Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Server Message Block (SMB) function is not working properly

    • Updated:
    • 6 Oct 2015
    • Product/Version:
    • Data Loss Prevention Endpoint 5.5
    • Data Loss Prevention Endpoint 5.6
    • OfficeScan 10.6
    • Platform:
    • Linux - Red Hat RHEL 4 32-bit
Summary

The SMB function in the Data Loss Prevention (DLP) agent does not work properly.

You tried to block computer 192.168.1.102 (no DLP agent installed to download files from 192.168.1.102 that has DLP agent installed) by clicking Add to add a policy in channel and expanding SMB function to add Blocked IP ranges/hosts under Data Protection > Company Policies in the web console.

After adding the IP, other users can still download files using the blocked IP.

Details
Public

The DLP black/white list currently does not support the Server Message Block mode. It treats the SMB server as a server with SMB protocol installed.

SMB protocol is a file sharing protocol used on Windows-based computers by default. SMB 1.0 was designed for early Windows network operating systems, such as Microsoft LAN Manager and Windows for Workgroups. All Microsoft-based operating systems continued to use it more or less in its original format until Windows Server 2008 and Vista.

Take the following as our sample scenario:

192.168.1.101 SMB server with DLP agent installed
192.168.1.102 is a client computer without DLP agent installed

When users download a file to 192.168.1.102 from 192.168.1.101 (via SMB), the DLP agent on 101 will scan the file to check whether it is a sensitive file. However, the black list in the web console will not support this model. It means that you cannot block 192.168.1.102 from 192.168.1.101.

The black list only works when users upload file to other servers from 101. For example, when you copy a file from 101 to 102, this action will be blocked. The Blocked IP ranges/hosts in the web console only allows you to block user upload files to the computers listed in it (blocked IP ranges/hosts).

You can confirm if the client is using SMB server mode by checking the agent log for the following:

  • 365 (02332) 07/08/2011 15:52:25.717 DSA> Info: [TMPolicyEngine::matchDataOnMotion] cannot match any rule for file
  • 366 (02332) 07/08/2011 15:52:25.717 DSA> Info: using NT AUTHORITY\system to pop up CSA in SMB server mode
Premium
Internal
Rating:
Category:
Troubleshoot
Solution Id:
1059011
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.