Symantec Data Loss Prevention Mobile Email Monitor provides you with the ability to monitor your company's confidential information when it is  ownloaded from your corporate network to the native email client on supported iOS devices. You can create reports outlining sensitive information from emails that are downloaded to the mobile devices. You can also schedule these reports to be sent and received regularly. The reports continuously create a record of sensitive information that is downloaded to mobile devices. If the devices are lost or stolen, you can identify what downloaded emails left your corporation with the devices. You can use the information that Mobile Email Monitor provides you about downloaded content to define mobile security policies for your corporation. Mobile Email Monitor can support your company's Bring Your Own Device (BYOD) policy because it does not require  nstallation of any applications or components on personal mobile devices. In addition, Mobile Email Monitor does not inspect information generated by personal applications installed on mobile devices. The following figure provides an overview of how an email downloaded to a mobile device is monitored when Symantec Data Loss Prevention Mobile Email Monitor is installed in a corporate environment.

Above Figure shows Mobile Email Monitor Overview

Requirements:

A] Microsoft Exchange ActiveSync Server
 

B] Reverse Web proxy - Mobile Email Monitor and Mobile Prevent are both included in the Symantec Data Loss Prevention for Mobile license.

Symantec Data Loss Prevention Mobile Email Monitor compatibility and information :

Symantec Data Loss Prevention Mobile Email Monitor and Microsoft Exchange ActiveSync compatibility

The following lists the Microsoft Exchange ActiveSync versions that are compatible with Symantec Data Loss Prevention Mobile Email Monitor on various devices.

ActiveSync Versions                                           Devices                                                Mail Applications

Microsoft Exchange ActiveSync                             iPad                                                      iOS native email
2007 and 2010

Microsoft Exchange ActiveSync                             iPhone                                                  iOS native email
2007 and 2010

Above details describe Microsoft Exchange ActiveSync versions compatible with by Mobile Email Monitor

 Symantec Data Loss Prevention for Mobile device and operating system compatibility

The following table lists the devices and Operating systems that are compatible with Symantec Data Loss Prevention Mobile Email Monitor.

 Device                                                            Operating Systems

iPhone                                                              iOS
iPad                                                                 iOS

Above details describe Mobile devices and Operating systems and compatible with Mobile Email Monitor

 Symantec Data Loss Prevention Mobile Prevent Compatibility and Information  :

Symantec Data Loss Prevention for Mobile compatibility

The following table lists the iOS applications and response rules that are supported by Mobile Prevent. See the Symantec Data Loss  revention Administration Guide for more information on creating policies and response rules.

Note: Applications for iOS are frequently updated. The following table lists the application versions that have been verified for functionality with Mobile Prevent.

Application                                  Device              Block Response Rule              Content Removal Response Rule

Dropbox version 1.5.6                   ipad/iphone            Yes                                         Yes

Facebook with chat version           ipad/iphone            Yes                                         Yes
5.0.1
Note: Chat feature is not
supported.

Gmail version 1.1                         ipad/iphone             No                                           No
Note: Supported only
for monitoring.

Goodreader version 3.18.6             iPad                       Yes                                        Yes
Note: FTP support only.

ActiveSync (iOS native                  iPad                       Yes                                        Yes
email)
Note: Microsoft Exchange
2003, 2007, and 2010
Support

ActiveSync (iOS native                  iPhone                     Yes                                         No
email)
Note: Microsoft Exchange
2003, 2007, and 2010
Support

Mobile Prevent supports the following Web applications through the Safari Web browser for iPads and iPhones (for iOS versions 4.3.4, 5.0, 5.0.1, 5.1, 5.1.1. 6.0, and 6.0.1). This table also lists the supported type of response rules available for each Web application.

Below description shows Web applications and response rules supported by Mobile Prevent

Application                              Block Response Rule              Content Removal Response Rule

AOL                                             Yes                                                    Yes

Facebook                                     Yes                                                    Yes

Gmail                                            No                                                     No

Windows Live Mail                         Yes                                                    Yes

Yahoo! Mail                                   Yes                                                    Yes

Twitter                                          Yes                                                     No

The following iOS components and applications are not supported in this release of Symantec Data Loss Prevention Mobile Prevent:
i]   SMTP and IMAP messaging
ii]   iCloud functionality
iii]  iTunes wireless synchronization

Note: iTunes synchronization is supported using a USB cable. See the documentation that comes with your mobile device for more information.

iv]  Netflix for iPad application

For more reference please refer my previous article https://www-secure.symantec.com/connect/articles/how-symantec-data-loss-prevention-mobile-works-how-implement.

There are several default accounts created in the SQL Server Database after the installation of the SCSP. You can find these users by logging into the SQL Server Management Studio:

There are four accounts:

• scspdba
• scsp_ops
• scsp_plugin
• scspguest

Here are the introduction about these accounts:

• SCSPDBA

This is the DB owner account used for managing the actual SCSP DB. You provide the password during install. This password is not recorded but you will need to know it when subsequent upgrades are performed.

This account has “owner” privileges and can manipulate all the structures and data in the SCSPDB, but has no privileges with regard to the SQL Server Instance or any other database defined within the instance –- just control over SCSPDB.

It is not used for any operational activities only initial install and upgrades.

• SCSP_OPS

This is the account (and generated password) SCSP creates for the Tomcat Application Server to talk to the SQL Server Database. The credential information is recorded in the server.xml file for the JDBC URL access to the database.

This account can read and write data in SCSPDB but cannot perform any schema changes (ie it cannot create or delete table definitions, stored procedures, etc). There is normally no reason for you to know about this account or the extremely long 40 character password it uses. The server.xml file is protected from read-access by OS ACL’s as well as by SCSP default protection policies for anyone except the Tomcat process. The Database administrator can, after install and access granted, change the password to whatever they want.  

This account is used during all operational SCSP activity but it cannot change the schema, stored procedures, views, etc of the SCSPDB or any other database.

• SCSP_PLUGIN

This is the account (and generated password) SCSP creates for limited access to third-party plugin tools (such as SSIM, ArcSight, others).

This account has read-only access to the SCSP database. If you want to utilize this account, set the password to a known value (using a sysadmin privileged account such as sa) and give this username (scsp_plugin) password information to the plug-in tool for this limited access to the database.

• SCSPGuest

This is optionally created during install if you want to create a READONLY user account that could be used for external ODBC/JDBC access to the SCSPDB data.

This account is only created if you request it.

Hello Guys,

In this article I will show you how to recover Embedded Database password in SEPM 12.1 X version.

1)      Navigate to <Installed drive>:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Php  

2) Take a backup of php.ini file (very important)

3) By default PHP.INI is a read only file. Right click –uncheck read only- Click Ok

4)Open the PHP.INI file in a notepad

5) Set the following properties to on

display_startup_errors = On

log_errors = On

report_memleaks = On

track_errors = On

As shown in the screen

6) Save the file

7) Navigate to <Installed drive>:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Php\Include\Common

8) Take a backup of connectdb.php ( Very important)

9) By default  connectdb.php  is a read only file. Right click –uncheck read only- Click Ok

10) Open in a notepad

11) Look for this line

try {

                    ado_connect($conn_id, $ODBCDSN, $dbuser, $dpwd, $ConnectionTimeout, $CommandTimeout, $dbport, $dbserver,$isWinAuth);

Just add echo  $dpwd  as shown in the screen shot

                 Save the changes close the file

12) Open the odbc connection on 64 bit machine it will be in C:\Windows\SysWOW64\odbcad32.exe on 32 bit it will be in C:\Windows\System32\odbcad32.exe

13) Click on System DSN, Select Symantec endpoint protection DSN , click Configure

14) We need to break the connection by inserting an incorrect dba password. Under the login tab for password just key in any password (ex KingJulien)

14) Click on test connection, it should now say “connection failed, invalid user id or password”

15) Login to SEPM now, you will find the password in the home tab as show.

Once you are done , replace the backed up PHP.INI and Connectdb.php files in the respective location.

You can find this article as an attachement. Images are little smaller in size , feel free to download and Zoom it..

I hope this was helpful, Please do vote if you like it.. :)

 “If you're good at something, never do it for free” – The Joker

1] Symantec Data Loss Prevention Mobile Prevent andserver-side application configuration.

2] Symantec Data Loss Prevention Mobile Prevent and client-side application configuration.

1] Symantec Data Loss Prevention Mobile Prevent andserver-side application configuration :

You must make a few configuration changes to a number of server products. If you do not make these changes, the mobile devices that are connected to the
corporate network might not function properly. The server products that are affected are:

A] Streaming applications

B] Netflix

C] YouTube

D] Gmail

Now we will see one by one how to configure them with symantec DLP mobile prevent.

A] Configuring streaming applications to work with Symantec Data Loss Prevention for Mobile :

To enable some streaming applications, such as Pandora, a proxy server must be configured to redirect network traffic. The proxy server can be  configured to allow communication between the mobile device and the streaming server. This configuration prevents Symantec Data Loss Prevention for Mobile from scanning the streaming data.

Configuring the proxy server to redirect network traffic

1]  Log in to the proxy server.
2]  Create a forwarding rule that includes the URL or IP addresses of the streaming Web sites that you want users to access.
3]  Disable SSL interception in the rule.
4]  Save the rule.

Note : For more information on configuring the proxy server, see the documentation that comes with the proxy server.

B] Netflix streaming with Symantec Data Loss Prevention Mobile Prevent :

Netflix is not supported on a mobile device in a Symantec Data Loss Prevention Mobile Prevent environment. Configuring the proxy server to redirect
communication to the Netflix servers allows Netflix to stream movies to the mobile device. The streaming data is not scanned by Mobile Prevent.

Configuring the proxy server to redirect network traffic

1]  Log in to the proxy server.
2]  If the proxy server is configured for explicit mode, create a forwarding rule for the destination host netflix.
3]  If the proxy server is configured for transparent mode, create a forwarding rule for the destination host amazonaws.com.
4]  Disable SSL interception in the rule.
5]  Save the rule.
If users are restricted from using Netflix to stream videos, the proxy server can be configured to block communication between the proxy server and Netflix. This configuration can be used to increase performance in the corporate network. For more information on configuring the proxy server, see the documentation that comes with the proxy server.

C] YouTube streaming with Symantec Data Loss Prevention Mobile Prevent :

If the proxy server is configured for transparent mode, YouTube videos may not play. To enable YouTube videos on mobile devices connected through a VPN, create a new policy on the proxy server for the YouTube host.
Note: The following procedure is an example of installing a new policy on a Blue Coat proxy server. See the documentation for your proxy server for more
information on how to create a policy.

Configuring the proxy server for YouTube

1] Log in to the proxy server as an administrator.
2] Click Configuration > Policy > Policy Files.
3] From the Install Local Policy from list menu, click Text Editor.

4] In the field provided, enter the following:

define condition YouTubeRangeRequests
url.domain="YouTube.com"
end condition YouTubeRangeRequests
<Proxy>
request.header.Range="bytes" condition=YouTubeRangeRequests
bypass_cache(yes)

5] Click Apply to save the policy.

D] Configuring Gmail on iPads or iPhones with Symantec Data Loss Prevention Mobile Prevent :

Symantec Data Loss Prevention for Mobile can use notification and block response rules when an email is sent that violates a policy. To use the block response rule, an iOS device is configured to use Gmail-based email through the Google Sync server. The user must use the native iOS Mail application to send their emails instead of using the Gmail mail application. If a user sends emails with the Gmail application, only the notification response rule can be used when an email violates a policy.

Note: Symantec Data Loss Prevention for Mobile does not support block response rules for any emails that are sent using the Gmail application on iOS mobile devices. The Gmail application might become unusable if the application is used to send an email that gets blocked by the Mobile Prevent Server. To correct this problem, remove the response rule to block the emails and then reinstall the Gmail application on the mobile device.

To configure Gmail with the native iOS Mail application, complete the following

steps.
1] From the Home screen, tap Settings.
2] Tap Mail, Contacts, Calendars > Add Account > Microsoft Exchange.

Note: Do not use the Gmail account that is displayed in the list of account types.

3] Enter the following information into the fields provided.

Email                         =                      username@gmail.com
Server                       =                      m.google.com
Domain                      =                     gmail.com (Optional)
Username                  =                     user name
Password                   =                      password

4] Tap Next > Save to save the account.

The user can now use the native iOS Mail application on their mobile device to send and receive emails from their Gmail account. The Mobile Prevent  erver can monitor and generate notification or block response rules when an email containing sensitive data is detected.

2] Symantec Data Loss Prevention Mobile Prevent and server-side application configuration :

Some applications might require changes to their settings to allow them to function properly in the Symantec Data Loss Prevention for Mobile environment. If you do not make these changes the applications may not function properly. The known applications that are affected are:

A] iOS updates.

B] Twitter

A] Configuring iOS updates to work with Symantec Data Loss PreventionMobile Prevent :

An iOS-based mobile device that is configured for VPN connectivity must perform any iOS updates while connected to the corporate network. Disabling the VPN connection and updating the iOS operating system might cause the update to fail.

B] Using Twitter with Symantec Data Loss Prevention Mobile Prevent :

Users who send messages with Twitter might receive an authorization error after a message is sent. When the error occurs, the message is not sent or has had content removed due to content that violates a policy. The message creates an incident on the Symantec Data Loss Prevention Enforce Server. The user can continue to use Twitter to send messages.

Hello Everyone,

It's a very common practice for System administrators to disconnect the active session and reconnect it using 'mstsc' command. By doing this many sessions can get activated in the background. It happens especially when there are couple of administrators for single server.

It may happen if another Symantec Endpoint Protection Manager(SEPM) session is running in the background & you attempted to perform SEPM upgrade in that case may get the following error message.

"The installation cannot finish because it detected that one or more SEPM apps were running"

OR

Even can get following error message "To install the Symantec Endpoint Protection Manager from a remote desktop connection, the remote desktop connection must be session 0. You are currently running a differernt session. You can change you current session to session 0".

Check the screenshot for more details

If System rebooted all the active sessions will be disconnected but it's not a practical solution if it's a critical server.

It can be a better solution to logoff that session

Check this screenshot for more reference.

You should connect to the '0' session to continue with the upgrade process.

To connect '0' session go to the Task Manager and select 'Users' tab.

In the following screenshot two active sessions are listed with the Server.

In the 'Users' tab all the active connections will be listed.

Right click on ID-0 and click on Connect.

It will connect to the

Right click on another sessions & select logoff to close all the active sessions.

Sometime it may happen session 0 is not available, in that case you need to initiate a new session

Go to the start --> Run --> Type 'mstsc /admin' it will take you to the 0 session.

Please note that in Windows Server 2003, you can start the RDC client (Mstsc.exe) by using the /console or /admin switch to remotely connect to the physical console session on the server (also known as session ID=0). However, in Windows Server 2008 or Windows Server 2008 R2, the /console switch has been deprecated. In Windows Server 2008 and Windows Server 2008 R2, session 0 is a non-interactive session that is reserved for services.
For more information, please visit the following Microsoft article:  http://support.microsoft.com/kb/947723

Screenshot for the reference:

You can use the new /admin switch to remotely connect to a Windows Server 2008-based server for administrative purposes. The /admin switch is introduced in RDC 6.1. RDC 6.1 is included in the following operating systems:

• Windows Server 2008
• Windows Server 2008 R2
• Windows Vista Service Pack 1 (SP1)
• Windows XP Service Pack 3 (SP3)

Also can verify sesion 0 using command prompt.

To ensure you are on the console (Session ID=0) of the server, please run the command "query session" from a Command Prompt. 

If anyone faced error message similar to "Symantec Endpoint Protection Manager upgrade rolls back: "SESM CA: files still locked...sleeping 1 second"

In that case also customer can refer the steps suggested above or can refer the Symantec KB also.

http://www.symantec.com/docs/TECH142215

I hope it's informative.

1] Incident Archiving :

Incident archiving lets you flag specified incidents as "archived." Because these archived incidents are excluded from normal incident reporting, you can improve the reporting performance of your Symantec Data Loss Prevention deployment by archiving any incidents that are no longer relevant. The archived incidents remain in the database; they are not moved to another table, database, or other type of offline storage.

You can set filters on incident reports in the Enforce Server administration console to display only archived incidents or to display both archived and non-archived incidents. Using these reports, you can flag one or more incidents as archived by using the Archive options that are available when you select one or more incidents and click the Incident Actions button. The Archive options are:

i] Archive Incidents - Flags the selected incidents as archived.

ii] Restore Incidents - Restores the selected incidents to the non-archived state.

iii] Do Not Archive - Prevents the selected incidents from being archived.

iv] Allow Archive - Allows the selected incidents to be archived.

The archive state of an incident displays in the incident snapshot screen in the Enforce Server administration console. The History tab of the incident snapshot includes an entry for each time the Do Not Archive or Allow Archive flags are set for the incident.

Access to archiving functionality is controlled by roles. You can set the following user privileges on a role to control access:

i] Archive Incidents - Grants permission for a user to archive incidents.

ii] Restore Archive Incidents - Grants permission for a user to restore archived incidents.

iii] Remediate Incidents - Grants permission for a user to set the Do Not Archive or Allow Archive flags.

2] To archive incidents :

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the incidents you want to archive, either by selecting the incidents manually or by setting filters or advanced filters to return the set of

    incidents that you want to archive.
C] Click the Incident Actions button and select Archive > Archive Incidents.The selected incidents are archived.

3] Restoring archived incidents :

To restore archived incidents

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the Advanced Filters & Summarization link.
C] Click the Add filter button.
D] Select Is Archived in the first drop-down list.
E] Select Show Archived from the second drop-down list.
F] Select the incidents you want to restore, either by selecting incidents manually or by setting filters or advanced filters to return the set of incidents you  want to restore.

The selected incidents are restored.

4] Preventing incidents from being archived :

You can prevent incidents from being archived using either an incident report or an incident snapshot.

To prevent incidents from being archived using an incident report.

A] Open the Enforce Server administration console and navigate to an incident report.
B] Select the incidents you want to prevent from being archived. You can select incidents manually or by setting filters or advanced filters to return the set of incidents you want to prevent from being archived.
C] Click the Incident Actions button and select Archive > Do Not Archive.
The selected incidents are prevented from being archived.

Note:  You can allow incidents to be archived that you have prevented from being archived by selecting the incidents and then selecting Archive > Allow Archive from the Incident Actions button.
 

To prevent an incident from being archived using the incident snapshot.

A] Open the Enforce Server administration console and navigate to an incident report.
B] Click on an incident to open the incident snapshot.
C] On the Key Info tab, in the Incident Details section, click Do Not Archive.

Note:  You can allow an incident to be archived that you have prevented from being archived by opening the incident snapshot and then clicking Allow Archive in the Incident Details section.

5] Deleting archived incidents :

To delete archived incidents

A] Open the Enforce Server administration console and navigate to an incident report.
B] Click the Advanced Filters & Summarization link.
C] Click Add filter.
D] Select Is Archived in the first drop-down list.
E] Select Show Archived from the second drop-down list.
F] Select the incidents you want to delete. You can select the incidents manually or you can set filters or advanced filters that return the set of incidents you want to delete.
G] Click the Incident Actions button and select Delete incidents.
H] Select one of the following delete options:

i] Delete incident completely -  Permanently deletes the incident(s) and all associated data (for example, any emails and attachments). Note that you cannot recover the incidents that have been deleted.
 
ii] Retain incident, but delete message data -  Retains the actual incident(s) but discards the Symantec Data Loss Prevention copy of the data that triggered the incident(s). You have the option of deleting only certain parts of the associated data. The rest of the data is preserved.
 
iii] Delete Original Message -  Deletes the message content (for example, the email message or HTML post). This option applies only to Network incidents.
 
iv] Delete Attachments/Files -  This option refers to files (for Endpoint and Discover incidents) or email or posting attachments (for Network incidents). The options are All, which deletes all attachments, and Attachments with no violations. For example, choose this option to delete files (for Endpoint and Discover incidents) or email attachments (for Network incidents).

This option deletes only those attachments in which Symantec Data Loss Prevention found no matches. For example, choose this option when you have incidents with individual files taken from a compressed file (Endpoint and Discover incidents) or several email attachments (Network incidents).
 

I] Click the Delete button.

Exact Data Matching (EDM) detects content you want to protect that is stored in structured or tabular format. For example, you can use EDM to detect confidential customer information from a database. Or, you can use EDM to detect sensitive financial information from a spreadsheet.

To implement EDM, you identify the structured data you want to protect. You index the data source using the Enforce Server administration console. During the indexing process, the system fingerprints the data by accessing and extracting the text-based content, normalizing it, and securing it using a nonreversible hash. For precise continuous detection, you can schedule indexing on a regular basis so the data is always current. You configure the Content Matches Exact Data From policy detection rule to match individual pieces of the profiled data. For increased accuracy you can configure the rule to match combinations of data fields from a particular record. Once the data source is indexed and the policy is deployed, the detection engine can detect the data in structured or unstructured format.

Consider the following example.

Your company maintains an employee database that contains five columns:

First Name

Last Name

SSN

Date of Hire

Salary

Each row in the database contains information for one employee. You export the records to a data source file. Each record is on a separate line. A comma, tab, or pipe character delimits each data item. For example, one row in the data source file contains Bob,Smith,123-45-6789,05/26/99,$42500. You index the data source file and create an Exact Data Profile. When you configure the profile, you map the data elements (columns) you want to protect. You then configure the EDM policy rule that references the Exact Data Profile. In this example, the rule matches if a message contains the First Name, Last Name, and SSN together. At runtime, the detection engine reports an incident if it detects "Raj, Malhotra, 333-65-7841" in any inbound message. But, a message containing "Sam, Malhotra, 333-65-7841" does not match because that record is not in the profile. A message that contains "Raj, Malhotra, 625-111-7545" also does not match because the number is not the social security number.

To detect data exactly, Symantec Data Loss Prevention requires a special indexed version of the data. An index is a secure file (or set of files). It contains hashes of the exact data values from each field in your data source, along with information about those data values. The index does not contain the data values themselves, so it is secure.

Indexes consist of one or more secure, binary .rdx files, each with space to fit into random access memory (RAM) on the detection server(s). For a large data source file, Symantec Data Loss Prevention may break the data into several .rdx files. In production, the system converts input content into hashed data values using the same algorithm it employs for indexes. It then compares data values from input content to those in the appropriate .rdx files, identifying matches.

By default, Symantec Data Loss Prevention stores index files in C:\Vontu\Protect\index (on Windows) or in /var/Vontu/index (on Linux) on the Enforce Server and on all detection servers. When the policy is active, Symantec Data Loss Prevention deploys the index to the detection server and the detection server loads the index into RAM.

Implementing Exact Data Matching :
 

To implement EDM, you create the Exact Data Profile, index the data source, and define one or more EDM detection rules to match the profiled data exactly.

Procedure Step 1 : Create the data source file:
 

A] Export the source data from the database (or other data repository) to a tabular text file.

About Data Owner Exception:

The data owner exception (DOE) feature enables data owners to send or receive their own data the system would otherwise prevent from delivery or receipt.

To implement the data owner exception feature, you must include either or both of the following fields in your data source file:

Email address

Domain address

Note: To implement DOE and except data owners from detection, you must explicitly include each user's email address or domain address in the Data Profile. Each expected domain (for example, symantec.com) must be explicitly added to the Data Profile. The system does not automatically match on subdomains (for example, fileconnect.symantec.com). Each subdomain must be explicitly added to the Data Profile.
 

Once you have configured the Exact Data Profile that includes either of these data elements, you can flag either field as the data owner. At runtime if the sender or recipient of the data is the owner, the condition does not trigger a match. The result is that the data is delivered or received.

If you previously implemented DOE manually using configuration files, you must reconfigure these exceptions to run on the latest Enforce Server.

B] If you want to except data owners from matching, you need to include specific data items in the data source file.

About implementing profiled Directory Group Matching :

Symantec Data Loss Prevention lets you detect the exact identities of data users, message senders, and recipients based on a profiled directory server or database.

Symantec Data Loss Prevention provides two static Directory Group Matching methods. Both methods require the use of an Exact Data Profile with specific data fields.

i) Sender/User Matches Directory From Exact Data Profile :

Group-related attributes may include an IP address, email, Windows user name, business unit, department, manager, title, employment status. Other attributes may be whether that employee has provided consent to be monitored, or whether the employee has access to sensitive information.
 

ii) For the Recipient Matches Directory From Exact Data Profile :
 

You can index a list of recipients email addresses and author policies based on this indexed data. For example, you can write a detection rule that requires the message sender to be from the customer service department to violate the policy. Or, you could write a detection exception that is not violated if the recipient of an email is on an approved list.

C] If you want to match identities for profiled Directory Group Matching (DGM), you need to include specific data items in the data source files. :

Procedure Step 2 : Prepare the data source file for indexing :
 

Remove irregularities from the data source file.

Preparing the exact data source file for indexing:

Once you create the exact data source file, you must prepare it so that you can efficiently index the data you want to protect.

When you index an exact data profile, the Enforce Server keeps track of empty cells and any misplaced data which count as errors. For example, an error may be a name that appears in a column for phone numbers. Errors can constitute a certain percentage of the data in the profile (five percent, by default). If this default error threshold is met, Symantec Data Loss Prevention stops indexing. It then displays an error to warn you that your data may be unorganized or corrupt. Symantec Data Loss Prevention checks for errors only if the data source has at least a thousand rows.

To prepare the exact data source for efficient EDM indexing:

A] Make sure that the data source file is formatted as follows:

i)If the data source has more than 200,000 rows, verify that it has at least two columns of data. One of the columns should contain reasonably distinct values. For example, credit card numbers, driver's license numbers, or account numbers (as opposed to first and last names, which are relatively generic).

ii) Verify that you have delimited the data source using commas, tabs, or pipes ( | ). If the data source uses commas as delimiters, remove any commas that do not serve as delimiters. For example, if a value in the address column is 346 Guerrero St., Apt. 2, delete the comma after Guerrero St.

Note: The pound sign (#), equals sign (=), plus sign (+), semicolon (;) and colon (:) characters are also treated as separators.
 

iii) Verify that data values are not enclosed in quotes.

iv) Remove single-character and abbreviated data values from the data source. (For example, remove the column name and all values for a column in which the possible values are Y and N.) Optionally, remove any columns that contain numeric values with less that five digits, as these can cause false positives in production.

v) Verify that numbers, such as credit card or social security, are delimited internally by dashes, or spaces, or none at all. Make sure that you do not use a data-field delimiter (for example, a comma) as an internal delimiter in any such numbers; for example: 123-45-6789, or 123 45 6789, or 123456789, but not 123,45,6789.

vi) Eliminate duplicate records, which can cause duplicate matches in production.

vii) Eliminate spaces in data values by separating the data into two or more fields. For example, the name Joe Brown, may appear in input content with the middle name or initial; for example: Joe R Brown, Joe R. Brown, or Joe Robert Brown. If the value Joe Brown appears in a single field in your data source, Symantec Data Loss Prevention detects only the literal string Joe Brown. It does not detect other variants of the name. To ensure that the system detects name variants, divide the name into two fields: a first-name field and a last-name field. You may also want to remove any relatively unimportant text that is separated by a space. For example, for a data value of Mary Jo, you may want to remove Jo entirely. In addition, some data values with inherent spacing, such as San Francisco and New York, may not be critical to your matching criteria, and therefore can be left as they are.

viii) Eliminate duplicate records, which can cause duplicate incidents in production.

ix) Do not index common values. EDM works best with values that are unique. You need to think about the data you want to index (and thus protect). Is this data truly valuable? If the value is something common, it is not be useful as an EDM value. For example, suppose you want to look for "states." Since there are only 50 states, if your exact data profile has 300,000 rows, the result is a lot of duplicates of common values. Symantec Data Loss Prevention indexes all values in the exact data profile, regardless of if the data is used in a policy or not. It is good practice to use values that are less common and preferably unique to get the best results with EDM.

B] Once you have prepared the exact data source file, proceed with the next step in the EDM process: load the exact data source file to the Enforce Server for profiling the data you want to protect.

Procedure Step 3 : Upload the data source file to the Enforce Server:
 

You can copy or upload the data source file to the Enforce Server, or access it remotely.

Uploading exact data source files to the Enforce Server :
After you have prepared the data source file for indexing, load it to the Enforce Server so the data source can be indexed.

Listed here are the three options you have for making the data source file available to the Enforce Server. Consult with your database administrator to determine the best method for your needs.

To make the data source available to the Enforce Server :

A] If you have a large data source file (over 50 MB), copy it to the "datafiles" directory on the host where Enforce is installed.
i) On Windows this directory is located at DLP_home\Protect\datafiles (for example, C:\Vontu\Protect\datafiles).

ii) On Linux this directory is located at /var/Vontu/datafiles.

This option is convenient because it makes the data file available by reference by a drop-down list during configuration of the Exact Data Profile. If it is a large file, use a third-party solution (such as Secure FTP) to transfer the data source file to the Enforce Server.

Note: Ensure that the Enforce user (usually called "protect") has modify permissions (on Windows) or rw permissions (on Linux) for all files in the "datafiles" directory.
 

B] If you have a smaller data source file (less than 50 MB), upload the data source file to the Enforce Server using the Enforce Server administration console (Web interface). When creating the Exact Data Profile, you can specify the file path or browse to the directory and upload the data source file.
Note: Due to browser capacity limits, the maximum file size that you can upload is 2 GB. However, uploading any file over 50 MB is not recommended since files over this size can take a long time to upload. If your data source file is over 50 MB, consider copying the data source file to the "datafiles" directory using the first option.
 

C] In some environments it may not be secure or feasible to copy or upload the data source file to the Enforce Server. In this situation you can index the data source remotely using the Remote EDM Indexer Utility.

The Remote EDM Indexer is a utility that converts a comma-separated value, or tab-delimited, data file to an Exact Data Matching index. The utility is similar to the local EDM Indexer used by the Enforce Server. However, the Remote EDM Indexer is designed for use on a computer that is not part of the Symantec Data Loss Prevention server configuration.

Using the Remote EDM Indexer to index a data source on a remote machine has the following advantages over using the EDM Indexer on the Enforce Server:

It enables the owner of the data, rather than the Symantec Data Loss Prevention administrator, to index the data.

It shifts the system load that is required for indexing onto another computer. The CPU and RAM on the Enforce Server is reserved for other tasks.

The SQL Preindexer is often used with the Remote EDM Indexer. The SQL Preindexer is used to run SQL queries against SQL databases and pass the resulting data to the Remote EDM Indexer.

This utility lets you index an exact data source on a computer other than the Enforce Server host. This feature is useful when you do not want to copy the data source file to the same machine as the Enforce Server. As an example, consider a situation where the originating department wants to avoid the security risk of copying the data to an extra-departmental host. In this case you can use the Remote EDM Indexer.

D] Proceed with the next step in the EDM process: configuring the Exact Data Profile and indexing the data source.

Procedure Step 4 : Create an Exact Data Profile:
 

The Exact Data Profile specifies the data source, the indexing parameters, and the indexing schedule.

The Manage > Data Profiles > Exact Data > Add Exact Data Profile screen is the home page for managing and adding Exact Data Profiles. An Exact Data Profile is required to implement an instance of the Content Matches Exact Data detection rule.

An Exact Data Profile specifies the data source, the indexing parameters, and the indexing schedule. Once you have created the EDM profile, you index the data source and configure one or more detection rules to use the profile and detect exact content matches.

Procedure Step 5 : Map the data fields.
 

You map the source data fields to system or custom data types that the system validates. For example, a social security number data field needs to be nine digits.

Column headings in your data source are useful for visual reference. However, they do not tell Symantec Data Loss Prevention what kind of data the columns contain. You use the Field Mappings section of the Add Exact Data Profile screen to specify mappings between fields in your data source. You can also use this screen to specify fields that Symantec Data Loss Prevention recognizes in its policy templates. The Field Mappings section also gives you advanced options for specifying custom fields.

Consider the following example use of field mappings. Your company wants to protect employee data, including employee social security numbers. You create a policy based on the Employee Data Protection template. The policy requires an exact data index with fields for social security numbers and other employee data. Prepare your data source and then create an exact data profile. Specify that the social security number field in the data source maps to the "Social Security Number" system field of the policy template.

After you have added and configured the data source file and settings, the Manage > Data Profiles > Exact Data > Add Exact Data Profile screen lets you map the fields from the data source file to the Exact Data Profile you are configuring.

To enable error checking on a field in a data source or to use the index with a policy template that uses a system field, you must map the field in the data source to the system field. The Field Mappings section lets you map the columns in the original data source to system fields in the Exact Data Profile.

Procedure Step 6 : Index the data source, or schedule indexing:
 

When you configure an Exact Data Profile, you can set a schedule for indexing the data source.

Before you set up a schedule, consider the following:

If you update your data sources occasionally (for example, less than once a month), there is no need to create a schedule. Index the data each time you update the data source.

Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss Prevention system, and large data sources can take time to index.

Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 A.M. you update the data source. In this case you should schedule indexing every Wednesday at 3:00 A.M. Do not index data sources daily as this can degrade performance.

Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely updates, for example, schedule more frequent data updates and indexing.

Scheduling Exact Data Profile indexing:

When you configure an Exact Data Profile, you can set a schedule for indexing the data source (Submit Indexing on Job Schedule).

Before you set up a schedule, consider the following recommendations:

If you update your data sources occasionally (for example, less than once a month), there is no need to create a schedule. Index the data each time you update the data source.

Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss Prevention system, and large data sources can take time to index.

Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 A.M. you update the data source. In this case you should schedule indexing every Wednesday at 3:00 A.M. Do not index data sources daily as this can degrade performance.

Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely updates, for example, schedule more frequent data updates and indexing.

The Indexing section lets you index the Exact Data Profile as soon as you save it (recommended) or on a regular schedule as follows:

Procedure Step 7 : Configure and tune one or more EDM detection conditions :
 

Once you have defined the Exact Data Profile and indexed the data source, you configure one or more Content Matches Exact Data conditions in policy detection rules. The EDM condition is not available for policy exceptions.

By adjusting the EDM.MatchCountVariant setting for the detection server, you can configure how EDM matches are counted.

As an example, consider a database profile with the following three records:

Kathy, Stevens, 123-45-6789, 1111-1111-1111-1111

Kathy, Stevens, 123-45-6789, 2222-2222-2222-2222

Kathy, Stevens, 123-45-6789, 3333-3333-3333-3333

If the policy rule is set up to match any 3 of 4 and someone sends a message with the following line:

Kathy, Stevens, 123-45-6789

The matches are counted as follows:

EDM.MatchCountVariant=1: 3 (number of database profile records matched)

EDM.MatchCountVariant=2: 1 (number of unique token sets matched)

EDM.MatchCountVariant=3: 1 (number of inclusive token sets matched)

If someone sends a message with the following 2 lines:

Kathy, Stevens, 123-45-6789, 1111-1111-1111-1111

Kathy, Stevens, 123-45-6789

The matches will be counted as follows:

EDM.MatchCountVariant=1: 3 (number of database profile records matched)

EDM.MatchCountVariant=2: 2 (number of unique token sets matched)

EDM.MatchCountVariant=3: 1 (number of inclusive token sets matched, the first token set includes the second one).

Dear All,

Please follow the below instruction as I integrated DLP 12.0.1 with RSA envison for syslog.

Configure Symantec DLP

To configure Symantec DLP to work with the enVision appliance, you must complete the following
tasks:

1. Configure System Events
2. Configure Response Rules
3. Enable Rules

Configure System Events

To configure system events:

1.  On your Vontu system, depending on your operating system, choose one of the following:

         For Windows, change directories to \Vontu\Protect\config.
         For Linux, change directories to /opt/Vontu/Protect/config.

2. Open Manager.properties in a text editor.

3. Remove the number sign (#) from the line, #systemevent.syslog.host=, and then enter the
hostname or IP address of your enVision appliance.

4. Remove the # from the line, #systemevent.syslog.port=, and then type 514.

5. Remove the # from the line, #systemevent.syslog.format= [{0}] {1} - {2}.

6. Save and close the file.

7. Restart the Vontu server.

Configure Response Rules: Refer attached snapshot- response rule.jpg

To configure response rules:
1. Log on to the Symantec DLP user interface.
2. Click Policies > Response Rules > Add Response Rule.
3. Select Automated Response.
4. Click Next.
5. In the Configure Response Rule window, complete the fields as follows.
 

Field Action

Rule Name : Enter a rule name.
Description : Enter a description for the rule name.
6. From the Action drop-down list, select All: Log to a Syslog Server.
7. Click Add Action.
8. Complete the fields as follows.

Field Action

Host Enter the IP address of your enVision appliance.
Port Type 514.

Message Type:

$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^
$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^
$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^
$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$

* Important: This is one continuous entry. Do not add spaces or hyphens.

Level Select 4.

9. Click Save.

Enable Rules

To enable rules: refer the attached screenshot - Policy response.JPG

1. Click Policies > Policy List.
2. Select a policy that you want to report on.
3. Click the Response tab.
4. From the drop-down list, select the rule you created in the previous task.
5. Click Add Response Rule.

Example of created Response Rule:

Find the attached snapshot

$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$

This document describes the creation of a maintenance plan for system and SEP (Sem5) databases of SQL Server 2008. This plan is made of simple tasks that do not impact the operation of the databases. These activities aim at increase the performance of SQL Server 2008 and improve functioning and health of the database of Symantec Endpoint Protection Manager. All the configurations above were done in a windows 2008 R2 Enterprise server.

Software installed:

Microsoft windows 2008 R2 Enterprise 64 bits

Microsoft SQL server 2008 R2 64 bits

Hardware used:

1x itautec – intel Blade server

4x CPU Xeon 3.0

16 Gb RAM

2x 70 Gb Hard Disk

Environment:

5 x SEPM - version 11 RU6 MP3

1x SQL server 2008

1x LUA server

~45.000 clients

To create a maintenance plan we must access the SQL Server 2008,

1 - Open the console SQL Server Management Studio;

2 - Select the database engine and log on with SA account or administrator configured at installation time;

3 - After logging in, expand the instance of SQL Server installed.
4 - Click Maintenanceà Management plans;
5 - Right click on Maintenance Plans and Run the wizard (Maintenance Plan Wizard) to create a new maintenance plan;

NOTE: It is important to confirm that the SQL Server Agent service is running.

When creating the maintenance plan it is recommended to create separate tasks within the plan, because each one has a specific implementation schedule and customization within the plan.
These are the Maintenance tasks to be created:

1 - Check Database Integrity:

Run Health Check Database (Database Integrity Check) to verify the allocation and structural integrity of users, system tables, and indexes in the database. Performing this task ensures that any problems with the integrity of the database are reported, allowing them to be addressed later by a system administrator or database owner.

It is suggested to check the integrity of databases (System and SEP) daily:

2 - Shrink Database:

Use the Shrink Database Task dialog to create a task that attempts to reduce the size of the selected databases. Each file within a database can be reduced to remove unused pages. Although the mechanism of the database will reuse the space effectively, there are times when a file need not be as great as it was before, shrinking the file may then become necessary. Both data and transaction log files can be reduced, or shrunk. The database files can be shrunk manually, either in groups or individually, or the database can be configured to automatically reduce at specific intervals. It is suggested to shrink the SEP database once a week.
NOTE: Do not change the default information in this task.

3 - Reorganize Index:

SQL Server automatically maintains indexes whenever insert, update or delete is made ​​to the data in your tables. Over time these changes can cause the information in the index to become scattered in the database (fragmented). Fragmentation exists when indexes have pages in which the logical order, based on the key value does not match the physical order of data within the file. Very fragmented indexes can degrade query performance and cause your application to respond more slowly.

It is recommended to reorganize the index of the SEP database (Sem5) daily:

4 - Update Statistics:

Updates information about the distribution of key values for one or more statistics groups (collections) in the specified table or indexed view. Update statistics occur in tables or indexed views ensuring that queries to compile updated statistics. However, the statistics update causes the query to be recompiled.
It is recommended to update statistics on SEP database daily.

5 - Clean up History

The History Cleanup task is a weekly routine, and the volume of data stored in the history is suggested by the client or the database administrator. In this case the data older than four weeks will be deleted promptly set the date and time on task:

 6 - Backup full database

This is the most important task to be performed in SQL Server. At this point we will make a full backup of system databases and the SEP (Sem5) daily. There are several options to be customized in this task (check integrity, backup compression...). In this task we will simply perform a full backup of the databases in a .Bak file extension for each database:

7 - Cleanup Database Backup:

This task will be a customized routine to clean old backups on the server. It will depend on your backup and storage plan. In This case we decided to clean daily the files older than two days in the server:

8 - Memory Limit

After the creation of these tasks, it is suggested to make an adjustment of the maximum memory that the SQL service can consume. In this case it is recommended the reservation of approximately 20 to 30% of the total RAM for the OS and the rest to SQL. This setting is important because after starting the SQL service, it will consume gradually the memory of the host until its maximum value. In this example the field was set max server memory value to 13000 MB maximum memory that the SQL service can consume:

9 - Notifications - DatabaseMail

It is suggested to configure DatabaseMail to send notifications via e-mail or pager to the administrators. To reach this configuration it is necessary to first setup an account operator to send messages.

To configure an operator account:
1 - In SQL Management Studio, click SQL Server Agent à Operators;
2 - Select New operator and enter the required information;

After setting up the account operator you must setup the DatabaseMail:

1 - In SQL Management Studio, click  Configure Database Mailà Database Mail;
2 - Follow the steps to configure the SMTP server and the account operator who will perform the sending of the alerts;
3 - After this configuration, test the alerts using the option Send test e-mail;

References - Symantec:

http://www.symantec.com/business/support/index?page=content&id=TECH122397&locale=en_US

References - Microsoft:

http://msdn.microsoft.com/en-us/library/ms186524 SQL.90 =% 28v% 29.aspx

http://msdn.microsoft.com/en-us/library/ms187348.aspx

http://msdn.microsoft.com/en-us/library/ms189080.aspx

http://msdn.microsoft.com/en-us/library/ms179349.aspx

http://msdn.microsoft.com/en-us/library/ms180226.aspx

http://msdn.microsoft.com/en-us/library/ms183383.aspx

http://msdn.microsoft.com/en-us/library/ms177182.aspx

Symante Critical System Protection (CSP) provides policy-based behavior control and detection for server and desktop computers. Symantec Critical System Protection provides a flexible computer security solution that controls application behavior, blocks port traffic, and provides host-based intrusion prevention and detection.

Symantec Critical System Protection agents control behavior by allowing and preventing specific actions that an application or user might take. For example, a Symantec Critical System Protection prevention policy can specify that an email application may not spawn other processes, including dangerous processes like viruses, worms, and Trojan horses. The email application can still read and write to the directories that it needs to access.

Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and Windows registry settings. For example, a Symantec Critical System Protection detection policy can specify to monitor the Windows registry keys that the Welchia worm changes during infection and send an alert. As a result, Windows registry security-related events can be put into context and appropriate measures taken.

We will give the introduction of some use cases of CSP. The first and the simplest one is file watch.

Here are the configuration steps:

1. From the CSP management console, make a copy of this IDS policy: Windows_Baseline_Detection

2. Open to edit this new policy, and select 'My Custom Rules':

3. Click the + button to add a new custom control:

4. From the category list, select 'File Watch':

5. Click the + to edit the custom control:

6. Select to enable 'File Watch Rule Options':

7. Click the 'Edit' of the 'File Watch Rule Options', then input the name of the rule:

8. Select to enable 'Files to watch':

9. Click the 'Edit' of the 'Files to watch', then click 'Add':

10. Input the name of the folders or the files that you want to watch/monitor:

11. Select to enable the option of 'Monitor file creation', 'Monitor file deletion' or 'Monitor file access':

12. Save this policy:

13. Right click this saved policy, and select 'Apply' to apply this policy to the target agent:

14. Check out that the target agent/asset has received this policy:

15. If the use on the agent access the folders or files, the audit log will be find out on the Monitors tab of CSP management console:

The LDAP Lookup Plugin pulls data from a live LDAP system (such as Microsoft Active Directory, Novell LDAP, Oracle LDAP (formerly Sun ONE), or IBM LDAP). It then uses that data to populate custom attributes for an incident at the time the incident is generated.

The LDAP Lookup Plugin receives a group of lookup parameters that contain data about an incident from the Enforce Server. These lookup parameters are then used in LDAP queries to pull data out of an existing LDAP directory. For example, the value of the sender-email lookup parameter might be compared to the values in the email attribute of the directory. If the sender-email lookup parameter contains account@financecompany.com, a query can be constructed to search for a record whose email attribute contains account@financecompany.com. Data in the record that the search returns is inserted into the custom attributes for the incident.

To configure one or more LDAP Lookup Plugins, need to follow the below procedure steps.

Procedure Step 1 : Create custom attributes :

Configuring custom attributes

Use the Configure Custom Attribute screen to add or modify the a custom attribute.

Custom attributes can be grouped into attribute groups, similar to how statuses are grouped into status groups, to organize the information in a useful way. Examples of common attribute groups include Employee Information, Manager Information, and Remediation Information. All custom attributes are available for all incidents.

To create custom attributes and add them to a group :

i] On the Enforce Server, click System > Incident Data > Attributes > Custom Attributes. Note that a number of custom attributes were defined and loaded for you by the Solution Pack that you selected during installation. All existing custom attributes are listed in the Custom Attributes window.
ii] To create a new custom attribute, click the Add option.
iii] Type a name for the custom attribute in the Name box. If appropriate, check the Is Email Address box.
The name you give to a custom attribute does not matter. But a custom attribute you create must be structured the same as the corresponding external data source. For example, suppose an external source stores department information as separate geographic location and department name. In this case, you must create corresponding location and department name custom attributes. You cannot create a single department ID custom attribute combining both the location and the department name.

iv] Select an attribute group from the Attribute Group drop-down list. If necessary, create a new attribute group. Select Create New Attribute Group from the drop-down list, and type the new group name in the text box that appears.
v] Click the Save option.
vi] Generate a new incident, or view an existing incident, and verify that it contains the new custom attribute.
Once you define your custom attributes, they become available to every incident. Each incident receives its own set of custom attributes (though some name-value pairs may be empty depending on circumstances). The custom attribute values for an incident can be populated and changed independently of other incidents.

You can edit the custom attribute values if you have been assigned to a role that includes edit access for custom attributes. If you want to update a group of incidents, you can select those incidents on the incident list page. You can then select the Set Attributes command from the Incident Actions menu. You can select Lookup Attributes, to look up the values of custom attributes. Note that the Set Attributes command and Attributes section on the Incident Snapshot page are available only if at least one custom attribute is defined.

 Procedure Step 2 : Configure a connection to the LDAP server :

A] A functioning connection to an LDAP server must be available.

B] The connection to the LDAP server can be configured from the link in the LDAP Lookup Plugin.

A] A functioning connection to an LDAP server must be available.

Requirements for LDAP server connections

The following conditions must be met for Symantec Data Loss Prevention to establish a connection with an LDAP directory:

The LDAP directory must be running on a host that is accessible to the Enforce Server.

There must be an LDAP account that the Symantec Data Loss Prevention can use. This account must have read-only access. You must know the user name and password of the account.

You must know the Fully Qualified Domain Name (FQN) of the LDAP server (the IP address cannot be used).

You must know the port on the LDAP server which the Enforce Server uses to communicate with the LDAP server. The default is 389.

You can use an LDAP lookup tool such as Softerra LDAP Browser to confirm that you have the correct credentials to connect to the LDAP server. Also confirm that you have the right fields defined to populate your custom attributes.

B] The connection to the LDAP server can be configured from the link in the LDAP Lookup Plugin.

Configuring directory server connections
The System > Settings > Group Directories > Configure Directory Connection is the home page for configuring directory server connections.

To create q directory connection

1. Click Create New Connection.
2. Enter a Name for the directory server connection.
3. Specify the Network Parameters for the directory server connection..
4. Specify the Authentication mode for connecting to the directory server.
5. Click Test Connection to verify the connection.

   If there is anything wrong with the connection, the system displays an error message describing the problem.

6. Click Save to save the direction connection configuration.
7. Verify that the directory server is indexed in the Index and Replication Status tab.

   After you successfully create, test, and save the directory server connection, the system automatically indexes the directory server. Verify that the Replication Status shows "Completed <date> <time>."

8. Adjust the directory server indexing schedule as necessary from the Index Settings tab.

 Procedure Step 3  : Create a new LDAP Lookup Plugin:

Creating new lookup plugins

You must have Server Administration privileges to create and configure lookup plugins.

To create new lookup plugin

i]  Navigate to System > Lookup Plugins in the Enforce Server administration console.
ii] Click New Plugin at the Lookup Plugins List Page screen.

iii] Select the type of lookup plugin you want to create and configure it.

CSV

LDAP

Script

Data Insight

Custom (Legacy)

iv] Click Save to apply the lookup plugin configuration.

The system displays a success (green) message if the plugin was successfully saved or an error (red) message if the plugin is misconfigured and could not be saved.

v] Click Modify Plugin Chain and enable the lookup plugin and chain multiple plugins.
 

Procedure Step 4 : Map the attributes :

Map the attributes to the corresponding LDAP directory fields. The syntax is as follows:

attr.CustomAttributeName = search_base:
  (search_filter=$variable$):
  ldapAttribute

A] Mapping attributes to LDAP data
You map system and custom attributes to LDAP data in the Attribute Mapping field. Each mapping is entered on a separate line. The order in which these mapping entries appear does not matter.

The attribute mapping syntax for LDAP Lookup Plugins is as follows:

attr.CustomAttributeName = search_base:
  (search_filter=$variable$):
  ldapAttribute

B] Attribute mapping examples for LDAPAttribute mapping examples for LDAP

The following mappings provide additional attribute mapping examples for LDAP Lookup Plugins.

The following example attribute mapping searches the hr.corp LDAP directory for a record with an attribute for mail whose value matches the value of the sender-email lookup parameter. It returns to the Enforce Server the value of the givenName attribute for that record.

attr.First\ Name = dc=corp,dc=hr:(mail=$sender-email$):givenName

In the following attribute mapping example, a separate line is entered for each custom attribute that is to be populated. In addition, note the use of the TempDeptCode temporary variable. The department code is needed to obtain the department name from the LDAP hierarchy. But only the department name needs to be stored as a custom attribute. The TempDeptCode variable is created for this purpose.

attr.First\ Name = cn=users:(email=$sender-email$):firstName
attr.Last\ Name = cn=users:(email=$sender-email$):lastName
attr.TempDeptCode = cn=users:(email=$sender-email$):deptCode
attr.Department = cn=departments:(deptCode=$TempDeptCode$):name
attr.Manager = cn=users:(email=$sender-email$):manager

Procedure Step 5 : Save and enable the plugin :
 

The LDAP Lookup Plugin must be enabled on the Enforce Server.

Enabling lookup plugins
To enable a lookup plugin you have to change its status from Off, which is the initial status of a plugin after it is configured, to On. The System > Lookup Plugins > Modify Lookup Plugin Execution Chain is where you enable lookup plugins.

To enable a lookup plugin

Navigate to System > Lookup Plugins in the Enforce Server administration console.
Click Modify Plugin Chain at the Lookup Plugins List Page.
In the Dedicated Actions field, select (check) the On option.
Click Save to apply the configuration.
If the plugin cannot be loaded the system will report an error and the plugin state will remain Off. In this case, check the latest Tomcat log file for the error.

Procedure Step 6 : Test and troubleshoot the LDAP lookup plugin.

Troubleshooting lookup plugins
Symantec Data Loss Prevention provides logging and error messages specific to lookup plugins. The most common errors involve the failure of a plugin to load due to one or more misconfigurations. If a lookup plugin fails to load, the exception is logged as a warning at the system events screen and in the Tomcat log. In addition, the attribute map and plugin execution chain is logged in the Tomcat log.

To troubleshoot lookup plugin errors

i] Navigate to the System > Servers > Overview screen and look for any warnings in the Recent Error and Warning Events table at the bottom of the page.
ii] On the Enforce Server host, open the log file \SymantecDLP\protect\Enforce\logs\tomcat\localhost.<date>.log.
iii] Troubleshoot errors that appear in the Tomcat localhost log file.

iv] Configure detailed logging for lookup plugins if the plugin fails but errors are not logged.

v] Refer to the troubleshooting topics for specific plugins.

Testing and troubleshooting LDAP Lookup Plugins

Complete these steps to troubleshoot LDAP Lookup Plugin implementations.

To troubleshoot an LDAP Lookup plugin

If the plugin does not save correctly, verify the configuration.
Before using the LDAP Lookup Plugin you should test the connection to the LDAP server. You can use a lookup tool such as the Softerra LDAP Browser to help confirm that you have the correct fields defined.

Make sure that the plugin is enabled.
Make sure that you created the Custom Attribute definitions.
In particular, check the attribute mapping. The attribute names must be identical.

If you made changes, or edited the lookup parameter keys, reload the plugin.

Select Incidents > All Incidents for the detection server you are using to detect the incident.
Select (check) several incidents and select Lookup Attributes from the Incident Actions drop-down menu. (This action looks up attribute values for all incidents for that form of detection.
Check the Incident Snapshot screen for an incident. Verify that the Lookup Custom Attributes are filled with entries retrieved from the LDAP lookup.
If the correct values are not populated, or there is no value in a custom attribute you have defined, make sure that there are no connection errors are recorded in the Incident History tab.
Check the Tomcat log file.

LDAP Lookup Plugin tutorial:
This tutorial provides steps for implementing a simple LDAP Lookup Plugin.

To implement an LDAP Lookup Plugin

i] Create the following custom attributes at System > Attributes > Custom Attributes:
LDAP givenName

LDAP telephoneNumber

ii] Create a directory connection for the Active Directory server at System > Group Directories.
For example:

Hostname: enforce.dlp.company.com

Port: 389

Base DN: dc=enforce,dc=dlp,dc=com

Encryption: None

Authentication: Authenticated

username: userName

password: password

iii] Test the connection. The system indicates if the connection is successful.
iv] Create a new LDAP plugin at System > Lookup Plugins > New Plugin > LDAP.
Name: LDAP Plugin Name

Description: Description for the LDAP Plugin.

v] Select the directory connection created in Step 2.
vi] Map the attributes to LDAP metadata.
attr.LDAP\ givenName = cn=users:(|(givenName=$endpoint-username$)(mail=$sender-email$)
(streetAddress=$discoverserver$)):givenName
attr.LDAP\ telephoneNumber = cn=users:(|(givenName=$endpointuser-name$)(mail=$sender-email$)
(streetAddress=$discoverserver$)):telephoneNumber

vii] Save the Plugin. Verify that the correct save message for the plugin is displayed.
viii] Enable the following keys at the System > Lookup Plugins > Lookup Parameters page.
Incident

Message

Sender

ix] Create an incident that generates one of the lookup parameters. For example, an email incident will expose the sender-email attribute. There must be some corresponding information in the Active Directory server.
x] Open the Incident Snapshot for the incident.
xi] Click the Lookup button and verify the custom attributes created in the Step 1 are populated in the right panel.

Creating dashboard reports :

You can create custom dashboards and reports.

If you are logged on as a user other than the administrator, Symantec Data Loss Prevention lets you choose whether to share your dashboard or keep it private.

To create a dashboard please follow the below procedure step by step.

Procedure Step 1 : In the Enforce Server administration console, on the Incidents menu, click Incident Reports.
Procedure Step 2 :On the Incident Reports screen that appears, click Create Dashboard.

The Configure Dashboard screen appears.

Procedure Step 3 :Choose whether to share your dashboard or keep it private.

If you choose to share a dashboard, the dashboard is accessible to all users assigned the role under which you create it.

If you are logged on as Administrator, you do not see this choice.

Note: Symantec Data Loss Prevention automatically designates all dashboards that the administrator creates as private.
 

Click Next.

Procedure Step 4 :In the General section, for Name, type a name for the dashboard.

Procedure Step 5 :For Description, type an optional description for the dashboard.

Procedure Step 6 :In the Delivery Schedule section, you can regenerate and send the dashboard report to specified email accounts.

If SMTP is not set up on your Enforce Server, you do not see the Delivery Schedule section.

If you have configured your system to send alerts and reports, you can set a time to regenerate and send the dashboard report to specified email accounts.

If you have not configured Symantec Data Loss Prevention to send reports, skip to the next step.

To set a schedule, locate the Delivery Schedule section and select an option from the Schedule drop-down list. (You can alternatively select No Schedule.)

For example, select Send Weekly On.

Enter the data that is required for your Schedule choice. Required information includes one or more email addresses (separated by commas). It may also include calendar date, time of day, day of the week, day of the month, or last date to send.

Delivery schedule options for dashboard reports :

The Delivery Schedule section lets you set up a schedule for the report.

Note: If your Enforce Server is not configured to send email, or you are not allowed to send reports, the Delivery Schedule section does not appear.
 

When you make a selection from the Schedule drop-down list, additional fields appear.

The following table describes the additional fields available for each option on the list.

No Schedule :  Select No Schedule to save the report without a schedule.
 
Once :  Select Once to schedule the report to be run once at a future time, and then specify the following details for that report:

On : Enter the date you want to generate the report, or click the date widget and select a date.

At : Select the time you want to generate the report.

Send To : Enter one or more email addresses. Separate them with commas.
 
Send Every Day :  Select Send Every Day to schedule the report to be run every day, and then specify the following details for that report:

At : Select the time you want to generate the report.

Until : Enter the date you want to stop generating daily reports, click the date widget and select a date, or select Indefinitely.

Send To : Enter one or more email addresses. Separate them with commas.
 
Send Weekly On :  Select Send Weekly on to schedule the report to be run every week, and then specify the following details for that report:

Day : Click to check one or more check boxes to indicate the day(s) of the week you want to generate the report.

At : Select the time you want to generate the report.

Until : Enter the date you want to stop generating weekly reports, click the date widget and select a date, or select Indefinitely.

Send To : Enter one or more email addresses. Separate them with commas.
 
Send Monthly On :  Select Send Monthly on to schedule the report to be run every month, and then specify the following details for that report:

Day of each month : Enter the date on which you want to generate the report each month.

At : Select the time you want to generate the report.

Until : Enter the date you want to stop generating monthly reports, click the date widget and select a date, or select Indefinitely.

Send To : Enter one or more email addresses. Separate them with commas.
 

Procedure Step 7 : For the Left Column, you can choose what to display in a pie chart or graph. For the Right Column, you can also display a table of the information.

Choosing reports to include in a dashboard :

Dashboards have two columns of report portlets.

Portlets in the left column display a pie chart or graph.

Portlets in the right column display the same information as those in the left. They also display either a list of the most significant incidents or a summary. Incidents are ranked with severity and match count. You can display a list of summary criteria and associated incidents that highlight any high-severity incident totals.

You can choose up to three reports to include in the left column, and up to three reports to include in the right column.

To choose reports to include

i] Choose a report from as many as three of the Left Column (Chart Only) drop-down lists.
ii] Choose a report from as many as three of the Right Column (Chart and Table) drop-down lists.
iii] After you configure the dashboard, click Save.

Select a report from as many as three of the Left Column (Chart Only) drop-down lists. Then select a report from as many as three of the Right Column (Chart and Table) drop-down lists.

Procedure Step 8 : Click Save.

Procedure Step 9 : You can edit the dashboard later from the Edit Report Preferences screen.
To display a custom dashboard at logon, specify it as the default logon report on the Edit Report Preferences screen.

 Configuring dashboard reports :

You can create the custom dashboards that are tailored for users with specific roles.

Dashboards consist of up to six portlets, each providing a quick summary of a report you specify.

If you choose to share a dashboard, the dashboard is accessible to all users assigned the role under which you create it.

Note: The Administrator user cannot create shared dashboards.
 

To configure a custom dashboard :

i] In the General section, for Name, type a name for the dashboard.
ii] For Description, type an optional description for the dashboard.
iii] In the Delivery Schedule section, you can regenerate and send the dashboard report to specified email accounts.
If SMTP is not set up on your Enforce Server, you do not see the Delivery Schedule section.

If you have configured your system to send alerts and reports, you can set a time to regenerate and send the dashboard report to specified email accounts.

If you have not configured Symantec Data Loss Prevention to send reports, skip to the next step.

To set a schedule, locate the Delivery Schedule section and select an option from the Schedule drop-down list. (You can alternatively select No Schedule.)

For example, select Send Weekly On.

Enter the data that is required for your Schedule choice. Required information includes one or more email addresses (separated by commas). It may also include calendar date, time of day, day of the week, day of the month, or last date to send.

See Delivery schedule options for dashboard reports.

iv] For the Left Column, you can choose what to display in a pie chart or graph. For the Right Column, you can also display a table of the information.

See Choosing reports to include in a dashboard.

Select a report from as many as three of the Left Column (Chart Only) drop-down lists. Then select a report from as many as three of the Right Column (Chart and Table) drop-down lists.

v] Click Save.
vi] You can edit the dashboard later from the Edit Report Preferences screen.
To display a custom dashboard at logon, specify it as the default logon report on the Edit Report Preferences screen.

Use Mobile Prevent incident reports to monitor and respond to Mobile Prevent incidents. You can save, send, export, or schedule Symantec Data Loss Prevention reports.

In the Enforce Server administration console, on the Incidents menu, click Mobile. This incident report displays all incidents for any target that is a mobile device. You can select the standard reports for all incidents, new incidents, policy summary, status by policy, or high-risk senders.

Summaries and filter options can select which incidents to display.

About filters and summary options for reports :

You can set a number of filters and summaries for Symantec Data Loss Prevention incident reports.

These filters let you see the incidents and incident data in different ways.

The set of filters apply separately to Network, Endpoint, Mobile, and Storage events.

The filters and summary options are in the following sections:

General filters :  The general filter options are the most commonly used. They are always visible in the incident list report.
 
 
Advanced filters :  The advanced filters provide many additional filter options. You must click the Advanced Filters & Summarization bar, and then click Add Filter to view these filter options.
 
 Summary options :  The summary options provide ways to summarize the incidents in the list. You must click the Advanced Filters & Summarization bar to view these summary options.
 

Symantec Data Loss Prevention contains many standard reports. You can also create custom reports or save report summary and filter options for reuse.

Mobile Prevent incident list :

A Mobile Prevent incident list shows multiple mobile incident records with information about the incident such as: the severity, associated policy, number of matches, and status of the incident. Click a row of the incident list to view more details about a specific incident. Select specific incidents (or groups of incidents) to modify or remediate by clicking the check boxes at the left.

Note:
 Use caution when you click Select All. This action selects all incidents in the report (not only those on the current page). Any incident command you subsequently apply affects all incidents. To select only the incidents on the current page, select the checkbox at top left of the incident list.
 

Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention sorts incidents by date.

Mobile Prevent incident snapshot :

An incident snapshot provides detailed information about a particular incident. It displays general incident information, matches detected in the intercepted text, and incident attributes. The snapshot also enables you to execute any Smart Response rules that you have configured.

The incident snapshot is divided into three panes, with navigation and Smart Response options.

Mobile Prevent incident list - Columns :

Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention lists incidents by date.

The report includes the following columns:

Checkboxes that let you select incidents to remediate.

You can select one or more incidents to which to apply commands from the Incident drop-down menu at the top of the list. Click the checkbox at the top of the column to select all incidents on the current page. (Note that you can also click Select All at far right to select all incidents in the report.)

Type : The protocol over which the match was detected.

Subject/Sender/Recipient(s) : Message subject, sender email address or IP address, recipient email address(es), or URL(s).

Sent : Date and time the message was sent.

ID/Policy : Symantec Data Loss Prevention incident ID number and the policy against which the incident was logged.

Matches : Number of matches in the incident.

Severity : Incident severity as determined by the severity setting of the rule the incident matched.

The possible values are as follows:

Icon   Description

 High

 Medium

 Low

 For Information Only

Status :

Current incident status.

The possible values are as follows:

New

In Process

Escalated

False Positive

Configuration Errors

Resolved

You or your administrator can add new status designations on the Attribute Setup page.

Mobile Prevent incident snapshot - Heading and navigation
The following page navigation tools appear near the top of the incident snapshot:

Previous
 Displays the previous incident in the source report.
 
Next
 Displays the next incident in the source report.
 
 Returns to the source report (where you clicked the link to get to this screen).
 
 Updates the snapshot with any new data, such as a new comment in the History section or a modified status.
 

Mobile Prevent incident snapshot - General information :

The left section of the snapshot displays general incident information. You can click on many values to view an incident list that is filtered on that value. An icon may appear next to the Status drop-down list to indicate whether the request that generated the incident was blocked or altered.

The current status and severity of the incident appear to the right of the snapshot heading. To change one of the current values, click on it and choose another value from the drop-down list.

The remaining portion of the general information pane is divided into four tabs.

i] Key Info

ii] History

iii] Notes

iv] Correlations

Information in this section is divided into the following categories (not all of which appear for every incident type):

i] Key Info : The Key Info tab shows the policy that was violated in the incident. It also shows the total number of matches for the policy, as well as matches per policy rule. Click the policy name to view a list of all incidents that violated the policy. Click view policy to view a read-only version of the policy.

This section also lists other policies that the same file violated. To view the snapshot of an incident that is associated with a particular policy, click go to incident next to the policy name. To view a list of all incidents that the file created, click show all.

The Key Info tab also includes the following information:

The name of the detection server that recorded the incident.

The date and time the message was sent.

The sender email or IP address.

The recipient email or IP address(es).

The SMTP heading or the NNTP subject heading.

Attachment file name(s). Click to open or save the file.

If a response rule tells Symantec Data Loss Prevention to discard the original message, you cannot view the attachment.

The person responsible for remediating the incident (Data Owner Name). This field must be set manually. Reports can automatically be sent to the data owner for remediation.

If you click on a hyperlinked Data Owner Name, a filtered list of incidents by Data Owner Name is displayed.

The email address of the person responsible for remediating the incident (Data Owner Email Address). This field must be set manually.

If you click on the hyperlinked Data Owner Email Address, a filtered list of incidents by Data Owner Email Address is displayed.

ii] History : View the actions that were performed on the incident. For each action, Symantec Data Loss Prevention displays the action date and time, the actor (a user or server), and the action or the comment.

iii] Notes :  View any notes that you or others have added to the incident. Click Add Note to add a note.

iv] Correlation :  You can view a list of those incidents that share attributes of the current incident. For example, you can view a list of all incidents that a single account generated. Symantec Data Loss Prevention shows a list of correlations that match single attributes. Click on attribute values to view lists of those incidents that are related to those values.

To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents dialog box that appears, select the desired search attributes. Then click Find Incidents.

Mobile Prevent incident snapshot - Matches :

Beneath the general information, Symantec Data Loss Prevention displays the message content (if applicable) and the matches that caused the incident. Symantec Data Loss Prevention displays the following types of message content, depending on protocol type:

Protocol                                             Message content
 
HTTP/S                                             Name value pairs of the HTTP/S request
 
FTP                                                  Nothing shown
 

Matches are highlighted in yellow and organized according to the message component (such as header, body, or attachment) in which they were detected. Symantec Data Loss Prevention displays the total relevant matches for each message component. It shows matches by the order in which they appear in the original text. To view the rule that triggered a match, click on the highlighted match.

Mobile Prevent incident snapshot - Attributes :

Note: This section appears only if a system administrator has configured custom attributes.

You can view a list of custom attributes and their values, if any have been specified. Click on attribute values to view an incident list that is filtered on that value. To add new values or edit existing ones, click Edit. In the Edit Attributes dialog box that appears, type the new values and click Save.

Mobile Prevent summary report :

The Mobile Prevent summary report provides summary information about the incidents that are generated on your mobile devices. You can organize the report by one or two summary criteria. A single-summary report is organized by a single summary criterion, such as the policy that is associated with each incident. A double-summary report is organized by two criteria, such as policy and incident status.

To view the primary criteria and the secondary summary criteria available for the current report, click the Advanced Filters and Summarization bar. The bar is near the top of the report. The Summarize By: listboxes show the primary criteria and the secondary summary criteria. In each listbox, Symantec Data Loss Prevention displays all detection criteria in alphabetical order, followed by any custom criteria that your system administrator has defined. Summary reports take their name from the primary summary criterion (the value of the first listbox). If you rerun a report with new criteria, the report name changes accordingly.

Summary entries are divided into several columns. Click any column header to sort alpha-numerically by that column's data. To sort in reverse order, click the column header a second time.

summary_criterion : This column is named for the primary summary criterion. It lists primary and (for double summaries) secondary summary items. In a Policy Summary, this column is named Policy and it lists policies. Click on a summary item to view a list of incidents that are associated with that item.

Total : The total number of incidents that are associated with the summary item. In a Policy Summary, this column gives the total number of incidents that are associated with each policy.

High : Number of high-severity incidents that are associated with the summary item. (The severity setting of the rule that was matched determines the incident severity.)

Med : Number of medium-severity incidents that are associated with the summary item.

Low : Number of low-severity incidents that are associated with the summary item.

Info :  The number of informational incidents that are associated with the summary item.

Bar Chart : A visual representation of the number of incidents (of all severities) associated with the summary item. The bar is broken into proportional, colored sections to represent the various severities.

Matches : Total number of matches associated with the summary item.

If any of the severity columns contain totals, you can click on them to view a list of incidents of the chosen severity.

Use this screen to save an incident list report as an archive of HTML pages. An archive allows personnel without direct access to Symantec Data Loss Prevention to study incident data, drilling down into individual incidents as needed.

When you export incidents as a Web Archive, the archive is placed in directory \SymantecDLP\Protect\archive\webarchive.

Note: You cannot archive summary reports or dashboards.
 

When exporting incidents, please note the following considerations:

An archive cannot be summarized like a normal report.

An archive contains no filters, so it may be difficult to locate a specific incident in an archive containing a large number of incidents.

Exporting an archive of incidents does not remove the incidents from the administration console.

You can export only one archive at a time.

Export Web Archive is a user privilege that must be assigned to a role. You can export web archives only if your role provides access to this feature. Since role access also determines what information is contained in incident reports, it also applies to archiving those incident reports. The information that is contained in the archive you create is the same information contained in the original incident report.

The Export web archive screen is divided into two sections:

A] Export web archive - Create Archive.

B] Export web archive - All Recent Events.

A] Export web archive - Create Archive :

In the Create Archive section, complete the following information:

Field :  Description
 
Archive Name :  Specify a name for the archive you are creating using normal Windows naming conventions.
 
Report to Export :  From the drop-down list, select the report that you want to archive. Any reports you created are available along with default report options.

The Network options are as follows:

Incidents - Week, Current - Network incidents from the current week.

Incidents - All - All network incidents.

Incidents - New - Network incidents with status of New.

The Endpoint options are as follows:

Incidents - Week, Current - Endpoint incidents from the current week.

Incidents - All - All endpoints incidents.

Incidents - New - Only endpoint incidents with status of New.

The Discover options are as follows:

Incidents - Last Scan - Discover incidents from the last completed scan. (Incidents from a currently active scan are not included.)

Incidents - Scan in Process - Discover incidents from the current scan.

Incidents - All Scans - All Discover incidents.

Incidents - New - Discover incidents with status of New.

The Mobile options are as follows:

Incidents - Week, Current - Network incidents from the current week.

Incidents - All - All network incidents.

Incidents - New - Network incidents with status of New.
 

After you complete the fields, click Create to compile the archive.

B] Export web archive - All Recent Events :

The All Recent Events section displays a list of events related to this archive. (The list appears only after you click Create to create the archive.) Event entries show the following information:

The event type (Error, Warning, or System Information).

The event date and time

A brief description of the event

To see the details of any event, click on the event entry in the list. To see the full Events Report for this archive, click show all.

From the previous article:

https://www-secure.symantec.com/connect/articles/create-dlp-policy-special-user-group

We introduced the method and steps to use AD to create DLP group policy.

By using AD directory connection, we can create DLP group policy based on the specific group or OU in AD. 

How can we create DLP group policy if there isn't AD, or the policy needed to be applied to the users that located in different group or OU?

We can use EDM to achieve this requirement.

By using EDM, we can create and apply group policy to any users that we needed.

For example:

there are 2 users locate in Finance OU which are finance01 and finance02, and, there are 2 users locate in Develop OU which are develop01 and develop02.

We cannot apply the DLP policy to finance01 and develop01 by using AD directory connection. But, This can be applied by using EDM Group Policy.

Here are the steps for the example:

1. Create a txt file which contains the email address we needed, such as finance01 and develop01 in our example:

2. From DLP Enforce console, select 'Manage' --> 'Data Profiles' --> 'Exact Data':

3. Click 'Add Exact Data Profile':

4. Select 'Upload Data Source to Server Now' for the 'Data Source' section:

5. Browse and select the txt file created in step1, and select 'Read first row as column names', then click 'Next':

6. On the 'Field Mappings' section, select 'Email' for 'System Field':

7. Select the option 'Submit Indexing Job on Save', then click 'Save' button:

8. Check out the EDM profile is created successfully:

9. Edit the policy, and choose 'Groups' tab, then click 'Add Rule' button:

10. Select the option 'Sender/User base on a Directory from:', then select the EDM profile created on step8:

11. Check out the Email field is list on the rule:

12. Save the policy.

Then this policy will only be applied to the uses finance01 and develop01. The other users will not trigger this policy.

Symantec DLP 12.0.1 can also be integrated with RSA Envision 4.1 SP1.

RSA Envision integration is also supported by previous Symantec DLP version 11.5, 11, and 12.

I would like to share a document, where RSA Envision 4.1 integration with Symantec Data Loss Prevention is explained.

Configuring Symantec DLP

To configure Symantec DLP to work with the RSA EnVision appliance, you must complete the following
tasks:

1. Configure System Events
2. Configure Response Rules
3. Enable Rules

Configure System Events

To configure system events:

1.       On your Vontu system, depending on your operating system, choose one of the following:

         For Windows, change directories to \Vontu\Protect\config.
         For Linux, change directories to /opt/Vontu/Protect/config.

2. Open Manager.properties in a text editor.

3. Remove the number sign (#) from the line, #systemevent.syslog.host=, and then enter the
hostname or IP address of your enVision appliance.

4. Remove the # from the line, #systemevent.syslog.port=, and then type 514.

5. Remove the # from the line, #systemevent.syslog.format= [{0}] {1} - {2}.

6. Save and close the file.

7. Restart the Vontu server.

Configure Response Rules: attached snapshot- Vontu Response Rule.jpg

To configure response rules:
1. Log on to the Symantec DLP user interface.
2. Click Policies > Response Rules > Add Response Rule.
3. Select Automated Response.
4. Click Next.
5. In the Configure Response Rule window, complete the fields as follows.
 

Field Action

Rule Name : Enter a rule name.
Description : Enter a description for the rule name.
6. From the Action drop-down list, select All: Log to a Syslog Server.
7. Click Add Action.
8. Complete the fields as follows.

Field Action

Host Enter the IP address of your enVision appliance.
Port Type 514.

Message Type:

Vontu Incident: $POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^

$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^

$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^

$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$

Notice the addition of the text "Vontu Incident:" is required

* Important: This is one continuous entry. Do not add spaces or hyphens.

Level Select 4.

9. Click Save.

Enable Rules

To enable rules: refer the attached screenshot - Policy response.JPG

1. Click Policies > Policy List.
2. Select a policy that you want to report on.
3. Click the Response tab.
4. From the drop-down list, select the rule you created in the previous task.
5. Click Add Response Rule.

There are two method to enroll the Symantec Encryption Desktop: by Email, or by AD.

In this article, we will provide the graphic step-by-step guide for AD enrollment.

1. We need to enable Directory Synchronization firstly.

From 'Consumers' tab, select 'Directory Synchronization', then click 'Enable' button:

2. After enable the Directory Synchronization, click 'Add LDAP Directory' button:

3. Fill in the necessary information to connect to the directory:

4. Click 'Test Connection' button to ensure the connection to the directory:

5. Click the 'Settings' button of the Directory Synchronization, select to enable the option 'Enroll clients using directory authentication':

6. Open to edit the policy, then click 'Edit' button of the 'General' section:

7. On the 'General' tab, select to enable the option 'Enable Silent Enrollment':

8. Create a new group, and select to use the policy that created on step7:

9. During the download of the Symantec Encryption Desktop Client, select the 'Preset Policy Group' as the group that created on step8:

10. After the installation of the client on the desktop and the reboot, select 'Always Allow for This Site' on the Symantec Alert:

11. Fill in the credentials of the AD user:

12. The client will enroll with the server:

By using AD enrollment, we can skill the Email configuration on the Symantec Encryption Server. This will simplify the deployment process.

If your script is connecting to an external system that requires credentials, you can enable credentials for your script. If you enable credentials through the user interface option, you must encrypt them. Symantec Data Loss Prevention provides the Credential Utility, which lets you encrypt credentials and use them to authenticate to an external data source.

When the Enforce Server invokes the Script Lookup Plugin, the plugin decrypts any credentials at runtime and passes them to the script as attributes. The credentials are then available for use within the script. The Credential Utility uses the same platform encryption keys that are used to protect user accounts and incident information within the Symantec Data Loss Prevention system.

If you choose to use credentials in clear text, you must hard code them into your script. In this case, the Enforce Server passes the values you exported to the clear-text credential file. These values are passed in the following format: key=value.

Request you to please follow the below procedure step by step for enabling and encrypting the credentials.

Procedure Step 1 : Create a text file that contains the credentials that are needed by the script to access the appropriate external systems.
 

The format of this file is key=value, where key is the name of the credential.

For example:

username=msantos password=esperanza9

Procedure Step 2 : Save this credential file to the file system local to the Enforce Server.
 

The file needs to be saved to the Enforce Server temporarily.

For example: C:\temp\MyCredentials.txt.

Procedure Step 3 : On the Enforce Server, open a shell or command prompt and change directories to <\SymantecDLP_home>\Protect\bin.
 

This directory on the Enforce Server contains the Credential Generator Utility.
 

Procedure Step 4 : Issue a command to generate an encrypted credential file.

The command syntax is as follows:

CredentialGenerator.bat
 in-cleartext-filepath out-encrypted-filepathFor example on Windows you would issue the following:

CredentialGenerator.bat C:\temp\MyCredentials.txt 
    C:\temp\MyCredentialsEncrypted.txtYou can open this file in a text editor to verify that it is encrypted.

Procedure Step 5 : Select Enable Credentials.
 

At the System > Lookup Plugins > Edit Script Lookup Plugin page, select (check) the Enable Credentials option.
 

Procedure Step 6 : Enter the Credentials File Path.
 

Enter the fully qualified path to the encrypted credentials file. For example:

C:\temp\MyCredentialsEncrypted.txt.

Procedure Step 7 : Save the plugin.
 

You can now use the encrypted credentials to authenticate to an external system.

Procedure Step 8 : Secure the clear-text credentials file.
 

If you want to save the clear-text credentials file, move it to a secure location. It can be useful to save the file if you plan to update and re-encrypt it later. If you do not want to save the file, delete it now.

Procedure Step 9 : Reload the lookup plugin.

About lookup plugins :

A lookup plugin lets you connect the Enforce Server to an external system to retrieve supplemental data related to an incident. The data is stored as attributes. Lookup plugins let you add additional context to incidents to facilitate remediation workflow. For example, consider an email message that triggers an incident. A lookup plugin can be used to retrieve and display the name and the email address of the sender's manager from a directory server based on the email sender's address.

Lookup plugins use incident attributes and custom attributes in coordination with each other. The system generates incident attributes when a policy rule is violated. You define custom attributes for custom incident data. Continuing the example, on detection of the incident, the system generates the incident attribute "sender-email" and populates it with the email address of the sender. The lookup plugin uses this key-value pair to look up the values for custom attributes "Manager Name" and "Manager Email" from an LDAP server. The plugin populates the custom attributes and displays them in the Incident Snapshot.

The System > Lookup Plugins screen is the home page for creating, configuring, and managing lookup plugins. Lookup plugins are used for remediation to retrieve incident-related data from an external data source and populate incident attributes.

A] Mobile Prevent for Web Server - Basic configuration
B] Configuring the Mobile Prevent for Web Server

A] Mobile Prevent for Web Server - Basic configuration :

Detection servers are configured from each server's individual Configure Server screen. To display the Configure Server screen, go to the Overview screen (System > Servers > Overview) and click the name of the server in the list. That server's Server Detail screen appears. Click Configure to display the Configure Server screen.

A Mobile Prevent for Web Server Configure Server screen is divided into a general section and one tab:

a] General section. This section specifies the server's name, host, and port.

b] ICAP tab. This tab is for configuring Internet Content Adaptation Protocol (ICAP) capture.

Use the ICAP tab to configure Web-based network traffic. The ICAP tab is divided into the following sections:

c] The Trial Mode section enables you to test prevention without blocking traffic. When trial mode is selected, the server detects incidents and creates incident reports, but it does not block any traffic. This option enables you to test your policies without blocking traffic. Check the box to enable trial mode.

d] The Request Filtering section configures traffic filtering criteria:

Ignore Requests Smaller Than : 

 Specify the minimum body size of HTTP requests to inspect on this server. The default value is 4096 bytes. HTTP requests with bodies smaller than this number are not inspected.
 
Ignore Requests without Attachments : 

 Check this box to inspect only those HTTP requests that contain attachments.
 
Ignore Requests to Hosts or Domains :

 Enter the host names or domains whose requests should be filtered out (ignored). Enter one host or domain name per line.
 
Ignore Requests from User Agents :

 Enter the names of user agents whose requests should be filtered out (ignored). Enter one agent per line.
 

Note: The Response Filtering section is not supported for Mobile Prevent for Web.
 

The Response Filtering section configures the filtering criteria to manage HTTP responses:

e] The Connection section configures settings for the ICAP connection between an HTTP proxy server and the Mobile Prevent for Web Server:

TCP Port :

Specify the TCP port number that this server is to use to listen to ICAP requests. The same value must be configured on the HTTP proxy sending ICAP requests to this server. The recommended value is 1344.
 
Maximum Number of Requests :

Enter the maximum number of simultaneous ICAP connections from the HTTP proxy that are allowed. The default is 25.
 
Maximum Number of Responses :

Enter the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies that are allowed. The default is 25.
 
Connection Backlog :

Enter the maximum number of waiting connections allowed. Each waiting connection means that a user waits at their browser. The minimum value is 1.
 
f] The Mobile section configures settings for the Mobile Prevent for Web Server.

Mobile IP Ranges :

The range of IP addresses that your VPN Server is configured to assign to your mobile devices. The IP addresses are used to identify your mobile devices in the reporting section.
 

In addition to the settings available through the Configure Server screen, you can specify advanced settings for this server. To specify advanced configuration parameters, click Server Settings on the server's Overview screen. Use caution when modifying Advanced Server settings. Check with Symantec Support before you change any advanced setting.

B] Configuring the Mobile Prevent for Web Server :

You can use a number of configuration options for Mobile Prevent for Web Server. For example, you can configure the server to:

Ignore small HTTP/S requests or responses.

Ignore requests to or responses from a particular host or domain (such as the domain of a business subsidiary).

Ignore user search engine queries.

To modify your Mobile Prevent for Web Server configuration please follow the below procedures....

Procedure Step 1 : Go to System > Servers > Overview and click the Mobile Prevent for Web Server.
Procedure Step 2 :On the Server Detail screen that appears, click Configure.
You can verify or modify settings on the ICAP tab as described in subsequent steps. The tab is divided into several sections: Request Filtering, Response Filtering, and Connection.

Procedure Step 3 :Verify or change the Trial Mode setting.
Procedure Step 4 :Verify or modify the filter options for requests from HTTP clients (user agents). The options in the Request Filtering section are as follows:
Ignore Requests Smaller Than :

Specifies the minimum body size of HTTP requests to inspect. (The default is 4096 bytes.) For example, search-strings typed in to search engines such as Yahoo or Google are usually short. By adjusting this value, you can exclude those searches from inspection.
 
Ignore Requests without Attachments :

Causes the server to inspect only the requests that contain attachments. This option can be useful if you are mainly concerned with requests intended to post sensitive files.
 
Ignore Requests to Hosts or Domains :

Causes the server to ignore requests to the hosts or domains you specify. This option can be useful if you expect a lot of HTTP traffic between the domains of your corporate headquarters and branch offices. You can type one or more host or domain names (for example, www.company.com), each on its own line.
 
Ignore Requests from User Agents : 

Causes the server to ignore requests from user agents (HTTP clients) you specify. This option can be useful if your organization uses a program or language (such as Java) that makes frequent HTTP requests. You can type one or more user agent values (for example, java/6.0.29), each on its own line.

Note: The Response Filtering options are not supported for Mobile Prevent.

Procedure Step 5 :  Verify or modify the filter options for responses from Web servers. The options in the Response Filtering section are as follows:

Ignore Responses Smaller Than :

Specifies the minimum size of the body of HTTP responses that are inspected by this server. (Default is 4096 bytes.)
 
Inspect Content Type : 

Specifies the MIME content types that Symantec Data Loss Prevention should monitor in responses. By default, this field contains content-type values for Microsoft Office, PDF, and plain text formats. To add others, type one MIME content type per line. For example, type application/wordperfect5.1 to have Symantec Data Loss Prevention analyze WordPerfect 5.1 files.

Note that it is generally more efficient to specify MIME content types at the Web proxy level.
 
Ignore Responses from Hosts or Domains : 

Causes the server to ignore responses from the hosts or domains you specify. You can type one or more host or domain names (for example, www.company.com), each on its own line.
 
Ignore Responses to User Agents :

Causes the server to ignore responses to user agents (HTTP clients) you specify. You can type one or more user agent values (for example, java/1.4.2_xx), each on its own line.
 

Procedure Step 6 : Verify or modify settings for the ICAP connection between the HTTP proxy server and the Mobile Prevent for Web Server. The Connection options are as follows:

TCP Port :

Specifies the TCP port number over which this server listens for ICAP requests. This number must match the value that is configured on the HTTP proxy that sends ICAP requests to this server. The recommended value is 1344.
 
Maximum Number of Requests :

Specifies the maximum number of simultaneous ICAP request connections from the HTTP proxy or proxies. The default is 25.
 
Maximum Number of Responses : 

Specifies the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies. The default is 25.
 

Connection Backlog :

Specifies the number of waiting connections allowed. A waiting connection is a user waiting for an HTTP response from the browser. The minimum value is 1. If the HTTP proxy gets too many requests (or responses), the proxy handles them according to your proxy configuration. You can configure the HTTP proxy to block any requests (or responses) greater than this number.
 

Procedure Step 7 : In the Mobile IP Ranges fields, enter the range of IP addresses that your VPN server is configured to assign to mobile devices. The IP addresses are used to identify the incidents that were triggered from mobile devices as Mobile incidents.
The IP addresses you enter into this range do not dynamically affect the VPN Server. This range is only to identify your mobile devices in the administration console. You must enter the exact same range of IP addresses when you configure the VPN Server to assign the addresses.

Procedure Step 8 : Click Save to exit the Configure Server screen and then click Done to exit the Server Detail screen.

Use the following instructions to configure Network Prevent Server to operate either in reflecting or forwarding mode.

To configure the Network Prevent Server :

Procedure Step 1 :  Log on to the Enforce Server administration console for the Symantec Data Loss Prevention system you want to configure.
Procedure Step 2 : Select System > Servers > Overview to display the list of configured servers.
Procedure Step 3 : Click the name of the Network Prevent Server that you want to configure.
Procedure Step 4 : Click Configure.
Procedure Step 5 : Deselect Trial Mode to enable blocking of email messages that are found to violate Symantec Data Loss Prevention policies.
Procedure Step 6 : Configure reflecting mode or forwarding mode by modifying the following fields:

Next Hop Configuration :

Select Reflect to operate Network Prevent Server in reflecting mode. Select Forward to operate in forwarding mode.

Note: If you select Forward you must also select Enable MX Lookup or Disable MX Lookup to configure the method used to determine the next-hop MTA.
 
 Enable MX Lookup :

This option applies only to forwarding mode configurations.

Select Enable MX Lookup to perform a DNS query on a domain name to obtain the mail exchange (MX) records for the server. Network Prevent Server uses the returned MX records to select the address of the next hop mail server.

If you select Enable MX Lookup, also add one or more domain names in the Enter Domains text box. For example:

companyname.comNetwork Prevent Server performs MX record queries for the domain names that you specify.

Note: You must include at least one valid entry in the Enter Domains text box to successfully configure forwarding mode behavior.
 
 
Disable MX Lookup :

This field applies only to forwarding mode configurations.

Select Disable MX Lookup if you want to specify the exact hostname or IP address of one or more next-hop MTAs. Network Prevent Server uses the hostnames or addresses that you specify and does not perform an MX record lookup.

If you select Disable MX Lookup, also add one or more hostnames or IP addresses for next-hop MTAs in the Enter Hostnames text box. You can specify multiple entries by placing each entry on a separate line. For example:

smtp1.companyname.com
smtp2.companyname.com
smtp3.companyname.comNetwork Prevent Server always tries to proxy to the first MTA that you specify in the list. If that MTA is not available, Network Prevent Server tries the next available entry in the list.

Note: You must include at least one valid entry in the Enter Hostnames text box to successfully configure forwarding mode behavior.
 
Procedure Step 7 : Click Save.
Procedure Step 8 : Click Server Settings to verify or configure these advanced settings:

RequestProcessor.ServerSocketPort :

Ensure that this value matches the number of the SMTP Listener port to which the upstream MTA sends email messages. The default is 10025.

Note: Many Linux systems restrict ports below 1024 to root access. Network Prevent cannot bind to these restricted ports. If the computer receives mail for inspection on a restricted port (for example, port 25), reconfigure the computer to route traffic from the restricted port to the non-restricted Network Prevent port (port 10025 by default).

See Second Last Paragraph to Configuring Linux IP tables to reroute traffic from a restricted port.
 
 
RequestProcessor.MTAResubmitPort :

Ensure that this value matches the number of the SMTP Listener port on the upstream MTA to which the Network Prevent Server returns mail. The default is 10026.
 
RequestProcessor.AddDefaultHeader :

By default, Network Prevent Server uses a header to identify all email messages that it has processed. The header and value are specified in the RequestProcessor.DefaultPassHeader field.

Change the value of this field to false if you do not want to add a header to each message.
 
RequestProcessor.AddDefaultPassHeader :

This field specifies the header and value that Network Prevent Server adds to each email message that it processes. The default header and value is X-CFilter-Loop: Reflected. Change the value of this field if you want to add a different header to each processed message.

If you do not want to add a header to each email message, set the AddDefaultPassHeader field to False.
 

Note: Always configure both RequestProcessor.ServerSocketPort and RequestProcessor.MTAResubmitPort, whether you implement reflecting or forwarding mode. With forwarding mode, RequestProcessor.ServerSocketPort specifies the SMTP Listener port on the detection server to which the upstream MTA sends email messages. RequestProcessor.MTAResubmitPort is the SMTP Listener port on the downstream MTA to which the detection server sends email messages.
 

Procedure Step 9 : Click Save.
Procedure Step 10 : Click Done.
Procedure Step 11 : If your email delivery system uses TLS communication in forwarding mode, each next-hop mail server in the proxy chain must support TLS and must authenticate itself to the previous hop. This means that Network Prevent Server must authenticate itself to the upstream MTA, and the next-hop MTA must authenticate itself to Network Prevent Server. Proper authentication requires that each mail server stores the public key certificate for the next hop mail server in its local keystore file.

Configuring Linux IP tables to reroute traffic from a restricted port :

Many Linux systems restrict ports below 1024 to root access. Network Prevent cannot bind to these restricted ports.

If the computer receives mail for inspection on a restricted port (for example, port 25), use the iptables command to route that traffic to a non-restricted port, such as the Network Prevent default port 10025. Then ensure that Network Prevent listens on the non-restricted port to inspect email.

Use the following instructions to configure a Linux system to route from port 25 to port 10025. If you use a different restricted port or Network Prevent port, enter the correct values in the iptables commands.

To configure route traffic from port 25 to port 10025 :

Procedure Step A] Configure Network Prevent to use the default port 10025 if necessary.

See Configuring Network Prevent Server for reflecting or forwarding mode :

Procedure Step B] In a terminal window on the Network Prevent computer, enter the following commands to reroute traffic from port 25 to port 10025:

iptables -N Vontu-INPUT
iptables -A Vontu-INPUT -s 0/0 -p tcp --dport 25 -j ACCEPT
iptables -I INPUT 1 -s 0/0 -p tcp -j Vontu-INPUT
iptables -t nat -I PREROUTING -p tcp --destination-port 25 -j REDIRECT --to-ports=10025
iptables-save > /etc/sysconfig/iptables

Note: If you only want to test local IP routing between the ports with Telnet, use the command: iptables -t nat -I OUTPUT -o lo -p tcp --destination-port 25 -j REDIRECT --to-ports=10025
 

If later you decide to delete the IP tables entry, use the command:

iptables -t nat -D OUTPUT -o lo -p tcp --destination-port 25 -j REDIRECT --to-ports=10025