Abstract: Techniques presented herein describe data loss prevention (DLP) methods for saving a file to a destination over a network via an application, such as a productivity application having such features. A DLP agent injects components to the productivity application intercept save operations initiated by a user. When the user initiates a save operation for a file, the components suspend the operation and store a current version of the file (including unsaved file data) in a temporary location accessible to the DLP agent on disk. The DLP agent evaluates the current version of the file and file destination based on network and security policies to determine whether to allow or block the save operation.

Abstract: A method for managing data loss prevention policies for applications may include 1) maintaining, in at least one database, a categorization of at least one application as either a business application or a personal application, 2) assigning, in the database, a data loss prevention policy to the application based on the categorization of the application in the database as either a business application or a personal application, 3) detecting that the application is attempting to access sensitive data, and 4) applying, in response to the detected attempt by the application to access sensitive data, the data loss prevention policy assigned to the application to the detected attempt by the application to access sensitive data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In response to an instruction to dismount a storage volume, for example, an object in the storage volume is identified and a handle that references the object is closed. Once an exclusive lock on the storage volume is acquired, the storage volume can be dismounted. The storage volume can then remounted.

Abstract: A computer-implemented method for applying data-loss-prevention policies. The method may include (1) maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies, (2) detecting an attempt by a process to access sensitive data, (3) determining that the process has a parent-child relationship with an application within the list of applications, and (4) applying, based at least in part on the determination that the process has the parent-child relationship with the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for configuring computing systems may include (1) detecting an event associated with a client device that potentially impacts a group to which the client device is assigned and, in response to detecting the event, (2) discovering at least one attribute of the client device that has the potential to impact the client device's group assignment, (3) identifying at least one rule that defines conditions for assigning client devices to groups, (4) determining, by applying the rule to the discovered attribute of the client device, that the client device's group assignment should be modified, and (5) modifying, in response to determining that the client device's group assignment should be modified, the client device's group assignment based on the discovered attribute of the client device. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for preventing data loss via temporary-file generating applications may include (1) identifying an application that is configured to update a file by generating a temporary file that includes updated content of the file and replacing the file with the temporary file, (2) detecting an attempt by the application to update the file by detecting an attempt by the application to generate the temporary file and/or an attempt by the application to replace the file with the temporary file, and (3) performing, in response to detecting the attempt by the application to update the file, a data-loss-prevention action on the file instead of the temporary file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for preventing data loss over virtualized networks may include (1) receiving, by a data loss prevention callout driver registered to a switch, a network packet from a virtual machine, (2) identifying, by the data loss prevention callout driver registered to the switch, flow context information that specifies a context associated with transmitting the network packet, (3) providing the flow context information and the network packet to a data loss prevention service, and (4) applying, by the data loss prevention service, a data loss prevention policy to the network packet based on the flow context information. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting data leaks may include (1) monitoring at least one data-distribution channel utilized by an entity, (2) detecting a plurality of full DLP policy violations and/or partial DLP policy violations committed by the entity by analyzing data distributed by the entity via the data-distribution channel, (3) determining that the entity's DLP policy violations cumulatively exceed a predetermined threshold, and (4) performing a security action in response to determining that the entity's DLP policy violations cumulatively exceed the predetermined threshold. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for protecting services may include (1) identifying a service control manager, the service control manager having access to modify a configuration of at least one service, (2) identifying a request from a process for permission to access the configuration of the service, and, in response to the request, (3) authenticating the process based on at least one attribute of the process, (4) providing an authentication token to the process, (5) intercepting an attempt by the process to access the configuration of the service via the service control manager, the attempt including the authentication token, and, in response to the attempt, (6) validating the authentication token, and, in response to validating the authentication token, (7) allowing the process to access the configuration of the service. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a source associated with a file open or create event. The source is at least one of an application or a device being used by a guest virtual machine (GVM). The DLP manager enforces a first response rule associated with the GVM when the source is a non-approved source per a source control policy. The DLP manager enforces a second response rule when the file violates a DLP policy.

Abstract: A computing system invokes a proxy agent in a virtual environment hosted by the computing system to obtain configuration change data for a virtualized application from an agent residing in a physical environment hosted by the computing system. The proxy agent changes a configuration of the virtualized application based on the configuration change data to cause the virtualized application to load a plug-in in the virtual environment. The computing system launches the virtualized application and the virtualized application loads the plug-in in the virtual environment to utilize a function of the plug-in in the virtual environment.

Abstract: A computer-implemented method for applying data loss prevention policies to closed-storage portable devices may include (1) injecting a data loss prevention component into at least one application process that is running on a computing device, (2) intercepting, via the data loss prevention component, an attempt by the application process to transfer a file to a closed-storage portable device that is connected to the computing device, (3) identifying a data loss prevention policy that applies to the attempt by the application process to transfer the file, (4) determining that the attempt by the application process to transfer the file violates the data loss prevention policy, and (5) performing a security action in response to determining that the attempt by the application process to transfer the file violates the data loss prevention policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for applying data loss prevention policies to closed-storage portable devices may include (1) injecting a data loss prevention component into at least one application process that is running on a computing device, (2) intercepting, via the data loss prevention component, an attempt by the application process to transfer a file to a closed-storage portable device that is connected to the computing device, (3) identifying a data loss prevention policy that applies to the attempt by the application process to transfer the file, (4) determining that the attempt by the application process to transfer the file violates the data loss prevention policy, and (5) performing a security action in response to determining that the attempt by the application process to transfer the file violates the data loss prevention policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Method and apparatuses for detecting violations of data loss prevention (DLP) in NTFS removable media and non-NTFS removable media are described. In NTFS, when an application opens a data file, a DLP file system filter driver internally opens the same data file using file system transaction and is transparent to the application. Application read/writes are redirected to the remote transaction. When the application tries to close the file, the DLP agent scans the data being written to the file for detection of violations and commits or aborts the remote transaction depending upon the detection of a violation of the policy.

Abstract: A computer-implemented method for enforcing data loss prevention policies on sandboxed applications may include identifying an application process that is in a sandbox, wherein a broker process has created a file handle for a file on behalf of the application process within the sandbox, intercepting an input/output request performed on the file handle by the application process, wherein the input/output request comprises an identifier of the application process, extracting the identifier of the application process from the input/output request and enforcing a data loss prevention policy on the file by attributing the input/output request to the application process instead of to the broker process based on the identifier of the application process. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for applying data-loss-prevention policies. The method may include (1) maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies, (2) detecting an attempt by a process to access sensitive data, (3) determining that the process has a parent-child relationship with an application within the list of applications, and (4) applying, based at least in part on the determination that the process has the parent-child relationship with the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for protecting services may include (1) identifying a service control manager, the service control manager having access to modify a configuration of at least one service, (2) identifying a request from a process for permission to access the configuration of the service, and, in response to the request, (3) authenticating the process based on at least one attribute of the process, (4) providing an authentication token to the process, (5) intercepting an attempt by the process to access the configuration of the service via the service control manager, the attempt including the authentication token, and, in response to the attempt, (6) validating the authentication token, and, in response to validating the authentication token, (7) allowing the process to access the configuration of the service. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Registry information systems and methods are presented. In one embodiment, an application dedicated registry hive method comprises: performing application dedicated registry hive agent operations, including: an online initiation phase in which a system independent application dedicated registry hive from a shared resource is loaded into the system namespace; a monitoring phase in which status of the system independent application dedicated registry hive is monitored; and an offline initiation phase in which the system independent application dedicated registry hive is unloaded from the system namespace; and performing an application dedicated registry hive driver filter process, including redirecting read and write operations to the system independent application dedicated registry hive. The system independent application dedicated registry hive can include a registry content file and a corresponding transaction log file.

Abstract: A computing device detects a command to perform a print screen operation. On detecting the command to perform the print screen operation, the computing device identifies a file associated with a displayed application window. The computing device determines whether the file contains confidential information. Upon determining that the file contains confidential information, the computing device performs an action to enforce a data loss prevention policy.

Abstract: A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a source associated with a file open or create event. The source is at least one of an application or a device being used by a guest virtual machine (GVM). The DLP manager enforces a first response rule associated with the GVM when the source is a non-approved source per a source control policy. The DLP manager enforces a second response rule when the file violates a DLP policy.