SEARCHINFORM DLP CAPABILITIES
Contents
SearchInform DLP Capabilities
1 Capabilities of EndpointController Interception Modules for Windows
2 Capabilities of NetworkController Interception Modules
3 Capabilities of NetworkController Integration with Mail Servers, Lync (Skype for Business) and ISA/TMG
4 Capabilities of EndpointController Interception Modules for Linux (Ubuntu, CentOS, Rosa, Gos, Astra)
5 Blocking Capabilities in SearchInform DLP
5.1 Blocking at the Level of Agent
5.2 Blocking at the Level of Network
5.3 Blocking Email at the Level of Workstation or Mail Server (Agent)
6 Protection of Data at Rest
SEARCHINFORM DLP CAPABILITIES
SearchInform Data Loss Prevention (SearchInform DLP) is used to collect and analyse
information flows within the local computer network. Data can be captured in two ways,
depending on the server component: SearchInform EndpointController or SearchInform
NetworkController. Server components are the platforms on which data interception modules
operate. Each interception module operates as a traffic analyzer and controls its own data
transmission channel.
This document provides detailed capabilities of interception modules of SearchInform DLP
server components.
1 CAPABILITIES OF ENDPOINTCONTROLLER INTERCEPTION MODULES FOR WINDOWS
The table shows capabilities of SearchInform EndpointController that operates through agents
installed on network workstations.
Module: KeyLogger
Features: 1. Capturing keystrokes 2. Capturing function keys 3. Capturing text from clipboard
Capabilities:
Filtration for users/groups or processes
Capability to exclude system actions
Capability to exclude interception of passwords
Blocking the PrintScreen keystroke
Interception of keyboard keys only/clipboard only/all
Set-up of clipboard size

Module: FileController
Features: Control of any file system event (creating, changing, opening, deleting, etc.) for files or folders
Capabilities:
Filtration for users/groups or processes
Capability to exclude system actions
Audit of changes of file/folder access rights
Capability to exclude audit of temporary MS Office files

Module: CameraController
Features: 1. Taking snapshots 2. Recording video 3. Connecting to a camera in real time
Capabilities: Capability to set up the interval for taking snapshots, video recording options, and particular options for selected applications, users and URLs

Module: Cloud & SharePoint
Features: 1. Google Docs 2. OneDrive 3. Office 365 4. Dropbox 5. Evernote 6. Yandex.Disk 7. Cloud.mail.ru 8. Amazon S3 9. iCloud 10. DropMeFiles 11. OwnCloud 12. SharePoint
Capabilities: N/a

Module: FTPController
Features: Capturing files sent over the FTP protocol
Capabilities: Maximum size of a captured file, update interval, timeouts of last activity
Module: ProgramController
Features: Control of time spent in applications and on websites
Control of time spent on websites is possible in the following browsers:
Internet Explorer (from version 8)
Mozilla Firefox (from version 50.1.0)
Google Chrome (from version 55.0.2883.87)
Yandex Browser (16.11.0.2680)
Opera (Presto) (36.0.2130.80)
Opera (Chromium)
Safari
Tor Browser
Netscape Navigator
Amigo (from version 54.0.2840.189)
Sputnik (from version 2.1.1051.0)
Flock (02.06.2001)
Avant Browser
Lunascape
Maxthon
SeaMonkey
K-Meleon
SlimBrowser
Edge (from version 38.14)
Comodo Dragon (from version 52.15.25.664)
CoolNovo (2.0.9.20)
Cốc Cốc (from version 56.3.150)
Titan Browser (from version 33.0.1712.0 (235591))
Uran (from version 43.0.2357.134)
Capabilities:
Filtration for users/groups or processes
Capability to exclude system actions
Capability to disable audit of activity on websites
Module: PrintController
Features: 1. Control of printing on local printers 2. Control of printing on network printers 3. Control of printing on virtual printers
Capabilities:
Options of quality (compression) for images
Filtration by users, processes, description, printer, and location
Feature of blocking escape functions (control of a printer by escape commands)

Module: HTTPController
Features: 1. Capturing POST queries 2. Capturing GET queries
Capabilities:
Limitation by minimum size of POST query
Limitation by intercepted nodes, IP addresses, ports, type (SSL/no SSL), processes
Capability to add a list of anonymizers
Capability to block SPDY and QUIC
Capability to exclude MIME types (audio, video, images)
Module: MonitorController
Features: 1. Taking screenshots 2. Video recording of the user's actions 3. Connecting to a user's screen in real-time mode
Capabilities:
Capability to set up the interval of taking screenshots, the interval of taking screenshots of Skype video conferences and for URLs, particular options for selected applications and users; color settings, settings for several monitors
Capability to adjust color and exclude background; frame frequency settings
Capability to configure a schedule and operating mode (for all/for selected)
Capability to specify access settings for connection by password or for specified users

Module: MicrophoneController
Features: 1. Sound recording with a microphone 2. Connecting to a user's microphone in real-time mode 3. Audio recognition (speech-to-text transcription)
Capabilities:
Capability to specify settings for the In Office/Out of Office profiles: maximum duration, noise reduction, quality of recording, speech recognition, list of software, schedule
Capability to configure a schedule of recording
Capability to specify access settings for connection by password or for specified users

Module: MailController
Features: Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP, WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, Office 365, ukr.net, yahoo.com, qip.ru, Google Sync, etc.
Capabilities (general settings):
Filtration by sender, recipient, domain user, subject, protocol, size, number of recipients
Individual settings for WebMail: capability to activate/deactivate interception of incoming email messages
Blocking outgoing (SMTP) email messages by content and/or context criteria
Module: IMController
Features: Interception of the following protocols: 1. ICQ 2. MMP (mail.ru agent) 3. XMPP (Jabber) 4. MSN 5. Gadu-Gadu 6. Lync 7. Viber 8. Telegram 9. HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, icq.com, etc.
Interception of contact list
Capabilities:
Capturing chats, calls, files, contacts; settings of maximum file size, sound and duration
Capturing chats, calls, files, contacts, message history; settings of maximum file size, sound and duration
Audio recognition (speech-to-text transcription)

Module: SkypeController
Features: Capturing calls, messages, files, SMS via Skype for desktop
Capabilities:
Capturing chats, calls, files, contacts, SMS, message history
Settings of maximum file size, sound and duration
Audio recognition (speech-to-text transcription)
Module: DeviceController
Features:
a) Audit + block of access:
1. USB HID devices (except keyboard and mouse)
2. Printers (USB)
3. Bluetooth adapters (USB)
4. Scanners (USB)
5. All USB devices (except concentrators)
6. COM ports
7. LPT ports
8. Bluetooth
9. Printers
10. IR ports
11. Media devices
12. HID devices (except keyboard and mouse)
13. Keyboard and mouse
14. FireWire
15. Smart cards
16. PDA
17. Tape device
18. Block of folders
19. Block of disks
b) Only block of access:
1. Modems
2. Wi-Fi
c) Audit + block of access + shadow copy:
1. USB devices
2. CD/DVD-ROM
3. Cameras/Scanners
4. Floppy disks
5. SCSI
6. Network folders
7. RDP disks
8. Portable devices of Windows: Android, Apple, Blackberry, Palm, Windows Phone, all portable devices
d) Available blockings:
1. USB devices
2. Block at the start of software
3. CD/DVD-ROM
4. Floppy disks
5. SCSI
6. Network folders
7. Clipboard
8. RDP disks
9. Portable devices of Windows
10. Processes
Capabilities:
General capabilities:
Maximum size of a processed file
Exclusion of system users
Black and white lists by type, device, manufacturer, serial number, user, computer
Capabilities for group A:
Users/Groups
Computers
Full access/No access
Audit On/Off
Exclusion of system users
Capabilities for group B:
Users/Groups
Computers
Full access/No access
Capabilities for groups C and D:
Capabilities described above, as well as:
Shadow copy by file name, file type, process, user, computer
Access by file name, file type, process, user, and computer
Shadow copy of data stored on the device
Module: Data encryption
Features: Encryption of all data types sent to external USB storage devices using a unique key (generated by the user)
Capabilities:
Encryption is available for selected users or groups
For encrypted files you can configure access settings for:
• All users except specified
• Only specified users
A file can be opened only if the agent is available and there is permission to open it
Black/white list settings are also available for encryption
You can configure shadow copy settings so that ONLY encrypted files are captured

Module: SSL notifications
Features: Notifications about failed attempts of agents to trap a connection¹
Capabilities:
Automatic addition of such connections to exclusions
Filtration by time, computer, user, process, and type

Module: Audit of technical data
Features: Audit of technical data from PCs with agents²: installed software, hardware configuration, active user, status of agent and computer, free space on disk, last agent's activity, audit of task manager data
Capabilities: N/a
2 CAPABILITIES OF NETWORKCONTROLLER INTERCEPTION MODULES
Below is a table of features of SearchInform NetworkController operating either on network data captured using SPAN technology (port mirroring) or in integration with a proxy server³. Blocking is available only in integration with a proxy server over ICAP.
¹ This report can be created only together with HTTPController.
² The feature is available regardless of the protocols used. Licensing is not required.
³ All SSL connections can be captured only together with proxy server integration, or with a certificate substitution scheme + SPAN on specific equipment.
Module: Cloud & SharePoint
Where available: Full-fledged operation, as a rule, in ICAP (all connections are encrypted), or certificate substitution + SPAN (for example, with Palo Alto equipment)
Features: Interception of the following services via web interface (not using the application!):
1. Interception of the Google Docs service
2. Interception of the OneDrive (Microsoft) service
3. Interception of the Office 365 (Office Online) service
4. Interception of the Dropbox service
5. Interception of the Evernote service
6. Interception of the Yandex.Disk service
7. Interception of the Cloud.mail.ru service
8. Interception of SharePoint
Capabilities:
Limitation by ports
Filtration by hosts, sender, size and content
Block by attributes is available⁴
Module: MailController
Where available: SPAN – everything is available; ICAP – only web mail
Features: Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP, WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, Office 365, ukr.net, yahoo.com, qip.ru, Google Sync
Capabilities (general settings):
Filtration by sender, recipient, domain user, subject, protocol, size, port
Individual settings for WebMail: capability to deactivate/activate interception of incoming messages
Capability to block WebMail by attributes

Module: HTTPController
Where available: SPAN and ICAP both; GET will not work for some proxy servers***
Features: Capturing POST queries; capturing GET queries
Capabilities:
Limitation by minimum size of POST query
Limitation by intercepted nodes, IP, ports, sender, size
Capability to add a list of anonymizers
You can configure blocking by attributes

Module: FTPController
Where available: SPAN and ICAP both
Features: Capturing files sent over FTP
Capabilities: Maximum size of a captured file, update interval, timeouts of last activity
⁴ Blocking is available only via the ICAP scheme; it does not work with SPAN!
Module: IMController
Where available: SPAN – everything is available; ICAP – only web IM
Features: Interception of the following protocols: ICQ, MMP (mail.ru agent), XMPP (Jabber), MSN, YAHOO!, HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, icq.com
Capabilities:
Limitation by captured nodes, IP, ports, sender, size
Capability to add a list of anonymizers
Capability of capturing any specified protocol using HTTP tunneling
Capability to block Web IM by attributes

Module: Telephony
Where available: Only SPAN
Features: Capturing audio calls and text messages of SIP telephony via the standards: GSM, A-Law, u-Law, G.722
Capabilities: Capability to limit by ports, users, computers, IP addresses, and MAC addresses

***
The proxy servers listed below operate in full (incoming and outgoing traffic): SQUID, BLUE COAT, MCAFEE, WEBSENSE (Forcepoint), ISA/TMG.
The proxy servers mentioned further support only outgoing traffic: FortiGate, Check Point.
The list is not complete and comprehensive. It contains the proxies tested by SearchInform experts for compatibility with the SearchInform DLP solution.
3 CAPABILITIES OF NETWORKCONTROLLER INTEGRATION WITH MAIL SERVERS, LYNC (SKYPE FOR BUSINESS) AND ISA/TMG
Module: Lync/Skype for Business
Features/Capabilities:
Interception: chats
Audit: calls, files
In the integration mode, only messages are intercepted properly. Sent files and calls are registered in the audit, but their content remains unavailable.
It is recommended to use the EndpointController platform for full-fledged interception of files and calls.

Module: ISA/TMG
Features/Capabilities: 1. Interception of POST queries 2. Interception of GET queries
The solution is fully operational in terms of data capturing, but it cannot block because of the peculiarities of the TMG architecture (this proxy does not support ICAP, which is why we use a separate integration module).
Module: Mail servers
Features/Capabilities:
1. Control of corporate email boxes via POP3 and IMAP
2. Control of corporate email boxes via EWS
3. Interception of SMTP
These integration methods are not tied to particular manufacturers or versions of mail servers (excluding EWS). They are general and can be used with Exchange, Lotus, Postfix and even a number of public mail servers.
4 CAPABILITIES OF ENDPOINTCONTROLLER INTERCEPTION MODULES FOR LINUX (UBUNTU, CENTOS, ROSA, GOS, ASTRA)
Module: Cloud & SharePoint
Features: Interception of the following services working via web interface (not using the application!): Google Docs, OneDrive, Office 365, Dropbox, Evernote, Yandex.Disk, Cloud.mail.ru, Amazon S3, iCloud, DropMeFiles, OwnCloud
Capabilities: N/a

Module: FTPController
Features: Capturing files sent over the FTP protocol
Capabilities: Maximum size of a captured file, update interval, timeouts of last activity

Module: HTTPController
Features: 1. Capturing POST queries 2. Capturing GET queries
Capabilities:
Limitation by minimum size of POST query
Limitation by intercepted nodes, IP addresses, ports, type (SSL/no SSL), processes
Capability to add a list of anonymizers
Capability to block SPDY and QUIC
Capability to exclude MIME types (audio, video, images)

Module: MailController
Features: Interception of the following protocols: IMAP, MAPI (without encryption), POP3, SMTP, NNTP, WebMail as part of: mail.ru, gmail.com, tut.by, yandex.ru, rambler.ru, outlook.com, Office 365, ukr.net, yahoo.com, qip.ru, Google Sync
Capabilities (general settings):
Filtration by sender, recipient, domain user, subject, protocol, size
Individual settings for WebMail: capability to activate/deactivate interception of incoming email messages
Module: IMController
Features: Interception of the following protocols: 1. ICQ 2. MMP (mail.ru agent) 3. XMPP (Jabber) 4. MSN 5. HTTPIM as part of: vk.com, ok.ru, facebook.com, mamba.ru, my.mail.ru, LinkedIn, Evernote, Google+, Yammer, Fotostrana, Web-Skype, webim.ru
Capabilities: Individual settings for: 1. Interception of contact list

Module: SSL notifications
Features: Notifications about unsuccessful attempts of the agent to trap a connection
Capabilities:
Automatic addition of such connections to exclusions
Filtration by time, PC, user, process and type
5 BLOCKING CAPABILITIES IN SEARCHINFORM DLP
SearchInform Data Loss Prevention not only performs a detailed audit of data in transit and creates shadow copies of documents, but also allows blocking data transfer over a wide range of data channels. The list of channels that can be controlled and the list of channels that can be blocked differ, so below we provide a detailed description of the blocking capabilities of SearchInform DLP.
Blocking can be performed at different levels: while data is transmitted over the network, on an endpoint, and using the customer's mail server.
5.1 BLOCKING AT THE LEVEL OF AGENT
Blocking any connected device by its type, serial number and other attributes; for example, blocking COM and LPT ports, printers, scanners, etc. The first table in this document provides the full list of capabilities of the DeviceController module.
Blocking sending data to storage devices (USB, CD/DVD, SCSI, etc.)
Blocking software launch, including portable versions
Blocking data transmission when working with a remote desktop (via connected disks, network folders and clipboard)
Blocking by type of connected device (Android, Apple, Blackberry, Palm, Windows Phone, etc.)
Blocking wireless networks and interfaces (Wi-Fi and Bluetooth)
Blocking data transmission to network storage (SMB)
Blocking operations with local folders
Blocking operations with local disks
5.2 BLOCKING AT THE LEVEL OF NETWORK
The system also allows blocking HTTP(S) network traffic according to the transmitted text, selected users, hosts, URI, POST, GET and many other attributes*. Besides prohibiting the transmission of specified text, such blocking allows implementing secure schemes for working with web mail, chats, forums and cloud storage. For example, it is possible to block sending a file from the company's network to a cloud storage (downloading remains available). There is also a capability to block the saving of drafts and attachments when working with web mail, a capability to block uploads to a social network (without blocking the other functionality of the social network), and many other capabilities.
*
Method, Options: Can contain
Text
  All words: text or regular expression
  Any word: text or regular expression
  Exact word or phrase: text or regular expression
  None of the given words: text or regular expression
Date
  Equal: date/month/year
  NE (not equal): date/month/year
  In range: range of dates/months/years
  Out of range: range of dates/months/years
Time
  In range: hours
  Out of range: hours
Day of week
  Equal: days of week
  NE: days of week
User
  Equal: users
  NE: users
IP address
  Local address: address or range of addresses
  Remote address: address or range of addresses
HTTP method
  GET, POST, CONNECT, PUT
Web field
  URI: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
  HOST: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
  USER-AGENT: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
  Content-length: contains, missing, present, starting with, ending with, equal, NE, in range, out of range, etc.
This option is available at the network level, for both unencrypted and SSL traffic. Blocking can be applied to PCs and other network equipment inside the company regardless of the connection type (Ethernet or Wi-Fi) for HTTP(S) or FTP(S) traffic.
By combining these rules, one can fine-tune the blocking of services or of particular features of these services. For example:
The rule (Web field HOST contains mail.ru) AND (Web field URI contains attaches/add) blocks saving or sending attachments in mail.ru via the web interface.
The rule (Web field HOST contains vk.com) AND (Web field URI contains act=do_add or act=add_doc or act=album_photo) blocks uploading files to vk.com.
The rule (Web field URI contains /objects) AND (Web field HOST contains api.asm.skype.com) AND (HTTP method = PUT) blocks sending files over web Skype.
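To make the rule combinations concrete, here is an added Python example; it is not SearchInform code and does not reproduce the product's real rule syntax. It implements a toy evaluator for the Web field, HTTP method and Text conditions from the table above, loads the three rules just described, and runs them over constructed sample requests (the URL paths, rule names, request bodies and hostnames such as e.mail.ru are assumed for the illustration). It also shows the behaviour the text mentions: a GET download on the same Skype URI stays allowed while the PUT upload is blocked.

```python
"""Toy evaluator for attribute-based HTTP blocking rules of the kind listed in
section 5.2: Web field, HTTP method and Text conditions combined with AND.
Added illustration, not SearchInform code; the condition syntax, rule names
and sample requests are constructed for this example."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal view of one HTTP request as a network-level blocker sees it."""
    method: str
    url: str
    user_agent: str = ""
    body: str = ""

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def uri(self) -> str:
        parts = urlsplit(self.url)
        return parts.path + ("?" + parts.query if parts.query else "")


# Each condition builder returns a predicate Request -> bool.
def web_field(name, op, value):
    """'Web field' condition: name is URI, HOST or USER-AGENT; op is one of
    contains, starting with, ending with, equal, NE."""
    getter = {"URI": lambda r: r.uri, "HOST": lambda r: r.host,
              "USER-AGENT": lambda r: r.user_agent}[name]
    ops = {"contains": lambda s: value in s,
           "starting with": lambda s: s.startswith(value),
           "ending with": lambda s: s.endswith(value),
           "equal": lambda s: s == value,
           "NE": lambda s: s != value}
    return lambda r: ops[op](getter(r))


def http_method(*methods):
    """'HTTP method' condition (GET, POST, CONNECT, PUT)."""
    wanted = {m.upper() for m in methods}
    return lambda r: r.method.upper() in wanted


def text(op, *terms):
    """'Text' condition over the request body. Terms are regular expressions
    (a plain word is a valid regex); 'exact word or phrase' instead matches the
    literal term on word boundaries."""
    def found(body, exact):
        pats = [r"\b" + re.escape(t) + r"\b" if exact else t for t in terms]
        return [re.search(p, body, re.IGNORECASE) is not None for p in pats]
    ops = {"all words": lambda b: all(found(b, False)),
           "any word": lambda b: any(found(b, False)),
           "exact word or phrase": lambda b: all(found(b, True)),
           "none of the given words": lambda b: not any(found(b, False))}
    return lambda r: ops[op](r.body)


def any_of(*preds):
    """OR of several conditions (the 'act=... or act=...' form used above)."""
    return lambda r: any(p(r) for p in preds)


# The three rules quoted in section 5.2, written in this toy syntax.
# Conditions inside one rule are ANDed; the first matching rule wins.
RULES = [
    ("mail.ru attachments", [web_field("HOST", "contains", "mail.ru"),
                             web_field("URI", "contains", "attaches/add")]),
    ("vk.com uploads", [web_field("HOST", "contains", "vk.com"),
                        any_of(web_field("URI", "contains", "act=do_add"),
                               web_field("URI", "contains", "act=add_doc"),
                               web_field("URI", "contains", "act=album_photo"))]),
    ("web Skype files", [web_field("URI", "contains", "/objects"),
                         web_field("HOST", "contains", "api.asm.skype.com"),
                         http_method("PUT")]),
]


def decide(req, rules=RULES):
    """Return the name of the first rule whose conditions all hold, or None
    when the request is allowed through."""
    for name, conds in rules:
        if all(c(req) for c in conds):
            return name
    return None


# Constructed sample traffic (paths are assumed): an upload and a non-upload
# per service, including the GET download that must stay allowed.
SAMPLE = {
    "mail_attach": Request("POST", "https://e.mail.ru/api/v1/attaches/add"),
    "mail_read": Request("GET", "https://e.mail.ru/inbox/"),
    "vk_upload": Request("POST", "https://vk.com/docs?act=add_doc"),
    "vk_browse": Request("GET", "https://vk.com/feed"),
    "skype_upload": Request("PUT", "https://api.asm.skype.com/v1/objects/0-abc/content"),
    "skype_download": Request("GET", "https://api.asm.skype.com/v1/objects/0-abc/content"),
}


def run_samples(rules=RULES):
    """Map each sample request name to the blocking rule it hit (or None)."""
    return {name: decide(req, rules) for name, req in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} -> {'BLOCK ' + verdict if verdict else 'allow'}")
```

The point of the evaluator is that every condition is a narrow attribute test and only their conjunction blocks, which is why reading mail or downloading from the same hosts passes through while the upload path, parameter or PUT method trips the rule.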
5.3 BLOCKING EMAIL AT THE LEVEL OF WORKSTATION OR MAIL SERVER (AGENT)
The system also allows blocking outgoing corporate email. It is implemented via a blocking agent installed on the destination (edge) mail server or on the local PC, which then checks all outgoing correspondence. An email message violating security policies is held until it is checked manually. After the check, the message is either blocked or sent on to the destination.
Blocking can be:
Context-based: sender, recipient, file type (over 114 formats**), size, attachment and many other attributes
Content-based: based on the presence of confidential data in transmitted documents, for example digital fingerprints, phrases, synonyms, morphological forms, regular expressions, encrypted attachments, images visually similar to passports or credit cards, documents containing official stamps, falsified documents.
6 PROTECTION OF DATA AT REST
SearchInform DLP can audit and detect confidential data inside files in the following data storages:
Local PCs (Windows)
Roaming user profiles (in Active Directory or Novell eDirectory)
Network folders (Windows, Linux, Unix, Mac)
Corporate NAS (Synology, HP, QNAP, etc.)
Corporate SharePoint storage
Text fields in popular DBMSs (MS SQL, MySQL, PostgreSQL, Oracle, etc.)
Databases of web sites
Web mail
Cloud storages (Dropbox, etc.) – under development
Personal portable storage devices (USB HDD, flash drives) – when connected to corporate equipment
Personal mobile devices (telephones, tablets) – when connected to corporate equipment in file system access mode
**
Below is a non-exhaustive list of the formats that SearchInform DLP can operate with. Additionally, it is possible to create your own file types and assign parsers to them (process as binary, text, XML, etc.).
o MS Office files: DOC, DOCX, DOT, XLS, XLSX, XLSB, XLSM, XLTX, XLTM, XLT, PPT, POT, PPTX, RTF, VSD, VST, VSDX
o Local database files: MDB
o Internet files: HTM, HTML, SHTML, CSS, JS, MAFF
o Mail files: MSG, EML
o Windows program files: TXT, CSV, DJVU, XML, LST, CHM, BAT, LOG, INI, WRI, MHT, HLP
o Archive files: 7Z, ARJ, RAR, ZIP, JAR, TAR, ISO, GZ, GZIP, TGZ, TPZ, CAB, LZH, LHA, Z, TAZ, LZMA, BZ2, BZIP2, TBZ2, TBZ, HFS, 001
o Programming files: JAVA, PAS, DFM, DPR, BAS, CPP, HPP, C, C++, H, CS, SQL, JSP, ASP, ASPX, PHP, SH, WSDL, PY, PL, INC, VB, VBS, XLA, CMD
o Programming files (PowerBuilder): SRA, SRJ, SRW, SRU, SRM, SRS, SRF, SRD, SRQ, SRP
o Audio/Video: MP3, AVI, WAV
o OpenOffice.org: SXW, STW, ODT, ODS
o CAD files: DWG, DXF
o Image files: JPG, JPEG, TIF, TIFF, BMP, PNG, GIF, CDR
o Old text formats: LEX
India contact: BD Software Distribution Pvt. Ltd., 1209, 12th Floor, Satra Plaza, Plot No. 19 & 20, Sector 19D, Vashi, Navi Mumbai - 400703, Maharashtra.
Phone: +91 829 160 1105
E-mail: [email protected]