
How to setup and run data loss prevention (DLP) scans in Endpoint Manager

Click 'Configuration Templates' > 'Data Loss Prevention'

  • Data loss prevention (DLP) rules let you scan Windows devices for files that contain sensitive information.
     
  • For example, the scan finds card numbers, social security numbers, bank account numbers, bank routing numbers, and more.
     
  • There are two types of DLP rules:

    • Discovery rules - Define the areas you want to scan, the type of information you want to search for, and the action you want to take on discovered files.

      • Discovery rules are added to profiles, which are in turn applied to managed devices. You also have the option to run on-demand discovery scans on devices.

      • You can review all files which contain sensitive data from the Endpoint Manager interface. You can then take actions to secure that data where required.

    • Monitoring rules - Block users from copying files to external storage devices.

      • Monitoring rules are created directly in a profile. EM monitors attempted data transfers to devices like USB drives and allows or blocks the transfer in real time.

Use the following links to jump to the task you need help with:

Overview

  •   You first create a discovery scan rule at ‘Configuration Templates' > 'Data Loss Prevention' > 'Create Discovery'.  
     
  •   You then add the scan to the DLP section of a profile. The scan will run on all devices on which the profile is active.
     
  •   You can view scan results at 'Security Subsystems' > 'Data Loss Prevention' > 'Logs'.
     
  •   You can also manually run discovery scans on devices at ‘Security Sub-systems’ > ‘Data Loss Prevention’ >  'Device List'

Create a DLP scan rule

  • Click 'Configuration Templates' > 'Data Loss Prevention' >  'Create Discovery'

Scan rules tell the DLP scan exactly what type of data to search for. You will define the following items:

  • Location - The folders or drives that you want to scan on target devices. For example, 'C:\Users\'.
     
  • File types - The file extensions you want to inspect. For example, .doc, .xls, .txt.
     
  • Search pattern - The type of data you want to search for. For example, card numbers, bank account numbers, social security numbers, dates-of-birth, etc.
     
  • Action - The response Endpoint Manager should take when the rule conditions are met. The options are ‘ignore’ and ‘quarantine’.

You add the scan rule to a profile, which is in turn applied to target devices or users.

  • Click 'Configuration Templates' > 'Data Loss Prevention'
     
  • Click 'Create Discovery'

Complete the following fields:

Name - Enter a label for the rule

Description – Add a short note for your reference

Action - The response Endpoint Manager should take on files which meet the rule conditions. The options are:

  •   Ignore – Take no action on the file. You can still review the files at ‘Security Sub-systems’ > ‘Data Loss Prevention’ > ‘Logs’.
     
  •   Quarantine – The file is moved from its original location on the endpoint and placed in a secure holding area. Users cannot open quarantined files. You can review quarantined files as follows:
     
    •    Local Endpoint - Open Comodo Client Security > Click ‘Tasks’ > ‘DLP Tasks’ > ‘Data Loss Prevention Quarantine’. You can restore the files to the original location from here if required.
       
    •   Endpoint Manager - Click ‘Security Sub-Systems’ > ‘Data Loss Prevention’ > ‘Logs’.

Click 'Create’ to move to the rule configuration screen:

  • Click 'Edit' on the right.
     
  • Use the following links for help with each tab:

    • Targets
    • Exclusions
    • Patterns
    • Document Types

Targets / Scan locations

Targets are the folders or drives that you want to scan on your managed devices.

  • Click the 'Targets' tab > 'Edit'
     
  • 'C:\Users' is included by default.
     
  • Click 'Add' > 'File Path' to add a new scan location

  • Enter the location you want to scan then click 'Ok'
     
  • Repeat the process to add more locations
     
  • Click the pencil icon in the 'Action' column to edit a location
     
  • Click 'Save'

Exclusions

You can omit specific locations and/or file types from your discovery scan.

  • Click the 'Exclusions' tab, followed by 'Edit'
     
  • Click 'Add'
     
    • File path - Exclude a folder or file
    • File Groups - Exclude a specific set of file types

    • File groups make it easy to exclude an entire class of file. Choose the group you want to exclude then click ‘Save’.
       
    •  Click 'Settings' > 'System Templates' > 'File Groups Variables' to view and manage file groups
       
    • See this wiki if you need help to create and manage file groups.
       
  • Repeat the process to add more exclusions.

Patterns

The patterns tab is where you tell the scan what types of data you want to search for.

  •  A 'pattern' is the format used by the type of data you want to find. Each pattern is a combination of a keyword group and information format.
     
  • For example, the ‘Name with SSN’ pattern consists of:
     
    • Keyword group = ‘Names’ group.
       
    • Information format =  9 digit number arranged in 3-2-4 formation, like '123-45-6789'.
       
  • EM ships with a number of patterns which you can use to search for sensitive data.

Add patterns

  • Click the 'Patterns' tab then 'Edit'
     
  • Click 'Add Pattern'

  • Select Pattern - Choose the type of information that you want to search for in scanned locations. For example, credit card numbers, social security numbers, bank routing numbers, etc.
     
  • Threshold - The number of times that data matching the pattern must be found in a document. Endpoint Manager will flag a document if it contains the threshold quantity of pattern examples.


Note – You MUST add keywords to the keyword group or the search will not work. For example, you must add some names to the ‘Names’ group.

The following list shows the information format and keyword group contained in each pattern:

  • Name with 5-8 Digit Account Number - Keyword group 'Names' and a 5-8 digit bank account number.
  • Name with 9 Digit Account Number - Keyword group 'Names' and a 9 digit bank account number.
  • Name with 10 Digit Account Number - Keyword group 'Names' and a 10 digit bank account number.
  • Name with SSN - Keyword group 'Names' and a social security number.
  • ABA Routing Number - American Bankers Association (ABA) routing number. This is the nine digit bank code printed on negotiable instruments in the US.
  • Date of Birth - A birth date.
  • Credit Card Number - A credit card number.
  • IP Network - IPv4 and IPv6 addresses. Examples: 192.0.2.0/24, 198.51.100.0, 2001:0db8:85a3:0000:0000:8a2e:0370:7334, 2001:db8:1234::/48
  • Network Address - URLs and domain names. Examples: http://domain.name, https://domain.name, www.domain.name, domain.com, local.net
  • IBAN Code - Bank account number in International Bank Account Number (IBAN) format.
  • MAC Address - MAC addresses, the unique identifier assigned to network cards.

  • Click 'Ok'

Repeat the process to add more patterns

  • Click the pencil icon on the left if you want to edit a pattern
     
  • Click 'Save'.

Document types

  • This tab lets you choose which types of file you want to scan for sensitive data.
     
  • You can choose PDFs, Word documents, HTML files, text files and/or ZIP files.
     
  • The scan will search the content of all files which have a matching file extension in the locations you specified.

Click the 'Document Types' tab then 'Edit':

  • Use the switches in the status column to choose which types of files you want to scan.
     
  • Click 'Save'
  • Repeat the process to add more rules.

You can now add the rule to a profile. If your pattern uses the ‘Names’ keyword group, make sure you have added keywords to the group first.

Add keywords to keyword groups

Click 'Settings' > 'System Templates' > 'Keywords Variables'

  • Keyword groups are used by DLP scans to identify sensitive data. Each group is a list of specific items which the scan will search for.
     
  • For example, the ‘Names’ group should contain the surnames of the employees/users in your protected network.
     
  • The keyword group is paired with an ‘information format’ to form a 'pattern'.
     
    • An information format is a notation used by the type of data you want to find. For example, the information format of an SSN is a nine-digit number in 3-2-4 formation, like '123-45-6789'.
       
    • So a search for the SSN ‘pattern’ will identify all instances of ‘Name + SSN’ in target documents.
       
  • You MUST add some names to the ‘Names’ group or the search will not work. Patterns that have an empty keyword group will not produce any results.

Add names to the ‘Names’ keyword group

  • Click 'Settings' > 'System Templates'
     
  • Click the 'Keywords Variables' tab
     
  • Click '+' at the left of a group name

There are two ways you can add keywords:

1    Type them in the field provided. Click ‘Add’ after each keyword.

  • Repeat the process to add more keywords

2    Import them from a .csv file. Click the import icon on the right then browse to your .csv file:

Advice:

  • The scan searches for an exact match on the keywords you add.
     
  • Because of this, we advise you add only surnames to the ‘Names’ group at first. This will detect the most variants of the subject’s name.
     
  • For example, the keyword ‘Bowman’ will catch the following variants in an SSN pattern search:

    Robert T Bowman 123-45-6789
    Rob Bowman 123-45-6789
    Robert Bowman 123-45-6789
    R. Bowman 123-45-6789
    Bowman Robert 123-45-6789
    etc.
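As an added illustration of how a pattern (keyword group + information format), the threshold and exact keyword matching combine, the script below applies a 'Name with SSN' style pattern to the name variants listed above. This is example code, not Endpoint Manager's matching engine: the same-line proximity rule, the ABA format and the sample document are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed keyword group 'Names': surnames only, as the page advises.
NAMES_GROUP = ["Bowman", "Okafor"]

# Information formats as regular expressions. 'SSN' is the 3-2-4 layout the
# page describes; 'ABA' (nine contiguous digits) is an assumed stand-in and
# does not reproduce EM's built-in definition.
FORMATS = {
    "SSN": r"\b\d{3}-\d{2}-\d{4}\b",
    "ABA": r"\b\d{9}\b",
}


@dataclass
class Pattern:
    name: str
    information_format: str             # key into FORMATS
    keyword_group: Optional[List[str]]  # None for a format-only pattern
    threshold: int = 1                  # hits needed before a file is flagged


def count_matches(text: str, pattern: Pattern) -> int:
    """Count information-format hits. For a pattern with a keyword group a hit
    only counts when a keyword appears (exact, whole word) on the same line;
    that same-line rule is an assumption for this example."""
    fmt = re.compile(FORMATS[pattern.information_format])
    if pattern.keyword_group is None:
        return len(fmt.findall(text))
    if not pattern.keyword_group:
        return 0  # an empty keyword group never produces results
    kw = re.compile(r"\b(?:" + "|".join(map(re.escape, pattern.keyword_group)) + r")\b")
    return sum(len(fmt.findall(ln)) for ln in text.splitlines() if kw.search(ln))


def scan_document(text: str, pattern: Pattern) -> dict:
    """Return a log-style result: pattern name, match count, flagged or not."""
    n = count_matches(text, pattern)
    return {"pattern": pattern.name, "match_count": n, "flagged": n >= pattern.threshold}


NAME_WITH_SSN = Pattern("Name with SSN", "SSN", NAMES_GROUP, threshold=3)
ABA_ROUTING = Pattern("ABA Routing Number", "ABA", None)

# Constructed document: the five 'Bowman' variants from the page, a line whose
# surname is not in the group, and a routing-number line.
SAMPLE_DOC = """Robert T Bowman 123-45-6789
Rob Bowman 123-45-6789
Robert Bowman 123-45-6789
R. Bowman 123-45-6789
Bowman Robert 123-45-6789
Jane Smith 987-65-4321
wire routing 123456789
"""

if __name__ == "__main__":
    print(scan_document(SAMPLE_DOC, NAME_WITH_SSN))  # 5 matches, flagged
    print(scan_document(SAMPLE_DOC, ABA_ROUTING))    # 1 match, flagged
    print(scan_document(SAMPLE_DOC, Pattern("Name with SSN", "SSN", [])))  # 0
```

The 'Jane Smith' line is ignored because 'Smith' is not in the group, which is exactly why the page insists the 'Names' group must be populated.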

Add DLP discovery rules to a profile

The final step is to add a DLP section to your profile, then populate it with your scan rules.

  • Click 'Configuration Templates' > 'Profiles'
     
  • Click the ‘Profiles’ tab
     
  • Open the Windows profile applied to your target devices
     
    • Open the 'Data Loss Prevention' tab

      OR

       
    • Click 'Add Profile Section' > 'Data Loss Prevention', if it hasn't yet been added
       
  • Click the 'Discovery' tab (if it is not open already)

  • Click 'Add'

Choose Data Loss Prevention rule - Add an existing discovery rule to the profile.

  • Start typing the first few letters of a rule name then select from the suggestions.
     
    • If you can’t remember your rule names, click ‘Configuration Templates’ > ‘Data Loss Prevention’
       
  • Repeat the process to add more rules to the profile

Click 'OK' to save your settings

The interface shows all discovery rules you have added:

The profile pushes the DLP scan to the target devices.

Manually run a DLP scan

You can run DLP scans on-demand from the data loss prevention section:

  • Click 'Security Sub-systems' > 'Data Loss Prevention'
     
  • Select the 'Device List' tab
     
  • Select your target devices
     
  • Click 'Action on Endpoint' > 'Run all discoveries':

  • The scan command is sent to the selected devices. CCS runs the scans based on the rules included in the profile active on the device.
     
  • Click the 'Details' link when the scan finishes to view the files that contain sensitive information
     
  • See View scan results for more on the results.

View scan results

Click 'Security Sub-systems' > 'Data Loss Prevention' > 'Logs'

  • The logs interface shows files identified by a DLP scan as containing sensitive information
     
  • You can see the file name, the location of the file on the device,  the rule that intercepted the file, and the type of sensitive information in the file.
     
  • You can use the 'Remote Tools' feature to connect to the target device and access the files at the path provided. You can then move or remove the files, or edit their permissions, as required.

View DLP scan logs

  • Click 'Security Sub-systems' > 'Data Loss Prevention'
     
  • Click the 'Logs' tab

  • Date Time - The date and time at which the file was discovered
     
  • Device Name - The device on which the files reside.
     
    • Click the name of the device to view its details.
       
  • Action - The action taken on the file as per the rule. The only available action is 'Ignore'. You can manually take action on the file by remotely accessing the device through the 'Remote Tools' feature.
     
  • Rule - The name of the DLP discovery rule that identified the file.
     
  • File Name - The label of the file
     
    • Click the icon to copy the file name to the clipboard.
       
  • File Path - The location of the file on the device.
     
    • Click the icon to copy the file path to the clipboard.
       
  • Pattern - The type of data contained in the file.
     
  • Match Count - The number of times the data of the type occurred in the file.

Take action on identified files

There are two ways you can connect to remote devices in order to manage files that contain sensitive data:

1) Endpoint Manager - Click 'Devices' > 'Device List' > select a running Windows device > Click 'Remote Tools' > 'File Explorer'.

2) Remote Control app - Click 'Devices' > 'Device List' > 'Device Management' > select a Windows device > Click the 'File Transfer' button.

You need to download and install the remote control app to use this feature.

  • See this wiki for help to use both of these remote control apps.

Add a DLP monitoring rule to a profile

Monitoring rules let you prevent users from copying files to external devices.

  •   Click 'Configuration Templates' > 'Profiles'
     
  •   Click the ‘Profiles’ tab
     
  •  Open the Windows profile applied to your target devices
     
    •  Open the 'Data Loss Prevention' tab

      OR

       
    •  Click 'Add Profile Section' > 'Data Loss Prevention', if it hasn't yet been added
       
  •  Click the 'Monitoring' tab:

  •  Click the ‘Edit’ button at top-right and select ‘Enable DLP Monitoring’
     
  • Then click ‘Add Rule’ > ‘Removable storage access rule’:

  • Choose the action and device targets:

Action – What EM should do if it detects data being moved to the target devices:

  •  Block – The storage device is set to ‘Read-only’ mode. Users cannot copy data to/from the storage device.
     
  •  Ignore – Data transfers to the device are allowed.

Criteria – Select the type of device to which the rule applies. The only option available is:

  • USB data device

Options – Choose whether you want to create an event log whenever the rule is enforced.

  • You can view the logs via the CCS installed on the device
     
  •  Click ‘Logs’ on the home screen and select DLP logs.
     
  •  Click ‘Ok’

The monitoring rule is added:

  • Click ‘Save’ to apply your changes. The rule takes effect on all endpoints on which the profile is active.