What kind of DLP Endpoint configuration and licensing options are available?
DLP Endpoint is available in two configurations:
- Device Control
- DLP Endpoint (Full DLP Endpoint)
Each configuration is available with two licensing options:
- 90-day trial
- Unlimited license
The default installation is a 90-day license for McAfee Device Control. On installation, the McAfee Device Control configuration is activated. Upgrading the license key in DLP Settings in ePO Console changes to the full-featured configuration.
What features are included in DLP Endpoint?
A full DLP Endpoint license has all capabilities of a Device Control license. In addition, full DLP Endpoint software includes the following:
- Universal protection that protects against data loss through the broadest set of data-loss channels. For example, removable devices, email (including attachments), web posts, printing, and file system.
- Persistent content-aware data protection that protects against data loss regardless of the format in which data is stored or manipulated. It enforces data loss prevention without disrupting legitimate user activities.
- Protection on-the-go that prevents transmission of sensitive data from desktops and laptops, regardless of whether they are connected to the enterprise's network.
What licenses are available for DLP?
DLP is a suite of products, each of which protects different types of data in your network. License types available:
- Data Loss Prevention Endpoint - Inspects and controls content and user actions on endpoints.
- Device Control - Controls the use of removable media on endpoints.
- Data Loss Prevention Discover - Scans file repositories to identify and protect sensitive data.
- Data Loss Prevention Prevent - Works with your web proxy or MTA server to protect web and email traffic.
NOTE: Data Loss Prevention Prevent for Mobile Email is no longer supported. This product used to work with MobileIron to monitor Microsoft Exchange ActiveSync or Microsoft Office 365 ActiveSync requests
All licenses have trial versions and Perpetual versions.
Trial versions use a 90-day license key.
- If you have only the ePO extension or endpoint software, you do not have the text file. Download the full package from the Product Downloads page. For more information, see KB56057 - How to download Enterprise product updates and documentation.
- If you have a trial package but do not have the text file, contact your sales representative or sales engineer for assistance in downloading the software.
How long does the license remain active?
The trial license remains active for 90 days before expiring. After 90 days, your policies will not be applied. Perpetual licenses do not expire.
Are there any best practice recommendations or white papers available for using Data Loss Prevention?
- Data Loss Prevention (DLP) Best Practices
- Choosing a Data Loss Prevention Solution
https://www.mcafee.com/enterprise/en-us/security-awareness/data-protection/choose-dlp-solution.html
- Universal data protection across devices, networks, and the cloud
https://www.mcafee.com/enterprise/en-us/products/data-protection-products.html
- Comprehensive data loss prevention in one suite
https://www.mcafee.com/enterprise/en-us/products/total-protection-for-data-loss-prevention.html
Scanners and indexers are applications that iterate files for scanning, such as:
- Antivirus Software
- Backup Applications
- Windows Search
Indexers and scanners scan through the hard drive and access many files. When a scanner/indexer accesses tagged files, the DLP Endpoint Agent loads all tagged content's fingerprints into the memory. For them to not load these memories into the system, indexers and scanners must be set to use a Trusted Application Strategy. This setting is considered a best practice in configuring DLP Endpoint. The reason is because there is no need for the DLP Endpoint Agent to track all files. It also improves system performance significantly.
How do I configure a Trusted Application Strategy Policy?
Application strategies are set on the Application Template page in DLP Policy Manager, Definitions. Use the built-in templates, or create your own custom templates.
NOTE: You can't edit strategies in the built-in templates. You can create overrides on the DLP Policy, Settings, Application Strategy page. Create and remove overrides as needed to experiment with fine-tuning the policy.
Change the strategy as needed to optimize performance. For example, the high level of observation that an editor application receives is not consistent with the frequent processing of backup software. The performance penalty is high and the risk of a data leak from such an application is low. So, we don't recommend using the trusted strategy with these applications.
You can also create more than one template for an application and assign it more than one strategy. To achieve different results in different contexts, use the different templates in different classifications and rules. You must be careful in assigning such templates within rule sets to avoid conflicts. McAfee DLP resolves potential conflicts according to the following hierarchy:
For more detailed information, visit this link:
https://docs.mcafee.com/bundle/data-loss-prevention-11.4.x-product-guide/
Do scanners and indexers affect how tagging works?
When a file is accessed, the DLP Endpoint Agent analyzes the content, then create and store its fingerprints in memory (RAM).
Do DLP Endpoint tags work on the entire file or content of the file?
On the file system level, DLP Endpoint tags are stored in a file's extended file attributes (EA) or alternate data streams (ADS). When a tagged file is accessed, the DLP Endpoint Agent tracks data transformations. Also, it maintains the classification of the sensitive content of the tagged file persistently, regardless of how it is used.
Tags work on content. So, if a whole file contains just a part of tagged content, such as content copied from another document, only that part is tagged. Only that part is tagged even though Manual Tagging indicates that the file is tagged. With the default agent configuration, at least two chunks, or about 350 non-repeating characters, are needed to identify and track tagged content. For more information, see KB53436 - Details about the smallest data set that triggers a Data Loss Prevention reaction.
How does tagging propagate from one file to another?
Tags work in much the same way as signatures and are generated in a similar way to fingerprint hashes. These signatures help to identify if the content of the file matches the original signature content.
When a tagged file is accessed, the tagged content signatures are loaded into memory (RAM). From that point on, if a user accesses and changes another file to contain identical content in the tagged file, the new file is tagged when it is saved. The result is similar, regardless of whether you copy a file to a new document or an existing document. Only the relevant part of the file is tagged.
How about when you copy content of a file and paste it in an email body or web browser form?
When a tagged file is accessed, the tagged content signatures are loaded into memory (RAM). From this point forward, all protection rules actions apply to this content. If an Email Protection Rule is configured to block the tag, content pasted from a tagged file is blocked. The same condition applies to Web Post Protection Rules.
How is the tag stored on the file system?
Tag technology works with the NTFS (New Technology File System) functionality of the host. Unlike FAT32 (File Allocation Table), NTFS has extra allocation space for the files to be stored. This fact allows tagging technology to work independently on file properties. The fallback method for FAT32 is ADS and ODB$ (in FAT32). For file systems that do not support EA or ADS, DLP Endpoint stores tag information as a metafile on the disk. The metafiles are stored in a hidden folder named ODB$. DLP Endpoint agent creates this folder automatically.
NOTE: Because the tag is not stored directly in the file or file properties, the content is not affected when a file is tagged.
Can a tag be lost if it is uploaded through web post or transferred via FTP?
The uploaded file is not tagged. Upload via web post or FTP only deals with the file content itself, and not the additional information in the file system. If there are web/network protection rules configured, the file upload or transfer can be monitored or prevented.
If I am accessing a file that is not tagged but the content matches tagged content, is it tagged?
Although no content is being copied from tagged FILE_1 to FILE_2, FILE_2 is still tagged when it is saved. It is tagged because the content matches the tag signatures stored in memory when FILE_1 was accessed. This method is similar to a signature matching technology, where the end file resembles the content of the fingerprinted file.
How can the tags in memory be deleted?
The tags stored in memory are deleted when the user logs out or restarts the system.
Does resetting a tag remove the tags from the extended attribute of the file?
Yes. If a tag was reset, the identification (GUID) of the tag is changed. When the agent has the latest policy and it detects a tag identification that it does not recognize, the tag is removed from the extended attributes when the file is saved.
How does allow list complement a tag?
The content in allow list are prevented from being tagged. Normally, allow list is useful for common contents like disclaimer or standard company templates.
Does allow list affect previously tagged files already residing on the user endpoint?
It works on newly tagged files or files tagged before allow list is configured. As long as the part of content is in allow list, protection rules are not applied to the content.
How does DLP Endpoint tagging work with compression software?
If a tagged file is compressed, the resulting archive is also tagged. The Administrator must make sure that the archiver application is set to use the Archiver application strategy. Technical Support has included in DLP Endpoint the application strategy of some popular archive applications like WinZip.
Back to top
