mcafee dlp 9.0.1 product guide.pdf
McAfee Data Loss Prevention Product Guide
Release 9.0.1
COPYRIGHT
Copyright © 2010 McAfee, Inc. All Rights reserved.
This documentation is protected by copyright and distributed under licenses restricting its use, copying, distribution, and
compilation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form or by any means without permission of McAfee, Inc. or the suppliers or affiliate
companies.
TRADEMARK ATTRIBUTIONS
Reconnex iGuard, inSight Console, Prevent and Discover, now known as McAfee Network DLP Manager, Monitor,
Discover and Prevent, are Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. All McAfee related products contained herein (including Reconnex™) are registered trademarks or
trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries.
McAfee reserves the right to change any products described herein at any time, and without notice. McAfee assumes no
responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by
McAfee. The use and purchase of this product does not convey a license to any patent copyright, or trademark rights, or
any other intellectual property rights of McAfee.
FCC SPECIFICATIONS
This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with
the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this
equipment is likely to cause harmful interference, in which case the user may be required to take adequate measures. In a
domestic environment this product may cause radio interference, in which case the user may be required to take
adequate measures.
PRODUCT INFORMATION
McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products,
registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their
respective owners.
The documentation is provided "as is" without warranty of any kind, either expressed or implied, including any kind of
implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular
purpose.
November 10, 2010
ii McAfee DLP 9.0.1 Product Guide
Contents
Introducing McAfee DLP 9.0 1
McAfee DLP Products 1
Product Naming Conventions 2
Features of McAfee DLP 9.0 2
How DLP Monitor works 2
Unified policy features 3
Incident management features 4
Discovery features 4
Directory server integration features 5
System management features 5
How Host DLP works 6
How Network DLP works 6
Use Cases 6
Examples 6
Protecting Confidential Data 7
Finding leaked documents 7
Identifying and tracking specific documents 8
Finding copied or relocated files 8
Blocking data containing source code 9
Filtering Results 10
Finding documents by file type 10
Finding high-risk incidents 10
Eliminating false positives from results 11
Detecting Insider Activity 11
Monitoring a user's online activity 11
Identifying disgruntled employees 12
Finding unencrypted user data 12
Finding policies violated by a user 13
Getting statistics on website visits 13
Finding message board postings 13
Finding social networking traffic 14
Finding Rogue Communications 15
Finding encrypted traffic 15
Identifying frequent communications 15
Finding email using non-standard ports 16
Excluding an IP or email address from detection 16
Detecting Privacy Violations 17
Preventing release of privacy information 17
Blocking transmission of financial data 17
Protecting Endpoints 18
Blocking intellectual property residing on endpoints 18
Keeping IP from being copied to a USB drive 19
Keeping intellectual property from being printed 21
Preventing loss of project data from endpoints 22
Protecting intellectual property at a specific network location 23
Protecting Global Business 23
Finding evidence of foreign interference 23
Finding leaks after global close of business 24
Filtering captured data 25
Filtering out configuration-controlled files 25
Storing a portion of filtered traffic 25
Searching captured data 26
How data is captured and processed 26
Using search features 27
Basic search processes 27
How capture works 27
Adding or subtracting search parameters 27
Searching with managed systems 27
Getting notification of results 27
Getting details and search history 28
Stopping searches 28
Cloning searches 28
Finding documents 28
How to find documents 28
Finding Microsoft or Apple documents 29
Finding documents by type 29
Finding office documents 30
Finding proprietary documents 30
Finding source code 30
Finding email and chat 31
How to find email 31
Finding email by address 31
Finding email by host name 31
Finding email by domain name 32
Finding email by port 32
Finding email by protocol 32
Finding email subjects 33
Finding email attachments 33
Finding email senders 33
Finding email recipients 34
Finding copies of emails 34
Finding blind copies of emails 34
Finding webmail by port 35
Finding webmail by protocol 35
Finding chat sessions 35
Finding files 36
How to find files 36
Finding file name patterns 36
Finding files by file type 37
Finding files by owner 37
Finding files by size 37
Finding files by document type 38
Finding files using MD5 signatures 38
Finding images 39
How to find images 39
Finding images of people 39
Finding images using a template 39
Finding IP addresses 40
How to find IP addresses 40
Finding a range of IP addresses 40
Finding IP addresses on a subnet 40
Excluding incidents using specific IP addresses 41
Finding keywords 41
Excluding keywords from a query 41
Finding exact matches 42
Finding keyword expressions 42
Finding keywords using logical operators 42
Finding non-English matches 43
How to find keywords 44
Supported languages 45
Logical operators supported in keyword queries 45
Finding locations of violations 45
Finding sources of violations 45
Finding violations by website 46
How to find locations 46
List of country codes 47
Finding violations by port 47
How to find violations by port 47
Excluding ports from a query 47
Finding violations by port range 47
List of common port assignments 48
Finding violations by protocol 48
How to find violations by protocol 48
Excluding protocols from a query 49
Finding violations in time 49
How to find time-stamped files 49
Searching in a relative time frame 49
Searching in an exact time frame 50
Searching by file creation time 50
Searching by file last accessed time 51
Searching by last modification time 51
Searching by local or Greenwich Mean Time 51
Searching with concepts and templates 52
Using concepts and templates in queries 52
Using concepts in queries 52
Using templates in queries 53
Using concept expressions in a query 53
Excluding a concept from a query 54
Understanding search rules 54
Rules used by the indexer 54
How archives are handled 55
Case insensitivity rule 55
How Microsoft Office 2007 files are handled 55
Avoiding negative searches 56
Number of results supported 56
Parts of speech excluded from capture 56
How proper names are treated 56
Handling of short words 56
Special character exceptions 56
How word stemming is handled 57
Monitoring Active Directory users 57
How remote user accounts are monitored 57
Using Active Directory User elements 58
Using DLP on remote LDAP servers 58
Viewing Active Directory incidents 58
Adding Active Directory columns to the dashboard 59
Adding rules to find Active Directory information 59
Advantages of keying on SIDs 60
Types of Active Directory data supported 60
How McAfee Logon Collector is used with DLP 61
How McAfee Logon Collector enables user identification 61
Finding remote user information 61
How remote user data is retrieved 61
Finding remote users by name 62
Finding remote users by group 62
Finding remote users by city 63
Finding remote users by country 63
Finding remote users by organization 64
Getting and processing results 64
Using the Incidents dashboard 64
Using the DLP Homepage 65
Checking Homepage permissions 65
Configuring the DLP Homepage 65
Customizing the DLP Homepage 66
How to use the Homepage 66
Getting details of results 66
How to get incident details 66
Finding matches that triggered incidents 67
Finding out if an incident is in a case 67
Getting history of an incident 67
Identifying concepts that triggered incidents 67
Generating reports 67
How reports are generated 67
Adding a company name to a report 68
Creating CSV reports 68
Creating HTML reports 68
Creating PDF reports 69
Scheduling reports 69
Setting up views 69
How to set up views 69
Copying views to users 70
Deleting views 70
Saving views 70
Selecting different views 71
Selecting a view vector 71
Selecting pre-configured views 71
Customizing the results dashboards 72
How dashboards are customized 72
Adding rows to the dashboard 72
Changing dashboard display space 72
Configuring dashboard columns 72
Displaying match strings 73
Grouping and filtering incidents 73
How incidents are grouped and filtered 73
Clearing filters 73
Filtering incidents 73
Grouping incidents 74
Setting a date and time for results 74
Sorting results 75
How to sort results 75
Deleting incidents 75
Deleting similar incidents 75
Finding incidents that violated a policy 76
Sorting incidents by attribute 76
Changing settings 76
How settings are changed 76
Configuring throttling to limit incidents 77
Encrypting incidents 77
Preventing data loss 77
Protecting data with DLP Prevent, Discover, and Endpoint 77
Protecting data with DLP Prevent 78
How DLP Prevent protects data 78
Adding a DLP Prevent action rule 78
Applying a DLP Prevent action rule 79
Types of DLP Prevent actions 79
The role of DLP Prevent in a managed system 80
How DLP Prevent processes email 80
Configuring DLP Prevent for email 80
How DLP Prevent processes webmail 81
Configuring DLP Prevent for webmail 81
MTA requirements to inter-operate with Prevent 82
Reviewing prevented violations 82
Protecting data with DLP Discover 82
How DLP Discover protects data 82
Adding a remedial action rule 83
Types of remedial action 83
Applying a remedial action to a rule 84
Setting up a location for exported files 84
Copying discovered files 85
Deleting discovered files 85
Encrypting discovered files 86
Moving discovered files 87
Reverting remediated files 88
Reviewing remedial actions 88
Adding columns to display remedial actions 88
Protecting data with Host DLP (Endpoint) 89
Adding an Endpoint action rule 89
Applying an action to a rule with Endpoint parameters 89
How Host DLP protects data 90
Types of DLP Endpoint actions 90
Protecting endpoint data 90
Host DLP: Integrated into Network DLP 90
How Host DLP extends network results 91
How Network DLP protects endpoints 91
Creating Agent Override Passwords 91
Agent events that cannot be reported 92
Viewing endpoint events 92
Types of endpoint events 93
Managing endpoints 93
How Host and Network policies differ 93
How Host DLP rules are mapped to Network DLP 94
Adding endpoints to existing network rules 94
Limitations of rules with Endpoint parameters 94
Excluding printers from protection rules 95
Assigning Host DLP incidents to cases 95
Searching endpoint data 95
Limitations of this release 95
Discovering data at risk 95
Introducing McAfee DLP Discover 95
Setting up Discover 96
Configuring DLP Discover 96
Adding Discover to Manager 96
Preparing Discover for managed mode 96
Republishing Discover policies 97
Setting Discover registration permissions 97
Setting Discover scan permissions 97
Task status messages 98
System status messages 99
Registering sensitive content 100
Registering documents or structured data 100
How signatures register data 101
Managing registered documents 101
Registering documents by uploading 101
Uploading complete paths with Firefox 102
Excluding text from registration 102
Searching with the DocReg concept 102
Adding the DocReg concept to a rule 103
Setting signature types 103
How signatures are shared with managed systems 104
Managing signature generation memory 104
Deregistering content 104
Reregistering content 104
Crawling databases 105
Protecting sensitive database content 105
What is Dynamic Data Registration? 105
Database types supported 106
Database object hierarchy differences 106
Database terminology differences 107
Registering structured data by uploading 107
Setting up basic database scans 108
Advanced Options definitions for database scan operations 108
Defining catalogs to be scanned 109
Defining columns to be scanned 109
Defining logins for a database scan 109
Defining nodes for database scan operations 110
Defining ports for a database scan 110
Defining records/rows to be scanned 111
Defining schemas to be scanned 111
Defining SSL certificates for a database scan 111
Defining tables to be scanned 112
Managing scans 112
Managing scan operations 112
Types of scan states 113
Viewing scan operations 113
Modifying the state of a scan 113
Deploying scans 114
Starting scans 114
Stopping scans 114
Setting bandwidth for a scan 115
Scanning in full duplex mode 115
Managing scan load 116
Editing scans 116
Deleting scans 116
Setting up scans 117
Preparing to scan 117
Setting up basic scans 117
Repository types supported 118
Configuring inventory scans 118
Configuring discovery scans 119
Configuring registration scans 120
Firewall configuration to allow scanning 120
Managing credentials 121
Using credentials to access repositories 121
Viewing existing credentials 122
Adding credentials 122
Editing credentials 122
Deleting credentials 122
Scheduling scans 123
Using scan schedules 123
Viewing scan schedules 123
Editing scan schedules 123
Deleting scan schedules 123
Filtering scans 124
Defining scans 124
Filtering scans by browsing 124
Filtering scans manually 125
Filtering IP addresses to be scanned 126
Filtering URLs to be scanned 126
Filtering file properties for a scan 127
Filtering folders to be scanned 128
Filtering shares to be scanned 128
Setting policies for a scan 129
Getting scan results 129
How scan statistic reporting works 129
Understanding scan results 130
Viewing incidents found by a scan 130
Getting reports of scan statistics 130
Getting database scan statistics 131
Adding columns to scan statistics 131
Viewing registered data matches 131
Viewing scan status 131
Getting historical statistics 132
Searching discovered data 132
Finding discovered data 132
Finding scan operations 132
Finding registered files in discovered data 133
Finding repository types in discovered data 133
Finding IP addresses in discovered data 133
Finding host names in discovered data 134
Finding file name patterns in discovered data 134
Finding file owners in discovered data 135
Finding file paths in discovered data 135
Finding percentages of registered data at rest 135
Finding share names in discovered data 136
Finding domain names in discovered data 136
Finding catalogs in discovered data 136
Finding schemas in discovered data 137
Finding column names in discovered data 137
Finding table names in discovered data 137
Finding records and rows in discovered data 138
Storage scanning requirements 138
Accessing network storage 138
Accessing Network Attached Storage (NAS) 138
Accessing Storage Area Networks (SANs) 138
Host vs. network discovery 138
How host and network scans differ 138
How host and network remediation differs 139
How host and network registration works 139
Deploying a host package to the agents 139
Registering documents on host computers 140
Setting up a host discovery scan 140
Configuring a policy for host discovery 141
How host scans are scheduled 141
Scheduling a host discovery scan 141
Scheduling a host registration scan 142
Using policies and rules 142
How policies and rules are used 142
Using policies 143
How policies work 143
Policy field definitions 143
Using international policies 144
Adding policies 145
Activating policies 145
Deactivating policies 146
How activation works 146
How inheritance works 146
Changing ownership of policies 147
Publishing policies 147
Cloning policies 147
Renaming policies 148
Executing policies 148
Editing policies 148
Deleting policies 148
Using rules 149
How rules work 149
Adding rules 149
Viewing rule parameters 149
Reconfiguring rules for web traffic 150
Copying a rule to a policy 150
Detaching rules from policies 150
Editing rules 151
Deleting rules 151
Defining exceptions to rules 151
What are false positives? 151
How exceptions to rules are defined 151
Defining false positive incidents 152
Adding exceptions to existing rules 152
Adding new rules that contain exceptions 153
Correcting inaccurate rules 153
Tuning rules 154
Using action rules 155
How action rules are used 155
How action rules are deployed 155
Reacting to violations 155
Comparing Action to Protection rules 156
Assigning status to an incident 156
Applying an action rule 156
Assigning responsibility for an action 156
Using action rules to log incidents 157
Using action rules to notify users 157
Reconfiguring action rules for proxy servers 158
Setting up an action 158
Editing action rules 158
Cloning action rules 159
Removing an action from a rule 159
Deleting action rules 159
Using concepts and templates 159
How concepts and templates are used 159
Using concepts 160
How concepts are used 160
Types of concepts 160
Adding content concepts 160
Adding network concepts 161
Adding session concepts 162
Setting concept conditions 163
Applying concepts to rules 164
Using regular expressions in concepts 164
Restoring factory concepts 165
Editing concepts 166
Deleting concepts 166
Using templates 166
How templates are used 166
Adding templates 166
Viewing standard templates 167
Removing a template from a rule 167
Deleting templates 167
Using the case management system 168
How case management works 168
Collecting credit card violations in a case 168
Adding a new case 168
Using incidents to create a case 169
Adding incidents to an existing case 169
Adding comments to a case 170
Notifying users about a case 170
Changing ownership of cases 170
Changing resolution of cases 170
Changing status of cases 171
Customizing Case List columns 171
Customizing case notifications 171
Exporting cases 171
Managing case permissions 172
Reprioritizing cases 172
Deleting an incident from a case 173
Deleting cases 173
Managing DLP systems 173
Managing the system 173
Configuring DLP devices 173
Configuring DLP devices 173
Adding devices to DLP Manager 174
Adding Host DLP servers to DLP Manager 174
ePO installation issues 175
Changing link speed 175
Managing disk space 175
Backing up DLP systems 176
Restarting DLP systems 177
Deregistering devices from DLP 177
Adding servers to DLP systems 177
Configuring servers with DLP systems 177
Setting up DHCP services 178
Using DHCP servers with DLP 178
Adding DHCP servers 178
Setting up directory services 179
Using LDAP servers with DLP 179
Adding Active Directory servers 179
Adding LDAP Users 181
Configuring Active Directory servers for DLP 181
Exporting certificates from Active Directory 182
How ADAM servers extend DLP Manager 183
Mapping LDAP directory attributes 183
Setting up McAfee Logon Collector 184
Using McAfee Logon Collector with DLP 184
Authenticating DLP Manager and MLC 184
Setting up syslog and time servers 185
Using syslog and time servers with DLP 185
Connecting to syslog servers 185
Correcting system time in the interface 186
Resetting system time manually 187
Synchronizing DLP devices 187
Managing users and groups 188
Setting up users and groups 188
Managing user groups 189
Working with user groups 189
Using pre-configured user groups 189
Adding user groups 189
Restricting user groups 190
Deleting user groups 190
Managing users 190
Working with users 190
Adding users 190
Using pre-configured user types 191
Changing passwords and profiles 191
Creating an ePO database user 191
Using a primary administrator account 191
Viewing active user sessions 192
Setting permissions 192
Assigning permissions 192
Checking permissions 192
Setting policy permissions 193
Setting task permissions 193
Managing user accounts 193
Working with user accounts 193
Customizing login settings 193
Customizing password settings 194
Configuring failover accounts 194
Auditing users 194
Using audit services 194
Filtering audit logs 194
Getting audit log reports 195
Filtering audit log reports 195
Auditing live users 195
Sorting audit log reports 196
Using capture filters 196
Working with capture filters 196
Types of capture filters 196
Types of capture filter actions 196
How content capture filters work 197
Content capture filter actions 197
Adding content capture filters 198
How network capture filters work 198
Network capture filter actions 199
Ignoring or storing IP addresses 199
Adding network capture filters 200
Reprioritizing network capture filters 200
Deploying capture filters 201
Editing capture filters 201
Using undeployed capture filters 201
Viewing deployed capture filters 202
Deleting capture filters 202
Setting up system alerts 202
Configuring system alerts 202
Configuring device down alerts 202
Types of device down alerts 203
Technical specifications 203
Understanding specifications 203
Power Redundancy 203
Rack Mounting Requirements 203
Safety Compliance Guidelines 204
Contacting Technical Support 204
Contacting DLP Technical Support 204
Creating a Technical Support Package 205
Glossary 207
Index 213
Introducing McAfee DLP 9.0
McAfee DLP Products
In this release, Host DLP 9.0 and the Network DLP 8.6 products are integrated, and both are also part of ePO 4.5.
McAfee Data Loss Prevention Products
DLP Manager
Coordinates and centralizes all Monitor, Host, Discover and Prevent activity on the network, in file systems and databases, and on endpoints.
Host DLP
Host DLP monitors data on endpoints (desktops, laptops, removable media, printers, etc.) using network resources, generates and reports events when violations are detected, and prevents sensitive data from being compromised.
DLP Monitor
DLP Monitor sits passively in the network, connected to a core switch or router inside the firewall via a SPAN or TAP port. It captures and analyzes all TCP traffic, produces incidents that indicate violations have been detected, and allows disposition of those incidents through filtering and case management.
DLP Discover
DLP Discover scans network file systems, databases, and endpoints, registers sensitive data, detects policy violations, and allows for remediation of those incidents. NAS, intranet portals, wikis, blogs, document management systems, and FTP servers can also be scanned.
DLP Prevent
Network DLP Prevent works with an email or web gateway via the SMTP or ICAP protocol, respectively. It analyzes gateway traffic, adds X-headers to indicate actions to be taken on significant content, then returns the processed data to the gateway for enforcement. The MTA or proxy server receiving the data then blocks, bounces, encrypts, quarantines, redirects or allows the marked content.
NOTE: You can use the familiar Host DLP product if you prefer — it is still available as a standalone product.
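The DLP Prevent flow described above, as an added example that is not McAfee's code: the Prevent side evaluates rules against a message and marks it with an X-header naming the action, and the MTA side reads only that header and enforces it. The header names X-DLP-Action and X-DLP-Rule, the two rules, and the sample messages are assumptions made for this example; the action vocabulary is the one the guide lists for the MTA or proxy.

```python
"""Added example, not McAfee's code: SMTP-path DLP Prevent marking and
MTA enforcement. Header names, rules and sample mail are assumptions."""
import email
import re
from email import policy
from email.message import Message

ACTION_HEADER = "X-DLP-Action"   # assumed header name
RULE_HEADER = "X-DLP-Rule"       # assumed header name

# Most severe first; these are the MTA/proxy actions the guide lists.
PRECEDENCE = ["block", "bounce", "quarantine", "redirect", "encrypt", "allow"]

# Hypothetical rules: (name, pattern over the message text, action).
RULES = [
    ("source-code", re.compile(r"^\s*(#include\s*<\w+\.h>|import\s+\w+|def\s+\w+\()", re.M), "block"),
    ("internal-only", re.compile(r"\bINTERNAL ONLY\b"), "encrypt"),
]


def parse(raw: bytes) -> Message:
    return email.message_from_bytes(raw, policy=policy.default)


def message_text(msg: Message) -> str:
    """Collect every text/* part (body and text attachments) for rule matching."""
    return "\n".join(
        part.get_content() for part in msg.walk()
        if part.get_content_maintype() == "text"
    )


def analyze(raw: bytes) -> Message:
    """Prevent side: evaluate rules and mark the message with one action."""
    msg = parse(raw)
    text = message_text(msg)
    hits = [(name, action) for name, pat, action in RULES if pat.search(text)]
    action = min((a for _, a in hits), key=PRECEDENCE.index, default="allow")
    # Strip any sender-supplied copies first; otherwise a mail that already
    # carries "X-DLP-Action: allow" could talk the MTA out of enforcement.
    del msg[ACTION_HEADER]
    del msg[RULE_HEADER]
    msg[ACTION_HEADER] = action
    if hits:
        msg[RULE_HEADER] = ", ".join(name for name, _ in hits)
    return msg


def enforce(msg: Message) -> str:
    """MTA side: dispatch on the header Prevent added; unknown values fail closed."""
    action = str(msg.get(ACTION_HEADER, "")).strip().lower()
    return action if action in PRECEDENCE else "quarantine"


def process(raw: bytes) -> tuple:
    """Run a message through both sides; returns (rule names, enforced action)."""
    marked = analyze(raw)
    return str(marked.get(RULE_HEADER, "")), enforce(marked)


# Constructed sample traffic (not real mail). LEAK carries a forged
# X-DLP-Action header to show that the analyzer overwrites it.
LEAK = (b"From: dev@example.com\r\nTo: friend@example.net\r\nSubject: backup\r\n"
        b"X-DLP-Action: allow\r\nContent-Type: text/plain\r\n\r\n"
        b"#include <stdio.h>\r\nint main(void) { return 0; }\r\n")
MEMO = (b"From: pm@example.com\r\nTo: partner@example.net\r\nSubject: roadmap\r\n"
        b"Content-Type: text/plain\r\n\r\nINTERNAL ONLY: Q3 pricing attached.\r\n")
LUNCH = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: lunch\r\n"
         b"Content-Type: text/plain\r\n\r\nNoon at the usual place?\r\n")
TAMPERED = (b"From: x@example.com\r\nTo: y@example.net\r\nSubject: hi\r\n"
            b"X-DLP-Action: whatever\r\n\r\nno analysis ran on this one\r\n")

if __name__ == "__main__":
    for raw in (LEAK, MEMO, LUNCH):
        print(process(raw))
```

Two details matter in practice: the analyzer must discard any action header that arrived with the message, and the MTA must treat a missing or unrecognized value as a reason to hold the mail rather than deliver it, so a message that bypassed Prevent does not sail through.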
DLP 9.0 organizes incidents and events into three databases, holding the incidents found on the network
(Data-in-Motion), in network repositories (Data-at-Rest), and on endpoints (Data-in-Use).
Data-in-Motion
Data-in-Motion on the network is captured and parsed into hundreds of different categories by
DLP Monitor. All real-time and historical data on the network is searchable, allowing for the
creation of rules that adapt to changing content.
Data-at-Rest
Data-at-Rest in network repositories can be inventoried, and sensitive data can be registered
automatically by matching it to existing rules and policies. Not only can the contents of
documents be recognized and protected, but specific documents can be explicitly protected,
individually or in groups.
Host DLP defines Data-at-Rest on endpoints by location, document properties, user-defined
metadata, file types, text patterns and attributes, encryption types, and user groups.
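Registering a document and later recognizing copies or excerpts of it, as an added example that is not McAfee's code (the guide says registration works by signatures but does not describe the scheme): a document is registered as a set of SHA-256 digests over overlapping eight-word windows, and a candidate file or message is scored by the share of its windows found in that set. The window size, the 50% threshold and the sample texts are assumptions made for this example.

```python
"""Added example, not McAfee's code: content-signature registration and
percentage matching. Window size, threshold and sample texts are assumed."""
import hashlib
import re

WINDOW = 8   # words per signature window (assumed)


def signatures(text: str) -> list:
    """One digest per sliding window of WINDOW normalized words."""
    words = re.findall(r"\w+", text.lower())
    spans = max(1, len(words) - WINDOW + 1)
    return [
        hashlib.sha256(" ".join(words[i:i + WINDOW]).encode()).hexdigest()
        for i in range(spans)
    ]


def register(text: str) -> set:
    """Register a document: keep only its signatures, never the text itself."""
    return set(signatures(text))


def match_percentage(candidate: str, registered: set) -> float:
    """Share of the candidate's windows that appear in the registered set."""
    sigs = signatures(candidate)
    return 100.0 * sum(s in registered for s in sigs) / len(sigs)


def is_violation(candidate: str, registered: set, threshold: float = 50.0) -> bool:
    """Policy decision: report the candidate when enough of it is registered content."""
    return match_percentage(candidate, registered) >= threshold


# Constructed sample texts (not real documents).
REGISTERED_DOC = ("The Falcon program budget for fiscal 2011 is four million dollars "
                  "allocated across hardware procurement software licensing and contractor "
                  "support with quarterly review by the steering committee")
EXCERPT = "fyi - " + REGISTERED_DOC + " - please do not forward"   # pasted verbatim
EDITED = REGISTERED_DOC.replace("four million", "five million")     # one figure changed
UNRELATED = "Lunch is at noon in the main conference room today please rsvp"

if __name__ == "__main__":
    reg = register(REGISTERED_DOC)
    for name, text in [("excerpt", EXCERPT), ("edited", EDITED), ("unrelated", UNRELATED)]:
        print(name, match_percentage(text, reg), is_violation(text, reg))
```

Because only digests are stored, the registered set can be pushed to scanners and endpoints without distributing the confidential text itself, and the percentage gives the fine-grained distinction between a full copy, a quoted excerpt, and a lightly edited version.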
Data-in-Use
Data-in-Use on endpoints can be matched to the same rules and policies as all other network
data, and adding one or more Host parameters to a rule extends it to keep data from being
compromised in a variety of ways. Rule parameters can also be extended to specific shares,
network paths, file types or encryption types.
NOTE: In Host DLP 9.0, Data-in-Motion refers to sources and destinations of endpoints (for example, email,
webmail, printers, etc.), and Data-in-Use is categorized by the application that created it.
Product Naming Conventions
The McAfee DLP suite is referenced in the documentation by the following product names.
McAfee Short Name    McAfee Product Name
Host DLP             McAfee Host DLP
DLP Manager          McAfee Network DLP Manager
DLP Monitor          McAfee Network DLP Monitor
DLP Prevent          McAfee Network DLP Prevent
DLP Discover         McAfee Network DLP Discover
Features of McAfee DLP 9.0
All DLP products, including Host DLP, are now integrated in ePO 4.5.
In addition, many features in the following categories have been added.
● Unified policy features
● Incident management features
● Discovery features
● Directory server integration features
● System management features
How DLP Monitor works
DLP Monitor captures all network traffic; performance and results can be improved by
deploying capture filters that limit the amount of data that will be recognized and indexed.
After capture and classification, incidents can be extracted from the database automatically or
manually.
Automatic Extraction
Standard policies are pre-configured to apply rules to classified network data. When a rule hits
on a match, an incident is created in the database and reported on the Data-in-Motion
dashboards.
For example, if you have the HIPAA policy deployed, the system will identify and report any
medical privacy violation.
Manual Extraction
Through DLP Manager, you can query all DLP Monitor databases directly using the search
options available from the DLP Reporting | Search page. When a query hits on significant data,
the search can be repeated regularly by saving it as a rule under a new or existing policy.
NOTE: When a query or rule matches any stored attribute, the entire object to
which it belongs is reported to the dashboard as an incident.
Unified policy features
In this release, international policies apply to both network and host applications. All products
are configured through one interface and need only one policy set, which is applied to all
vectors.
Unified Policies implemented
Host and Network DLP are integrated in this release, making it possible for users to create rules
containing Network and Host DLP parameters and display results on all dashboards. Integration
of Discover, McAfee Logon Collector, and LDAP servers makes it possible to extend all features
across global enterprises, protecting data whether it is online or offline.
Internationalized content
Pre-packaged international rules and concepts supporting local laws and business cases have
been added. Ad hoc searches, scans, and document registration can be done in local
languages, and dashboards display incidents in local languages.
Rules configurable with multiple user attributes
Use of Active Directory parameters in rules allows retrieval of data from groups and sites through
directory servers, which may be located anywhere on the globe.
Concept checks added
Algorithms that correspond to specific user-defined concepts can be implemented to detect and
correct transcription errors at runtime, decreasing reports of false positives.
Concept address space added
Up to 512 concepts can be implemented by DLP Manager.
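A concept check of the kind described above, as an added example that is not McAfee's code: a credit card concept pairs a digit-pattern match with the Luhn checksum, so a candidate that looks like a card number but fails the checksum (a mistyped digit, an order number) is not reported, which is where the false-positive reduction comes from. The pattern, the checksum choice and the sample text are assumptions made for this example.

```python
"""Added example, not McAfee's code: a pattern concept with a checksum check.
The candidate pattern, Luhn validation and sample text are assumptions."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): True if the digits form a valid number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> dict:
    """Split candidates into validated matches and rejected lookalikes."""
    matched, rejected = [], []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        (matched if luhn_ok(digits) else rejected).append(digits)
    return {"matched": matched, "rejected": rejected}


# Constructed sample text: one order number, two valid test card numbers,
# and one card number with a transcription error in the last digit.
SAMPLE = """Order 1234567890123456 shipped today.
Card on file: 4111 1111 1111 1111 (exp 12/27)
Backup card 5500-0000-0000-0004
Retyped from voicemail: 4111 1111 1111 1112
"""

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
```

Without the checksum step all four candidates would be reported; with it, only the two that can actually be account numbers become incidents, and the rejected list is still available for tuning.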
Incident management features
In this release, more options are available to effectively manage incidents.
Databases encrypted
Databases are encrypted, and authorized users can decrypt case, incident and capture data at
will.
Reporting is expanded
HTML reports are available for all three incident modes, and PDF reports are now available for
Incident Details. Special characters are supported in reports.
Case permissions can be assigned
Role-based authorization enables administrators to distribute case privileges according to need
to know.
Case enhancements added
Administrators can set up notifications of case assignments or changes. The Case List can be
customized, and case logs now contain incident history. The timestamp filter is updated to match
the incidents feature.
Discovery features
In this release, DLP Discover functionality is expanded to support databases, large volumes of
data, increased remediation options and additional scan features.
Database crawling supported
In addition to the storage repositories already supported, DLP Discover now supports ODBC database connections.
DLP Discover now crawls the following structured databases as well as network repositories:
● DB2, versions 5.x iSeries, 6.1 iSeries, 7.x-9.x
● MS SQL Server, versions 7.0, 2000, 2005, 2008, MSDE 2000
● MySQL (Enterprise), versions 5.0.x, 5.1
● Oracle, versions 8i, 9i, 10g, 11g
Dynamic data registration
Large volumes of data (up to 300 million records) can not only be registered as sensitive and
tracked, but fine distinctions can be made between matches. In addition, data that has been
identified can not only be tracked, but associated with a rule to provide long-term protection.
Increased Discover remediation support
Data at rest detected in non-CIFS repositories (HTTP, HTTPS, FTP, Documentum, NFS, and
HTTP SharePoint) can now be moved, copied, encrypted or deleted.
If data is moved to quarantine an incident, the action can be reverted. If remediation actions fail,
error messages are launched.
Discover scans expanded
Scan operations can be paused and resumed, and notification can be set up to inform users that
a crawl has started and stopped.
Directory server integration features
In this release, DLP is extended through integration with additional Active Directory server
functionality.
Individual users can be identified
Through integration with McAfee Logon Collector, the identity of individual users can be
resolved. Previously, only IP addresses and locations could be detected.
Large enterprise environments supported
Through integration with McAfee Logon Collector, McAfee DLP supports multiple domain
controllers used in large-scale operations.
LDAP pagination is supported
User data retrieved from Active Directory servers is displayed in page format.
System management features
In this release, DLP administrative control has been improved.
Device status can be updated
DLP Manager can notify users if a device is down (disconnected or turned off), and a variety of
time periods can be defined.
User login security strengthened
Administrators can discourage unauthorized access by setting up lockout conditions for
repeated login attempts.
Increased security in password setting
Password requirements can be customized to force users to create more secure passwords.
Audit Logs customizable
Audit logs can be sorted and displayed to filter user data, and specific systems can be targeted.
Technical support package improved
Files generated by users to help tech support resolve problems now contain core file and BIOS
DMI (Desktop Management Interface) logs, ETL (Extract/Transfer/Load) incident count, MySQL
process list log, and case status.
How Host DLP works
In this release, Host DLP is embedded in Network DLP at the rules level, making it possible to monitor and act on endpoint content on- and off-line.
Host DLP protects all data at network endpoints — not only on desktops and laptops, but on
removable media and printers.
When a policy violation is recognized, an event is generated, stored in the ePO database as
evidence, and a pre-defined reaction is triggered to handle the violation appropriately.
All endpoint events can be viewed on the ePO dashboards, as well as on the Network DLP
Incidents | Data-in-Use dashboard, where they can be filtered, analyzed, reviewed, and
assigned to cases for further investigation.
How Network DLP works
The core component of Network DLP is a capture engine that runs on DLP Monitor. The engine captures all packets and reassembles them up to the application layer, where the resulting objects are classified into types and stored on capture partitions.
Network DLP also extends to the discovery of data in network repositories, to directory servers throughout the enterprise, and to endpoints through Host DLP. In addition, DLP Prevent monitors and acts on all email and webmail in the enterprise.
Use Cases
Examples
By using one of the following examples as a template, you can quickly find a solution to some common problems.
Protecting Endpoints
● Keeping IP from being copied to a USB drive
● Keeping IP from being printed
● Blocking IP residing on endpoints
● Preventing loss of project data from endpoints
● Protecting IP at a specific network location
Protecting Confidential Data
● Finding leaked documents
● Identifying and tracking confidential documents
● Blocking data containing source code
● Finding copied or relocated files
Detecting Privacy Violations
● Blocking transmission of financial data
● Preventing release of privacy information
Finding Rogue Communications
● Excluding an IP or email address from detection
● Finding email using non-standard ports
● Identifying frequent communications
● Finding encrypted traffic
Protecting Global Business
● Finding evidence of foreign interference
● Finding leaks after global close of business
Filtering Results
● Eliminating false positives from results
● Finding high-risk incidents
● Finding documents by file type
Filtering Captured Traffic
● Filtering out configuration-controlled files
● Storing a portion of filtered traffic
Detecting Insider Activity
● Finding message board postings
● Finding policies violated by a user
● Finding social networking traffic
● Finding unencrypted user data
● Getting statistics on website visits
● Identifying disgruntled employees
● Monitoring a user's online activity
Protecting Confidential Data
Finding leaked documents
Whether leaked accidentally or intentionally, confidential documents on corporate networks are often open to discovery by unauthorized users.
Use keyword and time-delimited searches to locate those documents, then analyze the incidents
to find out how those documents were leaked.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Type in a word or phrase that might be found in the controlled document, such as Confidential.
If you have additional information (such as content type or protocol), use an Advanced Search so you can add
elements to include those values.
3. Select a time frame from the Date/Time menu.
4. Click Search.
Identifying and tracking specific documents
McAfee DLP systems help you to identify documents at risk without knowing exactly what
information they contain.
But in some cases, you might know enough to be able to identify those documents in advance.
You can register them individually, then track them as they move or are copied to different
locations.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents.
2. From the Actions menu, select Upload New File.
3. Browse to locate a sensitive file that must be protected.
NOTE: Mozilla Firefox 3.5 will not include the path to the uploaded document unless you reconfigure it before
scanning.
4. Select a policy and rule to guide the search.
Example:
Select the Financial and Security Compliance policy and the Financial Statement Documents rule to protect a
document that contains sensitive financial information.
5. Select a device that will receive the uploaded file by checking the box of any DLP appliance.
6. If more documents need protection, select Save & Upload Another and repeat the process.
7. Click Save.
TIP: Schedule a Discover scan that will crawl file shares regularly looking for the document.
Finding copied or relocated files
Confidential documents often proliferate over networks, because employees can copy or move
them to insecure locations to work on them, or share them with other staff members.
Even when confidential information is accessed only by those who have the proper privileges,
finding, registering and controlling every copy is the only way to protect it.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Web Upload.
2. Select Upload New File from the Actions menu.
3. Browse to the file you want to track.
4. Select a signature type.
NOTE: The web upload feature supports only high granularity mode, which provides full plagiarism detection
and protection by generating overlapping signatures over every bit of text in a file. The original document can
be identified, even if words are transposed. The contents may differ by a couple of lines of text.
5. Select a policy that corresponds to your objective.
For example, you might use the Competitive Edge policy if your goal is to protect a sensitive sales document.
6. Select a rule that corresponds to your objective.
For example, you might use the Pricing Information rule if your goal is to protect a price list.
7. Select one or more DLP devices that will store the uploaded price list.
8. Click Save.
9. On the Web Upload page, click the Details icon of the price list to view the MD5 signature number. This unique number will be found during any scan, or in a search of discovery data after a scan has run.
10. Configure a Discover scan and start it.
11. After allowing some time for the document to be found, go to Incidents and click the Columns button.
12. Add the Signature and Path columns to your dashboard.
13. Click Apply.
14. Go to the Incidents page and select Data-at-Rest from the display thumbwheel.
15. Look for the signature number of the document in the results under the added columns.
16. If you want to search the Discover database for that number, right-click the number and select Copy.
17. Go to the Advanced Search page.
18. Open File Information.
19. Select MD5 is any of and paste the signature number into the Value box.
20. Click Search.
NOTE: You might find that you are inadvertently pasting in unrelated text. If so, close the program that contains
that text and repeat the process.
21. Click Search.
22. View the Path column for the exact location of the file.
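The two kinds of signature used in this procedure behave differently: the MD5 shown on the Web Upload Details page identifies one exact file, while the high granularity registration described in the NOTE at step 4 covers the text with overlapping signatures so a copy still matches after words are transposed or a couple of lines change. The following added illustration (not McAfee code) approximates that behaviour with overlapping word n-gram hashes; the window size, the match threshold and the sample documents are constructed for the example.

```python
"""Whole-file MD5 versus overlapping text signatures (added illustration, not McAfee code)."""
import hashlib
import re

SHINGLE_WORDS = 5        # words per overlapping window (assumed value for the example)
MATCH_THRESHOLD = 0.4    # fraction of registered windows that must survive (assumed value)


def file_md5(text: str) -> str:
    """Whole-file MD5, the kind of signature number shown on the Web Upload Details page."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def tokenize(text: str) -> list:
    """Lower-case word tokens; case and punctuation do not influence the signatures."""
    return re.findall(r"[a-z0-9]+", text.lower())


def signatures(text: str, n: int = SHINGLE_WORDS) -> set:
    """One hash per overlapping n-word window, so every word of the text is covered."""
    words = tokenize(text)
    sigs = set()
    for i in range(len(words) - n + 1):
        window = " ".join(words[i:i + n])
        sigs.add(hashlib.md5(window.encode("utf-8")).hexdigest())
    return sigs


def match_ratio(registered: set, candidate_text: str, n: int = SHINGLE_WORDS) -> float:
    """Fraction of the registered document's windows that reappear in the candidate."""
    if not registered:
        return 0.0
    return len(registered & signatures(candidate_text, n)) / len(registered)


def is_registered_copy(registered: set, candidate_text: str) -> bool:
    """A candidate counts as a copy when enough of the registered windows survive."""
    return match_ratio(registered, candidate_text) >= MATCH_THRESHOLD


# Constructed sample: a registered price list ...
REGISTERED = """Quarterly pricing for the enterprise tier is confidential and must not be shared outside the sales organization.
Unit price for the standard license is set per seat with volume discounts applied above five hundred seats.
Premium support contracts renew annually and are billed separately from the base subscription fee.
Regional resellers receive a fixed margin on every transaction and report monthly to the channel manager.
Any deviation from this price list requires written approval from the vice president of sales operations.
Discount codes issued for trade shows expire thirty days after the event closes and cannot be combined."""

# ... a copy with two words transposed in line 1 and lines 3 and 6 rewritten ...
MODIFIED = """Quarterly pricing for the tier enterprise is confidential and must not be shared outside the sales organization.
Unit price for the standard license is set per seat with volume discounts applied above five hundred seats.
Support escalations are handled by the regional service desk during local business hours.
Regional resellers receive a fixed margin on every transaction and report monthly to the channel manager.
Any deviation from this price list requires written approval from the vice president of sales operations.
Promotional pricing for partners is reviewed each quarter by the finance committee."""

# ... and an unrelated document that should not match.
UNRELATED = ("The cafeteria menu for next week includes a vegetarian option on Tuesday and Thursday, "
             "and the parking garage will close early on Friday.")

if __name__ == "__main__":
    registered_sigs = signatures(REGISTERED)
    print("whole-file MD5 still matches:", file_md5(REGISTERED) == file_md5(MODIFIED))
    print("modified copy, surviving windows:", round(match_ratio(registered_sigs, MODIFIED), 2))
    print("modified copy flagged:", is_registered_copy(registered_sigs, MODIFIED))
    print("unrelated text flagged:", is_registered_copy(registered_sigs, UNRELATED))
```

The modified copy no longer shares the file's MD5, yet roughly half of its overlapping windows still match, which is why the scan can still locate it.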
Blocking data containing source code
Employees who are leaving the company might feel they have a right to the code they have
written. You can protect your company's intellectual property by configuring your systems to
block all source code leaving the network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type is any of and click "?".
4. Open Source Code from the popup menu.
5. Select one or more source code types.
TIP: If you don't know the source code type, select Template and is any of. Then click "?" and Select All beside
the Source Code category.
6. Click Apply.
7. Click Save as Rule.
NOTE: When you save a search, it becomes a rule.
8. Go to the Policies tab.
9. Open the policy containing the new rule, then click on it.
10. Click on the Action tab.
11. Click Add Action, then select the Block and Notify Sender action.
12. Click Save.
When the rule runs and source code is found, the action rule automatically blocks it. The sender receives email
notification of the action.
TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and Save.
Filtering Results
Finding documents by file type
You might know that a confidential document you are looking for in your results was created by a
Microsoft Office application. You can find that document by filtering incidents to display only
documents created by that program.
TIP: If you have a limited number of results to sort through, you can simply click any icon on the dashboard
relating to the program. The results will be automatically sorted by that attribute.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Under Filter by Timestamp, select a time frame.
3. Click plus to add a filter.
4. Select Content from the first menu.
5. Select equals from the second menu.
6. Type in the document type, or click "?" and select MSWord from the popup menu.
If you know the name of the document, add another element using a Filename equals filter, and type in its
name.
7. Click Apply. The dashboard will reconfigure the results to display the document.
TIP: To add a note to the incident, use the Comments equal filter and type in a text string.
Finding high-risk incidents
When you have a high volume of violations to search through, it may be difficult to find the most
significant ones. Filter your results to display only the most critical incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Under Filter by Timestamp, select a time frame.
3. Click plus to add a filter.
4. Select Severity from the first menu.
5. Select equals from the second menu.
6. Type in a number from 1 to 5, or click "?" from the third menu and select a Severity checkbox from the popup
menu.
7. Click Apply.
8. Click Apply.
Eliminating false positives from results
Suppose you are looking for personal identification numbers that violate privacy standards, but
product part numbers that also match the pattern are being erroneously reported. An exception
that redefines numerical patterns will exclude the incidents containing part numbers, which do
not constitute privacy violations.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.
2. On the Incidents dashboard, find one or more incidents that contain part numbers.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the incidents.
TIP: If all incidents on the page were produced by the rule, select the box in the table header to select all of
them.
5. From the Actions menu, select Modify Status | False Positive | Create Exception.
6. When the Edit Rule page launches, type some text describing the exception in the Notes box.
7. Redefine the values reported on that page. For example, if the part number has the same pattern as an
identification number, but is preceded by "PN#", add a Content element that specifies "Keywords | contain
none of | PN#."
TIP: If there is no difference in the pattern, consider eliminating another element the incidents have in common.
For example, if all of the reported part number incidents may have come from the same department, create a
Source/Destination element that specifies an email domain or UserOrganization.
8. Click Save.
TIP: After the rule runs, evaluate the incidents retrieved and make revisions if the results still do not meet your
criteria.
Detecting Insider Activity
Monitoring a user's online activity
Employees who have been warned to discontinue specific network activities should be
monitored to prevent them from wasting company resources or sabotaging the system.
You can monitor all of a user's communications to determine if they are complying with your
instructions.
TIP: To monitor the user on a regular basis, save the search as a rule. In case of flagrant violations, incidents
and events can be collected in a case and delegated to your legal team for use as evidence in court.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select User ID, Host Name, Host IP, or Email address from the Input Type menu.
3. Type identifying text into the value field.
NOTE: The UserID corresponds to a field found on an LDAP server, so this option cannot be used unless a
directory server has been added. Note that UserID might not necessarily correspond to a user's email address,
since a user could have more than one email address.
4. If the information is on a remote directory server, click Find and select a category of users, then click Apply. If
you select Everyone, the rule will apply to all users on all of your directory servers.
5. If the user is local, click plus to add one or more identifying elements, such as an IP or email address under
Source/Destination.
6. Click Search or Save as Rule.
Identifying disgruntled employees
Unhappy insiders can do a lot of damage to your business operations if they are not found and
stopped.
You can search for instant messaging or email communications that contain clues to potential
trouble by applying a concept that will identify those transmissions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Concept from the first drop-down menu, and is any of from the second.
4. Click "?".
5. Select DISCONTENT from the Acceptable Use menu.
This concept contains a collection of words and phrases that are often used by unhappy employees. Go to
Policies | Concepts and double-click on one of them to understand what the phrases are, and how the concept
is constructed.
6. Click Apply.
7. Click Search.
Finding unencrypted user data
You might assume that usernames and passwords are protected on your network as a matter of
course, but that may not always be the case.
Find out quickly if user account information is circulating in cleartext on your network by
searching for account passwords.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select Keywords.
3. Type the words account password into the value field.
4. Click Search.
NOTE: If there are any significant results, alert your IT department.
Finding policies violated by a user
If you have a lot of incidents to sort through, it may be hard to find the ones that are related to a
particular user. You can find them by keying on attributes relating to that user.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select Policy from the Group by menu.
3. Double-click the policy the user might have violated (if it generated incidents).
4. Under Filter by, select a time from the Timestamp menu.
5. Click plus to add a filter.
6. Select UserID, UserName, or UserEmail from the first menu.
7. Select equals from the second menu.
8. Type in the user's ID, name or email address.
TIP: If you don't have exact information but want to guess at the identity of a sender or recipient, select the
Sender or Recipient filter, add a like or not like condition, and type in a string that might match some
characters in the user's ID, name or email address.
9. Click Apply.
Getting statistics on website visits
Even if users are routinely allowed to use the Internet to complete their job duties, they might
have been told to curtail certain web sites that can compromise network security.
TIP: By creating a content capture filter, you can store all traffic to and from inappropriate web sites to find out if
your company policy is being violated.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select URL is any of and type the URL of the website into the value field — for example, www.webrats.com.
4. Click Search.
TIP: If no results are retrieved, check to see if the default ignore_http_header content capture filter is still active.
Finding message board postings
Employees sometimes spend company time on non-work-related posting to internet sites. You
can identify that activity by targeting the protocol that is used to transmit such postings.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a time frame from the menu under Filter by Timestamp.
3. Click plus to add a filter.
4. Select Protocol from the first drop-down list, and is any of from the second.
5. Type in HTTP_Post, or click "?" and select it from the popup menu.
6. Click Apply.
7. Click Apply.
TIP: This filter identifies all posting traffic. If you know what web site is being posted to, add a Content equals
filter and type in its name (for example, webrats.com).
Finding social networking traffic
Employees who are accustomed to using social networking sites might not realize how much
time they are spending on activities that reduce their productivity, or how much sensitive
information might be leaked when they use such sites in the workplace.
You can find out how much social networking activity is occurring on your network by finding all
traffic to and from specific web sites.
Use Site Keywords
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Type site keywords into the value field (for example, facebook or myspace).
3. Select a time frame from the Date/Time menu.
4. Click Search.
Detect Posting to any Site
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select Protocol.
3. Click "?" and select HTTP_Post from the popup menu.
4. Click Apply.
5. Click Search.
Find Blog Postings to Popular Sites
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Open Content.
3. Select Concept is any of and click "?".
4. Select BLOGPOST from the popup menu.
TIP: Go to Policies | Concepts and customize BLOGPOST by clicking plus to add additional expressions that
cover more sites. Save the edited concept, then repeat the search.
5. Click Apply.
6. Click Search.
Finding Rogue Communications
Finding encrypted traffic
Insiders attempting to conceal illegal activity or steal your intellectual property routinely use
encryption. Identify the sources and destinations of encrypted traffic on your network to expose
those activities.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type from the first drop-down list, and is any of from the second.
4. Click "?".
5. From the Protocol menu, select Crypto.
6. Click Apply.
7. Click Search.
Identifying frequent communications
You may suspect that a particular user is communicating with an off-site competitor. You might
be able to identify the sources and destinations of frequent communications that will eventually
reveal that leak.
TIP: If you already know a source or destination, find the other side of the session by searching for a UserID or
email address on the Advanced Search page under the Source/Destination category.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select an incident.
3. Select a time frame from the menu under Filter by Timestamp.
4. Click plus to add a filter.
5. Select SourceIP or DestinationIP from the first drop-down list, and equals from the second.
NOTE: If the source and destination IP addresses are dynamically assigned, they will change over time. If you
have added a DHCP server to DLP Manager, you can track the previous addresses of a host.
6. Type the known IP address into the Values field.
TIP: Click the Details icon of an incident to find the IP address.
7. Click Apply. The dashboard will display all sender and recipient communications with that IP address, but you
see the SourceIP and DestinationIP addresses by adding those columns to the dashboard.
TIP: Add another filter to identify both source and destination of frequent communications.
Finding email using non-standard ports
When non-standard ports are used to transmit email, a deliberate attempt to conceal illegal
activity should be suspected. By eliminating email that uses well-known ports, unknown or
unsecured transmissions can be revealed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type from the first drop-down list, and is any of from the second.
4. Click "?".
5. Open Mail from the popup menu.
6. Select one or more email formats, or Select All.
7. Click Apply.
8. Open Protocol.
9. Select Port is none of and type standard port numbers into the value field.
TIP: Ports 25 and 80 are commonly-used email and webmail ports. Add
10. Type 25 into the Value field. Repeat for port 80 to exclude all email sent by well-known ports.
11. Click Search and evaluate the results.
TIP: You may have to add Columns to your dashboard to see the port information, which is displayed in source
and destination columns.
Excluding an IP or email address from detection
Even network administrators may not be privileged to peruse certain information found in
network data streams. If you want to ensure absolute security for one or more hosts or users who
have access to top secret information, you can protect them from detection by the capture
engine.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Content Filter.
3. Type in a name for the filter. Typing a description is optional.
4. Select Drop Element from the Action menu.
5. Open the Source/Destination category.
6. Select IP Address from the first drop-down list, and is any of from the second. You can define an email
address instead, or add an element and protect both email and IP addresses.
7. Type the IP address or email address into the value field.
NOTE: If the address is on a subnet, it is detectable only if the network and host portions of an IP address are
standard classful IP (address fields are separated into four 8-bit groups). Separate multiple addresses by
commas, and IP ranges by dashes.
8. Check the box of the device on which you want the filter deployed, or None if you want to deploy it later.
9. Click Save.
NOTE: CIDR notation is supported, but IPv6 is not.
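The value field of this filter accepts the syntax described in the two NOTEs above: addresses separated by commas, IPv4 ranges written with a dash, CIDR blocks, and no IPv6. The following added example (not McAfee code) parses a value written in that syntax and shows which constructed sample flows a Drop Element filter on the IP Address element would keep out of the capture database; the flow records and the way the drop is modelled are assumptions for the illustration.

```python
"""Parse a capture-filter IP value field and apply a Drop Element filter (added example, not McAfee code)."""
import ipaddress
from typing import Iterable, List, Optional


def parse_ip_filter_value(value: str) -> List[ipaddress.IPv4Network]:
    """Turn the comma-separated value field into IPv4 networks.

    Accepts single addresses ('10.1.2.3'), dash ranges ('10.1.2.3-10.1.2.40')
    and CIDR blocks ('172.16.0.0/16'). IPv6 is not supported by the filter,
    so any entry containing ':' is rejected with an explicit message.
    """
    networks: List[ipaddress.IPv4Network] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if ":" in entry:
            raise ValueError(f"IPv6 is not supported in capture filters: {entry!r}")
        if "-" in entry:
            low, high = (part.strip() for part in entry.split("-", 1))
            first, last = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
            if first > last:
                raise ValueError(f"range start is after range end: {entry!r}")
            # A dash range is covered exactly by one or more CIDR blocks.
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # strict=True: a CIDR entry must have its host bits clear (10.0.0.0/24, not 10.0.0.7/24).
            networks.append(ipaddress.IPv4Network(entry, strict=True))
    return networks


def filter_value_error(value: str) -> Optional[str]:
    """Return the validation message for a value field, or None when it parses cleanly."""
    try:
        parse_ip_filter_value(value)
    except ValueError as exc:
        return str(exc)
    return None


def address_in_filter(address: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the address falls inside any entry of the parsed value field."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in net for net in networks)


def apply_drop_element_filter(flows: List[dict], networks: List[ipaddress.IPv4Network]) -> List[dict]:
    """Return only the flows that would reach the capture database.

    Hypothetical model of a Drop Element filter on the IP Address element: a flow
    whose source or destination matches any entry is dropped before capture, so
    it can never appear in a search or produce an incident.
    """
    return [
        flow for flow in flows
        if not (address_in_filter(flow["src"], networks) or address_in_filter(flow["dst"], networks))
    ]


# Constructed example value: one host, one dash range, one CIDR block.
FILTER_VALUE = "10.1.2.3, 192.168.5.10-192.168.5.20, 172.16.0.0/16"

# Constructed sample flows (one dict per session).
SAMPLE_FLOWS = [
    {"src": "192.168.5.12", "dst": "203.0.113.8", "proto": "SMTP"},     # dropped: source inside the dash range
    {"src": "10.1.2.3", "dst": "198.51.100.4", "proto": "HTTP_Post"},   # dropped: source is the listed host
    {"src": "10.1.2.4", "dst": "172.16.9.9", "proto": "FTP"},           # dropped: destination inside the /16
    {"src": "10.1.2.4", "dst": "203.0.113.9", "proto": "HTTP"},         # kept
    {"src": "192.168.5.21", "dst": "198.51.100.4", "proto": "SMTP"},    # kept: one address past the range end
]

if __name__ == "__main__":
    nets = parse_ip_filter_value(FILTER_VALUE)
    for net in nets:
        print("filter entry:", net)
    for flow in apply_drop_element_filter(SAMPLE_FLOWS, nets):
        print("captured:", flow)
    print("IPv6 entry:", filter_value_error("2001:db8::1"))
```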
Detecting Privacy Violations
Preventing release of privacy information
Billions of dollars have been lost by companies that have released privacy information by
accident. You can prevent such losses by implementing existing policies to identify the
information, then setting up automatic blocking to keep it from leaving the network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy that can be used to identify privacy information.
For example, you might select Financial and Security Compliance, Competitive Edge, or Personally Identifiable
Information.
3. Click on the first rule listed under the policy, then click the Actions tab.
4. If no action is listed, or the action listed is not relevant, click the Add Action icon.
5. Select the appropriate action rule.
NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions
column will be applied. If you do not see the one you need, create it under Policies | Action Rules, then return
to this step.
NOTE: Action rules act only on monitored or discovered data (Data-in-Motion or Data-at-Rest). Only one
action type is allowed for each process.
6. Click Save.
7. Repeat this process for every rule under the policy.
8. When the policy runs, all privacy information defined in its rules will be blocked from leaving the network.
Blocking transmission of financial data
Even the most dedicated employees might not realize the implications of failing to protect
financial documents, or they may not know how to encrypt them.
You can protect this data in either case by creating a concept that flags a variety of financial
documents, then attach an action rule to prevent them from leaving the network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Concept is any of and click "?".
4. Check the Select All checkboxes on all groups of financial concepts. (For example, if you are in North America
you might select Banking and Financial Sector, and Corporate Financial.)
TIP: Concepts contain words and phrases that identify a broad range of financial content. Go to Policies |
Concepts and double-click on one of them to understand how they are constructed.
7. Click Apply.
8. Click Save as Rule.
NOTE: When you save a search, it becomes a rule.
9. Go back to the Policies page.
10. Open the policy containing the new rule, then click on it.
11. Click on the Action tab.
12. Click Add Action, then select the Block and Notify Sender action.
13. Click Save.
When the rule runs and financial data is found, the action rule automatically blocks it. The sender receives email notification of the action.
TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and Save.
Protecting Endpoints
Blocking intellectual property residing on endpoints
If your intellectual property is referenced in email or webmail communications residing on an
endpoint, it can be blocked from being sent to a competitor.
NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You
could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Define the intellectual property by selecting keywords, content type, or concepts from the Content menu. You
may add values to one or more of the following categories.
● Type in Keywords that may be found in sensitive documents.
● Select Content Type from the menu, click "?" to launch the Content Type palette, and make one or more
selections from it.
● Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the Intellectual Property sub-menu to see if one or more of the default concepts will suit your
purposes. If not, create a new concept and add your own parameters, then return to this page and add that new
concept from the Concepts palette.
NOTE: The following selections are optional, depending on how much you know about what you are looking
for.
9. Open Source/Destination and select UserName from the menu.
10. Select is any of or is none of. The latter selection will indicate an exception to the value provided.
11. Click "?" and select from the remote Directory Server List.
12. Click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on your directory servers.
13. Click plus to add another item under Source/Destination.
14. Select Email Address from the menu.
15. Select is all of or another condition to focus the email address.
16. Type in the domain you want to block.
17. Open Protocol and select Protocol from the menu.
18. Select is any of.
19. Click "?" and select from the Internet Protocols menu. For example, if you suspect intellectual property is being posted, select HTTP_Post.
20. Click Apply.
21. Click the Actions tab, then click Add Action.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
22. Scroll down to the Data-in-Use actions and select the WebPost Reaction or Email Reaction action rule.
NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied.
23. After you have finished adding as much information as you have to the rule, click Save and let the policy and rule run. After you get results, tune as needed.
Keeping IP from being copied to a USB drive
If your employees are allowed to work remotely, they may be duplicating material that contains proprietary information in the course of performing legitimate tasks. If USB drives containing such information are lost or mishandled, your intellectual property could easily be lost to a competitor.
NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You
could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Open Endpoint and select Protect Removable Media from the menu.
9. Click "?", check Enable, and click Apply.
NOTE: This definition, plus an action rule, constitutes a minimal removable media policy. To refine the rule for
specific content, add the following definitions.
10. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values
to one or more of the following categories.
● Type in Keywords that may be found in sensitive documents.
● Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
● Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a
new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. Open Source/Destination and select UserName from the menu.
13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)
14. Click the "?" and select from the remote Directory Server List.
15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on
your local and directory servers.
16. Click the Actions tab, then Add Action.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but
only one of each type to a single rule.
17. Scroll down to the Data-in-Use actions and select Removable Media Reaction action rule.
NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions
column will be applied.
18. Click Save.
Keeping intellectual property from being printed
If your employees are allowed to work remotely, they may be printing material that contains
proprietary information in the course of performing legitimate tasks. If printed copies
containing such information are lost or mishandled, your intellectual property could easily be lost
to a competitor.
NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Printer Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You
could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Open Endpoint and select Protect Local Printers from the menu.
9. Click "?", check Enable, and click Apply.
TIP: You can select one or more Network Printers from the "?" Directory Server List, or type in its network
path and name, to add printer protection for printers on your company site. You can allow exceptions for secure
printers by defining them at DLP Sys Config | Endpoint Configuration | Unmanaged Printers.
10. Click the Actions tab, then Add Action.
NOTE: This definition, plus an action rule, constitutes a minimal printer policy. To refine the rule for specific
content, add the following definitions.
11. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values
to one or more of the following categories.
● Type in Keywords that may be found in sensitive documents.
● Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
● Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a
new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. Open Source/Destination and select UserName from the menu.
13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)
14. Click "?" and select from the remote Directory Server List.
15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on
your directory servers.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but
only one of each type to a single rule.
16. Scroll down to the Data-in-Use actions and select Printer Reaction action rule.
NOTE: Actions are defined and edited on the Actions page. All of the reactions listed in the Actions column
will be applied.
17. Click Save.
Preventing loss of project data from endpoints
Use this task to keep users from copying project information to a USB drive.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add a Policy.
3. Type a name and optional description for the policy.
4. Select Host or All Devices to publish the policy to host or network DLP devices, then click Save.
5. Click the policy to open it for editing. From the Actions menu, select Add Rule.
6. Type a name and optional description for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Define the project data by selecting keywords, content type, or concepts from the Content menu.
You may add values to one or more of the following categories.
● Type in Keywords that may be found in sensitive documents.
● Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
● Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a
new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. If the user is known, open Source/Destination and type the username in the Values field.
13. If you want to specify exclusions, go to the Exceptions tab and add project data that may be found, but is
irrelevant. When you have finished, click Save.
14. On the Actions tab, click Add Action and specify the action to be taken when the project data is found.
15. Select Removable Media Reaction from the Actions menu to protect the data. The actions that will be taken
are listed in the Actions column.
16. Click Save.
Example:
Content:
Keywords | contains all of | Project X
Source/Destination:
Email Address | contains all of | tjohnson
Endpoint:
Protect Removable Media | equals | Enable
Actions
Removable Media Reaction
Protecting intellectual property at a specific network location
If documents containing intellectual property are located at specific network locations, you can
protect those locations from access by unauthorized users.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Add a policy, and add a rule to the policy.
NOTE: You can use an existing policy and add a rule to it, or edit an existing rule. You can also do a historical
search, then save it as a rule when it returns the type of information you need.
3. Open Endpoint and select Location Tag Path to protect all documents on a single share.
TIP: Use Network File Path to add protection for a single directory.
4. Click "?", check Enable, and Apply.
5. Click the Actions tab, then Add Action.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but
only one for each type.
6. Scroll down to the Data-in-Use actions and select the Network Communication Reaction action rule.
NOTE: All of the reactions listed in the Actions column will be applied. The copy action will be monitored,
blocked, stored as evidence, and the user will be notified of the violation.
7. Click Save as Rule.
Protecting Global Business
Finding evidence of foreign interference
Protecting intellectual property can be difficult when sensitive data is so easily transported
beyond national borders.
Identifying source and destination IP addresses will help you to identify where suspicious traffic
is coming from and where it is going.
NOTE: Because dynamically-assigned IP addresses change regularly, hosts that are not local can be identified
only if a DHCP server is installed on the network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Open Source/Destination.
3. Select GeoIP Location.
4. Click "?".
5. Select one or more country names from the popup menu.
6. Click Apply.
7. Open Date/Time.
8. Select File Creation Time between and enter before and after values.
9. Click Search.
TIP: If you do not see locations in your results, click Columns and add Source, Destination, Sender or
Recipient columns.
Finding leaks after global close of business
You might expect confidential data to be entering or leaving a company network during business
hours — after 5 PM, movement of sensitive data may indicate a leak. But global operations make
it difficult to define exactly when close of business occurs in local time zones.
If you are managing several DLP Monitors in different locations, you can find captured data at the same clock
time in each of those locations. Monitoring data at the time most employees are leaving each of those facilities
will help to expose those activities.
Detect this activity by creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los
Angeles, New York, London, and Tokyo offices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search | Date/Time.
2. Select Exact Time and a local or GMT time frame.
● Automatic Conversion to GMT (same moment globally): before, between, after
● Local time (same clock time globally): before (local time), between (local time), after (local time)
3. Click the Calendar icon to select a date.
4. Select the hour, minute and second from the pull-down menus.
5. Click Search or Save as Rule.
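The following is an added example, not part of the McAfee guide: it shows what one "between 17:00 and 18:00 (local time)" search means once the four offices are converted to GMT, and flags constructed capture records that fall inside any office's window. The office list, the fixed UTC offsets for the sample date and the sample records are assumptions made for the illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# Constructed example: the four offices from the use case and their UTC
# offsets on the sample date 2010-06-15 (Los Angeles, New York and London
# are on summer time). In a real deployment derive the offset per date from
# a tz database (for example Python's zoneinfo) instead of hard-coding it.
OFFICE_UTC_OFFSET_HOURS = {
    "Los Angeles": -7,
    "New York": -4,
    "London": 1,
    "Tokyo": 9,
}


def close_of_business_windows_utc(day, offsets=OFFICE_UTC_OFFSET_HOURS,
                                  start_hour=17, end_hour=18):
    """Map the local 5-6 PM window of each office on `day` to a UTC interval.

    One "between 17:00 and 18:00 (local time)" search corresponds to four
    different moments in GMT, one per office; this makes them explicit.
    """
    windows = {}
    for office, hours in offsets.items():
        local_tz = timezone(timedelta(hours=hours))
        start = datetime.combine(day, time(start_hour), tzinfo=local_tz)
        end = datetime.combine(day, time(end_hour), tzinfo=local_tz)
        windows[office] = (start.astimezone(timezone.utc),
                           end.astimezone(timezone.utc))
    return windows


def office_for_timestamp(ts_utc, windows):
    """Return the office whose after-hours window contains ts_utc, else None."""
    for office, (start, end) in windows.items():
        if start <= ts_utc < end:
            return office
    return None


# Constructed capture records (UTC timestamps) standing in for what the
# DLP Monitors would return; not real captured data.
SAMPLE_CAPTURES = [
    ("2010-06-15T08:20:00", "Tokyo office: spreadsheet to webmail"),
    ("2010-06-15T12:05:00", "London office: SMTP mail during business hours"),
    ("2010-06-15T16:45:00", "London office: source code to removable media"),
    ("2010-06-15T21:10:00", "New York office: design file over HTTP"),
    ("2010-06-16T00:30:00", "Los Angeles office: customer list over FTP"),
]


def flag_after_hours(captures, day):
    """Return (office, description) for captures inside an office's window."""
    windows = close_of_business_windows_utc(day)
    flagged = []
    for stamp, description in captures:
        ts = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        office = office_for_timestamp(ts, windows)
        if office is not None:
            flagged.append((office, description))
    return flagged


if __name__ == "__main__":
    sample_day = date(2010, 6, 15)
    for office, (start, end) in close_of_business_windows_utc(sample_day).items():
        # Note that the Los Angeles window already falls on the next GMT day.
        print(f"{office:12s} 17:00-18:00 local = {start:%Y-%m-%d %H:%M}Z to {end:%Y-%m-%d %H:%M}Z")
    for office, description in flag_after_hours(SAMPLE_CAPTURES, sample_day):
        print(f"after-hours ({office}): {description}")
```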
Filtering captured data
Filtering out configuration-controlled files
Use a content capture filter to filter out configuration-controlled files. Because network data
streams typically transport large numbers of images, eliminating large multimedia content can
improve performance of the capture engine.
For example, you might have a library of video files that is already protected by a configuration
control system. Setting up a filter to bypass those files will improve system performance.
TIP: A pre-installed filter automatically filters out images (like icons and thumbnails) that are too small to be
significant. You can turn off this filter by removing it from the list under DLP Sysconfig | Capture Filters |
Content Filters.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Content Filter.
3. Type in a name for the filter. Typing a description is optional.
4. From the drop-down Action list, select Drop Element.
5. Select the devices for deployment.
NOTE: If you want to deploy a capture filter at a later time, select the None checkbox under Devices, then
select it from the Add Filter menu under the deployment target.
6. Open Content.
7. Select Content type from the first drop-down list, and is any of from the second.
8. Click "?" and open the Multimedia popup menu.
9. Check the box of the controlled format (for example, MPEG).
10. Click Apply.
11. Click Save.
Storing a portion of filtered traffic
In some circumstances, you might want to block all encrypted traffic on the network, except for a
particular type. You can do this by setting up multiple action filters that are applied to the data
stream, gradually narrowing the filtering process by applying them one after another.
Isolating traffic using port 443, which commonly transports encrypted data, is one way of filtering
out encrypted traffic. But that port is also used by AOL, and blocking that traffic too might
eliminate traffic you need to monitor.
In such a case, you can set up the capture filters to retain the encrypted AIM traffic while
dropping the broader category of encrypted traffic.
CAUTION: You cannot save sessions or data that have already been eliminated, so pay attention to the
filtering sequence.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Network Filter.
3. Type the name AOL_Chat and a description (optional).
4. Select Store from the Action menu to retain that traffic.
5. Open the Protocol category and select Protocol equals from the first drop-down menu.
6. Click "?" and select AOL_Chat from the Protocol popup menu.
7. Click Apply and Save.
8. Click Create Network Filter to create another filter.
9. Give the filter a recognizable name, such as "SSH traffic". Typing a description is optional.
10. Select Ignore from the Action menu.
11. Open Protocol and select Port from the first drop-down list, and source is any of from the second.
12. Type 443 into the value field.
13. Click plus to add a parameter.
14. Repeat the process, but select Port from the first drop-down list, and destination is any of from the second.
NOTE: Traffic through ports and port ranges is bidirectional, so you must define source and destination
transmissions separately.
19. Type 443 into the Value field.
20. Check the box of the device on which you want the filter deployed. To decide later, check None.
21. Click Save. A new Ignore filter is added to the existing list.
22. Use the Priority icons to change the order of the filters. The Store filter must run first, because the Ignore filter
will eliminate all of the rest of the port 443 traffic.
NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its
priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data
stream, it must always run last.
23. Let the system run. After some time, you can search for AIM traffic in the captured data on the Incidents page.
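The following is an added example, not McAfee code: a small model of the two filtering tasks above, showing why the Store filter for AOL_Chat must be ordered before the Ignore filter for port 443 (with BASE last), and how a Drop Element content filter for a controlled multimedia format removes only that element. The Flow structure, the match predicates and the sample sessions are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Flow:
    """A reassembled network session as the capture engine might see it (assumed shape)."""
    protocol: str
    src_port: int
    dst_port: int
    elements: List[str] = field(default_factory=list)  # content types found inside


@dataclass
class NetworkFilter:
    name: str
    action: str                      # "Store" or "Ignore"
    matches: Callable[[Flow], bool]


# The BASE filter stores everything not already dropped, so it must run last.
BASE = NetworkFilter("BASE", "Store", lambda flow: True)

# Filters from "Storing a portion of filtered traffic" (names as in the guide).
STORE_AOL_CHAT = NetworkFilter("AOL_Chat", "Store",
                               lambda flow: flow.protocol == "AOL_Chat")
# Ports are bidirectional, so the guide defines source and destination
# port 443 separately; here both checks sit in one predicate.
IGNORE_PORT_443 = NetworkFilter("SSH traffic", "Ignore",
                                lambda flow: 443 in (flow.src_port, flow.dst_port))

# Content filter from "Filtering out configuration-controlled files":
# Drop Element for the controlled multimedia format.
DROP_ELEMENT_TYPES: Set[str] = {"MPEG"}


def apply_network_filters(flow: Flow, ordered: List[NetworkFilter]) -> Tuple[str, str]:
    """Return (action, filter_name): the first matching filter decides.

    Once a session is ignored it is gone; a Store filter later in the list
    cannot bring it back, which is why the priority order matters.
    """
    for nf in ordered + [BASE]:
        if nf.matches(flow):
            return nf.action, nf.name
    raise AssertionError("unreachable: BASE matches every flow")


def apply_content_filters(elements: List[str], drop_types: Set[str]) -> List[str]:
    """Drop Element removes only the matching elements, not the whole session."""
    return [e for e in elements if e not in drop_types]


def capture(flow: Flow, ordered: List[NetworkFilter],
            drop_types: Set[str] = frozenset()) -> Tuple[str, List[str], str]:
    """Run the network filters, then the content filters on what is stored."""
    action, name = apply_network_filters(flow, ordered)
    if action == "Ignore":
        return "Ignored", [], name
    return "Stored", apply_content_filters(flow.elements, drop_types), name


# Constructed sample sessions, not real captured traffic; element labels are made up.
AIM_OVER_443 = Flow("AOL_Chat", 51234, 443, ["Chat_Text"])
HTTPS_SESSION = Flow("SSL", 51235, 443, ["Encrypted"])
SMTP_MAIL = Flow("SMTP", 51236, 25, ["Office_Document", "MPEG"])

CORRECT_ORDER = [STORE_AOL_CHAT, IGNORE_PORT_443]   # Store first, then Ignore
WRONG_ORDER = [IGNORE_PORT_443, STORE_AOL_CHAT]     # Ignore swallows the chat too

if __name__ == "__main__":
    for label, order in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for flow in (AIM_OVER_443, HTTPS_SESSION, SMTP_MAIL):
            print(label, flow.protocol, capture(flow, order, DROP_ELEMENT_TYPES))
```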
Searching captured data
How data is captured and processed
The core component of Network DLP is a capture engine that allows reassembly of packets that
have been extracted from network traffic or repositories.
The reassembled objects are classified into object types that are saved in the DLP Monitor
database. Each object has many attributes, all of which can be retrieved by queries.
Captured data is indexed and analyzed in three different databases that hold data in use, data at
rest, and data in motion. You can query the databases directly using the options available in the
user interface, or save queries that are to be run regularly as rules.
When an object matches a query or rule, the result is reported to the DLP dashboards as an
incident. Incidents can be sorted and filtered according to their attributes so that the most
significant information can be identified and displayed.
NOTE: You need not search or save rules to get results. Standard policies that contain collections of rules
automatically search captured data to produce incidents, but you can enter your own queries under the
Capture tab.
Using search features
Basic search processes
DLP search features are designed to make constructing queries and getting results easy. By
scanning just a few of the search topics, you can master the basics quickly.
NOTE: Logical operators are still supported, but only in concept and keyword expressions.
TIP: Specific permissions are required for search tasks. Check DLP Sys Config | System | User
Administration | Groups | Task Permissions | Capture Permissions for details.
How capture works
The core component of Network DLP is a capture engine that extracts packets from network
traffic or repositories. They are indexed and analyzed, classified into object types, and saved in
databases on capture partitions on the DLP Monitor and Discover appliances.
You can query the Monitor and Discover databases directly using the options available in the
user interface, and save queries that are to be run regularly as rules.
When an object matches a query or rule, the result is reported to the dashboard as an incident.
NOTE: You need not search or save rules to get results. Standard policies that contain sets of rules
automatically search captured data to produce incidents, and concepts that match related parameters to
network data can be used as a shortcut to find text-based data quickly.
Adding or subtracting search parameters
Use this task to add an element to any search, rule, filter, or case.
● Click the green plus icon to add an element.
● Click the red minus icon to subtract an element.
Searching with managed systems
When you send a query from a DLP Manager, you are automatically doing a distributed search
through all DLP appliances registered to the system.
NOTE: Although the default is All Devices, you can target a DLP Manager search by selecting one or more
checkboxes of devices from the DLP Reporting | Advanced Search | Devices menu.
Getting notification of results
Any search that takes more than 60 seconds to process is run in background mode. When it is
complete, the user who is logged in is notified by email.
NOTE: If a search is aborted, no notification is sent.
Use this task to get notification of search results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Define a search.
3. Click the Search List tab to view its status.
4. If it is incomplete, continue with other tasks and check back periodically.
TIP: Set up your email client to prompt you when new email comes in.
Getting details and search history
Use this task to get details about a query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.
2. Click the Details link of the query.
Stopping searches
Use this task to stop a search that is still running.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.
2. Click Abort.
NOTE: The search must still be in RUNNING mode.
Cloning searches
Use this task to edit a search and save as a new one.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Type in a search term.
3. On the search list, click Clone Search.
4. Modify the parameters and results.
5. Click on Search to create a new search.
Finding documents
How to find documents
The classification engine sorts all network data into content types. This allows you to search for
engineering drawings, different types of source code, office documents, images, and countless
other file types.
Use this task to find out what documents are available.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open each document category to review its contents.
7. Click Apply.
8. Click Search or Save as Rule.
Finding Microsoft or Apple documents
The classification engine sorts all network data into content types. This allows you to search for
engineering drawings, different types of source code, office documents, images, and countless
other file types.
Use this task to find out what content types are available.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Apple or Microsoft categories to review their contents.
7. Check the boxes to define the format you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.
Finding documents by type
Use this task to find specific document types (for example, Adobe FrameMaker, PostScript, ePS,
or XML) on your network.
TIP: Narrow your selection to one or two document types to keep from getting too many results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Advanced Documents category to review its contents.
7. Check the boxes to define type of document you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.
Finding office documents
Use this task to find office documents on your network.
TIP: Narrow your selection to one or two document types to keep from getting too many results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Office Applications category to review its contents.
7. Check the boxes to define type of office document you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.
Finding proprietary documents
Use this task to find proprietary design documents on your network.
TIP: Narrow your selection to one or two document types to keep from getting too many results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Engineering Drawings and Designs category to review its contents.
7. Check the boxes to define type of document you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.
Finding source code
Use this task to find out if proprietary source code is unsecured on your network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Source Code category to review its contents.
7. Check the boxes to define type of source code you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.
Finding email and chat
How to find email
Email objects are stored in capture databases as separate tokens. For that reason, you can
search for one or more components of an email address (for example, user, host or domain
names).
NOTE: Email addresses or domain names that contain numbers are searchable only if they are in the
addressing, subject, cc or bcc fields. Only alphabetic characters are supported in the body of email messages.
NOTE: In rare cases, email addresses that are not present in SMTP mail may be displayed in strikeout mode in
the highlighting on the dashboard.
Finding email by address
Use this task to find email addresses.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: If you use a Basic Search, you can specify the Email to or from address selections. In an Advanced
Search, the condition defines the sender or recipient.
2. Open the Source/Destination category.
3. Select Email Address from the first menu.
4. Select is any of, all of, or none of (to include or exclude specific addresses) from the second menu.
TIP: Select the sender condition to indicate that the email address found was the source of the email. Use the
green plus to add another parameter if you also want to define the recipient of the email.
5. Type in one or more email addresses.
6. Click Apply.
7. Click Search or Save as Rule.
Finding email by host name
Use this task to find email by host name.
NOTE: This search is limited to data at rest.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select Host Name from the first menu.
3. Type one or more host names into the value field.
4. Click Search or Save as Rule.
Finding email by domain name
Use this task to find email by domain name.
NOTE: This search is limited to data at rest.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Discover.
3. Select Domain Name from the first menu.
4. Select is any of from the second menu.
5. Type the domain name into the value field.
6. Click Search or Save as Rule.
Finding email by port
Use this task to find email by port. This can be useful if you know the protocol of the email you
are looking for. For example, SMTP email is commonly sent through Port 25; webmail uses Port
80.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Protocol.
3. Select Port from the first menu.
4. Select is any of from the second menu.
TIP: The system returns port information in both directions, but in separate flows. For complete results, first add
source port, then use the green plus to add an additional parameter that defines the destination port.
5. Type 25 or 80 into the value field.
6. Click Search or Save as Rule.
TIP: Because most email uses one of two ports, searching by port is likely to return too many results. Narrow
your query by using additional qualifiers, such as user, host or domain name.
Finding email by protocol
Use this task to find email by protocol. This can be useful if you know the protocol of the email
you are looking for. For example, you are likely to find local corporate email if you search for
SMTP traffic, and private webmail by looking for HTTP communications.
TIP: You can search for a protocol directly from the Basic Search menu, but such a query is likely to return too
many results. Use an Advanced Search so you can add additional qualifiers (like user, host or domain
names).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Click "?".
4. Select HTTP_Webmail from the popup menu.
5. Click Apply.
6. Click Search or Save as Rule.
Finding email subjects
Use this task to find email by subject.
TIP: If you know the exact verbiage of the subject line, you might start with a quick Basic Search. Select Email
Subject and type in the exact words, then Search. Use Advanced Search to add parameters if you have some
additional information that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Subject from the first menu.
4. Select contains any of from the second menu.
5. Type the subject into the value field.
6. Click Search or Save as Rule.
Finding email attachments
Use this task to find incidents with email attachments.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Click "?".
4. Open the Mail Protocols category.
5. Select one or more attachment types.
TIP: You might select HTTP_Webmail_Attach to find webmail attachments, SMTP_Attach to find email
attachments sent, and POP3_Attach to find email attachments received.
6. Click Apply.
7. Click Search or Save as Rule.
TIP: When an incident is reported, click its Details icon to view the attachment.
NOTE: Attachments larger than 50MB cannot be reported.
Finding email senders
Use this task to find email by sender.
TIP: You can search for an email sender from the Basic Search page, but such a query may return too many
results. Use an Advanced Search so you can add additional qualifiers (like subject, host or IP address).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Address from the first menu.
4. Select sender is any of from the second menu.
5. Type one or more sender names into the value field.
6. Click Search or Save as Rule.
Finding email recipients
Use this task to find email by recipient.
TIP: You can search for an email recipient from the Basic Search page, but such a query may return too many
results. Use an Advanced Search so you can add additional qualifiers (like subject, host or IP address).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Address from the first menu.
4. Select recipient is any of from the second menu.
5. Type one or more recipient names into the value field.
6. Click Search or Save as Rule.
Finding copies of emails
Use this task to find copies of emails (cc).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email CC from the first menu.
4. Select contains any of from the second menu.
5. Type the cc: addressee into the value field.
6. Click Search or Save as Rule.
Finding blind copies of emails
Use this task to find blind copies of email (bcc).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email BCC from the first menu.
4. Select contains any of from the second menu.
5. Type the bcc: addressee into the value field.
6. Click Search or Save as Rule.
Finding webmail by port
Use this task to search for all traffic using Port 80, which is commonly used for webmail.
TIP: You can use Basic Search to find all traffic on a single port quickly, but such a search is likely to return too
many results. Use Advanced Search to add parameters that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select source is any of from the second menu.
TIP: The system returns port information in both directions, but in separate flows. For complete results, define
both source and destination values.
5. Type 80 into the value field.
6. Select Port from the first menu.
7. Select destination is any of from the second menu.
8. Type 80 into the value field.
9. Click Search or Save as Rule.
Finding webmail by protocol
Use this task to search for all traffic using the HTTP_Webmail protocol.
TIP: You can use Basic Search to find all traffic using a single protocol quickly, but such a search is likely to
return too many results. Use Advanced Search to add parameters that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Protocol from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Select HTTP_Webmail from the popup menu.
7. Click Apply.
8. Click Search or Save as Rule.
Finding chat sessions
Use this task to find incidents containing chat sessions.
NOTE: Chat sessions lasting up to four hours can be captured. They are reported in chronological order.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
If you don't have to exclude incidents containing specific chat sessions, use Basic Search instead.
2. Open the Content category.
3. Select Content Types from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Chat category.
7. Select one or more chat protocols.
8. Click Apply.
9. Click Search or Save as Rule.
NOTE: Encrypted chat sessions (for example, Skype and AOL Instant Messenger 6) cannot be captured.
Finding files
How to find files
When the DLP search engine captures files, each attribute is stored as a separate token in the
capture database. You can find files by using any of the attributes of a file, such as type, owner,
size or signature.
● From the Basic Search menu, you can find files in data at rest by selecting Host Name, Host IP, File Name
Pattern, or File Owner.
● From the Advanced Search menu, you can find files in data in motion and data at rest by selecting parameters
under File Information, Content | Content Types, or Discover.
Finding file name patterns
Use this task to find files by file name pattern.
NOTE: You can find multiple files by entering a word stem and adding an asterisk, but it is the only
metacharacter supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select File Name Pattern.
3. Click Search or Save as Rule.
NOTE: You can also find file names in file repositories and databases by going to DLP Reporting | Advanced
Search. Open Discover, select File Name Pattern, and type a pattern into the value field.
Example
Find JPG or DOC files in a repository:
DLP Reporting | Basic Search | File Name Pattern contains *.jpg,*.doc
NOTE: Only OR is supported for file name pattern searches. You can no longer use a space or ampersand to
combine terms in a search. Use the green plus icon to add an element instead.
Finding files by file type
Use this task to limit your search to files of a specific content type.
TIP: The DLP indexer captures all data on the network and sorts it into content types. If you just want to see
what they are, go to Capture | Basic Search and select Content Type, then click the "?" to launch the popup
menu, which contains all available content types.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open a content type group.
7. Check one or more file types.
NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type
containing the files is specified. Eight other compressed file types are also supported.
8. Click Apply.
9. Click Search or Save as Rule.
Finding files by owner
Use this task to find all files owned by a user.
NOTE: This feature searches the Discover database, which must contain data in order for results to be
retrieved.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select File Owner.
3. Type the file owner into the value field.
4. Click Search or Save as Rule.
Finding files by size
Use this task to find files of a specific size.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open File Information.
3. Select File Size.
4. Select range from the Condition menu. You can also specify greater or less than values.
5. Enter a value in bytes. If you define a range, use a dash to separate values.
6. Click Search or Save as Rule.
Example
File Size > range > 1024-5000 (must be expressed in bytes)
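As an added worked example (not code from the guide or from McAfee), the following matcher applies the File Name Pattern syntax from "Finding file name patterns" (an asterisk as the only metacharacter, comma-separated patterns OR-ed together) and the File Size syntax from this task (bytes, a dash-separated range, or greater/less than) to a constructed file listing. Case-insensitive name matching, the ">" and "<" spellings for greater/less than, and the listing itself are assumptions made for the example.

```python
import re

# Added example, not from the McAfee guide. Applies the File Name Pattern and
# File Size value syntax to a constructed listing. Assumed: '*' is the only
# metacharacter, comma-separated patterns are OR-ed, name matching ignores
# case, and sizes are bytes written as "1024-5000", ">1024" or "<5000".


def pattern_to_regex(pattern):
    """Anchored regex for a pattern in which only '*' is special.
    Dots, brackets and '?' stay literal, so 'file[1].*' matches 'file[1].txt'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def name_matches(filename, value):
    """True if filename matches any comma-separated pattern (OR semantics)."""
    patterns = [p.strip() for p in value.split(",") if p.strip()]
    return any(pattern_to_regex(p).match(filename) for p in patterns)


def parse_size_condition(value):
    """Predicate on a byte count for 'lo-hi', '>n', '<n' or an exact 'n'."""
    value = value.replace(" ", "")
    if "-" in value:
        lo, hi = (int(x) for x in value.split("-", 1))
        if lo > hi:
            raise ValueError(f"size range start exceeds its end: {value}")
        return lambda n: lo <= n <= hi
    if value.startswith(">"):
        bound = int(value[1:])
        return lambda n: n > bound
    if value.startswith("<"):
        bound = int(value[1:])
        return lambda n: n < bound
    exact = int(value)
    return lambda n: n == exact


def find_files(listing, name_value=None, size_value=None):
    """Names in listing (name -> bytes) meeting every condition given;
    elements added with the green plus icon are AND-ed, as on the search page."""
    size_ok = parse_size_condition(size_value) if size_value else (lambda n: True)
    return sorted(name for name, size in listing.items()
                  if (name_value is None or name_matches(name, name_value))
                  and size_ok(size))


# Constructed listing standing in for a Discover repository: name -> size in bytes.
LISTING = {
    "holiday.jpg": 4200, "logo.JPG": 900, "budget.doc": 3100,
    "notes.txt": 1500, "photo.jpeg": 8000, "archive.doc.bak": 2048,
}

if __name__ == "__main__":
    print(find_files(LISTING, "*.jpg,*.doc"))
    print(find_files(LISTING, "*.jpg,*.doc", "1024-5000"))
```

Note that "*.doc" does not match "archive.doc.bak": the pattern is anchored at both ends, so the extension must be the last thing in the name, which is what a practitioner usually wants when hunting for office documents.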
Finding files by document type
Use this task to find specific document types (for example, all Microsoft Word and Excel
documents).
TIP: You can use Basic Search to find all files of a specific document type, but such a search is likely to return
too many results. Use Advanced Search to add parameters that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Click "?".
5. Open Office Applications.
6. Select one or more office document types.
7. Click Apply.
8. Click Search or Save as Rule.
NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type
containing the files is specified. Eight other compressed file types are also supported.
Finding files using MD5 signatures
MD5 is a widely used hash algorithm that produces a compact fingerprint of a file; the product calls this
fingerprint the file's signature. Two byte-identical files always have the same MD5, so a signature search
finds every copy of a known file. The converse does not hold: MD5 collisions can be crafted deliberately, so a
matching signature shows that a file is a copy of the original, not that it is authentic.
NOTE: This procedure can no longer be used in a direct query, but it can be attached to a rule.
Use this task to find all copies of a unique file identified by an MD5 signature.
1. Log in to the back end of a DLP Manager or Monitor.
2. Go to the /usr/bin directory and locate the md5sum utility.
3. Use the md5sum utility to generate a signature.
# md5sum filename
4. Select and copy the resulting hexadecimal number.
5. Open a browser and launch the DLP Monitor or Discover user interface.
6. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP Policies.
7. Click on a rule and open File Information.
8. Select Signature.
9. Select is any of from the Condition menu.
10. Paste the hexadecimal number into the value field.
11. Click Save as Rule.
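The following is an added example (not code from the guide or from McAfee) of what steps 3 and 4 produce and of how the resulting signature identifies copies: it computes the same hex digest as "md5sum filename", then walks a directory tree and lists every byte-identical copy of a reference file. The sample tree, its file names and contents are constructed in a temporary directory for the example.

```python
import hashlib
import os
import tempfile

# Added example, not from the McAfee guide. Computes the same hex digest as
# "md5sum filename" and lists every byte-identical copy of a reference file
# under a directory tree. The sample tree is constructed in a temp directory.


def md5_of(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(reference, root):
    """Paths (relative to root) whose MD5 equals that of the reference file.
    Sizes are compared first: a file of a different length can never match,
    which avoids hashing most of a large tree."""
    ref_size, ref_sig = os.path.getsize(reference), md5_of(reference)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) == ref_size and md5_of(path) == ref_sig:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed data: an original, a renamed exact copy, and a near-copy."""
    root = tempfile.mkdtemp(prefix="dlp-md5-")
    os.makedirs(os.path.join(root, "archive"))
    samples = {
        "original.txt": b"hello\n",
        os.path.join("archive", "renamed.bin"): b"hello\n",
        os.path.join("archive", "edited.txt"): b"hello!\n",  # one byte differs
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


def demo():
    """Signature of the reference file and the copies found under the tree."""
    root = build_sample_tree()
    reference = os.path.join(root, "original.txt")
    return md5_of(reference), find_copies(reference, root)


if __name__ == "__main__":
    signature, copies = demo()
    print("signature:", signature)   # the value to paste into the Signature field
    print("copies:", copies)
```

The renamed copy is found and the edited file is not, which is the behaviour a signature rule gives you: it matches content, not names, and a single changed byte breaks the match.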
Finding images
How to find images
Use this task to find images using specific file formats.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type.
4. Click "?".
5. Open Images.
6. Select one or more image types.
7. Click Apply.
8. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.
Finding images of people
Use this task to find images containing advertising imagery or pornographic content.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Concepts.
4. Select a Condition.
5. Click "?".
6. Click Fleshtone from the popup menu.
7. Click Apply.
8. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.
Finding images using a template
Use this task to expedite image searches.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Template.
4. Click "?".
5. Select the Common Image Files template.
6. Click Apply.
7. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.
Finding IP addresses
How to find IP addresses
Use this task to search for incidents containing individual IP addresses, a range of addresses, or
IP addresses on a subnet.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Enter one or more IP addresses in the value field.
6. Click Search or Save as Rule.
Example
192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25
Finding a range of IP addresses
Use this task to find a range of IP addresses.
TIP: Use a dash between starting and ending addresses, and a comma to add individual addresses.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Enter the IP address range in the value field, lower address first. Do not use spaces.
Example
192.168.3.1-192.168.4.255
6. Click Search or Save as Rule.
Finding IP addresses on a subnet
Use this task to find IP addresses on a subnet.
Subnet searching is supported whether or not the network and host portions of the address fall on classful
boundaries (the four 8-bit octets). CIDR notation is also supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Type the subnet into the value field.
6. Click Search or Save as Rule.
Example
For subnet mask 255.255.255.128, you can use CIDR shorthand to translate the value — for example,
192.168.2.1/25
Excluding incidents using specific IP addresses
Use this task to exclude incidents using specific IP addresses from a query or rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Type an IP address range into the value field.
Example
172.25.3.100-172.25.3.199
6. Click plus to add an element.
7. Select IP Address from the first menu.
8. Select does not equal from the second menu.
9. Type one or more addresses within the range into the value field to exclude addresses from the defined range.
Example
172.25.3.101,172.25.3.197
10. Click Search or Save as Rule.
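The tasks above share one value syntax: a comma-separated list in which each item is a single address, a dash-separated range, or a CIDR block, with a second "does not equal" element carving addresses out of a range. The following matcher, added here as an example and not code from the guide or from McAfee, implements that syntax over a constructed set of incident records (the record layout and the addresses are assumptions); it rejects a reversed range, since such a range can never match anything.

```python
import ipaddress

# Added example, not from the McAfee guide. Matcher for the IP Address value
# syntax (comma-separated items; each an address, a "lo-hi" range or a CIDR
# block; no spaces) and for the include/exclude pairing used to carve
# addresses out of a range. Incident records are constructed, IPv4 only.


def parse_ip_values(value):
    """Turn '192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25' into a
    list of matchers. A range whose start is above its end is rejected."""
    items = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "-" in raw:
            lo, hi = (ipaddress.ip_address(p) for p in raw.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is above its end: {raw}")
            items.append(("range", lo, hi))
        elif "/" in raw:
            # strict=False lets a host address stand in for its subnet:
            # 192.168.2.1/25 -> 192.168.2.0/25 (mask 255.255.255.128)
            items.append(("net", ipaddress.ip_network(raw, strict=False)))
        else:
            items.append(("addr", ipaddress.ip_address(raw)))
    return items


def ip_matches(ip, items):
    """True if the address satisfies any item (the 'is any of' condition)."""
    ip = ipaddress.ip_address(ip)
    for item in items:
        kind = item[0]
        if kind == "range" and item[1] <= ip <= item[2]:
            return True
        if kind == "net" and ip in item[1]:
            return True
        if kind == "addr" and ip == item[1]:
            return True
    return False


def filter_incidents(incidents, include, exclude=""):
    """IDs of incidents with either end in `include` (is any of) and neither
    end in `exclude` (does not equal), the two elements being AND-ed."""
    inc, exc = parse_ip_values(include), parse_ip_values(exclude)

    def hit(incident, items):
        return ip_matches(incident["src"], items) or ip_matches(incident["dst"], items)

    return [i["id"] for i in incidents if hit(i, inc) and not hit(i, exc)]


# Constructed incident records: id, source address, destination address.
INCIDENTS = [
    {"id": "i1", "src": "10.0.0.5", "dst": "172.25.3.150"},
    {"id": "i2", "src": "172.25.3.101", "dst": "10.0.0.9"},
    {"id": "i3", "src": "192.168.2.100", "dst": "203.0.113.7"},
    {"id": "i4", "src": "192.168.2.200", "dst": "203.0.113.7"},
    {"id": "i5", "src": "192.168.1.244", "dst": "198.51.100.9"},
    {"id": "i6", "src": "10.1.1.1", "dst": "10.1.1.2"},
]
INCLUDE = "192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25"
EXCLUDE = "172.25.3.101,172.25.3.197"

if __name__ == "__main__":
    print(filter_incidents(INCIDENTS, INCLUDE, EXCLUDE))
```

Incident i4 falls outside the search even though it sits on 192.168.2.x: a /25 covers only .0 to .127, which is the point of the subnet-mask example above.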
Finding keywords
Excluding keywords from a query
Use this task to exclude keywords from a query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select contains none of from the second menu.
5. Type one or more keywords into the values field.
6. Click Search or Save as Rule.
Finding exact matches
Use this task to search for an exact match using keywords and logical operators.
NOTE: With the exact phrase condition, the words must appear in the order typed. With the contains condition, keywords need not be in the order specified, but all must be present.
NOTE: You can use logical operators to build a keyword query, but only for keyword expressions and exact
phrases.
NOTE: Because search is case-insensitive, you need not capitalize the keywords. Do not add quotation marks
and parentheses; they are added by the search engine.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select exact phrase from the second menu. Do not use quotation marks.
5. Type the phrase into the value field.
6. Click Search or Save as Rule.
Finding keyword expressions
Use this task to enter a keyword query using logical operators.
NOTE: You can use logical operators to build a keyword query, but only for concept or keyword expressions
and exact phrases.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select expression from the second menu.
5. Type keywords and logical operators into the values field.
6. Click Search or Save as Rule.
Finding keywords using logical operators
Use the supported logical operators to enter searches into keyword expressions and exact
phrase fields.
NOTE: Custom searches are not supported in this release. If you created a rule in DLP 8.6 using only logical
operators, it will no longer run. You must rebuild the query using parameters available in the menus available
on the rules pages.
Logical Operator    Notation                 Different Ways of Expressing the Same Query
AND                 space, AND, +, &&        Confidential Restricted Secret
                                             Confidential AND Restricted AND Secret
                                             Confidential and Restricted and Secret
                                             Confidential + Restricted + Secret
                                             Confidential && Restricted && Secret
OR                  OR, ||                   Confidential OR Restricted OR Secret
                                             Confidential or Restricted or Secret
                                             (Confidential || Restricted) && Secret
NOT                 -, !                     Confidential -Restricted -Secret
                                             Confidential !Restricted !Secret
Word stemming       ~                        Confident~ Restrict~ Secret~
Parentheses         ( )                      Confidential AND (Restricted OR Secret)
Exact Match         " "                      "Confidential and Secret"
NOTE: All operators, including Exact Match, are case-insensitive. In other words, if you search for a term in
ALL CAPS, the system will return that term not only in capital letters, but initial caps or lowercase as well.
Use logical operators (|| or OR) instead of a comma to construct an OR query. You cannot use AND operators
between URLs and email fields.
NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type
containing the files is specified. Eight other compressed file types are also supported.
Finding non-English matches
Use this task to search for non-English keywords.
NOTE: The search engine supports the UTF-8 standard.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select exact phrase from the second menu.
5. Cut and paste keywords containing the characters into the values field.
6. Click Apply.
7. Click Search or Save as Rule.
How to find keywords
The keyword search types are illustrated by the following examples.
The examples displayed here show the queries as they are summarized in search boxes. Logical operators
can be entered in value fields only when used with expression and exact phrase conditions.
Find all these words (in any order)
Keywords | Condition contains | Intel AMD NVidia
When using the contains condition, spaces between words imply AND.
Find one or more of these words (in any order)
Keywords | Condition contains any of | Intel AMD NVidia
When using the contains any of condition, spaces between words imply OR.
Find this exact phrase
Keywords | Condition exact phrase | NVidia supports AMD and Intel platforms.
When using the exact phrase condition, do not use quotation marks. Search is case-insensitive, so
upper-case and lower-case letters match each other.
Find these words, but not this word
Keywords | Condition contains | Intel AMD
Keywords | Condition does not contain | NVidia
Find either of these words, but neither of these
Keywords | Condition expression (Intel || AMD) !(Nvidia && ATI)
Find non-English content
Keywords | exact phrase | <paste in characters>
NOTE: Search keywords are highlighted in your search results, with the exception of high volume retrieval
(when the 50,000 or All Results options are selected in the Basic Search window). This limitation improves
performance.
Supported languages
Supported Languages
English
Chinese (traditional)
Chinese (simplified)
Korean
French
German
Spanish
Portuguese
Dutch
Polish
Russian
Turkish
Logical operators supported in keyword queries
Use these examples to construct keyword queries in the expressions and exact phrases fields.
Examples
These compound queries will produce the same results:
confidential +"Eyes Only" OR "Do Not Distribute" -secret -security
Confidential "Eyes Only" || "Do Not Distribute" !secret !security
This complex query adds grouping of search terms and use of word stemming:
Confidential + (("Eyes Only" || "Do Not Distribute") || (secret~ or secur~))
This query will find documents containing the word "Confidential" that are also marked EITHER "Eyes Only" or "Do
Not Distribute" OR contain variations of the words "secret" or "secure".
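To make the operator table and the three queries above concrete, here is an added example (not code from the guide or from McAfee) of a small evaluator for that syntax run over constructed documents: AND as a space, AND, + or &&; OR as OR or ||; NOT as - or !; quotation marks for an exact phrase; a trailing ~ for stemming; parentheses for grouping. Three things are assumptions of the example rather than documented behaviour: matching is case-insensitive, stemming is approximated by prefix matching (so secret~ matches "secrets" but not "security"), and a query consisting only of negative terms is rejected, as the search rules later in this chapter describe.

```python
import re

# Added example, not from the McAfee guide. Evaluator for the keyword
# expression syntax: space/AND/+/&& for AND, OR/|| for OR, -/! for NOT,
# "..." exact phrase, word~ stemming, ( ) grouping. Assumed: case-insensitive
# matching, prefix stemming, and rejection of negative-only queries.

WORD_RE = re.compile(r"[a-z0-9']+")


def tokenize(query):
    tokens, i = [], 0
    while i < len(query):
        c = query[i]
        if c.isspace():
            i += 1
        elif c == '"':                                       # exact phrase
            j = query.index('"', i + 1)
            tokens.append(("PHRASE", query[i + 1:j].lower())); i = j + 1
        elif c in "()":
            tokens.append((c, c)); i += 1
        elif query.startswith(("&&", "||"), i):
            tokens.append(("AND" if c == "&" else "OR", c * 2)); i += 2
        elif c == "+":
            tokens.append(("AND", c)); i += 1
        elif c in "!-" and i + 1 < len(query) and not query[i + 1].isspace():
            tokens.append(("NOT", c)); i += 1                # prefix negation
        else:
            word = re.match(r'[^\s()"!|&+]+', query[i:]).group(0); i += len(word)
            low = word.lower()
            if low in ("and", "or"):
                tokens.append((low.upper(), word))
            elif low.endswith("~"):
                tokens.append(("STEM", low[:-1]))            # word stem
            else:
                tokens.append(("WORD", low))
    return tokens


def parse_query(query):
    """Recursive descent; precedence NOT > AND (explicit or by adjacency) > OR."""
    toks, pos = tokenize(query), [0]

    def peek():
        return toks[pos[0]][0] if pos[0] < len(toks) else None

    def take():
        if pos[0] >= len(toks):
            raise ValueError("query ended unexpectedly")
        pos[0] += 1
        return toks[pos[0] - 1]

    def or_expr():
        left = and_expr()
        while peek() == "OR":
            take(); left = ("OR", left, and_expr())
        return left

    def and_expr():
        left = unary()
        while True:
            if peek() == "AND":
                take()
            elif peek() not in ("(", "WORD", "STEM", "PHRASE", "NOT"):
                return left
            left = ("AND", left, unary())

    def unary():
        if peek() == "NOT":
            take(); return ("NOT", unary())
        kind, val = take()
        if kind == "(":
            node = or_expr()
            if take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if kind in ("WORD", "STEM", "PHRASE"):
            return (kind, val)
        raise ValueError(f"unexpected {val!r}")

    node = or_expr()
    if pos[0] != len(toks):
        raise ValueError(f"unexpected {toks[pos[0]][1]!r}")
    if purely_negative(node):
        raise ValueError("only negative terms; add a positive term to give the search a scope")
    return node


def purely_negative(node):
    if node[0] == "NOT":
        return True
    return node[0] in ("AND", "OR") and purely_negative(node[1]) and purely_negative(node[2])


def evaluate(node, words, text):
    kind = node[0]
    if kind == "AND":
        return evaluate(node[1], words, text) and evaluate(node[2], words, text)
    if kind == "OR":
        return evaluate(node[1], words, text) or evaluate(node[2], words, text)
    if kind == "NOT":
        return not evaluate(node[1], words, text)
    if kind == "WORD":
        return node[1] in words
    if kind == "STEM":
        return any(w.startswith(node[1]) for w in words)
    phrase = " ".join(WORD_RE.findall(node[1]))               # PHRASE, word-bounded
    return f" {phrase} " in f" {text} "


def search(query, docs):
    """Sorted IDs of documents (id -> text) that satisfy the query."""
    tree = parse_query(query)
    hits = []
    for doc_id, body in docs.items():
        tokens = WORD_RE.findall(body.lower())
        if evaluate(tree, set(tokens), " ".join(tokens)):
            hits.append(doc_id)
    return sorted(hits)


DOCS = {   # constructed sample documents
    "memo1": "CONFIDENTIAL - Eyes Only. Q3 forecast attached.",
    "memo2": "Confidential: Do Not Distribute. Contains security review notes.",
    "memo3": "Confidential draft of the secrets policy, securing the perimeter.",
    "memo4": "Public newsletter. Eyes only on the prize!",
}
```

Run against DOCS, the two "same results" queries from the page both return memo1 only: memo2 carries "Do Not Distribute" but also the excluded word "security". The grouped query with stemming additionally returns memo2 and memo3, the latter through secret~ matching "secrets".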
Finding locations of violations
Finding sources of violations
Use this task to find violations in traffic sent to or received from a specific country.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination and select GeoIP Location.
3. Select a sender or recipient condition.
4. Click "?".
5. Select checkboxes of one or more countries.
6. Click Apply.
7. Click Search or Save as Rule.
Finding violations by website
Use this task to find violations associated with a website. If you know the source or destination of
a known transmission, you can find violations in traffic to or from a specific user, host or website.
NOTE:When defining a URL in a Discover scan, the URL must be preceded by the protocol used and
terminated by a slash. If the URL is not terminated, the scan will run not only within the targeted directory and
subdirectories, but will be extended to directories above the parent URL.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select URL from the first menu.
4. Select is any of from the second menu.
5. Type the URL into the values field.
6. Click Search or Save as Rule.
NOTE: This search assumes that the ignore_http_header capture filter has been removed, making it possible
for the classification engine to find HTTP posts in captured data.
How to find locations
Use this task to search for traffic sent to and received from specific countries, or to exclude
specific geographic traffic.
TIP: Use Basic Search | GeoIP Location to find all incidents involving one or more geographic locations. Use
Advanced Search to add more parameters.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select GeoIP Location from the first menu.
4. Select a condition from the second menu.
TIP: Add an additional parameter by selecting the green plus icon if you want to define more than one
condition. For example, use is none of to exclude a country, or sender and recipient values to define source or
destination.
5. Click "?".
6. Select checkboxes of one or more countries.
7. Click Apply.
8. Click Search or Save as Rule.
List of country codes
Use country codes to identify the sources or destinations of violations.
Updated list of country codes
http://www.iso.org/iso/country_codes/iso_3166_code_lists
Finding violations by port
How to find violations by port
Use this task to find violations in traffic that uses well-known ports.
NOTE: Unless you define both source and destination values, the system returns incidents in either direction,
but not both.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select source is any of from the second menu.
5. Type a port number into the values field.
6. Select the green plus icon to add a parameter.
7. Select destination is any of from the second menu.
8. Type a port number into the values field.
9. Click Search or Save as Rule.
Excluding ports from a query
Use this task to eliminate a type of traffic that is transmitted through one of the well-known ports.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select source is none of from the second menu.
5. Type a port number into the values field.
6. Select the green plus icon to add a parameter, then select Port from the first menu.
7. Select destination is none of from the second menu.
8. Type a port number into the values field.
9. Click Search or Save as Rule.
Finding violations by port range
Use this task to find violations in traffic that uses a specific port range.
TIP: For example, the Solaris operating system often uses the 1000-1023 range.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select is any of from the second menu.
5. Type the starting and ending port numbers, separated by a dash, into the values field (for example, 1000-1023).
6. Click Search or Save as Rule.
List of common port assignments
You can select from a list of common port assignments to find a specific type of traffic that uses
one of the well-known ports.
Common Port Assignments
Service                          Port #
FTP                              20/21
SSH                              22
Telnet                           23
SMTP                             25
HTTP                             80
POP3                             110
NNTP                             119
NTP                              123
IMAP                             143
HTTPS                            443
SMTP over SSL (SMTPS)            465
SMTP submission (STARTTLS)       587
IMAP over SSL                    993
POP3 over SSL                    995
TIP: You can find the latest IANA update at http://www.iana.org/assignments/port-numbers.
Finding violations by protocol
How to find violations by protocol
Use this task to search for violations in traffic transmitted by a specific protocol.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Open the Protocol category.
3. Select Protocol from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open categories and check protocol boxes.
7. Click Apply.
8. Click Search or Save as Rule.
Excluding protocols from a query
Use this task to exclude violations in traffic that uses a specific protocol.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Protocol from the first menu.
4. Select is none of from the second menu.
5. Click "?".
6. Select one or more protocol checkboxes.
7. Click Apply.
8. Click Search or Save as Rule.
Finding violations in time
How to find time-stamped files
Because the DLP Monitor captures every packet in a network data stream and time-stamps
every significant object found, it is essential to set a time frame for your search or rule.
Objects are time-stamped in UTC, but you can use either local or global time conditions. The
system does the conversion for you.
TIP: Remember the date of installation of the DLP appliance when searching in time. The system cannot
retrieve results that were never captured.
NOTE: If you have a time frame set under Incidents | Filter by... , it takes precedence over one set in Advanced
Search.
Searching in a relative time frame
Use this task to find a file time-stamped within a relative time frame.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select any parameter from the first menu.
4. Select a local or global before, between or after time from the drop-down menus.
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
Searching in an exact time frame
When you define a time in a search or rule, your local time is automatically converted to Greenwich Mean Time.
If you are managing several DLP Monitors in different locations, you can find captured data at the same clock
time in each of those locations.
Use this task to select an Exact Time in local or Greenwich Mean Time.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select Exact Time from the first menu.
4. Select a local or global before, between or after time from the drop-down menus.
Condition group                                          Options
Automatic Conversion to GMT (same moment globally)       before, between, after
Local time (same clock time globally)                    before (local time), between (local time), after (local time)
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
Searching by file creation time
Use this task to find a file that was created in a specific time frame.
NOTE: The interface displays the time zone of the DLP appliance.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select File Creation Time from the first menu.
4. Select before, between or after from the second menu.
5. Click the Calendar icon and select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
Example
File Creation Time > between > 16:30:00 and 17:00:00.
Searching by file last accessed time
Use this task to find out when a file was last accessed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select File Last Accessed from the first menu.
4. Select before, between or after from the second menu.
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
Example
Last Accessed > before > 17:00:00
TIP: If a Discover crawl processes more than 50,000 files, the date and time is reported in
yyyyMMddHHmmss format (for example, 20090820120000). Because Microsoft Excel interprets this as a large
number, it is displayed in scientific notation (for example, 2.01E+13).
Recover the date by selecting the column, then setting the number format to zero decimal places under Tools |
Format | Cell | Number.
Searching by last modification time
Use this task to find out when a file was last modified.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Select the Date/Time category.
3. Select Last Modification Time from the first menu.
4. Select before, between or after from the second menu.
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
Example
Last Modification Time > after > 13:30:00
Searching by local or Greenwich Mean Time
Use this task to search for an event that occurs at the same local time in different time zones.
When you define a time in a search or rule, your local time is automatically converted to Greenwich Mean Time
. But if you are managing several DLP Monitors in different locations, you will want to know what the local time
is in each of those locations.
Example:
If you are managing a global network, you may expect confidential data to be entering or leaving the network data
stream during business hours. But after 5 PM local time, movement of sensitive data may indicate a leak.
By creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los Angeles, New York,
London, and Tokyo offices, you can monitor data at the time most employees are leaving each of those facilities.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Select Date/Time from the first menu.
3. Select Exact Time from the second menu.
4. Select a local or global before, between or after time from the drop-down menus.
Condition group                                          Options
Automatic Conversion to GMT (same moment globally)       before, between, after
Local time (same clock time globally)                    before (local time), between (local time), after (local time)
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
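The following added example (not code from the guide or from McAfee) shows the difference between the two condition groups for the after-hours rule described above: the "(local time)" conditions produce one UTC interval per office, whereas the automatic GMT conversion produces a single interval that is the same moment everywhere. The UTC offsets for the four offices are assumed standard-time values chosen for illustration; a real deployment should take them from IANA zone data so that daylight saving time is honoured. Dates are passed as ISO strings so the functions are easy to call.

```python
from datetime import date, datetime, time, timedelta, timezone

# Added example, not from the McAfee guide. Contrasts the "Automatic Conversion
# to GMT" condition (one moment everywhere) with the "(local time)" condition
# (same clock time in every office) for the guide's 5-6 PM after-hours rule.
# Offsets are assumed standard-time values; use IANA zone data in production.

UTC = timezone.utc
OFFICE_OFFSETS = {"Los Angeles": -8, "New York": -5, "London": 0, "Tokyo": 9}


def parse_utc(text):
    """'YYYY-MM-DD HH:MM' as an aware UTC datetime (captures are stamped in UTC)."""
    return datetime.fromisoformat(text).replace(tzinfo=UTC)


def local_window_to_utc(day, start, end, offset_hours):
    """Clock-time window on `day` in one office -> (start, end) in UTC."""
    tz = timezone(timedelta(hours=offset_hours))

    def to_utc(t):
        return datetime.combine(day, t, tzinfo=tz).astimezone(UTC)

    return to_utc(start), to_utc(end)


def after_hours_windows(day_text, start=time(17), end=time(18)):
    """'between 17:00 and 18:00 (local time)': one UTC interval per office."""
    day = date.fromisoformat(day_text)
    return {name: local_window_to_utc(day, start, end, off)
            for name, off in OFFICE_OFFSETS.items()}


def global_window(day_text, start=time(17), end=time(18)):
    """'between 17:00 and 18:00' with automatic conversion: a single interval."""
    day = date.fromisoformat(day_text)
    return (datetime.combine(day, start, tzinfo=UTC),
            datetime.combine(day, end, tzinfo=UTC))


def offices_in_window(event_text, windows):
    """Offices whose local after-hours window contains a UTC-stamped capture."""
    event = parse_utc(event_text)
    return sorted(name for name, (s, e) in windows.items() if s <= event < e)


if __name__ == "__main__":
    windows = after_hours_windows("2010-03-01")
    for name, (s, e) in windows.items():
        print(f"{name:12} {s:%Y-%m-%d %H:%M}Z to {e:%H:%M}Z")
    print("global 17:00-18:00 GMT:", global_window("2010-03-01"))
    print("01:30Z next day is after hours in:",
          offices_in_window("2010-03-02 01:30", windows))
```

Note that the Los Angeles window lands on the following UTC calendar day and the Tokyo window on the morning of the same UTC day; a rule written with the plain "between" condition would watch only the London office's leaving time.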
Searching with concepts and templates
Using concepts and templates in queries
Concepts and templates can be used to expedite queries. Concepts provide ready-made
parameters to find all data of a similar type, while templates can be used to avoid repetitive
searching.
Using concepts in queries
Use this task to find concepts (collections of data related to a single issue) in a search.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Concept from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Select one or more concepts from the popup menu.
7. Click Apply.
8. Click Search or Save as Rule.
NOTE: The number of concepts usable in a compound search or a rule is limited only by the number of
concepts defined in the system.
Using templates in queries
Use this task to search using a template.
For example, you might use a template to find all documents of a certain type, or give a name to
an IP address range.
TIP: Go to Policies | Templates and open any template to learn to construct one of your own.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Template from the first menu.
NOTE: Each category on the Advanced Search and Add/Edit Rule pages includes a Template element
containing a set of templates related to that category.
4. Select equals from the second menu.
5. Click "?".
6. Select a template from the popup menu.
NOTE: All templates are available from the popup menu. If you add a custom template, it is automatically added
to the menu.
7. Click Search or Save as Rule.
TIP:When you tune a rule, use a template to run repetitive queries that vary slightly.
Using concept expressions in a query
Use this task to create a complex concept query using logical operators.
NOTE: You can use logical operators to build a keyword query, but only for concept or keyword expressions
and exact phrases.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Concept from the first menu.
4. Select expression from the second menu.
5. Type an expression into the value field.
6. Click Search or Save as Rule.
Example:
The expression concept:CCN -concept:AMEX (concept:SSN OR concept:EIN) finds credit card numbers that are not American Express AND either Social Security or Employer Identification numbers.
Excluding a concept from a query
Use this task to exclude an entire concept from a query.
NOTE: Concepts identify collections of data related to a single issue. Content concepts, the type most widely
used, use patterns to identify related data objects.
For example, if you wanted to find credit cards using any possible numbering pattern except American Express,
you could eliminate the AMEX concept from a general credit card query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: You may also exclude a concept from an existing rule by editing it.
2. Open the Content category
3. Select Concept from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Select one or more VISA, DISCOVER, MASTERCARD, DINERS or JCB checkboxes.
7. Click Apply.
8. Select plus to add an element.
9. Select Concept from the first menu.
10. Select is none of from the second menu.
11. Click "?".
12. Select the AMEX checkbox.
13. Click Apply.
14. Click Search or Save as Rule.
Understanding search rules
Rules used by the indexer
Because DLP systems capture all network data, some rules are needed to classify and store it.
Search rules
● How archives are handled
● Understanding case insensitivity
● How Microsoft Office 2007 files are handled
● Avoiding negative searches
● Number of results supported
● Parts of speech excluded from capture
● How proper names are treated
● Handling of short words
● Special character exceptions
● How word stemming is handled
How archives are handled
The search engine finds, extracts and evaluates content in ZIP, GZIP and TAR archives, but only
if the compressed file type is identified in the query.
Case insensitivity rule
The search engine is case-insensitive.
For example, if you search for a term in ALL CAPS, the system will retrieve and report the
matching content, whether it is in upper or lower case.
How Microsoft Office 2007 files are handled
The indexer ignores certain Microsoft Office 2007 content because of the way the applications
handle fonts, colors, macros, and page definition.
● If two dictionary words are merged together, the merged word will not be found.
Example:
American and Recovery are two dictionary words. If they are merged into the word AmericanRecovery, they will
not be found.
● If a word in a Microsoft Office 2007 document has different fonts and colors, the word will not be read as a
whole and will not be found.
Example:
If all the letters in the word Recovery are of different fonts and colors, it will not be found.
● If a word continues across two different pages, it will not be found.
Example:
If the word Recovery is spread across two pages (one page contains Rec and the second page contains overy), it
will not be found.
● Words in documents that use special Microsoft Office 2007 font features like WordArt, SmartArt, and
watermarks will not be found.
● Words present in macros in Microsoft Office 2007 documents, and headers and footers in PowerPoint and
Excel, will not be found.
Avoiding negative searches
The search engine does not recognize queries that consist entirely of negative search terms.
A query containing only words not to be found is instructing the search engine not to search.
Therefore, you must define a scope of data within which the term will not be found.
Number of results supported
The search engine is designed to retrieve no more than 10,000 results at a time. If this limit is
exceeded, match strings will not be retrieved, and hits on substrings may return overly broad
results.
The dashboard incident list is limited to 5,000 results, but up to 150,000 incidents can be exported via CSV.
Other exports from the dashboard are limited to 5,000.
TIP: If your search results exceed this number, narrow your query and repeat the search.
Parts of speech excluded from capture
The indexer ignores some common parts of speech.
Parts of speech like a, and, this, therefore, else, while, and with are excluded from capture.
How proper names are treated
The indexer treats proper name searches like keyword searches. It is not necessary to capitalize
them.
Handling of short words
The indexer ignores words of three characters or fewer. Short words like air,
eye, mac, pet, sox, and zip are excluded from capture.
Exceptions
● Postal codes are reported [AL, CA, CT, TX, NY...]
● Common governmental acronyms are reported [DMV, CIA, DOJ, FAA, NSA, IRS]
Special character exceptions
The indexer reports words that include non-alphabetic characters, such as numbers or spaces, only
if they are identified in an Exact Search.
The following characters have special meaning and cannot be used in searches.
Character      Description
.              period
;              semicolon
|              pipe
`              back tick
< >            less than/greater than
( )            parentheses
\ \\           backslashes
/> ]]>         markup
*              control characters
/              escape characters
If you enter any of these characters in a query, you might get one of the following error messages:
Invalid character(s) in the input for the field
Search did not complete.
How word stemming is handled
The search engine does not recognize incomplete or partial words, but word stemming is
supported.
NOTE: If an exact search is defined, stemming is disabled.
Example
● Searching for "basket" to retrieve "basketball" will not return a result.
● Searching for "run" in "running" will return a result.
NOTE: If the plural of a complete word used in a search is found, the result is reported as if it were a word stem.
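The following pre-check script is an added illustration, not McAfee code. It models the search rules described above (reserved characters, all-negative queries, case insensitivity, excluded parts of speech, short words and their exceptions, non-alphabetic terms outside an Exact Search) so an administrator can see which terms a query will actually search on before submitting it; the stop-word and short-word exception lists contain only the examples given in this guide.

```python
"""Pre-check an ad hoc search query against the capture-engine rules in this guide.

Added illustration, not McAfee code. It models the documented behaviour so an
administrator can see, before submitting, which terms the engine will search on,
which it will silently drop, and which will produce an error.
"""

# Characters the guide lists as having special meaning in search input.
RESERVED_CHARS = set(".;|`<>()\\*/")

# Common parts of speech the indexer excludes (the guide's examples only).
STOP_WORDS = {"a", "and", "this", "therefore", "else", "while", "with"}

# Words of three characters or fewer are dropped, except for these reported
# exceptions. Only the guide's examples are listed; a deployment may have more.
SHORT_WORD_EXCEPTIONS = {"AL", "CA", "CT", "TX", "NY",
                         "DMV", "CIA", "DOJ", "FAA", "NSA", "IRS"}

INVALID_CHAR_ERROR = "Invalid character(s) in the input for the field"
NEGATIVE_ONLY_ERROR = ("Query consists entirely of negative terms; "
                       "add a positive term to define the scope")


def check_query(terms, exact=False):
    """Classify each term of a query.

    terms: list of strings; a leading '-' marks a negative (not-to-be-found) term.
    exact: True for an Exact Search, where non-alphabetic characters (digits,
           spaces) are matched and stemming is disabled.

    Returns {"error": message} when the engine would reject the query, otherwise
    {"searched": [...], "negatives": [...], "ignored": {term: reason}}.
    """
    # Reserved characters anywhere in the input make the whole query invalid.
    for term in terms:
        if any(ch in RESERVED_CHARS for ch in term):
            return {"error": INVALID_CHAR_ERROR}

    positives = [t for t in terms if not t.startswith("-")]
    negatives = [t[1:] for t in terms if t.startswith("-")]
    # A query made only of negative terms gives the engine nothing to search.
    if terms and not positives:
        return {"error": NEGATIVE_ONLY_ERROR}

    searched, ignored = [], {}
    for term in positives:
        # Matching is case-insensitive, so the engine's view of the term is lowercased.
        norm = term.lower()
        if not term.isalpha() and not exact:
            ignored[term] = "contains non-alphabetic characters; only matched in an Exact Search"
        elif norm in STOP_WORDS:
            ignored[term] = "common part of speech excluded from capture"
        elif len(term) <= 3 and term.upper() not in SHORT_WORD_EXCEPTIONS:
            ignored[term] = "three characters or fewer; not indexed"
        else:
            searched.append(norm)
    return {"searched": searched,
            "negatives": [n.lower() for n in negatives],
            "ignored": ignored}


if __name__ == "__main__":
    # Constructed sample queries.
    for query, exact in ((["Recovery", "air", "NSA", "with", "-basket"], False),
                         (["-secret"], False),
                         (["foo.bar"], False),
                         (["1234"], False),
                         (["John Smith"], True)):
        print(query, "exact" if exact else "word", "->", check_query(query, exact))
```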
Monitoring Active Directory users
How remote user accounts are monitored
Historically, DLP Manager has been linked to SAMAccountName as the main user identification
element. But if that attribute is applied to users in the same domain who have similar or matching
user names, they cannot be positively identified. DLP now keys on the unique alphanumeric SID
(Security Identifier) that is assigned to each user account by the Windows domain controller.
For example, the user name jsmith may belong to John Smith or Jack Smith, so more information
would be needed to distinguish between those two users. Those individuals may even be using
the same IP address, which would aggravate the problem of discovering the identity of the actual
user.
But each account on an Active Directory server is made up of attributes that identify the
individual who owns the account. McAfee Logon Collector matches the unique SIDs that are
assigned to each Active Directory user to IP addresses, and all of the parameters associated
with that SID are extracted when MLC moves binding updates from the Active Directory server to
DLP.
NOTE: Because SAMAccountName was used to index data in earlier releases, that information may be lost
during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database
pre-dates the upgrade.
Using Active Directory User elements
All Active Directory elements are treated as word queries, and can be directed to specific
LDAP servers.
When these elements are used in a query, columns supporting the parameter are configured in
the search popup and on the dashboard.
NOTE: Each of the user elements retrieves the attributes listed.
Parameters available
● User Name: user's name, alias, department, location
● User Groups: user's group
● User City: user's city
● User Country: user's country
● User Organization: user's company or organization
Using DLP on remote LDAP servers
The ability to monitor user traffic on Active Directory servers now has been extended to directory
servers, making global user management a reality.
The ability of DLP 9.0 to connect to multiple domain controllers makes this possible. Not only is
data on local networks captured, but it is extended to all traffic on up to two LDAP servers.
When users can be recognized by name, group, department, city or country, a DLP administrator
can extract a great deal of significant information by using a few seminal facts to gradually gather
more details about potential violations.
Viewing Active Directory incidents
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents. When
you get results from querying a directory server, you can view them on the Data-in-Motion
dashboard or the corresponding ePO dashboard.
Click Columns to see what other data categories are available for display.
NOTE: Not all of these parameters can be used for queries. This accounts for the disparity of data categories on
search and rule pages.
Adding Active Directory columns to the dashboard
When you view Active Directory results, you will want to see all the user data available for the
query you made. Use this task to add user columns to the dashboard.
NOTE: The columns available reflect the scope of data available. Not all of these parameters can be used for
searching captured data or implementing rules. In an ad hoc search, some Active Directory attributes (user
names, companies, email, managers, titles) are not displayed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Use the Add and Remove buttons to move Available columns to the Selected box.
NOTE: There are many more columns available than there are searchable network elements.
They were added to the interface to accommodate Host DLP. You can use them to display
additional attributes that are reported, but not displayed by default.
Columns available
● User Custom
● UserCity
● UserCompany
● UserCountry
● UserEmail
● UserGroups
● UserID
● UserManager
● UserName
● UserGroup
● UserOrganization
● Network printer
● Network path
● Location Tag Path
4. Use Move buttons to move all User columns to the top of the Selected pane.
TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.
Adding rules to find Active Directory information
After you have configured your DLP system to get Active Directory user parameters, you will be
able to search network traffic for any user information on that server. Use this task to create rules
that will find significant information in that traffic.
TIP: You can construct a rule to keep administrators, who are responsible for handling privileged information,
from being reported as violators.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. From the Actions menu, select Add a Policy.
NOTE: You can skip this step and add a rule to an existing policy, or add Active Directory user parameters to an
existing rule.
3. Select Add a rule from the Actions menu.
4. Select a Severity to classify the rule.
5. Set the Inherit Policy State to Enabled to bind the rule to the policy.
6. Open Content and add a keyword, concept, or content type to retrieve specific content (optional).
7. Open Source/Destination and click on a user parameter.
8. Click "?" and select an Active Directory server.
9. Click Find to retrieve all available patterns.
TIP: If you know what you are looking for, you can type it into the search field.
10. Click on one or more patterns and Apply.
11. Add other parameters as needed.
12. If you want to apply an action when a match is found, click on the Actions tab and add one or more.
13. Click Save.
Advantages of keying on SIDs
Because McAfee Logon Collector allows DLP to key on SIDs instead of sAMAccountNames, the
identities of individual users can be resolved and their traffic can be monitored. By leveraging
multiple user attributes, it is now possible to identify end users conclusively, regardless of what
email or IP addresses they are using.
When a SID is retrieved from the Active Directory server, all of its associated attributes, such as
domain name, location, department and user group, come with it. That collection of information
can then be used in rules, templates, action rules, and notifications to find and stop security
violations by specific users.
Types of Active Directory data supported
The following Active Directory parameters are supported by this release.
● UserCity (ucity)
● UserCountry (ucountry)
● UserDepartment (udepartment)
● UserGroups (ugroup)
● UserName (uname)
NOTE: These are the parameters that can be used for queries and rules, but incidents that are reported on the
dashboard may have more objects available in the database. That information can be viewed by adding
columns that can display those fields.
The following Active Directory parameters are supported by the standalone Host DLP 9.0.
● Network path
● Network printer
● Location Tag Path
How McAfee Logon Collector is used with DLP
Suppose you know that your company has lost intellectual property to a Chinese firm, and you
suspect that the leak came from an insider in your Shanghai branch. Because McAfee
DLP captures all traffic on your company's network, you can add an Active Directory server that
contains the user account of that insider to DLP Manager, then search for the UserName of that
individual and monitor his communications.
You might then search his communications for the name of the lost component, then find the
email address and geographical location of users outside the company who may have received
the information.
You might not know what will be in those communications, but you can use what you find to ask
the next logical question.
TIP: If you don't know the user's name, you can gradually develop his identity by searching for users in
Shanghai, searching the user groups in your Engineering division, and identifying a sub-group that may
contain the user.
How McAfee Logon Collector enables user identification
McAfee Logon Collector is used to map IP addresses to user identities within Active Directory
servers. Without it, users may be hard to identify because they may be logged into different or
multiple workstations. IP addresses change when DHCP servers automatically assign new
addresses, and more than one user might be logged on to the same workstation.
When a McAfee Logon Collector is configured with a DLP Manager, it resolves user identities
by retrieving collections of user account information from all Active Directory servers that have
been added to the DLP system. Supporting multiple domain controllers means that large-scale
enterprise operations can be served by McAfee applications.
For DLP, that means that after McAfee Logon Collector is enabled, DLP administrators can
configure Active Directory-based queries and rules to find out what activities specific users are
engaging in on the network.
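The following model is an added illustration, not McAfee Logon Collector code, and it serves both "How remote user accounts are monitored" and this section: it shows why a login name (sAMAccountName) cannot positively identify a user while a SID can, and why an IP-to-SID binding must be matched by time as well as by address when DHCP reassigns addresses or several users share a workstation. All SIDs, names, addresses and timestamps are constructed placeholders.

```python
"""Resolve the source IP of a network incident to one Active Directory account.

Added illustration, not McAfee Logon Collector code. Two constructed accounts
share the login name jsmith, one constructed address is reassigned during the
day, and one constructed workstation has two concurrent logons, so a resolver
that keys only on name or only on address gets the wrong answer.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AdAccount:
    sid: str                 # unique Security Identifier assigned by the domain controller
    sam_account_name: str    # login name; several accounts may share it
    display_name: str
    department: str
    city: str
    country: str


@dataclass(frozen=True)
class LogonBinding:
    """One IP-to-SID binding, as a logon collector would forward it to DLP."""
    ip: str
    sid: str
    logged_on: datetime
    logged_off: Optional[datetime]   # None means the session is still active


_T = datetime.fromisoformat

# Constructed sample directory with placeholder SIDs.
DIRECTORY: Dict[str, AdAccount] = {a.sid: a for a in (
    AdAccount("S-1-5-21-0-0-0-1001", "jsmith", "John Smith", "Engineering", "Shanghai", "CN"),
    AdAccount("S-1-5-21-0-0-0-1002", "jsmith", "Jack Smith", "Finance", "Chicago", "US"),
    AdAccount("S-1-5-21-0-0-0-1003", "alee", "Anna Lee", "Engineering", "Shanghai", "CN"),
)}

# Constructed binding updates: 10.1.2.3 is handed to a second user by DHCP in the
# afternoon; 10.1.2.9 is a shared workstation with overlapping logons.
SAMPLE_BINDINGS: List[LogonBinding] = [
    LogonBinding("10.1.2.3", "S-1-5-21-0-0-0-1001", _T("2010-06-01T08:00"), _T("2010-06-01T12:00")),
    LogonBinding("10.1.2.3", "S-1-5-21-0-0-0-1002", _T("2010-06-01T13:00"), _T("2010-06-01T18:00")),
    LogonBinding("10.1.2.9", "S-1-5-21-0-0-0-1001", _T("2010-06-01T09:00"), None),
    LogonBinding("10.1.2.9", "S-1-5-21-0-0-0-1003", _T("2010-06-01T09:30"), None),
]


def lookup_by_sam_account_name(name: str) -> List[AdAccount]:
    """Name-keyed lookup: returns every account with that login name, which is
    why a name alone cannot positively identify a user."""
    return [a for a in DIRECTORY.values() if a.sam_account_name.lower() == name.lower()]


def sids_bound_to(ip: str, when: datetime, bindings: List[LogonBinding]) -> List[str]:
    """SIDs whose logon interval on `ip` covers the incident time `when`."""
    return [b.sid for b in bindings
            if b.ip == ip and b.logged_on <= when
            and (b.logged_off is None or when < b.logged_off)]


def resolve_incident(ip: str, when_iso: str,
                     bindings: List[LogonBinding] = SAMPLE_BINDINGS) -> Optional[AdAccount]:
    """Return the single account responsible for traffic from `ip` at `when_iso`
    (ISO 8601), or None when no binding covers that moment or more than one
    user was logged on, in which case the incident needs further qualifiers."""
    sids = sids_bound_to(ip, _T(when_iso), bindings)
    if len(sids) != 1:
        return None
    return DIRECTORY.get(sids[0])


def rule_attributes(account: AdAccount) -> Dict[str, str]:
    """The attribute set that comes with a resolved SID, under the user parameter
    names this guide lists for queries and rules."""
    return {"UserName": account.sam_account_name,
            "UserDepartment": account.department,
            "UserCity": account.city,
            "UserCountry": account.country}


if __name__ == "__main__":
    print("jsmith by name ->", [a.display_name for a in lookup_by_sam_account_name("jsmith")])
    for ip, when in (("10.1.2.3", "2010-06-01T09:30"), ("10.1.2.3", "2010-06-01T15:00"),
                     ("10.1.2.3", "2010-06-01T12:30"), ("10.1.2.9", "2010-06-01T10:00")):
        acct = resolve_incident(ip, when)
        print(ip, when, "->", rule_attributes(acct) if acct else "unresolved")
```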
Finding remote user information
How remote user data is retrieved
The extension of McAfee DLP capabilities through multiple Active Directory controllers makes it
possible to retrieve more information about remote users than ever before.
If your local network is connected through McAfee Logon Collector to remote Active Directory
servers, this capability brings your global security problems down to local control.
TIP: When a user parameter is used to bring in remote information, it is best to use it as a key within a larger
search or rule. Add other qualifiers to target the information that is needed.
NOTE: Before you can search for user information on remote servers, you will have to add an Active Directory
server and establish secure connections between a McAfee Logon Collector and DLP Manager.
Finding remote users by name
Use this task to get information about specific users on remote networks.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or
rules.
2. Open the Source/Destination category.
3. Select User Name from the first menu.
4. Select is any of from the second menu.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user name entries.
8. Select Local User or Everyone.
9. Click Apply. The selected user names will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote
users.
11. Click Search or Save as Rule.
Finding remote users by group
Use this task to get information about users on remote networks who are members of specific
groups.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or
rules.
2. Open the Source/Destination category.
3. Select User Group from the first menu.
4. Select is any of from the second menu.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user group entries.
8. Select one or more groups.
9. Click Apply. The selected groups will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote
groups.
11. Click Search or Save as Rule.
Finding remote users by city
Use this task to get information about users on remote networks who reside in specific cities.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or
rules.
2. Open the Source/Destination category.
3. Select User City from the first menu.
4. Select is any of from the second menu.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user city entries.
8. Select one or more cities.
9. Click Apply. The selected city's users will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote
users of the selected city.
11. Click Search or Save as Rule.
Finding remote users by country
Use this task to get information about users on remote networks who reside in a specific country.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or
rules.
2. Open the Source/Destination category.
3. Select User Country from the first menu.
4. Select is any of from the second menu.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user country entries.
8. Select one or more countries.
9. Click Apply. The selected country's users will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote
users of the selected country.
11. Click Search or Save as Rule.
Finding remote users by organization
Use this task to get information about users on remote networks who work for specific
organizations or companies.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or
rules.
2. Open the Source/Destination category.
3. Select User Organization from the first menu.
4. Select is any of from the second menu.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user organization entries.
8. Select one or more organizations.
9. Click Apply. The selected organizations will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote
organizations.
11. Click Search or Save as Rule.
Getting and processing results
Using the Incidents dashboard
The Incidents dashboard gives you a detailed and comprehensive picture of the risks faced by
your organization. The incidents and events reported are stored in three different databases,
which correspond to the appliances that produced them.
Database vectors
● Data-in-Motion incidents are produced by DLP Monitor when its rules match data in the network stream.
● Data-at-Rest incidents are produced by DLP Discover when a scan finds sensitive data in network
repositories or databases.
● Data-in-Use events are produced by DLP Host when data violations are found at network endpoints.
The dashboard tools give you the means to sort through all of the databases to reveal the most
significant objects.
Dashboard tools
● Selecting pre-defined views, such as Incident Listing, offers different configurations of the incidents on the
dashboard.
● Clicking the List, Group Detail, and Summary buttons displays some typically useful configurations.
● Clicking on any link on the dashboard changes the sorting keys in the Group by pane to reveal
different attributes of the incidents.
● Building filters using the Filter by pane offers dozens of options for viewing the data stored in the databases.
● Selecting the Disk or Options icons allows you to save significant collections of data as views or reports.
If you are using DLP through ePolicy Orchestrator, all DLP dashboard tools are available to you.
In addition, you can get summaries of the incidents and events on the main ePO dashboards.
TIP: Assign incidents to cases to collaborate on investigating and resolving problems.
Using the DLP Homepage
Checking Homepage permissions
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP HomePage.
Your role in the organization determines what you will be able to see on this page.
You can check your permissions by checking DLP Sys Config | User Administration | Groups |
Details | Task Permissions | Incident Permissions.
NOTE: Because permissions are assigned by group, you will have to find out what group you belong to before
checking permissions.
Configuring the DLP Homepage
The DLP Homepage gives you a quick overview of incidents found on your network or in
network repositories. You can also get a summary of events that have taken place at network
endpoints on this page.
Incidents are categorized by the Data-in-Motion, Data-at-Rest, or Data-in-Use vectors. These
correspond to data moving over the network, data in network repositories, and events taking
place at network endpoints.
Customizing the DLP Homepage
Use this task to display up to four different reports on your home page.
TIP: You can control the details of incidents you see on the Incidents dashboard by sorting, grouping and
filtering them.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP HomePage.
2. Select Customize from the Options menu.
3. Select up to four reports.
4. Click Apply.
How to use the Homepage
All incidents and events that are reported on the Incidents dashboard can also be viewed
directly by clicking the ePO Dashboard icon.
NOTE: If you want to sort, filter, or manage any of the incidents, you must go to the DLP Reporting | Incidents
dashboard.
● DLP Status Summary
● DLP Executive
● DLP Manager
● DLP Data-in-Motion
● DLP Data-at-Rest
● DLP Data-in-Use
Getting details of results
How to get incident details
Use this task to get details about an incident.
TIP: If you cannot see incident details, you may not have the right permissions set. See your administrator.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. On the Incident Details page, click any available link.
NOTE: The document will launch if the supporting software is installed. If there is another link inside the
document, it is likely to be the database object that triggered the incident.
4. Click any tab to get additional information.
NOTE: Incidents that are captured in real time, like chat and FTP sessions, cannot display details (like file
names and user information) because they cannot be synchronized with the existing flow.
Finding matches that triggered incidents
Use this task to find the match string that triggered an incident.
TIP: If you cannot see incident details, you may not have the right permissions set. See your administrator.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. In the Incident Details window, click Matches.
Finding out if an incident is in a case
Use this task to find out if an incident has been included in a case.
TIP: If you cannot see incident details, you may not have the right permissions. See your administrator.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. On the Incident Details page, click Case.
Getting history of an incident
Use this task to find out who looked at an incident and what actions were taken.
TIP: If you cannot see incident details, you may not have the right permissions. See your administrator.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. In the Incident Details window, click History.
Identifying concepts that triggered incidents
Use this task to find out what concept triggered an incident.
TIP: If you cannot see incident details, you might not have the right permissions. See your administrator.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. In the Incident Details window, click Concepts.
Generating reports
How reports are generated
When you save a report, you are saving the content of what you are seeing on the dashboard in
PDF, HTML or CSV format.
NOTE: CSV output is limited to 150,000 incidents. The maximum size of the exported report is 5 MB. There are
no limits on the number of incidents exported in a case.
If you want to save the dashboard settings, save a view instead.
NOTE: An incident that is exported from the dashboard cannot be saved if it is larger than 5 KB.
Adding a company name to a report
Use this task to display a company name on a report.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | System Administration.
2. Select a Configure link for the DLP Manager being used to create the report.
3. Scroll down to Company Information.
4. Type in your company name.
5. Click Update.
Creating CSV reports
Use this task to export an ASCII report in CSV format.
NOTE: The CSV format is available only under List view. Group Detail and Summary are not supported.
NOTE: Unlike the HTML and PDF Incident List Reports, there is no maximum number of incidents or maximum
size for the exported report.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List.
4. Click Options.
5. Select Export as CSV.
6. Select Open or Save.
If you select Open, the report will launch in spreadsheet format if you have Microsoft Excel installed.
If you select Save, the report will be saved to your desktop.
Creating HTML reports
Use this task to export a report in HTML format.
NOTE: The maximum number of incidents displayed in the HTML Incident List Report is 5,000. The maximum
size of the exported report is 5 MB.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List, Group Detail, or Summary.
4. Select Export as HTML from the Options menu.
5. Select Open or Save.
If you select Open, the report will open in a web browser.
If you select Save, the report will be saved to your desktop.
Creating PDF reports
Use this task to export a report in Adobe PDF format.
NOTE: The maximum number of incidents displayed in the PDF Incident List Report is 5,000. The maximum
size of the exported report is 5 MB.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List, Group Detail, or Summary.
4. Select Export as PDF from the Options menu.
5. Select Open or Save.
If you select Open, the report will launch if you have Adobe Reader installed.
If you select Save, the report will be saved to your desktop.
Scheduling reports
Use this task to set up a report to run on a regular basis and send an email notification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click the Disk icon.
3. Name the view.
4. Select an owner.
NOTE: Ownership is determined by the group to which a user belongs. If the user's group is not listed, go to
DLP Sysconfig | User Administration | Groups and add the group.
5. Click Set as Home View (optional).
6. Click Schedule Reports.
7. Click Types.
8. Fill in the report frequency parameters.
9. Type in the email parameters.
10. Click Save.
Setting up views
How to set up views
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views. Use
this page to manage all standard and custom views you have collected. Using a variety of
significant data patterns will help you to understand and manipulate the incidents that are found.
TIP: Pull down the Incident Listing menu on the Incidents page and select another view to see how results can
be rearranged.
Attachments can be displayed if they are under 50 MB. The number of incidents that can be
reported is limited to 150,000. After that number is reached, chunks of supporting data are
wiped, starting with the oldest incidents first.
Copying views to users
Use this task to copy a view that you have created to another group of users.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Check a view box.
3. Select Copy View to Users from the Actions menu.
4. Check a group box.
5. Click Apply.
TIP: Add a user group if the one you need is not listed.
Deleting views
Use this task to delete views from the Incident Listing menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Check a view box.
3. Select Delete from the Actions menu.
4. Confirm or cancel.
Saving views
Use this task to save a customized view to the Incident Listing menu.
NOTE: When you save a view, you are storing your current dashboard settings. To save the content you are
seeing, create a report instead.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Select a vector from the Data-in-Motion dashboard menu.
3. Reconfigure your dashboard (optional).
4. Group your results (optional).
5. Filter your results (optional).
6. Click the Disk icon.
7. Name the view.
8. Select an owner.
NOTE: Ownership is determined by the group to which a user belongs. Add a group if the user's group is not
listed.
9. Check Set as Home View (optional).
10. Schedule a report that will use the view (optional).
11. Click Save.
Selecting different views
You can switch to different Incident configurations by selecting from a variety of different
dashboard menus.
TIP: Many views keyed on different attributes of reported incidents are available in the Incident Listing menu. If
none suit your purposes, save a custom view; it will be added automatically to the list.
NOTE: Each of the view vector menus (Data-in-Motion, Data-at-Rest, Data-in-Use) references a different
database.
Selecting a view vector
Use this task to control the display of incidents from the three databases that support
DLP devices.
The vector menu is located over the Actions menu on the Incidents dashboard.
● Select Data-in-Motion from the vector menu to view incidents found in the network data stream.
● Select Data-at-Rest from the vector menu to view incidents found by scanning repositories.
● Select Data-in-Use from the vector menu to view events that have occurred on endpoints.
Selecting pre-configured views
The Incidents dashboard displays icons that access three pre-configured views.
Pre-configured Views
List           Displays all incidents in page format
Group Detail   Displays incidents graphically using two sort keys
Summary        Reports incident highlights arranged in a graphical framework
TIP: Customize each view type by sorting, grouping, or filtering incidents. The Incident Listing menu contains a
large number of sample views that you can add to by saving your own custom views.
Customizing the results dashboards
How dashboards are customized
Customizing the results dashboard allows expansion of the display area, listing of more
incidents, or display of additional attributes that are hidden by the default configuration.
TIP: Pull down the Incident Listing menu and select another view to change the default configuration quickly.
Adding rows to the dashboard
Use this task to view more than 25 rows of incidents on the dashboard.
NOTE: Viewing a large number of incident rows at one time (1,000 or more) could cause an HTTP REQUEST
timeout.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Select a number from the Incidents per page menu.
4. Click Apply.
Changing dashboard display space
Use this task to change incident display space on the dashboard by expanding or collapsing
dashboard panes.
TIP: To adjust the size of the navigation pane, drag the vertical rule to the desired location.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Double-click the expansion bar between panes to collapse the navigation pane.
3. Double-click the expansion bar to restore the navigation pane.
TIP: Drag the expansion bar to adjust the space used by each frame.
Configuring dashboard columns
Use this task to change the number of attributes reported per item by adding or removing
dashboard columns.
TIP: Try changing the view type (List, Group Detail, Summary) or views under Incident Listing before adding
columns. One of the views may already provide the framework you need.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Use the Add and Remove buttons to move Available columns to the Selected box.
4. Use Move buttons to move Selected column headers up or down.
TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.
TIP: If you add a column to display Thumbnail Match images, do not add rows. Moving 1,000 or more incident
rows at one time could cause an HTTP request timeout.
Displaying match strings
Use this task to add a Matchstrings row to the incidents dashboard.
TIP: Because Matchstrings use more space on your dashboard, you may prefer to view them using the Details
icon of each incident.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Select the Display Matchstring checkbox.
4. Click Apply.
Grouping and filtering incidents
How incidents are grouped and filtered
DLP Monitor captures all network data, though portions of traffic might be filtered out to improve
performance.
NOTE: You can set a capture filter to focus the capture engine on significant traffic.
Because each incident displayed on the DLP dashboard is supported by a huge collection of
database objects, a vast amount of data is available for viewing.
TIP: Click on a data cell to see how the dashboard uses attributes as sorting keys.
Because you can see and understand only a small percentage of those objects at one time, you
should try to filter incidents so that only the most significant attributes will be displayed.
Clearing filters
Use this task to clear any filters you have set.
CAUTION: When you finish using a filter, click Clear All; otherwise the filter stays in effect and hides all other results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Go to Filter by... .
3. Click Clear All.
4. Click Apply.
Filtering incidents
Use this task to eliminate irrelevant results that block significant data.
TIP: Before filtering, always define a time frame.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click any view type (List, Group Detail, or Summary).
TIP: You can filter incidents instantaneously by clicking on any cell. The dashboard will
immediately display all other incidents that contain the attribute that was selected.
3. Go to Filter by... .
4. Set the time frame filter.
5. Click the green plus sign to add a filter.
6. Set another data filter (for example, Content equals MSWord).
NOTE: You can type attributes into the value field, but it is easier to click "?" to launch a popup
menu.
7. Click Apply.
8. Add filters that will narrow the results further (for example, Filename equals <filename>).
9. Click Apply.
10. Click the Disk icon to save the configuration (optional).
NOTE: When you finish using a filter, click Clear All; otherwise the filter stays in effect and hides all other results.
Grouping incidents
Grouping narrows the dashboard to the categories that are relevant to you, which produces more focused results.
Use this task to select up to two group types that will provide a framework for your incidents.
TIP: Before grouping, always set a time frame filter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-at-Rest, Data-in-Motion, Data-in-Use).
3. Click Group Detail.
4. In the Group by... pane, select two categories that will act as your primary and secondary sort keys.
5. For each category, select the number of occurrences to display.
6. Click the disk icon to save the view (optional).
The workspace automatically adjusts to the configuration you define.
NOTE: When you finish using a filter, click Clear All; otherwise the filter stays in effect and hides all other results.
Setting a date and time for results
Because Monitor captures everything on your network, you must specify a general or specific
time frame to focus your results — but make sure you have data available for the period you
specify. If you select a date range before your systems started capturing data, you will not get
any results.
Use this task to find all results captured at a specific time or within a certain time frame.
NOTE: Time filters are associated with dashboard views. For example, if you select a view different from the
default Incident List, you can see the Timestamp and other filter settings change.
TIP: Keep the time setting constant by saving a Home View.
1. Go to Filter by... .
2. Select Timestamp (default).
3. Select a time frame from the Anytime menu.
TIP: Click "?" to select a Custom Date.
4. Click Apply.
NOTE: When you finish using a filter, click Clear All; otherwise the filter stays in effect and hides all other results.
Sorting results
How to sort results
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents to sort
incidents. Sorting allows you to set aside results that are not immediately relevant, but might be
significant at a later time.
TIP: Save a view or a report to track your changes.
Deleting incidents
Use this task to delete incidents that do not contain useful information.
NOTE: You can delete over 100,000 incidents from the capture database at one time.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select one or more checkboxes.
TIP: Click the box in the column header to Select All Results on Page if you want to delete more results.
3. Select Delete from the Actions menu.
4. Click OK to confirm, or Cancel.
TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for
deletion later.
Deleting similar incidents
Use this task to delete all incidents produced by a single rule, policy, or any other attribute.
NOTE: Using this method, you can delete over 100,000 incidents from the capture database at one time.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a category from the Group by... menu.
3. Select All Results or All on Page from the Actions menu.
4. Select Delete from the Actions menu.
5. Click OK to confirm, or Cancel.
TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for
deletion later.
Finding incidents that violated a policy
Use this task to find all incidents that violated a single policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select List or Summary.
3. Double-click any policy listed under Group by... .
The incidents that violated that policy will be displayed on the dashboard.
Sorting incidents by attribute
Use this task to sort incidents that contain common attributes (for example, the same recipient,
timestamp, severity, reviewer, etc.).
TIP: Select Columns and add more columns to display more attributes.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click the header of the column that contains the attribute you want to sort by.
The incidents will sort according to the attribute selected.
Changing settings
How settings are changed
Because DLP systems capture everything on the network (except traffic which is deliberately
filtered out using capture filters), you may find that you need to change the settings that
determine how many incidents are reported at once, and how they are delivered to the
dashboard.
For example, you might want to expand the number of incidents reported to the dashboard by
default, but avoid overburdening the system. You can experiment with different settings by
configuring throttling.
Similarly, you can comply with PII requirements by encrypting certain elements, but you can
manage the system resources that are being consumed while doing so.
Configuring throttling to limit incidents
Throttling limits reporting to between 1 and 9,999 incidents within a window of 10 to 3,600 seconds; incidents
beyond that limit within the window are not reported to the dashboard.
Throttling is enabled by default; to report all incidents, uncheck the Enable Throttling box.
Use this task to change the number of incidents found in a specific time frame.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings.
2. Under Configure Throttling Parameters, leave the Enable Throttling box checked.
3. Type in the maximum Number of Incidents to be reported.
4. Type in the maximum Time Duration in seconds.
5. Click Save.
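The two settings above can be reasoned about with the following model, added here as an example for readers of this guide; it is not McAfee code, and the guide does not describe the algorithm the appliance uses, so the sliding-window semantics, the class and function names, and the sample incident times are assumptions. It shows how many incidents in a burst a given Number of Incidents / Time Duration pair lets through and how many it suppresses.

```python
"""Sliding-window model of the incident throttle (added example, not product code)."""
from collections import deque
from typing import Deque, Iterable, Tuple

# Bounds the product guide gives for the two settings.
MIN_INCIDENTS, MAX_INCIDENTS = 1, 9999
MIN_SECONDS, MAX_SECONDS = 10, 3600


class IncidentThrottle:
    """Admit at most `max_incidents` in any `window_seconds`-long window (assumed semantics)."""

    def __init__(self, max_incidents: int, window_seconds: int, enabled: bool = True):
        if not MIN_INCIDENTS <= max_incidents <= MAX_INCIDENTS:
            raise ValueError(f"Number of Incidents must be {MIN_INCIDENTS}..{MAX_INCIDENTS}")
        if not MIN_SECONDS <= window_seconds <= MAX_SECONDS:
            raise ValueError(f"Time Duration must be {MIN_SECONDS}..{MAX_SECONDS} seconds")
        self.max_incidents = max_incidents
        self.window_seconds = window_seconds
        self.enabled = enabled
        self._reported: Deque[float] = deque()   # times of incidents reported inside the window
        self.suppressed = 0                      # incidents the cap kept off the dashboard

    def admit(self, ts: float) -> bool:
        """Return True if an incident at time `ts` is reported, False if it is throttled."""
        if not self.enabled:                     # Enable Throttling unchecked: report everything
            return True
        cutoff = ts - self.window_seconds
        while self._reported and self._reported[0] <= cutoff:
            self._reported.popleft()             # forget incidents that have left the window
        if len(self._reported) < self.max_incidents:
            self._reported.append(ts)
            return True
        self.suppressed += 1
        return False


def replay(throttle: IncidentThrottle, timestamps: Iterable[float]) -> Tuple[int, int]:
    """Feed a sequence of incident times through the throttle; return (reported, suppressed)."""
    reported = sum(1 for ts in sorted(timestamps) if throttle.admit(ts))
    return reported, throttle.suppressed


# Constructed burst (not real data): four incidents in the first 4 s, four more at 11..14 s.
SAMPLE_BURST = [0.0, 1.0, 2.0, 3.0, 11.0, 12.0, 13.0, 14.0]

if __name__ == "__main__":
    print(replay(IncidentThrottle(3, 10), SAMPLE_BURST))                 # capped
    print(replay(IncidentThrottle(3, 10, enabled=False), SAMPLE_BURST))  # everything reported
```

With a cap of 3 incidents per 10 seconds the sample burst loses two incidents, one in each half of the burst; those never reach the dashboard, which is the gap to weigh against the load saved when the cap is left enabled.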
Encrypting incidents
Use this task to ensure compliance with PII requirements.
When the encryption feature is enabled, two fields that might contain PII (the subject and the match string)
are encrypted before they are stored in the database and decrypted before they are displayed on the
dashboard.
NOTE: This feature is disabled by default to conserve resources.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings | Security
Settings.
2. Check the Sensitive Incident Data box to encrypt all incidents found.
3. Check the Encrypt Capture Data box to encrypt the entire capture database.
NOTE: Selecting this option might impede performance.
4. Click Save.
Preventing data loss
Protecting data with DLP Prevent, Discover, and Endpoint
McAfee DLP devices use three different mechanisms to prevent data loss. Actions taken depend
upon whether the violations are detected in network communications, network repositories and
databases, or at network endpoints.
● DLP Prevent evaluates email and webmail that has been forwarded from an MTA or proxy server, marks
messages that violate active rules with certain actions, and passes them back to the email or webmail server to
be enforced.
● DLP Discover supports remedial actions that can be taken when sensitive or registered content has been
detected in a network repository or database.
● Host DLP uses pre-programmed rules with specific actions that may be deployed on- or offline when violations
are found at endpoints.
Whether they are generated by Prevent, Discover, or Host DLP devices, Incidents and events on
DLP dashboards can be resolved manually or automatically. Users might apply actions directly
to incidents from the Actions menu, or pre-program rules to automatically trigger specific
actions.
Protecting data with DLP Prevent
How DLP Prevent protects data
DLP Prevent uses a rules evaluation mechanism with applied actions to provide automatic
resolution of problems found in email and webmail that is circulating on a network.
When a violation is found in network communications, an optional action rule is triggered to
neutralize or dispose of the incident.
NOTE: DLP Prevent must be deployed with an MTA or proxy server. Communications are forwarded over
SMTP or ICAP, depending on whether an email or web gateway is used.
When violations are found in network email, DLP Prevent might be used to do the following:
● block confidential data breaches
● encrypt authorized transmissions
● quarantine suspicious traffic
● bounce email that violates policies
● notify supervisory personnel
● record incidents in a system log
● allow email that is determined to be legitimate.
When violations are found in webmail, the full set of DLP Prevent actions is reduced to BLOCK and
ALLOW, because a web proxy can only block or allow a request.
TIP: Use DLP Prevent to capture network traffic for later forensic analysis, or to block the transmission of sensitive
data sent using specific protocols (for example, HTTP POST or SMTP).
Adding a DLP Prevent action rule
McAfee DLP 9.0 provides default action rules that can be applied to any rule, and they are used
by DLP Prevent to process violations in email communications.
Use this task to create a custom action rule, if one is needed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Actions menu under Data-in-Motion, select Add Action Rule.
3. Type in a name for the action rule.
4. Open Email Notification to alert one or more users when the action is triggered.
TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example,
##Filename found by the ##Rule violated the ##Policy and was quarantined.
5. Open Syslog Notification and select Enable to log the incident (optional).
6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
7. Open Incident Status to change the stage of resolution when the action takes place (recommended).
8. Select an action from the Data-in-Motion Prevent Action menu.
9. Click Save.
After you have created the action rule, apply it to one or more rules.
Applying a DLP Prevent action rule
DLP Prevent contains a set of international rules that are automatically applied to email
communications, and many of them already have default actions that are taken when the
rules hit.
If the correct action has not yet been applied, use the following task to add an action to a rule.
1. Go to Policies and click on a policy.
2. Click on a rule.
3. Click on the Actions tab.
4. Click on the Add Action plus sign.
5. Select the action from the Data-in-Motion list.
6. Click Save.
TIP: Wait for the edited rule to produce results, or create some traffic that will execute it. Then verify that the
action rule applied to the rule implements the correct action.
Types of DLP Prevent actions
Violations found by the DLP Monitor capture engine may be processed using one of the following
preventive actions.
Actions
● Allow
● Block
● Bounce
● Encrypt
● Monitor
● Notify
● Quarantine
● Redirect
Each action can be configured to automatically notify users that a preventive action has been
applied.
Each action can also be configured to place a record in a system log, assign the incident to one
or more reviewers, or apply a status that indicates its stage of resolution.
The role of DLP Prevent in a managed system
DLP Monitor is a passive component on the network, so the default preventive action has to be
set to ALLOW. This setting changes only if DLP Prevent is installed — preventive actions are not
supported without it.
If DLP Prevent is managed by DLP Manager, rules that are deployed to All Devices are directed
to DLP Prevent, but only if they contain preventive actions.
NOTE: If DLP Monitor, Discover and Endpoint devices are managed by DLP Manager, every rule can be
configured to deploy one action of each of the three incident types.
How DLP Prevent processes email
Use this task to understand the DLP Prevent process.
1. A host sends an email message to an email gateway.
2. The message is relayed to the smart host, which routes it to the DLP Prevent appliance.
3. On receiving the email, the DLP Prevent appliance compares it to existing rules.
4. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.
5. The DLP Prevent then sends the email back to the smart host, and it is relayed back to the email server.
6. Based on the action specified in the X-RCIS-Action header appended by the Prevent appliance, the message
is allowed, blocked, bounced, encrypted, monitored, quarantined or redirected.
7. Notification of the action is sent to the defined user.
Configuring DLP Prevent for email
When configured with an email gateway, DLP Prevent can monitor transmissions and apply
preventive actions to protect data in network communications.
Use this task to configure DLP Prevent.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.
2. Select the DLP Prevent appliance and click Configure.
3. Scroll down to the Smart Host section of the page and enter an IP address to which the email to be processed
will be routed.
NOTE: Host names are not supported; an IP address must be used. A smart host is configured only if
SMTP email is being processed, and configuring more than one is not supported.
4. If you configured a rule and you want email notification when the rule hits, you must add an email address. The
mail server sends notification to that address after the action is taken.
5. Click Send test mail to verify that the smart host connection is alive.
6. Click Update.
NOTE: Both MTA and proxy servers can be handled by one DLP Prevent system, but contact a McAfee Service
Representative to assure proper performance.
How DLP Prevent processes webmail
Use this task to understand the DLP Prevent webmail process.
1. A host sends a webmail message to a network address.
2. If a web proxy server is set up, it intercepts the message and routes it to the DLP Prevent appliance.
3. On receiving the email, the DLP Prevent appliance compares it to existing rules.
4. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.
5. The DLP Prevent then sends the webmail back to the proxy server, and it is either blocked or delivered to its
addressee.
NOTE: Although DLP Prevent supports block, bounce, encrypt, monitor, quarantine and redirect actions, proxy
servers can only BLOCK or ALLOW webmail.
6. Notification of the action is sent to the defined email address.
Configuring DLP Prevent for webmail
When configured with a web proxy server, DLP Prevent can monitor transmissions and identify
traffic to and from wikis, portals, blogs and other collaborative sites using HTTP and HTTPS
protocols.
Use this task to set DLP Prevent up to work with webmail.
1. Set up DLP Prevent to work with Bluecoat, McAfee Web Gateway (formerly Webwasher), or McAfee Email
Security Appliance.
McAfee Email Security Appliance is set to handle up to 30 concurrent SMTP connections — but Prevent
exceeds this limit. To get these two appliances to work together, you must modify the ESA configuration files.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.
3. Add the DLP Prevent device to DLP Manager.
4. Click on the configure link of the DLP Prevent.
5. Scroll down to the Email Setting fields and add an email address for notification.
NOTE: When traffic is monitored through a proxy server, no smart host is used: the proxy is already part of
the network path, so leave the Smart Host box empty when DLP Prevent is configured with a proxy server.
6. Click Update.
NOTE: If the proxy decrypts SSL traffic, webmail that was encrypted in transit is forwarded to DLP Prevent in the clear and becomes visible to incident reviewers during this process.
7. The web proxy server captures outgoing HTTP traffic (including webmail) and sends it to DLP Prevent over
ICAP (Internet Content Adaptation Protocol).
8. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.
9. If the action specified in the header is not ALLOW, the webmail is BLOCKED.
10. Notification of the action is sent to the defined user.
MTA requirements to inter-operate with Prevent
Whether or not a generic MTA can inter-operate with Prevent depends upon the capabilities of
the MTA in question. In what follows, we distinguish between the terms incoming/outgoing and
entering/leaving when discussing emails.
● By incoming and outgoing, we mean emails that are either being sent to or received from the outside world.
● By entering and leaving, we mean emails that are entering or leaving the MTA.
Any MTA that is expected to inter-operate with Prevent must comply with the following
requirements.
1. Must be capable of sending either all or a portion of outgoing traffic to the Prevent appliance. DLP Prevent is
not typically used to inspect incoming email. Examples of a requirement where only a portion of the traffic
needs to be scanned may be in environments where only traffic with attachments is to be scanned, or where
scanning is limited to traffic directed to public sites (for example, Yahoo).
2. Must be capable of inspecting email headers of messages entering the MTA.
3. Must be capable of taking actions based on specified match expressions for email headers. The header
received from Prevent is the X-RCIS-Action header, with one of the values ALLOW, BLOCK, QUART, ENCRYPT,
BOUNCE, REDIR or NOTIFY.
4. Based on entering port or some other metric, must be capable of distinguishing between all emails arriving
from the Prevent appliance, then applying header inspection and header-based action rules exclusively to
incoming email from Prevent.
5. Must be capable of ensuring that emails arriving from the Prevent appliance are not routed back to the Prevent
appliance. This can be done by using port- or source-IP-based mail routing, by checking whether an
X-RCIS-Action header already exists in an email scheduled to be routed to the Prevent appliance, or by some
other means.
6. Must be capable of implementing all of the Prevent-based actions. If the MTA does not have all of the required
capabilities, inter-operation is still possible — but in that case, the actions that can be set when rules are
created must be limited to those supported by the MTA.
7. Must be able to inter-operate with an email encryption appliance (if this capability is needed) and instruct the
encryption appliance to encrypt specific messages based on header information or other metrics.
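The email flow in How DLP Prevent processes email and the MTA requirements above can be exercised with the following script. It is an added example written for readers of this guide, not McAfee or MTA vendor code: the X-RCIS-Action header name and its seven values come from the guide, while the appliance address (192.0.2.10), the return port (10026), the MTA disposition chosen for each value, and the sample messages are constructed assumptions. The webmail path from How DLP Prevent processes webmail is covered by the second function, which collapses every verdict other than ALLOW to BLOCK.

```python
"""Post-Prevent dispatch for a generic MTA (added example, not product code)."""
from dataclasses import dataclass
from email import message_from_bytes, policy
from ipaddress import ip_address
from typing import Optional

HEADER = "X-RCIS-Action"
# Verdict values the product guide lists as set by DLP Prevent.
PREVENT_VERDICTS = {"ALLOW", "BLOCK", "QUART", "ENCRYPT", "BOUNCE", "REDIR", "NOTIFY"}

# Assumed: where mail returning from the appliance arrives (requirement 4 asks the
# MTA to tell Prevent's traffic apart by entering port or another metric).
PREVENT_IP = ip_address("192.0.2.10")
PREVENT_RETURN_PORT = 10026

# Assumed MTA disposition for each verdict; the guide names the verdicts but not
# how a particular MTA carries them out.
DISPOSITIONS = {
    "ALLOW":   ("deliver",    "policy permits delivery"),
    "NOTIFY":  ("deliver",    "deliver and notify supervisory personnel"),
    "BLOCK":   ("reject",     "policy violation"),
    "QUART":   ("quarantine", "held for reviewer"),
    "ENCRYPT": ("encrypt_gw", "hand to encryption appliance"),
    "BOUNCE":  ("bounce",     "return to sender"),
    "REDIR":   ("redirect",   "redirect to reviewer mailbox"),
}


@dataclass(frozen=True)
class Decision:
    route: str              # to_prevent | deliver | reject | quarantine | encrypt_gw | bounce | redirect
    verdict: Optional[str]  # X-RCIS-Action value acted on, if any
    reason: str
    message: bytes          # the message as it should leave the MTA


def dispatch(raw: bytes, src_ip: str, dst_port: int) -> Decision:
    """Decide what the MTA does with one message entering it."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_prevent = ip_address(src_ip) == PREVENT_IP and dst_port == PREVENT_RETURN_PORT
    verdicts = [v.strip().upper() for v in msg.get_all(HEADER, [])]

    if not from_prevent:
        # Requirement 5: mail that has not been inspected goes to Prevent exactly once.
        # Header presence is not trusted as proof of inspection, because the sending
        # host controls its own headers; a sender-supplied verdict is removed here.
        del msg[HEADER]   # removes every occurrence, no-op if absent
        note = f"not yet inspected; dropped {len(verdicts)} untrusted {HEADER} header(s)"
        return Decision("to_prevent", None, note, msg.as_bytes())

    # Returning from Prevent: act on exactly one recognised verdict, otherwise fail closed.
    if not verdicts:
        return Decision("quarantine", None, "returned from Prevent without a verdict", raw)
    if len(set(verdicts)) > 1:
        return Decision("quarantine", None, "conflicting verdicts: " + ", ".join(verdicts), raw)
    verdict = verdicts[0]
    if verdict not in PREVENT_VERDICTS:
        return Decision("quarantine", verdict, "unknown verdict", raw)
    route, reason = DISPOSITIONS[verdict]
    return Decision(route, verdict, reason, raw)


def webmail_disposition(verdict: Optional[str]) -> str:
    """Proxy path: a web proxy can only ALLOW or BLOCK, so every verdict other
    than ALLOW, including a missing one, collapses to BLOCK."""
    return "ALLOW" if (verdict or "").strip().upper() == "ALLOW" else "BLOCK"


# Constructed sample messages (not captured traffic).
OUTBOUND_SPOOFED = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
                    b"Subject: quarterly numbers\r\nX-RCIS-Action: ALLOW\r\n\r\n"
                    b"see attached\r\n")
RETURNED_BLOCK = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
                  b"Subject: quarterly numbers\r\nX-RCIS-Action: BLOCK\r\n\r\n"
                  b"see attached\r\n")
RETURNED_NO_VERDICT = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
                       b"Subject: quarterly numbers\r\n\r\nsee attached\r\n")

if __name__ == "__main__":
    for raw, ip, port in ((OUTBOUND_SPOOFED, "198.51.100.7", 25),
                          (RETURNED_BLOCK, "192.0.2.10", 10026),
                          (RETURNED_NO_VERDICT, "192.0.2.10", 10026)):
        d = dispatch(raw, ip, port)
        print(f"{d.route:11} verdict={d.verdict} ({d.reason})")
```

The decision treats source address and entering port (requirement 4) as the only proof that a message has been through Prevent, and strips any X-RCIS-Action header from mail that has not. Relying on header presence alone for loop prevention, the alternative requirement 5 permits, would let any sending host add X-RCIS-Action: ALLOW to its own outbound mail and skip inspection. A message that comes back from Prevent with no verdict, an unknown verdict, or conflicting verdicts is quarantined rather than delivered.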
Reviewing prevented violations
Use this task to see what preventive actions have been applied to an incident.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click List.
3. Select an incident and click its Details icon.
4. At the bottom of the Incident Details page, check for prevented actions.
Protecting data with DLP Discover
How DLP Discover protects data
DLP Discover remediation allows immediate resolution of problems found in a repository or
database.
When a violation is found, a Data-at-Rest action rule can be configured to prevent or correct the
situation that produced the incident.
NOTE: Remediation is part of the incident workflow, and any time incidents are wiped from the system,
remediated files will also be wiped.
When violations are found in Data-at-Rest, the remediation feature may be used to do the
following:
● Copy files containing violations to another location on the network
● Move files containing violations to another location on the network
● Password-protect files containing violations
● Delete files containing violations
Each of these actions also includes the capability to do the following:
● Notify users of violations found in scanned data
● Record violations found in scanned data in a system log
● Assign incidents to one or more reviewers
● Set a status that indicates the state of resolution
Remediation can be applied directly to incidents reported on the Data-at-Rest dashboard, or
pre-programmed by attaching an action rule to rules that produce incidents.
Adding a remedial action rule
Use this task to add a remedial action rule that will be applied in a Discover scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Select Add Action Rule from the Actions menu under Data-at-Rest.
3. Type a name for the action rule.
4. Open Email Notification to alert one or more users to the action.
TIP: You can use Dynamic Variables to inform users of the remedial action automatically. For example,
##Filename found by ##ScanOperation violated the ##Policy and was moved to <export location>.
5. Open Syslog Notification and select Enable to log the incident.
6. Open Incident Reviewer to assign a reviewer.
7. Open Incident Status to define its stage of resolution.
8. Open Remediation Policy and select the corrective action that is to be taken.
9. Click Save.
Types of remedial action
Violations found by a Discover scan may be processed using one of four remedial actions.
● Copy
● Move
● Encrypt
● Delete
Each action can be configured to automatically notify users that a remedial action has been
applied to a violation found in Data-at-Rest.
Each action can also be configured to place a record in a system log, assign the incident to one
or more reviewers, or apply a status that indicates its stage of resolution.
Applying a remedial action to a rule
Use this task to apply a remedial action to a rule that will be used in a Discover scan. If the rule
hits, the action defined in the rule will be taken.
NOTE: If Monitor and Discover devices are managed by DLP Manager, every rule can be configured to deploy
one action to each of the three incident types.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy defined in the scan.
3. Click on one of the rules.
4. Click on the Actions tab.
5. Click on the Add Action plus sign.
6. Select the remedial action from the Data-at-Rest menu.
7. Click Save. Repeat until all rules have the action applied.
TIP: Re-scan to produce updated results, then verify that the action rule applied to the rule implements the
correct remedial action.
Setting up a location for exported files
Before sensitive files found in a database or repository can be copied or moved, a folder must be
set up to receive them, and it must also be set up for sharing.
Use this task to set up and configure an export location.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Export Locations.
2. From the Actions menu, select New.
3. Name the Export Location.
NOTE: If the folder does not already exist, it is created.
4. Type the IP address/Host Name, Share Name and Directory Path in the appropriate boxes.
5. Select a type from the Repository Type drop-down list.
NOTE: Only Windows shares (CIFS) are supported.
6. Select a Credential to access the repository, or click New to create a new one using authentication parameters
of an existing account.
7. Click Test to verify read/write access to the repository. If the credential is correct but the test is negative, use
Windows Explorer to verify that sharing is enabled and read-write privilege has been granted.
8. In Microsoft Windows Explorer, right-click on the target folder and select Properties.
9. On the General tab, deselect the Read-only checkbox.
10. On the Sharing tab, select Share this folder.
11. Click OK.
12. Click Save, then re-test.
Copying discovered files
After defining an export location, use this task to copy a file found by a discovery scan to that
location.
NOTE:When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original
location to leave a record of the remedial process that has been applied.
1. Use the export location task to define a folder that will receive the file.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. Under Data-at-Rest, from the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Email Notification to alert one or more users when the action is triggered.
TIP: You can use Dynamic Variables to inform users of the remedial action automatically. For example,
##Filename found by the ##Rule violated the ##Policy and was copied to <export location>.
6. Open Syslog Notification and select Enable to log the incident (optional).
7. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
8. Open Incident Status to change the stage of resolution when the action takes place (recommended).
9. Open Remediation Policy and select Copy from the Action drop-down list.
10. Select the export location from the Destination drop-down list.
11. Click Save.
TIP: If you copy an incident from the dashboard, select its checkbox and select Remediate | Action | <copy
action rule> from the Actions menu. If an incident is to be copied when it is hit on by a rule, add the <copy
action rule> to the rule and click Save, then start a Discover scan that applies the rule containing the action
rule.
Deleting discovered files
Use this task to delete a file found during a discovery scan. Deleted files cannot be
recovered.
NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original
location to leave a record of the remedial process that has been applied.
1. Check the permissions of the file to be deleted.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. From the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Remediation Policy and select Delete from the Action drop-down list.
6. If you have read and understood the Warning, select the I Accept checkbox.
NOTE: The action can be completed only if there is no conflicting instruction in the rule to which the action rule
is attached.
7. Add File Marker Text as appropriate.
TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable
on the drop-down list. For example, ##Filename found by ##ScanOperation violated ##Policy and was deleted.
8. Click Save.
9. Apply the new action rule to one or more rules.
10. Go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration. The Scan Operations
page is displayed.
11. Select a scan.
12. From the Actions menu, select Rescan.
13. Check results to verify that the file gets deleted.
Encrypting discovered files
Use this task to password-protect a file found by a discovery scan.
NOTE:When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original
location to leave a record of the remedial process that has been applied.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Under Data-at-Rest, from the Actions menu, select Add Action Rule.
3. Type a name for the action rule.
4. Open Email Notification to alert one or more users when the action is triggered.
TIP: You can use Dynamic Variables to inform users of the remedial action automatically. For example,
##Filename found by the ##Rule violated the ##Policy and was password-protected.
5. Open Syslog Notification and select Enable to log the incident (optional).
6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
7. Open Incident Status to change the stage of resolution when the action takes place (recommended).
8. Open Remediation Policy and select Encrypt from the Action drop-down list.
9. Type in a password and confirm it.
10. Add File Marker Text as appropriate.
TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on
the drop-down list. For example, ##Filename found by ##ScanOperation violated the ##Policy and was
password-protected. Consult <administrator> for more information.
11. Click Save.
TIP: If you encrypt an incident from the dashboard, select its checkbox and select Remediate | Action | <encrypt
action rule> from the Actions menu. If you want an incident to trigger encryption, add the <encrypt action rule> to
the rule and click Save, then start a discovery scan that applies the rule containing the action rule.
Moving discovered files
After defining an export location, use this task to move a file found by a discovery scan to that
location.
NOTE:When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original
location to leave a record of the remedial process that has been applied.
1. Use the export location task to define a folder that will receive the file.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. Under Data-at-Rest, from the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Email Notification to alert one or more users when the action is triggered.
TIP: You can use Dynamic Variables to inform users of the remedial action automatically. For example,
##Filename found by the ##Rule violated the ##Policy and was moved to <export location>.
6. Open Syslog Notification and select Enable to log the incident (optional).
7. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
8. Open Incident Status to change the stage of resolution when the action takes place (recommended).
9. Open Remediation Policy and select Move from the Action drop-down list.
10. Select the export location from the Destination drop-down list.
TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on
the drop-down list. This informs users of the relocation automatically. For example, ##Filename found by
##ScanOperation violated the ##Policy and was moved to <export location>.
11. Click Save.
TIP: If you relocate an incident from the dashboard, select its checkbox and select Remediate | Action | <move
action rule> from the Actions menu. If you want an incident to trigger a move, add the <move action rule> to the
rule and click Save, then start a discovery scan that applies the rule containing the action rule.
Reverting remediated files
Use this task to reverse a remedial action that has been applied to a file that was found during a
discovery scan.
NOTE: Deleted incidents cannot be reverted or recovered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Check one or more incident boxes.
3. Click on the Actions menu, and select Remediate | Revert.
4. Click OK to confirm, or Cancel.
5. Verify that the action has been reverted by rescanning (optional).
Reviewing remedial actions
Use this task to see what remedial actions have been applied to an incident.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select Data-at-Rest from the display thumbwheel.
3. Click an incident to display the DLP Incident Details page. Any remedial actions are listed.
TIP: Click Columns to add the three Rem columns to the dashboard.
Adding columns to display remedial actions
Use this task to configure the Incidents | Data-at-Rest page to display the remedial actions that
have been applied to a file.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.
2. Click Incidents, then select Data-at-Rest from the display thumbwheel.
3. Click Columns.
4. On the Table Columns page, scroll down the Available list of columns.
5. Select one or more of the Remediation column headers.
● RemActionRule
● RemActionType
● RemTaskStatus
6. Click Add to move the column headers to the Selected list.
TIP: To move column headers out of the Selected list, select them, then click Remove.
7. Click the Move buttons to rearrange the placement of column headers.
8. Click Apply.
Protecting data with Host DLP (Endpoint)
Adding an Endpoint action rule
Endpoint action rules contain elements that are used in rules supported by the Host DLP product
— but in this release, they can also include network parameters. However, the endpoint
parameters used in the rule must be enabled before they can be used.
Use this task to create an action rule that can be added to any network rule containing an
Endpoint parameter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Data-in-Use Actions menu, select Add Action Rule.
3. Type a name for the action rule. Typing a description is optional.
4. Select one or more actions to be taken when a protected endpoint is detected.
● If the endpoint data detected is to be encrypted, provide an encryption key. Consult the updated Endpoint
Encryption for Files and Folders 4.0 Product Guide for more information.
● If the data detected is significant, select a Severity from the drop-down list.
● If users are to be notified when endpoint data is detected, type in a message. Typing in link text or a URL is
optional.
5. Select a Data-in-Use Policy Action.
6. Select from the available actions.
NOTE: Endpoint actions can be taken if the detected device is online or offline. Select one or both.
7. Click Save.
After you have created the endpoint action rule, apply it to one or more rules.
Applying an action to a rule with Endpoint parameters
Endpoint action rules are defined in the same way as DLP Prevent and DLP Discover action
rules, but if protection rules are to employ those actions, they must first be enabled (after
selecting them from a rule's Endpoint menu).
NOTE: You can add one of the existing Endpoint action rules to the unified rule, or configure an action
containing one or more of the Data-in-Use actions. Any rule can contain actions based on moving traffic or
static files, as well as endpoint reactions.
Because all parameters in a rule may have actions added, many different combinations are
possible. If an action is needed in a rule containing Endpoint parameters, use this task to add
one.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies and click on a rule that has one or
more Endpoint parameters.
2. Click on the Actions tab and select Add Action.
3. Select one or more Data-in-Use actions to be taken when a protected endpoint is detected.
4. Click Save.
How Host DLP protects data
Host DLP 9.0 protection rules have reactions defined by default, but in the unified release,
actions are optional, and they can be pre-programmed in the same way as DLP Prevent and
Discover. But rules containing Endpoint protection parameters are disabled by default, and
reactions fire only if they are enabled.
Endpoint protection rules cover clipboards, local printers, PDFs and image writers, removable
media, and screen captures — and by combining them with network parameters, massive
amounts of data that needs protection can be precisely defined.
In addition, Host DLP allows targeting of specific network paths and shares, printers, file and
encryption types, making it possible to protect a wide range of network endpoint types.
When any of these targets is compromised, a violation is generated and reported to Data-in-Use
dashboards on ePO or DLP Manager.
If an Endpoint action rule has been pre-defined, an action is triggered when a violation is found.
If not, the Actions menu provides many other ways to resolve problems that are reported to the
dashboards.
Types of DLP Endpoint actions
Events found on an endpoint by McAfee Agent may be processed using one of nine preventive
actions.
Actions
● Block
● Delete
● Encrypt
● Monitor
● Notify User
● Quarantine
● Request Justification
● Store Evidence
● Tag
Each of these actions can be applied to endpoints whether on- or offline.
Protecting endpoint data
Host DLP: Integrated into Network DLP
In this release, Host DLP has been redesigned and embedded in Network DLP. With this addition, Network DLP
has been extended to protect enterprises from the risk associated with unauthorized transfer of data to
unsecured endpoints. In addition, network file systems and shares can now be protected using both host and
network products.
The new Host DLP product interface is now known as Endpoint protection and configuration.
Events are identified by McAfee Agent and displayed through a Host DLP server on the ePO and
DLP Data-in-Use dashboards.
For example, data that has been moved, copied, printed or screen-captured from a laptop or
desktop to another device or location is monitored and controlled.
Endpoints that are protected include desktops, laptops, removable media, and printers.
How Host DLP extends network results
With the addition of Host DLP 9.0, significant host events are reported along with network incidents. Like
Network DLP, when violations are found, actions that prevent the misuse of sensitive data fire automatically.
Because each host event can be embedded in a network rule, additional network parameters
can be added. For example, content, protocols, time definitions, and file and location parameters
may amplify the information available for each host event.
This is done by constructing network-oriented rules that include endpoint definitions. Open any
rule and pull down the Endpoint menu to select one or more of the Host DLP protection rules.
Then use the menu choices under other categories to add attributes that will produce more
relevant hits — on or off the network.
NOTE: If your DLP Manager is configured with McAfee Logon Collector and an Active Directory server,
endpoint protection can be extended to directory servers managing users all over the world.
How Network DLP protects endpoints
Host DLP protects endpoints by using the McAfee DLP Agent, which resides on hosts, to administer and enforce
the global Host DLP policy. Network DLP works with the Agent through Host DLP by adding host parameters to
existing network rules and policies.
When a significant event is detected by one of the integrated host protection rules, it is reported
to the Data-in-Use dashboards through DLP Manager. When a rule hits, reactions that are
associated with Host DLP rules are deployed.
Creating Agent Override Passwords
After McAfee Agent reports an event, an agent override key must be used to reverse any of its actions. An
Agent Override Password must therefore be set before starting any network tasks related to DLP Host.
For example, a key must be used to unblock quarantined files, unlock and decrypt encrypted
files, request justification for blocked actions, or work around any other events that have been
generated by the McAfee Agent.
Use this task to set an agent override password.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.
2. Click Endpoint Configuration, then Agent Override Password.
3. Type in and confirm a password.
4. Click Submit.
Agent events that cannot be reported
Some of the events detected by McAfee Agent cannot be reported to DLP dashboards. For example, the
Incident Details page cannot identify content, content type, or the evidence server that generated the event.
None of the following events can be reported to DLP Manager.
● Agent enters bypass mode
● Agent leaves bypass mode
● User returned from Safe Mode
● Device plugged in
● New device class found
Viewing endpoint events
Events that are generated by DLP agents at endpoints are stored in the ePO database, which is accessed
through DLP Manager. They can be viewed on the Incidents dashboard on the Network DLP Data-in-Use
dashboard, and a summary of those events is also displayed on ePO's main dashboard.
NOTE: If you cannot see endpoint event details, you might not have the right permissions set. Contact your
administrator.
Use this task to view endpoint events on ePO.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.
2. Click Incidents.
3. Select the Data-in-Use vector.
4. Click List.
5. Select a view from the Incident Listing menu.
6. Click a Details icon.
7. On the Incident Details page, click any available link.
If you select a document link, it will launch if the supporting software is installed. If
there is another link inside the document, it is likely to be the database object that
triggered the incident.
8. Click any tab on the Incidents Details page to get additional information.
TIP: The columns configured on the dashboard determine the attributes displayed on the Incident Details
page. Add or subtract columns by clicking the Columns button on the Incidents dashboard.
Types of endpoint events
Host DLP events are generated by the McAfee DLP Agent, which is deployed by the Host DLP Monitor, and
any significant events found are displayed through the DLP Manager.
Problems identified by the McAfee Agent might include critical system events, rule violations, or
events associated with a particular user or computer. The roles users play in an organization
determine what types of events they are allowed to view.
The events displayed may also include registered and classified content that has been tagged
for protection purposes, disallowed user actions, access violations, or detection of a controlled
element.
Events can be filtered by general, administrative, or outgoing conditions. For example, an
administrative event may indicate that an agent or policy state has changed, and an outgoing
event may be generated when protected data is in motion.
Managing endpoints
The DLP 9.0 system must be set up to record incidents and events to the Host and Network DLP databases
through DLP Manager. Because existing Host DLP operations must not be affected, the default configuration is
to allow them.
As long as device control, application tagging, and rights management features are not needed,
you can manage endpoints with Network DLP. This is done by creating a global policy to enable
all of the supported Host DLP features.
The policy for host operations must be created on the DLP Sysconfig | Endpoint Configuration |
Manage Endpoints page. Its rule definitions are updated on the Host DLP extension every 30
seconds by default, but a different interval can be defined by editing the Time Duration for
Posting Policy Definition setting.
After the policy is generated, it is posted from DLP Manager to ePO, saved in the ePO database,
forwarded to the connected agents, and updated at the defined interval.
NOTE: If you don't check the Generate Policy for Endpoint box, incidents found by the existing policies are
sent to the Network DLP databases and reported to the Data-in-Motion dashboard. If the box is checked,
incidents and events will be sent to both Host and Network DLP databases, and reported to both Data-in-Use
and Data-in-Motion dashboards.
How Host and Network policies differ
Rule definitions for Host DLP are all consolidated within a single global policy definition, so there is only one
global policy that supports multiple rules. Network DLP, however, is designed around an international
collection of unified policies, and all Host rules are accommodated within that system.
The systems are merged by adding an Endpoint category to every rule of every policy. When
that category is opened on the Add or Edit Rule page, a menu listing all Host DLP rules is
displayed. One or more can be selected to add specific endpoints to the parameters of any rule.
For example, existing privacy policies that have been deployed on a DLP Monitor can be
configured to identify violations not only in network traffic, but on specific endpoints.
Multiple endpoints can be added to a rule as a group by creating a template, then selecting it
from the menu before saving the rule. Adding frequently-used collections of endpoints to a rule
increases its efficiency and scope.
How Host DLP rules are mapped to Network DLP
Network DLP rules are organized under sets of policies that may have multiple owners. To preserve this
hierarchy, Host DLP rules feed into this structure by becoming an attribute, or rule type.
The merged structure then becomes
<policy owner> | <policy> | <rule> | <rule type>.
Adding endpoints to existing network rules
Use this task to add a DLP Host endpoint parameter to an existing rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click a policy to open it for editing.
3. Click the rule to which you are adding endpoint parameters.
4. Open Endpoint.
5. Select an endpoint rule and define it. If it is a protection rule, click "?"; select Enable and Apply.
6. Click the Actions tab, then Add Action.
7. Select a suitable action from the Data-in-Use section.
8. Click Save.
9. Click Save.
Limitations of rules with Endpoint parameters
If a rule contains attributes that are supported by Network DLP, but not Host DLP, the rule will not produce
accurate results.
Unsupported DLP Network Parameters
● Email address sender variants
● Email subjects
● GeoIP locations
● User city
● User country
● File size
● Keyword expressions
● Complex Boolean algebra
Excluding printers from protection rules
Before you use printer protection rules, you should whitelist any printers that need not be monitored.
Identify the printers that do not require protection by going to Menu | Data Loss Prevention |
DLP Sys Config, and open the Endpoint Configuration | Unmanaged Printer Models page.
You can type printer paths and names directly into the Printer Model field, but if you have added
Active Directory servers to DLP Manager, you can click "?" and select them from an existing
Directory Server list.
Assigning Host DLP incidents to cases
All events reported on Data-in-Use dashboards can be assigned to cases if further investigation is warranted.
They might even be assigned to the same cases as Data-at-Rest and Data-in-Motion incidents.
NOTE: If an error is encountered while assigning incidents to a case (for example, the object cannot be fetched
from the evidence share), a message launches indicating that the failed incidents must be reassigned to the
case.
Searching endpoint data
Endpoint data can be identified if it is tagged or registered, and user activities can be monitored and controlled
to prevent compromise of sensitive data.
But because it is not indexed, endpoint data cannot be searched.
Limitations of this release
If you have to implement device control, application tagging, or digital rights management features of Host
DLP, you cannot also use Network DLP.
● Device control prevents unauthorized use of removable media (including USB drives), iPods, Bluetooth
devices, CDs, and DVDs.
● Application-based tagging rules are used to monitor or block files created by applications.
● Digital rights management controls use of digital content not authorized by the content provider.
Discovering data at risk
Introducing McAfee DLP Discover
DLP Discover scans document or database repositories on network or managed client (host) computers to
identify and protect sensitive data.
Crawling is implemented by scan tasks, which find, fetch, and analyze sensitive content.
Depending on the type of scan used, files found may be listed, registered, or evaluated and
protected, producing incidents and violations.
Setting up Discover
Configuring DLP Discover
Before DLP Discover can be configured to work in cooperation with other DLP appliances, you must prepare it
to run in managed mode, register it to DLP Manager and ePO, and configure policies to find incidents in data at
rest.
Users who are tasked with registering documents and running scans must be given permission
to do so. See Setting Discover scan permissions.
Adding Discover to Manager
Use this task to integrate the DLP Discover appliance into the DLP system.
NOTE: Because registering wipes the current configuration, you must recreate any scan tasks manually.
If you are upgrading from a standalone DLP Discover, you cannot register it to DLP Manager if any registration
task is in Running state. Wait for the task to finish, or stop it manually.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. From the Actions menu, select New Device.
3. Fill in the blank fields. The database port and ePO UI port are predefined, and should not normally be
changed. If you are adding a DLP Host server, check the box.
4. Click Add.
5. Click OK to confirm.
6. Wait for the Status icon in the device list to turn green. If registration seems to be taking a long time, try
refreshing the page.
If the Status icon changes to a Critical or Unknown state, you might have to overwrite an old configuration or re-
synchronize the systems. Deregister the machine, then reregister it.
Preparing Discover for managed mode
Because registering Discover to DLP Manager wipes its configuration, take notes so you can
recreate all user-defined elements.
NOTE: Only captured data and incidents are retained after the Discover device is added to DLP Manager.
User-defined elements
● Scan tasks
● Schedules
● Credentials
● Scan statistics
● Export locations
● Users and user preferences
● Custom rules and policies.
Contact McAfee Professional Services if you need assistance.
Republishing Discover policies
Use this task to publish policies to Discover after it has been registered to DLP Manager.
This process copies policies, rules, concepts, and content capture filters to Discover.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy that will be used by Discover.
3. Select a rule in the policy.
4. Select the Discover Devices checkbox.
5. Repeat for each rule that is to be used.
6. Click Save.
Setting Discover registration permissions
Use this task to assign privileges to register documents.
NOTE: You must have administrative permission to make these changes.
Document Registration Permissions
● Web Upload: Upload documents or structured data to be registered; no deletion or de-registration rights;
view user's own registered documents
● Manage Uploaded Documents: Upload documents or structured data to be registered; view and manage
documents uploaded by all users; delete and deregister uploaded files; update and delete excluded text
● Discover Registration: Register documents or structured data.
NOTE: If group permissions are modified, all members will have to log out and relogin.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration |
Groups.
2. Click the Details icon of a group.
3. Select the Task Permissions tab.
4. Open Discover Registration Permissions.
5. Select one or more permissions checkboxes.
6. Click Apply.
Setting Discover scan permissions
Use this task to assign privileges to users who will be using Discover.
NOTE: You must have administrative permission to make these changes.
Discover Scan Permissions
● Manage Schedules: Create, edit and delete schedules
● Manage Credentials: Create, view, edit and delete credentials
● Manage Scans: Create, view, edit, activate, deactivate and delete scans; register documents; view and
export scan statistics, history and registered files; add and view excluded text
● Control Scans: Create new actions, view, start, stop, re-scan, and clone tasks; View and export scan
statistics, history and registered files; add and view excluded text
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration |
Groups.
2. Click the Details icon of a group.
3. Select the Task Permissions tab.
4. Open Discover Scan Permissions.
5. Select one or more permissions checkboxes.
6. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required for DLP Discover users to see the
Incidents dashboard.
Task status messages
Status messages indicate anomalies or updates that may respond to remedial actions.
Status message: Resource Missing
Definition: The path does not exist, or the file may be missing. It was found during the investigation phase (indexing) but is missing during the crawling phase.
Remedy: Check on the repository to see if it is really missing. If not, restart the scan.
Status message: Configuration Error
Definition: The task database may have been corrupted.
Remedy: Recreate the task. Call McAfee Technical Support if that does not resolve the problem.
Status message: Connection timed out - Incomplete Listing
Definition: Cannot connect to the repository while the investigation phase is in progress.
Remedy: Wait for a while, then try again.
Status message: Complete
Definition: The scan is complete.
Remedy: None required.
Status message: Incomplete
Definition: The scan is incomplete, probably due to a network error. The repository may have become unavailable.
Remedy: Reconnect and restart the scan.
Status message: Incomplete Listing
Definition: The node is down, there was a network failure, credentials were changed between tasks, or the server is busy.
Remedy: Wait for a while, then rescan.
Status message: Server stopped responding
Definition: The server is busy.
Remedy: Wait for a while, then resume the task.
Status message: Task Terminated
Definition: The Stop action was applied to the scan operation, the task stopped according to schedule, or it was killed by some extraneous means (for example, a system crash or health check).
Remedy: Wait for a while, then rescan.
Status message: Task Terminated - Incomplete Listing
Definition: The task stopped (or its scheduled end time arrived) during the investigation phase.
Remedy: Restart the task.
Status message: Waiting - crawlers busy
Definition: The system has reached the maximum limit.
Remedy: The task will continue when the system is free.
System status messages
Status messages indicate anomalies or updates that may respond to remedial actions.
Status message: Connection Timed Out
Definition: The repository is busy, too many connections have been made to the repository, or the network is down.
Remedy: Wait for the network or repository to idle, then restart the scan.
Status message: Account is locked
Definition: The account (username) is locked.
Remedy: Provide a valid account, or contact the administrator of the repository.
Status message: Authentication Failed
Definition: An incorrect credential has been entered.
Remedy: Check the user name, password and domain in the credential, or try another one.
Status message: Authentication OK
Definition: Authentication was successful.
Remedy: None required.
Status message: Permission Denied
Definition: Although authentication was successful, you do not have the privilege needed to use the resource.
Remedy: Contact your administrator.
Status message: Do not have permission to update last access time on repository
Definition: Permission to access the repository is needed.
Remedy: Supply the correct credentials (read/write access) and restart the task.
Status message: Share (or Shares) Inaccessible
Definition: A share may be inaccessible because of insufficient user privilege, or because the share is being used exclusively by another process.
Remedy: Go to the Filters tab and try to browse to the share.
Status message: Socket Communication Failure
Definition: Could not establish a socket connection to the database.
Remedy: Verify the IP address and port, then restart.
Status message: Unknown
Definition: This error is rare, but may be related to a configuration error.
Remedy: Call Technical Support if the error persists.
Status message: Unknown database
Definition: The login database given was wrong.
Remedy: Provide the correct login database, then restart.
Status message: Unsupported database version
Definition: The database version on the repository is not supported.
Remedy: Check the documentation for supported versions.
Registering sensitive content
Registering documents or structured data
Registered documents are indexed files. During a Registration scan, algorithms generate
signatures according to defined criteria that identify the text in the documents. They are used by
rules and policies to identify sensitive content.
The signatures are stored in the DocReg or DBReg system attributes for network scans. For host
scans, the signatures are stored in registered document packages that are deployed to the host
computers.
There are four ways to register content:
● Scanning network devices
● Embedding the DocReg or DBReg attribute in network rules
● Uploading individual files or databases
● Scanning the endpoint and deploying the signature package to the DLP Agent.
Crawling a repository using a Registration scan is the most efficient way to create unique
signatures for many at-risk documents. The scan can be set to run at regularly scheduled times,
or it may be started manually.
How signatures register data
Signatures that identify sensitive data are generated by complex algorithms during registration.
The registration process runs whenever a document is uploaded to Discover, or when a
Registration scan runs on a designated file system.
Each protected document may contain hundreds of overlapping signatures, which are
expressed as hexadecimal numbers. The density, or fidelity, of the signature tiling depends on
the level of detection you need.
Managing registered documents
Use these tasks to manage registered documents.
There are two ways of registering sensitive document or structured data.
● Use Web Upload under DLP Policies | Registered Documents to register single documents or objects.
● Use Data Registration to register groups of documents or database tables.
TIP: All signatures generated by these methods are stored in the DocReg or DBReg system attributes. Embed
the DocReg concept in a rule to find registered data on a regular basis, or run an ad hoc query by selecting it
from a popup menu.
Registering documents by uploading
Use this task to register documents on network repositories one at a time.
NOTE: If you want to upload a CSV (comma-separated values) file larger than 100 MB, compress the data file
(zip, jar, gzip, tar, etc.) before uploading. The Network DLP device caps the size of files uploaded from
browsers at 100 MB, but a larger data file can easily be compressed into an archive smaller than 100 MB. The
DLP server does not impose any size limits on files after they are uploaded and uncompressed.
NOTE: If you use DLP Manager to upload a document, it will automatically be registered on all managed
devices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Web
Upload.
2. From the Actions menu, select Upload New File.
3. Browse to the file you want to register.
The file to be registered cannot be over 10 MB.
4. Select the policy and rule you want to use to detect the document.
Example
If your goal is to protect design documents, you might select the High Technology Industry IP policy
and the Design Documents Emailed to Competition rule.
5. Click Save or Save, Upload Another.
When you click Save, the signature of the document is added to the DocReg attribute. All web uploaded
documents are collected in the DocReg concept; they are treated as a group, not registered individually.
NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after
clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will
not be recorded when using that browser.
Uploading complete paths with Firefox
Use this task to determine the complete path to the uploaded file when using Mozilla Firefox
3.5.x. Other browsers do not require reconfiguration.
1. Type about:config in the Firefox address bar.
2. Click the button acknowledging the warning.
3. Double-click signed.applets.codebase_principal_support.
4. Close and re-open Firefox.
5. Upload a file.
6. Click Allow on the Internet Security popup.
Excluding text from registration
Use this task to register text that should be ignored by a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents |
Excluded Text.
2. From the Actions menu, select New Text.
3. Open the document containing the text to be excluded.
4. Cut and paste the text into the Text to Exclude box.
5. Click Save.
TIP: You can also exclude text by tuning rules or identifying incidents as false positives.
Searching with the DocReg concept
Use this task to search for documents that have been registered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search and
open Content.
2. Select Concept from the first drop-down list, and is any of from the second.
3. Type DocReg in the text box.
4. Select the search results threshold from the drop-down list, then click Search.
NOTE: You can embed the DocReg concept in a rule to regularly match its signatures to data-at-rest or data-in-
motion on the network.
Adding the DocReg concept to a rule
Use this task to add the DocReg concept to a rule.
You can add up to two scan tasks to a rule, but only one of each type (Data-in-Motion or Data at
Rest). The definition of the rule determines which type is targeted.
TIP: If you add a scan operation to a rule after the DocReg concept is added, you can restrict the incidents
reported to a specific task by clicking "?" and selecting it from the popup menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy, then select a rule to open it.
3. On the Define tab, select Content.
4. Click the plus icon to add an element.
5. In the new element, select Concept from the first drop-down list, and is any of from the second.
6. Click "?", then open Corporate Confidential and select DocReg. This instructs the rule to match all existing
signatures to the content you defined.
7. Click Save.
TIP: Alternatively, click Save as Rule to open a rule definition page. Adding this rule to a policy allows you to
use the DocReg concept to identify sensitive documents automatically whenever that policy is used to find
incidents.
Example
If DocReg is added to the PII rule Social Security Number in Documents, it will find signatures only
in stationary documents.
If DocReg is added to Social Security Number in Email and Instant Messaging Conversations, it
will find signatures only in streaming network data.
TIP: If a Registration task is used with the DocReg concept, the rule will also be evaluated by any Discover
scan that uses its policy. You must manually configure the rule to include the DocReg concept if you want to
register the same document across multiple rules.
Setting signature types
The density of signatures generated during registration is determined by the signature type
selected when a Registration scan is configured.
NOTE: Only High Granularity signature types are generated for Web Uploaded documents.
High granularity
High granularity signatures provide full plagiarism detection and protection by generating
overlapping tiles over every bit of text. The original document can be identified, even if words are
transposed or the contents differ by a couple of lines of text.
If this signature type is used, a percentage of matching signatures can be detected.
Medium granularity
Medium granularity signatures provide basic plagiarism detection and protection by generating
tiles over every eighth word. The original document can be identified even if the contents differ by a
couple of pages of text.
Low granularity
Low granularity signatures include a single compact digital signature for each document
registered. Exact copies of the file can be detected.
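The following Python example, added here and not part of the McAfee product or this guide, models the three signature densities just described: overlapping tiles over every word for high granularity, a tile starting at every eighth word for medium, and one digest per document for low. The tile width of four words, the use of SHA-256 and the sample documents are assumptions.

```python
import hashlib
import re

# Added example, not McAfee's implementation: a minimal model of the three
# signature densities. Tile sizes (4 words for high, 8 for medium) and the
# SHA-256 digest are assumptions chosen for illustration.

HIGH_TILE = 4      # assumed window size for overlapping tiles
MEDIUM_TILE = 8    # page text: a tile over every eighth word


def tokenize(text):
    """Lower-case word tokens; punctuation and spacing do not affect signatures."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _digest(words):
    """Compact signature of one tile (or of a whole document)."""
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()[:16]


def tile_signatures(words, tile, step):
    """Signatures of every `tile`-word window starting at multiples of `step`.

    step == 1 gives overlapping tiles over every word (high granularity);
    step == tile gives one tile per eighth word (medium granularity).
    A document shorter than one tile yields a single signature.
    """
    last_start = len(words) - tile
    if last_start < 0:
        return {_digest(words)}
    return {_digest(words[i:i + tile]) for i in range(0, last_start + 1, step)}


def register(text):
    """Generate all three signature sets for a document being registered."""
    words = tokenize(text)
    return {
        "high": tile_signatures(words, HIGH_TILE, 1),
        "medium": tile_signatures(words, MEDIUM_TILE, MEDIUM_TILE),
        "low": {_digest(words)},          # one compact signature per document
    }


def match_percent(registered, candidate):
    """Share of the registered document's signatures found in the candidate."""
    return 100.0 * len(registered & candidate) / len(registered)


def detect(registered_text, candidate_text):
    """Percentage of matching signatures at each granularity."""
    reg, cand = register(registered_text), register(candidate_text)
    return {level: match_percent(reg[level], cand[level]) for level in reg}


# Constructed sample: a registered document, a copy with two words transposed,
# and a copy that differs by an extra line of text.
REGISTERED = ("The quarterly revenue forecast for the northern region is attached. "
              "Distribution is restricted to the finance steering committee only.")
TRANSPOSED = REGISTERED.replace("revenue forecast", "forecast revenue")
EXTENDED = REGISTERED + " Please shred printed copies after the meeting."

if __name__ == "__main__":
    for name, text in (("exact copy", REGISTERED), ("transposed", TRANSPOSED),
                       ("extra line", EXTENDED)):
        # High granularity still matches both altered copies; low matches
        # only the exact copy, as the guide describes.
        print(name, detect(REGISTERED, text))
```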
How signatures are shared with managed systems
When Discover and Monitor are in communication through DLP Manager, the registration
records produced on a Discover system are automatically shared with the Monitor signature
agents.
When signatures are shared, protection for content that has been identified in data at rest is
extended to data in motion on the network.
NOTE: Signatures are automatically transferred from Discover to any managed Monitor when a registration
scan is run. Rescanning is not necessary.
Managing signature generation memory
Generating signatures consumes memory resources; one gigabyte is available for the process.
The signature type defines the amount of memory used.
NOTE: In general, the larger the signature set, the more memory used while completing a registration task. For
example, a high granularity signature that provides full plagiarism detection consumes more resources than a
low granularity signature, which detects only documents that are identical to the one registered.
Deregistering content
Use this task to keep registered documents or objects from being identified again by any scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration.
A list of registered items is displayed.
2. From the Actions menu, select Unregister. When this is done, the registration crawler will exclude the
document or object from future registration.
Reregistering content
Use this task to re-register documents or objects that have been deregistered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration. A list of
unregistered items is displayed.
2. From the Actions menu, select Reregister. When this is done, the registration crawler will restore the
registered document or object.
Crawling databases
Protecting sensitive database content
McAfee DLP Discover can crawl databases to protect known sensitive content or determine if
files that violate confidentiality are stored, then return the results of the crawl. You can drill down
to the catalog, schema, table, and column level with a scan, just as you can scan for
data at specific levels of a file system hierarchy.
There are three ways to register database content:
● Run a registration scan on network devices or storage
● Embed the DBReg attribute in network rules
● Upload individual files or databases
NOTE: The structured data found can be saved to your desktop and uploaded, so that it can be used in
subsequent scans.
Different database vendors support different object hierarchies, and terminologies can differ from
vendor to vendor.
NOTE: Since the configuration of the filters page depends on the database type chosen, only the
relevant objects are displayed.
Example:
Database X might have the hierarchy Database -> Catalog -> Schema -> Table -> Columns/rows
Database Y might have the hierarchy Database -> Schema -> Table -> column/rows
What is Dynamic Data Registration?
Dynamic data registration (DDR) is a method for making the system aware of specific data items
that need protection. This could include lists of customer names and account numbers, credit
card numbers, patient records, and more.
DDR matches specific data values, not just patterns that describe the data, so fine distinctions
can be made between matches. For example, customer credit card numbers might be reported
as privacy violations, but an employee's own credit card number would be ignored.
With the DDR feature of McAfee DLP Discover, large volumes of data in a database (~10 million
records) can be registered as sensitive and tracked. This feature is also known as Dynamic Data
Match. The signatures produced by data matching are collected in a factory default concept
(DBREG).
The same mechanisms that support registration of flat files also support registration of database
records. For example, the DBREG factory default concept collects structured data in the form of
comma-separated values found in databases, just as DocReg does for documents.
Database types supported
When you access a database, you are connecting to a central network location where data is
stored, organized and maintained.
Database Type/Version    Filtering Options
Oracle                   Schemas, Tables, Columns, Records/Rows
DB2                      Schemas, Tables, Columns, Records/Rows
MS SQL Server            Catalogs, Schemas, Tables, Columns, Records/Rows
MySQL                    Catalogs, Tables, Columns, Records/Rows
NOTE: Only MySQL Enterprise is supported. MySQL CE cannot be used for a database scan task because
DataDirect, publisher of the JDBC driver used in DLP products, does not support free GPL database versions.
Database object hierarchy differences
The database types available for scanning by DLP Discover use the following object hierarchy.
Database Type    Object Hierarchy
MySQL            There is no concept of a difference between catalogs and schemas. Databases and tables can be listed.
Oracle           Schemas correspond to users, and users can be listed. Catalogs cannot be listed (remotely), but all tables the current user can access can be listed.
DB2              Schemas can be listed; databases/catalogs cannot be listed (remotely). Tables in a schema can be listed.
MS SQL Server    Schemas and tables can be listed.
TIP: Try selecting different database types, then go to the Filter tab to observe the options available for each
database type.
All filters are applied across the database server. For example, if you set the filter
"Table=Employees", the crawler will scan all databases and fetch records for tables whose
names match "Employees". If you set the filter "Column=LAST_NAME", the crawler will scan all tables
and fetch records from the columns named LAST_NAME in any table the crawler scan can
access.
To restrict a particular column in a particular table, enter filter for both table and column names,
and make sure no other table has the same name and has similarly-named columns.
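As an added example (not DLP Discover's code), the following Python models the filter semantics just described over a constructed inventory of one server, including the case where a table name exists in more than one catalog. Shell-style wildcards stand in for the product's text pattern condition; that, the inventory and the filter values are assumptions.

```python
import fnmatch

# Added example, not DLP Discover's code: models how the catalog/schema/table/
# column filters select columns across a whole server. The inventory and the
# filter values are constructed assumptions.

# Constructed inventory of one MS SQL Server host: (catalog, schema, table, column).
INVENTORY = [
    ("hr",    "dbo",     "Employees",      "EMP_ID"),
    ("hr",    "dbo",     "Employees",      "LAST_NAME"),
    ("hr",    "dbo",     "Departments",    "DEPT_NAME"),
    ("sales", "dbo",     "Employees",      "LAST_NAME"),
    ("sales", "dbo",     "Customers",      "LAST_NAME"),
    ("sales", "archive", "Customers_2009", "LAST_NAME"),
]

ALL = ("All", None)   # the default condition: no filtering at this level


def condition_matches(condition, actual):
    """Evaluate one filter CONDITION/VALUE pair against an object name."""
    kind, value = condition
    if kind == "All":
        return True
    if kind == "Exact Match":
        return actual == value
    if kind == "Pattern":
        # assumed: shell-style wildcards stand in for the product's text pattern
        return fnmatch.fnmatchcase(actual, value)
    raise ValueError(f"unknown condition {kind!r}")


def select_columns(inventory, catalog=ALL, schema=ALL, table=ALL, column=ALL):
    """Columns the crawler would fetch: every filter applies across the whole server."""
    filters = (catalog, schema, table, column)
    return [obj for obj in inventory
            if all(condition_matches(cond, name) for cond, name in zip(filters, obj))]


if __name__ == "__main__":
    # Table=Employees alone reaches the Employees table in every catalog.
    print(select_columns(INVENTORY, table=("Exact Match", "Employees")))
    # Table + Column still returns LAST_NAME from both catalogs' Employees
    # tables; add a catalog filter when same-named tables exist elsewhere.
    print(select_columns(INVENTORY, table=("Exact Match", "Employees"),
                         column=("Exact Match", "LAST_NAME")))
    print(select_columns(INVENTORY, catalog=("Exact Match", "hr"),
                         table=("Exact Match", "Employees"),
                         column=("Exact Match", "LAST_NAME")))
```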
Database terminology differences
Database object hierarchy differs according to the terminologies used by the vendors of different
database types. The object hierarchy displayed on the Filters tab is determined by the selection
of the database type on the Add Scan Operation page.
DLP Discover follows the ANSI SQL 92 standard, which defines a catalog/schema model for data
stores. In this model, catalogs (databases) contain schemas, and schemas contain tables.
● Catalogs may be a collection of related schemas. Because many databases have only one catalog, metadata
is sometimes simply called schema information.
● Schema is a collection of database objects that are owned or have been created by a particular user.
● Tables are collections of columns arranged in specific orders.
Registering structured data by uploading
Use this task to upload significant structured data found in a database. You might want to do this
if you find significant data in one database, and want to set up a task to detect it in others.
NOTE: If you use DLP Manager to upload structured data, it will automatically be registered on all managed
devices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents |
Database Registration.
2. From the Actions menu, select Upload New Data File.
3. Browse to the objects you want to register. The compressed file to be registered cannot be over 100 MB.
TIP: You can generate a CSV file by creating a database scan, filtering the scan, and then copying and pasting
the data you find in a folder into a spreadsheet document. Save the document to your desktop, then browse to
that location to upload it.
4. In the Registration Name text box, type a name.
5. If there is no significant data in the first row of the table (for example, a header), check Skip First Row.
6. Select a Signature Type. Only High Granularity signature types are generated for uploaded CSV documents.
7. Select the policy and rule you want to use to detect the document.
Example
If the data to be protected is of a financial nature, you might select the Banking and Financial sector
policy and the Unencrypted Bank Transactions with ABA Routing Number rule.
8. Click Save or Save, Upload Another.
When you click Save, the signatures of the structured data are added to the DBReg attribute. As with the
DocReg attribute, signatures are treated as a group, regardless of registration method.
NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after
clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will
not be recorded when using that browser.
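The example below, added here and not the product's code, models both the Dynamic Data Registration matching described under What is Dynamic Data Registration? and the CSV upload task above: each cell of a header-bearing CSV is registered as a value signature (honoring Skip First Row), and a message is then checked for registered values only, so that an unregistered card number of the same shape is not reported. The CSV, the message, the hashing scheme and the minimum value length are constructed assumptions.

```python
import csv
import hashlib
import io
import re

# Added example, not the product's code: models how Dynamic Data Registration
# matches specific registered values rather than patterns. The CSV below, the
# hashing scheme and the minimum value length are constructed assumptions.

MIN_VALUE_LEN = 4   # assumption: very short cells would collide with ordinary words

# Constructed sample export; the first row is a header, so "Skip First Row" applies.
# All names and numbers are made-up test values.
SAMPLE_CSV = """\
customer_name,account_number,card_number
Alice Example,10045678,4111111111111111
Bob Example,10045679,4012888888881881
"""


def normalize(value):
    """Canonical form so '4111-1111-1111-1111' and '4111 1111 1111 1111' match the cell."""
    return re.sub(r"[\s-]", "", value).lower()


def _sig(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def register_csv(csv_text, skip_first_row=True):
    """Register every cell of the CSV; returns {signature: column label}.

    With skip_first_row=False the header row is treated as data and registered
    too, which is what happens when the first row carries real values.
    """
    rows = list(csv.reader(io.StringIO(csv_text)))
    if skip_first_row:
        header, data = rows[0], rows[1:]
    else:
        header, data = [f"col{i}" for i in range(len(rows[0]))], rows
    registered = {}
    for row in data:
        for label, cell in zip(header, row):
            value = normalize(cell)
            if len(value) >= MIN_VALUE_LEN:
                registered[_sig(value)] = label
    return registered


def ddr_hits(text, registered, max_span=4):
    """Report spans of the text whose normalized form is a registered value.

    Spans of 1..max_span tokens are tried so that a name ('Alice Example') or a
    card number written in four groups is recognized.
    """
    tokens = re.findall(r"[A-Za-z0-9]+", text)
    hits = []
    for i in range(len(tokens)):
        for n in range(1, max_span + 1):
            span = tokens[i:i + n]
            label = registered.get(_sig("".join(span).lower()))
            if label:
                hits.append((label, " ".join(span)))
    return hits


# For contrast: a pattern-based check flags anything shaped like a card number.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def pattern_hits(text):
    return CARD_PATTERN.findall(text)


# Constructed message: one registered customer record and one unregistered
# (the employee's own) card number of identical shape.
MESSAGE = ("Sent to vendor: customer Alice Example, card 4111-1111-1111-1111. "
           "My own card 5555 5555 5555 4444 was used for expenses.")

if __name__ == "__main__":
    reg = register_csv(SAMPLE_CSV)
    print("pattern:", pattern_hits(MESSAGE))   # both numbers
    print("DDR:", ddr_hits(MESSAGE, reg))      # only the registered record
```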
Setting up basic database scans
Use this task to set up a basic database scan, then adapt it to your purpose by characterizing it
as an inventory, registration or discovery scan.
NOTE: Because integrated Windows authentication is not supported for Microsoft SQL Server, you must create
an MS SQL Server user with the correct credentials for use in a scan task operation.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. In the Scan Operation text box, type a name. Typing a description is optional.
TIP: Include the scan mode in the name — for example, a name like Finance_registration will help you to
remember what the scan does when applied to a rule.
4. Select a Database Type. This defines the support protocol that allows DLP Discover to access the database.
5. Select a Credential definition to enable access to the repository, if necessary, or click New to create a new
one.
6. Select a Schedule, or click New to create a new one.
7. Select a scan Mode. See Types of network scans for a definition of the different modes.
8. Under Devices, select the appliance from which the scan will be run.
NOTE: Select None if you want to save a scan, but do not want to deploy it immediately.
9. On the Node Definition tab, define the IP type by making a selection from the menu.
10. Type the IP Address, then click Include or Exclude to add the IP address to the list. Select Test to verify the
connection.
11. On the Filters tab, filter the scan to define the location to be scanned.
12. On the Advanced Options tab, make the following settings.
● Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.
● Select On Start or On End to determine if and when you want email notification sent.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task
start/stop time and the email posting. The end notification is sent at the end of scanning, and file processing
might continue after notification.
13. Click Save.
Advanced Options definitions for database scan operations
Advanced Options are used to set the throttling bandwidth and set up email notification of
scanning operations. Notifications can be sent at scan start, stop, or both.
Customize the email notification by selecting from the dynamic variables available or adding the
message of your choice.
Use this page to set the Advanced Options definitions.
Option                      Definition
Bandwidth                   Specifies the bandwidth when throttling is activated.
Email To                    A standard email address text box.
End Message/Start Message   Specifies the text of the message. A default message is included. Dynamic variables can be pasted in by clicking them when the cursor is in the text box.
On End/On Start             Checkboxes that specify when email is sent.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task
start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might
continue after notification.
Defining catalogs to be scanned
MySQL and Microsoft SQL Server catalogs can be scanned. In MySQL databases, there is no
difference between catalogs and schemas.
Use these options to set a catalog filter for MySQL or Microsoft SQL Server scans.
CONDITION Definition
All Default value; equivalent to no filtering.
Exact Match Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.
Defining columns to be scanned
Columns for all four database types can be scanned. Use these options to set a column filter for
any scan.
CONDITION Definition
All Default value; equivalent to no filtering.
Exact Match Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.
Defining logins for a database scan
When Repository Type for a scan operation is set to DATABASE, specific parameters appear on
the Node Definition tab. The parameters are slightly different for different database types, but
remain the same for all modes.
Use this page to determine the login for a database scan.
Option                             Definition
Login Database (for Oracle: SID)   Type the name of the database. For SQL, this is the database instance. For Oracle, it is the System ID.
When you have completed the node entries, click Include. You can also Test the database
connection.
Defining nodes for database scan operations
When Repository Type for a scan operation is set to DATABASE, specific parameters appear on
the Node Definition tab. The parameters are slightly different for different Database Types, but
remain the same for all Modes.
Use this page to determine the Node Definition settings for database scan operations.
Option                             Definition
IP Address                         Only single IP addresses are allowed. You must enter a valid IP address to create a valid scan operation.
Port                               The port is automatically configured according to the Database Type:
                                   ● DB2 — 50000
                                   ● Microsoft SQL Server — 1433
                                   ● MySQL — 3306
                                   ● Oracle — 1521
                                   If you are using a non-standard port, type the port number in the text box.
Login Database (for Oracle: SID)   Type the name of the database. For SQL, this is the database instance. For Oracle, it is the System ID.
SSL Certificate                    Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.
When you have completed the node entries, click Include. You can also Test the database
connection.
Defining ports for a database scan
When Repository Type for a scan operation is set to DATABASE, specific parameters appear on
the Node Definition tab. The parameters are different for different database types, but remain the
same for all modes.
Use this page to determine a port setting for a database scan.
Option   Definition
Port     The port is automatically configured according to the database type. If you are using a non-standard port, type the port number in the text box.
         ● DB2 — 50000
         ● Microsoft SQL Server — 1433
         ● MySQL — 3306
         ● Oracle — 1521
When you have completed the node entries, click Include. You can also Test the database
connection.
Defining records/rows to be scanned
Records for all four database types can be scanned. Use these options to set a record/row filter
for any scan.
Option          Definition
Where           Allows entry of any SQL WHERE clause. For example, retrieve matching names from a column in a table by entering surname like '%lang'.
Limit (#Rows)   Limits the number of rows fetched from each table. If you set a limit of 100, at most one hundred rows will be fetched from each table crawled.
Defining schemas to be scanned
Schemas for all four database types can be scanned. In MS SQL Server databases, there is a distinction
between catalogs and schemas.
Use these options to set a schema filter for any scan.
CONDITION Definition
All Default value; equivalent to no filtering.
Exact Match Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.
Defining SSL certificates for a database scan
When Repository Type for a scan operation is set to DATABASE, specific parameters appear on
the Node Definition tab. The parameters are slightly different for different Database Types, but
remain the same for all Modes.
NOTE: You have the option of using an SSL certificate to identify the database server host and encrypt the data
exchanged between database server and the DLP device. This is particularly useful if the database server is
using a non-standard/self-signed certificate. Client certificate handling is currently not supported.
Use these options to determine the SSL certificate needed for a database scan.
Option            Definition
SSL Certificate   Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.
When you have completed the node entries, click Include. You can also Test the database
connection.
Defining tables to be scanned
Tables for all four database types can be scanned.
Use these options to set a table filter for any scan.
CONDITION Definition
All Default value; equivalent to no filtering.
Exact Match Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.
Managing scans
Managing scan operations
You can manage one or more scans by applying different states from the Actions menu on the
Scan Operations page.
Scan Action   Description
New           Launches the Add Scan Operation dialog box
Clone         Copies the selected scan and opens the Edit Scan Operation dialog box; allows the name and other parameters to be changed
Activate      Activates the selected scan; causes the system to fetch files and analyze content
Deactivate    Deactivates the selected scan (keeps it from running)
Start         Starts the scan; fetches only new content
Stop          Stops the scan
Rescan        Resubmits the scan for tasks that are not running but are in a Ready state. Re-fetches files, re-analyzes all content, and generates new incidents
Delete        Deletes the scan
Up to 100 scans can be queued.
TIP: Configure firewalls and set bandwidth when you set up a scan.
Types of scan states
The Last Status column on the Scan Operations page always displays one of the following
states.
● Ready: Task is ready to run and user can start tasks.
● Running: Task (crawler) is running.
● Inactive: Task is removed from the schedule queue and tasks cannot be run (even manually). Such tasks must
be activated before they can be run.
● Starting: Task is starting and about to run.
● Stopping: Task is stopping.
● Stopped: (Rare) Task was killed/crashed by some unforeseen situation. Such tasks can be started again.
Viewing scan operations
All scan operations are listed on the Scan Operations page. In ePolicy Orchestrator, go to Menu |
Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
TIP: You can get details on scans that are in progress or completed by selecting the Statistics icon.
Modifying the state of a scan
Use this task to modify a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Select the radio button of the scan.
3. From the Actions menu, select a state.
Deploying scans
A scan is deployed when the scan targets are defined.
Use this task to identify the Discover and Monitor devices that run the scan and store the
signatures.
TIP: On Monitor and Discover appliances managed by DLP Manager, you can store the signatures on more
than one DLP device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Double-click the name of the scan.
3. Select the radio button of an appliance from the Devices checkbox.
TIP: Select None if you want to save a scan, but do not want to run it right away.
Starting scans
Use this task to start a scan.
NOTE: You cannot start a task until it is in Ready state. A new scan will remain inactive until its associated
policies are published. If the status column does not display Ready, wait until this happens (you may refresh
the screen if you wish). Then click the radio button of the task and select Start from the Actions menu.
NOTE: When you rescan, all files are fetched again and reanalyzed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Note the Last Status column of the scan. If the scan status is Inactive, select the radio button and select
Activate from the Actions menu.
3. Select the radio button of the scan.
4. From the Actions menu, select Start.
TIP: Click on the Refresh icon to refresh the status of the scan.
NOTE: If a scan is stopped, you can resume it without restarting by simply selecting Start from the Actions
menu.
Stopping scans
Use this task to stop a scan.
NOTE: The task must be in a RUNNING state.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Note the Last Status column of the scan.
3. Select the radio button of the scan.
4. From the Actions menu, select Stop.
NOTE: When you stop a scan, the process pauses, and selecting Start from the Actions menu causes it to resume.
Setting bandwidth for a scan
Discover is set up to use all bandwidth needed to perform a scan (No Throttling is the default).
Use this task to conserve bandwidth by configuring bandwidth throttling.
TIP: Consider the transmission capacity of your network and the amount of network traffic before deciding how
much bandwidth to allocate to the scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select the Advanced Options tab.
5. Type a rate into the Bandwidth field, or select No Throttling from the menu.
● No Throttling
● Kbps
● Mbps
Example:
On a 100-Mbps LAN, limit bandwidth to 50 Mbps to limit the crawler to half of the bandwidth available.
NOTE: If bandwidth is throttled correctly and there is L3 connectivity between networks, Discover can be
deployed across a WAN, though object viewing might be slower due to WAN latency. For example, if a 1 Gbps
link between Tokyo and London is used, only ~10 Kbps throughput may be available for a CIFS scan.
6. Click Save after completing all other scan parameters.
NOTE: Bandwidth throttling is applied as an average across the entire scan rather than as each individual file
is being fetched. A Discover scan might burst above or below the configured throttle limit, but the average
throughput measured across the entire scan will remain very close to the configured limit.
Scanning in full duplex mode
Discover cannot be deployed in half-duplex mode. Every interface between Discover and target
nodes (intermediary switch, router, firewall, etc.) must be set to full duplex.
Guidelines for Fast Ethernet networks
● Hard-code the speed and duplex of the Discover appliance to 100 Mbps and full duplex.
● Ensure that all intermediary devices are either hard-coded to 100 Mbps and full duplex, or validate that all
intermediary devices have negotiated to full duplex if configured for automatic negotiation.
Guidelines for Gigabit Ethernet networks
● Set the speed and duplex of the Discover appliance to 1000 Mbps and full duplex or to auto-detect.
● Ensure that all intermediary devices are either hard-coded to 1000 Mbps and full duplex, or validate that all
intermediary devices have negotiated to full duplex if configured for automatic negotiation.
Managing scan load
Scan load may have an impact on performance of DLP systems. If too many operations are
running concurrently, a Discover scan might appear to be stalled in a Not Ready state.
Operations that add load to the system include:
● Deleting or creating scans in the same time frame;
● Crawlers running and processing files from an extended scan;
● Multiple policies and rules being decoupled from deleted scans.
If a Discover scan appears to have stopped, wait for 30 minutes. If the task does not reactivate,
select it and Activate from the Actions menu.
If several retries fail, save the scan as a new task to republish all policies, then delete the old
task.
Editing scans
Use this task to edit a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Double-click the name of the scan you want to modify.
3. Make changes in the Edit Scan Operation window.
4. Click Save.
Deleting scans
Use this task to delete a scan.
NOTE: If a scan is in Running state, it must be stopped before it can be deleted.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. By clicking one or more radio buttons, select the scans to be deleted.
3. From the Actions menu, select Delete.
NOTE: Deleting a scan will also clear all scan statistics and the entire history of the scan, and any incidents
found by a scan that is later deleted will not be remediable or recoverable.
Setting up scans
Preparing to scan
Plan your scan before setting it up. Gather all of the following information.
● Scan mode - Inventory, Registration, or Discover
● Credentials to access the repository
● Database type and version (for database scans)
● IP address, subnet, or range including required ports
● Login database or SID and SSL certificate (for database scans)
● File systems to be scanned
● Schedule for the scan
● Configuration of firewalls
● Bandwidth to be used
● Projected scan load
Setting up basic scans
Use this task to set up a basic scan, then adapt it to your purpose by characterizing it as an
inventory, registration or discovery scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. In the Scan Operation text box, type a name. Typing a description is optional.
TIP: Include the scan mode in the name. For example, a name like Finance_registration will help you to
remember what the scan does when applied to a rule.
4. Select a Repository Type. This defines the support protocol that allows DLP Discover to access the repository.
See Repository types supported for a list of protocols.
5. Select a Credential definition to enable access to the repository, if necessary, or click New to create a new
one.
6. Select a Schedule, or click New to create a new one.
7. Select a scan Mode. See Discovering data at risk for a definition of the different modes.
8. Under Devices, select the appliance from which the scan will be run.
NOTE: Select None if you want to save a scan, but do not want to deploy it immediately.
9. On the Node Definition tab, select a Node definition.
● For a Single IP, type the IP Address, then click Include or Exclude to add the IP address to the list.
● For an IP Subnet, type a Base IP and a Subnet Mask. Click Include or Exclude to add the IP subnet to the list.
● For an IP Range, type a Start IP and an End IP. Click Include or Exclude to add the IP range to the list.
Depending on the protocol used, you might have to enter the URL instead.
NOTE: You must include at least one IP address, subnet, or range. Including or excluding additional
addresses, subnets, or ranges is optional. See Defining URLs to be scanned.
10. On the Filters tab, filter the scan to define the location to be scanned.
11. On the Advanced Options tab, make the following settings.
● Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.
● If you do not want the scan to update the file's last access time, select Preserve and run the scan manually.
● Type email notification information. Notification can be sent for scan start, scan stop, or both, with a default
message or the message of your choice.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task
start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might
continue after notification.
12. Click Save.
Repository types supported
When you access a repository, you are connecting to a central network location where data is
stored, organized and maintained. The repository type is determined by the protocol used to
access data on the device.
Configuring inventory scans
Inventory scans crawl all directories and files residing on a targeted repository and generate an
index, or manifest.
Use this task to configure a basic scan as an inventory scan.
1. Set up a basic scan.
2. Select a Repository Type. This defines the support protocol that allows DLP Discover to access the repository.
See Repository types supported for a list of protocols.
3. Set up filters to define the location to be crawled. The inventory scan identifies all files that are available to be
scanned in a targeted repository.
4. Set the Advanced Options. See Setting up basic scans for details.
5. Click Save.
TIP: You can export a report of the index from the Scan Statistics window.
Configuring discovery scans
Discovery scans find data that has been registered or is residing on a file share in violation of a
policy.
Network discovery scans are defined and scheduled as described below. Host discovery scans
are defined as described below, but are scheduled on the ePolicy Orchestrator Agent
Configuration page.
Discovery scans act according to specified policies. Go to Menu | Data Loss Prevention | DLP
Policies to verify that a suitable policy exists, or to create a new policy. For more information, see
Using policies and rules. For host discovery, see Configuring a policy for host discovery for host-
specific instructions.
Use this task to configure a basic scan as a discovery scan.
1. Set up a basic scan.
2. Select a Repository Type.
NOTE: For host discovery scans, use CIFS.
3. Select a Schedule, or click New to create a new one.
NOTE: For host discovery scans, accept the default schedule. The schedule set in the HDLP policy in the
ePolicy Orchestrator Policy Catalog overrides the value set here.
4. For Mode, select Discover.
5. Under Devices, select the appliance from which the scan will be run.
NOTE: For host discovery, select None.
6. On the Node Definition tab, select a Node definition. See Setting up basic scans for more details.
NOTE: For host discovery, you must select Single IP. Type a dummy IP address, for example, 1.1.1.1. Host
discovery is run only on the host computer, and the DLP Agent on the host ignores this information, but you
must include a valid IP address to create a valid scan definition.
7. Set the Advanced Options. See Setting up basic scans for details.
8. On the Policies tab, select policies from the Available Policies list and Add them to the Selected Policies list.
NOTE: You must add at least one policy to create a valid definition.
9. Click Save.
Configuring registration scans
Registration scans register sensitive data by generating digital fingerprints, or signatures, that
identify whole or partial documents.
Network registration scans are defined and scheduled as described below. Host registration
scans are defined as described below, but are scheduled with ePolicy Orchestrator Server Tasks.
Use this task to configure a basic scan as a Registration scan.
TIP: Do an inventory scan first to get an idea of what directories, folders and documents are available to be
scanned.
1. Set up a basic scan.
2. Select a Repository Type.
NOTE: For Host discovery scans, use CIFS.
3. Select a Credential definition to enable access to the repository, or click New to create a new one.
4. Select a Schedule, or click New to create a new one.
NOTE: For Host registration scans, accept the default schedule. The schedule set in ePolicy Orchestrator
Server Tasks overrides the value set here.
5. For Mode select Registration.
NOTE: For database registration, select Data Match.
6. Select one or more Devices that will receive the registration signatures.
NOTE: For Host registration scans, select None.
7. Set the Advanced Options. See Setting up basic scans for details.
8. On the Registration tab, define signature type and targets.
9. Click Save.
NOTE: If Discover reboots (or the application is restarted) while the registration task is in the RUNNING state, a
few documents might be re-registered, and duplicate incidents could be reported.
Firewall configuration to allow scanning
Before you crawl a repository, make sure the scan will not be impeded by a firewall.
NOTE: Source ports are randomly chosen unless explicitly noted. Network and host-based firewalls typically
permit connections only on certain ports and might have to be configured to permit connections on others.
Managing credentials
Using credentials to access repositories
Credentials enabling access to an existing account on a repository are needed before a scan
can be created. Some systems may also require a domain name to complete the authentication
process.
Use these tasks to add, view, edit, or delete credentials.
NOTE: If the data in a file system is openly accessible, you can use the default credential None.
Viewing existing credentials
Use this task to view the credentials available for logging on to a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations | Credentials.
2. Click a credential to view its properties.
Adding credentials
Use this task to add a credential, which will allow you access to a repository to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Name and describe (optional) the credential.
4. Type a User Name of an existing account.
5. Add a Domain Name (may not be required).
6. Type and confirm the Password.
7. Click Save.
Editing credentials
Use this task to edit a credential that must be modified before it can be used to access a
repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations | Credentials.
2. Click a credential to display its properties.
3. Modify the parameters, then click Save.
Deleting credentials
Use this task to delete credentials that can no longer be used to access a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations | Credentials.
2. Select one or more credential checkboxes.
3. From the Actions menu, select Delete Selected.
TIP: Click trash can icons to delete credentials one by one.
Scheduling scans
Using scan schedules
Use this task to define a schedule for a scan task. Continuous, periodic and on-demand scans
are supported.
NOTE: To schedule a host discovery scan, go to Menu | Policy | Policy Catalog and click on the Discovery
Schedule tab of the Agent Configuration settings. See Scheduling a host discovery scan for details.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration
| Schedules.
2. From the Actions menu, select New.
3. Type in a name for the schedule. Typing a description is optional.
4. Set the time parameters for the schedule.
5. Click Save.
Viewing scan schedules
Use this task to view available schedules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration.
2. Click Schedules.
3. View the Description and Details columns.
NOTE: By opening the schedule, you can find out what scans are controlled by it.
Editing scan schedules
Use this task to edit a scan schedule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration
| Schedules.
2. Open a schedule and modify the parameters.
3. Click Save.
Deleting scan schedules
Use this task to delete scan schedules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Schedules.
2. Select one or more schedule checkboxes.
TIP: Click trash can icons to delete schedules one by one.
3. From the Actions menu, select Delete Selected.
Filtering scans
Defining scans
After you decide whether to inventory, register, or discover files in a repository, you must set up
filtering, registration, and policy options.
The scan definition must include the credentials to be used to access the repository, and a
schedule that determines when the scan will be run.
Because Last Access Updating is enabled in all Microsoft Windows operating systems before
Vista, the DLP Discover crawler automatically changes the access time of each file it touches.
The original timestamps can be preserved by selecting the Preserve Last Access Time
checkbox and filtering the scan manually.
NOTE: This feature is applicable only to CIFS and NFS repositories.
Use these tasks to set filters, locations, policies, and other scan parameters.
Filtering scans by browsing
Use this task to define a filter when browsing databases and file systems.
Database Filtering
Filter definitions allow the scan to look for data at a specific level of the database hierarchy. The
hierarchy is specific for the database type, and includes catalogs, schema, table, column, or row
level.
CONDITION      Definition
All            Default value; equivalent to no filtering.
Exact Match    Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern        Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.
File System Filtering
Filter definitions allow the scan to look for data at specific levels of a file system hierarchy. The
hierarchy is specific for the file system, and includes shares, folders, and file properties.
CAUTION: Because Last Access Updating is enabled in all Microsoft Windows operating systems before Vista,
the DLP Discover crawler automatically changes the Last Accessed Time of each file it touches. If you do not
want the files changed, click the Preserve Last Access Time box and filter the scan manually.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select a target for storage of the signatures by selecting one or more Devices.
5. Click the Filters tab.
6. Click Browse.
7. Click the plus icon to open the repository. If Authentication Failed appears when you filter a repository, check
the credential you are using to access it. If authentication succeeds for the repository, but fails for a share, you
might not have permission to view it.
8. Select the shares, folders and file properties.
NOTE: For browsing document repositories, only file properties (File pattern and size) are supported for HTTP,
HTTPS, FTP and SharePoint. Database repository attributes differ according to database type.
TIP: Use only a single click; double-clicking will duplicate your selection.
9. Click X to close the browse window.
10. Click Save.
Filtering scans manually
Use this task to define a filter manually.
TIP: Use the Browse feature to research the path before entering options manually.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select one or more Devices from which the scan will be deployed.
5. Select the Filters tab and open Filter.
6. Define the shares to be scanned.
NOTE: If you define an absolute path on an NFS repository manually, Discover will not crawl the share unless
you replace the "/" character in the share name with "%2F".
Example:
For /home/nfs_local/mydirectory
use /%2Fhome%2Fnfs_local/mydirectory
where /home/nfs_local is the name of the exported share and /mydirectory is a
directory under this share.
7. Define the folders to be scanned.
8. Define the file properties to use when scanning.
9. Click Save.
Filtering IP addresses to be scanned
Use this task to define IP addresses of hosts to be scanned.
NOTE: Only single IP addresses are allowed for database scans. You must enter a valid IP
Address to create a valid scan operation.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Set the repository type to CIFS, NFS or Documentum.
NOTE: The protocol used determines the repository type and method of node definition. CIFS, NFS and
Documentum require IP addresses.
5. Select Single IP, IP Subnet or IP Range from the Node Definition menu.
6. Type addresses in the IP Address field.
TIP: If some addresses do not fit in the sequence, you can define those addresses or ranges and exclude them.
Examples
Single IP address: 192.168.1.0
IP Range: type 192.168.3.128-192.168.3.200 and click Include; type 192.168.3.245-192.168.3.254 and click Exclude.
IP Subnet: Base IP 192.168.1.0, Subnet Mask 255.255.255.0
NOTE: You cannot define a range across subnets; only 255 addresses can be defined at a time (0-254). CIDR
is not supported in the address field; dotted-decimal notation is required.
7. Click Include or Exclude, as appropriate.
8. Click Save.
9. Define filters and policies.
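As an added check that is not part of the guide, the following Python helper applies the rules in the note above to Node Definition entries and works out which addresses a list of Include and Exclude entries leaves in scope before the scan is saved; the address set assigned to an IP Subnet (host numbers 0-254) and the function names are assumptions made here.

```python
import ipaddress

# Added example, not part of the McAfee guide: validates Node Definition entries
# against the rules stated in the note (dotted decimal only, no CIDR, a range
# stays inside one subnet and uses host numbers 0-254) and works out which
# addresses a list of Include/Exclude entries leaves in scope.


def parse_node(kind, value):
    """Return the set of IPv4Address objects one entry covers, or raise
    ValueError when the entry breaks a rule the guide states.

    kind is "Single IP", "IP Range" or "IP Subnet"; value is the text typed
    into the field: "a.b.c.d", "a.b.c.d-a.b.c.e" or "base mask"."""
    if "/" in value:
        raise ValueError("CIDR notation is not supported; use dotted decimal")
    if kind == "Single IP":
        return {ipaddress.IPv4Address(value.strip())}
    if kind == "IP Range":
        first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
        if last < first:
            raise ValueError("End IP precedes Start IP")
        if first.packed[:3] != last.packed[:3]:
            raise ValueError("a range cannot cross subnets")
        if last.packed[3] == 255:
            raise ValueError("only host numbers 0-254 can be defined")
        return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}
    if kind == "IP Subnet":
        base, mask = value.split()
        if mask.count(".") != 3:
            raise ValueError("Subnet Mask must be dotted decimal, e.g. 255.255.255.0")
        net = ipaddress.IPv4Network((base, mask), strict=False)
        if net.prefixlen < 24:
            raise ValueError("only 255 addresses can be defined at a time")
        addrs = set(net)
        if net.num_addresses > 1:
            # Assumption: the guide counts host numbers 0-254, so .255 is left out
            addrs.discard(net.broadcast_address)
        return addrs
    raise ValueError("unknown Node Definition kind: %s" % kind)


def effective_scope(entries):
    """entries: (action, kind, value) triples in the order they were added,
    with action "Include" or "Exclude". Every Exclude is subtracted from the
    union of all Includes, and at least one Include is required."""
    included, excluded = set(), set()
    for action, kind, value in entries:
        if action == "Include":
            included |= parse_node(kind, value)
        elif action == "Exclude":
            excluded |= parse_node(kind, value)
        else:
            raise ValueError("action must be Include or Exclude")
    if not included:
        raise ValueError("at least one IP address, subnet or range must be included")
    return included - excluded


def rejected(kind, value):
    """True when parse_node refuses the entry (a pre-flight check)."""
    try:
        parse_node(kind, value)
    except ValueError:
        return True
    return False


# The guide's own example values plus one constructed Exclude of the subnet's .0
SAMPLE_ENTRIES = [
    ("Include", "IP Range", "192.168.3.128-192.168.3.200"),
    ("Exclude", "IP Range", "192.168.3.245-192.168.3.254"),
    ("Include", "IP Subnet", "192.168.1.0 255.255.255.0"),
    ("Exclude", "Single IP", "192.168.1.0"),
]


def sample_scope():
    """Address strings in scope for SAMPLE_ENTRIES: 73 from the range plus
    254 from the subnet once .0 and .255 are out, 327 in all."""
    return {str(a) for a in effective_scope(SAMPLE_ENTRIES)}


if __name__ == "__main__":
    print(len(sample_scope()), "addresses in scope")  # 327
    for kind, value in [("IP Subnet", "192.168.1.0/24"),
                        ("IP Range", "192.168.3.250-192.168.4.5")]:
        print(kind, value, "rejected" if rejected(kind, value) else "accepted")
```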
Filtering URLs to be scanned
Use this task to define URLs to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Set the repository to one of the following:
● FTP
● HTTP
● HTTPS
● Microsoft SharePoint
5. Select URL from the Node Definition menu.
6. Type a URL into the URL field followed by a slash, which establishes the boundaries of the scan.
Example:
http://www.yahoo.com/
https://reconnex-host.reconnex.net:8181/dir/
7. Click Include.
8. Click Save.
9. Define filters and policies.
Filtering file properties for a scan
Use this task to define file properties before scanning.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Click the Filters tab.
5. Open Folders.
6. Open File Properties.
7. Select an Element and Condition.
8. Type a path or pattern into the value field.
Absolute Directory Path is recognized as the base directory.
Examples
Absolute Directory Path > equals > C$/Eng/Network/Drawings
File Pattern > equals > *.jpg,*.doc
File Owner > equals > bjones
File Size > range > 1024-5000 (requires numbers expressed in bytes)
File Creation Time > between > 16:30:00 and 17:00:00
Last Modification Time > after > 13:30:00
Last Accessed > before > 17:00:00
9. Define policies.
10. Click Save.
Filtering folders to be scanned
Use this task to define the folders to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Click the Filters tab.
5. Open Folders.
6. Select an Element and Condition.
7. Type a path or pattern into the value field. Absolute Directory Path is recognized as the base directory.
Examples
Absolute Directory Path > equals > C$/Eng/Network/Drawings
Directory Pattern > contains > Human Resources
Directory Pattern > does not contain > Employee Records
NOTE: All subdirectories matching the pattern will be crawled.
8. Define policies.
9. Click Save.
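An added example, not from the guide: a small Python evaluator for the Element > Condition > Value rows of the file-property and folder examples above, run over constructed file records to check what a filter would select before the scan runs over (and, on pre-Vista Windows, re-timestamps) every file on a share. That all rows of a filter must match and that time elements compare on the clock part only are assumptions made here.

```python
import fnmatch
from datetime import time

# Added example, not part of the McAfee guide. Assumptions: every row of a
# filter must match (AND), and time elements are compared on the clock part
# only, as in the guide's examples.

TIME_ELEMENTS = {
    "File Creation Time": "created",
    "Last Modification Time": "modified",
    "Last Accessed": "accessed",
}


def parse_rows(text):
    """Turn 'Element > Condition > Value' lines into (element, condition, value)."""
    rows = []
    for line in text.strip().splitlines():
        element, condition, value = (p.strip() for p in line.split(">", 2))
        rows.append((element, condition.lower(), value))
    return rows


def _clock(text):
    hour, minute, second = (int(x) for x in text.split(":"))
    return time(hour, minute, second)


def row_matches(row, rec):
    """Does one filter row accept the record?"""
    element, condition, value = row
    if element == "Absolute Directory Path" and condition == "equals":
        # The path is the base directory, so anything below it is in scope
        return rec["directory"] == value or rec["directory"].startswith(value + "/")
    if element == "Directory Pattern":
        found = value in rec["directory"]
        if condition == "contains":
            return found
        if condition == "does not contain":
            return not found
    if element == "File Pattern" and condition == "equals":
        return any(fnmatch.fnmatch(rec["name"], p.strip()) for p in value.split(","))
    if element == "File Owner" and condition == "equals":
        return rec["owner"] == value
    if element == "File Size" and condition == "range":
        low, high = (int(x) for x in value.split("-"))   # bytes, inclusive
        return low <= rec["size"] <= high
    if element in TIME_ELEMENTS:
        stamp = _clock(rec[TIME_ELEMENTS[element]])
        if condition == "between":
            start, end = (_clock(x) for x in value.split(" and "))
            return start <= stamp <= end
        if condition == "after":
            return stamp > _clock(value)
        if condition == "before":
            return stamp < _clock(value)
    raise ValueError("unsupported filter row: %r" % (row,))


def select(filter_text, records):
    """Names of the records that every row of the filter accepts."""
    rows = parse_rows(filter_text)
    return [r["name"] for r in records if all(row_matches(row, r) for row in rows)]


# The guide's file-property rows, with the same values
FILE_FILTER = """
Absolute Directory Path > equals > C$/Eng/Network/Drawings
File Pattern > equals > *.jpg,*.doc
File Owner > equals > bjones
File Size > range > 1024-5000
File Creation Time > between > 16:30:00 and 17:00:00
Last Modification Time > after > 13:30:00
Last Accessed > before > 17:00:00
"""

# The guide's folder rows
FOLDER_FILTER = """
Directory Pattern > contains > Human Resources
Directory Pattern > does not contain > Employee Records
"""

# Constructed sample records (sizes in bytes, times as clock values)
FILES = [
    {"directory": "C$/Eng/Network/Drawings", "name": "site.jpg", "owner": "bjones",
     "size": 2048, "created": "16:45:00", "modified": "14:00:00", "accessed": "16:00:00"},
    {"directory": "C$/Eng/Network/Drawings/old", "name": "plan.doc", "owner": "bjones",
     "size": 9000, "created": "16:40:00", "modified": "15:00:00", "accessed": "12:00:00"},
    {"directory": "C$/Human Resources/Policies", "name": "handbook.doc", "owner": "hradmin",
     "size": 3000, "created": "09:00:00", "modified": "09:30:00", "accessed": "10:00:00"},
    {"directory": "C$/Human Resources/Employee Records", "name": "list.xls", "owner": "hradmin",
     "size": 4000, "created": "09:00:00", "modified": "09:30:00", "accessed": "10:00:00"},
]

if __name__ == "__main__":
    print("file filter  :", select(FILE_FILTER, FILES))    # ['site.jpg']
    print("folder filter:", select(FOLDER_FILTER, FILES))  # ['handbook.doc']
```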
Filtering shares to be scanned
Use this task to define shares to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select one or more Devices from which the scan will be deployed.
5. Select the Filters tab.
6. Open Filter.
7. Open Shares.
NOTE: When you scan all the shares on a system, you do not have to define a filter at all. The default filter will
always crawl all the shares on the system with the base directory / (root).
8. From the Shares menu, select equals.
9. Select Exact Match or Pattern from the Condition menu.
TIP: The All condition, indicating that all shares will be scanned, is the default.
10. Type the share name into the Value menu.
11. Define the folders to be scanned, if needed.
12. Define the file properties to use when scanning, if needed.
13. Click Save.
Setting policies for a scan
Use this task to match specific policies and rules to the data found by a Discover scan. The scan
cannot be saved until you choose at least one policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Select the Policies tab.
3. Click on one or more policies.
4. Click Add or Add All.
Use the Remove or Remove All buttons to make adjustments to your selection.
Getting scan results
How scan statistic reporting works
While files are being fetched, counters increment as nodes are identified and shares are
authenticated. The incident database is updated every 15 minutes until the conclusion of the
task.
Incident files are downloaded directly to Discover from the host on which they were detected, but the files are
not saved indefinitely. They are fetched from the source when needed and the cache is flushed regularly to
optimize disk utilization.
The index keeps running in the background until all files are reported, even if the task has
completed.
NOTE: To maximize performance during a CIFS/NFS/Documentum inventory scan, the crawler updates the
database only after 100,000 files have been processed. If fewer files are detected, the counters are updated
after the scan has been completed.
Understanding scan results
When you run a scan operation, files that have been registered or matched to rule conditions are
indexed and fetched from the repository. Scan results are displayed on the Incidents | Data-at-
Rest dashboard.
Statistics describing the status of the scan are displayed under the Statistics icon. In ePolicy
Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration.
Viewing incidents found by a scan
Incidents found by a scan are reported on the Incidents dashboard. Select Details to display the
file and its attributes, and the Match tab to find out why it was reported, or add the MatchString
column to the dashboard.
After a standalone Discover is registered to DLP Manager, the number of total incidents
displayed will not include incidents that were reported before Discover was added to the
network. Because a few documents might be re-registered after a reboot or restart, duplicate
incidents might be reported.
TIP: Use the Actions menu to change the status of incidents that have been found, and set up action rules to
remediate them.
Getting reports of scan statistics
Use this task to save all statistics produced during a scan to your dashboard.
NOTE: Export from the dashboard is limited to 5 KB. Although the dashboard incident list is limited to 5,000
results, up to 150,000 results can be exported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Click the icon in the Statistics column of the scan.
3. From the Reports menu, select a report.
Report Types        Description
Current Statistics  Reports the statistics that are currently viewable. They could be from the current scan, the last one run, or any other historical scan.
All Statistics      Reports all the statistics of all the runs of the scan task.
Export File List    Reports the file list at share level (only files of the required share), IP level (only files of a required host), or task level (all files detected by the task across hosts and shares). If there is a single host with a single share, all three reports will be the same.
4. Click Save.
If you have Microsoft Excel installed and are using Internet Explorer, the reports will automatically open in Excel.
If not, a CSV text file will launch.
NOTE: Because CSV is a generic ASCII format, it can be opened with any text editor, spreadsheet or database
program. If the CSV file is very large (50,000+ records), it will be compressed into a zip file before it is available
for opening or saving.
Getting database scan statistics
Use this task to get statistics from running and completed database scans.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Click the icon in the Statistics column of a database scan.
3. View database scan statistics and counters.
TIP: Select an export option from the Report Options menu to get a report of the historical scan.
Adding columns to scan statistics
Use this task to display scan statistics in a different configuration.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Click the Statistics icon.
3. Select the Repository Details tab.
4. Open Share Details per Host.
5. Click on Shares Detected, Shares Crawled, or Shares Failed. Click underlined numbers for more
information.
● Click Files Fetched to get a full page report.
● Select Columns and move them to the Available or Selected windows.
● Click the Move buttons to change the display order.
6. Click Apply.
Viewing registered data matches
Registered data results do not display match strings on the Incident Details page, because the
file found is itself evidence of an exact match. However, the Match tab under Incident Details
does display the document matched and the matching text snippet.
Viewing scan status
Use this task to get information on the status of a crawl.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Click the Statistics icon for the scan of interest.
3. Select the Repository Details tab.
4. Open Share Details per Host.
5. Click on Shares Detected, Shares Crawled, or Shares Failed. Underlines under numbers indicate that there
is more information available.
NOTE: The Files yet to be fetched counter increments when new shares are detected and decreases as files
are detected and fetched. If a database scan is interrupted when records have been fetched but not processed,
those records are not processed when the scan is rerun.
TIP: Select a Report Option to keep a record of the scan after it has completed.
TIP: If you need updates before the scan status is synchronized, click the Refresh button. This action
consumes resources, so use it judiciously.
Getting historical statistics
Use this task to get statistics from previously completed scans.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration |
Scan Operations.
2. Click the icon in the Statistics column of the scan.
3. Select a report from the History menu.
4. View.
TIP: Select an export option from the Report Options menu to get a report of the historical scan.
Searching discovered data
Finding discovered data
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced
Search, then open Discover to search for data in the Discover database.
Finding scan operations
Use this task to find existing scan operations.
TIP: Use this parameter with other options to find files discovered by a specific scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Scan Operation from the first drop-down list, and is any of from the second.
3. Click "?".
4. Select the scan task from the popup menu.
5. Click Search or Save as Rule.
Finding registered files in discovered data
Use this task to find registered files in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Content.
2. Select Concept from the first drop-down list and is any of from the second.
3. Click "?", then open Corporate Confidential.
4. Select DocReg. The DocReg concept contains all the signatures that identify registered data. When this
concept is used in a search, its signatures are applied against all objects in the Discover database. Any
matches are reported on the Incidents dashboard.
5. Click Apply.
6. Click Search.
TIP: Alternately, save as rule to open a rule definition page. Adding this rule to a policy allows you to use the
DocReg concept to identify sensitive documents automatically whenever that policy is used to find incidents.
Finding repository types in discovered data
Use this task to find repository types in data at rest.
Repository Type   Definition
CIFS              Microsoft Common Internet File Services
SharePoint        Microsoft SharePoint
NFS               Sun Network File System
Documentum        EMC Documentum
FTP_Crawl         File Transfer Protocol Crawl
HTTP_Crawl        Hypertext Transfer Protocol Crawl
HTTPS_Crawl       Secure Hypertext Transfer Protocol Crawl
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Repository Type from the first drop-down list, and is any of from the second.
3. Click "?".
4. Select one or more repositories.
5. Click Search or Save as Rule.
Finding IP addresses in discovered data
Use this task to find IP addresses in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Host IP from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type the IP address of the repository into the value field.
NOTE: You can type in a single address, a range, or a subnet; CIDR notation is supported.
Examples
192.168.3.225
10.1.0-10.0.1.255
172.16.1.1/24
5. Click Search or Save as Rule.
Finding host names in discovered data
Use this task to find host names in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Host Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type the host name of the repository into the value field.
5. Click Search or Save as Rule.
Finding file name patterns in discovered data
Use this task to find files by pattern in the Discover scanned data database.
NOTE: The only metacharacter supported is a single asterisk (*).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Share Name, Host IP or Host Name from the drop-down list to define the target of the search.
3. Click the plus icon to add an element.
4. Select File Name Pattern from the first drop-down list, and contains any of from the second.
NOTE: Use Basic Search | File Name Pattern to find files in streaming network data.
5. Type a name, or a single file type extension into the value field.
6. Click Search or Save as Rule.
NOTE: Comma- and space-separated values signifying AND and OR are not supported.
Example
Find a JPG in a database or repository:
Capture | Advanced Search | Discover | File Name Pattern contains *.jpg
Find Microsoft Office Word AND Excel files in a database or repository:
Capture | Advanced Search | Discover | File Name Pattern contains *.xls
NOTE: You can use a keyword with an asterisk (for example, Financ*), but a File Name Pattern search is
faster.
7. Click Search or Save as Rule.
Finding file owners in discovered data
Use this task to find all files belonging to a single user in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select File Owner.
3. Select is any of from the drop-down list.
TIP: If the files belong to a prolific user, adding other search elements to the query will help to focus on exactly
what is needed.
4. Type the file owner into the value field.
5. Click Search or Save as Rule.
Finding file paths in discovered data
Use this task to find file paths in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select File Path from the first drop-down list, and contains any of from the second.
3. Type the file path of the repository into the value field.
4. Click Search or Save as Rule.
NOTE: Absolute or relative file paths in Microsoft Windows (\) or UNIX (/) systems are indexed in the database,
but only UNIX paths are supported when searching.
Finding percentages of registered data at rest
When registered text is plagiarized, it is unlikely that a 100% match will be found to the original
document, so searching for a match to a percentage of the registered material is more likely to
expose intellectual property theft.
Use this task to match files containing a percentage of registered data in the Discover database.
NOTE: This function cannot be used to search; it can only be added as a rule to supplement other parameters that
have been defined.
1. Go to DLP Reporting | Advanced Search.
2. Open Discover.
3. Select Signature Percentage Match from the first menu.
4. Select greater than from the second menu.
NOTE: Because an exact percentage match is unlikely, you can only ask that the match be greater than the
percentage you specify.
5. Enter an integer in the value field.
6. Click Save.
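An added illustration, not McAfee's registration algorithm: a word-shingle fingerprint in Python shows why a rule of the form Signature Percentage Match greater than N catches partial reuse of registered text that a whole-document match would miss. The shingle width and the two sample texts are assumptions made here.

```python
import hashlib
import re

# Added example, not McAfee's registration algorithm: a word-shingle fingerprint
# of a registered document, and the percentage of those signatures found in a
# candidate file. The shingle width is an assumption made here.

SHINGLE_WORDS = 5


def _tokens(text):
    """Lower-case alphanumeric words, so punctuation and case do not hide a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def register(text, width=SHINGLE_WORDS):
    """Signature set of a document: a short hash of every run of `width` words."""
    words = _tokens(text)
    signatures = set()
    for i in range(max(len(words) - width + 1, 1)):
        shingle = " ".join(words[i:i + width])
        signatures.add(hashlib.sha256(shingle.encode()).hexdigest()[:16])
    return signatures


def percentage_match(registered, candidate_text, width=SHINGLE_WORDS):
    """Share (0-100) of the registered signatures present in the candidate."""
    if not registered:
        return 0.0
    found = registered & register(candidate_text, width)
    return 100.0 * len(found) / len(registered)


def matches_rule(registered, candidate_text, greater_than):
    """The rule form above: Signature Percentage Match greater than an integer."""
    return percentage_match(registered, candidate_text) > greater_than


# Constructed sample text standing in for a registered document (25 words,
# hence 21 five-word shingles)
REGISTERED_TEXT = (
    "The quarterly revenue forecast for the northern region is confidential and "
    "must not leave the finance team without written approval from the chief "
    "financial officer."
)

# Constructed candidate: copies the first 17 registered words (13 shingles) into
# an otherwise unrelated message
CANDIDATE_TEXT = (
    "Reminder from the team lead: the quarterly revenue forecast for the northern "
    "region is confidential and must not leave the finance team. Please route "
    "questions to me."
)

REGISTERED = register(REGISTERED_TEXT)


def sample_match():
    """Percentage for the sample pair: 13 of 21 signatures, about 61.9."""
    return percentage_match(REGISTERED, CANDIDATE_TEXT)


if __name__ == "__main__":
    print("%.1f%% of registered signatures found" % sample_match())      # 61.9%
    print("greater than 50:", matches_rule(REGISTERED, CANDIDATE_TEXT, 50))  # True
    print("greater than 75:", matches_rule(REGISTERED, CANDIDATE_TEXT, 75))  # False
```

A whole-document (100%) rule would miss the candidate entirely; the percentage rule reports it while leaving unrelated text at 0%.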
Finding share names in discovered data
Use this task to find share names in the Discover scanned data database.
NOTE: You need not know the server on which the share resides, but the targeted file system will have to be
configured as a share.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Share Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a share name into the value field.
5. Click Search or Save as Rule.
NOTE: On Microsoft Windows computers, the default share is C$.
Finding domain names in discovered data
Use this task to find domain names in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Domain Name from the first drop-down list, and contains any of from the second.
3. Type a domain name into the value field.
4. Select contains any of from the drop-down list.
5. Click Search or Save as Rule.
Example:
Find a domain name:
DLP Reporting | Advanced Search | Discover | Domain Name contains any of Mercury
Finding catalogs in discovered data
Use this task to match files containing a catalog in the Discover database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Catalog from the drop-down list, then click Search or Save as Rule.
Finding schemas in discovered data
Use this task to match files containing a catalog in the Discover database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Catalog from the drop-down list.
3. Click Search or Save as Rule.
Finding column names in discovered data
Use this task to find column names in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Column Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a column name into the value field.
5. Click Search or Save as Rule.
Finding table names in discovered data
Use this task to find table names in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select Table Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a table name into the value field.
5. Click Search or Save as Rule.
Finding records and rows in discovered data
Use this task to find records and rows in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then
open Discover.
2. Select the element for records or rows from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a record or row value into the value field.
5. Click Search or Save as Rule.
Storage scanning requirements
Accessing network storage
Before scanning data storage devices, you must understand what is required for DLP Discover
to access the file system.
Accessing Network Attached Storage (NAS)
Network Attached Storage presents a conventional file system to the network, and can be
accessed directly by DLP systems.
Accessing Storage Area Networks (SANs)
SANs store data as physical blocks of disk space rather than as a file system that DLP Discover can read
directly, but DLP Discover can connect through any server that owns a pool of data on that device.
Host vs. network discovery
How host and network scans differ
Network scans find content that has been registered, or has been discovered during a
registration scan. Host scans use either content or context.
● Using content categories. Categories can match specific text patterns, dictionaries, or registered documents
repositories to the files.
● Using file context. You can specify file types, file extensions, document properties, encryption type, and user
assignment in the discovery rule.
How host and network remediation differs
When sensitive content is found during a network scan, it can be remediated by pre-configuring
actions that will automatically copy, encrypt, move (quarantine), or delete it.
● For host discovery scans, a setting on the Policy tab allows you to delete files instead of quarantining them. In
ePolicy Orchestrator, go to Menu | Data Protection | DLP Monitor | Tools | Options.
You will need a release key to release files from quarantine. This is done by generating a challenge key and
sending it to the administrator, who issues an Agent Quarantine Release Key.
● For network scans, quarantined files can be remediated from the DLP Reporting | Incidents page. No release
key is required.
How host and network registration works
Registration works slightly differently in the host and network implementations.
Unique signatures that identify documents or data on the network are collected in the DocReg
and DBReg concepts. They are proprietary concepts that hold all signatures generated for
registered documents or structured data during registration.
In host document registration, a host registration scan deploys registered document packages to
the DLP Agents, and the index packages are distributed to all endpoint workstations. The DLP
Agent on the endpoint blocks distribution of documents containing registered content fragments
outside of the host system.
Deploying a host package to the agents
Use this task to deploy a registered document package to host computers when working in
ePolicy Orchestrator.
NOTE: The registered document package must be indexed in ePolicy Orchestrator.
1. In ePolicy Orchestrator, click System Tree.
2. In the System Tree, select the level at which to deploy the registered document package.
TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy Orchestrator. If you
select a level under My Organization, the right-hand pane displays the available workstations. You can also
deploy the registered document package to individual workstations.
3. Click the Client Tasks tab. Under Actions click New Task. The Client Task Builder wizard opens.
4. In the Name field, type a suitable name, for example, Deploy registered document package.
5. In the Type field, select Product Deployment. Click Next.
6. In the Products and Components field, select DLP Registered Documents 9.0.0.0. Leave the Action on
Install.
7. Click Next.
8. Select a suitable Schedule type and set the options, date, and schedule parameters. Click Next.
9. Review the task summary. When you are satisfied that it is correct, click Save.
Registering documents on host computers
There are two advantages of registering documents over traditional location-based tagging.
● Documents that existed before the location-based tag was defined are not detected by location-based tagging
rules — unless the user opens or copies the original file from its network location. Registered document
classification rules detect all files in the defined folders.
● If the same confidential content exists in several documents, you need to categorize it only once using a
registered document repository. When you use location-based tagging you have to identify every network
share where the confidential content is located, and tag each one.
Setting up a host discovery scan
Use this task to set up a host discovery scan. Changes in discovery setting parameters take
effect on the next scan. They are not applied to scans already in progress.
NOTE: To run a discovery scan on a host computer, you must activate the discovery module on the
Miscellaneous tab of the Agent Configuration dialog box.
1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data
Loss Prevention 9.0.0.0:Policies. From the Category drop-down list select Agent Configuration.
2. Create a new Agent Configuration, or edit an existing one.
3. Click the Discovery Setup tab. Set the performance parameters. To prevent excessive demand on the system,
you can pause the scan when the CPU or RAM usage exceeds a preset value. The default for each of these is
80%. You can also speed up scans by setting a maximum file size to scan.
4. Set the notification details. When the Quarantine action is selected in a discovery rule, discovery removes files
with sensitive content to the quarantine folder. If no notifications are set, users might wonder why their files
disappeared. The notification feature replaces files with stand-in files with the same name containing the
notification text. If the discovery rule is set to encrypt files, no notification is needed because the files remain in
place.
5. To get files out of quarantine, users must request a quarantine release key from the administrator. This works
in a similar manner to the agent override key. To unlock encrypted files, users must have the encryption key
specified in the discovery rule.
NOTE: If you select the Encrypt action and McAfee Endpoint Encryption is not installed, the files are
quarantined.
6. Select the folders to scan, and the folders to skip. Use Windows Explorer to browse to a folder, then cut and
paste the address into the Enter folder text box. Use the plus icon to add the folder to the scan list. You can
remove folders with the minus icon.
NOTE: If you don't specify any folders for either scan or skip, all folders on the computer are scanned. The only
folder that is skipped by default is C:\Windows. The following file types will always be skipped, no matter which
folder they are in:
● The specific files ntldr, boot.ini, and .cekey
● Executable files (*.com, *.exe, *.sys)
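The scan and skip rules in the note above, modelled as an added example that is not the DLP Agent's own code. It decides which files a host discovery scan would open, given optional scan and skip folders and a maximum file size; the sample inventory is constructed. That the C:\Windows default skip also applies when scan folders are listed, and that a skip folder wins over a scan folder that contains it, are assumptions of the example.

```python
"""Host discovery scan file selection, as an added example.

Models the scan/skip rules the guide describes for the DLP Agent; it is
not the agent's own code. Assumptions: the C:\\Windows default skip also
applies when scan folders are listed, and a skip folder wins over a scan
folder that contains it.
"""
import ntpath

ALWAYS_SKIP_NAMES = {"ntldr", "boot.ini", ".cekey"}
ALWAYS_SKIP_EXTS = {".com", ".exe", ".sys"}
DEFAULT_SKIP_FOLDERS = (r"C:\Windows",)


def _under(path: str, folder: str) -> bool:
    """True if path is folder or lies beneath it (case-insensitive Windows paths)."""
    p = ntpath.normcase(ntpath.normpath(path))
    f = ntpath.normcase(ntpath.normpath(folder)).rstrip("\\")
    return p == f or p.startswith(f + "\\")


def should_scan(path, size_bytes, scan_folders=(), skip_folders=(), max_file_size=None):
    """Decide whether a discovery scan opens this file."""
    name = ntpath.basename(path).lower()
    ext = ntpath.splitext(name)[1]
    if name in ALWAYS_SKIP_NAMES or ext in ALWAYS_SKIP_EXTS:
        return False                      # always skipped, whatever the folder
    if any(_under(path, f) for f in (*skip_folders, *DEFAULT_SKIP_FOLDERS)):
        return False                      # explicit or default skip folder
    if scan_folders and not any(_under(path, f) for f in scan_folders):
        return False                      # scan list given and path is outside it
    if max_file_size is not None and size_bytes > max_file_size:
        return False                      # over the configured size limit
    return True


def plan_scan(inventory, **options):
    """Return the paths from (path, size) pairs that the scan would open."""
    return [path for path, size in inventory if should_scan(path, size, **options)]


# Constructed inventory; sizes in bytes.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Documents\merger-plan.docx", 48_000),
    (r"C:\Users\alice\Desktop\customers.xlsx", 3_200_000),
    (r"C:\Users\alice\.cekey", 128),
    (r"C:\Windows\System32\config\SAM", 65_536),
    (r"C:\ntldr", 250_000),
    (r"C:\boot.ini", 300),
    (r"C:\Tools\nc.EXE", 60_000),
    (r"D:\Shares\backup\mailstore.pst", 5 * 1024 ** 3),
]

if __name__ == "__main__":
    print("default run:", plan_scan(SAMPLE_INVENTORY))
    print("with 100 MB cap:", plan_scan(SAMPLE_INVENTORY, max_file_size=100 * 1024 ** 2))
    print("C:\\Users only, Desktop skipped:",
          plan_scan(SAMPLE_INVENTORY, scan_folders=[r"C:\Users"],
                    skip_folders=[r"C:\Users\alice\Desktop"]))
```

Note the size cap trade-off the guide mentions: the 5 GB mail store is the file most likely to hold sensitive content, and a maximum file size chosen to speed up scans is exactly what excludes it, so review what the cap drops before relying on a "clean" scan result.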
Configuring a policy for host discovery
Use this task to set the discovery policy.
1. Go to Menu | Data Loss Prevention | DLP Policies.
2. On the Policies page, from the Actions menu, select Add Policy.
3. Type a name for the policy. Under Devices select Host. From the State drop-down list select Active. From the
Actions menu, select Add Rule.
4. Type a name for the rule. For Inherit Policy State select Enabled. On the Define tab, define at least one rule
element. The element should be one of Keywords or Concept (under Content) or Location Tag Path (under
Endpoint).
5. On the Actions tab, click to add an action rule, and select the discovery action rule created previously from the
list.
6. Click Save to save the rule, then click Save to save the policy. See Configuring discovery scans to configure
the scan operation.
How host scans are scheduled
Host discovery scans are set up and scheduled on standalone systems on the Agent
Configuration page in the Policy Catalog.
You can run a host scan at a specific time daily, or on specified days of the week or month. You
can specify start and stop dates, or run a scan when the DLP Agent configuration is enforced.
You can suspend the scan when the computer's CPU or RAM exceeds a specified limit.
If you change the discovery policy while a host scan is running, rules and schedule parameters
will change immediately. Changes to which parameters are enabled or disabled will take effect
with the next scan. If the computer is restarted while a scan is running, the scan continues where
it left off.
For network discovery, scheduling is set on the Scan Operations page. If you make changes to network scans,
you must stop the scan, make the changes, save, and re-scan.
Scheduling a host discovery scan
Use this task to schedule a host discovery scan.
NOTE: To run a discovery scan on a host computer, you must activate the discovery module on the
Miscellaneous tab of the Agent Configuration dialog box.
1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data
Loss Prevention 9.0.0.0:Policies.
2. Create a new Agent Configuration, or edit an existing one.
3. Click the Discovery Schedule tab. Set the time of day for the scan to start using the thumbwheel.
4. Set the scanning frequency using the option buttons and checkboxes.
5. If you want to run a discovery scan immediately, select Run now.
6. If you want to prevent runs being missed due to the user being logged off, select Resume discovery missed
runs after login.
7. Set the start and end dates for discovery scans. Click Save.
Scheduling a host registration scan
Use this task to schedule indexing of host registered document repositories in ePolicy
Orchestrator.
Create a registered documents repository definition, then create and enable a registered
documents classification rule and a protection rule using the content category specified in the
classification rule. Apply the policy to ePolicy Orchestrator.
1. In ePolicy Orchestrator, go to Menu | Server Tasks.
2. Click New Task.
3. In the Server Task Builder, name the new task and click Next.
4. On the Actions page, select DLP Register Documents Scanner from the pull-down menu. Click Next to
schedule the scan, review your task, and click Save. The task now appears in the Server Tasks list. Select it
and click Run to run the scan immediately.
Using policies and rules
How policies and rules are used
On DLP systems, rules are used to match network and endpoint data to produce incidents.
Related rules are collected in policies that target specific issues.
Many standard policies are installed on DLP Monitor, and users can choose which ones to
activate and publish to other DLP devices. By default, policies and their rules act as a single unit,
but if inheritance is disabled, rules can be run individually.
After one or more DLP Monitors have captured and processed data for some time, incidents that
are found by the rules under standard policies are reported to the Incidents dashboard.
On endpoint systems, all deployed rules are collected in a single global DLP policy. That policy
is implicit, and is not visible on the DLP dashboards as a separate entity.
Using policies
How policies work
Policies are containers for groups of related rules. When the rules of a policy produce an
incident, the navigation pane displays the name of the policy used. However, the Group by
menu can be configured to display other attributes as well.
TIP: Select Group by Rule to find out exactly why the incident was reported.
Standard policies are installed on DLP Monitor, Discover or Prevent appliances before
shipment. Your geographic location, industry sector, and business type determine which ones
are activated during installation, but activation can also be done from the Policies page.
Customized policies can be created at any time to address issues specific to your business
operations.
All standard and customized policies are listed under the Policies tab.
Policy field definitions
Use the following field definitions when adding or editing policies.
Policy Name
Type in a descriptive name. Use of certain non-alphanumeric characters may generate an error
message.
Policy Description
Type in a description (optional).
Owner
Select a group whose members can access the policy. If you are logged in as a member of one
of the default groups, only that group is displayed, and other options are not available.
State
Policies must be published to a device to be used, so new policies are inactive by default. If you
plan to use the new policy, check one or more boxes under Devices.
Those appliances will then match the policy's rules to network traffic or repositories, and report
results to the Data-at-Rest or Data-in-Motion dashboards.
Region
In this release, groups of international policies can be used to add rules relevant to specific
geographic regions.
For example, to define a new policy for Ukraine, select Europe and Middle East from this menu
to add the new Ukrainian policy to that regional group. If the EMEA group is not on the menu,
select it from the Regional Policy menu on the Policies page and click Add.
Suppress incidents
Check either Data-at-Rest or Data-in-Motion if your purpose is to find incidents only in static
network repositories or moving network traffic. Eliminating reporting of irrelevant hits will exclude
results that are not useful and improve performance.
NOTE: Data-in-Use events will display only if DLP Host is installed, and cannot be suppressed if they are
found.
Devices
Devices that are attached to DLP Manager are listed so that you can publish the new policy to
one or more of the available DLP appliances.
If you are not going to publish the policy right away, check None. If you check the Host box, you
must already have it installed on DLP Manager.
Using international policies
International policies containing rules supporting regional documents have been added to this
release. Regional users can not only conduct searches and view incidents in local languages,
but also use rules constructed to provide privacy protection for local identification numbers (drivers'
licenses, international bank account numbers, etc.).
Asia Pacific
● Australia
● China
● Hong Kong
● India
● Korea
● Singapore
● Taiwan
Europe and Middle East
● Austria
● France
● Germany
● Israel
● Netherlands
● Poland
● Russia
● Spain
● Turkey
● United Kingdom
Latin America
● Brazil
● Mexico
Use this task to add and activate local policies and rules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click Add, then confirm or cancel the operation.
3. Select the checkboxes of the appropriate local policies.
4. From the Actions menu, select Activate.
Adding policies
Use this task to add customized policies that address a specific need in your organization.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select Add Policy from the Actions menu.
3. Type in a name and an optional description.
4. Select an Owner.
NOTE: Standard policies are owned by the admin user. If another policy owner is needed but not listed, add the
user to an existing group, or create a new one before adding the policy.
5. If you are going to use the policy immediately, set State to Active. An inactive policy cannot produce incidents.
6. If you want to limit the rule to acting on static or moving data, check Data-at-Rest or Data-in-Motion.
7. Select one or more device checkboxes to publish the policy to specific appliances.
TIP: Select None if you want to publish the policy at a later time.
8. Click Save.
9. Go to System | User Administration to assign access rights to the policy.
10. Select Groups, then click the Details icon of a group that will use the policy.
11. Click Policy Permissions.
12. Select the checkboxes of the permissions needed by the group.
13. Click Apply.
14. Click the Policy tab and open the new policy.
15. Add rules to the policy.
Activating policies
Use this task to activate a policy that was not initially activated during installation of
DLP appliances. A policy that is inactive cannot find and report incidents to the dashboard.
NOTE: Policies have the default state Inactive. To use a policy, you can activate it while editing — or, to
activate multiple policies, select the policy checkboxes and select Activate from the Actions menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Activate from the Actions menu.
4. Verify the change in the State column.
TIP: Rules inherit activation from their policies, but inheritance can be disabled to allow them to run
independently.
Deactivating policies
Use this task to deactivate a policy so that it will not produce any incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Deactivate from the Actions menu.
4. View the State column of the policy to verify the change.
NOTE: The rules of a policy may be active or inactive, depending on inheritance.
How activation works
Policies must be activated and published to at least one DLP appliance before the system can
report incidents and events. They are inactive by default to allow users to focus only on the rule
sets that meet their needs.
For example, United Kingdom users may add the EMEA regional policy package, but activate
only the UK policy. Similarly, North American users may want to use only the U.S. government
regulatory policies, like HIPAA, SOX and ITAR.
There are three ways to activate a policy.
● During installation, check the boxes of the policies to be activated.
● On the Policies page, check the boxes of the policies to be activated, then select Activate from the Actions
menu.
● Open a policy and select Active from the State menu.
NOTE: State is inherited by the rules of a policy, but can be disabled to allow rules to run independently.
How inheritance works
The Inherit Policy State establishes the relationship of a rule to its policy. If a rule inherits Active
state from its policy, it runs only when the policy runs, and cannot be run independently.
NOTE: Inheritance is enabled by default for the rules of standard policies because it allows a policy to work
efficiently as a unit. For user-defined rules it is disabled by default, which allows the flexibility needed for
non-standard applications.
Changing ownership of policies
Use this task to change ownership of a policy.
NOTE: Ownership is granted to users through the Manage Policy and Rules group permission.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Modify Owner from the Actions menu.
4. Select a group from the sub-menu.
Publishing policies
Use this task to publish policies to one or more appliances. A published policy is one that is
deployed on one or more DLP devices.
NOTE: Policies can be published by checking Device boxes during creation or modification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select one or more policy checkboxes.
3. Select Modify Devices from the Actions menu.
4. Check the boxes of one or more appliances.
NOTE: If the All Devices deployment target is selected, all rules of all policies that have been activated on
DLP Manager will run on all its managed devices. If the appliance to which you need to publish is not listed
under Devices, you must first add that device to the system.
5. Click Apply.
6. Select one or more devices from the submenu.
TIP: Select None if you want to publish the policy at a later time.
7. Check the Deployed On column to verify redeployment.
Cloning policies
Use this task to create a new policy that resembles an existing one.
NOTE: Rules are not copied with the policy, but all policy attributes are replicated.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy you want to use as a template.
3. Type in a new name.
4. Type in a new description (optional).
5. Edit other parameters as needed.
6. Click Save As.
7. Verify that the new policy is listed under Policies.
8. Add rules to the policy.
Renaming policies
Use this task to rename a policy.
NOTE: If you rename a policy, you will lose incidents already found by its rules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Type in a new name and description (optional). When you start typing, a Save As button will pop up.
4. Click Save.
NOTE: No confirmation is required. The new policy is immediately added to the policy list.
Executing policies
Use this task to assign policy permissions to users.
NOTE: Users tasked with viewing incidents and events must have Execute Policy permission, because policies
have been used to find them.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sysconfig | System | User Administration.
2. Click on the Details icon of the user's group.
3. Click on the Policy Permissions tab.
4. Open Policies.
5. Select one or more Execute checkboxes corresponding to the policies to be used to find incidents.
6. Click Apply.
Editing policies
Use this task to modify the parameters of a policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy.
3. Modify one or more parameters.
4. Click Save.
Deleting policies
Use this task to delete policies.
NOTE: You can delete a policy only if you own it.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select one or more policy checkboxes.
3. Select Delete from the Actions menu.
TIP: To delete policies one by one, click the trash can icons.
Using rules
How rules work
Rules define patterns that are matched against network or endpoint data to identify violations of
policy. When a rule hits on a data match, an incident or event is saved in a database and
reported to the dashboard.
NOTE: Only active rules report results, and the system cannot manage more than a total of 512 active rules. To
activate a 513th rule, you must deactivate an active rule.
TIP: User permissions, including the ability to create or use rules, depend on group membership. Group
permissions are displayed under DLP Sysconfig | User Administration | <Details> | Groups | Task
Permissions | Policy Permissions.
Adding rules
Use this task to add a rule to a policy by searching captured data and saving the search as a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Enter a query and examine the results.
3. If the results are useful, and you want to run the query on a regular basis, click Save as Rule. The Edit Rule
page launches.
4. Type in a rule name.
5. Assign the rule to a policy by selecting an appropriate one from the Policy menu.
6. Select a Severity to classify the rule.
7. Set the Inherit Policy State to Enabled to bind the rule to the policy.
8. Make any changes or additions to the rule's parameters.
9. Click Save as Rule.
TIP: If you want to tune the rule, set Inherit Policy State to Disabled and run it apart from the policy until it is perfected.
Viewing rule parameters
Use this task to review the parameters of a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Click on a rule.
4. Open the categories under the Define, Actions and Exceptions tabs.
5. View any of the defined parameters.
Reconfiguring rules for web traffic
Use this task to reconfigure rules to monitor web traffic.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on a rule you want to adapt for web traffic.
3. Type a new name and click Save As to create a copy of the rule.
4. Click on the new rule.
5. Open Protocol.
6. Select Protocol from the Element menu.
7. Select is any of from the Condition menu.
8. Click "?".
9. If any boxes are checked on the popup menu, uncheck them.
10. Select all HTTP checkboxes.
11. Click Apply.
12. Click Save.
Copying a rule to a policy
Use this task to save the same rule under two different policies.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on the rule to be copied.
3. In the Rule Name field, type in a new name. To keep the copy looking like an exact duplicate, you can add a
single character or a space to distinguish it from the original.
4. Select a different policy from the Policy menu.
5. Click Save As.
6. Go to Policies.
7. Click on the policy you selected from the Policy menu.
8. Verify that the copied rule has been added to the rule list.
Detaching rules from policies
Use this task to detach a rule so that it can be run independent of its policy.
NOTE: This process is used primarily for tuning rules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on an Active policy.
3. Click on a rule.
4. Disable the Inherit Policy State.
5. Click Save.
Editing rules
Use this task to modify the parameters of a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Click on a rule.
4. Modify one or more parameters.
5. Click Save.
NOTE: Inactive rules that belong to standard policies are automatically activated when they are saved.
Deleting rules
Use this task to delete one or more rules from a policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Select one or more rule checkboxes.
4. Select Delete from the Actions menu.
TIP: To delete rules one by one, click the trash can icons.
Defining exceptions to rules
What are false positives?
When the parameters of a rule literally match network data but produce no useful information,
the resulting incident is referred to as a false positive.
Creating an exception keeps the rule that tagged false data from reporting it again. The
classification engine responds by ignoring incidents that include certain attributes.
How exceptions to rules are defined
An incident may technically match a rule, but it might not contain any useful information, which
makes it a false positive. False positives get in the way of significant results, preventing accurate
reporting of the problems detected in network traffic.
In such a case, you can redefine the rule that produced the incident by adding an exception.
When the rule runs again, the classification engine will ignore any incidents that contain the
misleading attributes.
There are several ways to assure that only legitimate violations are reported to the dashboards.
● Add new rules that contain exceptions
● Add exceptions to existing rules
● Use existing incidents to build more accurate rules
● Define an incident that has already been detected as a false positive
TIP: To prevent false positive matches, tune rules after they are created using historical data.
Defining false positive incidents
Use this task to define false positive incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.
2. Find one or more incidents that contain useless or insignificant information.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the incidents you want to mark as false positives.
TIP: Select the box in the table header to select all incidents on the current page, or Select All Results from the
Actions menu to select every incident that shares the false positive parameter, so that none of them is reported again.
5. From the Actions menu, select Modify Status | False Positive | Set Status.
6. Click the Columns icon.
7. Select Status from the Available list.
8. Add it to the selected columns.
TIP: Before clicking Apply, select Status and click the Move Up or Top buttons to move the false positive status
to the left.
9. Click Apply.
10. Scroll the list of incidents to view those that are false positives.
TIP: Click the Status column header to display all false positives at the top of the list.
Adding exceptions to existing rules
Use this task to add an exception to an existing rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies
2. Click on a policy, then the rule to be modified.
3. Click on the Exceptions tab, and open the Exception 1 element.
4. Type text describing the exception into the Notes box.
5. Open the element categories and, using the existing categories, define each parameter that should be
ignored when the rule is run.
NOTE: Eight exceptions are supported for each rule, so you can define precisely the conditions that are NOT to
be matched. The capture engine will DROP any incident matching the exceptions.
6. Click Save.
NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only
when tuning rules, which requires historical data.
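The way policy state, Inherit Policy State, rule conditions and exceptions combine (How activation works, How inheritance works, and the exception tasks above), as an added example that is not DLP Monitor's classification engine. The element names (Protocol, Destination, Content), the sample policies and the events are constructed; the 512 active-rule and eight-exception limits are the ones the guide states.

```python
"""Policy and rule evaluation with inheritance and exceptions, as an added example.

Models the semantics the guide describes: a rule runs when its policy is
active and Inherit Policy State is enabled, or when inheritance is disabled
and the rule itself is active; "is any of" and "contains any of" conditions;
up to eight exceptions per rule, any of which drops the incident; and the
512 active-rule limit. It is not DLP Monitor's classification engine, and
the element names, policies and events are constructed.
"""
from dataclasses import dataclass, field

MAX_ACTIVE_RULES = 512
MAX_EXCEPTIONS_PER_RULE = 8


def _holds(condition, event):
    """One (element, operator, values) condition against an event."""
    element, operator, values = condition
    actual = str(event.get(element, ""))
    if operator == "is any of":
        return actual in values
    if operator == "contains any of":
        return any(v.lower() in actual.lower() for v in values)
    raise ValueError(f"unknown operator {operator!r}")


def _all_hold(conditions, event):
    """A rule definition or an exception: every condition must hold."""
    return all(_holds(c, event) for c in conditions)


@dataclass
class Rule:
    name: str
    define: list                                    # conditions on the Define tab
    exceptions: list = field(default_factory=list)  # each: a list of conditions
    severity: str = "Medium"
    inherit_policy_state: bool = True
    active: bool = False                            # used only when not inheriting


@dataclass
class Policy:
    name: str
    active: bool
    rules: list = field(default_factory=list)


def effective_active(policy, rule):
    return policy.active if rule.inherit_policy_state else rule.active


def active_rules(policies):
    pairs = [(p, r) for p in policies for r in p.rules if effective_active(p, r)]
    if len(pairs) > MAX_ACTIVE_RULES:
        raise ValueError(f"{len(pairs)} active rules; limit is {MAX_ACTIVE_RULES}")
    return pairs


def evaluate(policies, event):
    """Incidents (policy, rule, severity) an event raises after exceptions."""
    incidents = []
    for policy, rule in active_rules(policies):
        if len(rule.exceptions) > MAX_EXCEPTIONS_PER_RULE:
            raise ValueError(f"rule {rule.name!r} has more than {MAX_EXCEPTIONS_PER_RULE} exceptions")
        if not _all_hold(rule.define, event):
            continue
        if any(_all_hold(ex, event) for ex in rule.exceptions):
            continue                                # exception matched: incident dropped
        incidents.append((policy.name, rule.name, rule.severity))
    return incidents


# Constructed policies. The PCI rule inherits its (active) policy state; the
# tuning rule runs independently of its inactive policy.
POLICIES = [
    Policy("PCI-DSS", active=True, rules=[
        Rule("Card data over web", severity="High",
             define=[("Protocol", "is any of", {"HTTP", "HTTPS"}),
                     ("Content", "contains any of", {"card number", "PAN"})],
             exceptions=[[("Destination", "contains any of", {"payments.example.internal"})]]),
    ]),
    Policy("Tuning", active=False, rules=[
        Rule("Draft SSN rule", define=[("Content", "contains any of", {"SSN"})],
             inherit_policy_state=False, active=True),
    ]),
]

# Constructed events.
EVENTS = {
    "external_post": {"Protocol": "HTTP", "Destination": "upload.example.com",
                      "Content": "Attached: card number list for Q3"},
    "internal_post": {"Protocol": "HTTP", "Destination": "payments.example.internal",
                      "Content": "Attached: card number list for Q3"},
    "ssn_mail": {"Protocol": "SMTP", "Destination": "hr@example.com",
                 "Content": "employee SSN export"},
}

if __name__ == "__main__":
    for label, event in EVENTS.items():
        print(label, "->", evaluate(POLICIES, event))
```

The exception on the PCI rule is a "contains any of" on Destination, which is what the Correcting inaccurate rules task produces from a false positive; it drops the internal post entirely rather than lowering its severity, so an exception that is too broad silently hides real incidents.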
Adding new rules that contain exceptions
Use this task to define a new rule with an exception.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy.
3. Type in a name for the policy. Typing a description is optional.
4. From the State menu, select Active.
NOTE: If you are not going to use the rule right away, you can leave it in an Inactive state.
5. From the Region menu, select the region in which the policy will be used.
6. Select the devices to which the policy will be deployed.
7. Click Save.
8. Click on the policy, and select Add Rule from the Actions menu.
9. Click on the policy that contains the rule.
10. Type in a name for the rule. Typing a description is optional.
11. From the Severity menu, select a severity.
12. If the rule is to be run whenever its policy is run, select the Enable radio button in Inherit Policy State.
13. On the Define tab, define the parameters of the rule.
14. Click on the Actions tab, and add actions to be performed when the rule is active.
15. Click on the Exceptions tab, and open the Exception 1 element.
16. Type text describing the exception into the Notes box.
17. Open the element categories and define parameters that must NOT be flagged when the rule is run.
NOTE: Eight exceptions are supported for each rule, so you can define precisely the conditions that are to be
ignored. The capture engine will drop any incident matching the exceptions.
18. Click Save.
NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only
when tuning rules, which requires historical data.
Correcting inaccurate rules
Use this task to adjust rules that produced false positive results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.
2. Find an incident that contains useless or insignificant information.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the rules you want to define as exceptions, or Select All Results from the Actions menu.
TIP: Check the box in the table header to select all incidents on the current page.
5. From the Actions menu, select Modify Status | False Positive | Create Exception.
6. When the Edit Rule page launches, define the exception by adding or deleting parameters.
NOTE: When an exception is created from the Actions menu, the Edit Rule page is populated with the current
values of the rule under the Exceptions tab. This makes it easy to edit those elements to prevent a similar
incident from being reported again.
7. Type some text describing the exception in the Notes box.
8. Click Save.
Tuning rules
Use this task to tune rules, and save the search when all extraneous search terms have been
eliminated. Tuning is done by running multiple searches on historical data and gradually
tightening conditions and parameters with each modification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select Rule from the Group by menu.
3. Click on a rule that produces some useful results.
4. Make a note of incidents that include irrelevant information.
5. Go to Policies.
6. Click on the policy of the rule that produced the hits.
7. Click on the rule that produced the hits.
8. In Inherit Policy State, click Disabled.
NOTE: Disabling inheritance allows the rule to run independently of the other rules in the policy, allowing for
multiple revisions.
9. On the Define tab of the rule, remove any parameters that are producing false positives.
TIP: Using the conditions "is none of" or "contains none of" will help to eliminate extraneous information.
10. Click on Test Rule to start searching the historical data for a match.
11. Go to Incidents and inspect the results.
12. Repeat the process until all incidents contain useful information.
13. Reset Inherit Policy State to Enabled.
14. Click Save as Rule.
Using action rules
How action rules are used
When a rule produces an incident in network data or a scanned repository, use of an action rule
can prevent damage, trigger a remedial action, or react to an action that has been taken at a
network endpoint.
● A Data-in-Motion action rule applies preventive actions to incidents found by Monitor in network data.
● A Data-at-Rest action rule applies corrective actions to incidents found by Discover after scanning a
repository.
● A Data-in-Use action rule is applied when a specific event takes place on an endpoint.
How action rules are deployed
Action rules can be applied to Data-in-Motion, Data-at-Rest or Data-in-Use.
● An action rule can be applied to data in motion if DLP Prevent is configured with an MTA or proxy server and
registered to DLP Manager.
● An action rule can be applied to data at rest if DLP Discover crawls a repository and finds files that should be
remediated.
● An action rule must be applied to data in use if any rule acts on an endpoint event.
NOTE: If Monitor and Discover devices are both managed by DLP Manager, every rule can be configured to
deploy one action of each of the three incident types.
Reacting to violations
When DLP Prevent is deployed with an MTA or proxy server, problems found in email and
webmail can be identified and resolved immediately by associating an action with a rule.
For example, DLP Prevent might use action rules to:
● block confidential data breaches
● encrypt authorized transmissions
● quarantine suspicious traffic
● bounce email that violates policies
● notify supervisory personnel
● record incidents in a system log
● allow email that is determined to be legitimate.
TIP: Use DLP Prevent to capture network traffic for later forensic analysis, or block the transmission of sensitive
data sent using specific protocols (for example, HTTP, SMTP, HTTP POST, etc.).
Comparing Action to Protection rules
In this release, all DLP products use Action rules to define the disposition of a detected incident
or event, but some actions were originally defined as reactions attached to Host DLP protection
rules.
● In this release, a single Action rule can be attached to many different rules. Each of the rules to which the
action has been added can deploy that action once to network data in motion, data in repositories, or data in
use at endpoints.
Several actions can be combined in a single Action rule. For example, when a rule hits, the file found may be
blocked or quarantined, its sender may be notified, and it may be assigned to a group for investigation.
● In the Host DLP 9.0 standalone product, reactions are pre-configured when a Protection rule is defined. They
may be applied to different endpoints under a variety of circumstances.
Reactions can vary, depending on what action is to be taken and whether the endpoint is on- or offline (in contact
with a domain controller) when the violation occurs.
Assigning status to an incident
Use this task to identify the state of an incident in the resolution process.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Open the Incident Status category.
4. From the drop-down list, select a state.
5. Click Save.
Applying an action rule
Use this task to add an action to a rule before it runs. Actions can be added to rules monitoring
data in motion, scanning data at rest, or identifying significant events on endpoints.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on a rule.
3. Click on Actions tab, then click Add Action.
4. Select an action.
5. Click Save.
The list displayed will include the standard action rules, plus any custom ones you have created.
Assigning responsibility for an action
Use this task to assign an action rule to one or more reviewers who will assume responsibility for
the result.
NOTE: Only one reviewer can be assigned to an action rule, but a user group can be considered a single
reviewer.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Open the Incident Reviewer category.
4. From the drop-down list, select a reviewer.
5. Click Save.
Using action rules to log incidents
Use this task to set up an action rule to log system events.
NOTE: You must have a syslog server configured on your network to receive system log entries.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. From the Syslog Notification menu, select Enable.
4. Click Save.
Using action rules to notify users
Use this task to set up notifications that inform users of problems found.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule, or add a new one from the Actions menu.
3. Open Email Notification.
4. Enter a valid email address in the From field.
NOTE: If an existing action rule is edited, the From field must be completed, even if it was not there when the
rule was created.
NOTE: If an email address containing a special character (e.g. “&, *, %”) is added to the Email Notification
component of an action rule, notification will not be sent. However, additional valid email addresses added to
the same rule will provide notification to other users.
5. Enter one or more addresses in the "To" and "cc:" fields.
6. Check a box to send a copy to the Manager, Reviewer, Sender or Recipients (optional).
The options available depend upon which DLP appliance you are using. Managers can be identified only if an
Active Directory server has been added, but other categories are user-defined. Reviewer is the only option
available on Discover.
7. Type in a Subject and Message (optional).
8. Click Save.
NOTE: The Subject and Message fields accept dynamic variables, enabling you to set up automatic responses
to routine situations.
TIP: You can use Dynamic Variables to alert users to details of the violation automatically. For example,
##Filename found by the ##Rule violated the ##Policy.
Reconfiguring action rules for proxy servers
Use this task to reconfigure action rules for use on proxy servers. This is necessary because
BOUNCE, ENCRYPT, NOTIFY, QUARANTINE or REDIRECT actions cannot be used on proxy
servers, which support only ALLOW or BLOCK.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on the action rule you want to reconfigure.
3. Type a new name and click Save As to create a copy of the action rule.
4. Click on the new action rule.
5. Open the Prevent actions menu.
6. Select Allow or Block, then click Save.
Setting up an action
Use this task to set up an action that will be taken whenever a rule identifies an incident or event.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Data-in-Motion or Data-at-Rest Actions menu, select Add Action Rule. You can configure one rule
for each vector.
NOTE: See Setting up an Endpoint action rule to add an action rule to the Data-in-Use vector.
3. Type a name for the action rule. Typing a description is optional.
4. Enabling email and syslog notification is optional.
5. From the Incident Reviewer and Incident Status menus, select from the drop-down lists.
6. Depending on the Actions menu selected, select a Prevent or Remediation action and supply the required
parameters.
7. Click Save.
Editing action rules
Use this task to modify the parameters of any action rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on the action rule to be edited.
3. Modify one or more parameters.
4. Click Save.
Cloning action rules
Use this task to clone any action rule so you can apply the same action to another rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Type in a new name. Typing in different parameters is optional.
4. Click Save As.
Removing an action from a rule
Use this task to remove an action that has been applied to a rule.
NOTE: This task removes only actions that have been applied to rules. Action rules that have been applied to
rules are in use, so they cannot be removed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on a rule.
3. Click on the Actions tab.
4. Find the action to be removed from the rule.
5. Click on "X".
6. Click Save.
Deleting action rules
You can delete action rules one by one, or as a group.
NOTE: Action rules that have been applied to rules are in use, so they cannot be removed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Check the box of one or more action rules.
3. Select Delete from the Actions menu.
TIP: To delete templates one by one, click the trash can icons.
4. Click Confirm or Cancel.
Using concepts and templates
How concepts and templates are used
Content concepts, the most common type, find collections of significant data related to a single
issue in application data (Flow A). If you are an advanced user, you can construct network or
session concepts to identify data in the transport and session layers.
Templates contain collections of elements that save time when searching, creating rules, or
building capture filters. They eliminate the need to enter the same values repetitively.
NOTE: Network DLP policies contain collections of related rules, while Host DLP rules are all part of a single
global policy.
Using concepts
How concepts are used
Content concepts, the most common type, find collections of significant data related to a single
issue in application data.
Most of the concepts that are shipped with your DLP appliances are listed under the User-Defined
tab. Only a few Factory Default concepts are constructed with proprietary algorithms.
TIP: Use a content concept with one or more templates to look for patterns in specific data types.
For example, a content concept can be used to collect credit card numbering patterns that can
be matched to network data. You might use one of the factory default concepts (AMEX, CCN,
DISCOVER, MASTERCARD) to find them quickly, or you can add one that focuses only on
patterns used by retail cards.
If you are an advanced user, you can construct network or session concepts to identify data in
the Transport and Session layers.
Types of concepts
There are three types of concepts.
● Content concepts contain text patterns and regular expressions to match patterns to data on the Application
layer (Layer 7).
● Network concepts monitor activity on the Transport layer (Layer 4). They can be used to find spiders, robots,
crawlers, types of webmail, browser versions, and operating systems in use.
● Session concepts focus on exchanges of data between applications on the Session layer (Layer 5). They can
be used to recognize content found in multiple objects contained in a single flow.
Adding content concepts
Use a content concept to regularly search application-level traffic for specific patterns defined by
regular expressions.
TIP: Open and examine an existing concept to understand its construction.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select Add Concept from the Actions menu.
NOTE: DLP Manager can manage up to 512 concepts.
3. Type in a name (uppercase only).
4. Type in a description (optional).
5. If you want to discourage false positives, select an algorithm that is associated with the regular expression you
will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and
results that do not match exactly will be discarded.
Example:
If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm
will ignore the pattern and replace it with the correct sequence.
6. Select a category for the expression (optional).
TIP: Later you might want to use a package of related concepts in a query to expedite the search process.
7. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.
8. Click Import Expressions to load in the expressions from the file you selected.
TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to
your desktop. You can debug them in a text editor, then re-import them.
9. If you don't have a document to upload, use text and regular expressions to build one or more expressions,
starting with Expression 0.
TIP: Add additional expressions by clicking the green plus icon.
10. Click Validate, then enter the expression and a sample of a string it should match.
11. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
12. Set conditions for the concept, if needed.
13. Click Save.
NOTE: When creating concepts that have multiple words, you must escape spaces between words with a
backslash (for example, hello\_world).
Other metacharacters and escaped ASCII characters (for example, the escapes for space, tab,
form feed and zero-width space) can also be used to define concept expressions.
TIP: Add a template using your custom concept. This will save you keystrokes when searching, creating rules,
and building capture filters.
Adding network concepts
Use a network concept to find spiders, robots, crawlers, types of webmail, browser versions, and
operating systems.
1. Open a browser and post to the problem website.
2. Use a packet analyzer like Wireshark on your system to locate the type of traffic you are looking for. For
example, you might focus on a GET instruction.
3. Right-click on the instruction in the TCP stream and copy the string.
4. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
5. Select Add Concept from the Actions menu.
6. Open Advanced at the bottom of the page and select the Network Type radio button.
7. Type in a name (uppercase only) and description (optional).
8. If you want to discourage false positives, select an algorithm that is associated with the regular expression you
will define or upload. When the concept hits, the system will run checksums to verify accuracy, and results that
do not match exactly will be discarded.
Example:
If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm
will ignore the pattern and replace it with the correct sequence.
9. Select a category for the expression (optional).
TIP: Later you may want to use a package of related concepts in a query to expedite the search process.
10. Paste the string from the TCP stream into an Expression field.
NOTE: Escape all metacharacters with a backslash to ensure literal interpretation. For example,
www\.deadspin\.com.
11. Click Validate, then enter the expression and a sample of a string it should match.
12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
13. Set conditions for the concept, if needed.
14. Click Save.
Adding session concepts
Use a session concept to inspect all communications between two parties when a pattern is
matched. Because the session layer is monitored, you will be able to find multiple objects
contained in a single flow (for example, an email attachment as well as the mail body).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select Add Concept from the Actions menu.
3. Open Advanced at the bottom of the page and select the Session Type radio button.
4. Type in a name (uppercase only).
5. Type in a description (optional).
6. If you want to discourage false positives, select an algorithm that is associated with the regular expression you
will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and
results that do not match exactly will be discarded.
Example:
If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm
will ignore the pattern and replace it with the correct sequence.
7. Select a category for the expression (optional).
TIP: Later you may want to use a package of related concepts in a query to expedite the search process.
8. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.
9. Click Import Expressions to load in the expressions from the file you selected.
TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to
your desktop. You can debug them in a text editor, then re-import them.
10. If you don't have a document to upload, use text and regular expressions to build one or more expressions,
starting with Expression 0, on the fly.
TIP: Add additional expressions by clicking the green plus sign.
11. Click Validate, then enter the expression and a sample of a string it should match.
12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
13. Set conditions for the concept, if needed.
14. Click Save.
NOTE: When creating concepts that have multiple words, you must escape spaces between words with a
backslash (e.g., \_).
Setting concept conditions
Use this task to narrow the focus of any content, network or session concept. Matches are
reported only if certain conditions are met.
NOTE: Only User-Defined or custom concepts accept conditions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Click on a concept.
3. Open a component.
● Use the Count category to set a number of objects that must be found before a match is reported.
● Use the Percentage Match category to define a percentage of objects that must be found before a match is
reported.
● Use the Number of lines from the beginning category to define the number of lines within which an object
must be found (starting from the beginning of a captured object) before a match is reported.
● Use the Number of bytes from the beginning category to define the number of bytes within which an
object must be found (starting from the beginning of a captured object) before a match is reported.
● Use the Proximity category to define the relative proximity to a specified byte of an object before a match is
reported.
NOTE: Imposing multiple conditions could cause conflicts. Consider carefully what the conditions will do before
setting them.
6. Use the Condition, Value and Expressions fields to set the parameters of a condition.
7. Use the Advanced component to change the concept type only if the conditions you have set will apply to a
different type of concept.
8. Click Save.
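The checksum step described under Adding content concepts and the Count, lines-from-beginning and bytes-from-beginning conditions above, modelled together in Python as an added example (this is not McAfee's code; the Luhn mod-10 check is assumed as the checksum, the two card expressions and the captured email body are constructed here, and the Percentage Match and Proximity conditions are not modelled):

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


def luhn_ok(candidate: str) -> bool:
    """Mod-10 (Luhn) checksum over the digits of a candidate card number.

    The guide says only that the algorithm attached to a concept runs
    checksums; Luhn is assumed here as that check for the card concepts.
    """
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ContentConcept:
    """A content concept: Expression 0..n plus an optional checksum and conditions."""
    name: str
    expressions: List[str]
    checksum: Optional[Callable[[str], bool]] = None
    count: int = 1                               # Count: hits needed before a match is reported
    lines_from_beginning: Optional[int] = None   # only hits in the first N lines count
    bytes_from_beginning: Optional[int] = None   # only hits in the first N bytes count

    def _region(self, obj: str) -> str:
        """The part of the captured object that the conditions allow to be searched."""
        region = obj
        if self.lines_from_beginning is not None:
            region = "\n".join(region.splitlines()[: self.lines_from_beginning])
        if self.bytes_from_beginning is not None:
            region = region.encode("utf-8")[: self.bytes_from_beginning].decode("utf-8", "ignore")
        return region

    def hits(self, obj: str) -> List[str]:
        """Every expression hit in the allowed region that also passes the checksum."""
        found = []
        region = self._region(obj)
        for expr in self.expressions:
            for m in re.finditer(expr, region):
                if self.checksum is not None and not self.checksum(m.group(0)):
                    continue      # checksum failed: the result is discarded, as the guide describes
                found.append(m.group(0))
        return found

    def matches(self, obj: str) -> bool:
        """The concept reports a match only when the Count condition is satisfied."""
        return len(self.hits(obj)) >= self.count


# Constructed sample: a captured email body with several card-shaped numbers.
SAMPLE_OBJECT = (
    "From: payments@example.com\n"
    "Subject: refunds batch\n"
    "\n"
    "Card 4111 1111 1111 1111 refund approved.\n"          # passes Luhn
    "Card 4111 1111 1111 1112 is a typo.\n"                # fails Luhn
    "Card 5500 0000 0000 0004 refund approved.\n"          # passes Luhn
    "Order reference 4000 1234 5678 9010 (not a card).\n"  # card-shaped, fails Luhn
)

# Constructed expressions in the spirit of the factory card concepts (not McAfee's own).
CARD_EXPRESSIONS = [
    r"4\d{3}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}",        # 16 digits starting with 4 (Visa-style)
    r"5[1-5]\d{2}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}",   # 51-55 prefix (MasterCard-style)
]

# Same expressions, with and without the checksum: the checksum halves the hit list.
ccn_raw = ContentConcept("CCN_RAW", CARD_EXPRESSIONS)
ccn_checked = ContentConcept("CCN", CARD_EXPRESSIONS, checksum=luhn_ok)
# Count 2 restricted to the first four lines: the second valid card is on line 6,
# so no match is reported even though the object contains two valid numbers.
ccn_header_only = ContentConcept("CCN_HEADER", CARD_EXPRESSIONS, checksum=luhn_ok,
                                 count=2, lines_from_beginning=4)

if __name__ == "__main__":
    for concept in (ccn_raw, ccn_checked, ccn_header_only):
        print(concept.name, concept.hits(SAMPLE_OBJECT), concept.matches(SAMPLE_OBJECT))
```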
Applying concepts to rules
Use this task to apply a content concept to a rule. Whenever the rule runs, the pattern identified
in the concept will find matches in captured data.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Open a related policy and click on a rule.
3. If you want the rule to run independently of its policy, set its Inherit State to Disabled.
TIP: This is especially useful for trying out rules before they are implemented with the other rules in the policy.
3. Open the Content category.
4. Select Concept from the first menu.
5. Select is any of from the second menu.
6. Click "?" .
7. Select one or more concept categories from the popup menu.
TIP: Open a concept category to select one or more concepts in the category.
8. Click Apply.
9. Click Save.
10. Wait for the rule to run, then go to Incidents to view the result.
TIP: If you can't find a relevant incident, group by policy and rule to filter results. You can set up an action rule to
notify you when there is a hit.
Using regular expressions in concepts
When you build concepts using regular expressions, use only the syntax supported by DLP.
Expression Definition
\n line feed
\r carriage return
\f form feed
\b backspace
\a bell
\t tab
\k disables Perl/POSIX set range restrictions
\K enables Perl/POSIX set range restrictions
\0xN the hex ascii character equivalent to N
\nnn the octal character of value nnn
\d digit 0-9
\D not digit 0-9
\c any alpha A-Z or a-z
\C not any alpha A-Z or a-z
\w any alphanumeric \c or \d
\W not alphanumeric ^\w
\s any space [\ \f \n \r \t]
\S not any space ^\s
\p any space or field delimiter [\ -\\ :-@ \[-` {-~ ]
\P not any space or field delimiter ^\p
\i case sensitivity off
\I case sensitivity on
[…] character sets, e.g. [3-6a-c] = 3,4,5,6,a,b,c
x-y character ranges T-X = T,U,V,W,X
^ invert, e.g. ^\0x0 are all characters except NULL
\ literal backslash (transforms metacharacters into ordinary characters). Examples: \\ \. \& \[ \] \<space> \* \+
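An added example, not from the guide: a translator from the DLP expression syntax in the table above to Python's re module, together with the Validate dialog's Matches String check. It assumes that the first \p range runs from space to "/" (the printed range is garbled), treats \k and \K as no-ops because re has no equivalent, and passes characters other than escapes, sets and "^" through unchanged.

```python
import re
from typing import Optional, Tuple

# DLP escapes that expand to a character-class body (no brackets). Outside a
# class they are wrapped in [...]; inside a class they are spliced in.
_CLASS_BODIES = {
    "c": "A-Za-z",
    "w": "A-Za-z0-9",        # DLP \w is "\c or \d": no underscore, unlike Python's \w
    "s": r" \f\n\r\t",
    # The guide prints \p as [\ -\\ :-@ \[-` {-~]; the first range is read here
    # as space..'/' (0x20-0x2F) so that \p stays punctuation only (assumption).
    "p": r" -/:-@\[-`{-~",
}
# DLP escapes with a direct Python equivalent (\b is backspace in DLP, not a
# word boundary, so it becomes \x08).
_SIMPLE = {"n": r"\n", "r": r"\r", "f": r"\f", "t": r"\t", "a": r"\x07",
           "b": r"\x08", "d": r"\d", "D": r"\D"}


def _escape(expr: str, i: int) -> Tuple[str, Optional[str], int]:
    """Translate the DLP escape at expr[i] == '\\'.

    Returns (fragment usable outside a class, fragment usable inside a class or
    None if there is none, index of the next untranslated character).
    """
    if i + 1 >= len(expr):
        raise ValueError("trailing backslash")
    ch = expr[i + 1]
    if expr.startswith("\\0x", i):                       # \0xN: hex character N
        m = re.match(r"[0-9A-Fa-f]{1,2}", expr[i + 3:])
        if not m:
            raise ValueError("\\0x must be followed by hex digits")
        frag = "\\x%02x" % int(m.group(0), 16)
        return frag, frag, i + 3 + m.end()
    m = re.match(r"[0-7]{3}", expr[i + 1:])
    if m and int(m.group(0), 8) < 256:                   # \nnn: octal character
        frag = "\\x%02x" % int(m.group(0), 8)
        return frag, frag, i + 4
    if ch in _SIMPLE:
        return _SIMPLE[ch], _SIMPLE[ch], i + 2
    if ch.lower() in _CLASS_BODIES:
        body = _CLASS_BODIES[ch.lower()]
        if ch.isupper():                                 # \C \W \S \P: negated shorthand
            return "[^" + body + "]", None, i + 2
        return "[" + body + "]", body, i + 2
    lit = re.escape(ch)                                  # \literal: \. \& \[ \<space> ...
    return lit, lit, i + 2


def to_python_regex(expr: str) -> Tuple[str, int]:
    """Translate a DLP concept expression into (pattern, flags) for re.compile."""
    out, flags, in_class, i = [], 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\":
            nxt = expr[i + 1] if i + 1 < len(expr) else ""
            if nxt in ("i", "I") and not in_class:       # case sensitivity off / on
                flags = re.IGNORECASE if nxt == "i" else 0
                i += 2
                continue
            if nxt in ("k", "K"):                        # Perl/POSIX set-range toggles have
                i += 2                                   # no re equivalent; dropped (assumption)
                continue
            outside, inside, i = _escape(expr, i)
            if in_class and inside is None:
                raise ValueError("negated shorthand is not supported inside [...]")
            out.append(inside if in_class else outside)
            continue
        if ch == "[" and not in_class:
            in_class = True
        elif ch == "]" and in_class:
            in_class = False
        elif ch == "^" and not in_class and i + 1 < len(expr):
            # DLP '^' inverts the atom that follows it, e.g. ^\0x0 = anything but NUL.
            nxt = expr[i + 1]
            if nxt == "\\":
                _, inside, j = _escape(expr, i + 1)
                if inside is None:
                    raise ValueError("cannot invert a negated shorthand")
                out.append("[^" + inside + "]")
                i = j
                continue
            if nxt == "[":                               # ^[abc] -> [^abc]
                out.append("[^")
                in_class = True
                i += 2
                continue
            out.append("[^" + re.escape(nxt) + "]")
            i += 2
            continue
        out.append(ch)   # other characters (including . * + ?) pass through unchanged (assumption)
        i += 1
    if in_class:
        raise ValueError("unterminated character set")
    return "".join(out), flags


def matches_string(expr: str, sample: str) -> bool:
    """The Validate dialog's Matches String check: does the expression hit the sample?"""
    pattern, flags = to_python_regex(expr)
    return re.search(pattern, sample, flags) is not None
```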
Restoring factory concepts
If you have accidentally written over an original concept, use this task to restore it to its original
state.
NOTE: Only the original list of concepts under the User-Defined tab can be restored. Custom concepts cannot
be recovered. Concepts listed under the Factory Default tab cannot be edited, so they need not be restored.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select one or more concepts.
3. Select Restore Default from the Actions menu.
Editing concepts
Use this task to modify the parameters of a concept.
For example, you might want to remove one of the expressions used in a content concept if it
generates false positive results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Click a concept.
3. Modify one or more parameters.
4. Click Save.
Deleting concepts
Use this task to delete more than one concept.
NOTE: Factory Default templates cannot be deleted.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select one or more concept checkboxes.
3. Select Delete from the Actions menu.
Using templates
How templates are used
Templates contain collections of elements that save time when searching, creating rules, or
building capture filters. They eliminate the need to enter the same values repetitively.
For example, when you search for data containing source code of any type, you might use the Source Code
template. Similarly, to find data containing images, you might use the Common Image Files template.
TIP: You can use any of the standard templates, or you can add your own custom templates to the list under
Policies | Templates.
Adding templates
Use this task to add a template to save time on repetitive or complex searches.
TIP: You can use a template to create a name for a range of IP addresses so you can refer to them as a group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
2. Select Add Template from the Actions menu.
3. Type in a name.
4. Type in a description (optional).
5. Open Construction.
6. Select an element from the first menu.
7. Select a condition from the second menu.
8. Click "?". If no popup menu launches, type a string into the values field.
9. Click Save.
NOTE:When a template element is used in a search or rule, a list of available templates pops up from the "?" at
the end of the values field. Each category may pop up a different set of templates, and more than one can be
used at a time.
Viewing standard templates
All templates, including the ones you created and added to those included with the DLP devices,
are listed on the Templates page. In ePolicy Orchestrator, go to Menu | Data Loss Prevention |
DLP Policies | Templates.
TIP: Open any template to learn to construct one of your own.
Removing a template from a rule
Use this task to remove a template that has been applied to a rule or filter.
NOTE: This task does not remove the template. Templates that are attached to rules or capture filters cannot be
removed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the rule or filter to which it is attached.
3. Click on the red minus icon to remove the element containing the template.
4. Click Save.
TIP: To delete templates one by one, click the trash can icons.
Deleting templates
Use this task to delete templates one by one, or as a group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
2. Click the box of one or more templates.
3. Select Delete from the Actions menu.
4. Click Confirm or Cancel.
TIP: To delete templates one by one, click the trash can icons.
Using the case management system
How case management works
Assigning incidents with common attributes to a single case allows employees to collaborate to
resolve them more quickly. Each staff member involved can focus on a single attribute to
advance the resolution of the case.
For example, a case that contains emailed evidence might be assigned to members of a legal
team, who might develop it so that it can be used in court. Each member of that team might add
notes and citations, change status and priority, notify stakeholders, or redirect the case to
another user who may be able to add information.
NOTE: Case dashboards display information based on organizational responsibilities. For example, Human
Resources personnel might see Acceptable Use violations, but not SOX compliance issues.
Collecting credit card violations in a case
If credit card violations are being detected on a regular basis, start a case with the first few, then
add others as they come in.
NOTE: A privacy policy must be installed to produce the credit card violations.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management and select
one or more incidents.
2. From the Actions menu, select Assign to Case | New Case.
TIP: If a case has already been opened, select Existing Case.
3. Type a name into the Headline field.
4. Type in one or more Keywords.
5. Set an Owner for the case — for example, Compliance:group.
6. Set the Resolution status — for example, Under Investigation.
7. Select the Notify Owner checkbox (optional).
8. Select the Notify Submitter checkbox (optional).
9. Select a Status — for example, In Progress.
10. Select a Priority — for example, Urgent.
11. Add a note (optional) — for example, Visa and MasterCard numbers found.
12. Click Apply.
Adding a new case
Use this task to add a new case to contain incidents that have not been detected yet.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. From the Actions menu, select New.
3. Type in a Headline.
4. Select an Owner.
5. Select a Resolution state (optional).
6. Select a Status (optional).
7. Select a Priority (optional)
8. Type in one or more Keywords.
9. Check the Notify Submitter box (optional).
10. Check the Notify Owner box (optional).
11. Type in Notes (optional).
12. Click Apply.
NOTE: No more than 100 incidents can be added to a case at one time.
Using incidents to create a case
Use this task to create a case from one or more incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Check one or more incident boxes.
NOTE: No more than 100 incidents can be added to a case at one time.
3. From the Actions menu, select Assign to Case | New Case.
4. Type in a Headline.
5. Select an Owner.
6. Select a Resolution state (optional).
7. Select a Status (optional).
8. Select a Priority (optional).
9. Type in Keywords.
10. Check the Notify Owner box (optional).
11. Check the Notify Submitter box (optional).
12. Type in Notes (optional).
13. Click Apply.
Adding incidents to an existing case
Use this task to add an incident to an existing case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select one or more incidents.
3. From the Actions menu, select Assign to Case | Existing Case.
4. After completing the assignment, click on the Assign link of the case to view the case details.
TIP: If you cannot see the Assign link on the right, expand your dashboard.
5. Click Apply.
NOTE: No more than 100 incidents can be added to a case at one time.
Adding comments to a case
Use this task to add a comment to a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select a case.
3. Click the Details icon.
4. Type text into Add Notes.
5. Click Apply.
Notifying users about a case
Use this task to send notification of an action taken to the submitter or owner of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Details icon.
3. Check the Notify Submitter or Notify Owner boxes.
4. Click Apply.
Changing ownership of cases
Use this task to reassign the case to another user or group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Owner menu, select a new or existing user.
If the owner you want to select is not listed, add the new user or user group, then return to the case.
TIP: To notify the owner or originator by email, select the Notify Owner or Notify Submitter box.
4. Click Apply.
Changing resolution of cases
Use this task to change the resolution state of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Resolution menu, select a new status.
TIP: To notify the owner or originator by email, select the Notify Owner or Notify Submitter box.
4. Click Apply.
Changing status of cases
Use this task to change the status of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Status menu, select a new status.
TIP: To notify the originator by email, select the Notify Submitter box.
4. Click Apply.
Customizing Case List columns
Use this task to add or remove Case List columns on the dashboard.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. From the Options menu, select Customize columns.
3. Use the Add and Remove buttons to move Available columns to the Selected box.
4. Use Move buttons to move Selected column headers up or down.
TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.
Customizing case notifications
Use this task to set up notifications of changes in a case. For example, the case owner might set up a daily status update notification to himself and the submitter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select one or more cases.
3. From the Options menu, select Customize Case Config.
4. Select checkboxes to automatically send email to the Submitter or Owner when the case is updated.
TIP: Set up a daily email reminder to those responsible for new or pending cases.
5. Select radio buttons to set a standard interval, or add items from the weekly and monthly menus to add more
specific parameters.
6. Click Save.
Exporting cases
Use this task to save a case to the Exported Cases list.
NOTE: Exported cases can be downloaded to local computers. There are no limits on the number of incidents
that can be exported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select one or more case checkboxes, or export a single case by clicking its Export icon.
TIP: Click the box in the column header to Select All cases.
3. From the Actions menu, select Export Selected Cases.
4. Click OK to verify export. The case will appear in the file list under Exported Cases.
5. Click on the exported case link to open or save it.
Managing case permissions
If you are an administrator, you can control access to cases so that they can be seen and processed only by authorized users.
NOTE: Users who create cases are automatically allocated all three permissions (Read, Write and Delete), but if the case owner is changed, those permissions are lost.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Details icon of the case.
3. Scroll down to the Options menu and select Permissions.
4. Select the Read,Write and Delete boxes corresponding to the assignment of the case to users and groups.
5. Click Apply.
NOTE: Global permissions that are set under DLP Sys Config | System | User Administration | Groups | Details | Task Permissions | Case Permissions take precedence over permissions configured on an individual case. If the two conflict, the global group permissions win.
Example:
If Lee has a need to know about a case and he has been given read access, case information
might display on his DLP Homepage, but the Apply, Save, Delete or Assign buttons will not
display because he is not allowed to take those actions.
Example:
If Juan is given responsibility for a group of legal cases, an administrator might assign Read and
Write but not Delete privileges. All menus and buttons except the Delete icon will be available to
him.
NOTE: When Write permission is assigned, Read permission is implicit.
Reprioritizing cases
Use this task to change the priority (severity) of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Priority menu, select a new severity.
TIP: To notify the originator by email, select the Notify Submitter box.
4. Click Apply.
Deleting an incident from a case
Use this task to delete an incident from a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. Inside the case, select an incident box.
4. Select Delete from the Options menu.
TIP: If you cannot see the link, expand your dashboard.
5. Click Apply.
Deleting cases
Use this task to remove a case from the Case List.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Delete icon.
TIP: If you cannot see the icon, expand your dashboard.
Managing DLP systems
Managing the system
All DLP setup, configuration and management tasks are handled by DLP Manager, which coordinates all
DLP systems. Managed devices may include the DLP product appliances (Monitor, Discover, Prevent) and
servers (DHCP, LDAP, NTP, DLP Host and syslog) that provide added functionality.
If you have the proper administrative permissions, you can monitor and manage your DLP
systems from the System Administration dashboard.
Configuring DLP devices
Configuring DLP devices
Use this task to reconfigure any DLP device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Click the configure link of the device to be configured.
3. Change parameters on the System Configuration page.
4. Click Update after each change is made.
TIP: If you are on a standalone appliance, you can click Setup Wizard to review all settings.
If the setup is not changed, you can select Cancel to leave the Setup Wizard and go directly to the dashboard.
Adding devices to DLP Manager
Use this task to add a DLP appliance. This process creates an SSH communication tunnel
between DLP Manager and the DLP appliances.
CPU usage on the appliance indicates that registration tasks are being performed. DLP Manager itself does not
show any CPU activity, because it serves only as a collection point for the data; the other machines capture and
index data, and their processor gauges show CPU utilization, which should not exceed 70-80%.
On some networks you can choose a port configuration. The DLP appliance is a Gigabit network device, so bringing it
down is possible.
NOTE: Adding a Network DLP appliance wipes the current configuration of that machine, but captured data,
cases and incidents will not be lost. Unless you have previously deployed policies to All Devices, you will have
to edit them to add the device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select New Device from the Actions menu.
3. Type in the IP address and password.
NOTE: The user account used for association is root, and its password is what you type in here, so it is recommended that you change the root password on the appliance before adding it to NDLP Manager. If you change the IP address, the network service needs to
be restarted; Stingray will automatically restart the box to register the change.
The Add Device page is also used to add a Host DLP server. Several fields are not available
until the DLP Host Server box is checked.
4. Click Add.
5. Click OK to confirm or cancel registration.
6. Wait for the Status icon in the device list to turn green.
TIP: If registration seems to be taking a long time, try refreshing the page.
Adding Host DLP servers to DLP Manager
Use this task to add a DLP Host server to DLP Manager.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Check the DLP Host Server box.
3. Select a Host DLP Version.
NOTE: Version 3.0 is required to use Host and Network DLP separately in the ePO interface.
4. Type in the IP or host name and password.
5. Type in the database port, user, and database names.
6. Type in the ePO database, IP address, user name and password, and port.
7. Click Add.
8. Click OK to confirm or cancel registration.
9. Wait for the Status icon to turn green.
TIP: If registration seems to be taking a long time, try refreshing the page.
ePO installation issues
In this release, Host and Network DLP are integrated in an ePO 4.5 framework or in a Linux-
based configuration. For more information, download the McAfee Installation Guide for DLP 9.0
on ePO 4.5 from the ServicePortal.
NOTE: If the ePO 4.5 server loses connection to the database, you cannot use
https://servername:port/core/config to reconnect the ePO 4.5 server to the database. Refer to
KB66320 in the McAfee Knowledgebase for more information.
Changing link speed
If DLP is installed on a network that supports devices that have specific speed and duplexing
requirements, DLP Monitor might not be able to auto-negotiate traffic to capture interfaces.
Use this task to change link speed to accommodate existing hardware.
NOTE: Depending on your network configuration, you might have to replace your standard Ethernet cable with
one that is appropriate for your network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select a device from the list.
3. Click on the Configure link.
4. Select link speeds for each capture interface from the Speed and Duplex menus.
5. Click Update. A notification message will launch to verify the change.
Managing disk space
The Reconnex file system (RFS) divides the DLP Monitor disk into partitions.
● Capture partitions hold all the content captured, which is organized by type.
● Non-Capture partitions contain the operating system and the results partitions (A-Z), which fill sequentially.
Use this task to get a complete report of disk space, including information about partitions and
volumes.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select the More link of the device.
3. Under Utilities | Application Information, click on Disk Usage.
NOTE: Space-based wiping is the default policy. It erases the earliest results after 80% of the disk is used.
When that threshold is reached, the system erases data to the 70% watermark.
Backing up DLP systems
Use this task to create a backup archive to ensure that configuration files, users, logs and cases
are not lost during system operations.
TIP: Back up whenever there is a change in content or configuration. After 30 days or 150,000 incidents, the
oldest incidents are lost, and if a managed mode device is deregistered, all incidents are lost.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Backup.
2. Type in the Remote Host Name of an external storage device.
NOTE: Only Linux devices are supported. Microsoft Windows computers have not been tested.
3. Type in the user name and password required to log on to that machine.
4. Browse to the directory that will receive the backup.
5. Select the Port to be used to connect to the remote host.
6. Click Backup.
NOTE: The local archive file name is made up of a date and backup number (for example, 20091030-1346). On the Remote Host and other DLP devices, the file name also includes the FQHN (fully-qualified
host name) and device type (inSight = Manager, iGuard = Monitor), followed by the date and backup number and a .tar extension.
Example
abc-123.lab.company.net-inSight-20091030-1346.tar
TIP: Refresh the File List and select the archive with the latest date and highest backup number. You will be
able to verify the build number after extraction.
Archive contents
● Active configuration files (policies, rules, action rules, concepts, templates, network and content capture
filters, DHCP settings, schedules, task definitions and credentials)
● Local and Active Directory users
● Network settings
● User Action Logs
● Cases
Depending on the volume of data to be backed up, processing time might be lengthy. When the process is
complete, email is sent to the address in the user's profile, and the file list is populated with the name of the new
archive.
Restarting DLP systems
Use this task to restart, shut down or reboot any of the McAfee Network DLP appliances or
services.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select More for the device you want to restart or shut down.
3. Scroll down to the bottom of the Utilities window.
4. Select the appropriate link.
Deregistering devices from DLP
If you have to re-synchronize a timed-out system, overwrite an older configuration, or register a
device to a different DLP Manager, you might have to use this task to deregister a device.
NOTE: If the device is to be reconfigured as a standalone system, you must reinstall it.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select More.
3. Scroll down and select Deregister Device.
4. Click confirm or cancel.
NOTE: Because the messaging service must be restarted whenever a device is deregistered, you might get a
login error message like "could not connect to service" before you can log in again. If so, the messaging
service will generally be back up in 1-3 minutes.
5. Confirm that the deregistered device has been removed from the list.
Adding servers to DLP systems
Configuring servers with DLP systems
DLP systems support several different types of servers that extend its functionality. Enterprise
DLP configurations usually have DHCP, DNS and LDAP (Active Directory) services configured,
as well as connections to mail, NTP and syslog servers. McAfee Logon Collector must also be
installed if Active Directory servers are to be supported.
These connections can be made from the DLP Manager interface, or from the DLP ePO frame-in.
If the applications are set up to work through ePO, Host DLP and McAfee Agent will also have to
be installed.
● Adding a DHCP server supports accurate resolution of the sources and destinations of network
transmissions.
● Adding an LDAP server supports integration with existing user systems, enables notification of users, and
authenticates user accounts. DLP supports Microsoft Active Directory LDAP services.
● McAfee Logon Collector can be configured with DLP Manager to resolve user identities by retrieving
collections of user account information from all Active Directory servers that have been added to the DLP
system.
● Adding a Host DLP server supports integration with ePO.
● Syslog servers receive DLP error messages.
● NTP servers make it possible to synchronize DLP systems.
Setting up DHCP services
Using DHCP servers with DLP
DLP systems can accurately resolve the sources and destination of network transmissions by
using DHCP services. A DHCP server must be added to the system to provide those services.
NOTE: Senders and receivers can be easily identified if they have static IP addresses, but dynamic addresses
are more commonly used. Because they change frequently, it is often difficult to pinpoint the sources and
destinations of transmissions.
The DHCP server automatically assigns an IP address from an appropriate pool of addresses to
the clients connecting to the system. The server then extracts, parses and loads log files to
resolve the address to a host name, and the information is passed along to the DLP system.
Adding DHCP servers
Use this task to set up DLP to get location information about incidents that have been flagged by
the DLP capture database.
NOTE: DHCP servers are used by most ISPs to assign dynamic addresses to the hosts they administer.
Because dynamic addresses expire at specified times, hosts using them can be tracked only through DHCP
server records.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers.
2. From the Actions menu, select Add DHCP.
3. Type in a name for the server. Typing in a description is optional.
4. Select the Server Type. Internet Systems Consortium, Solaris and Microsoft Windows types are supported.
5. Select an Access Mode to retrieve directory information, get and put log files, and perform related transfer
tasks. The access mode determines the method of transfer.
NOTE: SMBClient access mode is supported only for Windows Server.
6. Type in the IP address, domain name, user name, and password to log on to the server.
7. Type in the Folder name, if needed.
8. Add the File Pattern name to enable DHCP logging.
NOTE: The DHCP log file name depends on the DHCP server operating system. DhcpSrvLog is a Windows
file name pattern. Use dhcpd* for ISC and Solaris DHCP logs (dhcpd.leases).
Matching this pattern enables DHCP logging.
For the SMB client, 'mget DhcpSrvLog*' can be used from the SMB prompt to link to Windows files such as
DhcpSrvLog-Wed.log or DhcpSrvLog-Sun.log. For SCP or SFTP, use /var/state/dhcp/dhcpd.leases or /var/state/dhcp/dhcpd*.
9. Set a Lease expiration interval to determine when IP addresses will be reassigned.
The interval must be set because some DHCP servers (Windows) do not put the expiration time in the logs.
10. Set the Frequency to indicate how often the server should be polled to pull down new information.
11. Check the boxes of devices to be connected to the DHCP server.
12. Click Save.
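The address-to-host resolution that this DHCP integration performs, shown as an added example rather than anything shipped with the product: it reads a constructed ISC dhcpd.leases excerpt and constructed rows in the Windows DhcpSrvLog CSV layout, then answers "which host held this address at the incident time". For Windows, where no expiry is logged, the lease interval from step 9 decides when a lease is assumed to end, and the example shows an interval that is too short making a real lease invisible. The host names, addresses and the exact file layouts are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Lease(NamedTuple):
    ip: str
    host: str
    mac: str
    start: datetime
    end: datetime


# Constructed ISC dhcpd.leases excerpt: the same address leased to two hosts in turn.
# ISC writes "starts"/"ends" in UTC with a leading weekday number.
ISC_LEASES = """\
lease 172.16.0.77 {
  starts 3 2009/10/28 14:02:10;
  ends 3 2009/10/28 20:02:10;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
lease 172.16.0.77 {
  starts 3 2009/10/28 21:00:00;
  ends 4 2009/10/29 03:00:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "bob-desktop";
}
"""

# Constructed rows in the Windows DhcpSrvLog CSV layout (ID,Date,Time,Description,
# IP Address,Host Name,MAC Address,...). ID 10 = new lease, 11 = renew, 12 = release.
# Windows logs no expiry time, which is why the guide makes you set a lease interval.
WIN_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID
10,10/28/09,14:02:10,Assign,172.16.0.77,alice-laptop.example.net,001122334455,,0
12,10/28/09,19:30:00,Release,172.16.0.77,alice-laptop.example.net,001122334455,,0
10,10/28/09,21:00:00,Assign,172.16.0.77,bob-desktop.example.net,66778899AABB,,0
"""

_ISC_BLOCK = re.compile(r"lease (\S+) \{(.*?)\}", re.S)


def when(s: str) -> datetime:
    """Parse an incident timestamp written as YYYY-MM-DD HH:MM:SS."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _isc_field(body: str, pattern: str) -> Optional[str]:
    m = re.search(pattern, body)
    return m.group(1) if m else None


def parse_isc_leases(text: str) -> List[Lease]:
    """Parse dhcpd.leases blocks; a lease that 'ends never;' gets an open-ended end."""
    leases = []
    for m in _ISC_BLOCK.finditer(text):
        ip, body = m.group(1), m.group(2)
        start = _isc_field(body, r"starts \d (\S+ \S+);")
        end = _isc_field(body, r"ends \d (\S+ \S+);")
        if start is None:
            continue
        leases.append(Lease(
            ip=ip,
            host=_isc_field(body, r'client-hostname "([^"]*)";') or "",
            mac=_isc_field(body, r"hardware ethernet (\S+);") or "",
            start=datetime.strptime(start, "%Y/%m/%d %H:%M:%S"),
            end=datetime.strptime(end, "%Y/%m/%d %H:%M:%S") if end else datetime.max,
        ))
    return leases


def parse_windows_log(text: str, lease_hours: float) -> List[Lease]:
    """Parse DhcpSrvLog rows; assign/renew opens a lease of lease_hours, release closes it."""
    interval = timedelta(hours=lease_hours)
    leases: List[Lease] = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 7 or not parts[0].isdigit():
            continue  # header text and non-event rows
        event, date, clock, _desc, ip, host, mac = parts[:7]
        ts = datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S")
        if event in ("10", "11"):
            leases.append(Lease(ip, host, mac, ts, ts + interval))
        elif event == "12":
            # Truncate the lease that was live for this address at release time.
            for i in range(len(leases) - 1, -1, -1):
                if leases[i].ip == ip and leases[i].start <= ts < leases[i].end:
                    leases[i] = leases[i]._replace(end=ts)
                    break
    return leases


def resolve(leases: List[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Return the most recent lease of `ip` that covers the instant `at`, or None."""
    live = [l for l in leases if l.ip == ip and l.start <= at < l.end]
    return max(live, key=lambda l: l.start) if live else None


if __name__ == "__main__":
    incident = when("2009-10-28 15:38:18")  # constructed incident time
    print(resolve(parse_isc_leases(ISC_LEASES), "172.16.0.77", incident))
    print(resolve(parse_windows_log(WIN_LOG, 8), "172.16.0.77", incident))
```

With an eight-hour interval the Windows log resolves 172.16.0.77 at 15:38 to alice-laptop and correctly returns nothing between the 19:30 release and the 21:00 assignment to bob-desktop; with a one-hour interval the same lookup returns nothing at all, which is the failure mode to expect if the configured lease expiration interval is shorter than the server's real lease time.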
Setting up directory services
Using LDAP servers with DLP
DLP products use Lightweight Directory Access Protocol services to integrate with existing user
systems, authenticate user accounts, extend notification to users by role, and support other
objects that might be imported from an LDAP server.
DLP supports Microsoft Active Directory LDAP services. Importing multiple user accounts is a
common task that is made possible by adding an Active Directory server to DLP Manager. If
customized attributes are added to the directory database, the information in those fields will
automatically populate the default user fields on the DLP dashboards.
Adding Active Directory servers
Use this task to add a Microsoft Active Directory (LDAP) server to DLP.
NOTE: The server must be configured before adding users to the system.
Sample Configuration
LDAP Label: myserver
Domain:
Authorization Server abc.example.net
Server Port 389
Timeout (sec) 3
Retries (sec) 3
LoginID Attribute samaccountname
Login DN admin or username
Password ******
Confirm Password ******
Base DN dc=example,dc=net
Limit Search Results to 20
NOTE: Although more than one LDAP server can be added from the user interface, multiple LDAP servers
require ip2user mapping, which is not currently supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | Directory
Services.
2. Select Create Directory Server from the Actions menu.
3. Type in a label to identify the LDAP server.
4. Type in the domain of the LDAP server (optional).
NOTE: If you use this option, you must login to an administrative account on the LDAP server. The system will
then query the Domain Name Server to find the domain controller for the Active Directory domain.
5. If you are not using the LDAP domain server name, type in the name or IP address of the authorization server.
If you are using SSL to encrypt the connection, you must enter the FQDN cited in the uploaded certificate (see
below).
NOTE: Unlike the LDAP server domain name, you can use any valid account that has permission to read from
the LDAP server (an administrative account is not necessary). If you have already entered the domain name of
the LDAP server in the previous step, any information you enter here will be ignored.
6. Type in the port to be used for the connection.
7. Set intervals for connection timeouts and retries (in seconds).
8. Type in the LoginID attribute. Use samaccountname to retrieve user names from the server.
9. Type in the user name. Use an administrative account whose password does not expire to maintain the
connection, but a non-administrative account name is acceptable when using an authorization server.
10. Identify the local domain components (for example, dc=mydomain,dc=com).
11. Type in the number of records you want to retrieve at one time. Before entering a value higher than 10, consult
the administrator of the Active Directory server to find out how many records can be served per request.
12. Check the SSL box to encrypt the connection and enable LDAP over SSL (LDAPS).
NOTE: A secure connection is not required, but is strongly recommended. Either accept any available
certificate, or select one by uploading it. Accepting any certificate disables verification of the server's
identity, so anyone able to impersonate the LDAP server on the network could capture the bind credentials;
uploading the certificate is the safer choice. If you upload a certificate, you must find the FQDN of the
authorization server in the certificate file by logging in to the back end of the DLP appliance and
running the following command:
# openssl x509 -noout -in <filename>.cer -subject
The FQDN is returned in reverse order:
subject= /DC=net/DC=reconnex/CN=tyche
Read from right to left to get the name of the authorization server:
tyche.reconnex.net
13. Type the name into the authorization server name field.
14. Select a Scope to set the directory depth to be accessed on the server,
15. Click Apply.
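Turning that subject line into the authorization server name, as an added example that is not part of the product: it handles both the slash-separated subject older OpenSSL releases print, as shown in step 12, and the comma-separated form newer releases print, builds the name from the CN and the DC components read right to left, and checks it against what was typed into the authorization server field. The sample subject strings and the helper that shells out to openssl are assumptions; only the parsing is exercised here.

```python
import subprocess
from typing import List, Tuple

# Two constructed renderings of the same subject: the older slash-separated style
# and the newer comma-separated style that recent OpenSSL releases print by default.
SUBJECT_OLD = "subject= /DC=net/DC=reconnex/CN=tyche"
SUBJECT_NEW = "subject=DC = net, DC = reconnex, CN = tyche"


def parse_subject(subject_line: str) -> List[Tuple[str, str]]:
    """Return the RDNs of an 'openssl x509 -subject' line in printed order."""
    body = subject_line.split("=", 1)[1].strip()
    if body.startswith("/"):              # old style: /DC=net/DC=reconnex/CN=tyche
        parts = [p for p in body.split("/") if p]
    else:                                 # new style: DC = net, DC = reconnex, CN = tyche
        parts = body.split(",")
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def fqdn_from_subject(subject_line: str) -> str:
    """Build the name DLP expects: CN first, then the DC components right to left."""
    rdns = parse_subject(subject_line)
    cn = [v for a, v in rdns if a == "CN"]
    dcs = [v for a, v in rdns if a == "DC"]
    if len(cn) != 1 or not dcs:
        raise ValueError(f"subject lacks a single CN plus DC components: {subject_line!r}")
    return ".".join([cn[0]] + list(reversed(dcs)))


def matches_configured_host(subject_line: str, configured: str) -> bool:
    """Case-insensitive comparison with the authorization server name entered in DLP."""
    return fqdn_from_subject(subject_line).lower() == configured.strip().rstrip(".").lower()


def subject_from_cert(path: str) -> str:
    """Run the command the guide gives; assumes openssl is on PATH (not exercised offline)."""
    result = subprocess.run(["openssl", "x509", "-noout", "-in", path, "-subject"],
                            check=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(fqdn_from_subject(SUBJECT_OLD))  # tyche.reconnex.net
    print(matches_configured_host(SUBJECT_NEW, "Tyche.Reconnex.Net"))
```

The value in the field must match what the certificate asserts, because that is what the LDAPS connection is verified against; entering the bare host name or an IP address fails the comparison, as the NOTE on secure connections later in this chapter also warns.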
Adding LDAP Users
Use this task to add users after an LDAP server has been added to DLP Manager.
NOTE: LDAP users must be assigned to existing groups. If you have not yet decided on a user group design,
review user group management.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | User
Administration | Actions | Create LDAP User.
2. Select the LDAP host.
3. Retrieve one or more users using one of the following techniques.
● Enter an asterisk (*) to retrieve a list of all users on the server and select a radio button.
● Type in a known Login ID or user name.
● Use an asterisk (*) as a metacharacter to retrieve related users (for example, R* or *st*).
NOTE: User names containing special characters cannot be retrieved.
4. Click Find.
5. Click a radio button to select a user.
6. Select one or more groups from the Available groups for the new user and Add.
7. Click Apply.
NOTE: User permissions are assigned by membership in a user group. When permissions have been changed
by addition or subtraction of membership in a group, users must log in again for the change to register.
8. Go to Incidents | My Views | Actions | Copy View to Users to copy over views available to new users.
9. Check the boxes of all views the new user should be able to see.
10. Pull down the Actions menu.
11. Select Copy View to Users.
12. Select one or more checkboxes of users who should see the selected views.
13. Click Apply.
To make changes to the user's status later, go to System | User Administration | Users and select the Detail
icon of the user. For example, you can use the Actionmenu to Disable or Delete the user.
Configuring Active Directory servers for DLP
The LDAP RWL client works with directory services to enable retrieval of all LDAP data. Use this task to provide
basic LDAP functions to DLP systems.
1. Log on to DLP Manager.
2. Get the integration files by typing the zip file location into the address bar.
https://<DLP_address>/activedir/ADintegration.zip.
3. Save the zip file to your desktop.
NOTE: The rwl_client.exe file in this zip file has been changed in the 9.0 release. If you already have it
installed on an 8.6 appliance, you must reinstall it.
4. Extract the two files from the archive to your desktop.
5. On the Microsoft Windows server desktop, go to Start | Administrative Tools | Active Directory Users and
Computers.
6. Right-click on the domain name (currently reconnex.net) in the navigation bar.
7. Go to Properties | Group Policy | Default Domain Policy.
8. Select Edit.
9. Under User Configuration, click onWindows Settings | Scripts | Logon.
10. On the Scripts tab, click Show Files.
11. Drag the rwl_client.exe and logon.bat from your desktop to the Group Policy Object Editor window.
12. Right-click the logon.bat file.
13. Select Edit and Run.
14. After rwl_client.exe, type in the IP address of the DLP Manager or Monitor (if you are on a standalone
machine).
Example
    REM Substitute the following 'hostname.example.org' argument
    REM with the hostname or IP address of your Monitor
    rwl_client.exe iGuardHostname.reconnex.net
When the batch file gets executed, DLP Monitor is notified that a user has logged in.
15. Save.
16. Close the window containing the rwl_client.exe and logon.bat files.
17. Click OK on the Scripts tab of the Logon Properties dialog box.
18. Close the Group Policy Object Editor window.
19. Click OK on the Group Policy tab of the reconnex.net Properties dialog box.
20. Close the Active Directory Users and Computers window.
The next step is to add the server to DLP Manager.
Exporting certificates from Active Directory
Use this task to get a certificate from a Microsoft Active Directory server, export it, and add it in
the DLP Manager interface. This process supports encryption of an LDAP connection.
By default, LDAP traffic is transmitted unsecured, but using secure LDAP over SSL technology encrypts the
connection.
1. Log in as either a member of the local Administrator security group for standalone computers, or as a member
of the Domain Administrator security group for any computers that are connected to the domain.
2. Install the certificate on the Microsoft Windows server, which will install the server certificate on the Microsoft
Active Directory server.
a. Click Start | Administrative Tools | Certificate Authority to launch the Microsoft Management Console.
b. Select the CA machine.
c. Right-click and select Properties.
d. From the Generalmenu, click View Certificate.
e. Select the Details view.
f. Click the Copy to File button on the lower right corner of the window.
g. Use the Certificate Export Wizard to save the CA certificate in a file.
NOTE: Save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509
format.
3. Verify that SSL is enabled on the Microsoft Active Directory server (Microsoft Windows 2000 or Microsoft
Windows 2003).
a. Ensure that Windows 2000 Support Tools (Windows Support Tools on Microsoft Windows 2003) is
installed on the Microsoft Active Directory machine.
b. Find the suptools.msi setup program in the \Support\Tools\ directory on your Microsoft Windows CD.
c. Start the ldp tool.
For Microsoft Windows 2000 systems, go to Start | Windows 2000 Support Tools | Tools | Active Directory
Administration Tool. For Windows 2003, go to Start | Windows Support Tools | Tools | Command Prompt.
4. Select Connection | Connect from the ldp window.
5. Type in the host name and port number (secure port 636 is required).
If the connection is successful, a window will be displayed listing information related to the Microsoft Active
Directory SSL connection. If it is unsuccessful, restart your system and repeat the procedure.
How ADAM servers extend DLP Manager
DLP products now enable retrieval of information from Microsoft Active Directory Application
Mode servers. ADAM allows DLP to access objects in customized database schemas by
modifying its default attribute mappings to recognize the names of equivalent fields.
Use of a Certificate Authority supports secure transmissions through LDAPS or HTTPS. Verification can be
disabled by selecting Accept Any Certificate when adding the server, but doing so means the server's identity is never checked.
NOTE: Whenever SSL communication is requested, the hostname should be the name of the server with the domain
clearly specified. An IP address will not work.
Mapping LDAP directory attributes
Use this task to map the customized user attributes of an LDAP directory server to the Network
DLP defaults.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | Directory
Services.
2. Click on Edit.
3. Type the new attribute names into the Directory Server Mapping Attributes fields.
4. Click Apply.
Default Attribute Mappings
UserName=cn
UserID=sAMAccountName
UserTitle=title
UserCompany=company
UserDepartment=department
UserCity=givenName
UserZipcode=postalCode
UserCountry=countryCode
UserManager=manager
UserGroups=memberOf
UserEmail=proxyAddresses
NOTE:When an incident is reported to the dashboard, user attribute columns will contain the information found
in the corresponding fields on the existing LDAP server.
Setting up McAfee Logon Collector
Using McAfee Logon Collector with DLP
Before MLC can be used with DLP, an Active Directory server must be added to DLP Manager.
Then secure communications must be established between DLP and MLC.
Use the following tasks in this sequence to complete the SSL connections.
1. Export a certificate from MLC.
2. Import the MLC certificate into DLP Manager.
3. Export a certificate from DLP.
4. Import the DLP certificate into MLC.
5. Restart MLC.
After these steps are complete, secure communications between DLP and MLC are enabled,
and data on Active Directory servers is available for searching and rule construction.
Authenticating DLP Manager and MLC
Use this task to connect DLP to a McAfee Logon Collector so that certificates can be exchanged,
authenticating each to the other.
When the process is complete, an SSL connection will be set up between them.
1. Open a web browser and login to the MLC.
2. In ePolicy Orchestrator, go to Menu | Configuration | Server Settings | Identity Replication Certificate.
3. Scroll to the bottom of the page.
4. Highlight and copy all text in the Base 64 field.
5. Open a web browser and login to the DLP Manager.
6. Go to System | Directory Services.
7. Select Add a McAfee Logon Collector from the Actions menu.
8. Type in the IP address of the MLC.
9. Click the paste radio button and paste the text into the box.
TIP: Save this Base 64 data to a text file on your desktop so you can re-use it.
10. Click Apply.
11. Click Export to save the Network DLP certificate to your desktop.
12. Open a web browser and type in the address of the McAfee Logon Collector.
13. Go to Menu | Configuration | Trusted CA.
14. Click New Authority.
15. Browse to the netdlp_certificate.cer file you saved to your desktop.
16. Click Open.
17. Click Save. This adds the DLP Manager to MLC.
18. Open a Remote Desktop session on the MLC server.
19. Shut down and restart the MLC server.
The connection is now complete.
Setting up syslog and time servers
Using syslog and time servers with DLP
You will need an NTP server on your network to synchronize the DLP devices and servers. A
syslog server is not required; if one is present it needs no setup, and it can be useful for managing the
system.
Connecting to syslog servers
If a syslog server is installed on the network, DLP automatically sends messages about
significant events in the following format. The health of the box as well as the rule hits are
automatically transferred to the syslog server.
Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-test-rule1|3|cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount src=51.0.16.172 dst=53.0.16.172 spt=5281 dpt=25 suser= duser= cs2="testing" cs2Label=Subject filename="specscdrom.pdf"
Message Structure and Format
Field                 Description
Date                  Date the event was logged
Host Name             Name or IP address of the machine that logged the event
Component             Component or process that generated the alert
Format                Format version of the syslog output
Device Vendor         Vendor name
Device Product        Manager, Monitor, Discover or Prevent
Device Version        Product version
Rule                  Search rule
Severity #            Critical, High, Medium, Low, Informational
Policy                Policy name
Policy Label          Type of object
Match Count           Matches found
Match Count Label     Type of object
Source IP             Source IP address
Destination IP        Destination IP address
Source Port           Source port
Destination Port      Destination port
Source Username       Source user name
Destination Username  Destination user name
Email Subject         Email subject
File Name             File name
NOTE: Syslog servers are automatically recognized if they reside on the same network as DLP devices; no
special connection is needed.
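The syslog line above, parsed into the fields the structure table names, as an added example (not code from the guide). The sample line is constructed after the one shown; the csN/cnN-to-Label resolution follows the general CEF extension convention, which the guide does not spell out, and the six-field header layout is taken from the guide's own example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample, modelled on the syslog line shown in the guide (not a real capture).
SAMPLE_LINE = (
    "Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-test-rule1|3|"
    "cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount "
    "src=51.0.16.172 dst=53.0.16.172 spt=5281 dpt=25 suser= duser= "
    'cs2="testing" cs2Label=Subject filename="specscdrom.pdf"'
)

# Syslog prefix: "<Mon> <day> <hh:mm:ss> <host> <component>:CEF:..."
_PREFIX_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<component>[^:\s]+):(?P<cef>CEF:.*)$"
)
# CEF escapes a literal pipe inside a header field as \| so split only on unescaped pipes.
_PIPE_RE = re.compile(r"(?<!\\)\|")
# Extension pairs: key=value where the value is double-quoted or a run of non-blanks,
# possibly empty (as in "suser= duser=").
_EXT_RE = re.compile(r'(?P<key>\w+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')


@dataclass
class DlpEvent:
    date: str
    host: str
    component: str
    cef_version: str
    vendor: str
    product: str
    product_version: str
    rule: str
    severity: int
    extension: Dict[str, str] = field(default_factory=dict)  # raw key=value pairs
    labeled: Dict[str, str] = field(default_factory=dict)    # csN/cnN resolved via their Label keys

    @property
    def policy(self) -> str:
        return self.labeled.get("policies", "")

    @property
    def match_count(self) -> int:
        return int(self.labeled.get("MatchCount", "0") or 0)

    @property
    def subject(self) -> str:
        return self.labeled.get("Subject", "")


def _unquote(raw: str) -> str:
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    return raw


def parse_extension(ext: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the extension into raw pairs and resolve csNLabel/cnNLabel names."""
    fields = {m.group("key"): _unquote(m.group("val")) for m in _EXT_RE.finditer(ext)}
    labeled: Dict[str, str] = {}
    for key, label in fields.items():
        base = key[: -len("Label")]
        if key.endswith("Label") and base in fields:
            labeled[label] = fields[base]
    return fields, labeled


def parse_dlp_syslog(line: str) -> DlpEvent:
    """Parse one DLP syslog line into the fields the guide's structure table names."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("line does not carry the expected syslog/CEF prefix")
    # The guide's layout has six header fields before the extension:
    # format, vendor, product, version, rule, severity.
    parts = _PIPE_RE.split(m.group("cef"), maxsplit=6)
    if len(parts) != 7:
        raise ValueError("unexpected CEF header layout")
    tag, vendor, product, version, rule, severity, ext = (p.replace("\\|", "|") for p in parts)
    extension, labeled = parse_extension(ext)
    return DlpEvent(
        date=m.group("date"), host=m.group("host"), component=m.group("component"),
        cef_version=tag.split(":", 1)[1], vendor=vendor, product=product,
        product_version=version, rule=rule, severity=int(severity),
        extension=extension, labeled=labeled,
    )


if __name__ == "__main__":
    ev = parse_dlp_syslog(SAMPLE_LINE)
    print(f"{ev.product} {ev.product_version} rule={ev.rule} severity={ev.severity} "
          f"policy={ev.policy} matches={ev.match_count} "
          f"{ev.extension['src']}->{ev.extension['dst']} file={ev.extension['filename']}")
```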
Correcting system time in the interface
If an error message is displayed when logging in, you might be able to use this task to re-
synchronize DLP appliances with the server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click on the configure link for
the local system.
2. On the System Configuration page, scroll down to Time Configuration.
3. Select the Manual radio button.
4. Enter the correct time and date.
5. Select Update.
6. Click Logout.
7. Click Login.
If this doesn't work, log in to the back end as root and reset the time from the DLP Monitor command line.
Resetting system time manually
Use this task to stop and restart the NTP service before resetting the time manually.
1. Stop the NTP daemon.
# service ntpd stop
# chkconfig --level 2345 ntpd off
2. Restart the NTP daemon.
# service ntpd start
# chkconfig --level 2345 ntpd on
The service command controls the service while the system is running; the chkconfig commands
control what happens at boot time.
Synchronizing DLP devices
If you get a system time error when attempting to log in to the user interface, use this task to re-
synchronize DLP device time with your desktop.
1. Open the Microsoft Windows date/time display.
2. Adjust local time to Greenwich Mean Time.
3. Log on to DLP Monitor and use the date --utc command to enter the corrected date and time.
# date --utc MMDDhhmmCCYY
4. Use the GMT setting to provide the correct time.
# date --utc 080216492009
5. Watch the clock on the date/time display and press enter to send the command when the two times sync up.
6. Type in the hardware time command.
# hwclock -w
7. Type in the date command.
# date
8. If the date is correct, reset Stingray.
# service stingray reset
9. Find and kill the current process.
# ps -ef | grep java
# kill -9 <process id number>
10. Log in to DLP Monitor as root again.
11. Restart Stingray and reboot the machine.
# service stingray restart
# reboot
12. Log in to the web browser. The user interface should launch normally.
13. Return the Microsoft Windows clock setting to the correct time zone.
Managing users and groups
Setting up users and groups
McAfee DLP is designed to use RBAC (role-based access control), which makes it possible to give users
different levels of permissions depending on their roles in the organization.
User accounts are dependent on the groups to which they belong. Users may be created locally,
or an Active Directory server may be used to import existing accounts.
TIP: Before creating a new user group scheme, review the task and policy permissions of the pre-configured
user groups. Clone or reconfigure them as templates to design a user system that will fit your existing
organization.
Administrative Example
A CSO of a large company might log in as primary user and create administrative groups with
specific sets of rights to manage the DLP Manager. These groups might include the following:
● System Administrators
● Network Administrators
● Installation and Setup Administrators
● Policy Administrators
Each administrator might then create Forensics and Analyst groups for users who report to them.
Organizational Example
The primary DLP administrator might decide that user groups should reflect user roles in existing
departments. New groups like the following might be created to reflect the current organization of
the company.
● Engineering Group
● Manufacturing Group
● Marketing Group
● Sales Group
In this example, the rights assigned to each of these groups match departmental tasks and
responsibilities.
Managing user groups
Working with user groups
DLP User Administration matches the rights of individual users to their roles, which are defined
by user group permissions. In ePolicy Orchestrator, go to Menu | Data Loss Prevention |
DLP Sys Config | User Administration | Groups to add, delete, and assign group privileges.
NOTE: Click on the Details icon of any user or group to review task and policy permissions. You must have
administrative permission to assign them.
Using pre-configured user groups
Pre-configured groups provide useful templates for user group design. DLP systems include
eight customizable users and user groups that correspond to common organizational roles.
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User
Administration | Groups to view pre-configured user groups.
NOTE: Click on the Details icon of any user or group to review task and policy permissions. You must have
administrative permission to modify them.
Adding user groups
Use this task to add a user group. You must be an administrator to do this.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select Create New Group from the Actions menu.
3. Type in the name and description (optional) of the new group.
4. Type in an email address.
5. Select users in the Available Users box.
6. Click Add to move them to the Current Members pane.
7. Click Apply.
TIP: Alternatively, you can create a group first, then add users and assign them to the group.
8. Click on the Task Permissions tab.
9. Open the Permissions groups and select one or more checkboxes.
10. Click Apply.
11. Click on the Policy Permissions tab.
12. Open the Policies group and select one or more checkboxes.
13. Click Apply.
TIP: Check View and Execute for all policies.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.
Restricting user groups
Use this task to add restrictions to user groups. For example, you might create a view only group
for users who do not act on incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Click the Details icon.
3. Click the Task Permissions or Policy Permissions tab.
4. Open a Permissions group.
5. Select one or more checkboxes.
6. Click Apply.
7. Repeat until all permissions are set.
8. Click Apply.
TIP: Select the top Delete checkbox under Policy Permissions to keep users from deleting policies.
Deleting user groups
Use this task to delete a user group. You must be an administrator to do this.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Click on the Details link of the group you want to delete.
3. Select Delete from the Actions menu.
4. Click Go.
5. Confirm or cancel.
Managing users
Working with users
DLP User Administration matches the rights of individual users to their roles, which are defined
by user group permissions.
Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users to view
existing users.
TIP: Click on the Details icon of any user or group to review task and policy permissions.
NOTE: Administrative permission is required to add, delete or disable users.
Adding users
Use this task to add users.
1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users | Actions | Create Local
User.
TIP: You can add multiple users by importing them from an LDAP server.
2. Type in the user's login ID, name, email address and password.
3. Select an Available group to which you want the user to belong.
4. Click Add to move it to Current group membership.
5. Repeat until the user is a member of all appropriate groups.
6. Click Apply.
NOTE: If the user doesn't fit logically into the available groups, you must add a new group.
Using pre-configured user types
Pre-configured users provide useful templates for user account design. DLP systems include
eight customizable users and user groups that correspond to common organizational roles.
All pre-configured user groups are listed on the System | User Administration | Groups page.
Administrative permission is required to add or delete them.
TIP: Click on the Details icon of any user or group to review task and policy permissions.
Changing passwords and profiles
Use this task to make changes in your user profile.
1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users.
2. Select the Details icon for the account to be changed.
3. In the User Information dialog box, type in the old password and confirm the new one.
4. Click Update.
Creating an ePO database user
ePO is a Windows server, and DLP Manager is a Linux system that does not support Windows-
based authentication of users. For this reason, you must create an ePO database user to
establish a connection between DLP and ePO systems.
This task is just one aspect of establishing that connection. Consult Installing Host and Network
DLP 9.0 on ePO for more information.
Using a primary administrator account
The primary administrator account is owned by the initial user of the DLP system.
TIP: Create an equivalent administrative user immediately after logging on to preserve the integrity of the
default account.
Primary administrators have complete access to all task and policy permissions and are
responsible for creating users and custom user groups. However, the primary administrator can
assign that task to other administrators.
If you need primary administrator permission to log in, contact McAfee Technical Support.
Viewing active user sessions
Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Live Users to view
active user sessions.
Only administrators can view and manage Live User sessions. Click on the Session ID link of a user to see
what actions have been taken.
TIP: Select Clear All from the Filter by... pane to view all the actions that can be reported.
Setting permissions
Assigning permissions
Use this task to assign permissions to users. Only administrators can assign permissions, and if
group permissions are modified, all its members will have to log out and re-login.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Details icon of a group.
3. Select the Task Permissions or Policy Permissions tab.
4. Open a Permissions group.
5. Select one or more checkboxes.
6. Click Apply.
7. Repeat until all permissions are set.
8. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.
Checking permissions
All rights are inherited from group affiliation, so users must know their group affiliations to check
permissions. Only administrators can assign permissions.
Use this task to check permissions. This procedure will work only if an administrator has given
the user's group permission to view permissions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Users.
2. Select the Detail icon of the user.
3. Make a note of Current group membership.
4. Go to System | User Administration | Groups.
5. Select the Detail icon of the group.
6. Select the Task or Policy Permissions tab.
7. Open a Permissions group.
8. Review the checked boxes.
9. Repeat until all permissions are viewed.
10. Click Cancel.
Setting policy permissions
Users who are tasked with ensuring compliance with company policies might be given view, edit and execute
permission for policies like Acceptable Use, Human Resources, and Suspicious Activity. Similarly, users
responsible for implementation of regulatory issues might have view and execute permission for policies like
SOX Compliance, State Privacy Laws, PCI and GLBA Compliance.
Use this task to assign policy permissions to a user group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Detail icon of the group.
3. Select the Policy Permissions tab.
4. Open Policies.
5. Select or clear the View, Edit, Execute or Delete boxes.
6. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.
Setting task permissions
For example, users who are tasked with scanning repositories with Discover might have the Select All boxes
selected under Document Registration and Discover Scan Permissions. Similarly, users who process incidents
and cases might have the checkboxes under Case and Incident Permissions selected.
Use this task to assign task permissions to a user group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Detail icon of the group.
3. Select the Task Permissions tab.
4. Open a Permissions group.
5. Select or clear the relevant checkboxes.
6. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.
Managing user accounts
Working with user accounts
With this release, security is enhanced by the addition of customized login and password
settings.
Type in alphanumeric entries in the values fields to configure password settings and select from
the drop-down lists to enable lockout.
Customizing login settings
Use this task to discourage unauthorized logins.
NOTE: Lockout is disabled by default.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User
Settings.
2. Check the Enable Lockout box.
3. Enter login parameters in the Login Settings dialog box.
When a user exceeds the maximum number of attempts, the system will no longer respond.
When automatic lockout is set, the session will time out for the time set in minutes.
4. Click Submit.
Customizing password settings
Use this task to force users to create more secure passwords.
NOTE: You must have administrative permissions to change password settings.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User
Settings.
2. Enter password parameters in the Password Settings dialog box.
When a user creates a password, the requirements will be displayed.
3. Click Submit.
Configuring failover accounts
Failover accounts are disabled by default because they allow backdoor access to DLP Monitor.
The link between DLP Manager and Monitor is open, and the default failover account could be used to log on
to Monitor.
The username and password for the failover account are the same as that of the primary administrator. Use this
task to disallow failover logins.
1. Go to DLP Sys Config | User Administration | Failover Account.
2. Type in a username and password for the account.
3. Select Off from the Allow Login menu.
4. Click Update.
If an attempt is made to log in, an error message is displayed indicating that the capability has
been turned off.
Auditing users
Using audit services
The user audit log records all user activity on DLP systems. Users who have administrative
permissions can monitor them.
Re-order the audit log elements by clicking the column headers, or use the Filter by feature in
the navigation bar to sort the results for greater readability.
Filtering audit logs
Use this task to find out who has logged into DLP Monitors and what actions have been taken.
For example, if you suspect a system problem was caused by a single user or action, checking
entries at the time the problem appeared might reveal its source.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit
Logs.
2. Pull down the Timestamp menu under Filter by... .
3. Select a period of interest.
4. Click plus to add a filtering category.
5. Pull down the Filter by... menu and select Device to sort by DLP system.
6. Select equals or not equal from the second pull-down menu.
7. Click "?" to launch a pop-up with the names of the available DLP devices.
Alternatively, you can type in the host name of the machine (listed in the Device column).
8. Repeat the action for any of the other elements listed in the log.
9. Click Apply.
10. Review the log information.
11. Correct or reverse the action.
NOTE: Clear All before creating another filter.
Getting audit log reports
Use this task to get a CSV report of an audit log.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit
Logs.
2. Select Export as CSV from the Actions menu.
3. Open or save the log using the existing tools in your browser.
NOTE: If Microsoft Excel is installed and you select Open, the CSV report will launch in a
spreadsheet.
Filtering audit log reports
Use this task to filter audit log entries.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit
Logs.
2. Determine which cell in the audit log table will act as the primary key.
3. Click on the cell to automatically create a filter in the Filter by... pane.
The dashboard data will immediately change to reflect your selection.
NOTE: Clear All before creating another filter.
Auditing live users
The Live Users feature records all activity in all live sessions. Click on the Session ID to launch
the user audit log.
Re-order the audit log elements by clicking the column headers, or use the Filter by feature in
the navigation bar to sort the results for greater readability.
Sorting audit log reports
Use this task to sort audit log entries.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit
Logs.
2. Determine which column will act as the primary key.
3. Click a column header to rearrange the log entries.
NOTE: Actions are reported chronologically, so the Timestamp column cannot be sorted by clicking the header.
Using capture filters
Working with capture filters
The DLP Monitor capture engine captures all network traffic. The indexer captures and identifies all
TCP/IP traffic, breaking it down into content types. Anything that cannot be identified is tagged
Unknown Protocol.
Because all content is indexed, a capture filter can be used to filter out large portions of network
traffic that do not need to be analyzed by the capture engine.
Filtering network data can cut down on the vast amounts of data captured and analyzed, so it is
important to tune the system using capture filters when it is set up.
This not only improves performance, but makes it easier to expose only the most significant data
for investigation.
NOTE: Under certain circumstances, capture filters can also be used to store critical sessions and
application-level data.
Types of capture filters
Capture filter types are determined by the layer of the OSI model that is recognized and stored
by the capture database.
● Content capture filters reveal significant data types and improve performance by eliminating selected
portions of Flow A (Layer 1) traffic.
● Network capture filters reveal significant data streams and improve performance by eliminating large
portions of Transport (Layer 4) traffic, usually in a specific sequence.
Types of capture filter actions
Content and network capture filters allow different types of user actions.
● Content capture filter actions keep certain types of traffic from being recognized by the capture engine.
● Network capture filter actions ignore specific components of network traffic or store data that is
transmitted via certain protocols.
How content capture filters work
Standard content capture filters included with DLP systems reveal significant data types and
improve performance by eliminating selected portions of Flow A (Layer 1) traffic.
NOTE: Unlike network capture filters, content capture filters can be applied to the network data stream in any
order.
Standard Content Capture Filters
Filter                      Description
Ignore binary               Excludes all binary files
Ignore BMP and GIF images   Excludes images in BMP and GIF formats
Ignore crypto               Excludes encrypted data
Ignore HTTP Gzip responses  Keeps compressed files from being opened more than once (excludes HTTP Gzip responses)
Ignore HTTP headers         Excludes HTTP headers
Ignore P2P                  Excludes all peer-to-peer traffic
Ignore small JPG images     Excludes insignificant images (JPG images smaller than 4 MB)
Ignore flow headers         Excludes flow headers
Content capture filter actions
Content capture filter actions may drop elements or sessions, or store only metadata.
Drop Element
For example, if your network has a large cache of video files that you know are not a security threat because you
have controlled them with configuration management software, you can set up a filter that drops these secure files,
saving time and resources for analysis of data at risk.
Drop Sessions
For example, if your employees are authorized to send or receive any SMTP content that is processed by your
company's mail server, you can drop those communications.
Drop elements and store metadata only
For example, if you want to know what kind of data is moving through the network data stream without storing its
content, storing metadata allows you to keep incidental information (like the source and destination of the data,
data types being transmitted, and protocols being used to transmit it).
Adding content capture filters
Use this task to design and add a content capture filter.
For example, suppose you want to create a filter to ignore all traffic to and from your web server that contains
RTSP files. This would eliminate a significant portion of network activity, making it easier to focus on other types
of traffic that you suspect might be compromised.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Go to System | Capture Filters.
3. Click Create Content Filter.
4. Type in a name and description.
5. Select Ignore or Store from the Action menu.
In this case, you want to ignore RTSP files.
6. Select the DLP Monitor on which you want to install the filter.
If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
7. Open Protocol.
8. Select Protocol from the Element menu.
9. Click "?".
10. Select RTSP from the popup menu.
11. Click Apply.
12. Click Save.
TIP: Add more elements to focus the concept, like size of the files, date and time transmitted, and source and
destination of the traffic.
How network capture filters work
Standard network capture filters included with DLP systems reveal significant data streams and
improve performance by eliminating large portions of Transport (Layer 4) traffic, usually in a
specific sequence.
For example, most businesses are interested in monitoring traffic carried to or from external IP addresses.
When the RFC 1918 filter is active, IP addresses set aside by IANA for internal use can be excluded from
analysis by the capture engine.
Standard Network Capture Filters
Filter                  Description
Ignore RFC1918          Excludes traffic routed to 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255
Ignore HTTP Responses   Excludes program output sent from a server after receiving and interpreting an HTTP request
Ignore unknown          Excludes traffic using unknown protocols
Ignore SMB              Excludes Session Message Block and Microsoft Basic Input/Output System (NetBIOS) traffic
Ignore SSH              Excludes secure shell traffic
Ignore POP              Excludes Post Office Protocol 3 traffic
Ignore IMAP             Excludes Internet Message Access Protocol traffic
Ignore HTTPS            Excludes secure Hypertext Transport Protocol traffic
Ignore LDAP             Excludes Lightweight Directory Access Protocol traffic
Ignore NTLM             Excludes Microsoft New Technology Local Area Network Manager traffic
BASE                    Base Configuration filter (opens the system for storage of incoming data)
Network capture filter actions
Network capture filter actions may ignore or store network data depending on port or protocol
used.
Ignore
For example, you can ignore all web traffic by using HTTP filters, or eliminate authorized email by ignoring traffic
using port 25 (SMTP).
Store
For example, you can store chat traffic by creating a filter that identifies and keeps data transmitted using
AOL_Chat, MSN_Chat, or Yahoo_Chat protocols.
Ignoring or storing IP addresses
Use this task to search for individual IP addresses, a range of addresses, or addresses on
a subnet.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Content or Network filter.
3. Open Source/Destination.
4. Select IP Address.
5. Select source or destination.
6. Enter IP addresses in the value field.
7. Click Search.
Example
192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25
Adding network capture filters
Use this task to add a network capture filter. Designing one requires experimentation, but taking
the time to streamline the capture process can save a lot of processing time.
TIP: Before creating a network capture filter, open the All category in the Network Filter dialog box. This action
either captures or cuts off all traffic, depending on the capture action you select, so that you can observe a
limited pool of data before deciding what to filter.
NOTE:When a network capture filter is applied to the network data stream, its position in the list indicates its
priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data
stream, it must always run last.
1. Make a list of the sessions you want the capture engine to store or ignore.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
3. Select Create Network Filter.
4. Name and describe the filter.
5. Select the devices for deployment.
If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
6. Select a capture action.
7. Configure the Source/Destination, Protocol, and Date/Time components to define the sessions to be stored
or ignored by the capture filter.
8. Click Save.
9. Use the Priority icons to change the order in which filters will be run.
10. Test the filter and modify it, if necessary.
TIP:When establishing a sequence for applying network capture filters to the network data stream, remember
that changing the order of a single filter might skew your results.
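An added example (not the product's own code) that parses the address expression format shown under "Ignoring or storing IP addresses" and then walks constructed sessions through an ordered network filter list that ends in BASE, as the NOTE above requires. The first-match-wins rule, the reduced filter fields (Source/Destination, Protocol, destination port; no Date/Time) and the choice to have the RFC1918 filter match only sessions with both ends in private space are assumptions, and all addresses and sessions are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Span = Tuple[int, int]  # inclusive (low, high) address pair as integers

# Constructed expression in the comma-separated format the guide's Example shows.
SAMPLE_IP_EXPR = "192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25"

def parse_ip_expression(expr: str) -> List[Span]:
    """Turn single addresses, dotted ranges and CIDR blocks into inclusive spans."""
    spans: List[Span] = []
    for term in (t.strip() for t in expr.split(",")):
        if not term:
            continue
        if "-" in term:                                   # 172.25.3.100-172.25.3.199
            lo_s, hi_s = term.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            if hi < lo:
                raise ValueError(f"range runs backwards: {term}")
            spans.append((int(lo), int(hi)))
        elif "/" in term:                                 # 192.168.2.1/25: host bits tolerated
            net = ipaddress.ip_network(term, strict=False)
            spans.append((int(net.network_address), int(net.broadcast_address)))
        else:                                             # 192.168.1.244
            single = int(ipaddress.ip_address(term))
            spans.append((single, single))
    return spans

def address_matches(addr: str, spans: Sequence[Span]) -> bool:
    value = int(ipaddress.ip_address(addr))
    return any(lo <= value <= hi for lo, hi in spans)

# The three private blocks the guide's "Ignore RFC1918" filter excludes.
RFC1918_SPANS = parse_ip_expression("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16")

@dataclass
class Session:
    src: str
    dst: str
    protocol: str
    dport: int

@dataclass
class NetworkFilter:
    """Reduced filter model (assumption): address spans, protocol names and destination ports."""
    name: str
    action: str                                   # "ignore" or "store"
    src: Optional[List[Span]] = None              # None means any address
    dst: Optional[List[Span]] = None
    protocols: Optional[Sequence[str]] = None
    dports: Optional[Sequence[int]] = None

    def matches(self, s: Session) -> bool:
        if self.src is not None and not address_matches(s.src, self.src):
            return False
        if self.dst is not None and not address_matches(s.dst, self.dst):
            return False
        if self.protocols is not None and s.protocol not in self.protocols:
            return False
        if self.dports is not None and s.dport not in self.dports:
            return False
        return True

# BASE has no conditions: it stores whatever the filters above it did not drop.
BASE = NetworkFilter("BASE", "store")

def check_order(filters: Sequence[NetworkFilter]) -> Optional[str]:
    """Return a problem description, or None when the list is usable."""
    if not filters or filters[-1].name != "BASE":
        return "the BASE filter must run last"
    if any(f.name == "BASE" for f in filters[:-1]):
        return "only one BASE filter is allowed"
    bad = [f.name for f in filters if f.action not in ("ignore", "store")]
    return f"unknown action on {bad}" if bad else None

def evaluate(session: Session, filters: Sequence[NetworkFilter]) -> Tuple[str, str]:
    """Assumed semantics: filters run in list order and the first match decides."""
    problem = check_order(filters)
    if problem:
        raise ValueError(problem)
    for f in filters:
        if f.matches(session):
            return f.action, f.name
    return "store", "BASE"   # not reached: BASE matches everything

# Constructed filter list following the guide's own examples (RFC1918, port 25, chat protocols).
# Modelling choice: the RFC1918 filter drops sessions whose source AND destination are private.
SAMPLE_FILTERS = [
    NetworkFilter("Ignore RFC1918", "ignore", src=RFC1918_SPANS, dst=RFC1918_SPANS),
    NetworkFilter("Ignore SMTP", "ignore", dports=[25]),
    NetworkFilter("Store chat", "store", protocols=["AOL_Chat", "MSN_Chat", "Yahoo_Chat"]),
    BASE,
]
```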
Reprioritizing network capture filters
Use this task to reprioritize network capture filters that modify others. Place filters that define the
largest portions of traffic at or near the top of the list to improve processing time.
NOTE:When a network capture filter is applied to the network data stream, its position in the list indicates its
priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data
stream, it must always run last.
For example, if you add a filter to ignore all traffic to and from ports 80 and 453, the capture engine would
ignore all HTTP and HTTPS traffic.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Network Filter and define its parameters.
The new filter is added to the bottom of the Network Filters list.
3. Use the UP arrow in the Priority column to move it up to the correct position.
4. Click Apply.
TIP: Move the new filter up until it is in a position to filter out more traffic than the filters below it, but less than
those above it.
Deploying capture filters
Use this task to deploy a capture filter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Double-click the filter you want to deploy.
3. In the Devices box, check the appliance on which you want to install the capture filter.
4. Click Save.
NOTE: If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
Editing capture filters
Use this task to edit a capture filter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Double-click on the name of the filter.
3. Redefine the filter by changing its parameters.
4. Click Save.
Using undeployed capture filters
Use this task to apply capture filters to targets after they have been created.
If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click on the undeployed capture filter.
3. Select one or more checkboxes of devices on which the filters should be deployed.
4. Click Save.
Viewing deployed capture filters
Use this task to find out which filters are deployed on each DLP Monitor.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. If DLP Manager is managing several Monitors, scroll down the page to see all the filters.
NOTE: If you are using a standalone DLP Monitor, you will see only the filters deployed on your own machine.
If you are using a DLP Manager, scroll down the list to get complete information on all managed systems.
Deleting capture filters
Use this task to delete a capture filter.
If you are on a standalone DLP Monitor, you can delete a capture filter — but on DLP Manager, you can only
remove a capture filter from the Monitor to which it has been deployed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Select the Remove icon next to the filter you want to delete.
3. Click OK to confirm the deletion, or Cancel.
TIP: Before deleting, view deployed filters to determine which DLP Monitors are using the filter.
Setting up system alerts
Configuring system alerts
This release supports device down alerts.
Device down alerts allow you to set up DLP Manager to notify up to 25 users whenever one of
the registered DLP devices goes down.
NOTE: If you have a syslog server, system events are regularly reported to the events database. The database
is polled every 2 minutes, and every alert in the database is sent to the dashboard within this interval. A
timestamp is reported for each alert.
Configuring device down alerts
Use this task to set up notification for users who need to know when DLP devices go down.
NOTE: The notification is the same whether the devices are disconnected or just turned off.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices | System Alerts.
2. Type in the email addresses of the users to be notified. Up to 25 email addresses are supported.
3. Select the alert types you want to send.
4. Click Apply.
Managing DLP systems
Types of device down alerts
There are three possible configuration intervals for a device down alert.
● Notification that the device has recovered and has been up for X minutes
● Notification that the device was down for X minutes
● Notification is sent every X minutes after the device went down
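Added example, not McAfee code and not part of this guide: a small Python model of the three device down alert types listed above, replayed over a constructed heartbeat timeline. The guide only describes the three X-minute intervals; the heartbeat timeout, the one-minute granularity and the device name are assumptions made here so that the semantics of each interval can be seen side by side.

```python
"""Model of DLP Manager's three device down alert intervals (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (minute, alert kind, device name)
Notification = Tuple[int, str, str]


@dataclass(frozen=True)
class AlertConfig:
    """The three X-minute intervals the guide lists, plus one assumed knob."""
    down_after: int = 5         # "device was down for X minutes"
    repeat_every: int = 15      # "sent every X minutes after the device went down"
    up_after: int = 5           # "device has recovered and has been up for X minutes"
    heartbeat_timeout: int = 2  # assumed: minutes without a heartbeat before "down"


def device_down_alerts(device: str, heartbeats: List[int], horizon: int,
                       cfg: AlertConfig = AlertConfig()) -> List[Notification]:
    """Replay a heartbeat timeline minute by minute (0..horizon) and return the
    notifications the three alert types would produce, in time order.
    `heartbeats` lists the minutes at which the device reported in."""
    beats = set(heartbeats)
    out: List[Notification] = []
    last_beat: Optional[int] = None
    down_since: Optional[int] = None
    up_since: Optional[int] = None
    announced_down = False  # a "recovered" alert only follows an announced outage

    for now in range(horizon + 1):
        if now in beats:
            last_beat = now
        alive = last_beat is not None and now - last_beat <= cfg.heartbeat_timeout

        if not alive:
            if down_since is None:          # transition up -> down
                down_since, up_since = now, None
            down_for = now - down_since
            if down_for == cfg.down_after:  # fires once per outage
                out.append((now, "down", device))
                announced_down = True
            if down_for > 0 and down_for % cfg.repeat_every == 0:
                out.append((now, "reminder", device))
        else:
            if down_since is not None:      # transition down -> up
                down_since, up_since = None, now
            if announced_down and up_since is not None and now - up_since == cfg.up_after:
                out.append((now, "recovered", device))
                announced_down = False
    return out


if __name__ == "__main__":
    # Constructed timeline: heartbeats every minute, silence from minute 11 to 44,
    # then heartbeats again until minute 60. Prints four lines: down at 18,
    # reminders at 28 and 43, recovered at 50.
    timeline = list(range(0, 11)) + list(range(45, 61))
    for minute, kind, name in device_down_alerts("dlp-monitor-01", timeline, 60):
        print(f"t+{minute:02d}m {kind:9s} {name}")
```

The design choice worth noting is that a recovery notice is only produced after a "down" notice was actually sent: a device that drops out for less than down_after minutes generates no notifications at all, which keeps a flapping link from flooding the up-to-25 recipients configured above. The reminder interval is counted from the moment the device went down, not from the first notification, which matches the wording of the third alert type.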
Technical specifications
Understanding specifications
Any modifications to DLP equipment, unless expressly approved by the party responsible for compliance, could
void authority to operate the equipment.
DLP hardware has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 16 of the Federal Communications Commission rules.
Operation is subject to the following two conditions:
● the device may not cause harmful interference, and
● the device must accept any interference received, including interference that may cause unwanted
operation.
These limits are designed to provide reasonable protection against harmful interference when
the equipment is operated in a commercial environment.
DLP equipment generates, uses, and can radiate radio frequency energy. If not installed and
used in accordance with the instruction manual, it might cause harmful interference to radio
communications. If operation of this equipment in a residential area causes harmful interference,
it must be corrected at owner expense.
Power Redundancy
To ensure redundancy on the DLP appliances with more than one power supply, all must be
active to share the load while operating at nominal power.
Additional protection is provided if two electrical outlets that are on different circuit breakers are used.
Should one power supply fail, a back-up fan automatically turns on, an alarm sounds and a
warning LED is illuminated. If this occurs, contact McAfee Technical Support for a replacement
unit.
NOTE: If the appliance loses power for any reason, it does not come back up on its own unless you have changed the BIOS power-loss setting in advance; by default the motherboard is set to stay off.
Rack Mounting Requirements
Use this information to ensure safe configuration of DLP appliances.
A) Elevated Operating Ambient Temperature
If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment
may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an
environment compatible with the TMA specified by the manufacturer.
B) Reduced Air Flow
Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the
equipment is not compromised.
C) Mechanical Loading
Mounting of the equipment in the rack should be such that a hazardous condition is not created due to uneven
mechanical loading.
D) Circuit Overloading
Consideration should be given to the connection of the equipment to the supply circuit and the effect that
overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of
equipment nameplate ratings should be used when addressing this concern.
E) Reliable Earthing
Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply
connections other than direct connections to the branch circuit (use of power strips).
Safety Compliance Guidelines
DLP hardware must be installed only in Restricted Access locations (dedicated equipment
rooms, electrical closets, or the like).
CAUTION: Disconnect all power supply cords before servicing. RISK OF EXPLOSION if battery is replaced by
an incorrect type. Dispose of used batteries according to the instructions.
Contacting Technical Support
Contacting DLP Technical Support
Contact McAfee Technical Support by phone, email or web.
Telephone: (800) 937-2237; (408) 988-3832
Email: www.mcafee.com/us/about/contact/index.html
Support Portal: mysupport.mcafee.com
TIP: Troubleshooting tips are available on the WebHelp home page. You can also get system information by
clicking the More or Configure links at Menu | Data Loss Prevention | DLP Sys Config.
Creating a Technical Support Package
Use this task to give your technical support representative background information.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.
2. Select a Monitor or Discover system and click More.
TIP: If you cannot see the link, expand your dashboard.
3. Click Create tech support package.
The system will automatically build a file. It may take a few minutes.
4. Click check back.
5. Click Save to download the file to your desktop.
6. Email the file to your McAfee support representative.
Glossary
A
action rule: An automatic rule that uses one or more specific Prevent Policy actions (allow, block, bounce, encrypt, notify, quarantine, redirect) to resolve violations flagged by the capture engine.
Active Directory: Microsoft directory service used to provide basic organizational LDAP functions, such as integration with existing user systems.
administrator account: Default user account for the primary NDLP administrator (admin).
alert: A message triggered by a significant system event that may require a response.
anchor commands: Reference markers that set conditions for matches found in network data by a Concept.
archive: Compressed files that can be extracted and evaluated by the search engine.
audit log: A record of all actions taken by DLP users.
authentication: A security measure that confirms the identity of a user or entity attempting to access a system.
B
bandwidth throttling: A setting that restricts the quantity of data transmitted to prevent network congestion.
blocking: An action taken to prevent transmission of data outside of a network.
C
capture engine: A DLP component that captures, analyzes, processes, and saves all data on a network.
capture filter: A component that is used to isolate significant portions of data to streamline processing by the DLP capture engine.
case system: A collaborative framework that centralizes resolution of incidents flagged by DLP queries and rules.
centralized alerting: An alert notification process controlled by McAfee DLP Manager.
certificate: A digital component generated by a Certificate Authority that authenticates a secure connection between users or servers.
certificate authority: An entity or service that issues and manages digital security certificates.
CIDR (Classless Inter-Domain Routing): Notation used to define IP addresses and subnet masks beyond 8-bit 'classful' limits to efficiently describe routing of IPv4 or IPv6 packets.
cipher text: Encrypted text that is unreadable until it has been converted into plain text.
cleartext: Unencrypted plain text that is readable by anyone on a network.
compliant: A state that indicates that no policy violations have been found after rules have been applied to the network data stream.
Concept: A DLP component that finds collections of significant data related to a single issue.
console: The centralized Manager device that coordinates DLP appliances.
content filtering: The process of classifying all network data into content types that can be processed by a capture engine.
content type: A database object that defines data according to file type.
crawl: An automated process that scans and indexes the contents of a database or file system.
credential: A utility made up of user name, domain, and password that authenticates entry to a repository or database.
D
Data at Rest: Static data at risk that can be found in a repository or database during a DLP scanning process.
Data in Motion: Dynamic data at risk that is flagged by DLP Monitor in the network data stream.
Data in Use: Static data at risk that can be found on host devices that use network resources.
deployment: The process of distributing policies and rules from DLP Manager to its attached appliances.
DHCP: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.
Discover scan: A type of scan that uses policies, rules, and Concepts to find data that is at risk.
distributed searching: A technique used by DLP Manager to construct queries of network data through multiple DLP Monitors.
drilldown: The process of discovering increasingly granular information about an incident by clicking through link levels on DLP dashboards.
Dynamic Host Configuration Protocol: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.
E
endpoints: Host devices, including laptops, desktops, servers, printers, removable media and mobile devices that utilize corporate resources.
exception: A parameter added to a rule that keeps the capture engine from reporting false positives.
exclude list: A collection of documents that are not to be reported if they are detected during a scan.
F
failover account: A default account that provides backdoor access to a DLP appliance if the link to its Manager is broken.
false positive: An incident that is reported when a rule produces a hit that resembles, but does not match the definition of a violation.
filter: A feature that provides customized views of captured data by selectively screening results on DLP dashboards.
fingerprinting: The process of using an algorithm to create a digital signature that identifies data at risk.
I
incident: An object of interest that is reported to a DLP device when a rule parameter matches a string in network or endpoint data.
inheritance: The application of settings of a DLP policy to its rules.
Inventory scan: A type of scan that produces a manifest of all data available in a repository or database.
L
Lightweight Directory Access Protocol: Directory services used by DLP Manager to identify and extract user accounts residing on external servers.
link speed: A setting that may need to be changed if devices on a network monitored by DLP devices have specific speed and duplex requirements that prevent auto-negotiation.
logical operator: A symbol that is used to construct DLP keyword queries in a shorthand fashion.
M
Mail Transfer Agent: An email relay server used by DLP Prevent to communicate actions to be implemented when data at risk is identified.
Message digest (MD5): A cryptographic hash function used by DLP devices to identify data that has been fingerprinted.
N
network storage scan: A type of Discover scan that crawls network attached storage repositories or databases.
Network Time Server: A local or remote server used by DLP to synchronize date and time with other network devices.
node: A host connected to a network.
P
permissions: Privileges allowing role-based access to DLP users who are assigned specific tasks based on their role in the organization.
policy: A collection of related rules used by DLP devices to identify and classify data at risk.
Prevent Policy actions: A set of actions (allow, block, bounce, encrypt, notify, quarantine, redirect) that can be automatically applied to data at risk by an action rule.
proxy server: A component that acts as an intermediary between a group of intranet devices and the internet.
publishing: The act of distributing policies to DLP appliances from a centralized DLP Manager.
Q
quarantine: Enforced isolation of a file or folder that violates policy or poses a risk to the system.
R
RBAC (Role-Based Access Control): A system that assigns privileges to DLP users based on their roles in an organization.
reaction: An aspect of a host DLP rule that uses one or more specific actions (encrypt, monitor, notify, quarantine, store evidence, delete) to process incidents or violations flagged by the McAfee Agent.
Registration scan: A type of scan that crawls a designated database or file share and generates unique signatures to protect data at risk.
remediation: The process of using action rules to resolve violations found during a DLP discovery scan of a repository or database.
repository: A server, or a share on a server, containing files that are to be crawled by DLP Discover.
repository type: A file system defined by the protocol used to access it.
rule: An entity that identifies anomalies in network or endpoint data by matching its parameters to one or more attributes of data at risk.
RWL (Real World Locality): An entity whose name is likely to be used in a directory search request.
S
scan: A process that locates data at risk while crawling a network repository or database at a designated time.
share: A device, volume, partition, or directory that has been targeted for remote access by a scan operation.
signature: A unique hexadecimal number generated by an algorithm that identifies data at risk.
syslog server: A system log server that automatically receives and records messages from a DLP Manager or Monitor.
T
tar file: A UNIX or Linux archive containing compressed files.
template: A DLP component used to save keystrokes when searching network data, adding rules, or creating capture filters.
tuning a rule: The process of modifying a rule in stages to gradually eliminate false positives from search results.
U
unpublishing: The act of removing policies from deployment on DLP appliances.
V
view vector: A configuration that displays incidents from one of three capture databases (Data-in-Motion, Data-at-Rest, Data-in-Use) on DLP dashboards.
views: A framework that displays incidents found in captured or scanned data in a variety of different configurations on DLP dashboards.
violation: A risk that is reported when a query or rule matches an attribute in the capture database.
W
wiping policy: A setting regulating use of disk space on a DLP Monitor appliance.
Index
A
Action Rules
configuring 89-91, 156, 158-159
deleting 159
types 157
using 155-157
Activation
defining 146
Active Directory 177, 181-183, 185
Alerts
defining 202
notification 202
types 203
Audit logs
defining 194-195
filtering 194-196
C
Capture Filters
actions 196-197, 199
activating 201
by size 25
creating 198, 200
default network 198
default standard 197
definition 196
deploying 201
IP address 16
modifying 201-202
ports 25
reprioritizing 200
types 196
viewing 202
Cases
adding to existing 169, 173
assigning 169
changing owner 170
changing priority 172
changing resolution 170
changing status 171
creating 168
deleting 27-28, 170, 173
managing 168
Concepts
adding conditions 159-160, 163
creating 160, 162, 165-166
defining 160
deleting 166
DocReg 102
network 161, 164
syntax 164
Configuring
backing up 175-176
dashboard 65-66, 72-73, 171
NDLP devices 173, 175
restarting 177
restoring 175-176
shutting down 177
time 186-187
Content types 28
company 29
document 29
office 30
proprietary 30
source code 30
Credentials
creating 122
deleting 122
modifying 122
D
Database crawling 105-112
Devices
adding 174
deregistering 177
viewing 173
DHCP services
adding 178
using 178
Disk space
managing 175
E
Error messages
Discover 98-99
F
Filtering
by browsing 124
by group 74
by time 73-74
examples 10, 13, 15, 168
manually 125
Filters
clearing 73
H
Host DLP
defining 91-95, 156
I
Incidents
deleting 75-76
details 66-67
labeling 76
match strings 131
L
LDAP
adding a server 57-61, 179, 184
adding users 181-183
N
NDLP
overview 1-6
product naming 2
P
Permissions
assigning 97, 192
checking 192
Discover 97
policy 193
task 193
Policies
activating 145-146
changing ownership 147
creating 143, 145
deactivating 146
defining 142
deleting 148
executing 148
inheritance 146
modifying 148
publishing 147
renaming 147-148
standard 143-144
Prevent
actions 78-80, 82, 90, 155
configuring 80, 82
how it works 77, 80-81
using 17
Profile
changing passwords 191
R
registering
by scanning 100
by web upload 101
complete doc paths 102
deregistering data 104, 139
documents in motion 101, 104
excluding text 102
managing resources 104
methods 101, 139-140, 142
signature types 103
with rules 103
registering devices
Discover 96-97
Registration
endpoint data 92-93
Remediation
adding columns 88
applying actions 78-79, 83-84
copying incidents 85
deleting incidents 85
encrypting 86
exporting incidents 84
methods 82
moving incidents 87
resolving problems 83
reverting actions 88
viewing actions 88
Reports
CSV 68
My Reports 64, 69, 76-77
PDF 68-69
save 67, 73
scan history 131-132
schedule 69
Rules
activating 150
creating 22, 94-95, 149-150
deactivating 150
deleting 151
exceptions 58, 61, 151-153
inheritance 150
modifying 77, 151
reconfiguring 150
tuning 154
viewing 149
S
Scan 123
Scanning
default directory 129
defining file properties 127
defining folders 128
defining nodes 126
defining shares 128
fetching files 129
in duplex mode 115
reports 130
results 130
setting bandwidth 115
setting policies 129
statistics 131
storage 138
Scans
configuring 117-120, 138-141
deleting 116
deleting schedules 123
deploying 114
managing 112
modifying 116
modifying schedules 123
modifying states 113
scheduling 123
starting 114
stopping 113-114
viewing 113
viewing scheduled scans 123
Search
by concept 52-54
by content type 38
by digest 38
by email address 31
by email attachment 33
by file owner 37
by file size 37
by file type 37
by filename 36
by filename pattern 36
by IP address 40-41, 199
by keyword 41-45
by location 45-46
by protocol 47-49
by URL 46
by user ID 61-64
chat 31, 35
country codes list 47
custom templates 53
data at rest 132
discovered data 134-137
discovered data 134
distributed 27
email by domain 32
email by hostname 31
email by recipient 34
email by sender 33
email by subject 33-34
finding share names 136-138
fleshtone images 39
images 39
IP addresses in data at rest 133
limitations 26, 54-57
logical operators 42, 45
on subnet 40
repositories 133
results 27
scan operations 132
search List 28
using DocReg 133
Webmail 32, 35
Searching
filters 24, 49-51
Specifications 203-204
T
Tech support
create a summary 205
how to contact 204
Templates
creating 166
deleting 167
standard 167
U
Use Cases 6
confidential data 8
covert email 16
data leaked 7-8
Discover 12
encrypted data 15
financial leaks 17
overseas leaks 23
source code leak 9
unhappy employees 12
user investigation 11, 18-19, 21, 23
website posts 14
websites visited 13
Users
add user 189-190, 193-194
add user group 189-190
design a system 188
failover account 191, 194
preconfigured groups 189, 191
primary admin 191-192
V
Views
copying 70
default 66, 71
deleting 70
saving 70
vectors 71