Defining Endpoint Agent Policy Actions

  1. On the Step 4: Action screen, select the Transmission Scope for DLP monitoring.

    Transmission Scope Radio Buttons

    Radio Button: All transmissions
    Description: DLP monitors all files transmitted outside the local host.
    WARNING: This is strict filtering that is only recommended for offline agents.

    Radio Button: Only transmissions outside the Local Area Network
    Description: DLP monitors all files transmitted outside the LAN.
    The LAN boundary includes only private IP address ranges, including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. However, if a destination IP address is a private IP address but is listed in Global Exceptions as a Monitored Target, DLP considers it as outside the LAN.
    DLP approves private IP ranges by default. Even if you use a 10.0.0.0/24 network for your LAN, the private IP addresses 172.16.x.x, 192.168.x.x and every other 10.x.x.x IP are also approved by default. Subnet boundary checking is not currently supported.
    Note: This is the recommended setting for online agents.

    “Network” is the company network, including traffic to standard private IP addresses:
    • A: 10.0.0.0~10.255.255.255
    • B: 172.16.0.0~172.31.255.255
    • C: 192.168.0.0~192.168.255.255
    The Transmission Scope that you select impacts network-related channels: SMB, FTP, HTTP, HTTPS and IM. The impact to IM channel traffic is for File Transfer only (since the message channel is always sent out to the global IM server with an IP outside the company network).
    Transmission Scope impacts Email channels (Outlook, Lotus, and SMTP) with some differences. When Transmission Scope is set to Only transmissions outside the local area network, DLP only scans email in which recipients are not in the internal email domain. You can configure the internal email domain at Administration > Global Exceptions.
    Note: When DLP checks for incidents, DLP complies with the settings of your Monitored Targets, Non-monitored Targets, and Transmission Scope. When these settings conflict, Monitored Targets is the first priority for DLP checking, followed by Non-monitored Targets. The last priority is Transmission Scope checking.
    In other words, a destination listed in Monitored Targets is always an incident source, even if the destination is a local machine or within the LAN boundary. If the destination is not on the Monitored Targets list and is on the Non-monitored Targets list, the destination is in compliance and no checking occurs. If the destination is on neither the Monitored Targets list nor the Non-monitored Targets list, DLP checks whether the destination complies with the Transmission Scope setting.
  2. Specify the System Action when Online. This is the action for DLP to take if an incident is triggered while the agent is connected to the management server.
  3. Specify the System Action when Offline. This is the action for DLP to take if an incident is triggered while the agent is not connected to the management server.

    System Action Considerations

    System Action: Notify the customer
    Description: You can set a policy-based URL in the client side alert screen instead of setting a global URL at Administration > Agent Configuration > Advanced Settings. This way, you can set different URLs for different policies.

    System Action: Encrypt; Prompt user to enter justification
    Description: You can only select Encrypt and Prompt user to enter justification if you selected only the Removable Storage channel.

    System Action: Record data
    Description: If you select Record data, DLP automatically encrypts the forensic data with a pre-defined password and securely stores the data on the DLP server. The default password for encrypted files is 12345678. It is recommended that you change this password at Administration > Agent Configuration > Agent Settings.
    WARNING: Record data uploads files to the DLP server which could occupy too much hard disk space. Trend Micro highly recommends that you only record highly sensitive information.
  4. Click Finish to save the policy.
    The policy appears on the Policy List.
  5. On the Policy List, click the Status icon to disable or enable the policy.
  6. Click Deploy Now. DLP deploys all enabled policies in the list to the agents.
    Click the up or down arrows in the Order column to change the policy priority. When multiple policies are involved in an incident, DLP executes the strictest rules. However, when matching block and encryption actions, DLP takes actions based on order. The lowest number has the highest priority and is executed first.
    Moving the mouse over a policy name displays a snapshot of the policy content.
    Note: The management server waits an interval of one minute for each policy deployment. If you continually click Deploy Now, DLP waits one minute and redeploys the policies. In this case, Deploy Now is disabled after one minute and a message displays, “Policies have been deployed.”
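
The checking order and LAN boundary described under Transmission Scope in step 1, as an added example (not Trend Micro code). It assumes targets in Global Exceptions can be written as CIDR ranges and models "the local host" as loopback; the function names are hypothetical.

```python
import ipaddress

# LAN boundary as the page defines it: the three private ranges, with no
# subnet boundary checking.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # assumption: "the local host"
ALL = "All transmissions"
OUTSIDE_LAN = "Only transmissions outside the Local Area Network"


def _hit(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def is_monitored(dest, scope, monitored=(), non_monitored=()):
    """Return (monitored?, deciding rule) for one destination IP address."""
    ip = ipaddress.ip_address(dest)
    if _hit(ip, monitored):        # 1. Monitored Targets always win
        return True, "Monitored Targets"
    if _hit(ip, non_monitored):    # 2. in compliance, no checking
        return False, "Non-monitored Targets"
    if scope == ALL:               # 3. Transmission Scope is checked last
        return ip not in LOOPBACK, "Transmission Scope"
    return not any(ip in net for net in PRIVATE_RANGES), "Transmission Scope"


def lan_gap(own_lan):
    """Private space outside own_lan that OUTSIDE_LAN still treats as LAN."""
    lan = ipaddress.ip_network(own_lan)
    gap = []
    for net in PRIVATE_RANGES:
        if lan.subnet_of(net):
            gap.extend(net.address_exclude(lan))
        else:
            gap.append(net)
    return sorted(gap)


if __name__ == "__main__":
    # Constructed sample: company LAN is 10.0.0.0/24, 10.9.0.0/16 is not ours.
    print(is_monitored("10.9.8.7", OUTSIDE_LAN))
    print(is_monitored("10.9.8.7", OUTSIDE_LAN, monitored=["10.9.0.0/16"]))
    print(len(lan_gap("10.0.0.0/24")), "private networks outside the LAN")
```

The ranges returned by `lan_gap` are the private address space outside your own subnet that the LAN-only scope does not check unless it is listed as a Monitored Target.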