Patents by Inventor Sumit Sarin

Sumit Sarin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11068611
    Abstract: The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: July 20, 2021
    Assignee: CA, Inc.
    Inventor: Sumit Sarin
  • Patent number: 10819748
    Abstract: The disclosed computer-implemented method for enforcing data loss prevention policies on endpoint devices may include (i) detecting that an endpoint device has terminated a connection with a protected network that is protected by a network-level data loss prevention system and has connected to an external network that is not protected, (ii) switching, in response to detecting that the endpoint device has connected to the external network, from an in-network data loss prevention policy to an out-of-network data loss prevention policy, (iii) detecting an inbound data transfer to the endpoint device, (iv) determining that the inbound data transfer comprises a transfer from a protected source that is protected by the out-of-network data loss prevention policy, and (v) performing a security action in response to determining that the inbound data transfer to the endpoint device comprises the transfer from the protected source. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: January 4, 2018
    Date of Patent: October 27, 2020
    Assignee: CA, Inc.
    Inventors: Sumit Sarin, Dhananjay Dodke, Bishnu Chaturvedi, Kedar Apte
  • Publication number: 20200082081
    Abstract: The disclosed computer-implemented method for threat and information protection through file classification may include (1) assigning a classification tag to each of a number of files on a computing device based on a set of rules, (2) storing the classification tag in the files and a corresponding file descriptor describing a sensitivity level of the files externally to the files, (3) detecting creation of a process associated with accessing the files, (4) determining whether the process is potentially suspicious, (5) identifying an operation initiated by the potentially suspicious process to access the files, and (6) performing a security action that protects the computing device from malicious activity by the operation initiated by the potentially suspicious process. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: September 12, 2018
    Publication date: March 12, 2020
    Inventors: Sumit Sarin, Shireen Rivera, Nicolas Popp, Milind Torney
  • Patent number: 10547531
    Abstract: The disclosed computer-implemented method for enforcing data loss prevention policies may include (i) identifying an application installed on the computing device, where the computing device is capable of transmitting data to other computing devices via a wireless technology standard for exchanging data over short distances, (ii) examining the application for a module that indicates that the application is capable of transferring files via the wireless technology standard, (iii) monitoring for initiations of connections via the wireless technology standard by the application, (iv) monitoring, in response to detecting an initiation of a connection via the wireless technology standard by the application, file system access by the application, (v) determining that the application is attempting to open a file, and (vi) analyzing the file to determine if transferring the file via the wireless technology standard violates a data loss prevention policy.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: January 28, 2020
    Assignee: CA, Inc.
    Inventor: Sumit Sarin
  • Publication number: 20190207980
    Abstract: The disclosed computer-implemented method for enforcing data loss prevention policies on endpoint devices may include (i) detecting that an endpoint device has terminated a connection with a protected network that is protected by a network-level data loss prevention system and has connected to an external network that is not protected, (ii) switching, in response to detecting that the endpoint device has connected to the external network, from an in-network data loss prevention policy to an out-of-network data loss prevention policy, (iii) detecting an inbound data transfer to the endpoint device, (iv) determining that the inbound data transfer comprises a transfer from a protected source that is protected by the out-of-network data loss prevention policy, and (v) performing a security action in response to determining that the inbound data transfer to the endpoint device comprises the transfer from the protected source. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: January 4, 2018
    Publication date: July 4, 2019
    Inventors: Sumit Sarin, Dhananjay Dodke, Bishnu Chaturvedi, Kedar Apte
  • Patent number: 10157290
    Abstract: The disclosed computer-implemented method for encrypting files may include (i) detecting an event within a network that triggers an encryption of a file on the network, (ii) performing, in response to detecting the event, both encrypting the file to a file encryption key and encrypting the file encryption key to a public key of a source of the file, (iii) receiving, from a client, a file access request that includes the encrypted file encryption key, and (iv) transmitting, in response to determining that the client is authorized to access the file, a re-encrypted file encryption key to the client to enable the client to access the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 11, 2017
    Date of Patent: December 18, 2018
    Assignee: Symantec Corporation
    Inventors: Nikhil Sinha, Earle Lowe, Sumit Sarin, Sumesh Jaiswal
  • Publication number: 20180278505
    Abstract: The disclosed computer-implemented method for enforcing data loss prevention policies may include (i) identifying an application installed on the computing device, where the computing device is capable of transmitting data to other computing devices via a wireless technology standard for exchanging data over short distances, (ii) examining the application for a module that indicates that the application is capable of transferring files via the wireless technology standard, (iii) monitoring for initiations of connections via the wireless technology standard by the application, (iv) monitoring, in response to detecting an initiation of a connection via the wireless technology standard by the application, file system access by the application, (v) determining that the application is attempting to open a file, and (vi) analyzing the file to determine if transferring the file via the wireless technology standard violates a data loss prevention policy.
    Type: Application
    Filed: March 27, 2017
    Publication date: September 27, 2018
    Inventor: Sumit Sarin
  • Patent number: 9870180
    Abstract: Print operations are monitored and a DLP policy is applied, independently of the print interface technology used by applications that initiate print operations. A DLP component monitors for and detects print drivers being loaded into the print spooler. When a print driver is loaded, the print spooler creates a corresponding driver object, which is intercepted. The instantiated driver object creates multiple device objects to carry out various print functions. The device object print functions of interest are intercepted. Attempts to send text to the printer at a print driver level by intercepted device object functions are monitored, and application level context information is identified, such as the associated user. The DLP policy is applied to monitored attempts to send text to the printer at the print driver level, taking into account application level context information and the specific text of the monitored attempt.
    Type: Grant
    Filed: March 14, 2016
    Date of Patent: January 16, 2018
    Assignee: Symantec Corporation
    Inventor: Sumit Sarin
  • Publication number: 20170262236
    Abstract: Print operations are monitored and a DLP policy is applied, independently of the print interface technology used by applications that initiate print operations. A DLP component monitors for and detects print drivers being loaded into the print spooler. When a print driver is loaded, the print spooler creates a corresponding driver object, which is intercepted. The instantiated driver object creates multiple device objects to carry out various print functions. The device object print functions of interest are intercepted. Attempts to send text to the printer at a print driver level by intercepted device object functions are monitored, and application level context information is identified, such as the associated user. The DLP policy is applied to monitored attempts to send text to the printer at the print driver level, taking into account application level context information and the specific text of the monitored attempt.
    Type: Application
    Filed: March 14, 2016
    Publication date: September 14, 2017
    Inventor: Sumit Sarin
  • Publication number: 20160292454
    Abstract: Techniques describe preventing sensitive data from being misappropriated during a clipboard operation. A copy operation for data being copied to a clipboard is intercepted. Information describing a first application from which the data was copied is retrieved. The data and the information are stored into the clipboard. A paste operation is evaluated based on the data and the information is evaluated against a policy to determine whether the paste operation should be blocked.
    Type: Application
    Filed: April 15, 2015
    Publication date: October 6, 2016
    Inventors: Sumit Sarin MANMOHAN, Sumant MODAK, Amit SHINDE, Bishnu CHATURVEDI
  • Publication number: 20160292437
    Abstract: Techniques describe preventing sensitive data from being misappropriated during an operation performed by a cloud synchronization application. A request from a cloud sync application to upload a file to a cloud storage service is intercepted. The file is currently stored on a client computer of an enterprise network. An account associated with the request is identified. The file is evaluated based on a data loss prevention policy and the account associated with the request. The request is blocked based on the evaluation.
    Type: Application
    Filed: April 16, 2015
    Publication date: October 6, 2016
    Inventors: Sumit Sarin MANMOHAN, Kedar V. APTE
  • Patent number: 9230096
    Abstract: A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a startup event of a guest virtual machine, and installs a DLP component in the guest virtual machine. The DLP component communicates with the DLP manager operating within the security virtual machine. The DLP manager also receives file system events from the DLP component, and enforces a response rule associated with the guest virtual machine if the file system event violates a DLP policy.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: January 5, 2016
    Assignee: Symantec Corporation
    Inventors: Sumit Sarin, Sumesh Jaiswal
  • Patent number: 8832780
    Abstract: A data loss prevention (DLP) agent manages DLP policies of a shared network file system. The DLP agent identifies a request by an application to access a file from a shared storage device over a network, and enables monitoring on a local data store to detect file system requests by the application in response to the identifying. The DLP agent also analyzes data associated with the file to determine if the data violates a data loss prevention (DLP) policy, and enforces a response rule associated with the file if the data associated with the file violates the DLP policy.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: September 9, 2014
    Assignee: Symantec Corporation
    Inventors: Sumit Sarin, Amit Shinde
  • Publication number: 20140007181
    Abstract: A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a startup event of a guest virtual machine, and installs a DLP component in the guest virtual machine. The DLP component communicates with the DLP manager operating within the security virtual machine. The DLP manager also receives file system events from the DLP component, and enforces a response rule associated with the guest virtual machine if the file system event violates a DLP policy.
    Type: Application
    Filed: July 2, 2012
    Publication date: January 2, 2014
    Inventors: Sumit Sarin, Sumesh Jaiswal