This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Odd behavior from monitor only policy

Has anyone else ever seen an issue where a subset of machines all in the same policy group, all showing same as policy, acting differently when processing the same file moves from local storage to a USB thumb drive? That is one machine processes the policy accordingly and flags the data control policy correctly in the logs and the other just notes a file was processed, no policy to be found?

This thread was automatically locked due to age.

Parents

0 dhhhhhh over 11 years ago

We have setup a content rule as shown below and applied it to a DLP pilot group; all members of which are showing same as policy accross the board. We are testing with the same parameters on all 5 machines in this group, i.e. - the same excel doc, copied to the same type of thumb drive via windows explorer however 1 of the machines will not trigger an event while the others do without a hiccup; its almost like this odd machine see's the policy to turn on datacontrol but doesn't get the rest of it to monitor for excessive CC #s.
Policy:
For any file
where the file contains:
1000 or more matches of Credit or debit card numbers [Global],
and where the destination is
Floppy Drive
or Optical Drive
or Removable Storage,
Allow file transfer.
Snippet of log from working machine:
An "allow file transfer" action was taken.
                Username: #######
                Rule names: 'Excessive Credit Card Numbers'
                User action: File copy
                Data Control action: Allow
                File type: Spreadsheet (Microsoft Excel-OPC)
                File size: 14689
                Source path: C:\Users\####\Desktop\CC_test.xlsx
                Destination path: E:\CC_test.xlsx
                Destination type: Removable storage
Snippet from odd machine for same test case as working machine above:
An "allow file transfer" action was taken.
                         Username: ######
                         User action: File save or copy
                         Data Control action: Allow
                         Destination path: G:\CC_test.xlsx
                         Destination type: Removable storage
:37679
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dhhhhhh over 11 years ago

We have setup a content rule as shown below and applied it to a DLP pilot group; all members of which are showing same as policy accross the board. We are testing with the same parameters on all 5 machines in this group, i.e. - the same excel doc, copied to the same type of thumb drive via windows explorer however 1 of the machines will not trigger an event while the others do without a hiccup; its almost like this odd machine see's the policy to turn on datacontrol but doesn't get the rest of it to monitor for excessive CC #s.
Policy:
For any file
where the file contains:
1000 or more matches of Credit or debit card numbers [Global],
and where the destination is
Floppy Drive
or Optical Drive
or Removable Storage,
Allow file transfer.
Snippet of log from working machine:
An "allow file transfer" action was taken.
                Username: #######
                Rule names: 'Excessive Credit Card Numbers'
                User action: File copy
                Data Control action: Allow
                File type: Spreadsheet (Microsoft Excel-OPC)
                File size: 14689
                Source path: C:\Users\####\Desktop\CC_test.xlsx
                Destination path: E:\CC_test.xlsx
                Destination type: Removable storage
Snippet from odd machine for same test case as working machine above:
An "allow file transfer" action was taken.
                         Username: ######
                         User action: File save or copy
                         Data Control action: Allow
                         Destination path: G:\CC_test.xlsx
                         Destination type: Removable storage
:37679
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data