Protection rule is triggered on a document that is unexpectedly tagged

Articoli tecnici ID: KB81640
Ultima modifica: 12/21/2021

Ambiente

McAfee Data Loss Prevention (DLP) Endpoint 11.x

For supported environments, see KB68147 - Supported platforms for Data Loss Prevention Endpoint.

Riepilogo

There are two mechanisms for DLP Endpoint to detect sensitive content:

Tagging
Content Classification

Technical Support recommends that you use Content Classification in use cases where the nature of the document's sensitivity can be known from a reliable and easily identified pattern, such as the word "confidential." In cases where such a pattern is not readily available, content can be protected with Tagging. For more information, see the Product Guide.

If a Protection Rule triggers unexpectedly on a document, it is possible to determine if the document is tagged by inspecting the Manual Tagging mechanism. For more information, see the Product Guide. If a document has been confirmed as being tagged, there are five possible ways the document was tagged:

Application-based tagging rules apply tags generically in one of two ways. It applies tags based on the application or applications that create a file, as specified in application definitions, or based on the file type or file extension. You can also add text patterns and dictionaries to further restrict how the tags are applied.
Location-based tagging rules apply tags based on the location of the source file. For example, a file being copied locally from a share on a network server. You can add text patterns and dictionaries as well to further restrict how the tags are applied.
Tags can be applied manually via Manual Tagging.
Tags can be applied during the Discover Process.
Tags propagate via the DLPE software. This software tracks data transformations and maintains the classification of the sensitive content persistently, regardless of how it is being used. For example, if an application reads a tagged document and then later saves a file elsewhere with a few paragraphs of the same content.

Often, a process of elimination can be used to determine which method was used to tag the document. For example, if there are no Discovery Scans configured, the document was not tagged via the Discover Scan method.

Soluzione

If a tag appears on too many documents, it can be reset in ePO through the DLP Policy. Go to Definitions / Tags and Categories and right-click the individual tag. This action resets the unique identifier used. After the policy change is enforced on the client computer, the tag is not applied to any documents until one of the above mechanisms has occurred.

Unless something else is changed in the policy, it is likely that whatever behavior led to the initial tagging can happen again. So, ensure that the users with Manual Tagging capability are aware not to tag documents that are not intended to be protected. Also, any copy from a location specified in a Location Based Tagging Rule by a user with read permission to that location results in the destination document being tagged. To ensure that any possible Tagging vector is fine-tuned, double-check the Application Definitions and the Discover Scan settings.

The following is an example of how a new or recently reset tag can spread in an environment:

A Location-Based tagging rule is used. An application on a host with DLP Endpoint automatically, without alerting the user, reads a file from the location, such as a desktop.ini file or any configuration file. It then saves a new file with a part of sensitive content into a new share folder. Now, a second user that does not have the rights to the first location can use an application that reads a file from the second share. The tag is propagated when a file with the same content is saved.

To find out in more detail how a new or recently reset tag is multiplying in an environment, use the Log All Messages option. Use this option on all users that have Manual Tagging rights to read from a share specified in a Location Based tagging rule, use any applications in an Application Based Tagging Rule. Or, use the option on all users whose computers are configured for a Discover Scan. This setting is available under Events and Logging in the Agent Configuration of DLP Policy in ePO.

The following sample log shows how to determine when files are tagged:

NOTE: The logfile name is HDLP_Agent_(DD.MM.YYYY)(X-XX-XX).log and located under: c:\Program Data\McAfee\DLP\temp\logs\session##

In the following example, the file named notepadtext.txt is read by Process ID 2644:

18:5:44:388 [2584] [ODEBUG] [File Tracker] [RunningProcessInfo::addFileInfo] Adding the file(notepadtest.txt) to process (2644)
18:5:44:388 [2584] [ODEBUG] [File Tracker] [FileContentAccessedEvent::startProcessEvent] FAcc.FF#000183 start event handler file : \\grepo5\grshare\notepadtest.txt

In the following example, a process with PID 2644 saves a file that is then tagged by the DLP Endpoint:

18:5:44:388 [2584] [ODEBUG] [File Handler] [FileFilterHandler::onOpen] File open for PID(2644) write c:\users\administrator\desktop\notepadtest.txt
...
18:5:44:388 [2584] [ODEBUG] [File Tracker] [ExtendedAttributesService::setFileTags] Setting file c:\users\administrator\desktop\notepadtest.txt extended attributes source tags(1)

The following example shows a direct cut-and-paste action via Process ID 4928:

16:52:23:904 [4728] [ODEBUG] [File Tracker] [RunningProcessInfo::addFileInfo] Adding the file(notepadtest.txt) to process (4928)
16:52:23:904 [4728] [ODEBUG] [File Tracker] [FileContentAccessedEvent::startProcessEvent] FAcc.FF#000582 start event handler file : c:\users\administrator\desktop\notepadtest.txt
...
16:52:23:920 [4728] [ODEBUG] [File Handler] [FileFilterHandler::onOpen] File open for PID(4928) write c:\users\administrator\desktop\notepadtest - copy (2).txt
...
16:52:23:920 [4728] [ODEBUG] [File Handler] [WrittenFiles::insertWrittenFile] WRITE-BUFFER - file - c:\users\administrator\desktop\notepadtest - copy (2).txt PID(4928) pushed first time
...
16:52:23:920 [4728] [ODEBUG] [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.FF#000584 start event handler file : c:\users\administrator\desktop\notepadtest - copy (2).txt
...
16:52:23:920 [4728] [ODEBUG] [File Tracker] [ExtendedAttributesService::setFileTags] Setting file c:\users\administrator\desktop\notepadtest - copy (2).txt extended attributes source tags(1)

The following example shows pasting sensitive content into a document via notepad.exe (PID 2764):

19:43:5:819 [2584] [ODEBUG] [File Handler] [FileFilterHandler::onOpen] File open for PID(2764) write c:\users\administrator\desktop\new text document.txt
19:43:5:819 [2584] [ODEBUG] [File Handler] [WrittenFiles::insertWrittenFile] WRITE-BUFFER - file - c:\users\administrator\desktop\new text document.txt PID(2764) pushed first time
...
19:43:5:819 [2584] [ODEBUG] [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.FF#001193 start event handler file : c:\users\administrator\desktop\new text document.txt
...
19:43:5:819 [2584] [ODEBUG] [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.FF#001193 request text extraction filename(c:\users\administrator\desktop\new text document.txt)
...
19:43:6:115 [2584] [ODEBUG] [File Tracker] [ExtendedAttributesService::setFileTags] Setting file c:\users\administrator\desktop\new text document.txt extended attributes source tags(1)

Informazioni correlate

The following is an excerpt from the Product Guide describing the Whitelist folder. This folder can be useful to reduce the tag propagation on standard content that is not sensitive and is widely used in the environment:

The whitelist folder contains text files defining content (typically boilerplate) that is not tagged and restricted. The main purpose of the whitelist folder is to improve the efficiency of the tagging process by skipping standard content that does not need to be protected.

For more information about how the Diagnostic Tool can be used to watch file tagging activity during a user logon session, see the Product Guide.

Prodotti interessati

Data Loss Prevention Endpoint 11.6.x
Data Loss Prevention Endpoint 11.4.x (EOL)

Lingue:

Questo articolo è disponibile nelle seguenti lingue:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Glossario dei termini tecnici

Evidenzia termini glossario

Ti consigliamo di consultare il nostro Glossario dei termini tecnici.

Knowledge Center

Protection rule is triggered on a document that is unexpectedly tagged

Ambiente

Riepilogo

Soluzione

Informazioni correlate

Prodotti interessati

Lingue:

Glossario dei termini tecnici

Title

Title

Knowledge Center

Protection rule is triggered on a document that is unexpectedly tagged

Ambiente

Riepilogo

Soluzione

Informazioni correlate

Prodotti interessati

Lingue:

Glossario dei termini tecnici

Scegli la regione

Title

Title