Tracking a DeviceID for use in a Symantec DLP Policy



Symantec Endpoint Prevent for DLP has the ability to track and limit data being copied to removable storage (USB drives, etc.).  Within a DLP policy we can leverage the DeviceID of a removable storage device as either an inclusion or exclusion to our policy. This document will cover how to set it up.


The first tool we need to leverage is “DeviceID.exe” which is a part of the Tools folder under the DLP agent source directory.  This executable will allow us to gather both the Device ID and the Regex that is needed for either the exclusion or inclusion.

This information is taken from the Help file for DLP and the DLP Admin Guide.

  1. Connect the USB Device to your computer
  2. From the command prompt navigate to the folder where the “Tools” directory is located
  3. Execute “DeviceID.exe” to get a list of the devices attached to your computerdevice id `1
  4. There are two values displayed per device connected to your laptop/desktop
    1. Dev ID: Contains the full string for the device connected to your laptop
    2. Regex: The value we want to put in our exclusion or inclusion
    3. NOTE: If you have a large amount of devices attached to your laptop or desktop the output can be directed to a text file via “DeviceID.exe > textfile.txt”
  5. Open up the DLP Console and navigate to System -> Agents -> Endpoint Devicesdevice id 2
  6. Select “Add Device” and fill out the form
    1. Note: Use the Regex value from DeviceID to fill out the device definition portion of things
    2. NOTE: The goal is to be both as generic and specific as possible to make sure there is not a giant list of device ids

device id 3

Leveraging the DeviceID in a DLP Policy

Once the DeviceID is created it can be used as either an exclusion or an inclusion within the policy

  1. Login to the DLP Console
  2. Navigate to Policy Portion (Policy -> Policy List)
  3. Edit (or create) the policy you would like to use this in
  4. Select “Add Exception”
    1. Towards the bottom of the Exception Type is “Endpoint Device Class or ID”
      1. Select this option and select “Next”
      2. device id 4
      3. Select the DeviceID you would like to use for an exclusion and select next
      4. device id 5
      5. Select “OK” to save your exception
  5. NOTE: This same process can be used to create an inclusion in your DLP Policy as well



Configuring scanning in Data Insight 5.0


In version 14 of their DLP product Symantec introduced the ability to scan corporate accounts via Network Discover to see what confidential data is stored within an organization’s environment. In Data Insight 5.0 we now have the ability to process to understand the context of the files in our account.

In previous posts I covered:

This guide will cover configuring scanning and then also provide some screenshots around what it looks like.

How it works

After logging into the Data Insight Console we will need to access the Settings tab of the Management Console to setup our “Cloud Sources” which can be found on the left side of the Console.

data insight box 21

In the above screenshot (Figure 1) it shows there is one Cloud Service enabled and we would like to add an additional source by clicking on “Add a new cloud service.” (While I have not seen an official roadmap, I would assume additional services are forthcoming.)

data insight box. 1PNG

In order to perform the scanning, we will need to authorize the account against the API

data insight box

In order to process everything correctly, make sure the owner account is used to connect and use the system. The above screenshot (Figure 3) shows the demo system being authenticated to the system.
One the indexer and collecter are assigned, we can then start the scanning of the account.


Now that the Cloud Source is configured we can start the Data Insight scan (or wait for the normal schedule). In the below figure (Figure 4) we have clicked on the “Actions” drop down and have selected “Scan Now.”

data insight box 4

Once the scan has been completed and the information has been processed, information will be in the Data Insight system.

data insight box 5

Figure 5 shows the result of the scan against the demo system.

Invalid Username and Password when trying to process the DLP IT Analytics Cubes

The problem:

Recently I was installing the stand-alone version of IT Analytics and the DLP Cubes and kept running into problems processing the cubes in regards to invalid username and password.  When the cubes were processed within IT Analytics a large error was created but the full text was not generated.  So I jumped in SQL Management Studio, connected to the Analysis Services, found my DLP Cubes and tried to process them.  It was within SQL Management Studio and found I was getting an error with invalid username and password.

This error message confused me as I was using the same account that I installed SQL with and installed IT Analytics with.  So I tried some troubleshooting and checked various roles within SQL and checked what permissions were set on the Database, Analysis Services, etc.
And it was time to panic, I had a demo today at a new to me customer and needed to have strong showing…. So it was off to Symantec Support to try and resolve the problem.  I had great success getting my incident resolved at 3:26pm EST when my demo started at 3:30pm EST.

So here’s the solution

The solution to my problem:

The first part that was wrong with my installation and configuration was I did not read the installation manual all the way to the end and missed a step.  Also there was another step that needed to be changed.

NOTE:  After making these changes you will need to restart your SQL Server Services to make sure everything is updated and fixed correctly.

Changes made to the provider

This first step is documented in the install guide and I just did not read all the way through it.  The OraOLEDB.Oracle  provider needs to have a setting changed in order for the processing to work.  We need to select “Allow inprocess” in order for the cubes to process correctly.

In SQL Management Studio, connect to the Database portion of your server and then we need to find the list of providers.  This is found under “Server Objects -> Linked Servers -> Providers and then right click on the OraOLEDB.Oracle provider and select properties.

Screen Shot 2015-07-13 at 2.54.45 PM

As shown in the screenshot, we need to select “Allow inprocess.”  Check this box and select “OK”

Changes made to the Data Source

The next change that needs to be made to the ITAnalytics Data Source.  This setting is found under the Analysis Server portion of your SQL Server.  If you already closed Management Studio, you will need to reopen it up and connect to the Analysis Server, if it is still open connect to the Analysis Server.  Under Databases find the ITAnalytics Database and expand “Data Sources” where you will find a listing for the “ITAnalytics” Data Source.  Right-click and select properties and you should see something that looks like the following screenshot

Screen Shot 2015-07-13 at 3.00.58 PM

What we will change is the “Security Settings from “Default” to the service account we are using for IT Analytics.  When you click on the “…” a new window will open up, select “Use a specific Windows user name and password” and provide the correct information.  My system looks like the following screenshot

Screen Shot 2015-07-13 at 3.03.08 PM

Restart the SQL Server Services and your DLP cubes will process correctly.

If you are using Symantec DLP, you should be using IT Analytics

Overview of IT Analytics

IT Analytics provides cube based reporting (pivot tables), additional reports, and Key Peformance Indicators (KPIs) for various Symantec products:

  1. Symantec IT Management Suite (Altiris)
  2. Symantec Data Loss Prevention (DLP)
  3. Symantec Critical Systems Protection (CSP)
  4. Symantec Endpoint Protection (SEP)

IT Analytics is developed by Bay Dynamics but is available as part of your Symantec license.  For more information visit:

One of the concerns in the past for using IT Analytics has been the requirement for a Symantec Management Platform (SMP also known as Altiris) to be configured first before you install and manage the cubes.  This is no loner the case as there is a stand-alone version of IT Analytics available (this will be covered in a separate blog post).  This post will cover why you should be using IT Analytics for your DLP system.

Why IT Analytics for Symantec DLP

Within the Symantec DLP console there are a bunch of ways to slice and dice the data that is generated in the system (Incidents, etc.) either by filtering the data or by creating various summarizations of the data.  IT Analytics adds several items that are not exposed without having to write a SQL query or leverage the API.  IT Analytics allows for someone who does not have access to the DLP console to run reports against the information.  Also IT Analytics can easily create trending reports to demonstrate how risk is being reduced over time.

Whenever people ask me why I should bother with IT Analytics there are two reports that I point to that demonstrate the value of IT Analytics.

User Action Audting

User Login Report

User Action Auditing - User Action Audting

User Action Auditing Report

The first screenshot (User Login Report) shows which users have logged into the DLP system and the second report (User Action Auditing Report) shows who has changed what policies in the DLP system.  These two reports are requested over and over by customers.  How can I prove to my auditors or management that no one is changing a DLP policy randomly?  This information is coming out of the Oracle Database but without ITA you would have to write a SQL statement and then clean it up to provide auditors or management.

Incident Trend by Product Area

Incident Trend By Product Area

A third common request is “how can I show trends” in my DLP system and the above screenshot shows this trend.

Finally IT Analytics provides Key Performance Indicators (both predefined or custom created) demonstrate how your Symantec DLP system is reducing risk over time and how the system is performing.Key Performance Indicators

How do  I get IT Analytics?

IT Analytics is provided free of charge however a license key and the MSI is needed before you can install ITA..  If you have Symantec Endpoint Protection in your environment the MSI for performing the installation is located on the Tools portion of the media.  However if you are not a SEP customer, please contact either your Symantec Account Manager or Bay Dynamics.  NOTE:  MY company (ITS Partners) can help you obtain the license

Symantec Connect Posts Round Up #3

I’ve really enjoyed writing these posts and hope you are finding something interesting from the various Symantec Connect posts that I’ve been linking to.  IF you are wondering why most of them (if not all) focusing on the Security Community within Symantec Connect it is because that is the focus of my job.

So here’s week #2 and week #1 and without further ado, here is week #3

  • Update the DLP system from version 10.5 to version 11.5 — This one goes on the record for longest connect post that I’ve seen in a long time (I actually shortened it for this blog post).  But it covers the process for updating your DLP system as you move from version 10.5 to 11.6 along w/ updating the server that everything runs on.  Remember if you are using 10.5 Windows Server 2008 R2 was not supported for hosting the Enforce platform on it.  Now with the latest version (11.6.1) Server 2008 R2 is supported and recommended for running the DLP Product on.  Read along with how to set this up.
  • Choice of Symantec product for business security — what programs — While this is not as long as the other post listed above it i interesting.  What we have hear is someone who uses Backup Exec and is looking to understand what security products Symantec has to help him/her out
    • This is something I help out my customers with each day.  Let’s sit down and have a conversation about how Symantec can help you out and advance your security posture.  What is the real question or goal of your organization as it becomes more mature in your security practice.  Drop me an email, would love to help you out.
  • SCCM (Systems Center Configuration Manager) — In this post the customer is looking to understand the best way to deploy Symatnec Endpoint Protection (SEP) by leveraging System Center for the deployment solution. Take a look at this article for a more complete answer to the question.  I know that my company will have a video up shortly about deploying SEP w/ both Altiris and Systems Center.
  • Implementing change management and configuration management for vontu — So this is going to be a full article/blog post and once I post it I’ll link it here as well.  Stay tuned but this is VERY IMPORTANT to handle and take care of
  • How to install DLP Client — This person is looking for help on deploying the Endpoint Agent on various machines in his/her organization.  There are numerous links in the comment section that can help out.  Also my company will putting up a video on this shortly as well.
  • Comparing Symantec cMobile Security 7.2 and Norton Mobile Security   — This one fascinates me and I haven’t spent any time reading or digging into the differences between the products.  This article is more of an FYI to myself so I can further figure out what the two products are
  • DLP – Let the User Decide — This post is still looking for answer, so if you can help awesome…  The end user is looking to see if there is a way to allow the end user to decide if an email that is blocked should be released or not.  I’m not quite sure if this is the best way to setup DLP but if you can help out this questioner let me know and I’ll try to give you extra Connect points.
  • GnuPg PGP Desktop Email — This is a question that I have long wondered about as well and the answer is MAYBE.  That is it depends on the version of GnuPGP and PGP Desktop.  Try it out it should work.

So that’s that… I hope you are finding these links interesting and maybe can help some people out still looking for support.

Drop me a note and let me know if you find them worthwhile or not.

Symantec Connect Post Round Up #2

Last week I posted a round up of various articles or posts that I’ve found interesting or exciting or something I wanted to save. One of the items that I posted here has since been solved so that’s pretty exciting.

This week was pretty light, not quite if it was due to me being busy or not finding a lot of information that made me excited.  One of the posts will warrant a further blog entry here.  So off to the round up…

  • eWeek agrees with Symantec: Server Security is different than Laptop Security: I’m not sure why “Laptop Security” and “Server Security” is capitalized but whatever.  The important thing here is the article from eWeek that talks about reasons why securing a server is different than securing a laptop.  While it is pretty basic stuff, the article does bring up some good points.  Interested in securing your critical systems (not just servers)?  Look into Symantec Critical Systems Protection
  • Search for a SSN inside DLP incidents:  The poster is looking if there is a specific way to search for a particular social security number within a bunch of incidents. As one poster mentions this might be possible with exporting the XML of all of incidents and then dumping it into a query.  Another person says you might be able to do it with IT Analytics.  ANyone have any great ideas for this person?
  • Standard Operating Procedure — Where to Start?: So this is a fascinating question to me, something that I’ve helped many many customers with.  Where does one start with during an implementation of a DLP product?  This forum post has spawned another blog post and I will link it, once I got it up and going (maybe the football games tomorrow will be boring and I’ll have a chance to be productive?).
  • How does DLP work with Images?: This is an interesting question and address within another forum entry.  Long story short I can fingerprint (IDM) a document or image to help track it down.  However Symantec DLP does not track specific images (flesh tones, colors, etc) but some products attempt to do tis.  Tracking down data stored in images is a complex tasks.

Well this was bit light on the round up, but some of the things I was looking at/reading on Symantec Connect.  Would like some feedback if you find this helpful or even interesting.


Symantec Connect Post Round up #1

I have been using Evernote for awhile but was recently introduced with the Chrome extension Evernote Clipper and this has changed how I browse the web and more importantly how I browse Symantec Connect.  So I started clipping various blog entries, articles and other information stored on the site to save for later.  In order to help share this information I will be creating a round up of various posts I’ve found interesting or important and post them to both my blog and also Symantec Connect.  Since I’m focusing on Symantec Security this year, these posts will be filed under the security portion of Connect.

So let’s get started on Round Up #1 (maybe 1 day I’ll come up with a better name or title)

  • What’s new in Symantec PGP 10.3: This is a forum post looking for information on Symantec PGP and the new release.  The answer links to the release notes for Symantec Encryption Desktop 10.3.  Some cool new things in PGP 10.3 besides renaming it include support for Symantec File Share Encryption and Dropbox on Apple iOS device along with WinPE 64-bit support.  For more information read the release notes and also test things before upgrading.
  • Is there a way to choose what response the DLP sends based upon the sender’s email address?:  The author of this post is looking to do some routing based on a sender’s email address.  I’m not quite sure what exactly is happening here, but found the question pretty interesting.  One of the limitations of Symatnec DLP is routing based on attributes or other items.  This is something my company is working on with more information to come.
  • Does SCSP support reverse-proxy between agent and management server: This post is looking for a good answer so if you know Symatnec Critical Systems Protection and can give a good answer feel free to take a stab at this one.  The user is looking to see if a reverse proxy would work for communication between the agent and the management server.  If you have answer send me a note and I’ll mark it as answer.
  • The Password Problem: A Call for Stronger Authentication: While this is not a Connect Post it does provide some very interesting information and a great starting part for conversations.  So its all about how passwords suck and must die.  This might lead to a further blog post so this is also a placeholder for more information.
  • PGP Email support for iOS:  In the PGP 10.3 some new things are released, see the release notes linked above. The person is asking what he is missing when it comes to leveraging the Symantec PGP Viewer of iOS.  The answer is the customer must leverage universal server which is now renamed the Symantec Encryption Management Server.
  • Symantec Positioned as a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms:  This is pretty exciting as Gartner has named Symantec and SEP 12.1 as a leader in the Magic Quadrant for Endpoint Protection Platforms.  Along with SEP, Symantec CSP is part of this report as well.  CSP employs a combination of HIDS and HIPS to help protect various environments.  Congrats to Symantec on this….
  • A ton of IT Analytics posts have been coming out from David Prager from Bay Dynamics and here are some that are specific to Symantec Security products

This is a starting point for my series on awesome Connect articles.  Hoping more will come

Catching up on DLP Links

There’s been a lot of discussion on the web these days in regards to DLP and also some of the moves Symantec made in regards to its purchase of PGP Corporation and also GuardianEdge:  Press Release here

Here are some more links that I’ve come across recently:

  1. Cisco Security Services and also Cisco’s Risk Assessment Service:  Didn’t even know that Cisco offered a DLP Solution, but it is based around the IronPort product.  I don’t know anything in regards IronPort but will plan to learn more as we have one customer who is looking at it instead of Symantec DLP
  2. Whitepaper released: Quick Wins with Data Loss Prevention:  This links to a whitepaper sponsored by McAfee and you can download the white paper from that link as well.  It is an interesting white paper and have added it to my collection
  3. How to shape an effective DLP policy:  An Information Week article that talks about how an organziation should write DLP policies.  More on this later.
  4. Breakout session from Symantec Vision:

Overview of DLP 10

Symantec has recently released an update to its DLP (Data Loss Prevention) product, version 10 and this article will provide a brief overview of some of the changes and differences.  More posts to follow will highlight other parts of DLP 10.


Console Changes
The first thing one will notice when connecting to a DLP 10 system is how the console has changed from previous versions.  The DLP 10 console has been simplified and streamlined to help it to be easier to navigate and make the system easier to be managed.  The new console looks like the following:

As highlighted in the next screenshot the menu system has been completely changed as well:


The menu is broken up into 4 areas, Home, Incidents, Policies, and System.  Home will open up what is set as your home page, in my system I have it setup for the Executive Summary for Endpoint.  Under Incidents we have the Incident Reports, then they are broken out by Network, Endpoint Protect and Discover, providing a simple way to find the incidents you are looking for.  Under Policies we find information related to the following:  Policy List, Response Rules, Endpoint User Groups, Discover Scanning, and Protected Content.  The Discover Scanning section is broken out further into Discover Targets and Discover Servers.  Under Protected Content you will also find Exact data and Indexed Documents.

Hopefully you will find it easier to navigate like I do.
Incident Changes

A lot of work  has been done in the Incident section of DLP 10.  The goal is to be able to understand the incident in under 5 seconds.  Is this a false positive?  Is this something I need to deal with right away?  What information can you tell me about this incident?  All questions that need to be dealt with as soon as possible and the changes made help you answer them quickly.

The example below shows a screenshot of a discover scan using sample data:


The incident is broken down into 3 sections or panes. The first pane provides the key info, history and correlations about the incident (see the following screenshot).


By seeing the Key Info right away I know what is going on with this incident at a quick glance and make a decision on whether or not i need to spend more time on it.  In DLP 9 this information was scattered a bit about but can bee seen quickly at a glance.

The second pane of an incident shows the match count behind this incident.  Based on the information I’ve read in the first pane, I will then spend time in the second taking a look at match count and also checking for false positives.

The third pane of an incident shows any custom attributes I am looking for or using.

Policy Changes

There have been some changes and additions to the default policies that ship with DLP however the way to write a policy has not been changed.  One of the policies has been modified to take a part some of the changes in the HITECH act.


As mentioned previously, under the menu Policies, you have the ability to configure the discover servers and scans and also edit the exact data and indexed documents. 

System Changes

There have been many changes to this part of the console as well.  The system section is broken up into the following areas:  Servers, Agents, System Reports, Settings, Incident Data, and User Management.

One really nice change is the addition of a credential manager, which is found under Credentials.  This allows me to save a credential and re-use it in different scans, etc.  This is found under System –> Settings –> Credentials and looks like the following:




Thanks for spending the time to read this overview of DLP.  In February I will be doing a webinar on DLP and if you are interested you can visit my company’s website (ITS Partners) here for more information and to sign up.

More employees steal data then ever survey says

The recession is creating camaraderie amongst workforces, at the expense of their employers, is the finding of a transatlantic survey. Carried out amongst 600 office workers in Canary Wharf London and Wall Street New York, 41% of workers have already taken sensitive data with them to their new position, whilst a third would pass on company information if it proved useful in getting friends or family a job.

From an article on a security website, it states more and more employees are stealing data when they leave their current employer.  A couple of interesting stats from the article:

  • 85% of people admit they know it’s illegal to download corporate data.
  • 57% of people say it is easier to take sensitive data this year, up 29% from last year
  • Top of the list is customer and contact details

During this current recession people are doing whatever they can to have an edge, especially in a new job.  If I take my current customer list to me new job, then I will instantly have a leg up.

As an employer you need to protect your data, do you even know where your data is?  Using a tool like Symantec’s DLP you can find that information, track that information and prevent it from leaving your network.