DLP – False positives from SCCM ClientWebService

I need a solution

Hi, we’re running DLP Endpoint on a number of machines and I’m having issues trying to filter out false positives that are being generated by SCCM processes on our systems. I have a policy set up to identify and create incidents for credit card numbers, with the scope set to Narrow width. I’m seeing numerous incidents being generated that are false positives, example below.

Endpoint Location: On the Corporate Network
Application: Microsoft Host Process For Windows Services
URL: http://sccm-server.mydomain.local:8530/ClientWebService/client.asmx
Destination IP: 10.20.150.25:8530

The message body has 87 matches for what it believes are credit card numbers; however, upon inspection they are definitely false positives:

<DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E97D-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E97D-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E97D-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion><Class>{4D36E96C-E325…00:00Z</DriverVerDate><DriverVerVersion> 2814750890000385</DriverVerVersion>

In my Agent Configuration I’ve already added the SCCM server’s hostname and IP address to the Filter By Network Properties field in the formats below:

IP Filters: -,10.20.150.25

Domain HTTP Filters: -sccm-server.mydomain.local

However, this doesn’t appear to have worked, as I’m still getting events generated even after recycling the detection server and restarting the agents.

I’ve also tried editing the policy and adding an optional validator to the Credit Card policy to exclude the beginning characters “<DriverVerVersion>”, but when I try to save this it throws up an error, as it contains non-digits.

What’s the best way to filter out this sort of traffic?

Cheers

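Why a Luhn-only rule fires on this value, shown as an added example (Python, written for this thread; it is not the DLP product's detection logic and not the poster's code): the 16-digit DriverVerVersion value 2814750890000385 happens to pass the Luhn mod-10 check, so any rule that only looks for a Luhn-valid run of 13 to 19 digits will flag it. Two further checks reject it: an issuer-prefix (IIN) check, since 2814 does not fall in the commonly published Visa, Mastercard, American Express or Discover ranges, and a context check that drops any candidate immediately preceded by a tag such as <DriverVerVersion>, which is the "exclude beginning characters" idea from the post applied to the surrounding text instead of to the digits themselves. The candidate regex, the IIN ranges, the excluded-tag list and the sample body are simplified assumptions constructed for this example.

```python
"""Toy credit-card detector showing why the SCCM value is a false positive.

Added example for this thread; it is not the DLP product's own logic.
"""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run (simplified assumption).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumption: tags whose content is known not to be card data. Taken from the
# post's sample; extend with other SCCM inventory elements as they turn up.
EXCLUDED_PREFIXES = ("<DriverVerVersion>",)

# Constructed sample body: the element quoted in the post, repeated three times.
SAMPLE_SCCM_BODY = "<DriverVerVersion> 2814750890000385</DriverVerVersion>" * 3


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def known_iin(digits: str) -> bool:
    """Simplified issuer-prefix and length check.

    Assumption: a few commonly published ranges, not a full IIN table.
    """
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return True  # Visa
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return True  # Mastercard
    if n == 15 and two in (34, 37):
        return True  # American Express
    if n == 16 and (four == 6011 or two == 65):
        return True  # Discover
    return False


def excluded_by_context(text: str, start: int,
                        prefixes=EXCLUDED_PREFIXES, window: int = 40) -> bool:
    """True if the text just before the match ends with an excluded tag."""
    before = text[max(0, start - window):start].rstrip()
    return bool(prefixes) and before.endswith(prefixes)


def find_card_numbers(text: str, require_iin: bool = True,
                      prefixes=EXCLUDED_PREFIXES) -> list:
    """Return Luhn-valid candidates that survive the IIN and context filters."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue
        if require_iin and not known_iin(digits):
            continue
        if excluded_by_context(text, m.start(), prefixes):
            continue
        hits.append(digits)
    return hits


if __name__ == "__main__":
    v = "2814750890000385"
    print("Luhn:", luhn_valid(v), "IIN:", known_iin(v))
    print("Luhn only   :", find_card_numbers(SAMPLE_SCCM_BODY, require_iin=False, prefixes=()))
    print("With filters:", find_card_numbers(SAMPLE_SCCM_BODY))
```

Run on the constructed body, the Luhn-only pass reports the driver version three times, while either the IIN check or the preceding-tag check alone empties the result; a plain-text line carrying the well-known Visa test number 4111 1111 1111 1111 still produces a hit, so the filters are not simply suppressing everything.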