The SMB blocking function of the Data Loss Prevention (DLP) agent does not behave as expected.
You tried to block computer 192.168.1.102 (a client with no DLP agent installed) from downloading files from 192.168.1.101 (an SMB server that has the DLP agent installed). To do this, you went to Data Protection > Company Policies in the web console, clicked Add to add a policy in the channel, expanded the SMB function, and added 192.168.1.102 under Blocked IP ranges/hosts.
After adding the IP, users on the blocked client can still download files from the server.
This is a known limitation. The DLP black/white list currently does not support SMB server mode: when the computer running the agent is acting as an SMB server, the list is not applied to remote clients that read files from its shares. The list only governs transfers that the agent computer itself sends to other computers.
SMB (Server Message Block) is the file-sharing protocol used by default on Windows computers. SMB 1.0 was designed for early Windows network operating systems such as Microsoft LAN Manager and Windows for Workgroups, and Microsoft operating systems continued to use it in more or less its original form until Windows Server 2008 and Windows Vista, which introduced SMB 2.0.
Take the following as a sample scenario:
- 192.168.1.101: SMB server with the DLP agent installed
- 192.168.1.102: client computer without a DLP agent installed
When a user on 192.168.1.102 downloads a file from 192.168.1.101 via SMB, the DLP agent on 101 scans the file to check whether it is sensitive. However, the black list in the web console does not apply to this direction of transfer: it cannot be used to stop 192.168.1.102 from pulling files off 192.168.1.101.
The black list only works when a user on 101 sends a file to another computer. For example, if a user on 101 copies a file to a share on 102 and 102 is listed under Blocked IP ranges/hosts, that copy is blocked. In other words, Blocked IP ranges/hosts only prevents the agent computer from uploading files to the computers listed; it does not prevent those computers from downloading files from it.
You can confirm that the agent handled a transfer in SMB server mode (and therefore did not apply the block list) by checking the agent log for lines like the following:
- 365 (02332) 07/08/2011 15:52:25.717 DSA> Info: [TMPolicyEngine::matchDataOnMotion] cannot match any rule for file
- 366 (02332) 07/08/2011 15:52:25.717 DSA> Info: using NT AUTHORITY\system to pop up CSA in SMB server mode
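The following is an added example, not part of the original article or of the DLP product: a small Python parser for agent log lines in the format quoted above. It splits each line into sequence number, thread id, timestamp, component, level and message, flags the "SMB server mode" entries, and pairs each one with the preceding "cannot match any rule" entry on the same thread, which is the signature of a remote client pulling a file through the agent computer's share. The sample lines are constructed for the example (the two quoted lines plus an extra rule-match line and a malformed line), and the date field is assumed to be MM/DD/YYYY.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of DLP agent (DSA) log lines for this example. The
# first two reproduce the lines quoted in the article; the third reuses the
# same message text with a different sequence number and time, and the last
# is deliberately malformed to show that the parser skips it.
SAMPLE_LOG_LINES = [
    r"365 (02332) 07/08/2011 15:52:25.717 DSA> Info: [TMPolicyEngine::matchDataOnMotion] cannot match any rule for file",
    r"366 (02332) 07/08/2011 15:52:25.717 DSA> Info: using NT AUTHORITY\system to pop up CSA in SMB server mode",
    r"401 (02332) 07/08/2011 15:53:02.120 DSA> Info: [TMPolicyEngine::matchDataOnMotion] cannot match any rule for file",
    r"this line is not in the agent log format",
]

# Line layout: "<seq> (<thread>) <MM/DD/YYYY> <HH:MM:SS.mmm> <component>> <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+) \((?P<thread>\d+)\) "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<component>\w+)> (?P<level>\w+): (?P<message>.*)$"
)


@dataclass
class DsaEvent:
    seq: int
    thread: str
    timestamp: datetime
    component: str
    level: str
    message: str

    @property
    def is_smb_server_mode(self) -> bool:
        return "SMB server mode" in self.message

    @property
    def is_no_rule_match(self) -> bool:
        return "cannot match any rule" in self.message


def parse_dsa_line(line: str) -> Optional[DsaEvent]:
    """Parse one agent log line; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: the date field is MM/DD/YYYY, matching the quoted lines.
    # Change the format string if your agent writes DD/MM/YYYY.
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
    return DsaEvent(int(m["seq"]), m["thread"], ts, m["component"], m["level"], m["message"])


def parse_dsa_log(lines: List[str]) -> List[DsaEvent]:
    return [ev for ev in (parse_dsa_line(line) for line in lines) if ev is not None]


def find_smb_server_mode_events(lines: List[str]) -> List[DsaEvent]:
    """Entries where the agent acted as the SMB server, i.e. the block list was not applied."""
    return [ev for ev in parse_dsa_log(lines) if ev.is_smb_server_mode]


def correlate_smb_downloads(lines: List[str], window: timedelta = timedelta(seconds=1)) -> List[Tuple[DsaEvent, DsaEvent]]:
    """Pair each 'SMB server mode' entry with the most recent 'cannot match any rule'
    entry on the same thread within `window`: the agent scanned a file a remote client
    read from the local share, found no matching rule, and let the transfer through."""
    last_no_match: Dict[str, DsaEvent] = {}
    pairs: List[Tuple[DsaEvent, DsaEvent]] = []
    for ev in parse_dsa_log(lines):
        if ev.is_no_rule_match:
            last_no_match[ev.thread] = ev
        elif ev.is_smb_server_mode:
            prev = last_no_match.get(ev.thread)
            if prev is not None and timedelta(0) <= ev.timestamp - prev.timestamp <= window:
                pairs.append((prev, ev))
    return pairs


def summarize(lines: List[str]) -> Dict[str, int]:
    events = parse_dsa_log(lines)
    return {
        "lines": len(lines),
        "parsed": len(events),
        "no_rule_match": sum(ev.is_no_rule_match for ev in events),
        "smb_server_mode": sum(ev.is_smb_server_mode for ev in events),
        "smb_downloads": len(correlate_smb_downloads(lines)),
    }


if __name__ == "__main__":
    for prev, smb in correlate_smb_downloads(SAMPLE_LOG_LINES):
        print(f"seq {prev.seq}->{smb.seq} thread {smb.thread} at {smb.timestamp}: "
              f"file served in SMB server mode; Blocked IP ranges/hosts not applied")
    print(summarize(SAMPLE_LOG_LINES))
```

To run it against a real agent log, replace SAMPLE_LOG_LINES with the file's lines (for example `open(path).read().splitlines()`); a non-zero "smb_downloads" count confirms that the transfers you are trying to stop were served in SMB server mode, where the block list does not apply.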