Managing the DLP Endpoint Agent with the Integrated Component

Summary:

In an earlier article I talked about installing the DLP Integrated Component within the Symantec Management Console. This article will cover how to manage the endpoint agent with this component.

What can the DLP Agent Do?

The DLP Endpoint Agent provides control of Data Loss Prevention policies on endpoints and manages the data on those machines. The DLP Endpoint Agent is made up of two agents, the endpoint agent and the watchdog agent. These two agents watch each other to make sure both are still running, and each will restart the other's service if it is stopped.

With the endpoint agent, the policies applied to Data at Rest targets and to the network via Data in Motion can also be applied to laptops and desktops. All scans on endpoints are controlled through the agent, and information is reported to the Enforce server.

Another important feature of the Endpoint Agent is that it can control removable media and monitor the copy & paste buffer, along with fax and print information. This controls the information that is flowing on the endpoint.

For more information, see

Installing the DLP Agent

In order to install the DLP Agent from the Symantec Management Console, we first need to discover the computers, and then push the Altiris Agent followed by the DLP Endpoint Agent.

All work in deploying and configuring the Endpoint Agent is done through the Symantec Management Console and the Data Loss Prevention Portal. The portal looks like the following:

Discovering Computers

Before we deploy the Altiris Agent and the DLP Endpoint Agent we need to discover the computers to add them to the database. There are two types of discovery that can be done through the DLP Portal, a Domain Browse or an AD Import.

The Active Directory Import provides the best way to discover and import your machines into the Symantec Management Console. An important note: this is just a read of Active Directory. We do not modify AD, and we do not need an AD schema modification.

To begin an Active Directory discovery, click on the link “AD Import” which will bring up the following page:

A couple of notes about this screenshot: I have already selected the correct domain, subnet and sites to import. I have also filled out a schedule, under “specified schedules,” to automatically import and update the Management Console.

The second type of discovery is a Domain Browse import. It can be run by clicking on the link in the Data Loss Prevention Portal, and looks like the following:

Provide the domain information to browse and discover computers.

Installing the Altiris Agent

Once we have discovered the computers, we can install the Altiris Agent. After the Altiris Agent is installed we will push out the DLP Endpoint Agent. From the DLP Portal page under “2. Deploy Endpoint Data Loss Prevention,” select “Install Altiris Agent.” This will open up the following screen:

As you can see from the screenshot, the computers we have discovered show up in the list of computers. To install the Altiris Agent, highlight a computer and select “Install Altiris Agent.” Multiple machines can be selected by using either the shift key or control key.

Installing the DLP Endpoint Agent

Once the Altiris Agent is installed on the managed device we will install the DLP Endpoint Agent. From the Data Loss Prevention Portal in the Symantec Management Console, select “Install Symantec DLP Agent,” which will open up the following screen.

What is unique to this install is that it is a part of an ongoing policy on the Symantec Notification Server. By default any computer in the filter “Computers managed without DLP Agent” will receive the DLP Endpoint Agent the next time the computer checks in.

A brief note of explanation for those not familiar with the Notification Server: policies are applied to groups of computers called “Filters.” A computer is added to this filter when it has the Altiris Agent installed (managed) and does not have the DLP agent. Once the DLP agent is installed, the computer automatically moves out of the filter.

This policy is not enabled by default. To enable it, click on the red button next to “Off” and select “On.” This will turn it to green. A client with the Altiris Agent will then check in, receive this policy and install the DLP Agent.

Upgrading the DLP Agent

The first policy we talked about was the DLP Agent Install policy. The upgrade policy is the second policy on the DLP Portal page. To enable this policy, click on the “Upgrade Symantec DLP” link within the Symantec Management Platform. This will open up a window that looks like the following:

This policy is not enabled by default. To enable it, click on the red button next to “Off” and select “On.” The policy will then become active and will automatically upgrade any endpoint whose agent is older than the current policy.

Endpoint Agent Tasks

Within the DLP Portal Home page there are 8 default tasks created. The Symantec Management Console allows us to create and manage tasks to control the Altiris Agent and a managed computer (a computer with the Altiris Agent on it).

Start Agents/Stop Agents/Kill Agents/Restart

The first three tasks are all about agent control, and they look and act the same way. These tasks allow us to control the status of the Endpoint Agent through the Altiris Agent. In case someone stops the Watchdog Agent or the Endpoint Agent, this task can reset the agent. The screenshot shows the Start Agent task.

There are two ways we can execute this task: via a quick run task or via a schedule. A quick run task executes immediately, and through the drop-down you can select the computer to run the task on. If you want to schedule one of these tasks to run over time, you can do so through the scheduler.

Pull Agents Logs

The Pull Agent Logs task will copy the DLP Agent Logs from the managed computer to the Symantec Management Console server allowing you to review what is happening on the endpoints.

This task functions similarly to the other tasks: you can schedule the task or run it immediately.

Set Log Level to Info/Set Log Level to Finest

This task allows you to change the logging level of the Endpoint Agent without having to interact with the agent locally or change things manually.

Get Agents Configuration

The final pre-built task allows you to get the configuration of the Endpoint Agent without visiting the machine.
