policies, select the policy checkboxes and select Activate from the Actions menu.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select a policy checkbox.

3. Select Activate from the Actions menu.

4. Verify the change in the State column.

TIP: Rules inherit activation from their policies, but inheritance can be disabled to allow them to run

independently.

Deactivating policies

Use this task to deactivate a policy so that it will not produce any incidents.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select a policy checkbox.

3. Select Deactivate from the Actions menu.

4. View the State column of the policy to verify the change.

NOTE: The rules of a policy may be active or inactive, depending on inheritance.

How activation works

Policies must be activated and published to at least one DLP appliance before the system can

report incidents and events. They are inactive by default to allow users to focus only on the rule

sets that meet their needs.

For example, United Kingdom users may add the EMEA regional policy package, but activate

only the UK policy. Similarly, North American users may want to use only the U.S. government

regulatory policies, like HIPAA, SOX and ITAR.

There are three ways to activate a policy.

● During installation, check the boxes of the policies to be activated.

● On the Policies page, check the boxes of the policies to be activated, then select Activate from the Actions

menu.

● Open a policy and select Active from the State menu.

NOTE: State is inherited by the rules of a policy, but can be disabled to allow rules to run independently.

How inheritance works

The Inherit Policy State establishes the relationship of a rule to its policy. If a rule inherits Active

state from its policy, it runs only when the policy runs, and cannot be run independently.

NOTE: Policy-based inheritance is enabled by default because it allows policies to work efficiently as a unit.

User-defined rules are disabled by default, allowing the flexibility needed for non-standard applications.


Changing ownership of policies

Use this task to change ownership of a policy.

NOTE: Ownership is granted to users through the Manage Policy and Rules group permission.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select a policy checkbox.

3. Select Modify Owner from the Actions menu.

4. Select a group from the sub-menu.

Publishing policies

Use this task to publish policies to one or more appliances. A published policy is one that is

deployed on one or more DLP devices.

NOTE: Policies can be published by checking Device boxes during creation or modification.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select one or more policy checkboxes.

3. Select Modify Devices from the Actions menu.

4. Check the boxes of one or more appliances.

NOTE: If the All Devices deployment target is selected, all rules of all policies that have been activated on

DLP Manager will run on all its managed devices. If the appliance to which you need to publish is not listed

under Devices, you must first add that device to the system.

5. Click Apply.

6. Select one or more devices from the submenu.

TIP: Select None if you want to publish the policy at a later time.

7. Check the Deployed On column to verify redeployment.

Cloning policies

Use this task to create a new policy that resembles an existing one.

NOTE: You cannot save and edit the rules, but all policy attributes will be replicated.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on the policy you want to use as a template.

3. Type in a new name.

4. Type in a new description (optional).

5. Edit other parameters as needed.

6. Click Save As.


7. Verify that the new policy is listed under Policies.

8. Add rules to the policy.

Renaming policies

Use this task to rename a policy.

NOTE: If you rename a policy, you will lose incidents already found by its rules.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy.

3. Type in a new name and description (optional). When you start typing, a Save As button will pop up.

4. Click Save.

NOTE: No confirmation is required. The new policy is immediately added to the policy list.

Executing policies

Use this task to assign policy permissions to users.

NOTE: Users tasked with viewing incidents and events must have Execute Policy permission, because policies

have been used to find them.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sysconfig | System | User Administration.

2. Click on the Details icon of the user's group.

3. Click on the Policy Permissions tab.

4. Open Policies.

5. Select one or more Execute checkboxes corresponding to the policies to be used to find incidents.

6. Click Apply.

Editing policies

Use this task to modify the parameters of a policy.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on the policy.

3. Modify one or more parameters.

4. Click Save.

Deleting policies

Use this task to delete policies.

NOTE: You can delete a policy only if you own it.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select one or more policy checkboxes.

3. Select Delete from the Actions menu.

TIP: To delete policies one by one, click the trash can icons.

Using rules

How rules work

Rules define patterns that are matched against network or endpoint data to identify violations of

policy. When a rule hits on a data match, an incident or event is saved in a database and

reported to the dashboard.

NOTE: Only active rules report results, and the system cannot manage more than a total of 512 active rules. To

activate a 513th rule, you must deactivate an active rule.

TIP: User permissions, including the ability to create or use rules, depend on group membership. Group

permissions are displayed under DLP Sysconfig | User Administration | <Details> | Groups | Task

Permissions | Policy Permissions.

Adding rules

Use this task to add a rule to a policy. You can also search captured data and save the search as a rule,

which is the method shown here.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.

2. Enter a query and examine the results.

3. If the results are useful, and you want to run the query on a regular basis, click Save as Rule. The Edit Rule

page launches.

4. Type in a rule name.

5. Assign the rule to a policy by selecting an appropriate one from the Policy menu.

6. Select a Severity to classify the rule.

7. Set the Inherit Policy State to Enabled to bind the rule to the policy.

8. Make any changes or additions to the rule's parameters.

9. Click Save as Rule.

TIP: If you want to tune the rule, select the Disabled state and run it apart from the policy until it is perfected.

Viewing rule parameters

Use this task to review the parameters of a rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy.

3. Click on a rule.


4. Open the categories under the Define, Actions and Exceptions tabs.

5. View any of the defined parameters.

Reconfiguring rules for web traffic

Use this task to reconfigure rules to monitor web traffic.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy, then click on a rule you want to adapt for web traffic.

3. Type a new name and click Save As to create a copy of the rule.

4. Click on the new rule.

5. Open Protocol.

6. Select Protocol from the Element menu.

7. Select is any of from the Condition menu.

8. Click "?".

9. If any boxes are checked on the popup menu, uncheck them.

10. Select all HTTP checkboxes.

11. Click Apply.

12. Click Save.

Copying a rule to a policy

Use this task to save the same rule under two different policies.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy.

3. In the Rule Name field, type in a new name. To keep the appearance of an exact duplicate, you can add a

single character or a space to distinguish it from the original.

4. Select a different policy from the Policy menu.

5. Click Save As.

6. Go to Policies.

7. Click on the policy you selected from the Policy menu.

8. Verify that the copied rule has been added to the rule list.

Detaching rules from policies

Use this task to detach a rule so that it can be run independent of its policy.

NOTE: This process is used primarily for tuning rules.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on an Active policy.

3. Click on a rule.


4. Disable the Inherit Policy State.

5. Click Save.

Editing rules

Use this task to modify the parameters of a rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy.

3. Click on a rule.

4. Modify one or more parameters.

5. Click Save.

NOTE: Inactive rules that belong to standard policies are automatically activated when they are saved.

Deleting rules

Use this task to delete one or more rules from a policy.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy.

3. Select one or more rule checkboxes.

4. Select Delete from the Actions menu.

TIP: To delete rules one by one, click the trash can icons.

Defining exceptions to rules

What are false positives?

When the parameters of a rule literally match network data but produce no useful information,

the resulting incident is referred to as a false positive.

Creating an exception keeps the rule that tagged false data from reporting it again. The

classification engine responds by ignoring incidents that include certain attributes.

How exceptions to rules are defined

An incident may technically match a rule, but it might not contain any useful information, which

makes it a false positive. False positives get in the way of significant results, preventing accurate

reporting of the problems detected in network traffic.

In such a case, you can redefine the rule that produced the incident by adding an exception.

When the rule runs again, the classification engine will ignore any incidents that contain the

misleading attributes.

There are several ways to assure that only legitimate violations are reported to the dashboards.


● Add new rules that contain exceptions

● Add exceptions to existing rules

● Use existing incidents to build more accurate rules

● Define an incident that has already been detected as a false positive

TIP: To prevent false positive matches, tune rules after they are created using historical data.

Defining false positive incidents

Use this task to define false positive incidents.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.

2. Find one or more incidents that contain useless or insignificant information.

3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.

4. Check the boxes of the rules you want to define as exceptions.

TIP: Select the box in the table header to select all incidents on the current page, or Select All Results from the

Actions menu to define every incident with a specific false positive parameter from being reported again.

5. From the Actions menu, select Modify Status | False Positive | Set Status.

6. Click the Columns icon.

7. Select Status from the Available list.

8. Add it to the selected columns.

TIP: Before clicking Apply, select Status and click the Move Up or Top buttons to move the false positive status

to the left.

9. Click Apply.

10. Scroll the list of incidents to view those that are false positives.

TIP: Click the Status column header to display all false positives at the top of the list.

Adding exceptions to existing rules

Use this task to add an exception to an existing rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy, then the rule to be modified.

3. Click on the Exceptions tab, and open the Exception 1 element.

4. Type text describing the exception into the Notes box.

5. Open the element categories and define parameters that should be ignored when the rule is run.

NOTE: Eight exceptions are supported for each rule, so you can define precisely the conditions that are NOT to

be matched. The capture engine will DROP any incident matching the exceptions.


6. Type in a Note describing the exception.

7. Using the existing categories, define each aspect of the exception.

8. Click Save.

NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only

when tuning rules, which requires historical data.
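An added example, not from the guide: a Python model of how the classification engine treats a rule's Define conditions together with its Exception elements, using the condition vocabulary the rule editor shows (is any of, is none of, contains any of, contains none of) and the eight-exception limit. The rule, its exceptions, the attribute names and the incidents are constructed for illustration; the engine's real matching internals are not described on this page.

```python
MAX_EXCEPTIONS = 8   # per-rule limit stated in the guide

# Condition operators in the vocabulary the rule editor uses.
OPERATORS = {
    "is any of": lambda actual, values: actual in values,
    "is none of": lambda actual, values: actual not in values,
    "contains any of": lambda actual, values: any(v in actual for v in values),
    "contains none of": lambda actual, values: not any(v in actual for v in values),
}


def condition_holds(incident, attribute, operator, values):
    """Evaluate one (attribute, operator, values) condition against an incident."""
    actual = incident.get(attribute, "")
    return OPERATORS[operator](actual, values)


def element_holds(incident, conditions):
    """Every condition in a Define block, or in one Exception element, must hold."""
    return all(condition_holds(incident, *cond) for cond in conditions)


class Rule:
    def __init__(self, name, define, exceptions=()):
        if len(exceptions) > MAX_EXCEPTIONS:
            raise ValueError(f"{name}: at most {MAX_EXCEPTIONS} exceptions per rule")
        self.name = name
        self.define = list(define)
        self.exceptions = list(exceptions)      # (note, conditions) pairs

    def classify(self, incident):
        """Return 'no match', 'incident', or 'dropped: <exception note>'."""
        if not element_holds(incident, self.define):
            return "no match"
        for note, conditions in self.exceptions:
            if element_holds(incident, conditions):
                return "dropped: " + note       # matches the rule, but an exception applies
        return "incident"


# Constructed rule (hypothetical attribute names and values): card numbers leaving
# over mail or web, ignoring files whose names mark them as test data.
CARD_RULE = Rule(
    "Card numbers over mail or web",
    define=[
        ("concept", "is any of", {"CCN", "MASTERCARD", "AMEX"}),
        ("protocol", "is any of", {"SMTP", "HTTP"}),
        ("filename", "contains none of", {"test-", "sample-"}),
    ],
    exceptions=[
        ("billing system mailbox",
         [("sender", "contains any of", {"@billing.example.com"})]),
        ("mail that stays inside the company",
         [("protocol", "is any of", {"SMTP"}),
          ("recipient", "contains any of", {"@example.com"})]),
    ],
)

# Constructed incidents, as the Incidents page might group them under this rule.
INCIDENTS = {
    "to partner": {"concept": "CCN", "protocol": "SMTP", "sender": "jane@example.com",
                   "recipient": "ap@partner.example.net", "filename": "invoices.xlsx"},
    "billing job": {"concept": "CCN", "protocol": "SMTP", "sender": "batch@billing.example.com",
                    "recipient": "ap@partner.example.net", "filename": "run.csv"},
    "internal": {"concept": "MASTERCARD", "protocol": "SMTP", "sender": "jane@example.com",
                 "recipient": "bob@example.com", "filename": "cards.txt"},
    "web upload": {"concept": "MASTERCARD", "protocol": "HTTP", "sender": "jane@example.com",
                   "recipient": "upload@example.com", "filename": "cards.txt"},
    "ftp copy": {"concept": "CCN", "protocol": "FTP", "sender": "jane@example.com",
                 "recipient": "files@partner.example.net", "filename": "cards.txt"},
    "test data": {"concept": "CCN", "protocol": "HTTP", "sender": "qa@example.com",
                  "recipient": "upload@partner.example.net", "filename": "test-cards.csv"},
}


def classify_all(rule, incidents):
    """Map each incident name to the rule's verdict."""
    return {name: rule.classify(inc) for name, inc in incidents.items()}


if __name__ == "__main__":
    for name, verdict in classify_all(CARD_RULE, INCIDENTS).items():
        print(f"{name:12s} -> {verdict}")
```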

Adding new rules that contain exceptions

Use this task to define a new rule with an exception.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. From the Actions menu, select Add Policy.

3. Type in a name for the policy. Typing a description is optional.

4. From the State menu, select Active.

NOTE: If you are not going to use the rule right away, you can leave it in an Inactive state.

5. From the Region menu, select the region in which the policy will be used.

6. Select the devices to which the policy will be deployed.

7. Click Save.

8. Click on the policy, and select Add Rule from the Actions menu.

9. Click on the policy that contains the rule.

10. Type in a name for the policy. Typing a description is optional.

11. From the Severity menu, select a severity.

12. If the rule is to be run whenever its policy is run, select the Enable radio button under Inherit Policy State.

13. On the Define tab, define the parameters of the rule.

14. Click on the Actions tab, and add actions to be performed when the rule is active.

15. Click on the Exceptions tab, and open the Exception 1 element.

16. Type text describing the exception into the Notes box.

17. Open the element categories and define parameters that must NOT be flagged when the rule is run.

NOTE: Eight exceptions are supported for each rule, so you can define precisely the conditions that are to be

ignored. The capture engine will drop any incident matching the exceptions.

18. Click Save.

NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only

when tuning rules, which requires historical data.

Correcting inaccurate rules

Use this task to adjust rules that produced false positive results.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.

2. Find an incident that contains useless or insignificant information.

3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.

4. Check the boxes of the rules you want to define as exceptions, or Select All Results from the Actions menu.

TIP: Check the box in the table header to select all incidents on the current page.

5. From the Actions menu, select Modify Status | False Positive | Create Exception.

6. When the Edit Rule page launches, define the exception by adding or deleting parameters.

NOTE: When an exception is created from the Actions menu, the Edit Rule page is populated with the current

values of the rule under the Exceptions tab. This makes it easy to edit those elements to prevent a similar

incident from being reported again.

7. Type some text describing the exception in the Notes box.

8. Click Save.

Tuning rules

Use this task to tune rules, and save the search when all extraneous search terms have been

eliminated. Tuning is done by running multiple searches on historical data and gradually

tightening conditions and parameters with each modification.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Select Rule from the Group by menu.

3. Click on a rule that produces some useful results.

4. Make a note of incidents that include irrelevant information.

5. Go to Policies.

6. Click on the policy of the rule that produced the hits.

7. Click on the rule that produced the hits.

8. In Inherit Policy State, click Disabled.

NOTE: Disabling inheritance allows the rule to run independently of the other rules in the policy, allowing for

multiple revisions.

9. On the Define tab of the rule, remove any parameters that are producing false positives.

TIP: Using the conditions is none of or contains none of will help to eliminate extraneous information.

10. Click on Test Rule to start searching the historical data for a match.

11. Go to Incidents and inspect the results.

12. Repeat the process until all incidents contain useful information.

13. Reset Inherit Policy State to Enabled.

14. Click Save as Rule.


Using action rules

How action rules are used

When a rule produces an incident in network data or a scanned repository, use of an action rule

can prevent damage, trigger a remedial action, or react to an action that has been taken at a

network endpoint.

● A Data-in-Motion action rule applies preventive actions to incidents found by Monitor in network data.

● A Data-at-Rest action rule applies corrective actions to incidents found by Discover after scanning a

repository.

● A Data-in-Use action rule is applied when a specific event takes place on an endpoint.

How action rules are deployed

Action rules may be applied to Data-in-Motion, Data-at-Rest or Data-in-Use.

● An action rule can be applied to data in motion if DLP Prevent is configured with an MTA or proxy server and

registered to DLP Manager.

● An action rule can be applied to data at rest if DLP Discover crawls a repository and finds files that should be

remediated.

● An action rule must be applied to data in use if any rule acts on an endpoint event.

NOTE: If Monitor and Discover devices are both managed by DLP Manager, every rule can be configured to

deploy one action of each of the three incident types.

Reacting to violations

When DLP Prevent is deployed with an MTA or proxy server, problems found in email and

webmail can be identified and resolved immediately by associating an action with a rule.

For example, DLP Prevent might use action rules to:

● block confidential data breaches

● encrypt authorized transmissions

● quarantine suspicious traffic

● bounce email that violates policies

● notify supervisory personnel

● record incidents in a system log

● allow email that is determined to be legitimate.

TIP: Use DLP Prevent to capture network traffic for later forensic analysis, or block the transmission of sensitive

data sent using specific protocols (for example, HTTP, SMTP, HTTP POST, etc.).


Comparing Action to Protection rules

In this release, all DLP products use Action rules to define the disposition of a detected incident

or event, but some actions were originally defined as reactions attached to Host DLP protection

rules.

● In this release, a single Action rule can be attached to many different rules. Each of the rules to which the

action has been added can deploy that action once to network data in motion, data in repositories, or data in

use at endpoints.

Several actions can be combined in a single Action rule. For example, when a rule hits, the file found may be

blocked or quarantined, its sender may be notified, and it may be assigned to a group for investigation.

● In the Host DLP 9.0 standalone product, reactions are pre-configured when a Protection rule is defined. They

may be applied to different endpoints under a variety of circumstances.

Reactions can vary, depending on what action is to be taken and whether the endpoint is on- or offline (in contact

with a domain controller) when the violation occurs.

Assigning status to an incident

Use this task to identify the state of an incident in the resolution process.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on an action rule.

3. Open the Incident Status category.

4. From the drop-down list, select a state.

5. Click Save.

Applying an action rule

Use this task to add an action to a rule before it runs. Actions can be added to rules monitoring

data in motion, scanning data at rest, or identifying significant events on endpoints.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy, then click on a rule.

3. Click on the Actions tab, then click Add Action.

4. Select an action.

5. Click Save.

The list displayed will include the standard action rules, plus any custom ones you have created.

Assigning responsibility for an action

Use this task to assign an action rule to one or more reviewers who will assume responsibility for

the result.


NOTE: Only one reviewer can be assigned to an action rule, but a user group can be considered a single

reviewer.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on an action rule.

3. Open the Incident Reviewer category.

4. From the drop-down list, select a reviewer.

5. Click Save.

Using action rules to log incidents

Use this task to set up an action rule to log system events.

NOTE: You must have a syslog server configured on your network to receive system log entries. 

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on an action rule.

3. From the Syslog Notification menu, select Enable.

4. Click Save.

Using action rules to notify users

Use this task to set up notifications that inform users of problems found.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on an action rule, or add a new one from the Actions menu.

3. Open Email Notification.

4. Enter a valid email address in the From field.

NOTE: If an existing action rule is edited, the From field must be completed, even if it was not there when the

rule was created.

NOTE: If an email address containing a special character (e.g. “&, *, %”) is added to the Email Notification

component of an action rule, notification will not be sent. However, additional valid email addresses added to

the same rule will provide notification to other users.

5. Enter one or more addresses in the "To" and "cc:" fields.

6. Check a box to send a copy to the Manager, Reviewer, Sender or Recipients (optional).

The options available depend upon which DLP appliance you are using. Managers can be identified only if an

Active Directory server has been added, but other categories are user-defined. Reviewer is the only option

available on Discover.

7. Type in a Subject and Message (optional).

8. Click Save.


NOTE: The Subject and Message fields accept dynamic variables, enabling you to set up automatic responses

to routine situations.

TIP: You can use Dynamic Variables to alert users to details of the violation automatically. For example,

##Filename found by the ##Rule violated the ##Policy.

Reconfiguring action rules for proxy servers

Use this task to reconfigure action rules for use on proxy servers. This is necessary because

BOUNCE, ENCRYPT, NOTIFY, QUARANTINE or REDIRECT actions cannot be used on proxy

servers, which support only ALLOW or BLOCK.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on the action rule you want to reconfigure.

3. Type a new name and click Save As to create a copy of the action rule.

4. Click on the new action rule.

5. Open the Prevent actions menu.

6. Select Allow or Block, then click Save.

Setting up an action

Use this task to set up an action that will be taken whenever a rule identifies an incident or event.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. From the Data-in-Motion or Data-at-Rest Actions menu, select Add Action Rule. You can configure one rule

for each vector.

NOTE: See Setting up an Endpoint action rule to add an action rule to the Data-in-Use vector.

3. Type a name for the action rule. Typing a description is optional.

4. Enabling email and syslog notification is optional.

5. From the Incident Reviewer and Incident Status menus, select from the drop-down lists.

6. Depending on the Actions menu selected, select a Prevent or Remediation action and supply the required

parameters.

7. Click Save.

Editing action rules

Use this task to modify the parameters of any action rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on the action rule to be edited.

3. Modify one or more parameters.

4. Click Save.


Cloning action rules

Use this task to clone any action rule so you can apply the same action to another rule.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Click on an action rule.

3. Type in a new name. Typing in different parameters is optional.

4. Click Save As.

Removing an action from a rule

Use this task to remove an action that has been applied to a rule.

NOTE: This task removes only the association between an action and a rule. Action rules that are still applied to

rules are in use, so the action rules themselves cannot be deleted.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on a policy, then click on a rule.

3. Click on the Actions tab.

4. Find the action to be removed from the rule.

5. Click on "X".

6. Click Save.

Deleting action rules

You can delete action rules one by one, or as a group.

NOTE: Action rules that have been applied to rules are in use, so they cannot be removed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.

2. Check the box of one or more action rules.

3. Select Delete from the Actions menu.

TIP: To delete action rules one by one, click the trash can icons.

4. Click Confirm or Cancel.

Using concepts and templates

How concepts and templates are used

Content concepts, the most common type, find collections of significant data related to a single

issue in application data (Flow A). If you are an advanced user, you can construct network or

session concepts to identify data in the transport and session layers.

Templates contain collections of elements that save time when searching, creating rules, or

building capture filters. They eliminate the need to enter the same values repetitively.


NOTE: Network DLP policies contain collections of related rules, while Host DLP rules are all part of a single

global policy.

Using concepts

How concepts are used

Content concepts, the most common type, find collections of significant data related to a single

issue in application data.

Most of the concepts that are shipped with your DLP appliances are listed under the User-

Defined tab. Only a few Factory Default concepts are constructed with proprietary algorithms.

TIP: Use a content concept with one or more templates to look for patterns in specific data types.

For example, a content concept can be used to collect credit card numbering patterns that can

be matched to network data. You might use one of the factory default concepts (AMEX, CCN,

DISCOVER, MASTERCARD) to find them quickly, or you can add one that focuses only on

patterns used by retail cards.

If you are an advanced user, you can construct network or session concepts to identify data in

the Transport and Session layers.

Types of concepts

There are three types of concepts.

● Content concepts contain text patterns and regular expressions to match patterns to data on the Application

layer (Layer 7). 

● Network concepts monitor activity on the Transport layer (Layer 4). They can be used to find spiders, robots,

crawlers, types of webmail, browser versions, and operating systems in use.

● Session concepts focus on exchanges of data between applications on the Session layer (Layer 5). They can

be used to recognize content found in multiple objects contained in a single flow.

Adding content concepts

Use a content concept to regularly search application-level traffic for specific patterns defined by

regular expressions.

TIP: Open and examine an existing concept to understand its construction.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Select Add Concept from the Actions menu.

NOTE: DLP Manager can manage up to 512 concepts. 

3. Type in a name (uppercase only).

4. Type in a description (optional).


5. If you want to discourage false positives, select an algorithm that is associated with the regular expression you

will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and

results that do not match exactly will be discarded.

Example:

If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm

will ignore the pattern and replace it with the correct sequence.

6. Select a category for the expression (optional).

TIP: Later you might want to use a package of related concepts in a query to expedite the search process.

7. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.

8. Click Import Expressions to load in the expressions from the file you selected.

TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to

your desktop. You can debug them in a text editor, then re-import them.

9. If you don't have a document to upload, use text and regular expressions to build one or more expressions,

starting with Expression 0.

TIP: Add additional expressions by clicking the green plus icon.

10. Click Validate, then enter the expression and a sample of a string it should match.

11. Click Validate in the dialog box, then check the Matches String box to get a true or false result.

12. Set conditions for the concept, if needed.

13. Click Save.

NOTE:When creating concepts that have multiple words, you must escape spaces between words with a

backslash (for example, hello\_world).

Other metacharacters and ASCII characters (such as &#x0020; &#x0009; &#x000C; &#x200B for space, tab,

form feed, zero-width space) can also be used to define concept expressions.

TIP: Add a template using your custom concept. This will save you keystrokes when searching, creating rules,

and building capture filters.

Adding network concepts

Use a network concept to find spiders, robots, crawlers, types of webmail, browser versions, and operating systems.

1. Open a browser and post to the problem website.

2. Use a packet analyzer like Wireshark on your system to locate the type of traffic you are looking for. For example, you might focus on a GET instruction.

3. Right-click on the instruction in the TCP stream and copy the string.

4. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.


5. Select Add Concept from the Actions menu.

6. Open Advanced at the bottom of the page and select the Network Type radio button.

7. Type in a name (uppercase only) and description (optional).

8. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload. When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.

Example:

If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.

9. Select a category for the expression (optional).

TIP: Later you may want to use a package of related concepts in a query to expedite the search process.

10. Paste the string from the TCP stream into an Expression field.

NOTE: Escape all metacharacters with a backslash to ensure literal interpretation. For example, www\.deadspin\.com.

11. Click Validate, then enter the expression and a sample of a string it should match.

12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.

13. Set conditions for the concept, if needed.

14. Click Save.

Adding session concepts

Use a session concept to inspect all communications between two parties when a pattern is matched. Because the session layer is monitored, you will be able to find multiple objects contained in a single flow (for example, an email attachment as well as the mail body).

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Select Add Concept from the Actions menu.

3. Open Advanced at the bottom of the page and select the Session Type radio button.

4. Type in a name (uppercase only).

5. Type in a description (optional).

6. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.

Example:

If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.

7. Select a category for the expression (optional).


TIP: Later you may want to use a package of related concepts in a query to expedite the search process.

8. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.

9. Click Import Expressions to load in the expressions from the file you selected.

TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to your desktop. You can debug them in a text editor, then re-import them.

10. If you don't have a document to upload, use text and regular expressions to build one or more expressions, starting with Expression 0, on the fly.

TIP: Add additional expressions by clicking the green plus sign.

11. Click Validate, then enter the expression and a sample of a string it should match.

12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.

13. Set conditions for the concept, if needed.

14. Click Save.

NOTE: When creating concepts that have multiple words, you must escape spaces between words with a backslash (e.g., \_).

Setting concept conditions

Use this task to narrow the focus of any content, network or session concept. Matches are reported only if certain conditions are met.

NOTE: Only User-Defined or custom concepts accept conditions.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Click on a concept.

3. Open a component.

● Use the Count category to set a number of objects that must be found before a match is reported.

● Use the Percentage Match category to define a percentage of objects that must be found before a match is reported.

● Use the Number of lines from the beginning category to define the number of lines within which an object must be found (starting from the beginning of a captured object) before a match is reported.

● Use the Number of bytes from the beginning category to define the number of bytes within which an object must be found (starting from the beginning of a captured object) before a match is reported.

● Use the Proximity category to define the relative proximity to a specified byte of an object before a match is reported.

NOTE: Imposing multiple conditions could cause conflicts. Consider carefully what the conditions will do before setting them.


6. Use the Condition, Value and Expressions fields to set the parameters of a condition.

7. Use the Advanced component to change the concept type only if the conditions you have set will apply to a different type of concept.

8. Click Save.
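As an added illustration, not from the guide, here is how the Count, Number of lines from the beginning and Number of bytes from the beginning conditions can be modelled against a captured object in Python. The semantics (a hit qualifies only if it starts inside every configured window, and Count is applied to the qualifying hits) and the sample object are assumptions; Percentage Match and Proximity are left out because the guide does not define their reference points.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConceptConditions:
    """Assumed model of three of the guide's condition categories.

    None means the condition is not set.
    """
    count: Optional[int] = None      # Count: at least this many qualifying hits
    max_lines: Optional[int] = None  # Number of lines from the beginning
    max_bytes: Optional[int] = None  # Number of bytes from the beginning


def qualifying_hits(captured: bytes, expressions: List[bytes],
                    cond: ConceptConditions) -> List[int]:
    """Byte offsets of expression hits that start inside every configured window.

    Windows are measured from the beginning of the captured object, as the
    guide describes for the lines-from-beginning and bytes-from-beginning
    categories.
    """
    offsets: List[int] = []
    for expr in expressions:
        for m in re.finditer(expr, captured):
            start = m.start()
            if cond.max_bytes is not None and start >= cond.max_bytes:
                continue
            # A hit on the Nth line has N-1 newlines before it.
            if cond.max_lines is not None and \
                    captured[:start].count(b"\n") >= cond.max_lines:
                continue
            offsets.append(start)
    return sorted(offsets)


def concept_matches(captured: bytes, expressions: List[bytes],
                    cond: ConceptConditions) -> bool:
    """Report a match only when enough hits (Count, default 1) satisfy the windows."""
    needed = cond.count if cond.count is not None else 1
    return len(qualifying_hits(captured, expressions, cond)) >= needed


# Constructed captured object (not from the guide): a small mail message whose
# body carries three SSN-shaped strings at byte offsets 59, 95 and 119.
SAMPLE_OBJECT = (
    b"From: alice@example.com\r\n"
    b"Subject: quarterly numbers\r\n"
    b"\r\n"
    b"SSN 123-45-6789 for payroll\r\n"
    b"second SSN 987-65-4321\r\n"
    b"footer SSN 111-22-3333\r\n"
)
SSN_EXPRESSIONS = [rb"\d{3}-\d{2}-\d{4}"]  # assumed concept expression

if __name__ == "__main__":
    c = ConceptConditions
    print(qualifying_hits(SAMPLE_OBJECT, SSN_EXPRESSIONS, c()))                 # [59, 95, 119]
    print(concept_matches(SAMPLE_OBJECT, SSN_EXPRESSIONS, c(count=4)))          # False
    print(concept_matches(SAMPLE_OBJECT, SSN_EXPRESSIONS, c(max_lines=4)))      # True
    print(concept_matches(SAMPLE_OBJECT, SSN_EXPRESSIONS,
                          c(max_bytes=100, count=3)))                           # False
```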

Applying concepts to rules

Use this task to apply a content concept to a rule. Whenever the rule runs, the pattern identified in the concept will find matches in captured data.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Open a related policy and click on a rule.

3. If you want the rule to run independently of its policy, set its Inherit State to Disabled.

TIP: This is especially useful for trying out rules before they are implemented with the other rules in the policy.

3. Open the Content category.

4. Select Concept from the first menu.

5. Select is any of from the second menu.

6. Click "?" .

7. Select one or more concept categories from the popup menu.

TIP: Open a concept category to select one or more concepts in the category.

8. Click Apply.

9. Click Save.

10. Wait for the rule to run, then go to Incidents to view the result.

TIP: If you can't find a relevant incident, group by policy and rule to filter results. You can set up an action rule to notify you when there is a hit.

Using regular expressions in concepts

When you build concepts using regular expressions, use only the syntax supported by DLP.


Expression   Definition

\n           line feed
\r           carriage return
\f           form feed
\b           backspace
\a           bell
\t           tab
\k           disables Perl/POSIX set range restrictions
\K           enables Perl/POSIX set range restrictions
\0xN         the hex ASCII character equivalent to N
\nnn         the octal character of value nnn
\d           digit 0-9
\D           not digit 0-9
\c           any alpha A-Z or a-z
\C           not any alpha A-Z or a-z
\w           any alphanumeric (\c or \d)
\W           not alphanumeric (^\w)
\s           any space [\ \f \n \r \t]
\S           not any space (^\s)
\p           any space or field delimiter [\ -\\ :-@ \[-‘ {-~ ]
\P           not any space or field delimiter (^\p)
\i           case sensitivity off
\I           case sensitivity on
[…]          character sets, e.g. [3-6a-c] = 3,4,5,6,a,b,c
x-y          character ranges, e.g. T-X = T,U,V,W,X
^            invert, e.g. ^\0x0 is all characters except NULL
\            literal backslash (transforms metacharacters into ordinary characters). Examples: \\ \. \& \[ \] \<space> \* \+

Restoring factory concepts

If you have accidentally written over an original concept, use this task to restore it to its original state.

NOTE: Only the original list of concepts under the User-Defined tab can be restored. Custom concepts cannot be recovered. Concepts listed under the Factory Default tab cannot be edited, so they need not be restored.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Select one or more concepts.

3. Select Restore Default from the Actions menu.

Editing concepts

Use this task to modify the parameters of a concept.

For example, you might want to remove one of the expressions used in a content concept if it generates false positive results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Click a concept.

3. Modify one or more parameters.

4. Click Save.

Deleting concepts

Use this task to delete more than one concept.

NOTE: Factory Default templates cannot be deleted.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.

2. Select one or more concept checkboxes.

3. Select Delete from the Actions menu.

Using templates

How templates are used

Templates contain collections of elements that save time when searching, creating rules, or building capture filters. They eliminate the need to enter the same values repetitively.

For example, when you search for data containing source code of any type, you might use the Source Code template. Similarly, to find data containing images, you might use the Common Image Files template.

TIP: You can use any of the standard templates, or you can add your own custom templates to the list under Policies | Templates.

Adding templates

Use this task to add a template to save time on repetitive or complex searches.

TIP: You can use a template to create a name for a range of IP addresses so you can refer to them as a group.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.

2. Select Add Template from the Actions menu.


3. Type in a name.

4. Type in a description (optional).

5. Open Construction.

6. Select an element from the first menu.

7. Select a condition from the second menu.

8. Click "?". If no popup menu launches, type a string into the values field.

9. Click Save.

NOTE: When a template element is used in a search or rule, a list of available templates pops up from the "?" at the end of the values field. Each category may pop up a different set of templates, and more than one can be used at a time.

Viewing standard templates

All templates, including the ones you created and added to those included with the DLP devices, are listed on the Templates page. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.

TIP: Open any template to learn to construct one of your own.

Removing a template from a rule

Use this task to remove a template that has been applied to a rule or filter.

NOTE: This task does not remove the template. Templates that are attached to rules or capture filters cannot be removed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.

2. Click on the rule or filter to which it is attached.

3. Click on the red minus icon to remove the element containing the template.

4. Click Save.

TIP: To delete templates one by one, click the trash can icons.

Deleting templates

Use this task to delete templates one by one, or as a group.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.

2. Click the box of one or more templates.

3. Select Delete from the Actions menu.

4. Click Confirm or Cancel.

TIP: To delete templates one by one, click the trash can icons.


Using the case management system

How case management works

Assigning incidents with common attributes to a single case allows employees to collaborate to resolve them more quickly. Each staff member involved can focus on a single attribute to advance the resolution of the case.

For example, a case that contains emailed evidence might be assigned to members of a legal team, who might develop it so that it can be used in court. Each member of that team might add notes and citations, change status and priority, notify stakeholders, or redirect the case to another user who may be able to add information.

NOTE: Case dashboards display information based on organizational responsibilities. For example, Human Resources personnel might see Acceptable Use violations, but not SOX compliance issues.

Collecting credit card violations in a case

If credit card violations are being detected on a regular basis, start a case with the first few, then add others as they come in.

NOTE: A privacy policy must be installed to produce the credit card violations.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management and select one or more incidents.

2. From the Actions menu, select Assign to Case | New Case.

TIP: If a case has already been opened, select Existing Case.

3. Type a name into the Headline field.

4. Type in one or more Keywords.

5. Set an Owner for the case — for example, Compliance:group.

6. Set the Resolution status — for example, Under Investigation.

7. Select the Notify Owner checkbox (optional).

8. Select the Notify Submitter checkbox (optional).

9. Select a Status — for example, In Progress.

10. Select a Priority — for example, Urgent.

11. Add a note (optional) — for example, Visa and MasterCard numbers found.

12. Click Apply.

Adding a new case

Use this task to add a new case to contain incidents that have not been detected yet.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. From the Actions menu, select New.

3. Type in a Headline.


4. Select an Owner.

5. Select a Resolution state (optional).

6. Select a Status (optional).

7. Select a Priority (optional)

8. Type in one or more Keywords.

9. Check the Notify Submitter box (optional).

10. Check the Notify Owner box (optional).

11. Type in Notes (optional).

12. Click Apply.

NOTE: No more than 100 incidents can be added to a case at one time.

Using incidents to create a case

Use this task to create a case from one or more incidents.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Check one or more incident boxes.

NOTE: No more than 100 incidents can be added to a case at one time.

3. From the Actions menu, select Assign to Case | New Case.

4. Type in a Headline.

5. Select an Owner.

6. Select a Resolution state (optional).

7. Select a Status (optional).

8. Select a Priority (optional).

9. Type in Keywords.

10. Check the Notify Owner box (optional).

11. Check the Notify Submitter box (optional).

12. Type in Notes (optional).

13. Click Apply.

Adding incidents to an existing case

Use this task to add an incident to an existing case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.

2. Select one or more incidents.

3. From the Actions menu, select Assign to Case or Existing Case.

4. After completing the assignment, click on the Assign link of the case to view the case details.

TIP: If you cannot see the Assign link on the right, expand your dashboard.


5. Click Apply.

NOTE: No more than 100 incidents can be added to a case at one time.

Adding comments to a case

Use this task to add a comment to a case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select a case.

3. Click the Details icon.

4. Type text into Add Notes.

5. Click Apply.

Notifying users about a case

Use this task to send notification of an action taken to the submitter or owner of a case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Click the Details icon.

3. Check the Notify Submitter or Notify Owner boxes.

4. Click Apply.

Changing ownership of cases

Use this task to reassign the case to another user or group.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select the Details icon of the case.

3. From the Owner menu, select a new or existing user.

If the owner you want to select is not listed, add the new user or user group, then return to the case.

TIP: To notify the owner or originator by email, select the Notify Owner or Notify Submitter box.

4. Click Apply.

Changing resolution of cases

Use this task to change the state of resolution of a case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select the Details icon of the case.

3. From the Resolution menu, select a new status.

TIP: To notify the owner or originator by email, select the Notify Owner or Notify Submitter box.


4. Click Apply.

Changing status of cases

Use this task to change the status of a case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select the Details icon of the case.

3. From the Status menu, select a new status.

TIP: To notify the originator by email, select the Notify Submitter box.

4. Click Apply.

Customizing Case List columns

Use this task to add or remove Case List columns on the dashboard.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. From the Options menu, select Customize columns.

3. Use the Add and Remove buttons to move Available columns to the Selected box.

4. Use Move buttons to move Selected column headers up or down.

TIP: If you cannot see the Move buttons, expand your dashboard.

5. Click Apply.

Customizing case notifications

Use this task to set up notifications of changes in a case. For example, the case owner might set up a daily status update notification to himself and the submitter.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select one or more cases.

3. From the Options menu, select Customize Case Config.

4. Select checkboxes to automatically send email to the Submitter or Owner when the case is updated.

TIP: Set up a daily email reminder to those responsible for new or pending cases.

5. Select radio buttons to set a standard interval, or add items from the weekly and monthly menus to add more

specific parameters.

6. Click Save.

Exporting cases

Use this task to save a case to the Exported Cases list.


NOTE: Exported cases can be downloaded to local computers. There are no limits on the number of incidents that can be exported.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select one or more case checkboxes, or export a single case by clicking its Export icon.

TIP: Click the box in the column header to Select All cases.

3. From the Actions menu, select Export Selected Cases.

4. Click OK to verify export. The case will appear in the file list under Exported Cases.

5. Click on the exported case link to open or save it.

Managing case permissions

If you are an administrator, you can control access to cases so that they can be seen and processed only by authorized users.

NOTE: Users who create cases are automatically allocated all three permissions (Read, Write and Delete) — but if the case owner is changed, those permissions are lost.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Click the Details icon of the case.

3. Scroll down to the Options menu and select Permissions.

4. Select the Read, Write and Delete boxes corresponding to the assignment of the case to users and groups.

5. Click Apply.

NOTE: Global permissions that are set under DLP Sys Config | System | User Administration | Groups | Details | Task Permissions | Case Permissions take precedence over cases configured individually. If there is a conflict between permissions assigned under an individual case and those that are assigned globally, global group permissions take precedence.

Example:

If Lee has a need to know about a case and he has been given read access, case information might display on his DLP Homepage — but Apply, Save, Delete or Assign buttons will not display because he is not allowed to take those actions.

Example:

If Juan is given responsibility for a group of legal cases, an administrator might assign Read and Write but not Delete privileges. All menus and buttons except the Delete icon will be available to him.

NOTE: When Write permission is assigned, Read permission is implicit.

Reprioritizing cases

Use this task to reprioritize the severity of a case.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select the Details icon of the case.

3. From the Priority menu, select a new severity.

TIP: To notify the originator by email, select the Notify Submitter box.

4. Click Apply.

Deleting an incident from a case

Use this task to delete an incident from a case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Select the Details icon of the case.

3. Inside the case, select an incident box.

4. Select Delete from the Options menu.

TIP: If you cannot see the link, expand your dashboard.

5. Click Apply.

Deleting cases

Use this task to remove a case from the Case List.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.

2. Click the Delete icon.

TIP: If you cannot see the icon, expand your dashboard.

Managing DLP systems

Managing the system

All DLP setup, configuration and management tasks are handled by DLP Manager, which coordinates all DLP systems. Managed devices may include the DLP product appliances (Monitor, Discover, Prevent) and servers (DHCP, LDAP, NTP, DLP Host and syslog) that provide added functionality.

If you have the proper administrative permissions, you can monitor and manage your DLP systems from the System Administration dashboard.

Configuring DLP devices

Configuring DLP devices

Use this task to reconfigure any DLP device.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Click the configure link of the device to be configured.

3. Change parameters on the System Configuration page.

4. Click Update after each change is made.

TIP: If you are on a standalone appliance, you can click on Setup Wizard to review all settings. If the setup is not changed, you can select Cancel to leave the Setup Wizard and go directly to the dashboard.

Adding devices to DLP Manager

Use this task to add a DLP appliance. This process creates an SSH communication tunnel between DLP Manager and the DLP appliances.

CPU usage indicates that registration tasks are being performed. DLP Manager itself does not display any CPU activity, because it serves only as a collection point for the data; the other machines are capturing and indexing data, and their processor readings show the CPU utilization. It should not go over 70-80%.

On some networks you can choose a port configuration. The DLP appliance is a Gigabit network device, so bringing it down is possible.

NOTE: Adding a Network DLP appliance wipes the current configuration of that machine, but captured data, cases and incidents will not be lost. Unless you have previously deployed policies to All Devices, you will have to edit them to add the device.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Select New Device from the Actions menu.

3. Type in the IP address and password.

NOTE: The user account used for association is root. It is recommended that you change the root password on the appliance before adding it to NDLP Manager. If you change the IP address, the network service needs to be restarted. Stingray will automatically restart the box to register the change.

The Add Device page is also used to add a Host DLP server. Several fields are not available until the DLP Host Server box is checked.

4. Click Add.

5. Click OK to confirm or cancel registration.

6. Wait for the Status icon in the device list to turn green.

TIP: If registration seems to be taking a long time, try refreshing the page.

Adding Host DLP servers to DLP Manager

Use this task to add a DLP Host server to DLP Manager.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Check the DLP Host Server box.


3. Select a Host DLP Version.

NOTE: Version 3.0 is required to use Host and Network DLP separately in the ePO interface.

4. Type in the IP or host name and password.

5. Type in the database port, user, and database names.

6. Type in the ePO database, IP address, user name and password, and port.

7. Click Add.

8. Click OK to confirm or cancel registration.

9. Wait for the Status icon to turn green.

TIP: If registration seems to be taking a long time, try refreshing the page.

ePO installation issues

In this release, Host and Network DLP are integrated in an ePO 4.5 framework or in a Linux-based configuration. For more information, download the McAfee Installation Guide for DLP 9.0 on ePO 4.5 from the ServicePortal.

NOTE: If the ePO 4.5 server loses connection to the database, you cannot use https://servername:port/core/config to reconnect the ePO 4.5 server to the database. Refer to KB66320 in the McAfee Knowledgebase for more information.

Changing link speed

If DLP is installed on a network that supports devices that have specific speed and duplexing requirements, DLP Monitor might not be able to auto-negotiate traffic to capture interfaces. Use this task to change link speed to accommodate existing hardware.

NOTE: Depending on your network configuration, you might have to replace your standard Ethernet cable with one that is appropriate for your network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Select a device from the list.

3. Click on the Configure link.

4. Select link speeds for each capture interface from the Speed and Duplex menus.

5. Click Update. A notification message will launch to verify the change.

Managing disk space

The Reconnex file system (RFS) divides the DLP Monitor disk into partitions.

● Capture partitions hold all the content captured, which is organized by type.

● Non-Capture partitions contain the operating system and the results partitions (A-Z), which fill sequentially.


Use this task to get a complete report of disk space, including information about partitions and volumes.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Select the More link of the device.

3. Under Utilities | Application Information, click on Disk Usage.

NOTE: Space-based wiping is the default policy. It erases the earliest results after 80% of the disk is used. When that threshold is reached, the system erases data to the 70% watermark.

Backing up DLP systems

Use this task to create a backup archive to ensure that configuration files, users, logs and cases are not lost during system operations.

TIP: Back up whenever there is a change in content or configuration. After 30 days or 150,000 incidents, the oldest incidents are lost, and if a managed mode device is deregistered, all incidents are lost.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Backup.

2. Type in the Remote Host Name of an external storage device.

NOTE: Only Linux devices are supported. Microsoft Windows computers have not been tested.

1. Type in the user name and password required to log on to that machine.

2. Browse to the directory that will receive the backup.

3. Select the Port to be used to connect to the remote host.

4. Click Backup.

NOTE: The local archive filename will be made up of a date and backup number (for example, 20091030-1346). But on the Remote Host and other DLP devices, the filename will also include the FQHN (fully-qualified host name) and device type (inSight = Manager, iGuard = Monitor), followed by date_backup#.tar.

Example

abc-123.lab.company.net-inSight-20091030-1346.tar

TIP: Refresh the File List and select the archive with the latest date and highest backup number. You will be able to verify the build number after extraction.

Archive contents

● Active configuration files (policies, rules, action rules, concepts, templates, network and content capture filters, DHCP settings, schedules, task definitions and credentials)

● Local and Active Directory users

● Network settings

● User Action Logs

● Cases


Depending on the volume of data to be backed up, processing time might be lengthy. When the process is complete, email is sent to the address in the user's profile, and the file list is populated with the name of the new archive.

Restarting DLP systems

Use this task to restart, shut down or reboot any of the McAfee Network DLP appliances or services.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Select More for the device you want to restart or shut down.

3. Scroll down to the bottom of the Utilities window.

4. Select the appropriate link.

Deregistering devices from DLP

If you have to re-synchronize a timed-out system, overwrite an older configuration, or register a device to a different DLP Manager, you might have to use this task to deregister a device.

NOTE: If the device is to be reconfigured as a standalone system, you must reinstall it.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.

2. Select More.

3. Scroll down and select Deregister Device.

4. Click confirm or cancel.

NOTE: Because the messaging service must be restarted whenever a device is deregistered, you might get a login error message like "could not connect to service" before you can log in again. If so, the messaging service will generally be back up in 1-3 minutes.

5. Confirm that the deregistered device has been removed from the list.

Adding servers to DLP systems

Configuring servers with DLP systems

DLP systems support several different types of servers that extend their functionality. Enterprise DLP configurations usually have DHCP, DNS and LDAP (Active Directory) services configured, as well as connections to mail, NTP and syslog servers. McAfee Logon Collector must also be installed if Active Directory servers are to be supported.

These connections can be made from the DLP Manager interface, or from the DLP ePO frame-in. If the applications are set up to work through ePO, Host DLP and McAfee Agent will also have to be installed.

● Adding a DHCP server supports accurate resolution of the sources and destinations of network transmissions.


● Adding an LDAP server supports integration with existing user systems, enables notification of users, and

authenticates user accounts. DLP supports Microsoft Active Directory LDAP services.

● McAfee Logon Collector can be configured with DLP Manager to resolve user identities by retrieving

collections of user account information from all Active Directory servers that have been added to the DLP

system.

● Adding a Host DLP server supports integration with ePO.

● Syslog servers receive DLP error messages.

● NTP servers make it possible to synchronize DLP systems.

Setting up DHCP services

Using DHCP servers with DLP

DLP systems can accurately resolve the sources and destination of network transmissions by

using DHCP services. A DHCP server must be added to the system to provide those services.

NOTE: Senders and receivers can be easily identified if they have static IP addresses, but dynamic addresses

are more commonly used. Because they change frequently, it is often difficult to pinpoint the sources and

destinations of transmissions.

The DHCP server automatically assigns an IP address from an appropriate pool of addresses to

the clients connecting to the network. DLP then retrieves the DHCP server's log files, parses them and

loads the lease records, so that each address can be resolved to the host name that held it at the time

of the transmission.

Adding DHCP servers

Use this task to set up DLP to get location information about incidents that have been flagged by

the DLP capture database.

NOTE: DHCP servers are used by most ISPs to assign dynamic addresses to the hosts they administer.

Because dynamic addresses expire at specified times, hosts using them can be tracked only through DHCP

server records.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers.

2. From the Actions menu, select Add DHCP.

3. Type in a name for the server. Typing in a description is optional.

4. Select the Server Type. Internet Systems Consortium, Solaris and Microsoft Windows types are supported.

5. Select an Access Mode to retrieve directory information, get and put log files, and perform related transfer

tasks. The access mode determines the method of transfer.

NOTE: SMBClient access mode is supported only for Windows Server.

6. Type in the IP address, domain name, user name, and password to log on to the server.

7. Type in the Folder name, if needed.

8. Add the File Pattern that matches the names of the DHCP server's log files.

NOTE: The DHCP log file name depends on the DHCP server operating system. DhcpSrvLog* matches the Windows

daily log files. Use dhcpd* for ISC and Solaris DHCP logs (dhcpd.leases).

Only files matching this pattern are retrieved and parsed.

For the SMB client, 'mget DhcpSrvLog*' can be used from the SMB prompt to fetch Windows files such as

DhcpSrvLog-Wed.log or DhcpSrvLog-Sun.log. For SCP or SFTP, use /var/state/dhcp/dhcpd.leases or

/var/state/dhcp/dhcpd* (newer ISC installations usually keep the file under /var/lib/dhcp/ or /var/lib/dhcpd/ instead).

9. Set a Lease expiration interval to determine when IP addresses will be reassigned.

The interval must be set because some DHCP servers (Windows) do not put the expiration time in the logs.

10. Set the Frequency to indicate how often the server should be polled to pull down new information.

11. Check the boxes of devices to be connected to the DHCP server.

12. Click Save.
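The following Python script is an added example, not part of this guide or of the McAfee product. It shows how lease records from the two log formats named above can be turned into the kind of IP-to-host lookup described here, honouring a Lease expiration interval for Windows records (which carry no expiry) and the explicit start/end times that ISC writes. The DhcpSrvLog rows, the dhcpd.leases excerpt, the host names and addresses are constructed sample data; the 8-hour interval, the US date layout of the Windows log and the naive (time-zone-free) timestamps are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (not from the guide). Windows DhcpSrvLog-*.log rows look like
# "ID,Date,Time,Description,IP Address,Host Name,MAC Address,..."; event 10 = lease
# assigned, 11 = renewed, 12 = released. No expiry time is logged, hence the interval.
WINDOWS_DHCP_LOG = """\
Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,07/07/10,15:30:02,Assign,172.16.0.51,WS-ALICE.example.net,001122334455
11,07/07/10,15:32:10,Renew,172.16.0.51,WS-ALICE.example.net,001122334455
12,07/07/10,16:00:00,Release,172.16.0.51,WS-ALICE.example.net,001122334455
10,07/07/10,16:05:44,Assign,172.16.0.51,LAPTOP-BOB.example.net,66778899AABB
"""

# Constructed dhcpd.leases excerpt: ISC writes explicit starts/ends (UTC) per lease,
# so no interval is needed; "ends never" marks a permanent lease.
ISC_DHCPD_LEASES = """\
lease 172.16.0.77 {
  starts 3 2010/07/07 15:20:00;
  ends 3 2010/07/07 19:20:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-carol";
}
lease 172.16.0.78 {
  starts 3 2010/07/07 15:25:00;
  ends never;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "printer-1";
}
"""


@dataclass
class Lease:
    ip: str
    host: str
    start: datetime   # inclusive
    end: datetime     # exclusive


def _close_open_leases(leases, ip, ts):
    """A release, renewal or re-assignment ends whatever lease on `ip` is still open at `ts`."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            lease.end = ts


def parse_windows_dhcp_log(text, lease_interval):
    """Parse DhcpSrvLog rows; assumes the US MM/DD/YY date layout (the real log is locale-dependent)."""
    leases = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 6 or not parts[0].isdigit():
            continue                                    # banner and column-header lines
        event, date, clock, _desc, ip, host = parts[:6]
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S")
        if event in ("10", "11"):
            _close_open_leases(leases, ip, ts)
            leases.append(Lease(ip, host.lower(), ts, ts + lease_interval))
        elif event == "12":
            _close_open_leases(leases, ip, ts)
    return leases


LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATEMENT = re.compile(r"^\s*([\w-]+)\s+(.*?);\s*$", re.M)


def _isc_time(value):
    """'3 2010/07/07 15:20:00' (weekday first) or 'never'."""
    if value == "never":
        return datetime.max
    return datetime.strptime(value.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S")


def parse_isc_leases(text):
    leases = []
    for ip, body in LEASE_BLOCK.findall(text):
        stmts = dict(STATEMENT.findall(body))
        host = stmts.get("client-hostname", "").strip('"').lower() or None
        leases.append(Lease(ip, host, _isc_time(stmts["starts"]), _isc_time(stmts["ends"])))
    return leases


def resolve(leases, ip, when):
    """Host that held `ip` at ISO timestamp `when` (same clock as the logs), or None.
    When leases overlap, the most recently started one wins."""
    at = datetime.fromisoformat(when)
    hits = [l for l in leases if l.ip == ip and l.start <= at < l.end]
    return max(hits, key=lambda l: l.start).host if hits else None


def build_sample_table(lease_interval=timedelta(hours=8)):
    """Combined lookup table; the 8-hour interval stands in for the Lease expiration interval setting."""
    return parse_windows_dhcp_log(WINDOWS_DHCP_LOG, lease_interval) + parse_isc_leases(ISC_DHCPD_LEASES)


if __name__ == "__main__":
    table = build_sample_table()
    for ip, when in [("172.16.0.51", "2010-07-07 15:45:00"), ("172.16.0.51", "2010-07-07 17:00:00")]:
        print(ip, when, "->", resolve(table, ip, when))
```

The point of the interval is visible in the Windows data: the address 172.16.0.51 is released at 16:00 and handed to a different host five minutes later, so a lookup that ignored release events or used a lease window longer than the real one would attribute the later traffic to the wrong machine. Windows logs local time and ISC logs UTC, so a real deployment has to normalise both to the appliance clock before comparing.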

Setting up directory services

Using LDAP servers with DLP

DLP products use Lightweight Directory Access Protocol services to integrate with existing user

systems, authenticate user accounts, extend notification to users by role, and support other

objects that might be imported from an LDAP server.

DLP supports Microsoft Active Directory LDAP services. Importing multiple user accounts is a

common task that is made possible by adding an Active Directory server to DLP Manager. If

customized attributes are added to the directory database, the information in those fields will

automatically populate the default user fields on the DLP dashboards.

Adding Active Directory servers

Use this task to add a Microsoft Active Directory (LDAP) server to DLP.

NOTE: The server must be configured before adding users to the system.

Sample Configuration

LDAP Label: myserver

Domain:

Authorization Server abc.example.net

Server Port 389

Timeout (sec) 3

Retries (sec) 3

LoginID Attribute samaccountname

Login DN admin or username

Password ******

Confirm Password ******

Base DN dc=example,dc=net

Limit Search Results to 20


NOTE: Although more than one LDAP server can be added from the user interface, multiple LDAP servers

require ip2user mapping, which is not currently supported.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Directory Services.

2. Select Create Directory Server from the Actions menu.

3. Type in a label to identify the LDAP server.

4. Type in the domain of the LDAP server (optional).

NOTE: If you use this option, you must log in with an administrative account on the LDAP server. The system will

then query DNS to find the domain controller for the Active Directory domain.

5. If you are not using the LDAP domain server name, type in the name or IP address of the authorization server.

If you are using SSL to encrypt the connection, you must enter the FQDN cited in the uploaded certificate (see

below).

NOTE: Unlike the LDAP server domain name, you can use any valid account that has permission to read from

the LDAP server (an administrative account is not necessary). If you have already entered the domain name of

the LDAP server in the previous step, any information you enter here will be ignored.

6. Type in the port to be used for the connection.

7. Set intervals for connection timeouts and retries (in seconds).

8. Type in the LoginID attribute. Use samaccountname to retrieve user names from the server.

9. Type in the user name. Use an administrative account whose password does not expire to maintain the

connection, but a non-administrative account name is acceptable when using an authorization server.

10. Identify the local domain components (for example, dc=mydomain,dc=com).

11. Type in the number of records you want to retrieve at one time. Before entering a value higher than 10, consult

the administrator of the Active Directory server to find out how many records can be served per request.

12. Check the SSL box to encrypt the connection and enable LDAP over SSL (LDAPS).

NOTE: A secure connection is not required, but is strongly recommended. Either accept any available

certificate or upload a specific one. Accepting any certificate encrypts the connection but does not

verify that the appliance is talking to the intended directory server, so upload the CA certificate

wherever possible. If you upload a certificate, you must find the FQDN of the authorization server in the

certificate file by logging in to the back end of the DLP appliance and running the following command

(add -inform DER if the file was exported in DER format):

# openssl x509 -noout -in <filename>.cer -subject

The FQDN is returned in reverse order:

subject= /DC=net/DC=reconnex/CN=tyche

Read from right to left to get the name of the authorization server:

tyche.reconnex.net

13. Type the name into the authorization server name field.

14. Select a Scope to set the directory depth to be accessed on the server.

15. Click Apply.
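As an added example (not part of this guide or of the DLP product), the following Python function performs the right-to-left reading of the subject line for both the slash-separated form shown above and the comma-separated form that OpenSSL 1.1 and later print by default, and checks the name typed into the authorization server field against the result. The sample subject lines are constructed; the helper names are the author's own.

```python
def fqdn_from_subject(subject_line):
    """Build the authorization server FQDN from `openssl x509 -noout -subject` output.

    Accepts the slash form printed by OpenSSL 1.0 and earlier
    ("subject= /DC=net/DC=reconnex/CN=tyche") and the comma form printed by
    OpenSSL 1.1 and later ("subject=DC = net, DC = reconnex, CN = tyche").
    Values that themselves contain an escaped ',' or '/' are not handled.
    """
    if "=" not in subject_line:
        raise ValueError("not an openssl -subject line")
    body = subject_line.split("=", 1)[1].strip()      # drop the leading 'subject='
    if body.startswith("/"):
        pieces = body.strip("/").split("/")
    else:
        pieces = body.split(",")
    rdns = []
    for piece in pieces:
        if "=" in piece:
            key, value = piece.split("=", 1)
            rdns.append((key.strip().upper(), value.strip()))
    cns = [v for k, v in rdns if k == "CN"]
    dcs = [v for k, v in rdns if k == "DC"]
    if not cns:
        raise ValueError("certificate subject has no CN")
    if not dcs:
        return cns[-1]          # CN already carries the host name, e.g. CN=ldap.example.net
    # Domain components are listed top-level first, so reverse them and prepend the CN.
    return ".".join([cns[-1]] + list(reversed(dcs)))


def hostname_matches(configured_name, cert_fqdn):
    """The authorization server field must carry this exact name: DNS names compare
    case-insensitively and a trailing dot is ignored, but an IP address never matches."""
    def norm(s):
        return s.strip().rstrip(".").lower()
    return norm(configured_name) == norm(cert_fqdn)


if __name__ == "__main__":
    for line in ("subject= /DC=net/DC=reconnex/CN=tyche",
                 "subject=DC = net, DC = reconnex, CN = tyche"):
        print(line, "->", fqdn_from_subject(line))
```

Two checks worth making before relying on the subject alone: a server certificate issued by a modern CA usually carries its host names in the Subject Alternative Name extension rather than the CN, which you can inspect with openssl x509 -noout -text -in <filename>.cer under "X509v3 Subject Alternative Name"; and if the exported file is DER-encoded, both commands need -inform DER.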


Adding LDAP Users

Use this task to add users after an LDAP server has been added to DLP Manager.

NOTE: LDAP users must be assigned to existing groups. If you have not yet decided on a user group design,

review user group management.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Actions |

Create LDAP User.

2. Select the LDAP host.

3. Retrieve one or more users using one of the following techniques.

● Enter an asterisk (*) to retrieve a list of all users on the server and select a radio button.

● Type in a known Login ID or user name.

● Use an asterisk (*) as a metacharacter to retrieve related users (for example, R* or *st*).

NOTE: User names containing special characters cannot be retrieved.

4. Click Find.

5. Click a radio button to select a user.

6. Select one or more groups from the Available groups for the new user and click Add.

7. Click Apply.

NOTE: User permissions are assigned by membership in a user group. When permissions have been changed

by addition or subtraction of membership in a group, users must log in again for the change to register.

8. Go to Incidents | My Views | Actions | Copy View to Users to copy over views available to new users.

9. Check the boxes of all views the new user should be able to see.

10. Pull down the Actions menu.

11. Select Copy View to Users.

12. Select one or more checkboxes of users who should see the selected views.

13. Click Apply.

To make changes to the user's status later, go to System | User Administration | Users and select the Detail

icon of the user. For example, you can use the Action menu to Disable or Delete the user.
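The asterisk patterns above are LDAP substring searches, and the "special characters" that cannot be retrieved are the ones RFC 4515 reserves inside a search filter. The following Python helper is an added example, not DLP Manager's own code (the guide does not show the filter it sends); it assumes the lookup is a search on the LoginID attribute under objectClass=user and shows how a user-typed pattern is escaped so that only the asterisk acts as a wildcard and nothing else can change the filter's structure.

```python
# Characters RFC 4515 requires to be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value, keep_wildcard=False):
    """Escape one assertion value. With keep_wildcard=True a '*' typed by the user stays a
    wildcard, which is what the '*', 'R*' and '*st*' searches rely on; everything else
    that could alter the filter is encoded."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append("*")
        else:
            out.append(_FILTER_ESCAPES.get(ch, ch))
    return "".join(out)


def user_search_filter(pattern, login_attr="sAMAccountName"):
    """Filter for the user lookup (assumed shape: a user-class search on the LoginID attribute)."""
    if not pattern:
        raise ValueError("empty search pattern")
    return f"(&(objectClass=user)({login_attr}={escape_filter_value(pattern, keep_wildcard=True)}))"


if __name__ == "__main__":
    for p in ("*", "R*", "*st*", "*)(memberOf=*"):
        print(repr(p), "->", user_search_filter(p))
```

The last sample pattern shows why the escaping matters: pasted into a filter unescaped, "*)(memberOf=*" would close the sAMAccountName assertion and add a clause of the attacker's choosing; escaped, the parentheses become \29 and \28 and the search simply finds no such login ID.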

Configuring Active Directory servers for DLP

The rwl_client.exe logon client, run from a Group Policy logon script, reports each Windows logon to DLP so

that directory-service identities can be tied to the addresses seen on the network. Use this task to provide

basic LDAP functions to DLP systems.

1. Log on to DLP Manager.

2. Get the integration files by typing the zip file location into the address bar.

https://<DLP_address>/activedir/ADintegration.zip.

3. Save the zip file to your desktop.


NOTE: The rwl_client.exe file in this zip file has been changed in the 9.0 release. If you already have it

installed on an 8.6 appliance, you must reinstall it.

4. Extract the two files from the archive to your desktop.

5. On the Microsoft Windows server desktop, go to Start | Administrative Tools | Active Directory Users and

Computers.

6. Right-click the domain name (reconnex.net in this example) in the navigation bar.

7. Go to Properties | Group Policy | Default Domain Policy.

8. Select Edit.

9. Under User Configuration, click on Windows Settings | Scripts | Logon.

10. On the Scripts tab, click Show Files.

11. Drag the rwl_client.exe and logon.bat from your desktop to the Group Policy Object Editor window.

12. Right-click the logon.bat file.

13. Select Edit and Run.

14. After rwl_client.exe, type in the IP address of the DLP Manager or Monitor (if you are on a standalone

machine).

Example

REM Substitute the following 'hostname.example.org' argument
REM with the hostname or IP address of your Monitor
rwl_client.exe iGuardHostname.reconnex.net

When the batch file gets executed, DLP Monitor is notified that a user has logged in.

15. Save.

16. Close the window containing the rwl_client.exe and logon.bat files.

17. Click OK on the Scripts tab of the Logon Properties dialog box.

18. Close the Group Policy Object Editor window.

19. Click OK on the Group Policy tab of the reconnex.net Properties dialog box.

20. Close the Active Directory Users and Computers window.

The next step is to add the server to DLP Manager.

Exporting certificates from Active Directory

Use this task to get a certificate from a Microsoft Active Directory server, export it, and add it in

the DLP Manager interface. This process supports encryption of an LDAP connection.

By default, LDAP traffic is transmitted unsecured, but using secure LDAP over SSL technology encrypts the

connection.

1. Log in as either a member of the local Administrator security group for standalone computers, or as a member

of the Domain Administrator security group for any computers that are connected to the domain.

2. Export the CA certificate from the Microsoft Windows server that hosts the Certificate Authority which

issued the Microsoft Active Directory server's certificate.


a. Click Start | Administrative Tools | Certificate Authority to launch the Microsoft Management Console.

b. Select the CA machine.

c. Right-click and select Properties.

d. From the Generalmenu, click View Certificate.

e. Select the Details view.

f. Click the Copy to File button on the lower right corner of the window.

g. Use the Certificate Export Wizard to save the CA certificate in a file.

NOTE: Save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509

format.

3. Verify that SSL is enabled on the Microsoft Active Directory server (Microsoft Windows 2000 or Microsoft

Windows 2003).

a. Ensure that Windows 2000 Support Tools (Windows Support Tools on Microsoft Windows 2003) is

installed on the Microsoft Active Directory machine.

b. Find the suptools.msi setup program in the \Support\Tools\ directory on your Microsoft Windows CD.

c. Start the ldp tool.

For Microsoft Windows 2000 systems, go to Start | Windows 2000 Support Tools | Tools | Active Directory

Administration Tool. For Windows 2003, go to Start | Windows Support Tools | Tools | Command Prompt.

4. Select Connection | Connect from the ldp window.

5. Type in the host name and port number (secure port 636 is required).

If the connection is successful, a window will be displayed listing information related to the Microsoft Active

Directory SSL connection. If it is unsuccessful, restart your system and repeat the procedure.

How ADAM servers extend DLP Manager

DLP products now enable retrieval of information from Microsoft Active Directory Application

Mode servers. ADAM allows DLP to access objects in customized database schemas by

modifying its default attribute mappings to recognize the names of equivalent fields.

Use of a Certificate Authority supports secure transmissions through LDAPS or HTTPS. Verification can be

disabled by selecting Accept Any Certificate when adding the server, but that leaves the connection encrypted

yet unauthenticated: anything able to intercept the traffic could present its own certificate and impersonate

the directory server.

NOTE: Whenever SSL communication is requested, the host name must be the server's fully qualified name as it

appears in the certificate. An IP address will not match the certificate and the connection will fail.

Mapping LDAP directory attributes

Use this task to map the customized user attributes of an LDAP directory server to the Network

DLP defaults.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | Directory

Services.

2. Click on Edit.


3. Type the new attribute names into the Directory Server Mapping Attributes fields.

4. Click Apply.

Default Attribute Mappings

UserName=cn

UserID=sAMAccountName

UserTitle=title

UserCompany=company

UserDepartment=department

UserCity=givenName

UserZipcode=postalCode

UserCountry=countryCode

UserManager=manager

UserGroups=memberOf

UserEmail=proxyAddresses

NOTE: When an incident is reported to the dashboard, user attribute columns will contain the information found

in the corresponding fields on the existing LDAP server. Check the defaults against your schema before relying

on them: for example, the default UserCity mapping is givenName, which in Active Directory holds a user's first

name, not a city (the Active Directory locality attribute is l).

Setting up McAfee Logon Collector

Using McAfee Logon Collector with DLP

Before MLC can be used with DLP, an Active Directory server must be added to DLP Manager.

Then secure communications must be established between DLP and MLC.

Use the following tasks in this sequence to complete the SSL connections.

1. Export a certificate from MLC.

2. Import the MLC certificate into DLP Manager.

3. Export a certificate from DLP.

4. Import the DLP certificate into MLC.

5. Restart MLC.

After these steps are complete, secure communications between DLP and MLC are enabled,

and data on Active Directory servers is available for searching and rule construction.

Authenticating DLP Manager and MLC

Use this task to connect DLP to a McAfee Logon Collector so that certificates can be exchanged,

authenticating each to the other.

When the process is complete, an SSL connection will be set up between them.

1. Open a web browser and log in to the MLC.

2. In ePolicy Orchestrator, go to Menu | Configuration | Server Settings | Identity Replication Certificate.


3. Scroll to the bottom of the page.

4. Highlight and copy all text in the Base 64 field.

5. Open a web browser and log in to the DLP Manager.

6. Go to System | Directory Services.

7. Select Add a McAfee Logon Collector from the Actions menu.

8. Type in the IP address of the MLC.

9. Click the paste radio button and paste the text into the box.

TIP: Save this Base 64 data to a text file on your desktop so you can re-use it.

10. Click Apply.

11. Click Export to save the Network DLP certificate to your desktop.

12. Open a web browser and type in the address of the McAfee Logon Collector.

13. Go to Menu | Configuration | Trusted CA.

14. Click New Authority.

15. Browse to the netdlp_certificate.cer file you saved to your desktop.

16. Click Open.

17. Click Save. This adds the DLP Manager to MLC.

18. Open a Remote Desktop session on the MLC server.

19. Shut down and restart the MLC server.

The connection is now complete.

Setting up syslog and time servers

Using syslog and time servers with DLP

You will need an NTP server on your network to synchronize the DLP devices and servers. A

syslog server is not required and needs no setup on the DLP side, but it can be useful for managing the

system.

Connecting to syslog servers

If a syslog server is installed on the network, DLP automatically sends messages about

significant events in the following format. The health of the box as well as the rule hits are

automatically transferred to the syslog server.

Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-test-rule1|3|cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount src=51.0.16.172 dst=53.0.16.172 spt=5281 dpt=25 suser= duser= cs2="testing" cs2Label=Subject filename="specscdrom.pdf"


Message Structure and Format

Date: Date and time the event was logged

HostName: Name or IP address of the machine that logged the event

Component: Component or process that generated the alert

Format: Format version of the syslog output

Device Vendor: Vendor name

Device Product: Manager, Monitor, Discover or Prevent

Device Version: Product version

Rule: Search rule

Severity: Numeric severity (Critical, High, Medium, Low, Informational)

Policy (cs1): Policy name

Policy label (cs1Label): Type of object

Match Count (cn1): Matches found

Match Count label (cn1Label): Type of object

Source IP (src): Source IP address

Destination IP (dst): Destination IP address

Source Port (spt): Source port

Destination Port (dpt): Destination port

Source user name (suser): Source user name

Destination user name (duser): Destination user name

Email subject (cs2, cs2Label): Email subject

File name (filename): File name
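The following Python parser is an added example, not part of this guide or of the product. It splits the syslog line shown above into the fields listed in the table, pairing each cs/cn extension with its Label so that the policy name, match count and subject come back under their own names, which is what a SIEM rule or a detection script would key on. The sample line is the guide's example with its spacing restored; the six-field header layout follows the table rather than the seven-field header of standard CEF, which is an assumption about this product's output.

```python
import re

# The guide's sample line with its spacing restored (values are the guide's, not live data).
SAMPLE_LINE = (
    "Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-test-rule1|3|"
    "cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount "
    "src=51.0.16.172 dst=53.0.16.172 spt=5281 dpt=25 suser= duser= "
    'cs2="testing" cs2Label=Subject filename="specscdrom.pdf"'
)

SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<component>\w+):(?P<cef>CEF:.*)$"
)
# Header layout as the guide's table lists it: six pipe-delimited fields before the
# extension (standard CEF has a separate Signature ID and Name; this is an assumption).
HEADER_FIELDS = ("format", "vendor", "product", "version", "rule", "severity")
# key=value pairs; a value runs until the next " key=" token or end of line, so a value
# that itself contains " word=" is ambiguous, as it is for any CEF consumer.
EXT_RE = re.compile(r"([A-Za-z0-9_]+)=(.*?)(?=\s+[A-Za-z0-9_]+=|$)")


def split_unescaped(text, sep):
    """Split on `sep` unless it is backslash-escaped (CEF escapes '|' and backslash in the header)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dlp_syslog(line):
    """Return the syslog envelope, the CEF header and the extension keyed by its Label names."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a DLP syslog/CEF line")
    fields = split_unescaped(m.group("cef"), "|")
    if len(fields) < len(HEADER_FIELDS) + 1:
        raise ValueError("CEF header too short")
    header = dict(zip(HEADER_FIELDS, fields[:len(HEADER_FIELDS)]))
    header["format"] = header["format"][len("CEF:"):]
    header["severity"] = int(header["severity"])
    extension_text = "|".join(fields[len(HEADER_FIELDS):])   # a '|' in the extension is literal
    raw = {}
    for key, value in EXT_RE.findall(extension_text):
        value = value.strip().replace("\\=", "=").replace("\\\\", "\\")
        raw[key] = value.strip('"')
    named = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue                       # consumed as the name of its partner field
        named[raw.get(key + "Label", key)] = value
    return {
        "timestamp": m.group("date"),
        "host": m.group("host"),
        "component": m.group("component"),
        **header,
        "extension": named,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_dlp_syslog(SAMPLE_LINE), indent=2))
```

Two details matter in practice: the empty suser= and duser= fields are preserved as empty strings rather than dropped, so a rule that alerts on "rule hit with no identified user" can test for them, and the syslog timestamp carries no year or time zone, so correlation across devices depends on the NTP synchronization described above.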

NOTE: Syslog servers are automatically recognized if they reside on the same network as DLP devices; no

special connection is needed.

Correcting system time in the interface

If an error message is displayed when logging in, you might be able to use this task to re-

synchronize DLP appliances with the server.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click on the configure link for

the local system.

2. On the System Configuration page, scroll down to Time Configuration.

3. Select the Manual radio button.

4. Enter the correct time and date.

5. Select Update.


6. Click Logout.

7. Click Login.

If this doesn't work, log in to the back end as root and reset the time from the DLP Monitor command line.

Resetting system time manually

Use this task to stop the NTP service before resetting the time manually, and to restart it afterwards. If

ntpd is left running while you set the clock, it may adjust the time again on its own.

1. Stop the NTP daemon and keep it from starting at boot.

# service ntpd stop

# chkconfig --level 2345 ntpd off

2. Set the time (see Synchronizing DLP devices), then restart the NTP daemon and re-enable it at boot.

# service ntpd start

# chkconfig --level 2345 ntpd on

The service command controls the service while the system is running; the chkconfig commands control

whether it starts at boot time.

Synchronizing DLP devices

If you get a system time error when attempting to log in to the user interface, use this task to re-

synchronize DLP device time with your desktop.

1. Open the Microsoft Windows date/time display.

2. Adjust local time to Greenwich Mean Time.

3. Log on to DLP Monitor and use the date --utc command to enter the corrected date and time.

# date --utc MMDDhhmmCCYY

4. Use the GMT setting to provide the correct time.

# date --utc 080216492009

5. Watch the clock on the date/time display and press enter to send the command when the two times sync up.

6. Type in the hardware time command.

# hwclock -w

7. Type in the date command.

# date

8. If the date is correct, reset Stingray.

# service stingray reset

9. Find and kill the current process.

# ps -ef | grep java


# kill -9 <process id number>

10. Log in to DLP Monitor again as root.

11. Restart Stingray and reboot the machine.

# service stingray restart

# reboot

12. Log in to the web browser. The user interface should launch normally.

13. Return the Microsoft Windows clock setting to the correct time zone.

Managing users and groups

Setting up users and groups

McAfee DLP is designed to use role-based access control (RBAC), which makes it possible to give users different levels of

permissions depending on their roles in the organization.

User accounts are dependent on the groups to which they belong. Users may be created locally,

or an Active Directory server may be used to import existing accounts.

TIP: Before creating a new user group scheme, review the task and policy permissions of the pre-configured

user groups. Clone or reconfigure them as templates to design a user system that will fit your existing

organization.

Administrative Example

A CSO of a large company might log in as primary user and create administrative groups with

specific sets of rights to manage the DLP Manager. These groups might include the following:

● System Administrators

● Network Administrators

● Installation and Setup Administrators

● Policy Administrators

Each administrator might then create Forensics and Analyst groups for users who report to them.

Organizational Example

The primary DLP administrator might decide that user groups should reflect user roles in existing

departments. New groups like the following might be created to reflect the current organization of

the company.

● Engineering Group

● Manufacturing Group

● Marketing Group

● Sales Group


In this example, the rights assigned to each of these groups match departmental tasks and

responsibilities.

Managing user groups

Working with user groups

DLP User Administration matches the rights of individual users to their roles, which are defined

by user group permissions. In ePolicy Orchestrator, go to Menu | Data Loss Prevention |

DLP Sys Config | User Administration | Groups to add, delete, and assign group privileges.

NOTE: Click on the Details icon of any user or group to review task and policy permissions. You must have

administrative permission to assign them.

Using pre-configured user groups

Pre-configured groups provide useful templates for user group design. DLP systems include

eight customizable users and user groups that correspond to common organizational roles.

In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User

Administration | Groups to view pre-configured user groups.

NOTE: Click on the Details icon of any user or group to review task and policy permissions. You must have

administrative permission to modify them.

Adding user groups

Use this task to add a user group. You must be an administrator to do this.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.

2. Select Create New Group from the Actions menu.

3. Type in the name and description (optional) of the new group.

4. Type in an email address.

5. Select users in the Available Users box.

6. Click Add to move them to the Current Members pane.

7. Click Apply.

TIP: Alternatively, you can create a group first, then add users and assign them to the group.

8. Click on the Task Permissions tab.

9. Open the Permissions groups and select one or more checkboxes.

10. Click Apply.

11. Click on the Policy Permissions tab.

12. Open the Policies group and select one or more checkboxes.

13. Click Apply.

TIP: Check View and Execute for all policies.

NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.


Restricting user groups

Use this task to add restrictions to user groups. For example, you might create a view only group

for users who do not act on incidents.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.

2. Click the Details icon.

3. Click the Task Permissions or Policy Permissions tab.

4. Open a Permissions group.

5. Select one or more checkboxes.

6. Click Apply.

7. Repeat until all permissions are set.

8. Click Apply.

TIP: Clear the top Delete checkbox under Policy Permissions to keep users from deleting policies.

Deleting user groups

Use this task to delete a user group. You must be an administrator to do this.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.

2. Click on the Details link of the group you want to delete.

3. Select Delete from the Actions menu.

4. Click Go.

5. Confirm or cancel.

Managing users

Working with users

DLP User Administration matches the rights of individual users to their roles, which are defined

by user group permissions.

Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users to view

existing users.

TIP: Click on the Details icon of any user or group to review task and policy permissions.

NOTE: Administrative permission is required to add, delete or disable users.

Adding users

Use this task to add users.

1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users | Actions | Create Local

User.

TIP: You can add multiple users by importing them from an LDAP server.


2. Type in the user's login ID, name, email address and password.

3. Select an Available group to which you want the user to belong.

4. Click Add to move it to Current group membership.

5. Repeat until the user is a member of all appropriate groups.

6. Click Apply.

NOTE: If the user doesn't fit logically into the available groups, you must add a new group.

Using pre-configured user types

Pre-configured users provide useful templates for user account design. DLP systems include

eight customizable users and user groups that correspond to common organizational roles.

All pre-configured user groups are listed on the System | User Administration | Groups page.

Administrative permission is required to add or delete them.

TIP: Click on the Details icon of any user or group to review task and policy permissions.

Changing passwords and profiles

Use this task to make changes in your user profile.

1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users.

2. Select the Details icon for the account to be changed.

3. In the User Information dialog box, type in the old password and confirm the new one.

4. Click Update.

Creating an ePO database user

ePO is a Windows server, and DLP Manager is a Linux system that does not support Windows-

based authentication of users. For this reason, you must create an ePO database user to

establish a connection between DLP and ePO systems.

This task is just one aspect of establishing that connection. Consult Installing Host and Network

DLP 9.0 on ePO for more information.

Using a primary administrator account

The primary administrator account is owned by the initial user of the DLP system.

TIP: Create an equivalent administrative user immediately after logging on to preserve the integrity of the

default account.

Primary administrators have complete access to all task and policy permissions and are

responsible for creating users and custom user groups. However, the primary administrator can

assign that task to other administrators.

If you need primary administrator permission to log in, contact McAfee Technical Support.


Viewing active user sessions

Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config| Live Users to view

active user sessions.

Only administrators can view and manage Live User sessions. Click on the Session ID link of a user to see

what actions have been taken.

TIP: Select Clear All from the Filter by... pane to view all the actions that can be reported.

Setting permissions

Assigning permissions

Use this task to assign permissions to users. Only administrators can assign permissions, and if

group permissions are modified, all its members will have to log out and re-login.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.

2. Select the Details icon of a group.

3. Select the Task Permissions or Policy Permissions tab.

4. Open a Permissions group.

5. Select one or more checkboxes.

6. Click Apply.

7. Repeat until all permissions are set.

8. Click Apply.

NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.

Checking permissions

All rights are inherited from group affiliation, so users must know their group affiliations to check

permissions. Only administrators can assign permissions.

Use this task to check permissions. This procedure will work only if an administrator has given

the user's group permission to view permissions.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Users.

2. Select the Detail icon of the user.

3. Make a note of Current group membership.

4. Go to System | User Administration | Groups.

5. Select the Detail icon of the group.

6. Select the Task or Policy Permissions tab.

7. Open a Permissions group.

8. Review the checked boxes.

9. Repeat until all permissions are viewed.

10. Click Cancel.


Setting policy permissions

Users who are tasked with ensuring compliance with company policies might be given view, edit and execute

permission for policies like Acceptable Use, Human Resources, and Suspicious Activity. Similarly, users

responsible for implementation of regulatory issues might have view and execute permission for policies like

SOX Compliance, State Privacy Laws, PCI and GLBA Compliance.

Use this task to assign policy permissions to a user group.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.

2. Select the Detail icon of the group.

3. Select the Policy Permissions tab.

4. Open Policies.

5. Select or clear the View, Edit, Execute or Delete boxes.

6. Click Apply.

NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.

Setting task permissions

For example, users who are tasked with Discover scanning repositories might have Select All boxes selected

under Document Registration and Discover Scan Permissions. Similarly, users who process incidents and

cases might have checkboxes under Case and Incident Permissions selected.

Use this task to assign task permissions to a user group.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.

2. Select the Detail icon of the group.

3. Select the Task Permissions tab.

4. Open a Permissions group.

5. Select or clear the relevant checkboxes.

6. Click Apply.

NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.

Managing user accounts

Working with user accounts

With this release, security is enhanced by the addition of customized login and password

settings.

Type in alphanumeric entries in the values fields to configure password settings and select from

the drop-down lists to enable lockout.

Customizing login settings

Use this task to discourage unauthorized logins.

NOTE: Lockout is disabled by default.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User

Settings.

2. Check the Enable Lockout box.

3. Enter login parameters in the Login Settings dialog box.

When a user exceeds the maximum number of attempts, the system no longer responds to that user's login attempts.

When automatic lockout is set, the session times out for the number of minutes specified.

4. Click Submit.

Customizing password settings

Use this task to force users to create more secure passwords.

NOTE: You must have administrative permissions to change password settings.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User

Settings.

2. Enter password parameters in the Password Settings dialog box.

When a user creates a password, the requirements will be displayed.

3. Click Submit.
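The two settings pages above describe a lockout threshold with a timed lockout period and a set of password requirements shown to the user. The following Python is an added example of that logic and is not code from the guide or from the product; the threshold values, the password rules, the user names and the use of a minute counter as the clock are all assumptions.

```python
"""Login lockout and password-requirement checks modelled on the User Settings
options described above. Constructed example: the thresholds, the password
rules and the user names are assumptions, not the product's defaults."""
from dataclasses import dataclass, field
import re


@dataclass
class LoginSettings:
    enable_lockout: bool = True   # the "Enable Lockout" box; the product default is off
    max_attempts: int = 3         # assumed value for the maximum number of attempts
    lockout_minutes: int = 15     # assumed value for the lockout period


@dataclass
class PasswordSettings:
    # Assumed rules; the product's dialog takes alphanumeric values for its own fields.
    min_length: int = 8
    require_digit: bool = True
    require_upper: bool = True
    require_special: bool = True


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per user and stops responding once the
    maximum is exceeded, for the configured number of minutes.
    Times are minutes on a monotonic clock (an assumption for the example)."""
    settings: LoginSettings
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> minute the lockout ends

    def is_locked(self, user: str, now_min: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now_min >= until:
            # Lockout expired: clear the state so the user gets a fresh attempt budget.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now_min: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. A locked user gets 'locked' even
        with the right password: the system no longer responds to that user."""
        if self.is_locked(user, now_min):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # a successful login resets the counter
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if self.settings.enable_lockout and count > self.settings.max_attempts:
            self.locked_until[user] = now_min + self.settings.lockout_minutes
            return "locked"
        return "failed"


def run_scenario(settings: LoginSettings, attempts) -> list:
    """attempts: iterable of (minute, user, password_ok); returns the outcomes in order."""
    tracker = LockoutTracker(settings)
    return [tracker.attempt(user, ok, minute) for minute, user, ok in attempts]


def password_problems(password: str, rules: PasswordSettings) -> list:
    """Returns the requirements a candidate password does not meet (empty when it
    is acceptable); this is the list a user would be shown when creating one."""
    problems = []
    if len(password) < rules.min_length:
        problems.append(f"at least {rules.min_length} characters")
    if rules.require_digit and not re.search(r"\d", password):
        problems.append("at least one digit")
    if rules.require_upper and not re.search(r"[A-Z]", password):
        problems.append("at least one uppercase letter")
    if rules.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("at least one special character")
    return problems


if __name__ == "__main__":
    # Constructed scenario: four failures in a row, then correct passwords during and after the lockout.
    scenario = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
                (3, "alice", False), (8, "alice", True), (18, "alice", True)]
    print(run_scenario(LoginSettings(), scenario))
    print(password_problems("abc", PasswordSettings()))
```

The lockout is keyed per user, so one user's failures never lock another, and the counter is cleared both on a successful login and when a lockout expires; with Enable Lockout cleared the tracker only ever reports "failed" and "ok".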

Configuring failover accounts

Failover accounts are disabled by default because failover accounts allow backdoor access to DLP Monitor.

The link between DLP Manager and Monitor is open, and the default failover account could be used to log on

to Monitor.

The username and password for the failover account are the same as that of the primary administrator. Use this

task to disallow failover logins.

1. Go to DLP Sys Config | User Administration | Failover Account.

2. Type in a username and password for the account.

3. Select Off from the Allow Login menu.

4. Click Update.

If an attempt is made to log in, an error message is displayed indicating that the capability has

been turned off.

Auditing users

Using audit services

The user audit log records all user activity on DLP systems. Users who have administrative

permissions can monitor them.

Re-order the audit log elements by clicking the column headers, or use the Filter by feature in

the navigation bar to sort the results for greater readability.

Filtering audit logs

Use this task to find out who has logged into DLP Monitors and what actions have been taken.


For example, if you suspect a system problem was caused by a single user or action, checking

entries at the time the problem appeared might reveal its source.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit

Logs.

2. Pull down the Timestamp menu under Filter by... .

3. Select a period of interest.

4. Click plus to add a filtering category.

5. Pull down the Filter by... menu and select Device to sort by DLP system.

6. Select equals or not equal from the second pull-down menu.

7. Click "?" to launch a pop-up with the names of the available DLP devices.

Alternatively, you can type in the host name of the machine (listed in the Device column).

8. Repeat the action for any of the other elements listed in the log.

9. Click Apply.

10. Review the log information.

11. Correct or reverse the action.

NOTE: Clear All before creating another filter.

Getting audit log reports

Use this task to get a CSV report of an audit log.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit

Logs.

2. Select Export as CSV from the Actions menu.

3. Open or save the log using the existing tools in your browser.

NOTE: If Microsoft Excel is installed and you select Open, the CSV report opens in a

spreadsheet.

Filtering audit log reports

Use this task to filter audit log entries.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit

Logs.

2. Determine which cell in the audit log table will act as the primary key.

3. Click on the cell to automatically create a filter in the Filter by... pane.

The dashboard data will immediately change to reflect your selection.

NOTE: Clear All before creating another filter.

Auditing live users

The Live Users feature records all activity in all live sessions. Click the Session ID to launch

the user audit log.


Re-order the audit log elements by clicking the column headers, or use the Filter by feature in

the navigation bar to sort the results for greater readability.

Sorting audit log reports

Use this task to sort audit log entries.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit

Logs.

2. Determine which column will act as the primary key.

3. Click a column header to rearrange the log entries.

NOTE: Actions are reported chronologically, so the Timestamp column cannot be sorted by clicking the header.
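The three audit-log tasks above (filtering by a Timestamp period and by Device equals / not equal, exporting as CSV, and sorting by a column header) amount to a small query over a table of entries. The following Python is an added example of that logic and is not the product's code; the log entries, the column set, the device names and the timestamp format are constructed for the example.

```python
"""Filter, sort and export audit-log entries the way the Audit Logs page's
Filter by..., column-header and Export as CSV controls do. Constructed
example: the entries, column names and device names are assumptions."""
import csv
import io
from datetime import datetime

COLUMNS = ["Timestamp", "User", "Device", "Action"]   # assumed column set

# Constructed sample entries, already in chronological order as the product reports them.
AUDIT_LOG = [
    {"Timestamp": "2010-03-01 09:12:00", "User": "admin",  "Device": "dlpmon-01", "Action": "Login"},
    {"Timestamp": "2010-03-01 09:15:00", "User": "admin",  "Device": "dlpmon-01", "Action": "Edit capture filter"},
    {"Timestamp": "2010-03-01 10:02:00", "User": "jsmith", "Device": "dlpmon-02", "Action": "Login"},
    {"Timestamp": "2010-03-01 10:30:00", "User": "jsmith", "Device": "dlpmon-02", "Action": "Delete policy"},
    {"Timestamp": "2010-03-01 11:45:00", "User": "admin",  "Device": "dlpmgr",    "Action": "Logout"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def filter_entries(entries, period=None, **conditions):
    """period: (start, end) as 'YYYY-MM-DD HH:MM:SS' strings, inclusive.
    conditions: column=("equals" | "not equal", value); every condition must
    hold, like the filter rows added with the plus button."""
    for operator, _ in conditions.values():
        if operator not in ("equals", "not equal"):
            raise ValueError(f"unsupported operator: {operator}")
    out = []
    for entry in entries:
        if period is not None:
            start, end = parse_ts(period[0]), parse_ts(period[1])
            if not start <= parse_ts(entry["Timestamp"]) <= end:
                continue
        keep = True
        for column, (operator, value) in conditions.items():
            equal = entry[column] == value
            if (operator == "equals" and not equal) or (operator == "not equal" and equal):
                keep = False
                break
        if keep:
            out.append(entry)
    return out


def sort_entries(entries, column: str):
    """Re-orders by one column, as clicking its header does. Timestamp is refused
    because entries are already chronological (see the NOTE above)."""
    if column == "Timestamp":
        raise ValueError("entries are already chronological; Timestamp is not a sort key")
    if column not in COLUMNS:
        raise KeyError(column)
    # sorted() is stable, so entries with equal keys keep their chronological order.
    return sorted(entries, key=lambda e: e[column])


def export_csv(entries) -> str:
    """Serialises entries with a header row, as Export as CSV does."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


if __name__ == "__main__":
    # Who did what on the second Monitor between 10:00 and 11:00?
    hits = filter_entries(AUDIT_LOG,
                          period=("2010-03-01 10:00:00", "2010-03-01 11:00:00"),
                          Device=("equals", "dlpmon-02"))
    print(export_csv(hits))
```

Because conditions are combined with AND, a "not equal" on Device plus a period is the usual shape for the troubleshooting case in the text: narrow to the minutes around the problem, then exclude the systems you have already ruled out.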

Using capture filters

Working with capture filters

DLP Monitor capture engine captures all network traffic. The indexer captures and identifies all

TCP/IP traffic, breaking it down into content types. Anything that cannot be identified is tagged

Unknown Protocol.

Because all content is indexed, a capture filter can be used to filter out large portions of network

traffic that do not need to be analyzed by the capture engine.

Filtering network data can cut down on the vast amounts of data captured and analyzed, so it is

important to tune the system using capture filters when it is set up.

This not only improves performance, but makes it easier to expose only the most significant data

for investigation.

NOTE: Under certain circumstances, capture filters can also be used to store critical sessions and application-

level data.

Types of capture filters

Capture filter types are determined by the layer of the OSI model that is recognized and stored

by the capture database.

● Content capture filters reveal significant data types and improve performance by eliminating selected

portions of Flow A (Layer 1) traffic.

● Network capture filters reveal significant data streams and improve performance by eliminating large

portions of Transport (Layer 4) traffic, usually in a specific sequence.

Types of capture filter actions

Content and network capture filters allow different types of user actions.


● Content capture filter actions keep certain types of traffic from being recognized by the capture engine.

● Network capture filter actions ignore specific components of network traffic or store data that is

transmitted via certain protocols.

How content capture filters work

Standard content capture filters included with DLP systems reveal significant data types and

improve performance by eliminating selected portions of Flow A (Layer 1) traffic.

NOTE: Unlike network capture filters, content capture filters can be applied to the network data stream in any

order.

Standard Content Capture Filters

Ignore binary: Excludes all binary files

Ignore BMP and GIF images: Excludes images in BMP and GIF formats

Ignore crypto: Excludes encrypted data

Ignore HTTP Gzip responses: Keeps compressed files from being opened more than once (excludes HTTP Gzip responses)

Ignore HTTP headers: Excludes HTTP headers

Ignore P2P: Excludes all peer-to-peer traffic

Ignore small JPG images: Excludes insignificant images (JPG images smaller than 4 MB)

Ignore flow headers: Excludes flow headers

Content capture filter actions

Content capture filter actions may drop elements or sessions, or store only metadata.

Drop Element

For example, if your network has a large cache of video files that you know are not a security threat because you

have controlled them with configuration management software, you can set up a filter that drops these secure files,

saving time and resources for analysis of data at risk.

Drop Sessions

For example, if your employees are authorized to send or receive any SMTP content that is processed by your

company's mail server, you can drop those communications.

Drop elements and store metadata only

For example, if you want to know what kind of data is moving through the network data stream without storing its

content, storing metadata allows you to keep incidental information (like the source and destination of the data,

data types being transmitted, and protocols being used to transmit it).

Adding content capture filters

Use this task to design and add a content capture filter.

For example, suppose you want to create a filter to ignore all traffic to and from your web server that contains

RTSP files. This would eliminate a significant portion of network activity, making it easier to focus on other types

of traffic that you suspect might be compromised.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Go to System | Capture Filters.

3. Click Create Content Filter.

4. Type in a name and description.

5. Select Ignore or Store from the Action menu.

In this case, you want to ignore RTSP files.

6. Select the DLP Monitor on which you want to install the filter.

If you want to deploy a capture filter at a later time, select the None checkbox under Devices.

7. Open Protocol.

8. Select Protocol from the Element menu.

9. Click "?".

10. Select RTSP from the popup menu.

11. Click Apply.

12. Click Save.

TIP: Add more elements to focus the concept, like size of the files, date and time transmitted, and source and

destination of the traffic.
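The content capture filter sections above describe three actions (drop element, drop session, and drop elements but store metadata only), a standard filter that drops JPG images under 4 MB, and the worked case of ignoring RTSP. The following Python is an added example of how those actions combine over captured elements; it is not the product's code, and the element records, the MIME-style content types and the filter definitions are constructed assumptions (reading "Ignore" on the RTSP protocol element as dropping the whole session is also an assumption).

```python
"""Content capture filter actions (drop element, drop session, store metadata
only) applied to constructed captured elements. Constructed example: the
element records, content types and filter definitions are assumptions; the
4 MB JPG threshold and the RTSP case come from the text above."""
from dataclasses import dataclass
from typing import Callable, List

MB = 1024 * 1024


@dataclass
class Element:
    session: str        # the session (flow) the element was reassembled from
    protocol: str
    content_type: str
    size_bytes: int
    data: bytes


@dataclass
class ContentFilter:
    name: str
    action: str         # "drop_element", "drop_session" or "metadata_only"
    match: Callable[[Element], bool]


# Assumed filter set modelled on the standard filters and the examples above.
FILTERS = [
    ContentFilter("Ignore small JPG images", "drop_element",
                  lambda e: e.content_type == "image/jpeg" and e.size_bytes < 4 * MB),
    ContentFilter("Ignore binary", "drop_element",
                  lambda e: e.content_type == "application/octet-stream"),
    # "Ignore" on the RTSP protocol element, read here as dropping the whole session.
    ContentFilter("Ignore RTSP", "drop_session", lambda e: e.protocol == "RTSP"),
    # Configuration-managed video: record what moved, not the content itself.
    ContentFilter("Video metadata only", "metadata_only",
                  lambda e: e.content_type.startswith("video/")),
]


def apply_content_filters(elements: List[Element], filters: List[ContentFilter]) -> list:
    """Returns the records the capture engine would store. Each decision is a
    union over all matching filters, so the result does not depend on filter
    order (the NOTE above says content filters can be applied in any order)."""
    dropped_sessions = {e.session for e in elements
                        for f in filters if f.action == "drop_session" and f.match(e)}
    stored = []
    for e in elements:
        if e.session in dropped_sessions:
            continue
        if any(f.action == "drop_element" and f.match(e) for f in filters):
            continue
        record = {"session": e.session, "protocol": e.protocol,
                  "content_type": e.content_type, "size": e.size_bytes}
        if not any(f.action == "metadata_only" and f.match(e) for f in filters):
            record["data"] = e.data      # full content kept for analysis
        stored.append(record)
    return stored


# Constructed capture: an HTTP page with a thumbnail, an RTSP session, a video
# download over HTTP and an SMTP message with a binary attachment.
SAMPLE_ELEMENTS = [
    Element("s1", "HTTP", "image/jpeg", 200 * 1024, b"\xff\xd8 thumbnail bytes"),
    Element("s1", "HTTP", "text/html", 5 * 1024, b"<html>quarterly numbers</html>"),
    Element("s2", "RTSP", "video/mp4", 50 * MB, b"stream bytes"),
    Element("s2", "RTSP", "text/plain", 300, b"DESCRIBE rtsp://media.example/clip"),
    Element("s3", "HTTP", "video/mp4", 30 * MB, b"training video bytes"),
    Element("s4", "SMTP", "application/octet-stream", 2 * MB, b"PK attachment bytes"),
    Element("s4", "SMTP", "text/plain", 900, b"see attached"),
]

if __name__ == "__main__":
    for record in apply_content_filters(SAMPLE_ELEMENTS, FILTERS):
        print(record["session"], record["content_type"], "data" in record)
```

Note the difference in scope: a drop-element filter removes only the matching element (the HTML page in session s1 is still stored after its thumbnail is dropped), while a drop-session filter removes every element of the session, including a plain-text element that no filter matches on its own.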

How network capture filters work

Standard network capture filters included with DLP systems reveal significant data streams and

improve performance by eliminating large portions of Transport (Layer 4) traffic, usually in a

specific sequence.

For example, most businesses are interested in monitoring traffic carried to or from external IP addresses.

When the RFC 1918 filter is active, IP addresses set aside by IANA for internal use can be excluded from

analysis by the capture engine.


Standard Network Capture Filters

Ignore RFC1918: Excludes traffic routed to 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255

Ignore HTTP Responses: Excludes program output sent from a server after receiving and interpreting an HTTP request

Ignore unknown: Excludes traffic using unknown protocols

Ignore SMB: Excludes Session Message Block and Microsoft Basic Input/Output System (NetBIOS) traffic

Ignore SSH: Excludes secure shell traffic

Ignore POP: Excludes Post Office Protocol 3 traffic

Ignore IMAP: Excludes Internet Message Access Protocol traffic

Ignore HTTPS: Excludes secure Hypertext Transport Protocol traffic

Ignore LDAP: Excludes Lightweight Directory Access Protocol traffic

Ignore NTLM: Excludes Microsoft New Technology Local Area Network Manager traffic

BASE: Base Configuration filter (opens the system for storage of incoming data)

Network capture filter actions

Network capture filter actions may ignore or store network data depending on port or protocol

used.

Ignore

For example, you can ignore all web traffic by using HTTP filters, or eliminate authorized email by ignoring traffic

using port 25 (SMTP).

Store

For example, you can store chat traffic by creating a filter that identifies and keeps data transmitted using the

AOL_Chat, MSN_Chat, or Yahoo_Chat protocols.

Ignoring or storing IP addresses

Use this task to search for individual IP addresses, a range of addresses, or addresses on

a subnet.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Click Content or Network filter.


3. Open Source/Destination.

4. Select IP Address.

5. Select source or destination.

6. Enter IP addresses in the value field.

7. Click Search.

Example

192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25

Adding network capture filters

Use this task to add a network capture filter. Designing one requires experimentation, but taking

the time to streamline the capture process can save a lot of processing time.

TIP: Before creating a network capture filter, open the All category in the Network Filter dialog box. This action

either captures or cuts off all traffic, depending on the capture action you select, so that you can observe a

limited pool of data before deciding what to filter.

NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its

priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data

stream, it must always run last.

1. Make a list of the sessions you want the capture engine to store or ignore.

2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

3. Select Create Network Filter.

4. Name and describe the filter.

5. Select the devices for deployment.

If you want to deploy a capture filter at a later time, select the None checkbox under Devices.

6. Select a capture action.

7. Configure the Source/Destination, Protocol, and Date/Time components to define the sessions to be stored

or ignored by the capture filter.

8. Click Save.

9. Use the Priority icons to change the order in which filters will be run.

10. Test the filter and modify it, if necessary.

TIP: When establishing a sequence for applying network capture filters to the network data stream, remember

that changing the order of a single filter might skew your results.

Reprioritizing network capture filters

Use this task to reprioritize network capture filters that modify others. Place filters that define the

largest portions of traffic at or near the top of the list to improve processing time.


NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its

priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data

stream, it must always run last.

For example, if you add a filter to ignore all traffic to and from ports 80 and 453, the capture engine would

ignore all HTTP and HTTPS traffic.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Click Create Network Filter and define its parameters.

The new filter is added to the bottom of the Network Filters list.

3. Use the UP arrow in the Priority column to move it up to the correct position.

4. Click Apply.

TIP: Move the new filter up until it is in a position to filter out more traffic than the filters below it, but less than

those above it.
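The network capture filter sections above (the IP address value format in "Ignoring or storing IP addresses", the Ignore and Store actions by protocol or port, the RFC 1918 filter, and the priority rule that the BASE filter must run last) describe an ordered chain in which the first matching filter decides a session's fate. The following Python is an added example of that chain and is not the product's code; the flows, the "external" documentation-range addresses, the filter order, and the reading of Ignore RFC1918 as internal-to-internal traffic are assumptions, while the RFC 1918 ranges, the standard filter names and the address example come from the text.

```python
"""Ordered network capture filter chain: the first filter that matches a
session decides whether it is ignored or stored, and BASE runs last to store
whatever was not dropped. Also parses the IP Address value field format from
the example above. Constructed example: flows, filter order and the
"external" addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_ip_spec(spec: str) -> List[Tuple[int, int]]:
    """Parses 'a.b.c.d, a.b.c.d-e.f.g.h, a.b.c.d/nn' into (low, high) integer pairs."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            low, high = item.split("-", 1)
            pair = (int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high)))
        elif "/" in item:
            net = ipaddress.ip_network(item, strict=False)   # host bits allowed, as in the example
            pair = (int(net.network_address), int(net.broadcast_address))
        else:
            addr = int(ipaddress.ip_address(item))
            pair = (addr, addr)
        if pair[0] > pair[1]:
            raise ValueError(f"range is reversed: {item}")
        ranges.append(pair)
    return ranges


def ip_in_spec(ip: str, ranges: List[Tuple[int, int]]) -> bool:
    n = int(ipaddress.ip_address(ip))
    return any(low <= n <= high for low, high in ranges)


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: str


@dataclass
class NetworkFilter:
    name: str
    action: str                                   # "ignore" or "store"
    src: Optional[List[Tuple[int, int]]] = None   # None means any
    dst: Optional[List[Tuple[int, int]]] = None
    protocols: Optional[Set[str]] = None
    ports: Optional[Set[int]] = None

    def matches(self, flow: Flow) -> bool:
        # Every configured component (Source/Destination, Protocol, port) must match.
        return ((self.src is None or ip_in_spec(flow.src, self.src))
                and (self.dst is None or ip_in_spec(flow.dst, self.dst))
                and (self.protocols is None or flow.protocol in self.protocols)
                and (self.ports is None or flow.dst_port in self.ports))


RFC1918 = parse_ip_spec("10.0.0.0-10.255.255.255,172.16.0.0-172.31.255.255,192.168.0.0-192.168.255.255")

STORE_CHAT = NetworkFilter("Store chat", "store", protocols={"AOL_Chat", "MSN_Chat", "Yahoo_Chat"})
# Read here as internal-to-internal traffic (both ends in RFC 1918 space); an assumption.
IGNORE_RFC1918 = NetworkFilter("Ignore RFC1918", "ignore", src=RFC1918, dst=RFC1918)
IGNORE_SMTP = NetworkFilter("Ignore SMTP", "ignore", ports={25})
IGNORE_HTTP = NetworkFilter("Ignore HTTP", "ignore", ports={80})
BASE = NetworkFilter("BASE", "store")

DEFAULT_CHAIN = [STORE_CHAT, IGNORE_RFC1918, IGNORE_SMTP, IGNORE_HTTP, BASE]


def run_chain(flows: Dict[str, Flow], chain: List[NetworkFilter]) -> Dict[str, Tuple[str, str]]:
    """Maps each flow id to (deciding filter, action). Refuses a chain whose
    last filter is not BASE, since BASE must always run last."""
    if not chain or chain[-1].name != "BASE":
        raise ValueError("the BASE filter must be the last in the chain")
    decisions = {}
    for flow_id, flow in flows.items():
        for f in chain:
            if f.matches(flow):
                decisions[flow_id] = (f.name, f.action)
                break
    return decisions


# Constructed flows; 203.0.113.0/24 is documentation address space, used here as "external".
SAMPLE_FLOWS = {
    "smb-internal":  Flow("10.0.5.7", "10.0.9.3", 445, "SMB"),
    "mail-out":      Flow("10.0.5.7", "203.0.113.10", 25, "SMTP"),
    "web-out":       Flow("10.0.5.7", "203.0.113.20", 80, "HTTP"),
    "chat-internal": Flow("10.0.5.7", "10.0.9.3", 5190, "AOL_Chat"),
    "ftp-out":       Flow("10.0.5.7", "203.0.113.30", 21, "FTP"),
    "tls-out":       Flow("192.168.2.100", "203.0.113.40", 443, "HTTPS"),
}

if __name__ == "__main__":
    for flow_id, decision in run_chain(SAMPLE_FLOWS, DEFAULT_CHAIN).items():
        print(flow_id, decision)
```

Swapping the first two filters shows why the TIP above warns about moving a single filter: with Ignore RFC1918 ahead of Store chat, the internal chat session is dropped before the store filter ever sees it.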

Deploying capture filters

Use this task to deploy a capture filter.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Double-click the filter you want to deploy.

3. In the Devices box, check the appliance on which you want to install the capture filter.

4. Click Save.

NOTE: If you want to deploy a capture filter at a later time, select the None checkbox under Devices.

Editing capture filters

Use this task to edit a capture filter.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Double-click on the name of the filter.

3. Redefine the filter by changing its parameters.

4. Click Save.

Using undeployed capture filters

Use this task to apply capture filters to targets after they have been created.

If you want to deploy a capture filter at a later time, select the None checkbox under Devices.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Click on the undeployed capture filter.

3. Select one or more checkboxes of devices on which the filters should be deployed.

4. Click Save.


Viewing deployed capture filters

Use this task to find out which filters are deployed on each DLP Monitor.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. If DLP Manager is managing several Monitors, scroll down the page to see all the filters.

NOTE: If you are using a standalone DLP Monitor, you will see only the filters deployed on your own machine.

If you are using a DLP Manager, scroll down the list to get complete information on all managed systems.

Deleting capture filters

Use this task to delete a capture filter.

If you are on a standalone DLP Monitor, you can delete a capture filter — but on DLP Manager, you can only

remove a capture filter from the Monitor to which it has been deployed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.

2. Select the Remove icon next to the filter you want to delete.

3. Click OK or cancel.

TIP: Before deleting, view deployed filters to determine which DLP Monitors are using the filter.

Setting up system alerts

Configuring system alerts

This release supports device down alerts.

Device down alerts allow you to set up DLP Manager to notify up to 25 users whenever one of

the registered DLP devices goes down.

NOTE: If you have a syslog server, system events are regularly reported to the events database. The database

is polled every 2 minutes, and every alert in the database is sent to the dashboard within this interval. A

timestamp is reported for each alert.

Configuring device down alerts

Use this task to set up notification for users who need to know when DLP devices go down.

NOTE: The notification is the same whether the devices are disconnected or just turned off.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices | System Alerts.

2. Type in the email addresses of the users to be notified. Up to 25 email addresses are supported.

3. Select the alert types you want to send.

4. Click Apply.


Types of device down alerts

There are three possible configuration intervals for a device down alert.

● Notification that the device has recovered and has been up for X minutes

● Notification that the device was down for X minutes

● Notification is sent every X minutes after the device went down
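The three device down alert intervals listed above, together with the 2-minute poll of the events database and the 25-recipient limit mentioned earlier, describe a small state machine over a device's up/down samples. The following Python is an added example of that scheduling and is not the product's code; the poll interval matches the NOTE above, but the thresholds, the recipient addresses and the heartbeat timeline are constructed assumptions.

```python
"""Device down alert scheduling over a constructed poll timeline, implementing
the three interval types listed above. Constructed example: the 2-minute poll
matches the NOTE above, but the thresholds, recipients and heartbeat samples
are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

POLL_MINUTES = 2        # the events database is polled every 2 minutes
MAX_RECIPIENTS = 25     # up to 25 email addresses are supported


@dataclass
class AlertSettings:
    down_for_minutes: int = 4         # "device was down for X minutes"
    repeat_every_minutes: int = 10    # "every X minutes after the device went down"
    recovered_for_minutes: int = 6    # "recovered and has been up for X minutes"


def validate_recipients(addresses) -> tuple:
    """Deduplicates the recipient list (case-insensitively) and enforces the 25-address limit."""
    unique = tuple(dict.fromkeys(a.strip().lower() for a in addresses if a.strip()))
    if len(unique) > MAX_RECIPIENTS:
        raise ValueError(f"at most {MAX_RECIPIENTS} recipients are supported, got {len(unique)}")
    return unique


def schedule_alerts(samples: List[Tuple[int, bool]], s: AlertSettings) -> List[Tuple[int, str]]:
    """samples: (minute, is_up) as seen at each poll. Returns (minute, text) alerts.
    A disconnected device and a powered-off one look the same here, as in the NOTE."""
    alerts = []
    down_since = None         # minute the current outage began
    up_since = None           # minute the device came back after an outage
    down_notified = False     # the one-off "down for X minutes" alert was sent
    recovered_notified = False
    last_repeat = 0           # downtime at which the last repeating alert fired
    for minute, up in samples:
        if not up:
            if down_since is None:                  # transition up -> down
                down_since, up_since = minute, None
                down_notified = recovered_notified = False
                last_repeat = 0
            down_for = minute - down_since
            if not down_notified and down_for >= s.down_for_minutes:
                alerts.append((minute, f"down for {s.down_for_minutes} minutes"))
                down_notified = True
            # Repeating alert: fire whenever another full interval has elapsed since the
            # last one, so a poll that is not aligned with the interval is not skipped.
            if down_for - last_repeat >= s.repeat_every_minutes:
                alerts.append((minute, f"still down, {down_for} minutes since outage began"))
                last_repeat = down_for
        else:
            if down_since is not None:              # transition down -> up
                down_since, up_since = None, minute
            if (up_since is not None and not recovered_notified
                    and minute - up_since >= s.recovered_for_minutes):
                alerts.append((minute, f"recovered, up for {s.recovered_for_minutes} minutes"))
                recovered_notified = True
    return alerts


# Constructed heartbeat timeline: up, down from minute 6 through 24, then back up.
SAMPLE_HEARTBEATS = [(m, not 6 <= m <= 24) for m in range(0, 42, POLL_MINUTES)]

if __name__ == "__main__":
    for minute, text in schedule_alerts(SAMPLE_HEARTBEATS, AlertSettings()):
        print(f"t+{minute:02d} min: {text}")
```

Because the device is only observed every 2 minutes, an alert's timestamp is the poll at which the condition was first seen, not the exact minute the threshold was crossed; the repeating alert therefore tracks elapsed downtime rather than expecting the poll to land exactly on a multiple of the interval.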

Technical specifications

Understanding specifications

Any modifications to DLP equipment, unless expressly approved by the party responsible for compliance, could

void authority to operate the equipment.

DLP hardware has been tested and found to comply with the limits for a Class A digital device,

pursuant to Part 16 of the Federal Communications Commission rules.

Operation is subject to the following two conditions:

● the device may not cause harmful interference, and

● the device must accept any interference received, including interference that may cause unwanted

operation.

These limits are designed to provide reasonable protection against harmful interference when

the equipment is operated in a commercial environment.

DLP equipment generates, uses, and can radiate radio frequency energy. If not installed and

used in accordance with the instruction manual, it might cause harmful interference to radio

communications. If operation of this equipment in a residential area causes harmful interference,

it must be corrected at the owner's expense.

Power Redundancy

To ensure redundancy on the DLP appliances with more than one power supply, all must be

active to share the load while operating at nominal power.

Additional protection is provided if two electrical outlets that are on different circuit breakers are used.

Should one power supply fail, a back-up fan automatically turns on, an alarm sounds and a

warning LED is illuminated. If this occurs, contact McAfee Technical Support for a replacement

unit.

NOTE: If the appliance loses power for any reason, it will not come back up unless you change the BIOS setting

in advance. The motherboard is set to off by default.

Rack Mounting Requirements

Use this information to ensure safe configuration of DLP appliances.


A) Elevated Operating Ambient Temperature

If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment

may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an

environment compatible with the TMA specified by the manufacturer.

B) Reduced Air Flow

Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the

equipment is not compromised.

C) Mechanical Loading

Mounting of the equipment in the rack should be such that a hazardous condition is not created due to uneven

mechanical loading.

D) Circuit Overloading

Consideration should be given to the connection of the equipment to the supply circuit and the effect that

overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of

equipment nameplate ratings should be used when addressing this concern.

E) Reliable Earthing

Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply

connections other than direct connections to the branch circuit (use of power strips).

Safety Compliance Guidelines

DLP hardware must be installed only in Restricted Access locations (dedicated equipment

rooms, electrical closets, or the like).

CAUTION: Disconnect all power supply cords before servicing. RISK OF EXPLOSION if battery is replaced by

an incorrect type. Dispose of used batteries according to the instructions.

Contacting Technical Support

Contacting DLP Technical Support

Contact McAfee Technical Support by phone, email or web.

Telephone (800) 937-2237; (408) 988-3832

Email www.mcafee.com/us/about/contact/index.html

Support Portal mysupport.mcafee.com

TIP: Troubleshooting tips are available on the WebHelp home page. You can also get system information by

clicking the More or Configure links at Menu | Data Loss Prevention | DLP Sys Config.


Creating a Technical Support Package

Use this task to give your technical support representative background information.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.

2. Select a Monitor or Discover system and click More.

TIP: If you cannot see the link, expand your dashboard.

3. Click Create tech support package.

The system will automatically build a file. It may take a few minutes.

4. Click check back.

5. Click Save to download the file to your desktop.

6. Email the file to your McAfee support representative.


Glossary

A

action rule: An automatic rule that uses one or more specific Prevent Policy actions (allow, block, bounce, encrypt, notify, quarantine, redirect) to resolve violations flagged by the capture engine.

Active Directory: Microsoft directory service used to provide basic organizational LDAP functions, such as integration with existing user systems.

administrator account: Default user account for the primary NDLP administrator (admin).

alert: A message triggered by a significant system event that may require a response.

anchor commands: Reference markers that set conditions for matches found in network data by a Concept.

archive: Compressed files that can be extracted and evaluated by the search engine.

audit log: A record of all actions taken by DLP users.

authentication: A security measure that confirms the identity of a user or entity attempting to access a system.

B

bandwidth throttling: A setting that restricts the quantity of data transmitted to prevent network congestion.

blocking: An action taken to prevent transmission of data outside of a network.

C

capture engine: A DLP component that captures, analyzes, processes, and saves all data on a network.

capture filter: A component that is used to isolate significant portions of data to streamline processing by the DLP capture engine.

case system: A collaborative framework that centralizes resolution of incidents flagged by DLP queries and rules.

centralized alerting: An alert notification process controlled by McAfee DLP Manager.


certificate: A digital component generated by a Certificate Authority that authenticates a secure connection between users or servers.

certificate authority: An entity or service that issues and manages digital security certificates.

CIDR (Classless Inter-Domain Routing): Notation used to define IP addresses and subnet masks beyond 8-bit 'classful' limits to efficiently describe routing of IPv4 or IPv6 packets.

cipher text: Encrypted text that is unreadable until it has been converted into plain text.

cleartext: Unencrypted plain text that is readable by anyone on a network.

compliant: A state that indicates that no policy violations have been found after rules have been applied to the network data stream.

Concept: A DLP component that finds collections of significant data related to a single issue.

console: The centralized Manager device that coordinates DLP appliances.

content filtering: The process of classifying all network data into content types that can be processed by a capture engine.

content type: A database object that defines data according to file type.

crawl: An automated process that scans and indexes the contents of a database or file system.

credential: A utility made up of user name, domain, and password that authenticates entry to a repository or database.

D

Data at Rest: Static data at risk that can be found in a repository or database during a DLP scanning process.

Data in Motion: Dynamic data at risk that is flagged by DLP Monitor in the network data stream.

Data in Use: Static data at risk that can be found on host devices that use network resources.

deployment: The process of distributing policies and rules from DLP Manager to its attached appliances.


DHCP: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.

Discover scan: A type of scan that uses policies, rules, and Concepts to find data that is at risk.

distributed searching: A technique used by DLP Manager to construct queries of network data through multiple DLP Monitors.

drilldown: The process of discovering increasingly granular information about an incident by clicking through link levels on DLP dashboards.

Dynamic Host Configuration Protocol: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.

E

endpoints: Host devices, including laptops, desktops, servers, printers, removable media and mobile devices that utilize corporate resources.

exception: A parameter added to a rule that keeps the capture engine from reporting false positives.

exclude list: A collection of documents that are not to be reported if they are detected during a scan.

F

failover account: A default account that provides backdoor access to a DLP appliance if the link to its Manager is broken.

false positive: An incident that is reported when a rule produces a hit that resembles, but does not match, the definition of a violation.

filter: A feature that provides customized views of captured data by selectively screening results on DLP dashboards.

fingerprinting: The process of using an algorithm to create a digital signature that identifies data at risk.

I

incident: An object of interest that is reported to a DLP device when a rule parameter matches a string in network or endpoint data.

inheritance: The application of settings of a DLP policy to its rules.


Inventory scan: A type of scan that produces a manifest of all data available in a repository or database.

L

Lightweight Directory Access Protocol: Directory services used by DLP Manager to identify and extract user accounts residing on external servers.

link speed: A setting that may need to be changed if devices on a network monitored by DLP devices have specific speed and duplex requirements that prevent auto-negotiation.

logical operator: A symbol that is used to construct DLP keyword queries in a shorthand fashion.

M

Mail Transfer Agent: An email relay server used by DLP Prevent to communicate actions to be implemented when data at risk is identified.

Message digest (MD5): A cryptographic hash function used by DLP devices to identify data that has been fingerprinted.

N

network storage scan: A type of Discover scan that crawls network attached storage repositories or databases.

Network Time Server: A local or remote server used by DLP to synchronize date and time with other network devices.

node: A host connected to a network.

P

permissions: Privileges allowing role-based access to DLP users who are assigned specific tasks based on their role in the organization.

policy: A collection of related rules used by DLP devices to identify and classify data at risk.

Prevent Policy actions: A set of actions (allow, block, bounce, encrypt, notify, quarantine, redirect) that can be automatically applied to data at risk by an action rule.

proxy server: A component that acts as an intermediary between a group of intranet devices and the internet.

publishing: The act of distributing policies to DLP appliances from a centralized DLP Manager.


Q

quarantine: Enforced isolation of a file or folder that violates policy or poses a risk to the system.

R

RBAC (Role-Based Access Control): A system that assigns privileges to DLP users based on their roles in an organization.

reaction: An aspect of a host DLP rule that uses one or more specific actions (encrypt, monitor, notify, quarantine, store evidence, delete) to process incidents or violations flagged by the McAfee Agent.

Registration scan: A type of scan that crawls a designated database or file share and generates unique signatures to protect data at risk.

remediation: The process of using action rules to resolve violations found during a DLP discovery scan of a repository or database.

repository: A server, or a share on a server, containing files that are to be crawled by DLP Discover.

repository type: A file system defined by the protocol used to access it.

rule: An entity that identifies anomalies in network or endpoint data by matching its parameters to one or more attributes of data at risk.

RWL (Real World Locality): An entity whose name is likely to be used in a directory search request.

S

scan: A process that locates data at risk while crawling a network repository or database at a designated time.

share: A device, volume, partition, or directory that has been targeted for remote access by a scan operation.

signature: A unique hexadecimal number generated by an algorithm that identifies data at risk.

syslog server: A system log server that automatically receives and records messages from a DLP Manager or Monitor.


T

tar file: A UNIX or Linux archive containing compressed files.

template: A DLP component used to save keystrokes when searching network data, adding rules, or creating capture filters.

tuning a rule: The process of modifying a rule in stages to gradually eliminate false positives from search results.

U

unpublishing: The act of removing policies from deployment on DLP appliances.

V

view vector: A configuration that displays incidents from one of three capture databases (Data-in-Motion, Data-at-Rest, Data-in-Use) on DLP dashboards.

views: A framework that displays incidents found in captured or scanned data in a variety of different configurations on DLP dashboards.

violation: A risk that is reported when a query or rule matches an attribute in the capture database.

W

wiping policy: A setting regulating use of disk space on a DLP Monitor appliance.


Index

A

Action Rules

configuring 89-91, 156, 158-159

deleting 159

types 157

using 155-157

Activation

defining 146

Active Directory 177, 181-183, 185

Alerts

defining 202

notification 202

types 203

Audit logs

defining 194-195

filtering 194-196

C

Capture Filters

actions 196-197, 199

activating 201

by size 25

creating 198, 200

default network 198

default standard 197

definition 196

deploying 201

IP address 16

modifying 201-202

ports 25

reprioritizing 200

types 196

viewing 202

Cases

adding to existing 169, 173

assigning 169

changing owner 170

changing priority 172

changing resolution 170

changing status 171

creating 168

deleting 27-28, 170, 173

managing 168

Concepts

adding conditions 159-160, 163

creating 160, 162, 165-166

defining 160

deleting 166

DocReg 102

network 161, 164

syntax 164

Configuring

backing up 175-176

dashboard 65-66, 72-73, 171

NDLP devices 173, 175

restarting 177

restoring 175-176

shutting down 177

time 186-187

Content types 28

company 29


document 29

office 30

proprietary 30

source code 30

Credentials

creating 122

deleting 122

modifying 122

D

Database crawling 105-112

Devices

adding 174

deregistering 177

viewing 173

DHCP services

adding 178

using 178

Disk space

managing 175

E

Error messages

Discover 98-99

F

Filtering

by browsing 124

by group 74

by time 73-74

examples 10, 13, 15, 168

manually 125

Filters

clearing 73

H

Host DLP

defining 91-95, 156

I

Incidents

deleting 75-76

details 66-67

labeling 76

match strings 131

L

LDAP

adding a server 57-61, 179, 184

adding users 181-183

N

NDLP

overview 1-6

product naming 2

P

Permissions

assigning 97, 192

checking 192

Discover 97

policy 193

task 193


Policies

activating 145-146

changing ownership 147

creating 143, 145

deactivating 146

defining 142

deleting 148

executing 148

inheritance 146

modifying 148

publishing 147

renaming 147-148

standard 143-144

Prevent

actions 78-80, 82, 90, 155

configuring 80, 82

how it works 77, 80-81

using 17

Profile

changing passwords 191

R

registering

by scanning 100

by web upload 101

complete doc paths 102

deregistering data 104, 139

documents in motion 101, 104

excluding text 102

managing resources 104

methods 101, 139-140, 142

signature types 103

with rules 103

registering devices

Discover 96-97

Registration

endpoint data 92-93

Remediation

adding columns 88

applying actions 78-79, 83-84

copying incidents 85

deleting incidents 85

encrypting 86

exporting incidents 84

methods 82

moving incidents 87

resolving problems 83

reverting actions 88

viewing actions 88

Reports

CSV 68

My Reports 64, 69, 76-77

PDF 68-69

save 67, 73

scan history 131-132

schedule 69

Rules

activating 150

creating 22, 94-95, 149-150

deactivating 150

deleting 151

exceptions 58, 61, 151-153

inheritance 150

modifying 77, 151

reconfiguring 150

tuning 154


viewing 149

S

Scan 123

Scanning

default directory 129

defining file properties 127

defining folders 128

defining nodes 126

defining shares 128

fetching files 129

in duplex mode 115

reports 130

results 130

setting bandwidth 115

setting policies 129

statistics 131

storage 138

Scans

configuring 117-120, 138-141

deleting 116

deleting schedules 123

deploying 114

managing 112

modifying 116

modifying schedules 123

modifying states 113

scheduling 123

starting 114

stopping 113-114

viewing 113

viewing scheduled scans 123

Search

by concept 52-54

by content type 38

by digest 38

by email address 31

by email attachment 33

by file owner 37

by file size 37

by file type 37

by filename 36

by filename pattern 36

by IP address 40-41, 199

by keyword 41-45

by location 45-46

by protocol 47-49

by URL 46

by user ID 61-64

chat 31, 35

country codes list 47

custom templates 53

data at rest 132

discovered data 134-137


distributed 27

email by domain 32

email by hostname 31

email by recipient 34

email by sender 33

email by subject 33-34

finding share names 136-138

fleshtone images 39

images 39

IP addresses in data at rest 133


limitations 26, 54-57

logical operators 42, 45

on subnet 40

repositories 133

results 27

scan operations 132

search List 28

using DocReg 133

Webmail 32, 35

Searching

filters 24, 49-51

Specifications 203-204

T

Tech support

create a summary 205

how to contact 204

Templates

creating 166

deleting 167

standard 167

U

Use Cases 6

confidential data 8

covert email 16

data leaked 7-8

Discover 12

encrypted data 15

financial leaks 17

overseas leaks 23

source code leak 9

unhappy employees 12

user investigation 11, 18-19, 21, 23

website posts 14

websites visited 13

Users

add user 189-190, 193-194

add user group 189-190

design a system 188

failover account 191, 194

preconfigured groups 189, 191

primary admin 191-192

V

Views

copying 70

default 66, 71

deleting 70

saving 70

vectors 71
