In incident snapshot attachment is showing as part of body for HTTP and HTTPS upload
Last Updated April 12, 2016
Attachment is showing as part of body when uploads from Internet Explorer 10 or 11. If same attachment is uploaded via IE 8 or IE 9 it appeas as attachment in Incident snapshot.
Uploaded file to mail.naver.com via IE 8. IE 8 uploaed file using "Content-Type: multipart/form-data" method as result of this we received incident where attachment name is displayed as attachment instead of body. Where as the same upload via IE 11 uses method "Content-Type: application/x-www-form-urlencoded; charset=utf-8" which shows file name as body instead of attachment in incident.
Content-Type: multipart/form-data; boundary=---------------------------7df7929160242
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
By default DLP Network Monitor and Web prevent support multipart/form-data method for attachmet. For any different method like application/x-www-form-urlencoded we need to modify NonMultipartAttachment.properties file.
In order to detect attachmet we need to update NonMultipartAttachment.properties file as below.
1>. Take backup of file C:\SymantecDLP\Protect\config\NonMultipartAttachment.properties
2>. Add below line to NonMultipartAttachment.properties.
Host == mail.naver.com && URI == upload :: HEADERFIELD:filename
Host == link.ndrive.navercorp.com && URI == upload :: HEADERFIELD:filename
Host == ndrive1.navercorp.com && URI == upload :: HEADERFIELD:filename
NOTE: If there is any uncomment line for naver.com present in this file comment it before appending above 3 lines.
3>. Recycle VontuMonitor service on Web prevent server.
4>. Send web mail from mail.naver.com with attachment. Check out triggered incident and see if attachment file name is captured
as attachment instead of body.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe