Today I will be showing you how to create a DLP policy that blocks a word from being copied to a txt document, warns the user with a pop-up message and reports the incident to ePO. This rule can be useful to block critical text from being copied into another document. For this policy to work we are going to do the following:
- Create a classification for the word we want to block.
- Create a rule set that uses the classification and assign it to a policy in DLP Policy Manager
- Test the rule/policy on a system
Create a Classification
First we are going to create a classification for the word “Credit Card”. This is the word we want to monitor or block.
- In ePO select “Menu>Data Protection>Classification”.
- Click on “New Classification”.
- Give it the name “Contain Credit Card Classification” and click “OK”.
- Now click “Action>New Content Classification Criteria”.
- Name it “Contains Credit Card Criteria” and select “Dictionary” on the left.
- Leave comparison as “one of (or)” and click on the 3 dots. This will present you with the built-in list.
- For this example we are going to create a new list, so click on “New Item”.
- Name this list “Contain Credit Card Dictionary”. At the bottom, under “Phrase”, type the phrase we will be blocking, “Credit Card”. Scroll to the right.
- Then click the “Add” button to add the phrase we want to block.
- Scroll back, and check that the phrase was added and then click on “Save”.
- Next look for the value “Contain Credit Card Dictionary”, put a check mark next to it and then click “OK”.
- On the next window click “Save” at the bottom of the page.
- Next, click on “Actions>Save Classification”.
Creating A Rule Set & Policy Assignment Using DLP Policy Manager
In the next steps we are going to create a rule set that defines how our rule is going to work. For this rule set we are going to be using “Clipboard Protection”. After the rule set is created, we must assign it to a policy.
- In ePO go to “Menu>Data Protection>DLP Policy Manager”.
- First we are going to create a rule set. Click on “Action>New Rule Set”.
- Name it “Prevent Credit Card from being copied” and press “OK”.
- Click on the rule set we just created “Prevent Credit Card from being copied”.
- Make sure the “Data Protection” tab is selected, then click on “Action>New Rule>Clipboard Protection”.
- Name the rule “Prevent Credit Card from being copied Protection”, then change the state from disabled to “Enable” and the severity from warning to “Major”. Next, under classification, click on the 3 dots.
- On the next screen select “Contains Credit Card Classification” then click OK.
- Select the “Reaction” tab and change Action to “Block”. Then, under the notification section, click on the 3 dots.
- Next click “New Item”.
- Next name it “Tried to copy the word Credit Card” and under description type the message the user will receive: “You have just tried to copy the word ‘Credit Card’ and it has been blocked. This action violates company policy!”. Then click “Save”.
- Next put a check mark next to “Tried to copy the word Credit Card” then click “OK”.
- Check “Report Incident” and then click “Save”.
- On the next page click “Close” and keep closing until you are back at DLP Policy Manager.
- Next we want to apply this rule to a policy. Click on the Policy Assignment tab, then click “Action>Select Assign Rule Sets to a Policy”.
- Select the policy you wish to assign this rule set to. For this example I am using “My Default DLP Policy”. Make sure the rule set “Prevent Credit Card from being copied” is checked, then click “OK”.
- Next click on “Actions>Apply Selected Policies”.
- On the next window select the DLP policy “My Default Policy” and click “Apply Policy”.
- You will get a confirmation that the policy was applied successfully. Click “OK”.
- The policy Pending Changes will change from “Yes” to “No”.
Testing The Rule-Set Policy On A System
Our last step is to send a wake-up call to the system we are testing with and test our rule set and policy assignment. If everything was done correctly, DLP should block the word “Credit Card” from being copied and pasted to another document.
- Go to System Tree, find the system, check it and click on “Wake up Agents”.
- On the next window select “Force complete policy and task update” then click “OK”.
- To make sure the policies are enforced properly, open the agent monitor by right-clicking on the McAfee icon and selecting “McAfee Agent Status Monitor”.
- Click on “Check New Policies” and “Enforce Policies”.
- On the desktop create two new text files and name them test-1 and test-2. Open the test-1.txt file and type the word Credit Card, then highlight and copy it. Then open the second file and try to paste it. It will get blocked, and in the bottom right corner you will receive a message from DLP letting you know that copying the word “Credit Card” was blocked.
This is a list of actions that can be blocked:
- Application File Access Protection
- Clipboard Protection <- This is what we just used
- Cloud Protection
- Email Protection
- Network Communication Protection
- Network Share Protection
- Printer Protection
- Removable Storage Protection
- Screen Capture Protection
- Web Post Protection
As an ePO administrator, you should be able to view these incidents from the ePO console.
- To review the incident go to “Menu>Data Protection>DLP Incident Manager”.
- In the DLP Incident Manager you should be able to see that there was an attempt to copy the word “Credit Card” with the clipboard.
- To review the details, click on the “Incident ID” number.
- The details of the reported incident will pop up, showing the computer that reported the incident, the user logged in to the system, the rule and classification that were triggered, etc.
This concludes this guide on how to create a DLP policy to block a word from being copied. If you have any questions or comments, please let me know in the comment area.