Print Detection and Prevention

This feature prevents printing of files with sensitive information.

Windows Agent supports Network Printer, Local Printer, and Print to File.

Supported Files Types

For supported file types, content is scanned and printing is prevented according to the prevention rule you define. (Depending on the rule settings you choose, you can either block or prompt the user.)

To enable this print prevention, from Processing settings in the Advanced Settings of the Realm, enable Print Prevention. This option is available only when you have enabled Advanced SettingsProcessing > Prevention.

Print Prevention for Microsoft Word and Excel and Acrobat Reader

Print prevention is supported for locally installed MS Word, MS Excel, Acrobat Reader ver XI and above.

For MS Word and MS Excel, content scanning will scan the actual content of the document in edit mode. So the scan is on the most recent content.

Content Scanning based print prevention is supported for locally installed MS Word, MS Excel, Acrobat Reader ver XI and above.

For MS Word and MS Excel, content scanning will scan the actual content of the document in edit mode. So the scan is on the actual content that was sent to print.

For Acrobat Reader, the saved file content is scanned.

For Acrobat Reader, the saved file content and not the actual content sent to print is scanned.

When a file is sent to print using Right Click + Print from Windows File Explorer, an instance of the program must be opened.

If you run Word / Excel files as Administrator, print will not be prevented.

Print prevention for Save to pdf is the same as Print to pdf.

Print Prevention from Microsoft Outlook

Print Prevention supports Microsoft Outlook. The body of emails that are sent or received can be scanned. The mechanism is based on evaluating the rule criteria when the Print window is opened and is all criteria is matched. The large Print button will be disabled.

Print Prevention from Outlook occurs when Print is selected from Outlook menu, before the destination printer is chosen. Printer Name and Printer Type are therefore not supported as fields for Print Prevention from Microsoft Outlook.

If you already have Prevention Rules on print based on Printer Name/ Printer Type, it is recommended that you modify them to use the Not In condition.

For example, you already have a Prevention Rule to block printing of sensitive information to Network Printers based on the condition

Printer Type In Network Printer.

It is recommended to modify it to:

Printer Type Not In Print to file, Local Printer as shown.

Known Issues

Print Prevention from PowerPoint

Print Prevention now supports Microsoft PowerPoint.

Only content sent to print is scanned. This does not include comments or any other content that is not sent to the printer.

Print Prevention from PowerPoint is handled by a virtual printer (it-agent Virtual PDF Printer) that is automatically added when you install the Agent.

Known Issues

Prevention Filter By

You can filter by:

  • Indicator/Detector Name (Detector > Indicator/Detector Name)

  • User Name (User > User Name): Name of the user monitored.

  • Groups (User > Groups): Groups a user is a member of.

  • Printer Type (Devices > Printer Type)

  • Printer Name (Devices > Printer Name)

  • File Name (File/Resources > File Name)

Example: Prevent Printing of Files with Sensitive Information

In this example, you want to scan content to make sure that files with social security numbers are not sent to print.

  1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select EndpointsPrevention/EndpointRules.

  2. Click New Rule and from the Prevention Rule area and click Create Rule.

  3. In General tab, complete the Name and Description (optional) fields. If you want to add a tag to the rule, in the Rule Tags area, click Add tags and select the tag from the Add/Edit Tags list. Click Done. (For more information about tags, see Tag Management .) Click Next.

  4. In the Activity tab, select Printer and click Next.

  5. In the Settings tab, define the new rule using if/the logic. In the If section.

  6. Protocol is Printer and Categories is File Write.

  7. Now add the detector you want to block.

    Click Add Row. From Select dropdown, select DetectorIndicator/Detector Name.

    From Select Values, select Social Security Numbers. Click Done.

  8. in the Then section, select Block to block or Prompt the User to Provide a Justification if you want you can add a Notification Policy.

  9. In the Agent Policies tab, select the Agent Policies you want associated with this prevention rule. Click Save.

Print from an Unsupported Program

This option prevents users from exfiltrating sensitive data using an application that the Agent does not support print monitoring activity. This feature acts as a low level gatekeeper, intercepting all print jobs and applying any relevant rules.

This feature is available on request, contact your Proofpoint representative.

Currently supported actions are Allow and Block. Prompt is not supported.

This feature is enabled at the Realm level in the Processing area, Print PreventionAction to apply on prints from unsupported program in the Advanced Settings of the Agent Realm.

Action to apply is either Block or Allow and by default, the action is set to Block. An End User Notification must be assigned for Block action.

When this feature is initially turned on by Proofpoint, by default, the action is set to Block and the default prompt notification for the Realm is assigned. To modify and save the Realm, use Allow action if relevant or Block action with an End User Notification.

You must assign an End User Notification for a Block action. A Realm cannot be saved with the default prompt notification for a Block action.

Print Prevention must be enabled to use this feature.

Content Scanning based Print Prevention

From version 4.0 (Windows and Mac), Content Scanning based print prevention is available as limited availability (LA). The feature is supported on print from Microsoft Office Word, Excel, PowerPoint, Acrobat Reader and Preview.

This feature is available on request. Contact your Proofpoint representative.

For Mac Agents: New permissions were added in the 4.0 Configuration Profile for the Content Scanning based Print Prevention on Mac. You must update the Configuration Profile to use this feature.

This capability is supported when printing via the menu of the supported applications, for both the Block and Prompt actions. It allow preventing printing based on:

  • DLP Detectors (content scanning)

  • Printer Name

  • User/Group

During Content Scanning, Print dialog freezes.

 

ITM / Endpoint DLP Prevention Rules