Unknown URL warning or incident generated by DLP Endpoint Prevent Chrome or Edge HTTPS monitor

Article ID: 162676


Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention, Data Loss Prevention Core Package

Issue/Introduction

A user notification dialog and/or incident in Data Loss Prevention (DLP) Endpoint Prevent displays the URL as 'Unknown' for incidents generated by the Chrome HTTPS or Edge HTTPS (Chromium Only) monitor.

  • The web content "Unknown" you are attempting to move, copy, save, or transfer potentially contains sensitive information that violates the following security policies.
  • URL: Unknown.

Cause

A component of the Chrome or Edge extension for the HTTPS monitor may have been tampered with or is being blocked. Similar messages include:

  • Chrome Monitoring Status Chrome extension not deployed.
  • Edge Monitoring Status Edge extension not deployed.

Resolution

There are several possible resolutions, depending on the cause.

If the server and the clients are on at least 16.0 RU1 and the problematic agents are Windows clients, then we advise using the Chrome Content Analysis Connector Agent SDK on the endpoints as a means to resolve this issue. If the DLP infrastructure is not on at least 16.0 RU1, or this issue is occurring with Mac agents, then continue reading below.

If client machines do not have access to the internet to download the extension from the play store, contact support for the offline crx install for the extension.

Also note that browsers using incognito (Chrome) / InPrivate (Edge) mode will not load extensions by default. This can cause seemingly random incidents to report unknown URLs. See this KB for instructions on using Chrome / Microsoft administrative templates to force extensions to load. If the unknown URLs are consistent, or incognito mode is not a factor, then continue troubleshooting below.

Verify other browsers are working as expected

If the other browsers (IE, Edge, Firefox) are reporting incidents with an unknown URL then this could be an environmental settings issue (such as proxies).

Check the DLP Agent version

Make sure you are using the latest version of the DLP agent. For example, if using DLP 15.8, check that you have both the latest maintenance pack and the most recent hotfix. Note that the agent version can be newer than the Enforce / Detection version so long as the major and minor versions match. For example, DLP version 15.8.00300.01040 (15.8 MP3) can be used with the 15.8 Enforce server. Refer to article ID: 185118, which describes DLP Endpoint Agent build numbers and the latest hotfix information.

Check the System Requirements and Release Notes

Check the DLP system requirements and release notes for the version of DLP you are on, and make sure the version of Chrome you are using is supported. If the version is too new, this feature might be broken when used with older DLP agents.


Next Steps

If you are on the latest hotfix and your browser is up to date, then this issue is most commonly caused by security policies imposed on Chrome / Edge. To check this, do the following steps (details further below):

  • Verify the policies in the browser on Chrome://policy or Edge://policy.
  • Manually check / modify the registries as needed.

 

For convenience and testing purposes only, you can download the attached documents, rename them to .reg files, and either import them as a test or review them as a template. Importing these will put in the default values (and paths) for the agent policies and whitelist them. Note that these will overwrite any existing agent registries. These were written for the 15.8 agent only. The Chrome DLP extension will stop working if they are directly imported on a 15.7 agent.

Verifying the policies in the browser

The browser will not only tell you if the policy is present, but it will also inform you if it has been overwritten or if there is a formatting error in the data. In addition, it will display policies that may not show up in standard locations in the registry and are easily missed by a manual search.

Open your browser and type in Chrome://policy or Edge://policy (whichever is applicable).

When checking the policies, make sure that the status is OK. If Error, Warning or Conflict show up, then resolve those issues. Note that you will not be able to change the values within the browser. Changes should be made via GPO policies through the security admin, or can be tested by modifying the registry manually (details further down).

Validate the following Policies:

ExtensionInstallForceList

This policy should always be present if DLP Agent is installed. 

The policy value should contain one of the following (note: this value can contain a long string of multiple extensions):

Chrome
DLP Agent 15.8, 16.0 - dehobbhellcfbmcaeppgfjhnldeimdph;https://clients2.google.com/service/update2/crx
DLP Agent 15.7 and earlier - eelojgpfkmhiikmhkineneemcahoehjo;https://clients2.google.com/service/update2/crx

Edge
All DLP Agents - lgliocaeggimgcpgbbejhdnbmajgaiii

For Chrome look in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

For Edge look in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge

ExtensionInstallBlocklist

If present and an * is used in the value then an ExtensionInstallAllowlist policy will need to be implemented. Also ensure that the extensions listed above are not in the value.

ExtensionInstallBlacklist

This policy is deprecated.  See ExtensionInstallBlocklist if values exist.

ExtensionInstallAllowlist

This policy needs to be present only if the ExtensionInstallBlocklist or ExtensionInstallBlacklist are being used AND they include an * value. If this policy is needed, make sure it includes the proper extension values listed for the ExtensionInstallForcelist policy above.

ExtensionInstallWhitelist

This policy is deprecated. If the ExtensionInstallBlocklist or ExtensionInstallBlacklist are being used AND they include an * value then create and use the ExtensionInstallAllowlist policy as described above.

NativeMessagingBlackList

Chrome only. If this policy contains the value * then a NativeMessagingWhitelist policy is required with the proper value. If it contains com.symantec.dlp then remove that value.

NativeMessagingBlockList

Edge only. If this policy contains the value * then a NativeMessagingAllowlist policy is required with the proper value. If it contains com.symantec.dlp then remove that value.

NativeMessagingAllowList

Edge Only. Required if the NativeMessagingBlocklist is being used. Add com.symantec.dlp to the value.

NativeMessagingWhitelist

Chrome only. Required if the NativeMessagingBlacklist is being used. Add com.symantec.dlp to the value.

Manually Checking or Modifying the Registries

We recommend you only modify the registries for testing purposes. Security policies should be updated by GPO.

Chrome

DLP Agent 15.8, 16.0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Key: 1
Data: dehobbhellcfbmcaeppgfjhnldeimdph;https://clients2.google.com/service/update2/crx
 
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist
Key: 1
Data: dehobbhellcfbmcaeppgfjhnldeimdph;https://clients2.google.com/service/update2/crx
 
If Key 1 is taken in ExtensionInstallAllowList, use the next available key.
 
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.symantec.dlp
Key: (Default)
Data: C:\Program Files\Manufacturer\Endpoint Agent\chrm_manifest.json
 
Validate the path above is correct.
 

DLP Agent 15.7 and earlier

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Key: 1
Data: eelojgpfkmhiikmhkineneemcahoehjo;https://clients2.google.com/service/update2/crx
 
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist
Key: 1
Data: eelojgpfkmhiikmhkineneemcahoehjo;https://clients2.google.com/service/update2/crx

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.symantec.dlp
Key: (Default)
Data: C:\Program Files\Manufacturer\Endpoint Agent\chrm_manifest.json
 

Validate the path above is correct.

Chrome Security Setting Registries (All versions of DLP Agent)

Network administrators can restrict browser extensions. Work with your administrator if you have a blacklist for NativeMessaging or ExtensionInstall. Check the following blacklist registries:
 
NativeMessagingBlacklist
 
Registry: HKLM\Software\Policies\Google\Chrome\NativeMessagingBlacklist
and
Registry: HKCU\Software\Policies\Google\Chrome\NativeMessagingBlacklist
 
Check this registry for any entries. If there is one with * then it is blocking messaging for all extensions. It will need to be removed or a whitelist entry added. 

HKLM\Software\Policies\Google\Chrome\NativeMessagingWhitelist
Key: 1
Data: com.symantec.dlp
Add this entry if there is a blacklist
 
 
Edge

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist
Key: 1
Data: lgliocaeggimgcpgbbejhdnbmajgaiii

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist
Key: 1
Data: lgliocaeggimgcpgbbejhdnbmajgaiii

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\NativeMessagingAllowlist
Key: 1
Data: com.symantec.dlp

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.symantec.dlp
Key: (Default)
Data: C:\Program Files\Manufacturer\Endpoint Agent\chrm_manifest.json
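
The policy checks and registry locations listed above can be reviewed in one pass. The following PowerShell script is an added example, not part of the original article or vendor tooling; it only reads the registry, assumes the DLP Agent 15.8/16.0 extension ID for Chrome, and (as an assumption that goes beyond the article) reads each policy list from both HKLM and HKCU.

```powershell
# Added example: read-only audit of the policy keys described in this article.
# Assumptions: Chrome uses the DLP Agent 15.8/16.0 extension ID (replace it with
# the 15.7 ID on older agents); both HKLM and HKCU are read for every list.
$HostName = 'com.symantec.dlp'
$Browsers = @(
    @{ Name = 'Chrome'; Policy = 'SOFTWARE\Policies\Google\Chrome'
       Hosts = 'SOFTWARE\Google\Chrome\NativeMessagingHosts'
       ExtId = 'dehobbhellcfbmcaeppgfjhnldeimdph'
       NmBlock = 'NativeMessagingBlacklist'; NmAllow = 'NativeMessagingWhitelist' },
    @{ Name = 'Edge'; Policy = 'SOFTWARE\Policies\Microsoft\Edge'
       Hosts = 'SOFTWARE\Microsoft\Edge\NativeMessagingHosts'
       ExtId = 'lgliocaeggimgcpgbbejhdnbmajgaiii'
       NmBlock = 'NativeMessagingBlocklist'; NmAllow = 'NativeMessagingAllowlist' }
)

function Get-PolicyList([string]$SubKey) {
    # Emit the data of every value (1, 2, ...) under a policy list key in both hives.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Get-Item -LiteralPath "$hive\$SubKey" -ErrorAction SilentlyContinue
        if ($key) { $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) } }
    }
}

function Test-HasId($List, [string]$Id) {
    # Forcelist entries look like "<id>;<update url>", so match on the ID prefix.
    [bool](@($List) -like "$Id*")
}

foreach ($b in $Browsers) {
    $p = $b.Policy
    $force   = @(Get-PolicyList "$p\ExtensionInstallForcelist")
    $block   = @(Get-PolicyList "$p\ExtensionInstallBlocklist") + @(Get-PolicyList "$p\ExtensionInstallBlacklist")
    $allow   = @(Get-PolicyList "$p\ExtensionInstallAllowlist")
    $nmBlock = @(Get-PolicyList "$p\$($b.NmBlock)")
    $nmAllow = @(Get-PolicyList "$p\$($b.NmAllow)")
    $hostKey = Get-Item -LiteralPath "HKLM:\$($b.Hosts)\$HostName" -ErrorAction SilentlyContinue
    $manifest = if ($hostKey) { [string]$hostKey.GetValue('') }   # (Default) value

    $findings = @()
    if (-not (Test-HasId $force $b.ExtId)) { $findings += 'Forcelist lacks the DLP extension ID' }
    if (Test-HasId $block $b.ExtId) { $findings += 'DLP extension ID is on an install blocklist' }
    if ($block -contains '*' -and -not (Test-HasId $allow $b.ExtId)) { $findings += 'Blocklist has * but Allowlist lacks the DLP extension ID' }
    if ($nmBlock -contains $HostName) { $findings += "$($b.NmBlock) contains $HostName" }
    if ($nmBlock -contains '*' -and $nmAllow -notcontains $HostName) { $findings += "$($b.NmBlock) has * but $($b.NmAllow) lacks $HostName" }
    if (-not $manifest -or -not (Test-Path -LiteralPath $manifest)) { $findings += 'Native messaging manifest path is not registered or does not exist' }

    [pscustomobject]@{ Browser = $b.Name; Status = if ($findings) { 'REVIEW' } else { 'OK' }; Findings = $findings -join '; ' }
}
```

Any REVIEW row should be compared against what Chrome://policy or Edge://policy reports, since the browser also shows overridden and malformed policies that a registry read does not.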

Additional Troubleshooting

  • Verify the DLP antivirus settings. If any of the DLP agent files are being blocked by antivirus, this issue can occur. See this KB.

  • Verify that the Symantec Extension is enabled in the browser. If the extension is not enabled, then enable it. If it is missing, then attempt to manually install it from this play store link or reinstall the DLP agent.

  • Check to see if brkrprcs.exe or brkrprcs64.exe is running while the DLP agent is loaded and the browser is open. If those processes do not show up, the extension is either broken, blocked, or not installed.

For further troubleshooting, increase the agent logging level to FINEST using this KB, enable developer mode on Chrome, and then duplicate the issue. After duplicating the issue, open the extensions and check to see if there are any errors. If so, include them with any evidence for the support case.

Related Error Messages

07/15/2021 12:21:57 | 13240 | FINEST  | ApplicationConnector.ExtentionInstaller | ManageLGPO: for Browser (Edge Chromium), Error saving  machine registry key for GPO, -2147024864
07/15/2021 12:21:57 | 13176 | WARNING | ApplicationConnector.ExtentionInstaller | ERROR: Failed to add Chrome LGPO for : (Edge Chromium) Error code = 2147942432
07/15/2021 12:21:57 | 13176 | SEVERE  | MSEdge.EdgeConnector | Failed to install browser extension for browser Microsoft Edge, browser monitoring will not work | [SYMRESULT 0x80070020]

Additional Information

See also: DLP Agent Chrome and Edge browser extension management & DLP Endpoint Agent build numbers and the latest hotfix information 

NOTE: The msedge policies are case sensitive. 

 

Please note, as of DLP 16.0 it will be expected behavior to see duplicate registry entries.

Attachments

1626367784395__Chrome_DLP_Agent_15.8_Policy_regfile_TESTONLY.doc
1626367776882__Edge_DLP_Agent_Policy_regfile_TESTONLY.doc