Technical Articles ID: KB84085
Last Modified: 2022-02-14 19:26:18 Etc/GMT
Environment
Data Loss Prevention (DLP) Endpoint 11.x
Summary
This article is a consolidated list of common questions and answers. The article is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article:
February 14, 2022 - Added new content in the "Compatibility FAQs" section.
What kind of DLP Endpoint configuration and licensing options are available?
DLP Endpoint is available in two configurations:
Device Control
DLP Endpoint (Full DLP Endpoint)
Each configuration is available with two licensing options:
90-day trial
Unlimited license
The default installation is a 90-day license for McAfee Device Control. On installation, the McAfee Device Control configuration is activated. Upgrading the license key in DLP Settings in the ePO console switches the product to the full-featured configuration.
What features are included in DLP Endpoint?
A full DLP Endpoint license has all capabilities of a Device Control license. In addition, full DLP Endpoint software includes the following:
Universal protection that protects against data loss through the broadest set of data-loss channels. For example, removable devices, email (including attachments), web posts, printing, and file system.
Persistent content-aware data protection that protects against data loss regardless of the format in which data is stored or manipulated. It enforces data loss prevention without disrupting legitimate user activities.
Protection on-the-go that prevents transmission of sensitive data from desktops and laptops, regardless of whether they’re connected to the enterprise's network.
What licenses are available for DLP?
DLP is a suite of products, each of which protects different types of data in your network. License types available:
Data Loss Prevention Endpoint - Inspects and controls content and user actions on endpoints.
Device Control - Controls the use of removable media on endpoints.
Data Loss Prevention Discover - Scans file repositories to identify and protect sensitive data.
Data Loss Prevention Prevent - Works with your web proxy or MTA server to protect web and email traffic.
NOTE: Data Loss Prevention Prevent for Mobile Email is no longer supported. This product used to work with MobileIron to monitor Microsoft Exchange ActiveSync or Microsoft Office 365 ActiveSync requests.
All licenses have trial versions and Perpetual versions. Trial versions use a 90-day license key.
Where can I find my license key?
You can find the license key text on the Product Downloads page under the "Notes" section and on the ePO Software Manager page under the product description.
If you have a trial package but don’t have the text file, contact your sales representative or sales engineer for assistance in downloading the software.
How long does the license remain active?
The trial license remains active for 90 days before expiring. After 90 days, your policies won’t be applied. Perpetual licenses don’t expire.
Where can I find best practice recommendations or white papers for using Data Loss Prevention?
What are Scanners and indexers?
Scanners and indexers are applications that iterate files for scanning, such as:
Antivirus Software
Backup Applications
Windows Search
Indexers and scanners sweep the hard drive and access many files. When a scanner or indexer accesses tagged files, the DLP Endpoint Agent loads the fingerprints of all tagged content into memory. To prevent these fingerprints from being loaded into memory, set indexers and scanners to use the Trusted application strategy. This setting is considered a best practice when configuring DLP Endpoint, because there's no need for the DLP Endpoint Agent to track every file these applications touch, and it improves system performance significantly.
How do I configure a Trusted Application Strategy Policy?
Application strategies are set on the Application Template page in DLP Policy Manager, Definitions. Use the built-in templates, or create your own custom templates.
NOTE: You can't edit strategies in the built-in templates. You can create overrides on the DLP Policy, Settings, Application Strategy page. Create and remove overrides as needed to experiment with fine-tuning the policy.
Change the strategy as needed to optimize performance. For example, the high level of observation that an editor application receives doesn't fit the frequent file processing of backup software: the performance penalty is high and the risk of a data leak from such an application is low. So, we don't recommend using the trusted strategy with these applications.
You can also create more than one template for an application and assign it more than one strategy. To achieve different results in different contexts, use the different templates in different classifications and rules. You must be careful in assigning such templates within rule sets to avoid conflicts. DLP resolves potential conflicts according to the following hierarchy: archiver, trusted, explorer, editor. That is, editor has the lowest ranking. If an application is an editor in one template and anything else in another template in the same rule set, DLP doesn’t treat the application as an editor.
For more detailed information, see the Data Loss Prevention 11.4.x Product Guide.
Do scanners and indexers affect how tagging works?
When a file is accessed, the DLP Endpoint Agent analyzes the content, then creates its fingerprints and stores them in memory (RAM).
Do DLP Endpoint tags work on the entire file or content of the file?
On the file system level, DLP Endpoint tags are stored in a file's extended file attributes (EA) or alternate data streams (ADS). When a tagged file is accessed, the DLP Endpoint Agent tracks data transformations. Also, it maintains the classification of the sensitive content of the tagged file persistently, regardless of how it’s used.
Tags work on content. So, if a whole file contains just a part of tagged content, such as content copied from another document, only that part is tagged. Only that part is tagged even though Manual Tagging indicates that the file is tagged. With the default agent configuration, at least two chunks, or about 350 non-repeating characters, are needed to identify and track tagged content. For more information, see KB53436 - Details about the smallest data set that triggers a Data Loss Prevention reaction.
How does tagging propagate from one file to another?
Tags work in much the same way as signatures and are generated in a similar way to fingerprint hashes. These signatures help to identify if the content of the file matches the original signature content.
When a tagged file is accessed, the tagged content signatures are loaded into memory (RAM). From that point on, if a user accesses and changes another file to contain identical content in the tagged file, the new file is tagged when it’s saved. The result is similar, regardless of whether you copy a file to a new document or an existing document. Only the relevant part of the file is tagged.
How about when you copy content of a file and paste it in an email body or web browser form?
When a tagged file is accessed, the tagged content signatures are loaded into memory (RAM). From this point forward, all protection rules actions apply to this content. If an Email Protection Rule is configured to block the tag, content pasted from a tagged file is blocked. The same condition applies to Web Post Protection Rules.
How is the tag stored on the file system?
Tag technology works with the NTFS (New Technology File System) functionality of the host. Unlike FAT32 (File Allocation Table), NTFS has extra allocation space for the files to be stored. This fact allows tagging technology to work independently on file properties. The fallback method for FAT32 is ADS and ODB$ (in FAT32). For file systems that don’t support EA or ADS, DLP Endpoint stores tag information as a metafile on the disk. The metafiles are stored in a hidden folder named ODB$. DLP Endpoint agent creates this folder automatically.
NOTE: Because the tag isn't stored directly in the file or its properties, the content isn't affected when a file is tagged.
Can a tag be lost if it’s uploaded through web post or transferred via FTP?
The uploaded file isn’t tagged. Upload via web post or FTP only deals with the file content itself, and not the additional information in the file system. If there are web/network protection rules configured, the file upload or transfer can be monitored or prevented.
If I’m accessing a file that isn’t tagged but the content matches tagged content, is it tagged?
Although no content is being copied from tagged FILE_1 to FILE_2, FILE_2 is still tagged when it’s saved. It’s tagged because the content matches the tag signatures stored in memory when FILE_1 was accessed. This method is similar to a signature matching technology, where the end file resembles the content of the fingerprinted file.
How can the tags in memory be deleted?
The tags stored in memory are deleted when the user logs out or restarts the system.
Does resetting a tag remove the tags from the extended attribute of the file?
Yes. If a tag was reset, the identification (GUID) of the tag is changed. When the agent has the latest policy and it detects a tag identification that it doesn’t recognize, the tag is removed from the extended attributes when the file is saved.
How does allow list complement a tag?
Content in the allow list is prevented from being tagged. An allow list is typically useful for common content such as disclaimers or standard company templates.
Does allow list affect previously tagged files already residing on the user endpoint?
It works on newly tagged files and on files tagged before the allow list was configured. As long as the content is in the allow list, protection rules aren't applied to it.
How does DLP Endpoint tagging work with compression software?
If a tagged file is compressed, the resulting archive is also tagged. The Administrator must make sure that the archiver application is set to use the Archiver application strategy. Technical Support has included in DLP Endpoint the application strategy of some popular archive applications like WinZip.
Is USB AttachedSCSI (UAS) Mass Storage Device supported in allow list?
No. DLP doesn’t read the device if it isn’t found in the Device Manager. DLP blocks SCSI at the adapter level, so it isn’t supported in the allow list. For more information, see KB91074 - How to block a USB Attached SCSI (UAS) Mass Storage Device.
What languages are supported?
See the "Supported languages" section in the DLP Endpoint Release Notes for details about localized language support.
Which DLP Endpoint applications are installed in ePO?
The following DLP Endpoint applications are installed in ePO:
DLP Endpoint policy console
DLP Incident Manager and DLP Operational Events
DLP Event Parser
DLP Settings
DLP Endpoint and Help Content
Do I need to install McAfee Agent?
Yes. To add data loss protection, you must also deploy the DLP Endpoint plug-in for McAfee Agent. You can install the plug-in using the ePO infrastructure.
How do I install the DLP Endpoint extension and the DLP Endpoint client software?
Instructions are provided in the "Install McAfee DLP Endpoint software" section of the applicable DLP Endpoint Installation Guide for your version.
How do I manually install the DLP Endpoint client software?
Use the following steps to manually install DLP Endpoint client software:
Extract McAfeeDLPEndpointXXLicensed.zip to a temporary folder.
Navigate to the following path in the temporary folder:
\TAG_AGENT_X_X_XXX_XXX\Signed_Package, where X_X is the product version number and XXX_XXX is the update and build number.
Example: \TAG_AGENT_11_1_400_00\Signed_Package
Run DLPAgentInstaller.yy.exe (where yy is either x86 or x64).
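The following PowerShell script is an added example, not part of the KB article or the product's own tooling. It automates the three manual steps above: extract the package, locate the Signed_Package folder under a TAG_AGENT_* directory, and run the installer that matches the OS architecture. It assumes the zip file path is passed as a parameter, that the installer file names follow the DLPAgentInstaller.x86.exe / DLPAgentInstaller.x64.exe pattern shown above, and it adds an Authenticode signature check before executing anything from the temporary folder; it passes no installer switches because the article names none.

```powershell
# Added example (not from the KB): automate the manual DLP Endpoint client install.
# Assumptions: $PackageZip is the licensed package zip named in the article; the
# installer names follow DLPAgentInstaller.<x86|x64>.exe; no silent switches are used.
param(
    [Parameter(Mandatory = $true)]
    [string]$PackageZip,                                   # e.g. McAfeeDLPEndpointXXLicensed.zip
    [string]$TempRoot = (Join-Path $env:TEMP 'dlp-install') # temporary extraction folder
)

# Step 1: extract the package to a temporary folder.
New-Item -ItemType Directory -Path $TempRoot -Force | Out-Null
Expand-Archive -Path $PackageZip -DestinationPath $TempRoot -Force

# Step 2: locate \TAG_AGENT_X_X_XXX_XXX\Signed_Package (version and build digits vary).
$signed = Get-ChildItem -Path $TempRoot -Directory -Recurse |
    Where-Object { $_.Name -eq 'Signed_Package' -and $_.Parent.Name -like 'TAG_AGENT_*' } |
    Select-Object -First 1
if (-not $signed) { throw "Signed_Package folder not found under $TempRoot" }

# Step 3: choose the installer that matches the operating system architecture.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$installer = Join-Path $signed.FullName "DLPAgentInstaller.$arch.exe"
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# Defensive check (added here, not in the article): refuse to run an installer
# whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; aborting" }

Write-Host "Running $installer ($arch)"
$proc = Start-Process -FilePath $installer -Wait -PassThru
Write-Host "Installer exit code: $($proc.ExitCode)"
```

Run it from an elevated PowerShell session as `.\Install-DlpAgent.ps1 -PackageZip C:\path\to\package.zip`; the exit code printed at the end is the installer's own and is the value to check in any deployment log.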
How do I manually uninstall DLP Endpoint from the client?
DLP Endpoint client software is protected from unauthorized removal. Manual removal is available using the Microsoft Windows Add or Remove Programs option. This method requires a challenge‑response key, which is obtained from the DLP Endpoint administrator.
Use the following steps to disable the challenge-response prompt in DLP Policy:
Log on to the ePO console.
Click Menu, Data Protection, DLP Policy.
Click Agent Configuration, Edit Global Agent Configuration.
Click the Advanced Configuration tab.
Select each of the following entries, and configure as needed to enable or disable the challenge-response key. Then click OK:
Show challenge-response on upgrade
Show challenge-response on uninstall
Click Apply to save the changes. For more information, see the DLP Endpoint Installation Guide for your version.
What is the purpose of the DLP Endpoint Policy Manager?
The DLP Endpoint Policy Manager console allows administrators to define and enforce their enterprise information security policy. The Policy Manager is used to create the security policy and administer the DLP Endpoint components. It’s accessed in ePO.
Can I back up and save policies?
You can save policies as a backup by going to the ePO Menu, DLP Settings, Backup and Restore tab. Select Backup to File. This function is useful for DLP policy backup. It creates a file named dlpConfig.backup.
It contains DLP policies, classifications, and definitions.
To restore policies using this backup or a backup from a different ePO server, go to Menu, DLP Settings, Backup and Restore tab. Browse to the backup file location and click Restore from file.
NOTE: The DLP Extension version must be higher than the version being imported.
How do I suppress reboot messages after DLP Endpoint installation?
Before DLP 11.0.5, a reboot was needed on the endpoint when the product was upgraded. Restarts are no longer needed after upgrading DLP to versions later than 11.0.5. We recommend always upgrading DLP to the latest available version.
How do I run multiple DLP Endpoint versions at the same time (clients, extensions, or both)?
You can manage multiple DLP Endpoint client versions using the latest version of the DLP Endpoint ePO extension. Configure the Backward compatibility mode option in the DLP Endpoint policy as follows:
Log on to the ePO console.
Click Menu, Data Protection, DLP Settings.
Click the dropdown next to Backward Compatibility and select the highest available version of DLP and later.
Click Save in the bottom-right corner.
NOTE: You can install only one DLP Endpoint extension per ePO server.
Can I modify or customize the NDLP appliance?
No. Some customers ask whether changes can be applied at the Operating System (OS) level as part of their security implementation, for example SCD 12.
This is similar to applying a security layer at the OS level to reduce the risk and impact of threats.
NDLP doesn't provide support for any such changes.
NOTES:
McAfee Linux OS (MLOS) is used, which is a hardened variant of RHEL or CentOS, and no further change is allowed.
Data Loss Prevention appliances (DLP Prevent and DLP Monitor) aren't designed to support the installation of third-party software. Installing third-party software might disrupt the function of the appliance.
What is McAfee Device Control?
McAfee Device Control prevents unauthorized use of removable media devices. McAfee Device Control provides persistent content-aware protection that:
Controls what data can be copied to removable devices
Blocks devices completely
Makes devices read-only
Blocks applications that run from removable devices
What types of allow lists does DLP Endpoint use?
DLP Endpoint uses four types of allow lists:
Application - Allow needed applications such as encryption software. The definitions for allow list applications can be created to exempt applications from blocking rules.
Content - Contains text files that define content (typically boilerplate text) that isn’t tagged and restricted. Its purpose is to improve the efficiency of the tagging process by skipping content that doesn’t need to be protected.
Plug and Play devices - Automatically excluded from device management because some plug-and-play devices don’t handle device management well.
Printers - Prevent printing of confidential data. DLP Endpoint replaces the original printer driver with a proxy driver that intercepts printing operations and passes them through to the original driver.
What type of encryption does DLP Endpoint support?
DLP Endpoint supports encryption in the following ways:
Provides built-in device definitions that recognize DLP Endpoint for removable media devices and content encrypted with File and Removable Media Protection (FRP) software.
Incorporates the built-in device definitions from FRP to allow creation of device rules that permit only encrypted content to be saved to devices.
Supports in-file system discovery rules for Adobe LiveCycle and Microsoft Rights Management protection.
Provides filtering rules by the encryption status of a document (encrypted/not encrypted).
Provides filtering in file system discovery, email storage discovery, and most protection rules by Adobe LiveCycle or Microsoft Rights Management protection.
Provides Encryption on Demand.
What happens when an agent determines a policy violation has occurred?
The agent generates an event and sends it to the ePO Event Parser. ePO administrators can then view these events in DLP Incident Manager in ePO. To see the incidents list, go to Menu, Data Protection, DLP Incident Manager.
What is evidence and where is it stored?
Evidence is a copy of the data that caused a security event to be posted to the DLP Incident Manager. DLP Endpoint stores evidence in a temporary location on the client between agent-server communication intervals. When McAfee Agent passes information to the server, the folder is purged. Also, the evidence is stored in the server evidence folder. You can specify the maximum size and age of local evidence storage when the computer is offline.
Prerequisites for evidence storage
Enabling evidence storage is the default condition for DLP. If you don’t want to save evidence, you can disable the evidence service to improve performance. The following are either needed or set as defaults when setting up the software:
Evidence storage folder — Creating a network evidence storage folder and specifying the UNC path to the folder are requirements for applying a policy to ePO. Specify the default path on the DLP Settings → General page.
Evidence copy service — The default UNC path is copied to the Evidence Copy Service pages in the Policy Catalog. For DLP Discover, DLP Prevent, and DLP Monitor, the Evidence Copy Service page is in the Server configuration. For McAfee DLP Endpoint, it is in the Windows and Mac OS X client configurations. You can specify different evidence storage folders in the configurations.
NOTE: If your DLP appliance is in a DMZ, you can specify an evidence server outside your firewall. Specify it in the General page in the DLP Appliance Management policy catalog.
Reporting Service — For DLP Endpoint for Windows, you must also activate the Reporting Service and Evidence Copy Service options to enable evidence collection. Activate the options on the Operational Modes and Modules page of the client configuration.
How does ePolicy Orchestrator (ePO) generate the DLP Endpoint Agent Status in the dashboard?
The DLP Endpoint Agent Status in the dashboard isn’t generated in real time. The Agent Status is a general representative state of Agents when the DLP MA Properties Reporting Task is executed. By default, this task is executed once per day. This task copies DLP MA properties from ePO tables to DLP Endpoint reporting tables. DLP MA Properties are retrieved from McAfee Agent when endpoints send their properties during an agent-server communication call. By default, communication happens every 60 minutes.
On the ePO dashboard, I noticed that some PCs are reporting the following DLP Endpoint Agent Status: Agent is running (at least one user session is unprotected). Should I be concerned?
Usually, the displayed status is normal and there’s no cause for concern. DLP Endpoint provides multi-session support. DLP Endpoint protects only the logged-on user session by default. The following are a few possible scenarios when this status is seen:
The user has logged off the system. Because agent-server communication can happen after the user logged off, DLP Endpoint reports the Agent Status for the logged-off user session as Agent isn’t running. On a system level, the DLP Endpoint Agent is still running.
The user has logged off the system, but an application is still running under that user ID.
The dashboard isn’t generated in real time and relies on agent-server communication.
On the ePO dashboard, I noticed that there are some systems reporting the following DLP Endpoint Agent Status: Agent Up – No Policy. What must I do?
Check the system from the ePO System Tree. You can perform an Agent wake-up call to retrieve the latest properties. Under Data Loss Prevention Endpoint, you can see the latest status. If the status is Agent Up - No Policy, the policy might not be applied to the Agent for one of the following reasons:
The Agent is installed or upgraded and rebooted, but hasn’t received the latest policy. To fix this situation, perform an Agent wake-up call.
After an upgrade, the policy isn’t updated properly. To make sure that the policies are upgraded, open and resave the DLP policies and Agent configuration.
The Agent might be older or newer than the DLP Endpoint Extension in ePO. If the Agent is older, make sure that backward compatibility is configured to support the older Agent. If the Agent is newer, upgrade the DLP Endpoint Extension.
How do I verify the DLP Endpoint Agent Status from the registry?
The DLP Agent Status can be determined from the following registry key on the endpoint.
For a logged-on user session, check the following registry key:
The following is a list of possible values (Active/Status), the DLP Endpoint Agent Status each represents, and its description:
0 - User logged off: The user is logged off. This status is mainly for compatibility with Agents earlier than version 9.3.
1 - Agent is Running: The Agent is running.
2 - Agent drivers initialization failed: The driver isn't installed correctly, the driver isn't loaded, or DLP Endpoint isn't running. If DLP Endpoint doesn't load, it tries to repair the drivers or registry; if that fails, it sets this key.
3 - Agent Installed, pending reboot: The installed Agent needs a restart. This status displays only after installation.
4 - Agent running but no policy: The Agent is running (fcag processes running, but no policy enforcement has occurred yet). The computer has restarted after DLP Endpoint was installed, but it hasn't yet received the policy.
5 - Agent installation failed: If the installer fails, it writes this value to the registry.
6 - Agent removed: DLP Endpoint creates an event for the McAfee Agent to send to the database. Only the CMA reporting task can read this plug-in. Because the DLP plug-in doesn't exist anymore, there's no way for DLP Endpoint to communicate this fact to ePO.
7 - Agent isn't running: The Agent isn't running.
8 - Agent running in Full DLP Mode: The Agent is running in Full DLP Endpoint mode.
9 - Agent running in RS + Device Control: The Agent is running in Removable Storage and Device Control mode.
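The following PowerShell function is an added example, not part of the KB article or the product. It reads the agent status value from the registry and translates it using the table above, flagging anything other than a running-with-policy state (1, 8, 9) for follow-up. Two things are assumptions: the article does not reproduce the registry key path, so $StatusKeyPath is a placeholder you must replace with the key from the article, and the value name is assumed to be Status, matching the Active/Status column above.

```powershell
# Added example (not from the KB): translate the DLP Endpoint Agent Status registry
# value using the table in the article. ASSUMPTION: replace the placeholder below with
# the registry key the article refers to; the value name 'Status' is also an assumption.
$StatusKeyPath = 'HKLM:\PLACEHOLDER_DLP_AGENT_STATUS_KEY'

# Status codes and their meanings, copied from the article's table.
$StatusTable = @{
    0 = 'User logged off'
    1 = 'Agent is running'
    2 = 'Agent drivers initialization failed'
    3 = 'Agent installed, pending reboot'
    4 = 'Agent running but no policy'
    5 = 'Agent installation failed'
    6 = 'Agent removed'
    7 = "Agent isn't running"
    8 = 'Agent running in Full DLP mode'
    9 = 'Agent running in RS + Device Control mode'
}

function Get-DlpAgentStatus {
    param(
        [string]$KeyPath   = $StatusKeyPath,
        [string]$ValueName = 'Status'    # assumed value name (Active/Status column)
    )
    if (-not (Test-Path -Path $KeyPath)) {
        # A missing key most likely means the agent is not installed or the path is wrong.
        return [pscustomobject]@{ Code = $null; Status = 'Registry key not found'; Healthy = $false }
    }
    $code = [int](Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    $text = if ($StatusTable.ContainsKey($code)) { $StatusTable[$code] } else { "Unknown status code $code" }
    # Only 1, 8 and 9 mean the agent is running and enforcing policy; code 4 (no policy)
    # and everything else should be investigated (see the Agent Up - No Policy question above).
    [pscustomobject]@{
        Code    = $code
        Status  = $text
        Healthy = ($code -in 1, 8, 9)
    }
}

Get-DlpAgentStatus | Format-List
```

Because the dashboard status is refreshed only by the daily DLP MA Properties Reporting Task, reading the value locally like this is the quickest way to confirm an endpoint's real state when the dashboard and the machine appear to disagree.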