McADOC1
Level 7
Message 1 of 6

DLPe - can I limit/restrict file on share/map drive where user cannot copy or send it?

Hi,

[only using DLP endpoint]

I have a folder on a server with a specific path...c:\confidential\data\

1.  Is there a way to have all files in there automatically tagged when they are created?

        I can do a discovery but that is only once a day!

Going further, I have select users that will map to that location. They need to edit and save that file to that mapped location. We do not want the file to leave the server (to the best we can).

2.  How can I configure the policy on the user's computer to be restricted to just open, edit and save back to that location?

The goal is to prevent this user from taking the file and emailing or posting on a different share.

Thoughts?

Thanks.

 

5 Replies
Corey-DLP
Employee
Message 2 of 6

Re: DLPe - can I limit/restrict file on share/map drive where user cannot copy or send it?

Hello and thank you for posting here!

If the directory location you are looking to monitor is local to the system, then I believe a discovery scan would be your best option. We do have a location based fingerprinting classification criteria that would fingerprint files upon creation, but that can only focus on UNC shares. 

Additionally, DLPE does have a Network Share protection rule which can take action on files uploaded to a network share. However, there currently is not an option to block files within that rule. The only rule reaction options are Monitor (no action), Encrypt, Request Justification and Apply RM Policy. 

I know you mentioned DLP Endpoint only, however an alternative might be to use DLP Discover to scan the network shares you are concerned with. A DLP Discover scan can be configured to scan for files that have been proactively classified and move them to a different location.

McADOC1
Level 7
Message 3 of 6

Re: DLPe - can I limit/restrict file on share/map drive where user cannot copy or send it?

Thank you for the follow-up.

I do not think we have a license for DLP Discover but will check.

Can you clarify this 'location based fingerprinting classification criteria' - rather, where in the manual to help me get started?

https://docs.mcafee.com/bundle/data-loss-prevention-11.6.x-product-guide/page/GUID-0629B0B5-504A-445...

 

Thanks.

 

Corey-DLP
Employee
Message 4 of 6

Re: DLPe - can I limit/restrict file on share/map drive where user cannot copy or send it?

The product guide link you posted would be a good place to start. The DLP Interface Guide also has some details explaining each option within the location content fingerprinting criteria page.

 

McADOC1
Level 7
Message 5 of 6

Re: DLPe - can I limit/restrict file on share/map drive where user cannot copy or send it?

Hi,

I can't get it to work or see it work.

I put my steps in the attached doc.

Any thoughts on where I am going wrong?

Would the policy be applied to the server that has the file or the endpoints (where I applied it) that connect to that UNC location? - or am I misinterpreting this?

Thanks.

 

Corey-DLP
Employee
Message 6 of 6

Re: DLPe - can I limit/restrict file on share/map drive where user cannot copy or send it?

I reviewed the Word doc you attached. So, the Network Share Protection Rule will only generate an incident when a file is copied to that network share location, not from. That said, with just the Location Based Fingerprinting Classification alone, those files on that share should get tagged when the end user interacts with those files in some way. You could then build other rules (Email Protection, Web Protection) using that same Fingerprinting Classification to block or prevent those files from leaving the environment.
