DeviceLock DLP Questions & Answers
- What is DeviceLock Endpoint DLP Suite, and what does it do?
DeviceLock Endpoint DLP Suite is a policy-based endpoint Data Loss Prevention (DLP) security solution that controls and logs user access to ports, devices, network protocols, and certain applications.
Using DeviceLock Endpoint DLP Suite, an administrator can control user access to any port, device type or network interface: USB and FireWire, infrared, serial and parallel ports, Wi-Fi and Bluetooth adapters, tape, internal and external disk drives, smartphones, clipboard, SMTP and SMTP-SSL e-mail sessions, HTTP and HTTP-SSL web sessions, web mail and social networks, instant messenger sessions, file exchange over FTP and FTP-SSL, Exchange (MAPI) email, local shares and web-based file sharing cloud services, Telnet sessions, and more. IPv4 and IPv6 are supported.
DeviceLock Endpoint DLP offers Virtual DLP to mitigate the threat of data loss in desktop and application virtualization scenarios from major vendors, such as Microsoft, Citrix and VMware.
DeviceLock Endpoint DLP Suite thoroughly audits and shadows user, port, peripheral device, protocol and data exchange activities.
Administrators can now be conditionally alerted via SMTP email or SNMP traps.
DeviceLock Endpoint DLP Suite allows IT security administrators to set and enforce policy governing data exfiltration via any of the pathways listed above, thereby preventing the loss or leakage of sensitive data from the organization.
- How would you categorize the DeviceLock Endpoint DLP Suite? What sort of product is it?
DeviceLock Endpoint DLP Suite is a Data Loss Prevention solution, which means it is designed to prevent corporate data from leaking out of the corporate network or off corporate-controlled BYOD laptops/devices through deliberate malicious intent, negligence, or through an unintentional mistake.
Solutions that prevent corporate data leakage through various data storage and transfer channels, such as e-mail, Internet services, computer peripheral devices, removable media, etc., are generally referred to as “DLP products” or “DLP solutions”.
A DLP solution must be capable of intercepting and analyzing transferred files and messages, and then determining whether to block, allow and/or audit and shadow the transfer based on predefined policies that the IT security administrator or CISO/IAM team has put in place.
A DLP solution must also allow for the collection of event logs and archival copies of data in question for use in forensic analysis.
- What are some of the benefits of deploying DeviceLock Endpoint DLP?
Data loss prevention and logging of data movement are obviously the primary missions of any DLP solution. The scope of such a solution, however, is broad enough to address a number of other security challenges:
- Help meet industry-standard or statutory data security compliance mandates (e.g. SOX for US public companies, HIPAA for US health care, PCI for credit card handling, etc.) or enforce internal written data handling policies that also require confirmation of control or monitoring;
- Avoid disruptive and damaging distractions caused by dissemination of sensitive information to the wrong people at the wrong time;
- Prevent inappropriate or non-work-related use of Internet and network resources;
- Help protect the corporate network from the introduction of spam, viruses and other malware onto endpoints by controlling and limiting access to network protocols, and by preventing the use of unknown devices that employees may bring into the workplace;
- Help optimize bandwidth usage by controlling unauthorized network traffic and by leveraging Quality of Service (QoS) controls for the solution’s handling of shadowed data.
- Can the product control the actions of specific users or is it simply deployed the same way for all users?
DeviceLock Endpoint DLP Suite security policy is by definition computer-based, but the solution provides very granular and flexible Permission List/White List access and audit parameters for specified users and groups to all managed device types, ports, and protocols, whether they are Active Directory domain, LDAP domain, built-in Windows user contexts, or even local computer accounts.
- What is content analysis required for?
Content analysis technologies are useful when basic contextual control of data transfer channels is not sufficient to attain an objective and in-depth control of the transferred data itself is needed, e.g. checking the data for sensitive information when no ports, interfaces or other transfer channels are otherwise restricted.
Content analysis techniques also allow checking data flows selectively based on sender (and in some cases recipient) context, reducing the number of false positives, and creating shadow copies of data depending on its verified content.
DeviceLock uses various detection technologies: administrator-created regular expression (RegEx) patterns with numerical conditions and Boolean combinations of matching criteria and keywords, keyword search, true file type detection, predefined pattern groups (credit card numbers, addresses, passport/social insurance numbers, etc.), built-in industry-specific dictionaries, file properties (name, size, password protection, date/time, text data), Oracle IRM parameters, and more.
- What are regular expressions or patterns required for?
Perl-style regular expressions are one of the most powerful and effective content analysis methods used by ContentLock to detect structured data such as government-assigned social service numbers, banking codes, health care codes, e-mail addresses, document metadata, card and phone numbers, etc.
Regular expressions define reference patterns against which files and managed session data are compared for explicit matches. Matches are further conditioned by contextual parameters such as users and user groups, computers, ports or interfaces, device and channel types, data transfer direction, date/time ranges, and numerical thresholds with duplicate handling, among 50+ parameters available when creating the rules.
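As an added illustration (not DeviceLock's code; its built-in pattern groups and 50+ contextual parameters are not reproduced here), the following Python shows the shape of such a rule, including the credit card case asked about in the next question: a regular expression finds candidate card numbers and e-mail addresses in a constructed sample message, a Luhn check discards digit runs that merely look like card numbers, duplicates are collapsed so a repeated address counts once, and a numerical threshold turns the distinct-hit count into a block/allow decision. The rule set, thresholds and sample text are assumptions for the demo.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample message (not real data): two valid test card numbers, one
# 16-digit tracking id that fails Luhn, and one e-mail address repeated.
SAMPLE_TEXT = """Order confirmation for customer 4111 1111 1111 1111 and backup card
5500-0000-0000-0004. Tracking id 1234567812345678 is not a card (fails Luhn).
Contact: alice@example.com, bob@example.com, alice@example.com"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out 13-16 digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def digits_only(s: str) -> str:
    """Canonical form for card numbers: drop spaces and dashes before comparing."""
    return re.sub(r"\D", "", s)


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    threshold: int                                     # distinct hits needed to trigger
    normalize: Callable[[str], str] = lambda s: s      # canonical form for de-duplication
    validate: Optional[Callable[[str], bool]] = None   # post-match check on the normalized hit


# Assumed rule set for the demo; DeviceLock's built-in pattern groups are not reproduced.
RULES = [
    # 13-16 digits, optionally separated by single spaces or dashes, then Luhn-validated.
    Rule("credit_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), threshold=1,
         normalize=digits_only, validate=luhn_ok),
    # A single address is routine; three distinct addresses in one message trips the rule.
    Rule("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), threshold=3,
         normalize=str.lower),
]


def scan(text: str, rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Return, per rule, the sorted distinct validated hits (a repeated value counts once)."""
    hits: Dict[str, List[str]] = {}
    for rule in rules:
        found = set()
        for m in rule.pattern.finditer(text):
            value = rule.normalize(m.group(0))
            if rule.validate is None or rule.validate(value):
                found.add(value)
        hits[rule.name] = sorted(found)
    return hits


def decide(text: str, rules: List[Rule] = RULES) -> str:
    """'block' when any rule reaches its distinct-hit threshold, otherwise 'allow'."""
    hits = scan(text, rules)
    return "block" if any(len(hits[r.name]) >= r.threshold for r in rules) else "allow"


if __name__ == "__main__":
    print(scan(SAMPLE_TEXT))
    print(decide(SAMPLE_TEXT))
```

The validator is what keeps the false-positive rate down: without Luhn, the tracking number would match the card pattern, and without normalization the same address written in different case would count as separate hits.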
- Can the transfer of data containing e.g. credit card or passport numbers be restricted with DeviceLock?
Yes, it can. The task is performed by the ContentLock component, which analyzes and filters data content. DeviceLock checks the transferred data against built-in RegEx patterns, or the administrator can copy and customize the appropriate RegEx pattern template to detect other variations of the targeted data or to flag common attempts to get around the standard pattern rule.
- Is DeviceLock capable of “passive mode” functioning, i.e. not restricting data transfer, but logging and shadow copying?
Yes, DeviceLock is capable of functioning in any administrator set mode. We also call this “observation mode”.
In cases where access to ports, devices, or network protocols is not blocked or content-filtered by policy, logging and data shadowing can still be active, keeping records in the audit and shadow logs (“passive mode”).
If a restrictive access policy is active, DeviceLock DLP blocks the transfer and prevents data leakage on a controlled endpoint in real time.
- What is the critical distinction between DeviceLock and other competitive DLP solutions?
First off, DeviceLock Endpoint DLP is a targeted best-of-breed point solution that is designed exclusively to prevent data leakage at the endpoint layer. It is not an appliance, antivirus by-product, or limited module that you might find in other “Endpoint Security” protection suites.
DeviceLock Endpoint DLP Suite has no required hardware elements that wouldn’t already be in place, which significantly reduces the typical costs of implementation and maintenance.
Historically, DeviceLock evolved as a product with every feature necessary to prevent data leakage through peripheral devices and ports, and compared to competing port/device control solutions it still has the broadest feature set for that task. The NetworkLock and ContentLock components introduced in 2011 promoted the product to the class of fully-featured DLP solutions by covering the most commonly used network channels and applying the most effective techniques of content analysis and filtering.
Since 1996, DeviceLock has been an EDPC top performer; since 2011, the product has been a DLP trendsetter. A number of product features (e.g. control of the mobile device local synchronization channel) are unique and patented.
“Try Before You Buy” is an important competitive distinction of DeviceLock. Having nothing to conceal from our existing and potential customers, we stick to the principle of total transparency by providing a freely available trial version for 30 days. One can learn about DeviceLock on their own or engage with our technical pre-sales team or local VARs for additional assistance.
Provided that sufficient time and system administration skills are available, there is no obstacle to installing and maintaining the product: comprehensive installation guides, videos, a knowledge base, other self-service resources, documentation and technical support are available whether or not a license has been purchased. The 30-day trial version is fully functional for a limited number of computers, which gives any potential customer the opportunity to form an opinion about the product and to identify the differences between DeviceLock and competing DLP solutions.
Another advantage of DeviceLock DLP is that all modules are pre-integrated and deployed “sight unseen” with the core platform with module-based licensing that allows for the ability to phase desired modules of the DLP solution into the environment when ready by simply turning licensing on and configuring settings. This reduces the costs and labor contribution to both the initial rollout and ongoing maintenance.
As of 2012, DeviceLock's installed base is more than 4 million controlled endpoints worldwide, which is direct evidence of the solution's reliability across highly varied hardware, software and security-policy environments, as well as of its cost-of-ownership advantages.
The largest rollout (as of 2012) is 71,000+ endpoints. The list of DeviceLock's loyal and repeat customers includes large enterprises, banks, government, municipal and military institutions.
- Is there a server component of DeviceLock and what does it serve as?
There are two server components in the suite: DeviceLock Enterprise Server (DLES) and DeviceLock Content Security Server, and both require a Microsoft SQL or SQL Express database. They are referred to as “server” components as they generally need to run on Windows “server” class operating systems due to the concurrent connection limitations of “workstation” class clients. They can be hosted on virtual servers and/or piggyback on existing servers that have available user-connection bandwidth during the day (“backup”, “staging”, “patch” servers, etc.).
The DeviceLock Enterprise Server component is not critical to administration and is only necessary if the customer intends to centrally aggregate audit and shadow data for reporting and forensic analysis. In mid-to-large environments there would generally be multiple DLES instances performing the collection tasks. The server module does not perform any endpoint management tasks (DeviceLock agents receive their access control policies either via Active Directory Group Policy objects or directly from the DeviceLock administrative consoles), nor does it store DLP policy settings.
The customer does not need to purchase licenses for the DeviceLock Enterprise Server component, as it is included with the DeviceLock Core module licensing that is tied to the number of endpoints being managed. The server can be installed and used in any number of instances required for efficient collection of audit and shadow data. DeviceLock agents can have audit data and shadow copies pulled back by any number of DeviceLock Enterprise Servers to the back end SQL and folder repository. Traffic optimization with stream compression, fastest server response history, and Quality of Service settings is included.
The DeviceLock Content Security Server is an additional component used to perform other security reporting related tasks. There is one server function (DeviceLock Search Server-DLSS) included now, and more coming.
Search Server provides full-text indexing and search of logged data and shadow files collected by the DeviceLock Enterprise Servers and placed in the common Microsoft SQL/SQL Express and folder repository. These search capabilities make it easier and more efficient to manage the increasing amount of data in DeviceLock Enterprise Server databases to validate and/or assist in tuning security policies.
Search Server can automatically detect, index, find and display documents of many formats including Adobe Acrobat (PDF), Ami Pro, archives (GZIP, RAR, ZIP), Lotus 1-2-3, Microsoft Access, Microsoft Excel, Microsoft PowerPoint, Microsoft Word, Microsoft Works, OpenOffice, Quattro Pro, WordPerfect, WordStar and many more.
Note that in most cases the customer does need to purchase a separate license to use the Search Server component. Licensing is based on the desired maximum number of indexed/searchable documents and log entries.
- Is there an option to set various policies for office- and off-hours?
Yes, there is. An administrator can selectively set hour-of-day and day-of-the-week intervals for every applied DLP policy. These settings are per user/group and per device type/port/protocol, as desired.
- Is there an option to configure various access control policies for laptops in- and out of the corporate network?
Yes, there is. DeviceLock supports separate on- and off-corporate-network security policies. This way you can have one policy when the laptop is behind the corporate firewall/DMZ and a totally different policy when the laptop is out in the wild.
- What is on- or offline security policy?
Those are two different sets of DLP policies, Regular and Offline, which the DeviceLock agent applies automatically to a controlled endpoint depending on its network status. The Offline policy can be triggered by one of several detection methods: whether the laptop authenticated with cached or confirmed Windows credentials, whether it can connect to any of its known DeviceLock Enterprise Servers, or whether it is in a wired or wireless state.
- Can I view user transferred data later?
Yes, you can. Once an administrator instructs DeviceLock to make shadow copies, the transferred data is saved for later analysis. Shadow copies can either be stored on controlled endpoints or centrally collected into a DeviceLock Enterprise Server repository.
- What is Shadow Log? Can I search data in it?
The Shadow Log of the DeviceLock Enterprise Server is a repository that generally uses Microsoft SQL for log entries with file pointers and a folder structure for the shadowed files themselves. You can search it either with the built-in viewer's filtering and sorting, or by means of the full-text Search Server.
- How much free space is required for a shadow database?
Highly customer specific. There are correlations between selected DLP access/audit/shadow policy, channels shadowed, traffic generated by controlled employees, size of files, and retention period.
You can learn more in this Knowledge Base article: http://devicelock.com/support/kb_view.html?ID=14802&find_message=devicelock+enterprise+server+requirements&find_kb_category_id=0
- Does DeviceLock impact the performance of data copy operations to removable storage devices?
No, unless content analysis rules apply to the transferred data. In that case, the speed depends directly on the complexity of the effective rule set as well as on the size of the transferred data.
- Does DeviceLock impact the Internet, or network performance in general?
No, unless content analysis rules apply to the transferred data. In this case, the speed directly depends on the complexity of the effective set of rules, as well as on the size of transferred data.
Generally, DeviceLock does not impact local networking performance.
Audit and shadow data transfer is a background process that can be flexibly configured in order to distribute the network load, stream-compress the data, use Quality of Service (QoS) priority levels, and allow for the installation of several instances of the DeviceLock Enterprise Server component to improve efficiency of collection.
Data transfer control
- What data leak channels does DeviceLock Endpoint DLP Suite control?
DeviceLock Endpoint DLP Suite controls virtually every local I/O channel on controlled computers, including peripheral devices and interfaces, the clipboard, locally connected smartphones and PDAs, as well as the printing channel (local, network, and virtual printers), using the core DeviceLock component.
The NetworkLock component controls e-mail messaging via open or SSL-encrypted SMTP sessions (messages and attachments separately), web mail, MAPI/Exchange, web access and other HTTP/HTTPS applications, many instant messengers (including Skype), many social networking and file sharing web sites, file transfer via FTP or FTP-SSL protocols, and Telnet sessions.
You can find the specs at http://www.devicelock.com/products/specs.html
- Can I control device write operations by file type?
Yes, you can. You can allow or deny access to specified verified file types regardless of the permissions set for a device or protocol, and flexibly set shadow copying policy by file type in order to decrease the volume of data stored on the server. File type detection is signature based and does not depend on the file name extension. 4,000+ true file types are supported.
- What file types are supported by the content analysis system?
DeviceLock Endpoint DLP Suite controls file types on two levels:
- The first level of control is performed by the core DeviceLock and NetworkLock components in order to optimize the control process. You can allow or deny access to selected file types regardless of access permissions set for a device or a protocol, as well as set shadow copying policy in order to decrease the volume of server stored data. The definition of file type is signature based and not dependent on file name extension. 4,000+ file types are supported;
- The second level of control is performed by ContentLock component analyzing the content of transferred files or data. More than 80 file formats, including Microsoft Office, Adobe PDF, OpenOffice, Lotus 1-2-3, WordPerfect, WordStar, Quattro Pro, e-mail archives and repositories, CSV, DBF, XML, Unicode, GZIP, RAR, ZIP are supported.
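To make the point about signature-based detection concrete, here is an added Python example (not DeviceLock's detection engine; its 4,000+ type table is not public here) with a small illustrative magic-number table. It classifies content by its leading bytes, looks inside ZIP containers to tell a .docx from a plain archive, and applies a write-deny list by true type so that a Word document renamed to notes.txt is still treated as docx. The signature subset, the OOXML member prefixes and the sample files are assumptions.

```python
import io
import zipfile
from typing import Set, Tuple

# Signature table: (type name, offset, magic bytes). Assumption: a small illustrative
# subset; a real product ships thousands of entries, some at non-zero offsets.
SIGNATURES = (
    ("pdf",  0, b"%PDF-"),
    ("png",  0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("gzip", 0, b"\x1f\x8b"),
    ("exe",  0, b"MZ"),
    ("zip",  0, b"PK\x03\x04"),
)
# OOXML documents are ZIP containers; the member directory reveals the Office type.
OOXML_PREFIXES = (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx"))


def _refine_zip(data: bytes) -> str:
    """A ZIP header alone is ambiguous: distinguish Office documents from plain archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"  # ZIP magic but a malformed container; still treat it as an archive
    for prefix, kind in OOXML_PREFIXES:
        if any(n.startswith(prefix) for n in names):
            return kind
    return "zip"


def true_type(data: bytes) -> str:
    """Classify content by magic bytes; the file name is deliberately not consulted."""
    for kind, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return _refine_zip(data) if kind == "zip" else kind
    return "unknown"


def claimed_extension(filename: str) -> str:
    """What the name says the file is; reported alongside the verdict for the audit log."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def write_decision(filename: str, data: bytes, denied_types: Set[str]) -> Tuple[str, str, str]:
    """Allow/deny a write to removable media by true type. Returns (decision, true type, ext)."""
    kind = true_type(data)
    decision = "deny" if kind in denied_types else "allow"
    return decision, kind, claimed_extension(filename)


def make_docx() -> bytes:
    """Constructed sample: a minimal OOXML-like container (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    denied = {"docx", "exe"}
    # The document is renamed to look like a text file; the verdict ignores the name.
    print(write_decision("notes.txt", make_docx(), denied))
    print(write_decision("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60, denied))
    print(write_decision("notes.txt", b"plain text", denied))
```

Returning the claimed extension next to the detected type is useful for the audit trail: a persistent mismatch between the two is itself a signal worth alerting on.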
- Can a text-containing image, e.g. a scan of a document, be analyzed?
Currently there is no OCR module in DeviceLock Endpoint DLP Suite. Interception and control of transferred data happen at the very moment the data is sent, and OCR is highly resource-intensive, so combining DLP and OCR would inevitably slow data transfer significantly, making it impractical at least at this stage of computing technology.
Nevertheless, DeviceLock Endpoint DLP Suite can recognize that text is embedded in graphics, compute its percentage of the overall document size, and apply control policies based on that ratio.
- Can social networks, e.g. Facebook or Twitter, be controlled?
Yes, they can. NetworkLock component allows controlling and logging chats and file or data transfer in Google+, Facebook, Twitter, LiveJournal, LinkedIn, MySpace, and more.
You can find the list at http://www.devicelock.com/products/specs.html
- Can DeviceLock Endpoint DLP Suite control instant messengers and e-mail?
Yes, it can. NetworkLock component allows controlling and logging chats and files or data transferred via e-mail or instant messengers.
The supported messengers include Skype, ICQ/AOL, MSN Messenger, Jabber, IRC, Yahoo! Messenger and Mail.ru Agent.
E-mail control capabilities include SMTP/SMTP over SSL, listed Webmail services, and MAPI protocols.
Find the specs at http://www.devicelock.com/products/specs.html
- Can DeviceLock Endpoint DLP Suite control Skype?
Yes, it can. NetworkLock component controls Skype at endpoint level by integrating itself into the Skype client.
It intercepts and analyzes Skype traffic that includes group chats, transferred files, audio and video chats.
Text chats and transferred files can be shadowed while shadow copying of audio and video chats is planned for future versions.
A unique Skype control related feature is the ‘Network Protocols White List’ allowing administrators to limit participants of a chat to specified user accounts included in the approved list.
Moreover, using the ContentLock component, administrators can flexibly define a Skype control policy that includes chat content control, checks on the content, size, type and other parameters of transferred files, allowed hours, and more.
- What webmail services can DeviceLock Endpoint DLP Suite control?
NetworkLock component controls and logs mail messages and attachments sent and received via Gmail, Yahoo!Mail, Windows Live Mail, AOL Mail, Mail.ru, Yandex Mail, Rambler-Mail, GMX.de, and Web.de services.
Check the list at http://www.devicelock.com/products/specs.html
- What web sites are DeviceLock Endpoint DLP Suite capable of controlling?
There is no dedicated URL-filtering web site control feature in the NetworkLock component. Any HTTP/HTTPS traffic, regardless of site category, can be controlled and content-filtered, and convenient groupings such as Social Networks, Webmail, and File Sharing Services are provided in the Suite. Please refer to the product documentation for details of the control capabilities; they are too numerous and flexible to describe within this FAQ.
- Can DeviceLock Endpoint DLP Suite intercept data transferred via encrypted SSL channels?
Yes, it can. NetworkLock component allows intercepting and analyzing data transferred via SSL protected protocols: HTTPS, FTPS, SMTP over SSL, encrypted messenger protocols.
- Can a specific flash drive be allowed for a specific user account?
Yes, it can. ‘USB Devices White List’ feature supports authorization of a USB device, based on its model number (VID+PID) or unique internal serial number (VID+PID+DID).
- Can an employee be notified about the reason of access denial?
Yes. DeviceLock has a feature of displaying pop-up messages to users when they try to access a number of controlled channels and are blocked from doing so by policy.
- Is content analysis inside archives or documents supported?
Yes, it is. DeviceLock is capable of analyzing archives, including nested archives of any depth. In case a sub-archive is password protected, an administrator can block the transfer of the whole archive.
DeviceLock is also capable of analyzing files embedded into MS Office or Adobe PDF documents.
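The following added Python example (not DeviceLock's own code) shows the recursive archive walk this answer describes: ZIP members are inspected depth-first, a nested archive is descended into, a member whose header carries the encryption flag is reported as password-protected rather than silently skipped (so the whole transfer can be blocked), and a nesting-depth limit guards against pathological archives. The keyword rule, the depth limit and the sample archives are assumptions; because the standard library cannot write encrypted entries, the sample sets the encryption bit in the headers of a constructed archive.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_DEPTH = 8               # assumption: sane nesting limit, also a zip-bomb guard
KEYWORD = b"CONFIDENTIAL"   # assumption: stands in for the real content-analysis rules


@dataclass(frozen=True)
class Finding:
    path: str     # e.g. "<upload>/inner.zip/secret.txt"
    reason: str   # "password-protected" | "sensitive-keyword" | "nesting-depth-exceeded"


def scan_archive(data: bytes, path: str = "<upload>", depth: int = 0,
                 findings: Optional[List[Finding]] = None) -> List[Finding]:
    """Recursively inspect ZIP members; an encrypted member is reported, not skipped."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append(Finding(path, "nesting-depth-exceeded"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an archive: treat as a plain file and apply the content rule directly.
        if KEYWORD in data:
            findings.append(Finding(path, "sensitive-keyword"))
        return findings
    with zf:
        for info in zf.infolist():
            entry = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:          # general-purpose bit 0: entry is encrypted
                findings.append(Finding(entry, "password-protected"))
                continue                      # content cannot be inspected without the key
            content = zf.read(info.filename)
            if content.startswith(b"PK\x03\x04"):
                scan_archive(content, entry, depth + 1, findings)
            elif KEYWORD in content:
                findings.append(Finding(entry, "sensitive-keyword"))
    return findings


def verdict(data: bytes, block_on_encrypted: bool = True) -> str:
    """'block' if any member is uninspectable (encrypted or too deep) or matches the rule."""
    for f in scan_archive(data):
        if f.reason == "password-protected" and not block_on_encrypted:
            continue
        return "block"
    return "allow"


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample data: an in-memory ZIP with the given members (stored, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Sample-data helper: set the 'encrypted' flag (bit 0) in every local and central header.
    zipfile cannot write encrypted entries, so the bit is patched in; the payload stays in the
    clear, but any ZIP reader will now treat the member as password-protected."""
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            data[i + flag_offset] |= 0x01
            i = data.find(sig, i + len(sig))
    return bytes(data)


# Outer archive with a harmless text file and a nested, password-protected archive.
SAMPLE_OUTER = build_zip({
    "readme.txt": b"nothing to see",
    "inner.zip": mark_encrypted(build_zip({"secret.txt": b"CONFIDENTIAL"})),
})

if __name__ == "__main__":
    for f in scan_archive(SAMPLE_OUTER):
        print(f.path, f.reason)
    print(verdict(SAMPLE_OUTER))
```

Blocking on an encrypted sub-archive is a policy choice, not a detection result: the scanner cannot see inside it, so the only safe default is to treat "uninspectable" as "not allowed", which is what the administrator option in the answer above amounts to.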
- Can DeviceLock Endpoint DLP Suite encrypt flash drives?
DeviceLock relies on third-party and open-source encryption products, detecting and verifying their encrypted volumes, rather than implementing encryption features of its own; this avoids the licensing, exportability and cost issues of built-in proprietary encryption technologies.
DeviceLock Service can detect disks (USB flash drives and other removable media) encrypted by third-party products and apply special “encrypted” access permissions to them while restricting access to “generic” (unencrypted) partitions. This allows more flexible access control policies and helps prevent sensitive data from being written to unencrypted media.
DeviceLock supports BitLocker To Go, TrueCrypt, DriveCrypt, PGP Whole Disk Encryption, Sophos Safeguard Easy, SafeDisk, and more for detecting and verifying removable partition encryption.
Find the list at http://www.devicelock.com/products/specs.html.
- Can DeviceLock Endpoint DLP Suite control network printers?
Yes, it can. DeviceLock controls local, network and virtual printers from the endpoint’s perspective and can also create shadow copies of printed data. Moreover, content analysis and filtering of printed data is provided as well.
- Do files written to flash drives get shadow copied?
Yes, provided that shadow copying is configured in general or contingent on file content.
- Can the content of files written to flash drives be controlled?
Yes, it can. ContentLock component can analyze and filter data written to removable devices.
- Does DeviceLock Endpoint DLP Suite oversee terminal sessions and virtual environments?
Yes, it does. Microsoft RDP and RemoteFX, Citrix XenDesktop, Citrix XenApp, and virtualization solutions by VMware and Microsoft (Hyper-V) are supported.
Supporting Citrix application virtualization and application streaming technologies, DeviceLock can control the access of any application (and any user working with it) to any data transfer channel regardless of the transport the application uses. The DeviceLock agent is installed on the host computer where the application executes, and the policy rules govern access, auditing and shadowing just as though the user were logged on locally.
- Can a user overcome DeviceLock protection?
If a skilled user is determined to steal confidential information at all costs, sooner or later he or she will find a way, regardless of which DLP system is deployed. This means a DLP product must not only be used but also be implemented and maintained correctly in order to protect data from a technically competent insider.
Nevertheless, an employee who tries to overcome DeviceLock security policy by switching off the access restriction for a device or protocol will not succeed, provided that the administrator has properly configured the product's self-protection feature, ‘DeviceLock Administrators’.
- Can a local administrator disable DeviceLock?
The ‘DeviceLock Administrators’ feature provides sufficient protection even against local administrative user accounts. No one but authorized administrators can stop or disable DeviceLock agent when the protection is enabled. This applies to members of local Administrators group as well.
Protection of DeviceLock files and system registry keys (including the keys holding the applied DLP policy) from unauthorized modification, driver unhook protection (anti-rootkit), and monitoring of policy consistency and integrity, with automatic repair of the local policy to match the master policy, together build a comprehensive self-protection system*. This protection also applies in Windows Safe Mode.
*The necessary technical measures are expected to be in place: restricting system boot to the system drive, restricting access to the BIOS/firmware setup, and preventing system restores to a point prior to DeviceLock's installation. Otherwise a user could bypass the protection.
- What happens when a user makes a screenshot of a document and writes it to a flash drive?
Screenshots are either made using standard Windows PrintScreen functionality, or using a third-party application. Clipboard is the place where screenshots are stored when made.
DeviceLock can control access to all of the above. An administrator can selectively block PrintScreen or third-party application screenshot tools, and control the clipboard. DeviceLock policy can be configured to block and log clipboard data transfer between applications (e.g. from Microsoft Word to Microsoft Excel, or OpenOffice). Contextual control of user access to clipboard operations is performed on object and data type level including text, graphical, audio or unrecognized data.
Installation and management
- How many endpoints can be controlled by an instance of DeviceLock Enterprise Server?
Unlimited. The server components of DeviceLock do not carry the load of managing the agents, and, unlike many other DLP systems, the network traffic is controlled on the endpoints rather than at a gateway appliance/server that could become a bottleneck.
- How many accounts can DeviceLock DLP control?
Unlimited. The largest DeviceLock installation now is over 71,000 endpoints in one enterprise.
- Are there central management capabilities in DeviceLock Endpoint DLP Suite?
Definitely. Agent deployment, installation, uninstallation and update, as well as DLP policy management, can be performed remotely and centrally using the traditional DeviceLock consoles. The most powerful and effective way to manage DeviceLock centrally, however, is via Active Directory Group Policy, using DeviceLock's MMC snap-in console within the Microsoft GPMC or ADUC interfaces.
- Can DeviceLock be installed automatically (without user interference)?
Yes, it can. Run DeviceLock setup with the “/s” parameter (e.g. ‘setup.exe /s’).
Learn more about unattended (silent) setup in the DeviceLock User Manual.
- Can I install DeviceLock without local administrative privileges?
No, you cannot. Local administrative privileges are required to install DeviceLock. In a domain, you will need domain administrative privileges as well.
- What are recommended hardware requirements for a computer to install an instance of DeviceLock Enterprise Server (DLES) on?
This is unique to each customer and implementation. Hardware and storage requirements cannot be stated precisely without knowing the server's working load (type of information collected; number, type and size of files shadowed), the network architecture, the number of DLES collection instances employed, the SQL server configuration, and the access, audit and shadow policies set by the administrator. In practice, the requirements can only be determined by testing the product in each specific environment over a relevant period of time. There are, however, general recommendations for effective performance of DeviceLock Enterprise Server (DLES).
Windows Server operating systems can generally handle approximately 150 concurrent service-to-service agent connections (instances of DeviceLock Service running on controlled client computers from which log and shadow data are being collected). It is usually recommended to start with at least two DLES instances, for load balancing and for contingency if one instance is down or too busy. Where possible, they should all point back to the same SQL and folder repositories. This configuration requires 1 GB of RAM if no SQL Server runs on the same computer, and twice as much (2 GB) if SQL Server (or SQL Express) is installed and running there and shadow files are stored on disk. If files are stored in the SQL database instead (not the default or recommended setting), double that again (4 GB). NOTE: it is best to store shadow files in a folder repository (the default), with the Shadow Log entries simply linking to those file locations.
If there are thousands of controlled computers in your network, it is strongly recommended to install two or more DeviceLock Enterprise Servers with the Many-To-One scenario described above (see DeviceLock User Manual for details). In this case, you do not need to install another instance of SQL Server, provided that there already is one instance installed on another computer (that with 2 GB of RAM, minimum).
- Is there a need to install DeviceLock agents to controlled computers?
Yes, there is. Access to peripheral I/O ports, devices and network protocols is controlled at the very moment of an attempt to access them. Moreover, external device control is impossible to ensure without a locally installed agent. Hence, installing DeviceLock agents to controlled endpoints is a must.
- Is there a need to install DeviceLock agents to endpoints in order to control network protocols?
Yes, there is. The NetworkLock component controlling network protocols is integrated into the DeviceLock agent platform and gets installed to endpoints with the core module agent. It is dormant unless licensed and/or configured, but already “deployed” when ready to use.
- Is there a need to reboot an endpoint after DeviceLock agent has been installed?
No, there typically is not a need to reboot, but that sometimes depends on the installation method (Group Policy MSI, SCCM, DLEM console, other software distribution tools, etc.).
- Is there support of Group Policy in a Windows domain?
Yes, there is. It is one of our primary differentiating architectural features vs. other solutions. Moreover, DeviceLock is fully integrated, meaning an administrator can deploy/update/uninstall DeviceLock agents via Group Policy (including auto-deployment when a computer joins the domain), update DLP policy (DeviceLock policy objects transform into Group Policy objects), manage DeviceLock with the DeviceLock Group Policy Manager snap-in console integrated into the Group Policy Management Console, Active Directory Users & Computers interface, or the Group Policy Object Editor.
DeviceLock agents can be installed to remote computers with a predefined set of DLP policy by deploying a custom installation package (MSI). An administrator can create the package using the DeviceLock Management Console (DLMC).
Domain/OU Administrators can check currently applied security policy, or security policy to be applied using the standard Resultant Set of Policy (RSoP) snap-in.
Managing DeviceLock via Active Directory Group Policy is the most convenient and scalable method in networks of any size.
- Is it required to install and manage DeviceLock via an Active Directory domain?
No, it isn’t. DeviceLock can function in a non-domain environment just as it does in a domain setting. Where there is no AD domain, an administrator can use the DeviceLock Enterprise Manager (DLEM) console, designed to centrally manage DeviceLock policy on controlled endpoints in non-domain environments, including various LDAP environments (Novell eDirectory, OpenLDAP, etc.) or even workgroups.
- Can DeviceLock be installed via Microsoft Systems Management Server (SMS) or Microsoft System Center Configuration Manager (SCCM)?
Yes, it can. Find the special DeviceLock.pdf (for SMS 1.x) or DeviceLock.sms (for SMS 2.0 and higher) packages archived in ‘sms.zip’ file in DeviceLock setup package.
- Does DeviceLock conflict with antivirus software?
No, it does not in general.
However, some antivirus software may conflict, since the DeviceLock agent operates at the lowest level of the operating system, the kernel. If a conflict ever occurs, most commercial A/V solutions provide a way to allow, exclude or exempt specific applications. We generally recommend that administrators add DeviceLock to the antivirus exclusion list as a proactive step.
- Can DeviceLock be installed on Mac OS X endpoints?
Yes, it can. Check the list of supported OS at http://www.devicelock.com/products/specs.html
The limitations are:
- One can only install DeviceLock Service agents on Mac computers; DeviceLock consoles and other components can only be installed on Windows computers;
- ContentLock and NetworkLock are not yet supported in DeviceLock Service for Mac.
- Is it secure to use RPC protocol and Server service?
We believe it is. First of all, it must be emphasized that the RPC mechanism is one of the cornerstones of Windows operating systems and networking. The OS cannot be remotely managed properly without it.
Users are not capable of blocking RPC, since the operating system uses it even when not connected to a network.
DeviceLock can significantly reduce the potential RPC-related security threat by using fixed TCP ports for communication between DeviceLock components and by using Group Policy for installations, upgrades, and policy setting updates.
As to the local Server service, it is not required unless deployment and maintenance of DeviceLock agents is performed via Group Policy in an Active Directory domain.
- How do I instruct DeviceLock agents to use a fixed TCP port to communicate with DeviceLock consoles?
By default, DeviceLock Service is using port 9132 for communication with DeviceLock consoles, making it easier to configure a firewall. However, in case this port was unavailable during DeviceLock installation, another port will be selected dynamically.
To instruct DeviceLock Service to use a fixed port, do one of the following:
1. Reinstall DeviceLock Service, specifying a fixed TCP port during installation; or
2. Open Registry Editor on the computer controlled by DeviceLock Service and create the following entry:
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\SmartLine Vision\DeviceLock
- Name: ncacn_ip_tcp[port number], where port number is the fixed TCP port number that you want to use for communication between DeviceLock Service and the DeviceLock management consoles
- Type: REG_SZ
- Value: not used (can be empty)
Once done, restart DeviceLock Service for the settings to take effect.
Now, to connect via DeviceLock consoles to the computer where DeviceLock Service was configured to use a fixed port, you should specify this port in square brackets next to the computer name, e.g. computer_name[port number].
Please note that when you connect to DeviceLock Service using a fixed port, the remote install/update function is disabled, i.e. you cannot install or update DeviceLock Service on remote computers without using dynamic ports. Also, Audit Log Viewer does not work if the TCP port 139 is closed in the firewall.
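The registry procedure above, as an added example for an administrator scripting it on many endpoints (this is not DeviceLock's own script). It assumes two things the answer does not spell out: that the value name carries the port in literal square brackets (so `ncacn_ip_tcp[9132]`), and that the agent is registered as a Windows service with the display name "DeviceLock Service". Run it in an elevated PowerShell on the controlled endpoint.

```powershell
# Added example (not DeviceLock's own script): pin DeviceLock Service to a fixed
# TCP port through the registry entry described above, restart the service and
# confirm that the port is listening.
#
# Assumptions not stated on the page: the value name carries the port in
# literal square brackets (ncacn_ip_tcp[9132]), and the agent runs as a Windows
# service whose display name is "DeviceLock Service".

$SubKey             = 'SOFTWARE\SmartLine Vision\DeviceLock'   # key from the page (under HKLM)
$ServiceDisplayName = 'DeviceLock Service'                     # assumption

function Set-DeviceLockFixedPort {
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port)

    # The .NET registry API is used so that the brackets in the value name are
    # taken literally (PowerShell's *-ItemProperty cmdlets may treat [] as wildcards).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { throw "Registry key HKLM\$SubKey not found; is DeviceLock Service installed?" }
    try {
        # Drop any previously pinned port so exactly one ncacn_ip_tcp[...] value remains.
        foreach ($name in $key.GetValueNames()) {
            if ($name -match '^ncacn_ip_tcp\[\d+\]$') { $key.DeleteValue($name) }
        }
        # REG_SZ whose data is unused ("Value: not used"), so write an empty string.
        $key.SetValue("ncacn_ip_tcp[$Port]", '', [Microsoft.Win32.RegistryValueKind]::String)
    } finally { $key.Close() }

    # The new port is only picked up after a service restart.
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

function Test-DeviceLockFixedPort {
    param([Parameter(Mandatory)][int]$Port)
    # True when a local process has a TCP listener on the pinned port.
    $null -ne (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

Set-DeviceLockFixedPort -Port 9132
if (Test-DeviceLockFixedPort -Port 9132) {
    "DeviceLock Service is listening on TCP 9132; connect from a console as <computer_name>[9132]."
} else {
    Write-Warning 'Nothing is listening on TCP 9132 yet; check the service state and the registry value.'
}
```

The listener check is the part worth keeping: a typo in the value name leaves the agent on a dynamically chosen port, and the console then fails to connect with no hint that the registry entry was ignored. Remember the two caveats from the answer above when adopting a fixed port: remote install/update from the console is disabled, and the Audit Log Viewer still needs TCP 139.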
- How do I set up a firewall in order to remotely manage DeviceLock agents?
You can instruct DeviceLock to use a fixed port, making it easier to configure a firewall. However, in case you are going to use dynamic ports, you need to open:
- Port 135 (TCP) - for Remote Procedure Call (RPC) Service;
- Port 137 (UDP) - for NetBIOS Name Service;
- Port 138 (UDP) - for NetBIOS Netlogon and Browsing;
- Port 139 (TCP) - for NetBIOS session (NET USE);
- All ports above 1024 (TCP) - for RPC communication.
DeviceLock works just like any other built-in Windows administrative tool (Event Viewer or Computer Management), hence if these tools function properly, DeviceLock does, too. Find more information at http://support.microsoft.com/kb/179442/en-us.
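The firewall configuration above, as an added example for endpoints running Windows Firewall (this is not DeviceLock's own configuration). The point a defender should take from it is scoping: the ports the answer lists are opened only to the console hosts, never to every machine on the network. The console addresses, rule names and rule group below are constructed for illustration.

```powershell
# Added example, not DeviceLock's own configuration: inbound Windows Firewall
# rules on a controlled endpoint for remote management by the DeviceLock
# consoles. Console addresses, rule names and the rule group are constructed.

$ConsoleHosts = @('10.0.10.5', '10.0.10.6')   # constructed: DeviceLock console hosts

function New-DeviceLockManagementRules {
    param(
        [Parameter(Mandatory)][string[]]$ConsoleAddress,
        [int]$FixedPort = 0    # 0 = consoles use dynamic RPC ports
    )
    # Every rule is inbound, domain-profile only and limited to the console hosts,
    # so the opened ports are not reachable from arbitrary machines.
    $common = @{
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'
        RemoteAddress = $ConsoleAddress
        Group         = 'DeviceLock management'   # constructed group name
    }
    if ($FixedPort -gt 0) {
        # Fixed-port mode: one TCP port carries the console connection.
        New-NetFirewallRule -DisplayName "DeviceLock Service fixed port $FixedPort" `
            -Protocol TCP -LocalPort $FixedPort @common
    } else {
        # Dynamic-port mode: the ports listed in the answer above.
        New-NetFirewallRule -DisplayName 'DeviceLock RPC endpoint mapper' -Protocol TCP -LocalPort 135 @common
        New-NetFirewallRule -DisplayName 'DeviceLock NetBIOS name service' -Protocol UDP -LocalPort 137 @common
        New-NetFirewallRule -DisplayName 'DeviceLock NetBIOS datagram'     -Protocol UDP -LocalPort 138 @common
        New-NetFirewallRule -DisplayName 'DeviceLock dynamic RPC ports'    -Protocol TCP -LocalPort '1025-65535' @common
    }
    # TCP 139 is needed in both modes: NetBIOS session for dynamic-port management,
    # and the Audit Log Viewer even when a fixed port is used.
    New-NetFirewallRule -DisplayName 'DeviceLock NetBIOS session' -Protocol TCP -LocalPort 139 @common
}

function Get-DeviceLockManagementRules {
    # Lists what the rules above actually opened, for review or change tickets.
    Get-NetFirewallRule -Group 'DeviceLock management' -ErrorAction SilentlyContinue | ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $filter.Protocol; LocalPort = $filter.LocalPort }
    }
}

New-DeviceLockManagementRules -ConsoleAddress $ConsoleHosts -FixedPort 9132
Get-DeviceLockManagementRules
```

Dynamic-port mode opens the whole 1025-65535 TCP range, which is why the remote-address restriction matters; with a fixed port the same rule set shrinks to two ports, which is the simpler configuration the answer recommends.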
- I studied FAQ and product documentation, but have not found an answer to my question. What shall I do?
Check the other sources:
- Support documents PDF library available at http://www.devicelock.com/support/docs.html;
- Web demo at http://www.devicelock.com/dl/demo/contents1.html;
- Forum http://www.devicelock.com/forum/;
- Knowledge Base http://www.devicelock.com/support/kb.html. Find the most common issues and solutions in the ‘How-To’ section of the base (http://www.devicelock.com/support/kb_list.html?find_kb_category_id=1106).
If none of the above helps, please contact the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html.
- I am receiving the error 1722 ("The RPC Server is unavailable") whenever I try to connect to a computer.
The error 1722 means that DeviceLock management consoles cannot access DeviceLock agents on remote computers. There are several possible reasons:
- The remote computer does not exist on the network (the computer's name or IP address is incorrect or this computer was shut down recently but its name still exists in the network browser);
- The remote computer is not a Windows NT 4.0/2000/XP/Vista/7/8 computer and DeviceLock® Service cannot be installed on this computer;
- The remote computer is behind a firewall that was not configured properly (to configure a firewall, please read answer How do I set up a firewall in order to remotely manage DeviceLock agents?);
- The remote computer is on another segment of your network that is not accessible from your segment, i.e. the routing was not configured properly and you cannot access that network's segment at all.
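The four causes above can be checked from the console host before opening a ticket. The following is an added example, not a DeviceLock tool; the host name in the sample call at the bottom is constructed, and the ports it probes are the ones the firewall answer above lists (135 and 139, or the fixed port and 139).

```powershell
# Added example, not from DeviceLock: a console-side check that walks the
# causes of error 1722 listed above (wrong/stale name, unroutable segment,
# host down, firewall). Run it where the DeviceLock console runs.

function Test-DeviceLockReachability {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$FixedPort = 0    # >0 when the agent was pinned to a fixed TCP port
    )
    $r = [ordered]@{ ComputerName = $ComputerName }

    # Cause 1: wrong or stale name. Resolve it ourselves instead of trusting the browser list.
    try {
        $r.ResolvedIP = ([System.Net.Dns]::GetHostAddresses($ComputerName) |
            Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1).IPAddressToString
    } catch { $r.ResolvedIP = $null }

    # Cause 4: no route to that segment. Find-NetRoute reports the interface the OS would use.
    $r.HasRoute = $false
    if ($r.ResolvedIP) {
        $route = Find-NetRoute -RemoteIPAddress $r.ResolvedIP -ErrorAction SilentlyContinue
        $r.HasRoute = ($null -ne $route)
    }

    # Cause 1 again: host recently shut down. One ICMP echo, quietly.
    $r.Pingable = [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue)

    # Cause 3: firewall. The console needs the RPC endpoint mapper (135) or the fixed
    # port, plus 139 for the Audit Log Viewer.
    $ports = if ($FixedPort -gt 0) { @($FixedPort, 139) } else { @(135, 139) }
    foreach ($p in $ports) {
        $r["Tcp$p"] = (Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]$r
}

# Constructed sample: replace with the name the console refuses to connect to.
Test-DeviceLockReachability -ComputerName 'WKS-FINANCE-07' -FixedPort 9132 | Format-List
```

Cause 2 (an operating system on which DeviceLock Service cannot run) is not something a network probe can settle; if name resolution, routing and the ports all check out and the console still reports 1722, confirm the remote OS and that the agent is actually installed there.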
- I am receiving the error 1747 ("The authentication service is unknown") whenever I try to connect to a computer.
The error 1747 occurs when the "Client for Microsoft Networks" option is not installed. To resolve this problem, install the "Client for Microsoft Networks". If you don't require the "Client for Microsoft Networks", it is best to disable it after installation (DeviceLock runs properly in this configuration). You can find more information on how to configure the Client for Microsoft Networks in Microsoft's TechNet Library.
Also, on Windows NT 4 systems, the RPC Security Service Provider could be configured incorrectly. Open the Control Panel's "Network" applet, select the "Services" tab, highlight the "RPC Configuration" record from the "Network Services" list and press the "Properties..." button. Then in the "RPC Configuration" dialog, set the "Security Service Provider" combobox to "Windows NT Security Service".
- I am receiving the error 1748 ("The authentication level is unknown") whenever I try to connect to a computer.
By default, DeviceLock uses the highest level of authentication: it encrypts the argument value of each remote call, verifies that all data received is from the expected source, and verifies that none of the data transferred between the DeviceLock management consoles and DeviceLock Service has been modified. However, the computer on which you run the DeviceLock management consoles may not support this level of authentication, and you will then need to decrease it. Start "Registry Editor" (regedit.exe), create the "SecurityLevel" parameter (type DWORD) in the "HKEY_CURRENT_USER\Software\SmartLine Vision\DLManager\Manager" subkey, set its value to 5 (1 indicates the lowest level, 6 the highest), then restart the console.
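The registry change above, as an added example (not DeviceLock's own script) that also records the previous setting so the reduction can be reversed once the console host supports the default again. The key and value name are those given in the answer; the backup value name "SecurityLevel.Previous" is made up here.

```powershell
# Added example, not DeviceLock's own script: lower the console's RPC
# authentication level as described above, keeping the previous value so it
# can be restored. Runs as the user who operates the console (HKCU).

$ConsoleSubKey = 'Software\SmartLine Vision\DLManager\Manager'   # from the page, under HKEY_CURRENT_USER

function Set-DeviceLockConsoleSecurityLevel {
    param([Parameter(Mandatory)][ValidateRange(1, 6)][int]$Level)   # 1 = lowest, 6 = highest (page)
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($ConsoleSubKey)
    try {
        $previous = $key.GetValue('SecurityLevel')   # $null while the console still uses its default
        if ($null -ne $previous) {
            # Constructed backup value name; not read by DeviceLock.
            $key.SetValue('SecurityLevel.Previous', $previous, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $key.SetValue('SecurityLevel', $Level, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
    [pscustomobject]@{ Previous = $previous; Current = $Level }
}

function Remove-DeviceLockConsoleSecurityLevel {
    # Restores the console's built-in default (the highest level) by deleting the override.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($ConsoleSubKey, $true)
    if ($key) { try { $key.DeleteValue('SecurityLevel', $false) } finally { $key.Close() } }
}

Set-DeviceLockConsoleSecurityLevel -Level 5   # restart the console afterwards
```

Lower the level only as far as the console host requires (5 is one step below the default) and remove the override once that host is updated, since every step down weakens the protection of console-to-agent traffic described in the answer.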
- I am receiving the error 1825 ("A security package specific error occurred") whenever I try to connect to a computer.
The error 1825 is similar to the error 1747, so please read this answer.
Purchase, licensing and support. Co-operation with Devicelock Inc.
- We are in the process of picking a DLP solution and would like to evaluate DeviceLock. How can we do that?
We are committed to the principle of transparent product marketing. You can download a trial version of DeviceLock Endpoint DLP Suite at http://www.devicelock.com/download/.
The trial version is a fully functional free version to be used for 30 days on a limited number of endpoints. You do not need to license it.
Note that the DeviceLock Endpoint DLP Suite installer package comes with all of the components of the suite pre-integrated. You cannot download a DLP or “server” component separately; you can, however, choose the components to be installed in the installation wizard. Access to ContentLock/NetworkLock controls is based on licensing. Both are accessible with the downloaded demo but require production licenses separate from the DeviceLock core module license.
- With whom may I have a DeviceLock related consultation?
First, please have a look at DeviceLock User Manual, Web demo, and other product information at our web site.
If you still would like a consultation on product functionality and features, our sales and support specialists are available to help. You can contact the DeviceLock sales team at +1-925-231-4400 or email@example.com, or the technical support team at http://www.devicelock.com/support/ticket_list.html.
- Where do I get the product information from?
You can find every piece of it including detailed product documentation, free web demo, knowledge base and the product itself, at our web site http://www.devicelock.com.
Alternatively, you can contact DeviceLock sales team at +1-925-231-4400 or firstname.lastname@example.org or the technical support team at http://www.devicelock.com/support/ticket_list.html.
- What limitations are there in an unregistered version?
There are no functional limitations for an unregistered version and you may use DeviceLock® Endpoint DLP Suite (during the 30-day evaluation period) as a fully registered program but only on a few remote computers. An unregistered version of DeviceLock® displays nag screens and expires in 30 days.
- How much time and effort is normally required to deploy DeviceLock Endpoint DLP Suite?
DeviceLock is quick to deploy in virtually any type of environment, and especially in Microsoft Active Directory Group Policy sites. The time to implement a solution with a Group Policy-based MSI software installation for the endpoints and GPOs for policy settings really only takes a few hours or a few days at the outside. The real variables are in the planning for what contextual and content policies to employ.
They typically depend upon the following conditions:
- The skills and time available to the directly responsible staff for analyzing information security threats, designing a coherent access/audit/shadow/alert policy, and rolling out and supporting DeviceLock;
- The organization's readiness to adopt the DLP solution: regulatory documents in place, technicians (administrators and security officers) available, and minimal existing hardware (e.g., servers with idle capacity during the day to collect audit and shadow records for insertion into SQL database(s)).
Subject to the above variables, deployment and implementation of the DeviceLock Endpoint DLP Suite can take several days or much less. Based on internal DeviceLock implementation practice in large enterprises, the most labor- and time-consuming phase has always been design and analysis/testing, which usually lasts one to two months.
DeviceLock customers, however, generally manage to implement the product on their own, quite often even without requesting much if any technical support. DeviceLock is designed for Windows Administrators to quickly understand and deploy with familiar tools like the Microsoft GPMC, though admittedly other stakeholders will usually need to be involved for determining content-based rules, thresholds, and compliance needs.
Purchase and licensing
- How do I purchase DeviceLock?
- Can DeviceLock be purchased directly from its vendor?
Yes, it can. Please contact your local DeviceLock office: http://www.devicelock.com/company/offices.html, or contact the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html, which will redirect you to a sales manager.
- Are there special offers for those changing their current DLP solution?
Yes, there are. Please contact the DeviceLock support team at http://devicelock.com/support/ticket_list.html, which will redirect you to a sales manager.
- How do DeviceLock licenses and their price get calculated?
A Single license allows you to install and use DeviceLock (its agent, DeviceLock Service) on one endpoint only. To control more endpoints with DeviceLock, you need to purchase a corresponding number of licenses. Please see this knowledge base article for more details http://www.devicelock.com/support/kb_view.html?ID=17094&find_message=&find_kb_category_id=1105.
Note that DeviceLock consoles and DeviceLock Enterprise Server are unlicensed components, and you may use as many instances of them as required.
As to the prices, you can find them at http://www.devicelock.com/purchase/.
We recommend contacting your local DeviceLock office sales team (http://www.devicelock.com/company/offices.html) or the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html.
- I purchased a Single license. Can I use DeviceLock to control multiple endpoints?
A Single license allows you to install and use DeviceLock (its agent, DeviceLock Service) on one endpoint only. To control more endpoints with DeviceLock, you need to purchase a corresponding number of licenses.
Note that NetworkLock and ContentLock components are licensed separately. Please see this knowledge base article for details: http://www.devicelock.com/support/kb_view.html?ID=17094&find_message=&find_kb_category_id=1105.
Note that there is a progressive discount depending on the number of purchased licenses.
- Why are DeviceLock Endpoint DLP Suite components licensed separately?
Selective component licensing helps meet the specific enterprise data security requirements and minimizes the costs of purchasing to just what is necessary. You can purchase the separately licensed components of NetworkLock, ContentLock or DeviceLock Search Server as an addition to DeviceLock core module, which allows administrators to phase the DLP solution components in and reduce the costs and labor contribution to the rollout and maintenance. DeviceLock installer package includes all of the DLP Suite components. Therefore, activating an additional license does not require re-installing the suite, or any of its components.
- How do I license console and server components, and what are the prices?
Consoles and DeviceLock Enterprise Server components are unlicensed modules, which means you can use as many instances of them as required.
Note that the DeviceLock Endpoint DLP Suite installer package comes with all of the components of the suite pre-integrated. You cannot download a DLP or “server” component separately; you can, however, choose the components to be installed in the installation wizard. Access to ContentLock/NetworkLock controls is based on licensing. Both are accessible with the downloaded demo but require production licenses separate from the DeviceLock core module license.
- Is there a need to purchase MS SQL Server? If yes, can we purchase it from you?
No, there is not, unless you need to store an audit and shadow database exceeding 4 GB. For smaller storage needs, you can use MS SQL Express, a free edition of the database management system with some limitations.
If you need to support an audit and shadow database that would be more than 4 GB, you should use the full version of MS SQL Server http://www.microsoft.com/sqlserver/en/us/default.aspx.
NOTE: DeviceLock Inc. does not sell any third-party products.
- Do I need to purchase a new license when a DeviceLock update is released?
No, you typically do not if licensed for the module(s) updated. Purchasing a license of any type gives you the privilege of installing any module-specific update of the suite released during the next year (starting from the date of the purchase) or for longer if a pre-paid multi-year coverage plan was purchased. Please reference the license file information in the DeviceLock consoles to see the coverage end date.
Co-operation with Devicelock Inc.
- Who can I contact to become a partner?
Please contact your local DeviceLock office: http://www.devicelock.com/company/offices.html, or the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html.
- How do I become a DeviceLock Inc. partner?
Please contact your local DeviceLock office: http://www.devicelock.com/company/offices.html.
- Where do I find DeviceLock marketing information?
You can find the basic marketing information at our web site http://www.devicelock.com. If you need additional information, please contact the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html.
- Where do I get technical support?
First, please search for a solution in DeviceLock’s Help, DeviceLock User Manual, Web demo and/or Knowledge Base. The resolution is likely to be there.
If you still need assistance, please contact the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html.
- How do I get a faster reaction from DeviceLock support team?
To speed up processing of your request, provide support specialists with the following information:
- Version and build number of DeviceLock;
- Your license ID (licensed requestors’ requests have higher priority);
- Version of operating system, including updates and service packs;
- Hardware information (CPU, memory, etc.);
- Problem description (as detailed as possible, including a step-by-step guide to reproduce the issue in DeviceLock test lab).
- How long do I wait for initial reaction when sending a support request?
For web-based or email-based requests made on business days, the initial response usually comes within a few business hours. For calls and voicemails, the response is usually the same or, at the outside, the next business day. Resolution times, however, depend directly on the complexity of the issue, the information provided in the initial request, and subsequent requests by support engineers for further diagnostic information. Please note that it is not always possible to resolve issues instantly, since some cases require additional diagnostics, reproduction, and cooperation by the customer, and the root cause often turns out to lie outside the DeviceLock solution.
- Where do I get the product manuals and documentation from?
You can find all detailed product documentation, free web demo, knowledge base, and the product itself, at our web site http://www.devicelock.com.
- Is there phone support?
Support by phone or any messenger can be provided as Extended Support option.
- Do you provide technical support via forum?
No, we do not believe the User Forum is the right venue to register and resolve current issues; that is what the ticket system is designed to handle. The User Forum is an online community for searching and listing general questions about DeviceLock DLP or sharing ideas and use cases with other DeviceLock customers. Please note that the User Forum has moved to the Acronis website, where you can find the DeviceLock change history and start or join any DeviceLock-related discussion. Old User Forum topics remain available there as read-only.
- How do I contact DeviceLock support team?
You can contact the DeviceLock support team at http://www.devicelock.com/support/ticket_list.html.
NOTE: delivery of an email message over the Internet cannot be guaranteed for many reasons beyond our responsibility, so using the web interface is preferable to ensure a ticket is created or updated.
- Can I get DeviceLock supported before I have purchased a license?
Yes, you can. Please contact your local DeviceLock office: http://www.devicelock.com/company/offices.html.