
Data Control not logging to Console

 Hi,

 

I have a data control policy to log only files saved to removable media. I can see in the log on the local PC that it is logging fine, but the log does not appear in the console. I am not choosing an application, just leaving that part blank. If I enable an application like Chrome, that works and is logged in the console. I am using console 5.5 and AV 10.7.6. Any idea would be very helpful. Thanks



This thread was automatically locked due to age.
  • Hello andy Cerasoli,

    first of all, an audit trail of data transfers is not the intended use of Data Control, its purpose is blocking transfers or logging those explicitly requested by the user despite the preceding warning. IIRC Allow and log isn't guaranteed to log an Event with the console.

    Is this a file or a content rule, and could you perhaps show what's in the log on the local PC?

    Christian

  • Hi Christian,

    Here is the log file from the local PC. We are just trying to determine what files are being transferred for now so that we can build a policy. If there is another way we can see this and what is also transferred from a USB device that would be great but I guess. Thanks Andy

     

    20180319 093143              Data Control has started on this machine.

    20180319 093358              An "allow file transfer" action was taken.
                                    Username: SCOTMID\AndyCerasoli
                                    User action: File save or copy
                                    Data Control action: Allow
                                    Destination path: D:\Wildlife.wmv
                                    Destination type: Removable storage

    20180319 093819              An "allow file transfer" action was taken.
                                    Username: SCOTMID\AndyCerasoli
                                    User action: File save or copy
                                    Data Control action: Allow
                                    Destination path: D:\Desert.jpg
                                    Destination type: Removable storage

    20180319 093916              An "allow file transfer" action was taken.
                                    Username: SCOTMID\AndyCerasoli
                                    User action: File save or copy
                                    Data Control action: Allow
                                    Destination path: D:\Tulips.jpg
                                    Destination type: Removable storage

    20180319 095304              An "allow file transfer" action was taken.

  • Hello Andy,

    did some tests to help me remember ... now, it says User action: File save or copy. For external storage, if you want to at least potentially block the transfer, only writes using Explorer (i.e. file copy/move) are permitted and no saves by some other application. While all the writes are logged locally, only the ones made with Explorer are sent to SEC. Arguably, the attempt to save (when a potentially block policy is in effect) with an application other than Explorer is not an infringement of a rule - as no rule is checked at this point.
    I know this might be a little bit confusing. Consider the case you set your policy to Block but exclude Tulips.jpg. If the user attempts to copy Desert.jpg and Tulips.jpg the former will be blocked, you'll get a log entry and an event. For the latter you'll get neither (unless you've turned on verbose logging in which case there'll be No rules matched for the latter in the log but also no event).

    This is intentional - Data Control is intended for prevention, not auditing (or eavesdropping). It's assumed that you have an idea about the content you don't want to get copied to removable storage. What about files you haven't encountered during an "assessment phase" -  once you have "armed" your policy it would be possible to transfer these without any indication.

    Christian   
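
An added example (not part of the thread and not the vendor's code): because the local log records every write, it can be parsed into a file inventory for an assessment phase even when the console receives no event. The field names are those in the log excerpt above; the sample lines, users and paths are constructed, and the timestamp layout is assumed to be YYYYMMDD HHMMSS.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample in the layout shown in the thread (users and paths are made up).
# It includes stray blank lines and a final entry cut off after its first line.
SAMPLE_LOG = r"""
20180319 093143    Data Control has started on this machine.
20180319 093358    An "allow file transfer" action was taken.
                   Username: EXAMPLE\alice
                   Destination path: E:\report.docx
                   Destination type: Removable storage

20180319 093819    An "allow file transfer" action was taken.

                   Username: EXAMPLE\bob

                   Destination path: E:\photos\beach.JPG

                   Destination type: Removable storage
20180319 095304    An "allow file transfer" action was taken.
"""

ENTRY = re.compile(r"^\s*(\d{8} \d{6})\s+(.*\S)\s*$")          # timestamped first line
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$")  # "Key: value" detail line

def parse_entries(text):
    """Return one dict per timestamped entry; detail lines attach to the latest entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y%m%d %H%M%S")  # assumed layout
            entries.append({"time": when, "message": m.group(2), "fields": {}})
        elif entries and (f := FIELD.match(line)):
            entries[-1]["fields"][f.group(1)] = f.group(2)
    return entries

def removable_writes(entries):
    """(time, user, path) for complete entries that went to removable storage."""
    return [(e["time"], e["fields"].get("Username", "?"), e["fields"]["Destination path"])
            for e in entries
            if e["fields"].get("Destination type") == "Removable storage"
            and "Destination path" in e["fields"]]

def extension_counts(writes):
    """Count written files by lower-cased extension, to see which types a rule must cover."""
    return Counter(PureWindowsPath(path).suffix.lower() for _, _, path in writes)
```
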

  • Hi Christian,

    I understand. 

    Thanks for your help

     

    Andy