Watermarking, DLP, and DRM

  • Watermarking is supported for PDFs which are not open-password-protected or edit-password-protected.
  • Watermarking of Microsoft Office and PDF files inside zip files is supported as long as the zip is not password protected.
  • DLP and DRM are supported for documents stored in Office 97-2004 or newer file formats. However, there are limitations on watermarking depending on the type of watermark (visible, invisible, and callback) and the Microsoft application being used.
    | Document Type | Visible Watermark | Invisible Watermark | Callback |
    |---|---|---|---|
    | Office 97-2004 format files (.xls, .doc, .ppt) | No | Yes | No |
    | Office 2007 and later Word and PowerPoint (.docx, .pptx) | Yes | Yes | Yes |
    | Office 2007 and later Excel files (.xlsx) | Yes | No | No |
    | PDF Files | No | Yes | No |
  • Office 365, specifically PowerPoint Online, cannot display PowerPoint files to which the invisible or callback watermark has been applied.
  • Uploads of complex/large spreadsheets bypass DLP in some situations to avoid app timeouts:
    • XLS/XLSX larger than 1MB will bypass DLP scanning during the upload process and the Access log will be tagged with ScanBypassed. This will allow the upload to complete successfully and the Cloud policy will then catch the uninspected file to apply the appropriate action (e.g. Quarantine).
  • During encryption upon upload, if a large file cannot be processed within 40 seconds, an exception is made: the file is uploaded to the cloud and then captured by the API scan.
  • When an attachment is downloaded from Gmail via the Save Link As option, no DRM is applied.
  • When applying DRM to files, URL links within the file are stripped and are replaced with a plain text underline.
  • The DRM action is applied via our AJAX-VM technology. Because mobile mail apps do not execute AJAX code, the action cannot be run through AJAX-VM, so a DRM action on mobile mail apps results in a block action instead.

API Scanning

  • The API will scan files that are 40 MB or less. Any files larger than 40 MB will be skipped.
  • Scanning will also be applied to image files as well as images that are embedded inside of PDF files.
    • PDF files that contain only scanned images will be OCR'd and scanned. If the PDF contains any readable text, the PDF will not be OCR'd, instead the readable text will be scanned for DLP matches. In addition, Forcepoint ONE SSE will OCR and scan any .bmp, .jpe, .jpeg, .jpg, .png and .tiff image files.
  • OneDrive and SharePoint files may be shared (1) by Links Giving Access or (2) by Direct Access. During DLP API scans, the Office 365 Graph API returns a definitive list of all direct shares. However, Graph API is not definitive with respect to link shares, in the following ways:
    • Limitation 1: When a file is shared by link with a specific set of users, Graph API does not return the list of users. As a result Forcepoint ONE SSE deems the file externally shared. We make a best effort to identify the list of recipients by scanning the logs of the file owner spanning a window of one hour.
    • Limitation 2: When a user deletes a link share, Graph API does not notify that the file properties have changed. Therefore, API scan results will be out-of-date until the file is scanned again for other reasons.
  • The AWS Glacier Deep Archive storage class cannot be scanned by API due to the nature of these repositories. They are set up as deep archives that are rarely accessed, and this prevents API scanning.
  • Number of calls per day will show as 0 if the OAuth API token has not been used for at least 1 day.
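
The size and zip limits from both sections above can be checked against a file inventory before relying on policy coverage. The following is an added example, not Forcepoint code: the function names are hypothetical, "MB" is assumed to mean 1024 × 1024 bytes, and the inventory entries are constructed.

```python
import io
import zipfile

MB = 1024 * 1024                    # assumption: the page's "MB" taken as MiB
INLINE_XLS_LIMIT = 1 * MB           # page: XLS/XLSX larger than 1MB skip inline DLP
API_SCAN_LIMIT = 40 * MB            # page: API scan skips files larger than 40mb
SPREADSHEETS = {".xls", ".xlsx"}
WATERMARK_TYPES = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".pdf"}


def ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_findings(data):
    """Flag Office/PDF members of a zip whose entries are password protected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return ["zip unreadable: contents cannot be assessed"]
    # Bit 0 of the general-purpose flag marks an encrypted entry.
    locked = [m.filename for m in members
              if m.flag_bits & 0x1 and ext(m.filename) in WATERMARK_TYPES]
    return [f"no watermark (password-protected zip member): {n}" for n in locked]


def coverage_gaps(name, size, data=None):
    """Return the documented limitations that apply to one file."""
    gaps = []
    if ext(name) in SPREADSHEETS and size > INLINE_XLS_LIMIT:
        gaps.append("inline DLP bypassed on upload (expect ScanBypassed in Access log)")
    if size > API_SCAN_LIMIT:
        gaps.append("skipped by API scan (over 40 MB)")
    if ext(name) == ".zip" and data is not None:
        gaps.extend(zip_findings(data))
    return gaps


if __name__ == "__main__":
    # Constructed inventory: (file name, size in bytes)
    for name, size in [("budget.xlsx", 3 * MB), ("model.xlsx", 55 * MB),
                       ("notes.docx", 200_000)]:
        print(name, coverage_gaps(name, size) or ["covered"])
```

Files that report more than one gap are the ones to route to manual review, since neither the upload path nor the API scan is documented to inspect them.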