Selecting endpoint destination channels to monitor
Administrator Help | TRITON AP-DATA | Version 8.3.x
As well as removable media, you can set up a rule to monitor and analyze endpoint data sent to other destination channels. For example, you can check Web traffic and software applications on the endpoint.
To select endpoint destinations for monitoring:
1. Select Main > Policy Management > DLP Policies.
2. Click Manage Policies.
3.
*
*
4. Go to the Destination section for the rule.
5.
* Email - Select Endpoint Email to monitor outbound or internal email messages sent to the destinations you specify. By default this option covers all endpoint destinations. To select particular destinations, click Edit and select the destinations to watch.
Note that the system analyzes all email messages sent from endpoint users, even if they send them to external Web mail services such as Yahoo.
 
Important: For endpoint email to be analyzed, you must specify one or more internal email domains. Navigate to Settings > General > Endpoint and then click the Email Domains tab. If no domain is listed, endpoint email is not analyzed.
For Windows, TRITON AP-DATA can analyze endpoint email generated by Microsoft Outlook and IBM Notes. (Note that rules are not enforced on Notes messages if Notes is configured to send mail directly to the Internet, rather than through the Domino server.)
The system supports the desktop version of Outlook 2010, 2013, and 2016 but not the Windows 8 touch version. TRITON AP-DATA supports IBM Notes versions 8.5.1, 8.5.2 FP4, 8.5.3, and 9.
For macOS, the system can analyze endpoint email generated by Outlook 2011, Outlook 2016, and Apple Mail.
TRITON AP-DATA can detect incidents in S/MIME encrypted messages sent from Outlook 2013 (Windows), Outlook 2016 (Windows), and Outlook 2016 (Mac).
* Web - Select Endpoint HTTP/HTTPS from the Channels drop-down list to monitor endpoint devices such as laptops, and protect them from posting sensitive data to the Web. You can monitor traffic when endpoints are not connected to the network.
When the endpoint analyzes data via the Web > Endpoint HTTP/HTTPS destination, it intercepts HTTP(S) posts as they are being uploaded within the browser. (It does not monitor download requests.)
For both Mac and Windows-based endpoints, the system analyzes posts from Internet Explorer, Firefox, and Chrome browsers.
The system does not support the HTTP destination channel on Linux endpoints.
For a list of supported browser versions, see the Certified Product Matrix.
Note that this destination is different from the Endpoint Application > Browsers destination which looks at the data as it is being copied, pasted, or accessed. The system can monitor these operations on most browsers, such as Internet Explorer, Firefox, Safari, and Opera.
It's possible to see URL category information on the incident if the Linking Service is active. (See Linking Service for details.)
* Endpoint printing - Select this option to monitor data being sent from an endpoint machine to a local or network printer. The system supports drivers that print to a physical device, not those that print to file or PDF.
* Endpoint application - You can monitor or prevent sensitive data from being copied and pasted from an application such as Microsoft Word or a Web browser. This is desirable, because endpoint clients are often disconnected from the corporate network and can pose a security risk.
If you choose to analyze all activities on a rule's condition page and then select browsers here, this is akin to analyzing all Web content that is downloaded to endpoints. To prevent performance degradation:
*
*
The system can monitor copy and paste operations on most browsers, such as Internet Explorer, Firefox, Safari, and Opera.
 
Note: The applications that the system supports out of the box are found in the Technical Library article TRITON AP-DATA Endpoint Applications. You can also add custom applications.
* Endpoint removable media - You can monitor or prevent sensitive data from being transferred to removable media. In the action plan, you define whether to block it, permit it, ask users to confirm their action, encrypt it with a profile key configured by administrators, or encrypt it with a password supplied by endpoint users. Here, define the devices to analyze.
The system monitors unencrypted data being copied to native Windows and Mac CD/DVD burner applications. It monitors non-native Windows CD/DVD burner applications as well, but only blocks or permits operations without performing content classification.
Non-native CD/DVD blocking applies to CD, DVD, and Blu-ray read-write devices on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012 endpoints.
Linux endpoints do not support CD/DVD burners.
On Windows 7, the system can also monitor unencrypted data being copied to Android devices through the Windows Portable Devices (WPD) protocol.
* Endpoint LAN - Users commonly take their laptops home and then copy data through a LAN connection to a network drive or share on another computer. They also commonly take data from a shared folder (at work) to copy onto their laptop. With TRITON AP-DATA:
*
*
*
Endpoint LAN control is applicable to Microsoft sharing only.
Note that if access to the LAN requires user credentials, files larger than 10 MB are handled as huge files, which are searched only for file size, file name, and binary fingerprint. Files smaller than 10 MB are fully analyzed.
The huge files limit for other channels is 100 MB.
All destination channels are supported on Windows endpoints.
On Linux endpoints, only removable media is supported. The HTTP/HTTPS and email channels are not supported on Linux, nor are the print or LAN channels or endpoint applications.
On Mac, all destination channels except the print channel are supported, with the exceptions noted below.
*Cloud apps are not supported on Mac endpoints. The cut, copy, paste, file access, and download operations are not supported for cloud apps on Windows endpoints when they are used through a Windows Store browser.
For more information on monitoring destinations and protecting data on endpoints, see Custom Policy Wizard - Destination.

Copyright 2016 Forcepoint LLC. All rights reserved.