Applications Monitored In The Endpoint Application Channel


Applications Monitored in the Endpoint Application Channel for Forcepoint DLP Endpoint

Endpoint Applications | Forcepoint DLP Endpoint | v8.4.x

You can monitor the operations performed by end users on any number of applications to prevent data loss from endpoint clients both on and off network—operations such as file access, cut or copy, and paste. Forcepoint has analyzed the metadata for more than a hundred applications, and has provided templates for these applications so you can monitor them in the Endpoint Application channel.

This document lists the predefined application templates by Application Group and lists the operating systems and operations that are monitored. While Forcepoint has analyzed the metadata for these applications, Forcepoint has not formally tested and certified these applications in all environments for each Forcepoint DLP Endpoint release. After selecting a specific application to monitor, test the application file access monitoring in your environment and reconfigure if needed.

This document also describes how to import user-defined applications if desired.

Built-in application templates
Importing other applications

Built-in application templates

In the Forcepoint Security Manager, select Main > Resources > Endpoint Applications to choose the applications to monitor for the Endpoint Application channel, or select Endpoint Application Groups to select entire groups of applications, such as encryption software or browsers.

Following are the application templates that you can choose to monitor on the endpoint when you set up your endpoint policy in the Forcepoint Security Manager. This includes software applications, web applications, and cloud applications.

Also noted is whether the application is supported on Windows endpoints, Mac endpoints, or both, and the type of operations that can be analyzed by Forcepoint

Operations listed: Copy/Cut, Paste, File Access

Internet Explorer (IE)
Microsoft Edge
Opera
Safari
Tor
Torch

Group: CD Burners
Acoustica MP3 CD Burner
Alcohol 120%
CD-Mate
Disk Utility
iTunes
Nero Burning ROM
Roxio – Easy Media Creator
Windows Media Player

Group: Cloud Storage
Operations listed: Copy/Cut, Paste, File Access

Amazon
Box (includes Box.com for Windows and Mac; Box store app for Windows)
Dropbox (includes Dropbox store app)
Egnyte (File Access Only)
Google Drive
iCloud* (includes iCloud Drive for both Windows and Mac; File Access)
OneDrive (includes OneDrive store app** for Windows)
Salesforce Files***
ShareFile
Syncplicity
WatchDox

Group: Email
Operations listed: Copy/Cut, Paste, File Access

Apple Mail
Eudora (includes Eudora Light)
Lotus Notes
MailMate
Microsoft Outlook
Microsoft Outlook Express
Mozilla Thunderbird
Pegasus Mail
Postbox
Sparrow
Windows Live Mail
Windows Mail

Group: Encryption Software
DK2 Network Server Remote Monitor - DK2 DESkey
File Encryption XP
Windows Privacy Tray (WinPT)

Group: FTP
Operations listed: Paste, File Access

Core FTP LE
Cute FTP
File Transfer Program (Microsoft Utility)
FileZilla FTP Client
Flash FXP 3.6 build 1240
FTP Voyager 15
Ipswitch WS FTP Home
Leech FTP
Serv-U (includes File Server EXE; File Server Tray Application; FTP Server Setup Utility)
Smart FTP Client

Group: IM
Operations listed: Copy/Cut, Paste, File Access

Apple Messages
Camfrog
Cisco WebEx
GoToMeeting
ICQ (includes ICQ store app (for Windows))
Jabber Messenger
ManyCam
Microsoft Lync 2010
Miranda IM
ooVoo
Pidgin
Skype for Business
TeamViewer
Tencent QQ
Trillian
Viber
Yahoo! Instant Messenger (includes Instant Messenger (Windows and Mac); YServer Module Server (Windows))

Group: Office Applications
Operations listed: Copy/Cut, Paste, File Access

Adobe
ice/Apache OpenOffice
Mellel
Microsoft Office Access
Microsoft Office Excel
Microsoft Office InfoPath
Microsoft OneNote
Microsoft Office PowerPoint
Microsoft Office Project

Operations listed: Copy/Cut, Paste, File Access, Download

Microsoft Office Publisher
Microsoft
Microsoft
Great
Sequel

Operations listed: Copy/Cut, Paste, File Access

eMule
FrostWire
Kazaa Lite
Kazaa download/database viewer a - KDat; Kazaa QuickLinks Handler/Generat - KSig; klrun: protocol Kazaa

Group: aging Software
7-Zip File Manager
iArchiver
WinRAR
WinZip

Group: Portable Devices
Operations listed: Copy/Cut, Paste, File Access, Download, None

Bluetooth Stack COM Server
Fsquirt
iTunes
Wireless Link File Transfer App – Irftp
WCESMgr

Group: Cloud (SaaS)****
Aplicor (online)
CRM.com
HostAnalytics
Intacct
NetSuite
Oracle CRM on demand
RightNow
Salesforce
WorkDay

FoxPro
Ld
MSTSC
NT backup tool
Vista backup tool
VMWare

* File Access only. The Copy, Cut, and Paste operations are not monitored.

** Requires adding the applications runtimebroker.exe, bulkoperationhost.exe, and filemanager.exe to the FTP application group. See the section on importing Windows desktop applications for instructions.

*** This application does not operate correctly on Mac 10.11.1, regardless of endpoint.

**** The cut, copy, paste, file access, and download operations are not monitored for cloud apps on Windows endpoints when they are used through a Windows Store browser. Online application download is not supported in Firefox.

You can also configure the system to block and/or audit screen captures when a specific endpoint application is running. Navigate to the Resources > Endpoint Applications page and click on the application name to enable this feature.

Importing other applications

If you want to monitor an endpoint application that is not already provided as a template by Forcepoint, follow the instructions below. The instructions vary depending on the operating system, as well as the type of application.

Windows desktop applications
Windows Store apps
Mac Applications

Windows desktop applications

The following applies to Windows applications prior to Windows 8, as well as Windows 8 desktop applications. For instructions on how to monitor Windows Store applications, see the section below, Windows Store apps.

There are 2 ways to import applications onto the Forcepoint DLP server for Windows desktop applications:

1. Selecting Main > Resources > Applications > New Application/Online Application. See Endpoint Applications.
   When you add applications using this screen, they are identified by their executable name. Occasionally, users try to get around being monitored by changing the executable name. For example, if you are monitoring “winword.exe” on users’ endpoint devices, they may change the executable name to “winword.exe” to avoid being monitored.

2. Using an external utility program, EPRegApps.exe.
   This method records the application’s metadata, so that Forcepoint DLP can analyze the metadata. In other words, if the name of the application is modified by an end user, Forcepoint DLP Endpoint can still identify the application and apply policies.

Note
This tool can be copied to any other machine and be executed on it as long as it has connectivity to the Forcepoint Security Manager.

To use the external tool to import applications in the Forcepoint DLP server:

1. Go to [%DSS Home%] directory (Default: C:\Program Files\Websense\Data Security Suite) and double-click EPRegApps.exe. The Get File Properties screen displays.

2. Complete the following fields:

   Field: Description
   IP Address/Hostname: Insert the IP Address or Hostname of the Forcepoint DLP server.
   User Name: Provide the user name used to access the Forcepoint DLP server. This is the user name assigned to administrators that have relevant permissions.
   Password: Enter the password used to access the Forcepoint DLP server. This is the password assigned to administrators with relevant permissions.
   File Name: Insert the File Name of the application (e.g., Excel.exe) OR click the Browse button and in the Open dialog box, navigate to the File Name of the application and double-click it.
   Display Name: Enter the name of the application as you want it displayed in the Forcepoint Security Manager.

3. Click OK.

A message displays indicating that the application was successfully registered with the Forcepoint DLP server. The Get File Properties screen is then re-displayed with the Forcepoint DLP server fields completed, but the File Name and Display Name empty. This allows you to select additional applications to register with the Forcepoint DLP server. Continue this process until all applications are registered. When you are finished adding applications, click the Cancel button in the Get File Properties screen.

Windows Store apps

The following instructions apply only to Windows Store apps, and do not apply to Windows 8/8.1 desktop applications. For instructions on how to monitor Windows 8/8.1 desktop applications, see the section above, Windows desktop applications.

Note
To monitor file access on Windows 8 Store apps, you must first add RuntimeBroker.exe as an endpoint application, and monitor file access on this application. For Windows 8.1 store apps, you must also add BulkOperationHost.exe and FileManager.exe. The endpoint monitors all Windows Store apps accessing files through the runtime broker and not just the designated app. RuntimeBroker.exe is a Windows desktop application, so follow the instructions in Windows desktop applications to add this as an endpoint application.

To import Windows 8 Store apps, select Main > Resources > Applications > New Application. See Endpoint Applications.

Windows 8 Store apps are identified by their application name. You should use this name in the executable name field on this screen. Wildcards are supported.

To identify the application name:

1. Open PowerShell (run as administrator if you want to collect Windows 8 Store apps for all users, or run as the current user if you want to collect apps for the current user).

2. Run the command “Get-AppXpackage -Allusers” to list apps for all users (requires you to run PowerShell as administrator).
   or
   Run the command “Get-AppXpackage” to list apps for the current user.

3. Find the application name located in either the Name field or PackageFullName field.
   a. When entering the value from the Name field into Forcepoint DLP, you must add the wildcard “*” after the application name (e.g., microsoft.microsoftonedrive*). This method allows for greater flexibility when the app version changes.
   b. When entering the value from the PackageFullName field into Forcepoint DLP, no wildcard is necessary, but you will need to update the value if the app version changes.

Mac Applications

To import Mac applications, select Main > Resources > Applications > New Application. See Endpoint Applications.

To find the value to enter for Mac applications:

1. Locate the application you want to monitor.

2. Right-click on the application and click Show Package Contents.

3. Open the file info.plist in the Contents folder.

4. Look for the key(s) CFBundleName and enter the value of the string(s) under it (e.g., for “<string>Example</string>” enter “Example”).

5. If there is no key by that name, or no info.plist file, use the process(es) name(s).

If there are multiple CFBundleName keys and/or multiple string entries below the key(s), each string value must be added separately.

Very rarely, apps will launch other processes along with the main application. These processes should be added as endpoint applications as well. To know what processes belong to an app, you need to see what processes are created when opening an application, for example by using Activity Monitor.
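The Mac lookup in steps 1 to 5 above can be scripted when many bundles have to be checked. The Python below is an added example, not Forcepoint code: the function names and the sample bundles are constructed here, and it assumes a process is named after its executable file in Contents/MacOS.

```python
import plistlib
import tempfile
from pathlib import Path


def names_to_register(app_bundle):
    """Return the values to enter for one .app bundle, following the steps above."""
    contents = Path(app_bundle) / "Contents"
    info = contents / "Info.plist"
    names = []
    if info.is_file():
        with info.open("rb") as fh:
            # plistlib reads XML and binary plists; a repeated key keeps its last value.
            plist = plistlib.load(fh)
        value = plist.get("CFBundleName") if isinstance(plist, dict) else None
        # One string, or several strings under the key: each is a separate entry.
        candidates = value if isinstance(value, list) else [value]
        names = [v.strip() for v in candidates if isinstance(v, str) and v.strip()]
    if not names:
        # Fallback from step 5: process names. Assumption: a process is named
        # after its executable file in Contents/MacOS.
        macos = contents / "MacOS"
        if macos.is_dir():
            names = sorted(p.name for p in macos.iterdir() if p.is_file())
    return names


def build_sample_bundle(root, name, plist=None, executables=()):
    """Create a constructed .app layout on disk so the lookup can be exercised."""
    contents = Path(root) / f"{name}.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    for exe in executables:
        (contents / "MacOS" / exe).write_bytes(b"")
    if plist is not None:
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump(plist, fh)
    return contents.parent


def demo():
    """Four constructed bundles: one name, several names, no key, no plist."""
    with tempfile.TemporaryDirectory() as tmp:
        bundles = [
            build_sample_bundle(tmp, "Example", {"CFBundleName": "Example"}, ["Example"]),
            build_sample_bundle(tmp, "Multi", {"CFBundleName": ["Multi", "Multi Helper"]}, ["multi"]),
            build_sample_bundle(tmp, "NoName", {"CFBundleExecutable": "noname"}, ["noname", "noname-helper"]),
            build_sample_bundle(tmp, "NoPlist", None, ["tool"]),
        ]
        return [names_to_register(b) for b in bundles]


if __name__ == "__main__":
    for names in demo():
        print(names)
```

Because a repeated CFBundleName key collapses to its last value in plistlib, a bundle with duplicate keys still needs the manual check described above.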

© 2017 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.
