Text Pasted from Clipboard

Pasting text from the clipboard can be used to exfiltrate sensitive content. You can detect and alert and prevent pasting text from clipboard to Websites in Browsers, any desktop applications and document-based applications (such as Office, WordPad and Notepad).

Text pasted from the clipboard is supported for:

Detection Rules: Generate alerts when text is pasted from the clipboard
Content Scanning: Trigger scanning when text is pasted from the clipboard
Prevention Rules: Block users from pasting sensitive content

The Agent detects and captures content pasted from the clipboard for all commonly used paste methods (Right-click menu, Ctrl-V, Shift-Insert).

This feature excludes Paste Text from Clipboard detection and prevention within the same app/website.

Prerequisites

Text Pasted from Clipboard is enabled at the Agent Realm level by turning on Detect Pasting of Text from Clipboard.

From the Admin application, select Endpoints > Agent Realms. In Advanced Settings > Triggers, turn on Detect Pasting of Text from Clipboard.

CTRL-SHIFT-V is currently not supported,

Paste Options within an application toolbar menu are not supported.

Custom Right-Click menu is supported only for the following applications: Word, Excel, PowerPoint, Chrome, Edge, and Outlook.

When Paste text from clipboard rule includes a content scanning condition, if all rule conditions are met but the content scan is still in progress, the paste operation will be blocked and a pop-up will notify the end user that Clipboard content is N/A, try to paste again in a few moments.

In Paste Text from Clipboard when the same text is pasted more than once to the same destination, it is not evaluated by the rule and is ignored.

Detection of Text Pasted from the Clipboard

When text is pasted from the clipboard, it can be detected by the Agent. You can set up rules to detect an alert.

You can view paste from clipboard activity in the Analytics applications using the Paste Text From Clipboard filter.

Activity > Primary Category / Categories > Paste Text From Clipboard

Detecting and Alerting on Text Pasted from Clipboard

You can set up a detection rule that alerts when text is pasted from the clipboard.

From the Detection Rule screen do the following:

From the If area in the Settings tab, select Select Field from the Select dropdown.
From the fields on the right, select Activity > Primary Category / Category fields.
From Select Values list, select Paste Text from Clipboard.

Add any other relevant fields you want, such as user name.
In the Then area, define the alert and notification policies you want.

Content Scanning for Text Pasted from Clipboard Trigger

Text is pasted from the clipboard can be used to trigger content scanning.

Prerequisites

Text Pasted from Clipboard must be enabled. In the Triggers area of the Advanced Settings, turn on Detect Pasting of Text from Clipboard.

From the Admin application, select Endpoints > Agent Realms. In Advanced Settings > Triggers, turn on Detect Pasting of Text from Clipboard.

Threshold Limits

The following thresholds allow you to set a limits that provide more control over the user experience.

(Agent Realm > Advanced Settings > Interaction > Enable Content Scanning > Advanced Options)

Text Paste from Clipboard - Max Size: Maximum clipboard text that can be content scanned from the source to the clipboard. Default is set to 1000 KB. Minimum value is 1 and maximum is 5000 KB. When the limit is reached the text is extracted from the beginning of the copied text up to the limit set. (partial scan will apply)
Text Paste from Clipboard - Max Memory Size: Maximum clipboard memory allocated to hold multiple pasted text that is waiting for content scanning. Default is 3000 KB. Minimum value is 1000 and the maximum is 15000 KB.

This value must be greater than the Text Paste from Clipboard > Max Size value. It is recommended that the maximum memory size be set to 3 times the Max Size.
Paste text from clipboard - scan time limit: Sets a time limit for the content scanning of the pasted text. The maximum time allowed is x minutes. Default time is 30 seconds.

Threshold Action

Action to apply if scan exceeds threshold (Agent Realm > Advanced Settings > Processing > Prevention Enabled > Advanced Options): This setting controls the action to apply (Allow or Block) and what End User Notification Policy to display to the monitored user is the time exceeds the threshold.

User Experience

In Paste Text from Clipboard, when the text is copied and pasted within the same Website, document or application, the Agent ignores capturing the paste (unless the Website/document/application is restarted before the paste). This allows the analyst to focus on real copy/paste events between different Websites/documents/applications.

Scanning pasted text is now prioritized over scanning of files. This provides a better user experience by enhancing productivity and reducing delays.

In Paste Text from Clipboard when the same text is pasted more than once to the same destination, it is not evaluated by the rule and is ignored unless the source application was restarted after the copy action.

Blocking Text Pasted from Clipboard

You can create prevention rules to block exfiltration of text pasted from the clipboard.

The following conditions can be used in Prevention Rules on Paste Text from Clipboard:

Indicator/Detector Name: (Detector > Indicator/Detector Name) Selected detector value.
Users name: (User > User Name) Name of the monitored user
Group Name: (User > Group Names) Group with monitored user
Executable Name: (Process/Application) Executable Name: Copied text from specific .exe files
Resource URL: (Files/Resources > Resource URL): Target URL to which the text is being copied
Resource URL: (Files/Resources > Tracking Origin Resource URL): Source URL from which text was originally copied to the clipboard (when copied from a Website)
Resource URL: (Files/Resources > Tracking Origin Process Application Name): Source application from which text was originally copied to the clipboard.
Resource URL: (Files/Resources > Tracking Origin User Interface Window Title): Source Window title that was displayed the moment the text was copied to the clipboard.

This feature requires a new Prevention Rule flow. For more details about the flow, see Prevention/Endpoint Rules. Contact your Proofpoint representative for more information.

During the rule evaluation process, the agent freezes the active window and when no rule matches automatically resumes the paste action.

Prompt action is not supported for Text Pasted from Clipboard prevention rules.

To avoid affecting productivity of users and endpoint resources, the prevention of paste text is not be applied if done within the same document from which the text was copied.

Prerequisites

Text Pasted from Clipboard must be enabled. In the Triggers area of the Advanced Settings, turn on Detect Pasting of Text from Clipboard.

From the Admin application, select Endpoints > Agent Realms. In Advanced Settings > Processing, turn on Prevention Enabled.

Creating a Rule to Block Text Pasted from Clipboard

From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select Endpoints > Prevention/Endpoint . Rules.
Click New Rule and from the Prevention Rule area and click Create Rule and the Select Action to Perform panel displays.
For a prevention rule, select Prevention Rule.
In General tab, complete the Name field and Description (optional) field.
Click Next to continue to the Activity and Action tab.
In the Activity area, select Paste Text from Clipboard and in the Action area, select Block. Click Next.
In the Settings tab, in the If section, the Category is set.
Click Add Row and select the filters you want.
In the Then area, select the action. Click Next.
From the Agent Policies, select the Agent Policies that the rule applies to. Click Save.

Related Topics:

ITM / Endpoint DLP Prevention Rules

Detection Rules

Content Scanning