
How to run data loss prevention (DLP) scans in Comodo Client Security

Release Time: 02/04/2020

Click 'Settings' > 'Data Loss Prevention'

  • Data loss prevention (DLP) rules let you scan Windows devices for files that contain sensitive information.
     
  • For example, the scan finds card numbers, social security numbers, bank account numbers, bank routing numbers, and more.
     
  • You can review all files which contain sensitive data from the 'Logs' interface. You can then take action to secure that data where required.

Use the following links to jump to the task you need help with:

Overview

  • You first create a discovery scan rule at 'Settings' > 'Data Loss Prevention' > 'Discovery Rules'.
     
  • The rules let you specify the areas you want to scan, and the types of information you want to search for.
     
  • You can also run discovery scans from 'General Tasks' > 'Data Loss Prevention Scan'
     
  • Results – you can view scan results at 'Logs' > 'Data Loss Prevention Events'.

Create a DLP scan rule

  • Click 'Settings' > 'Data Loss Prevention' > ‘Discovery Rules’

These rules tell the scanner exactly what type of data to search for. You will define the following items:

  • Location - The folders or drives that you want to scan
     
  • File types - The file extensions you want to inspect. For example, .doc, .xls, .txt.
     
  • Search pattern - The type of data you want to search for. For example, card numbers, bank account numbers, social security numbers, dates-of-birth, etc.

You can then run the scan on the device from 'General Tasks' > 'Data Loss Prevention' > 'DLP Discovery Scan'.

  • Click 'Settings' > 'Data Loss Prevention' > 'Discovery Rules'
     
  • Click ‘Add’ at the top


 

  • Rule Name - Enter a label for the rule.

Complete the following steps to create a DLP discovery rule:

Step 1 - Add scan targets

Targets are the folders or drives that you want to scan.

  • Click the ‘Targets’ tab if not already open
     
  • 'C:\Users' is included by default.
     
  • Click ‘Add’


     
    • File - Browse to the file location, select it and click ‘Open’
       
    • Folder - Browse to the folder location, select it and click ‘OK’. You can also select a drive if required.
       
  • Repeat the process to add more targets

Step 2 - Add Exclusions (optional)

You can exclude specific locations and/or file types from your discovery scan.

  • Click ‘Exclusions’ then ‘Add’



 

File Groups - Exclude specific file types.

  • Filegroups make it easy to exclude an entire class of files – for example, ‘Windows startup files’ or ‘Metro files’.
     
  • CCS ships with a range of preset groups. You can edit these groups or create your own.
     
  • Click 'Settings' > 'File Rating' > ‘File Groups’ for help with this.
     
  • See this help page if you want help with managing file groups. 

File – Exclude a particular file

Folder – Exclude a particular folder

  • Repeat the process to add more exclusions.

Step 3 - Search patterns

Patterns let you tell the scanner what kind of sensitive information you want to find. For example, credit card numbers, social security numbers, bank routing numbers, etc.

  • A pattern is a format used by the type of data that you want to find. Each pattern is a combination of an ‘information format’ and a ‘keyword group’.
     
  • For example, the ‘Name with SSN’ pattern consists of:
     
    • Keyword group = ‘Names’ keyword group.
       
    • Information format = 9 digit number arranged in 3-2-4 formation, like '123-45-6789'.
       
  • CCS ships with a number of patterns that you can use to search for sensitive data.

Add patterns

  • Click the 'Patterns' tab then 'Add':
     


 

  • Choose the type of information that you want to search for in scanned locations. For example, credit card numbers, social security numbers, bank routing numbers, etc.

Note – You MUST add keywords to the keyword group or the search will not work. For example, you must add some names to the ‘Names’ group.

The following table shows the information formats and keyword groups contained in each pattern:

  • Name with 5-8 Digit Account Number - Consists of Keyword Group 'Names' and a 5-8 digit bank account number.
     
  • Name with 9 Digit Account Number - Consists of Keyword Group 'Names' and a 9 digit bank account number.
     
  • Name with 10 Digit Account Number - Consists of Keyword Group 'Names' and a 10 digit bank account number.
     
  • Name with SSN - Consists of a Social Security Number and Keyword Group 'Names'.
     
  • ABA Routing number - Consists of an American Bankers Association (ABA) routing number. This is the nine digit bank code printed on negotiable instruments in the US.
     
  • Date of birth - Consists of a birth date.
     
  • Credit Card Number - Consists of a credit card number.
     
  • IP Network - Consists of IPv4 and IPv6 IP addresses. Examples: 192.0.2.0/24, 198.51.100.0, 2001:0db8:85a3:0000:0000:8a2e:0370:7334, 2001:db8:1234::/48
     
  • Network Address - Consists of URLs and domain names. Examples: http://domain.name, https://domain.name, www.domain.name, domain.com, local.net
     
  • IBAN Code - Bank account number in International Bank Account Number (IBAN) format.
     
  • MAC Address - Searches for MAC addresses, the unique identifier assigned to network cards.
The pattern is added to the rule:
 


 

  • Threshold – Specify the number of times that data matching the pattern must be found in a document. For example, if you set a threshold of 2 then the scan must find 2 instances of the pattern in a document before it flags the document.
  • Repeat the process to add more patterns



 

  • Click the 'X' icon on the right if you want to remove a pattern from the rule

Document types

This tab lets you choose which file extensions you want the scan to inspect. For example, if you select ‘.doc’, then the scan will check ALL .doc files in the target locations.

  • Click the 'Document Types' tab



 

  • Use the switches in the status column to choose which types of files you want to scan.
     
  • Click 'OK' to save your settings.
  • Repeat the process to add more rules.

You can now run a DLP scan with the rule. If your pattern uses the 'Names' keyword group, make sure you have added keywords to that group first.

Add keywords to keyword groups

Click 'Settings' > 'Data Loss Prevention' > 'Keywords Groups'

  • Keyword groups are used by DLP rules to identify sensitive data. They are a list of specific items that the scan searches for. For example, the 'Names' group is a list of common first names and surnames.
     
  • Keyword groups are paired with an ‘information format’ to form a 'pattern'.
     
    • An information format is a notation used by the type of data you want to find. For example, the information format of a social security number is a nine digit number in 3-2-4 formation, like '123-45-6789'.
       
    • So a search for the SSN ‘pattern’ will identify all instances of ‘Name + SSN’ in target documents.
       
  • You MUST add some names to the ‘Names’ group or the search will not work. Patterns that have an empty keyword group will not produce any results.

Add names to the ‘Names’ keyword group

  • Click 'Settings' > 'Data Loss Prevention' > 'Keywords Groups'



 

By default, there are two keyword groups – 'Network Terms' and 'Names'. These groups cannot be removed.

  • Network Terms – This keyword group is under development and will be available in a future release.
  • Names – Add the names that you want to search for. The names group is paired with a variety of information formats to form many of the patterns used in DLP rules. For example, the names group + nine digit number is used for the social security number pattern.

 
   Advice:

  • The scan searches for an exact match on the keywords you add.
     
  • Because of this, we advise you to add only surnames to the ‘Names’ group at first. This will detect the most variants of the subject’s name.
     
  • For example, the keyword ‘Bowman’ will catch the following variants in an SSN pattern search:

    Robert T Bowman 123-45-6789
    Rob Bowman 123-45-6789
    Robert Bowman 123-45-6789
    R. Bowman 123-45-6789
    Bowman Robert 123-45-6789
    etc.
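The matching model described in 'Step 3 - Search patterns' and in the advice above (a pattern is an information format paired with a keyword group, an empty keyword group produces no results, a document is flagged only once the per-pattern threshold is reached, exact keyword matching means a surname catches every variant of a name) can be illustrated with a small discovery scanner. The following Python is an added example, not CCS code: the regular expressions, the Luhn and ABA checksum validators, the sample documents and the 'Bowman' keyword group are all constructed for the illustration and only approximate the product's own formats.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Information formats: the notation used by each data type. These are constructed
# approximations of the formats listed in the article, not CCS's own definitions.
FORMATS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # 3-2-4 formation, e.g. 123-45-6789
    "aba_routing": re.compile(r"\b\d{9}\b"),               # nine digit US bank code
    "credit_card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16 digits, optional separators
}


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects 16-digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    weights = [3, 7, 1, 3, 7, 1, 3, 7, 1]
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


# Optional validators that filter raw format hits (constructed for this example).
VALIDATORS = {
    "credit_card": lambda m: luhn_ok(re.sub(r"\D", "", m)),
    "aba_routing": aba_ok,
}


@dataclass
class Pattern:
    name: str
    fmt: str                        # key into FORMATS (the information format)
    keyword_group: Optional[str]    # None means a format-only pattern, e.g. ABA routing
    threshold: int = 1              # hits needed in one document before it is flagged


@dataclass
class Rule:
    name: str
    patterns: List[Pattern]
    document_types: Set[str]                           # extensions to inspect
    exclusions: Set[str] = field(default_factory=set)  # folder prefixes to skip


def keyword_present(text: str, keywords: List[str]) -> bool:
    """Exact whole-word match on any keyword, so 'Bowman' catches 'R. Bowman' too."""
    return any(re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)
               for k in keywords)


def count_pattern(text: str, p: Pattern, groups: Dict[str, List[str]]) -> int:
    """Number of validated format hits, or 0 when the paired keyword group is absent/empty."""
    if p.keyword_group is not None:
        keywords = groups.get(p.keyword_group, [])
        if not keywords or not keyword_present(text, keywords):
            return 0   # an empty keyword group never produces results
    valid = VALIDATORS.get(p.fmt, lambda m: True)
    return sum(1 for m in FORMATS[p.fmt].findall(text) if valid(m))


def scan_document(path: str, text: str, rule: Rule, groups: Dict[str, List[str]]) -> List[dict]:
    """Apply one rule to one document, honouring document types, exclusions and thresholds."""
    if os.path.splitext(path)[1].lower() not in rule.document_types:
        return []
    if any(path.lower().startswith(ex.lower()) for ex in rule.exclusions):
        return []
    events = []
    for p in rule.patterns:
        hits = count_pattern(text, p, groups)
        if hits >= p.threshold:
            events.append({"path": path, "rule": rule.name, "pattern": p.name, "matches": hits})
    return events


def scan(documents: Dict[str, str], rule: Rule, groups: Dict[str, List[str]]) -> List[dict]:
    events = []
    for path, text in documents.items():
        events.extend(scan_document(path, text, rule, groups))
    return events


# Constructed sample documents standing in for files under the scan target.
DOCUMENTS = {
    r"C:\Users\alice\hr\payroll.txt": "Robert T Bowman 123-45-6789\nR. Bowman 987-65-4321\n",
    r"C:\Users\alice\notes\single.txt": "Bowman Robert 123-45-6789\n",     # below threshold
    r"C:\Users\alice\finance\wires.txt": "Routing 123456780 for card 4111 1111 1111 1111\n",
    r"C:\Users\alice\AppData\cache.txt": "Rob Bowman 123-45-6789\n",       # excluded folder
    r"C:\Users\alice\photo.jpg": "Bowman 123-45-6789",                      # not a selected type
}
RULE = Rule(
    name="HR data",
    patterns=[
        Pattern("Name with SSN", "ssn", "Names", threshold=2),
        Pattern("ABA Routing number", "aba_routing", None),
        Pattern("Credit Card Number", "credit_card", None),
    ],
    document_types={".txt", ".doc", ".xls"},
    exclusions={r"C:\Users\alice\AppData"},
)
GROUPS = {"Names": ["Bowman"], "Network Terms": []}

if __name__ == "__main__":
    for e in scan(DOCUMENTS, RULE, GROUPS):
        print(e)
```

Running it flags payroll.txt (two SSNs next to the 'Bowman' keyword meet the threshold of 2) and wires.txt (format-only routing and card patterns), while single.txt stays below threshold, the AppData file is excluded and the .jpg is never inspected. Emptying the 'Names' group removes the SSN event entirely, which is the failure mode the note above warns about.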

 

Add keywords to a group

There are two ways to add keywords:

Manually add keywords to a group

  • Select a group then click ‘Add’:
     


 

  • Add Keyword – Enter the keyword (e.g. a name) you want to search for, then click 'OK'.

Repeat the process to add more keywords to the group.

Click 'OK', then 'OK' again.

Import keywords to a group

You can import keywords from a text file into a group. Each keyword should be on a separate line.

  • Select a group and click ‘Import’ above
     


 

  • Navigate to the file, select it and click ‘Open’
     
  • The keywords are imported into the group


 

  • Click ‘OK’

Manually run a DLP scan

You can run DLP scans on-demand from the 'General Tasks' interface:

  • Click 'Tasks' on the CCS home screen
     
  • Click 'General Tasks' > 'Data Loss Prevention Scan'



 

The scan interface shows all the rules you added in the DLP section.



 

  • Start button - Run a scan with all rules at once

           Or

  • Use the start buttons on the left to run a scan with a specific rule.

View scan results

The 'Logs' screen lets you view all files in which sensitive data was found:

  • Click ‘Logs’ at the top of the CCS home screen

    OR
     
  • Click ‘Tasks’ > ‘Advanced Tasks’ > ‘View Logs’
     
  • Select ‘Data Loss Prevention Events’ from the first drop-down:

 

Each event is an instance where sensitive data was found:
 


 

  • Date Time - Date and time the file was discovered.
     
  • Path - The location of the document.
     
  • Rule - The name of the DLP rule that discovered the file.
     
  • Action - How the DLP event was handled by CCS. The only action available at the moment is ‘Ignore’. We will add file operations in future versions, but for now, you must manually review target files.
     
  • Details - The specifics of the items found. See 'View file details' below for more info.

You can use the filter options at the top to search the logs by time, location of the file, rule or action.

View file details

  • Click the ‘Show details’ link in a DLP log row:


 

  • The screen shows the name of the file and the rule/pattern which discovered sensitive data in the file.
     
  • Click ‘Jump to Folder’ to view the document itself.