Document watermarking

Document watermarking using Fingerprint is a process of automatically assigning invisible markers to files according to predefined rules. These markers do not interfere with the file structure or its integrity – they follow the file in the NTFS data stream, which makes them resistant to moving, copying, or editing.

Introduction

Key features of Fingerprint

1. No impact on file structure:

   • The marker does not change the file checksum.

   • A file bearing a digital signature remains intact.

2. Invisible to the end user:

   • The marker is a string of characters in the NTFS data stream.

   • Visible only to the system eAgent and the administrator in the eAuditor console.

   • A single file can have multiple markers.

3. Identification in system logs:

   • The administrator sees the marker name that they previously defined in the system.

   • The number of markers in the system is unlimited.

Examples of use

1. Marking based on file content

• Example: The administrator creates a DLP policy that assigns a marker to every file containing the surname “Nowak” (case-insensitive).

• Configuration:

  • Criterion: File content contains “Nowak”.

  • Marker name: “File containing the boss’s surname”.

• Behavior: Every file meeting the condition will be automatically tagged with a string in the NTFS stream, e.g. 67asudhasd7a8s9diajsdhua7sd8aisddjausd8a. The administrator will see in the logs: “File ABCD.doc met the criteria and received the marker: File containing the boss’s surname”.

2. Marking based on location

• Example: The administrator assigns a marker to files saved in the “Downloads” folder.

• Configuration:

  • Criterion: File location C:\Users\Downloads.

  • Marker name: “Downloaded file”.

• Behavior: Every file saved in the “Downloads” folder automatically receives the marker.

3. Marking based on process

• Example: Files created by the process aplikacjatest.exe are to be marked with a marker.

• Configuration:

  • Criterion: Process aplikacjatest.exe.

  • Marker name: “File from test application”.

• Behavior: Every file created by the specified process, regardless of extension and location, receives the marker.

4. Combining rules and markers

Rules can be applied concurrently and overlap; for example, files containing “Nowak” saved in the “Downloads” folder may receive an additional marker.

Benefits and advanced uses

1. Log filtering and reporting

Markers enable easy filtering of logs in the system, allowing the administrator to find all files meeting specified criteria (e.g., content, location, process) by searching the marker name. Reports can also be generated with information about:

• File locations.

• Author (who created the file).

• File creation date.

2. Monitoring operations on marked files

Example: The “File Operations” policy monitors rename operations on a file marked as “File containing the boss’s surname”.

• Configuration: Define monitoring of rename operations for files with a given marker.

• Effect: Every attempt to rename the file is logged in the system, and the operation can also be blocked.

3. Blocking file edits

Example: Blocking editing of files marked as “File from test application”.

• Configuration: The policy blocks writing to files with a given marker.

• Effect: The user cannot edit or save changes to the file.

Configuration

System eAuditor enables assigning markers Fingerprint in two ways:

1. Using a schedule:

   • Files are classified cyclically, at defined time intervals.

   • The system, via the agent, scans specified locations and marks files that meet defined criteria.

   • Configuration is performed in the second step (skip the first)

2. Using the File Operation rule:

   • Files are classified dynamically at the moment of save or creation.

   • Any file meeting specified parameters will be automatically marked during the operation.

Configuration using a schedule

Configuration steps

1

Create a policy or add a rule

• Go to the main DLP policies view.

• Create a new policy or edit an existing one.

2

Add an action

Select an action Add marker or Remove marker:

• Add marker: Tagging files.

• Remove marker: Removing existing markers – this is the only option for an administrator to remove a marker.

3

Configure locations and files

Specify a location mask, e.g.:

• C:\Users\Documents – monitoring the “Documents” folder.

• Ability to specify exclusions for certain subfolders.

How to add/edit a mask?

Specify a file mask, e.g.:

• *.docx – monitoring Word documents.

• Ability to specify exclusions (e.g. test.docx).

How to add/edit a mask?

4

Enter credentials

• Provide credentials required by the agent to access the scanned location (e.g., a dedicated domain account with appropriate permissions).

• Select option Read-only files (if applicable).

5

Scan interval

Define the interval during which the specified locations will be scanned to classify files that meet the defined parameters.

6

Select marker

Select a marker from the available list:

• Adding new markers is described in the section Adding a new marker.

7

Add a content search pattern (optional)

• Select criteria for searching content within files:

  • Content contains: Search for files containing specified text.

  • Content does not contain: Search for files without the specified text.

• Supported file masks: *.docx, *.xlsx, *.pptx, *.txt.

• Adding new patterns is described in the section Adding a content search pattern.

8

Save configuration

9

Add notifications (optional)

Possible notification options:

• Admin log.

• E-mail for the administrator.

• Message for the user.

Configuration using the File Operation rule

Configuration steps

1

Create a policy or add a rule

• Go to the main DLP policies view.

• Create a new policy or edit an existing one

2

Add a trigger

• In the "When this happens..." add a new step and select a trigger File Operation.

• Adding or removing a marker is available for the following operation types:

  • Save.

  • Create.

NOTE! If you select other types of operations, the file classification option will be unavailable.

3

Define file parameters

Specify classification criteria:

• File location.

• File extension.

• More information about parameters in the section File operations.

4

Add an action

Select an action Add marker or Remove marker.

5

Select marker

Select a marker from the available list:

• Initially the list contains two example markers.

"Why don’t I see markers?" - Adding a new marker.

6

Add a content search pattern (optional)

• Select criteria for searching content within files:

  • Content contains: Search for files containing specified text.

  • Content does not contain: Search for files without the specified text.

• Supported file masks: *.docx, *.xlsx, *.pptx, *.txt.

"Why don’t I see content search patterns?" - Adding a content search pattern.

7

Save configuration

8

Add notifications (optional)

Possible notification options:

• Alert for the administrator.

• E-mail for the administrator.

• Message for the user.

• Alert for the user.

Adding a new marker

Below you will find instructions that will be useful if you have reached step 7 of configuration using the schedule or 6 of the File Operation rule.

The new marker will be added to the list and will be available when creating classification rules.

Adding a content search pattern

Below you will find instructions that will be useful if you have reached step 6 of configuration using the schedule or 5 of the File Operation rule.

A pattern added this way will appear in the list available when creating classification rules.

Summary

Document watermarking using Fingerprint is an advanced and flexible tool supporting the enforcement of security policies in the organization. Through precise file tagging, the administrator gains full control over monitoring and managing documents, regardless of their location, content, or source. Practical applications can be found in the section Case Study, which discusses use-case scenarios of this feature in detail.