
Odd behavior from monitor only policy

Has anyone else ever seen an issue where a subset of machines all in the same policy group, all showing same as policy, acting differently when processing the same file moves from local storage to a USB thumb drive? That is, one machine processes the policy accordingly and flags the data control policy correctly in the logs, and the other just notes a file was processed, no policy to be found?

  • Hello dhhhhhh,

    the other just notes a file was processed

    I'm not sure what you are seeing (and what not) and where. Could you please tell us the rule you are using and also post the relevant sections of the logs where you see the discrepancy?

    Christian

  • We have set up a content rule as shown below and applied it to a DLP pilot group, all members of which are showing same as policy across the board. We are testing with the same parameters on all 5 machines in this group, i.e. the same Excel doc, copied to the same type of thumb drive via Windows Explorer; however, 1 of the machines will not trigger an event while the others do without a hiccup. It's almost like this odd machine sees the policy to turn on data control but doesn't get the rest of it to monitor for excessive CC #s.

    Policy:

    For any file
    where the file contains:
    1000 or more matches of Credit or debit card numbers [Global],
    and where the destination is
    Floppy Drive
    or Optical Drive
    or Removable Storage,
    Allow file transfer.

    Snippet of log from working machine:

    An "allow file transfer" action was taken.
        Username: #######
        Rule names: 'Excessive Credit Card Numbers'
        User action: File copy
        Data Control action: Allow
        File type: Spreadsheet (Microsoft Excel-OPC)
        File size: 14689
        Source path: C:\Users\####\Desktop\CC_test.xlsx
        Destination path: E:\CC_test.xlsx
        Destination type: Removable storage

    Snippet from odd machine for same test case as working machine above:

    An "allow file transfer" action was taken.
        Username: ######
        User action: File save or copy
        Data Control action: Allow
        Destination path: G:\CC_test.xlsx
        Destination type: Removable storage

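One way to triage the discrepancy in the two log snippets above across more than a handful of endpoints, as an added example that is not part of the thread or of the product's own tooling: parse the event text and flag any "allow file transfer" event that lacks the rule and source details the working machine recorded. It assumes events are laid out as quoted in the post; the function names, usernames and paths are hypothetical, and the sample log is constructed.

```python
import re

# Constructed sample modelled on the two snippets in the thread (placeholder users/paths).
SAMPLE_LOG = '''\
An "allow file transfer" action was taken.
    Username: user1
    Rule names: 'Excessive Credit Card Numbers'
    User action: File copy
    Data Control action: Allow
    File type: Spreadsheet (Microsoft Excel-OPC)
    File size: 14689
    Source path: C:\\Users\\user1\\Desktop\\CC_test.xlsx
    Destination path: E:\\CC_test.xlsx
    Destination type: Removable storage
An "allow file transfer" action was taken.
    Username: user2
    User action: File save or copy
    Data Control action: Allow
    Destination path: G:\\CC_test.xlsx
    Destination type: Removable storage
'''

# Fields the working machine logged and the odd machine did not.
EXPECTED = ("Rule names", "File type", "File size", "Source path")
HEADER = re.compile(r'^An "(?P<action>[^"]+)" action was taken\.')
FIELD = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_events(text):
    """Split log text into one dict per event (a header line starts an event)."""
    events = []
    for line in text.splitlines():
        header = HEADER.match(line)
        field = FIELD.match(line)
        if header:
            events.append({"action": header.group("action")})
        elif field and events:
            # Key ends at the first colon, so drive letters stay in the value.
            events[-1][field.group("key").strip()] = field.group("value").strip()
    return events

def unattributed(events):
    """Return (username, destination, missing fields) for incomplete events."""
    findings = []
    for ev in events:
        missing = [k for k in EXPECTED if not ev.get(k)]
        if missing:
            findings.append((ev.get("Username"), ev.get("Destination path"), missing))
    return findings

if __name__ == "__main__":
    for user, dest, missing in unattributed(parse_events(SAMPLE_LOG)):
        print(f"{user} -> {dest}: missing {', '.join(missing)}")
```
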
  • Hello dhhhhhh,

    DLP does kick in and logs an event but details of the source are missing. Can't say what could cause this. All 5 machines the same (OS, compliant with all the other policies)? Don't think that turning on verbose logging (locally from the client's GUI) will give more insight but you could give it a try.

    Christian

  • All machines are identical and compliant with policy across the board. The advanced logging was useless so I have kicked the issue up to support and will let you know what they come back with.

  • If you send a set of test CC#'s does the overflow pick a particular 'external' destination? (that you notice)