Dear ManageEngine community,
We are currently testing a potencial DLP/Data Protection solution that will fit our needs. Little about current test environement configuration:
1 x DataSecurityPlus Management Server (Windows Server 2022)
1 x File Server (Windows Server 2022)
1 x Workstation (Windows 10 LTSC)
All OS-es are fully updated and current. ManageEngine DataSecurityPlus 6.1.0 build 6170, agent build number on Workstations and File servers 6160
The installation and configuration part is correctly done according to official documentation. Test policies for all four coverings Auditing, Analysis, Risk and Endpoint DLP are configured.
While testing a solution we wanted to highlight some issues we met during the policy test phases.
Issue 1: Drag and drop
We have files on a network share, labeled as Restricted. These files must not be copied to local folders such as Desktop. Clipboard policy is in place on Endpoint DLP and set up to display an alert.
When user copy a file using a menu in file explorer, policy works and prevents a copy action.
When user drags the same file from a share folder to desktop, policy is NOT activated. This way user can bypass the security and copy the file further to unprotected shares without being detected.
* there is a workaround by disabling drag and drop in registry but this is not a secure solution
Issue 2: Mail attachments
Simmilar to previous issue, but with files labeled as Restricted in mail attachments. When user drags the same file that should not ce copied to new mail form and press send, that mail is not prevented by the Outlook plug-in. We could see that the plug-in registered the outgoing mail along with atachment, but didn't recognise that attachment had a label.
The test file is labeled manually, we don't know where the file label information is kept but it's not transmited with the file when the file is added as attchment to the Outlook.
Issue 3: Automatic labeling policies
In Risk Analysis there is an option to add a classification profile that will mark all files matched by a policy with a label. While adding a new profile, classification label drop down was empty even there are four predefined categories of labels. So we created a new label called "Restricted".
We defined file match rules and policy before. Then we initiated a full scan of the file share.
When the scan finished, we analysed the results and most of the files matched our policy, but with the issue that only Office documents were labeled according to the results. Other types such as txt, zip etc. were not labeled even they matched a policy.
Then we wanted to double check if the labeled files were really labeled. Came to the workstation and checked the file, but the file had no label attributes.
This may be an issue with custom labeling, but we are not sure why this is happening. Domain account used to scan Windows domain has modify rights on a share.
* We will cover the questions and desires about data classification in more detail in another topic.
These issues may be caused by a bug or a current limitations. It will be great if these issues can be somehow resolved. If we did not pay attention to something we would be happy to hear from you.
Thank you.