dlpnetch
OfficeScan can monitor data transmission through the following network channels:
Email clients
FTP
HTTP and HTTPS
IM Applications
SMB protocol
Webmail
To determine data transmissions to monitor, OfficeScan checks the transmission scope, which you need to configure. Depending on the scope that you selected, OfficeScan will monitor all data transmissions or only transmissions outside the Local Area Network (LAN). For details about transmission scope, see Transmission Scope and Targets for Network Channels.
OfficeScan monitors email transmitted through various email clients. OfficeScan checks the email’s subject, body, and attachments for digital assets. For a list of supported email clients, see:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx
Monitoring occurs when a user attempts to send the email. If the email contains digital assets, OfficeScan will either allow or block the email.
You can define monitored and non-monitored internal email domains.
Monitored email domains: When OfficeScan detects email transmitted to a monitored domain, it checks the action for the policy. Depending on the action, the transmission is allowed or blocked.
If you select email clients as a monitored channel, an email must match a policy for it to be monitored. In contrast, an email sent to monitored email domains is automatically monitored, even if it does not match a policy.
Non-monitored email domains: OfficeScan immediately allows the transmission of emails sent to non-monitored domains.
Data transmissions to non-monitored email domains and to monitored email domains where "Pass" is the action are similar in that the transmission is allowed. The only difference is that for non-monitored email domains, OfficeScan does not log the transmission, whereas for monitored email domains, the transmission is always logged.
Specify domains using any of the following formats, separating multiple domains with commas:
X400 format, such as /O=Trend/OU=USA, /O=Trend/OU=China
Email domains, such as example.com
For emails sent through the SMTP protocol, OfficeScan checks if the target SMTP server is on the following lists:
Monitored targets
Non-monitored targets
For details about monitored and non-monitored targets, see Transmission Scope and Targets for Network Channels.
Monitored email domains
Non-monitored email domains
This means that if an email is sent to an SMTP server on the monitored targets list, the email is monitored. If the SMTP server is not on the monitored targets list, OfficeScan checks the other lists. If the SMTP server is not found on all the lists, the email is not monitored.
For emails sent through other protocols, OfficeScan only checks the following lists:
Monitored email domains
Non-monitored email domains
When OfficeScan detects that an FTP client is attempting to upload files to an FTP server, it checks for the presence of digital assets in the files. No file has been uploaded at this point. Depending on the Digital Asset Control policy, OfficeScan will allow or block the upload.
When you configure a policy that blocks file uploads, remember the following:
When OfficeScan blocks an upload, some FTP clients will try to re-upload the files. In this case, OfficeScan terminates the FTP client to prevent the re-upload. Users do not receive a notification after the FTP client terminates. Inform them of this situation when you roll out your Digital Asset Control policies.
If a file to be uploaded will overwrite a file on the FTP server, the file on the FTP server may be deleted.
For a list of supported FTP clients, see:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx
OfficeScan monitors data to be transmitted through HTTP and HTTPS. For HTTPS, OfficeScan checks the data before it is encrypted and transmitted.
For a list of supported web browsers and applications, see:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx
OfficeScan monitors messages and files that users send through instant messaging (IM) applications. Messages and files that users receive are not monitored.
For a list of supported IM applications, see:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx
When OfficeScan blocks a message or file sent through AOL Instant Messenger, MSN, Windows Messenger, or Windows Live Messenger, it also terminates the application. If OfficeScan does not do this, the application will become unresponsive and users will be forced to terminate the application anyway. Users do not receive a notification after the application terminates. Inform them of this situation when you roll out your Digital Asset Control policies.
OfficeScan monitors data transmissions through the Server Message Block (SMB) protocol, which facilitates shared file access. When another user attempts to open, save, move, or delete a user’s shared file, OfficeScan checks if the file is or contains a digital asset and then allows or blocks the operation.
The Device Control action has a higher priority than the Digital Asset Control action. For example, if Device Control does not allow files on mapped network drives to be moved, transmission of digital assets will not proceed even if Digital Asset Control allows it. For details on Device Control actions, see Permissions for Storage Devices.
For a list of applications that OfficeScan monitors for shared file access, see:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx
Web-based email services transmit data through HTTP. If OfficeScan detects outgoing data from supported services, it checks the data for the presence of digital assets.
For a list of supported web-based email services, see:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx
See also: