How to setup and run data loss prevention (DLP) scans in Endpoint Manager

Release Time
05/13/2020
Download PDF
Views
1764 times
Category
Endpoint manager portal
Tags


Click 'Configuration Templates' > 'Data Loss Prevention'

  • Data loss prevention (DLP) rules let you scan Windows devices for files that contain sensitive information.
     
  • For example, the scan finds card numbers, social security numbers, bank account numbers, bank routing numbers, and more.
     
  • There are two types of DLP rules:
     
  • Discovery rules - Define the areas you want to scan, the type of information you want to search for, and the action you want to take on discovered files.
     
    • Discovery rules are added to profiles, which are in turn applied to managed devices. You also have the option to run on-demand discovery scans on devices.
       
    • You can review all files which contain sensitive data from the Endpoint Manager interface. You can then take actions to secure that data where required.
       
  • Monitoring rules – Block users from copying files to external storage devices.
     
    • EM monitors attempted data transfers to devices like USB drives and allows/blocks the transfer in real time.
       
    • Monitoring rules are added to profiles which are in-turn applied to managed devices for continuous monitoring.

Use the following links to jump to the task you need help with:

Overview

  •   You first create a discovery scan rule at ‘Configuration Templates' > 'Data Loss Prevention' > 'Create Discovery'.  
     
  •   You then add the scan to the DLP section of a profile. The scan will run on all devices on which the profile is active.
     
  •   You can view scan results at 'Security Subsystems' > 'Data Loss Prevention' > 'Logs'.
     
  •   You can also manually run discovery scans on devices at ‘Security Sub-systems’ > ‘Data Loss Prevention’ >  'Device List'

Create a DLP scan rule

  • Click 'Configuration Templates' > 'Data Loss Prevention' >  'Create Discovery'

Scan rules tell the DLP scan exactly what type of data to search for. You will define the following items:

  • Location - The folders or drives that you want to scan on target devices. For example, 'C:\Users\'.
     
  • File types - The file extensions you want to inspect. For example, .doc, .xls, .txt.
     
  • Search pattern - The type of data you want to search for. For example, card numbers, bank account numbers, social security numbers, dates-of-birth, etc.
     
  • Action - The response Endpoint Manager should take when the rule conditions are met. The options are ‘ignore’ and ‘quarantine’.

You add the scan rule to a profile, which is in turn applied to target devices or users.

  • Click 'Configuration Templates' > 'Data Loss Prevention'
     
  • You can see the DLP rule with validity status here whether it is valid or invalid to use. If a rule does not have any of the following criteria, 'Targets',’ Exclusions’,’ Patterns’,’ Documents Types’ and ‘Profiles’ are empty the rule should be invalid, you cannot get expected results in scanning



     
  • To create a ‘Discovery Rule’, Click 'Create' > 'Discovery Rule'
     


Complete the following fields:

Name - Enter a label for the rule

Description – Add a short note for your reference

Action - The response Endpoint Manager should take on files which meet the rule conditions. The options are:

  •   Ignore – Take no action on the file. You can still review the files at ‘Security Sub-systems’ > ‘Data Loss Prevention’ > ‘Logs’.
     
  •   Quarantine – The file is moved from its original location on the endpoint and placed in a secure holding area. Users cannot open quarantined files. You can review quarantined files as follows:
     
    •    Local Endpoint - Open Comodo Client Security > Click ‘Tasks’ > ‘DLP Tasks’ > ‘Data Loss Prevention Quarantine’. You can restore the files to the original location from here if required.
       
    •  Endpoint Manager - Click ‘Security Sub-Systems’ > ‘Data Loss Prevention’ > ‘Quarantined Files’. You can restore the files to original location or delete the files on the local endpoint.

Show match results with first and last symbols in View Logs - If enabled, the log details of a file intercepted by the rule shows the actual data discovered in the file. Only the first and last characters of the record are shown. For example, a ten digit social security number would be shown as 3 - - - - - - - 9. See View scan results for more on the viewing logs and details of files that created a DLP event.

  • Click 'Create’ to move to the rule configuration screen:

 

  • Click 'Edit' on the right.
     
  • Use the following links for help with each tab

General

Targets

Exclusions

Patterns

Document Types

General

The general tab shows the name, description and action you chose for the rule in the previous step. The tab also lets you configure log options.

  • Click 'Edit'


Name, Description, Action and log option – Your choices made while creating the rule. Change these if required.

  • Click 'Save'

Target/ Scan locations

Targets are the folders or drives that you want to scan on your managed devices.

  • Click the 'Targets' tab > 'Edit'
     
  • 'C:\Users' is included by default.
     
  • Click 'Add' > 'File Path' to add a new scan location:


 

  • Enter the location you want to scan then click 'Ok'
     
  • Repeat the process to add more locations
     
  • Click the pencil icon in the 'Action' column to edit a location
     
  • Click 'Save'

Exclusions

You can omit specific locations and/or file types from your discovery scan.

  • Click the 'Exclusions' tab, followed by 'Edit'
     
  • Click 'Add'
     
    • File path -  Exclude a folder or file
       
    • File Groups - Exclude a specific set of file types:



       
    •  Filegroups make it easy to exclude an entire class of file. Choose the group you want to exclude then click ‘Save’.
       
    •  Click 'Settings' > 'Data Protection Templates' > 'File Groups Variables' to view and manage file groups
       
    • See this wiki if you need help to create and manage file groups.
       
  • Repeat the process to add more exclusions.


 

Patterns

The patterns tab is where you tell the scan what types of data you want to search for.

  •  A 'pattern' is the format used by the type of data you want to find. Each pattern is a combination of a keyword group and information format.
     
  • For example, the ‘Name with SSN’ pattern consists of:
     
    • Keyword group = ‘Names’ group.
       
    • Information format =  9 digit number arranged in 3-2-4 formation, like '123-45-6789'.
       
  • EM ships with a number of patterns which you can use to search for sensitive data.
     
  • You can also create custom patterns as combinations of information formats and keyword groups. See Manage data patterns if you need help with creating custom patterns.

Add patterns

  • Click the 'Patterns' tab then 'Edit'
     
  • Click 'Add Pattern'


 

  • Pattern - Choose the type of information that you want to search for in scanned locations.
     
    • The drop-down shows the pre-defined patterns shipped with EM and the custom patterns added by you. For example, credit card numbers, social security numbers, bank routing numbers, etc.
       
    • Each pattern can contain a single data format or can be a combination of specific data format(s) and keyword(s) or keyword group(s)
       
    •  You can view, create and manage available patterns in the 'Settings' >  'Data Protection Templates' > 'Patterns' interface.
       
    • See Manage data patterns if you need help with this.
       
    • You can customize the selected pattern to narrow down the search only for data containing specific values in certain fields. For example, only search for data containing names and 10 digit bank account number, starting with '4687'.
  • Threshold - The number of times that data matching the pattern must be found in a document. Endpoint Manager will flag a document if it contains the threshold quantity of pattern examples.


 


Once you select a pattern the components of the pattern are shown:
 


Narrow down the search (optional):

You can customize the pattern to search only for data containing specified values in certain positions in the sequence. This is optional.

The left pane shows the components in the pattern and the right pane shows an expanded view of the component chosen in left pane.

  • Click a component to expand it on the right pane
     
    • For keyword group, the right pane lets you select a keyword group
       
    • For data format (Custom Mask), the right pane shows the arrangement of characters in it.

                   A = any character / symbol

                   D = number

                   L = alphabetical letter

                   S = Special symbol


 

  • Select 'Allow to specify Mask'
     
  • Enter the specific/constant characters for which you want to limit your search, in the text fields of the respective positions
     
  • Click 'Set Mask Configuration'
     
  • Click 'OK'

Note - You cannot specify mask characters for pre-defined-standard information types like credit card numbers and social security number that ship with EM. If you want to use mask characters for any of those data, create a similar custom information type with a different name, add it to a custom pattern and use the custom pattern in the rule. See Manage data patterns to know more about adding custom information types to a pattern.

Illustration:

For example, you add 'Name with 10 digit account number' as search pattern but want to narrow down the search to only identify account numbers starting from '1234'.

  • Choose 'Name with 10 Digit Account Number' as your pattern
  • Click 'Custom Mask' to expand it on the right pane
     
  • Select 'Allow to specify Mask'
     
  • Enter '1', '2', '3' and '4' in the first four text fields

The values are automatically added to their positions in the data type.



 

  • Click 'Set Mask Configuration'
     
  • Click 'Ok'

Repeat the process to add more patterns.



 

  • Click the pencil icon on the left if you want to edit a pattern
     
  • Click 'Save'.

Note – You MUST add keywords to the keyword group used in a pattern, or the search will not work. For example, you must add some names to the ‘Names’ group.

Document types

  • This tab lets you choose which types of file you want to scan for sensitive data.
     
  • You can choose PDFs, Word documents, HTML files, text files and/or ZIP files.
     
  • The scan will search the content of all files which have a matching file extension in the locations you specified.

Click the 'Document Types' tab then 'Edit':



 

  • Use the switches in the status column to choose which types of files you want to scan.
     
  • Click 'Save'
  • Repeat the process to add more rules.

You can now add the rule to a profile. If your pattern contains the ‘Name’ group, please make sure you have added keywords to the group

Manage data patterns

You can view,create and manage available patterns in 'Settings' > 'Data Protection Templates' > 'Patterns'

  • Patterns are used by DLP scans to identify sensitive data.
     
  • A pattern can just be an ‘information format’ or be a combination of an ‘information format’ and keywords.
     
    • An information format is the notation used by the type of data you want to find. For example, the information format of an SSN is a nine digit number in 3-2-4 formation, like '123-45-6789'.
       
    • Keywords can be indivudual keywords or keyword groups. Each keyword group can contain a set of keywords that belong to a category, like names and network terms
       
  • EM ships with a set of pre-defined patterns
     
  • You can also create custom patterns to define custom information formats

View data patterns

  • Click 'Settings' > 'Data Protection Templates'
     
  • Click the 'Patterns' tab

The pattern variables interface shows a list of pre-defined and custom patterns and lets you create new patterns:


The following table shows the information formats and keyword groups contained in each predefined  pattern:
 

                Pattern 

                                   Description
Turkish Nationality ID Number
Consists of citizen number in Turkey
 

 Name with 5-8 Digit Account Number
 

 Consists of Keyword Group 'Names' and a bank account number

 Name with 9 Digit Account Number
 

 Consists of Keyword Group 'Names' and 9 digit bank account number

 Name with 10 Digit Account Number
 

 Consists of Keyword Group 'Names' and 10 digit bank account number

 Name with SSN
 

 Consists of Social Security Number and Keyword Group 'Names'

 ABA Routing number

 Consists of American Bankers Association (ABA) routing number. This is the nine digit bank code printed in negotiable instruments in the US.

 Date of birth 
 

 Consists of Birth Date

 Credit Card Number
 

 Consists of Credit Card Number

 IP Network

 Consists of IPv4 and IPv6 IP Addresses

 Examples:

 192.0.2.0/24

 198.51.100.0

 2001:0db8:85a3:0000:0000:8a2e:0370:7334

 2001:db8:1234::/48

 Network Address 

 Consists of URLs, and domain names

 Examples:

 http://domain.name

 https://domain.name

 www.domain.name

 domain.com

 local.net

 IBAN Code
 

 Bank account number in International Bank Account Number (IBAN) format.

 MAC Address
 

 Searches for mac addresses, the unique identifier assigned to network cards.

 

Create a custom pattern

  • Click 'Settings' > 'Data Protection Templates'
     
  • Click the 'Patterns' tab
     
  • Click 'Create Pattern'

 

  • Enter a label for the pattern and click 'Create'
     


 

  • Click the 'Pattern Elements' tab
     
  • Click 'Add Element' and choose a component information type or keyword group to add to the pattern:




 

Keyword                                      

Specify a single keyword as a component of the pattern

Keyword Groups

Add a keyword group to the pattern. You can manage term in a keyword group in 'Settings' > 'Data Protection Templates' > 'Static Keyword' interface. See Add keywords to keyword groups if you need help with this.
Custom Mask

Specify a custom information type. You can define a sequence of different character types like alphabets, numerals and special characters in the order they appear in the data you want to search.



 

Use:

'A' in place of any character

'D' in place of a numeral

'L' in place of an alphabet letter

'S' in place of a special character

For example, to define a 7 character vehicle license plate number, you can specify:

                                                         'DLLLDDD'

Match All

  • Enabled – Only the data that match fully with the information type are identified by the rule in which the pattern is used
     
  • Disabled – Data that match partially  with the information type are identified by the rule in which the pattern is used

You can narrow down the scope of search by specifying constant characters in place of variables, while adding the pattern to a discovery rule. See Patterns for more details.

ABA Routing Number                       
Date of Birth

SSN

Mac Address

IP Network Address

Network Address        

IBAN Bode

Credit Card Number

Turkish Nationality ID Number

 Predefined - standard information types.

 

  • Repeat the process to add more elements to the pattern

Edit or delete a pattern

  • Click 'Settings' > 'Data Protection Templates'
     
  • Click the 'Patterns' tab
     
  • Click a custom pattern to edit it.
     
  • The process of editing is similar to adding a pattern
     
  • Select a pattern and click 'Delete Pattern(s)' to remove it.
     
  • Note – You can edit or delete only custom pattern. Pre-defined patterns cannot be edited or deleted.

Add keywords to keyword groups

Click 'Settings' > 'Data Protection Templates' > 'Static Keywords'

  • Keyword groups are used by DLP scans to identify sensitive data. Each group is a list of specific items which the scan will search for.
     
  • For example, the ‘Names’ group should contain the surnames of the employees/users in your protected network.
     
  • The keyword group is paired with an ‘information format’ to form a 'pattern'.
     
    • An information format is a notation used by the type of data you want to find. For example, the information format of an SSN is a nine-digit number in 3-2-4 formation, like '123-45-6789'.
       
    • So a search for the SSN ‘pattern’ will identify all instances of ‘Name + SSN’ in target documents.
       
  • You MUST add some names to the ‘Names’ group or the search will not work. Patterns that have an empty keyword group will not produce any results.

Add names to the ‘Names’ keyword group

  • Click 'Settings' > 'Data Protection Templates'
     
  • Click the 'Static Keywords' tab
     
  • Click '+' at the left of a group name





There are two ways you can add keywords:

1    Type them in the field provided. Click ‘Add’ after each keyword.
 


 

  • Repeat the process to add more keywords

2    Import them from .csv file. Click the import icon on the right then browse to your .csv file:
 

 

 
   Advice:

  • The scan searches for an exact match on the keywords you add.
     
  • Because of this, we advise you add only surnames to the ‘Names’ group at first. This will detect the most variants of the subject’s name.
     
  • For example, the keyword ‘Bowman’ will catch the following variants in an SSN pattern search:

    Robert T Bowman 123-45-6789
    Rob Bowman 123-45-6789
    Robert Bowman 123-45-6789
    R. Bowman 123-45-6789
    Bowman Robert 123-45-6789
    etc.


Manage User Permissions

  • Click 'Users' > 'Role Management'
     
  • Click the 'Roles' tab. 



 

  • The 'Roles' interface allows you to create and manage user roles.
     
  • Endpoint Manager ships with four roles, 'Account Admin', 'Administrators', 'Technician' and 'Users'. The 'Account Admin' role can be viewed but not edited. The permissions in the other three roles can be modified.
     
  • Each role defines a staff member's rights to access the certain EM modules and to manage users/devices belonging to different companies. You can restrict a role to manage specific companies and specific device groups. See this wiki if u need help to create or manage user roles. 

Add or remove permissions assigned to a role

  • Click a role name to view 'Role Details'.
     
  • Click the 'Role Permissions' tab if it is not open


 

  • Role Permissions defines the access rights and privileges for the role

Apply to all - Use 'Apply to all' will enable or disable all the permissions

Read Only Portal - Read-only mode allows the user to view the page in the Endpoint Manager. If we are enabling the button user can only view the page cannot make changes in the Endpoint Manager.

Each item in the list lets you choose permissions for a specific area.

  • Click the down arrow next to a module name to view its permissions

               OR

  • Click 'Expand' at the top to view all permissions

You can now view or manage the ‘Data Protection Templates’ role permissions.

  • Use the switches on the right to enable or disable specific permissions

 

  • Select the checkboxes of the permissions to be assigned to the role and click the save button at the top.

For Example, The Permission: "settings.data-protection-templates.patterns" has been selected to add to the role.

  • Deselect the checkboxes, if you want to be removed from the role.

If we disable ‘’settings.data-protection.patterns’ permission, the user cannot access to 'Patterns' at Data Protection Template page

  • Click 'Save' for your settings to take effect

Note – Please refer this wiki if you need to know more about assign and reassign of roles
 

Add DLP discovery rules to a profile

The final step is to add a DLP section to your profile, then populate it with your scan rules.

  • Click 'Configuration Templates' > 'Profiles'
     
  • Click the ‘Profiles’ tab
     
  • Open the Windows profile applied to your target devices
     
    • Open the 'Data Loss Prevention' tab

      OR
       
    • Click 'Add Profile Section' > 'Data Loss Prevention', if it hasn't yet been added
       
  • Click the 'Discovery' tab (if it is not open already)



 

  • Click 'Add'



 

Choose Data Loss Prevention rule - Add an existing discovery rule to the profile.

  • Start typing the first few letters of a rule name then select from the suggestions.
     
  • You can be able to view the DLP rule is valid or invalid to use. If a rule is invalid, you can’t get the expected results
     
    • If you can’t remember your rule names, click ‘Configuration Templates’ > ‘Data Loss Prevention’
       
  • Repeat the process to add more rules to the profile
     
  • Click 'Add'

The interface shows all discovery rules you have added:


The profile pushes the DLP scan to the target devices.

Manually run a DLP scan

You can run DLP scans on-demand from the data loss prevention section:

  • Click 'Security Sub-systems' > 'Data Loss Prevention'
     
  • Select the 'Device List' tab
     
  • Select your target devices
     
  • Click 'Action on Endpoint' > 'Run all discoveries':


 

  • The scan command is sent to the selected devices. CCS runs the scans based on the rules included in the profile active on the device.
     
  • Click the 'Details' link when the scan finishes viewing files containing sensitive information
     
  • See View scan results for more on the results.

View scan results

Click 'Security Sub-systems' > 'Data Loss Prevention' > 'Logs'

  • The logs tab shows DLP events on endpoints.
     
  • Log details include the name of the file, its location on the device, the rule that discovered the file, and the type of sensitive information in the file.
     
  • You can use the 'Remote Tools' feature to connect to the target device and access the files on the path provided. You can then move/ remove/ edit file permissions as required.

View DLP scan logs

  • Click 'Security Sub-systems' > 'Data Loss Prevention'
     
  • Click the 'Logs' tab



 

  • Date Time - The date and time at which the file was discovered
     
  • Component - The type of rule that generated the log. This can be either a discovery rule or a monitoring rule.
     
  • Action - The CCS response when the rule was triggered. The possible values are:
     
    • Quarantined – The file is moved to quarantine in the local CCS installation. You can restore or delete quarantined files. See Manage DLP quarantined files for help with this.
       
    • Ignored – No action has been taken on the identified file. You can manually take actions on the file by remotely accessing the device through the 'Remote Tools' feature.

      See the next section Take action on identified files for help with this.
  • Device Name - The device on which the files reside.
     
    • Click the name of the device to view its details.
       
  • Rule - The DLP rule that triggered the event:
     
    • DLP Discovery events - The name of the DLP discovery rule that identified the file.
       
    • Monitoring events - Shows the rule name as 'Removable Storage Rule'
       
  • File Name - The label of the file
     
    • Click the    icon to copy the file name to the clipboard.
       
  • File Path - The location of the file on the device.
     
    • Click the   icon to copy the file path to the clipboard.
       
  • File Hash - The SHA 1 hash value of the file
     
  • Pattern - The type of data contained in the file.
     
  • Match Count - The number of times the data of the type occurred in the file.
     
  • Details - Click the 'Details' link to view the information on the detected file. An example is shown below:


 

Take action on identified files

There are two ways you can connect to remote devices in order to manage files that contain sensitive data:

1) Endpoint Manager - Click 'Devices' > 'Device List' > select a running Windows device > Click 'Remote Tools' > 'File Explorer'.

  • See this wiki for help to use the 'Remote Tools' feature.

2) Remote Control app - Click 'Devices' > 'Device List' > 'Device Management' > select a Windows device > Click the 'File Transfer' button.

You need to download and install the remote control app to use this feature.

  • See this wiki for help to use both of these remote control apps.

Manage DLP quarantined files

Click 'Security Sub-systems' > 'Data Loss Prevention' > ‘Quarantined Files’

The DLP quarantined files screen shows files that were quarantined on endpoints by a discovery rule.

  • Click 'Security Sub-systems' > 'Data Loss Prevention'
     
  • Click the 'Quarantined Files' tab.



 

  • Date - The date and time the file was quarantined
     
  • File Name - The file in which sensitive data was found.
     
    • Click the    icon to copy the file name to clipboard.
       
    • Click the name to view file details. The file details pane shows the general information of the file and the devices on which the file was found. You can restore or delete the file on the devices. See View details of DLP quarantined files to read more.
       
  • File Path - The location of the file on the device.
     
    • Click the   icon to copy the file path to clipboard.
       
  • File Hash - The SHA1 hash value of the executable file.
     
    • Click the    icon to copy the hash value to the clipboard.
       
  • Rule Name - The discovery rule that quarantined the file
     
  • Pattern Name - The data format that the rule searched for. For example, an ‘ABA routing number’ is a nine digit code.
     
  • Device Count - Number of devices on which the file was quarantined. Click the number to view the device details. 
     
  • Last Action on group - The admin’s response to the quarantined file. The possible values are:
     
    • Delete
       
    • Restore

The controls on the top lets you take actions on the quarantined files:

  • Restore File on Devices - Select a file and click 'Restore file on Devices' to move the file from quarantine back to its original location
     
  • Delete Files from Devices - Select a file and click 'Delete Files from Devices' to remove the file from the devices

Create a DLP monitoring rule

Click 'Configuration Templates' > 'Data Loss Prevention' > 'Create' > 'Monitoring Rule'

  • Monitoring rules let you prevent users from copying files to external devices and the ability to restrict their users to take screenshots and log the performed actions according to their preferences. You will define the following items in a rule.

    You can create the following monitoring rules:

Removable Storage Rule 

Removable Storage Rules block or allow copy/move operations to external storage devices like USB data devices. You can add the monitoring rule to a profile, which is in turn applied to target devices or users.

  • Click 'Configuration Templates' > 'Data Loss Prevention'
     
  • Click 'Create' > 'Monitoring Rule' > Select ‘Monitoring Type’ > ‘Removable Storage Rule’


 

Name - Enter a label for the rule

Description – Add a short note for your reference

Monitoring type – Choose the channel to be monitored for data transfer. 

Action - The response Endpoint Manager should take on files that meet the rule conditions. The options are:

  • Ignore – Data transfers to the external storage device are allowed.
     
  • Quarantine - The storage device is set to ‘Read-only’ mode. Users cannot copy data to/from the storage device.

Log when this action is performed - Choose whether you want to create an event log whenever the rule is enforced. You can view the logs in the  'Security Sub-systems' > 'Data Loss Prevention' > 'Logs' interface in EM.

  • Click 'Create’ to move to the rule configuration screen:


 

  • Click 'Edit' on the right.
     
  • Use the following links for help with each tab

General

Criteria

General

The general tab shows the name, description and action you chose for the rule in the previous step.

  • Click 'Edit'


 

  • Name, Description, Action and log option – Your choices made while creating the rule. Change these if required.
     
  • Click 'Save'

Criteria

The criteria tab lets you select the type of target external storage devices.

  • Click the 'Criteria' tab > 'Edit'



 

  • Select the type of storage device. The only option available is 'USB DATA Devices'. This covers the following storage devices:
     
    • USB Data Devices like pen drives
       
    • External HDDs /SSDs
       
    • USB connected external optical disk drives (CD/DVD)
       
    • SD, Micro SD Cards, SDXC-SDHC cards
       
    • eSata removable drives
       
    • FireWire connected devices
       
    • Devices using MTP protocol
       
  • Click 'Save'

The monitoring rule is created.

  • Repeat the process to add more rules.

You can now add the rule to a profile.

Screenshot Rule

The Screenshot Rule can be used to prevent screenshot captures when a certain defined process is running. If the admin adds this rule and assigns it to any device profile, the associated devices should not be able to take a screenshot while the defined processes are running.

  • Click 'Configuration Templates' > 'Data Loss Prevention'
     
  • Click 'Create' > 'Monitoring Rule' > Select ‘Monitoring Type’ > ‘Screenshot Rule’


 

  • Name - Enter an appropriate label for the rule
     
  • Description - Enter short notes for the rule
     
  • Monitoring type - Select 'Screenshot Rule' from the drop-down
     
  • Reputation - The admin should be able to select a rating for the application created, these rating block the user to take a screenshot while the process is running. The available ratings are ‘Any’, ‘Trusted’, ‘Malicious’ or ‘Unrecognized’.
     
    • If none of these is selected, the device should be blocked to take a screenshot for all. The default rating is ‘Any’.
       
  • Action – The screenshot actions while selected applications are running.
     
    • Ignore – The screenshot is allowed. The default action will be "Ignore
       
    • Block - The device is set to 'Read-only' mode. Block the users to take a screenshot in this mode.
       
  • Log when this action is performed - Choose whether you want to create an event log. You can view the logs in the 'Security Sub-systems' > 'Data Loss Prevention' > 'Logs' interface in EM.
     
  • Click 'Create’

The rule is saved. The rule configuration screen opens:


Use the following links to jump the tab

General

The general tab shows the name, description, monitoring type, reputation, and action you chose for the rule in the previous step.

  • Click 'Edit' at top-right
     
  • Update the fields if required.
     
  • Click 'Save

Criteria

The screenshot rule shows the list of all criteria types. You can set the preference criteria accordingly, the option is ‘File groups’, File’, ‘File hash’, ’Folder’,’ Process hash’.

  • Click Criteria > Add
     
  • Select the criteria type from the drop-down button you want to add.

 

  • Filegroups - Exclude a specific set of file types
     
    •  Click 'Settings' > 'Data Protection Templates' > 'File Groups Variables' to view and manage file groups or click the ‘You can add/edit file groups here’ option
       
    • See this wiki if you need help to create and manage file groups.
       
  • File – Enter the file path you need to exclude from the rule.
     
  • File Hash – The file hash allows you to locate files by their SHA-1 hash value. Visibility, execution trend, file history and executive summary are listed for each file. It should be the SHA 1 checksum of a file.
     
  • Folder – Add the folder path for the rule
     
  • Process Hash – Add the SHA1 checksum of the process to exclude the screenshot rule.
     
  • Click save

The screenshot rule is now created


 

  • Repeat the process to add more rules.
     
  • To delete a rule, select the rule > click the ‘Delete’ tab

You can now add the rule to the profile

Add a DLP monitoring rule to a profile

  •   Click 'Configuration Templates' > 'Profiles'
     
  •   Click the ‘Profiles’ tab
     
  •  Open the Windows profile applied to your target devices
     
    •  Open the 'Data Loss Prevention' tab

      OR
       
    •  Click 'Add Profile Section' > 'Data Loss Prevention', if it hasn't yet been added
       
  •  Click the 'Monitoring' tab:


 

  • Click ‘Add'
     


 

Choose monitoring rule - Add an existing monitoring rule to the profile.

  • Start typing the first few letters of a rule name then select from the suggestions.
     
    • If you can’t remember your rule names, click ‘Configuration Templates’ > ‘Data Loss Prevention’
       
  • Repeat the process to add more rules to the profile
     
  • Click 'Add'

The interface shows all monitoring rules you have added:


 

The rules are applied from top to bottom in order – meaning the rules at the top have more priority

  • Select a rule and use 'Move Up' and 'Move Down' buttons to change the order of rules in the list
     
  • Ensure that 'Enable DLP Monitoring' is enabled at the top
  • The rule will take effect on all endpoints on which the profile is active.
     
  • You can view the logs of DLP monitoring events in 'Security Sub-Systems' > 'Data Loss Prevention' > 'Logs'. See View scan results to read more.