diff --git a/docs/endpointprotector/admin/agent.md b/docs/endpointprotector/admin/agent.md index 2e062d0c40..fb5bc5eece 100644 --- a/docs/endpointprotector/admin/agent.md +++ b/docs/endpointprotector/admin/agent.md @@ -26,6 +26,9 @@ Global Settings page, is known as the Tamper Mode setting. It is designed to pre termination or modification of the Endpoint Protector Agent. ::: +:::note +When enabling Debug logging, deploying a fresh installation, or during upgrade processes where critical drivers/services (such as DPI, browser plugins, or Outlook add-ins) must be reloaded, it is recommended to restart the operating system. This mandatory first step in troubleshooting ensures that all dependencies are properly initialized." +::: ## Agent Installation diff --git a/docs/endpointprotector/admin/cap_module/deeppacket.md b/docs/endpointprotector/admin/cap_module/deeppacket.md index a4edb23ad2..9a88a3845e 100644 --- a/docs/endpointprotector/admin/cap_module/deeppacket.md +++ b/docs/endpointprotector/admin/cap_module/deeppacket.md 
@@ -30,6 +30,45 @@ To ensure consistent DPI behavior after enabling or disabling the feature or upg the Endpoint Protector, a restart of your computer is required. ::: +## Stealthy DPI vs. regular DPI + +What are the different network visibility strategies available on Windows? + +- Stealthy DPI: Taps into a newly established network flow, where the content is extracted, decrypted, analyzed, encrypted, and then reintroduced. This method creates a direct network flow between the original application and the internet, without intermediaries. +- Regular DPI (Redirect-Based): Redirects network traffic to a transparent proxy server on localhost before it reaches the internet. This approach results in observable traffic directed to the localhost proxy on the local computer. + +How do Stealthy DPI and Redirect-Based DPI compare in terms of EPP Client functionality? + +- Stealthy DPI and Redirect-Based DPI are functionally similar and require no changes to Endpoint Protector policies. Users can select the mode that best suits their infrastructure preferences. Both methods use the same resources and generate identical events. +- However, they differ in handling bypasses for failed connections: + - Regular DPI (Redirect-Based): Offers more flexibility by allowing a feature to bypass connections that cannot be intercepted, with the proxy rebuilding the network connection to the destination after a failure. + - Stealthy DPI: Achieves a similar bypass result using the improved "DPI Bypass" feature available in Endpoint Protector version 5.9.3.0. + +When should you choose Stealthy DPI over Regular DPI (Redirect-Based)? + +- Third-Party DLP or Firewall Software: If third-party software has trouble handling or blocking network traffic originating from a local proxy, switching to Stealthy DPI is recommended. +- Security-Enhanced Applications: If certain applications experience connectivity issues with Regular DPI (Redirect-Based), opting for Stealthy DPI can resolve these issues. 
+ +## Deep Packet Inspection Diagrams + +The diagrams below illustrate the high-level logic for Deep Packet Inspection (DPI) across different operating systems. Additionally, they illustrate the distinctions between Stealthy and Regular DPI modes of operation for macOS. + +### For Windows +- regular DPI +![Deep Packet Inspection on Windows - regular DPI](dpiwinregular.webp) + +- Stealthy DPI: +![Deep Packet Inspection on Windows - Stealth DPI](dpiwinstealth.webp) + +### For MacOS +- intercept VPN off: +![Deep Packet Inspection on Windows - intercept VPN off](dpimacosvpnoff.webp) + +- intercept VPN on: +![Deep Packet Inspection on Windows - intercept VPN on](dpimacosvpnon.webp) + +### For Linux +![Deep Packet Inspection on Linux](dpilinux.webp) ## Deep Packet Inspection Certificate 
@@ -58,9 +97,14 @@ generated. Issuing the Deep Packet Inspection Certificate on Windows is handled automatically and transparently by the Endpoint Protector Client. No additional steps are required. ::: +![Configuring the Deep Packet Inspection - Auto-refresh Certificate feature](autorefreshcert.webp) +EPP DPI module generates a certificate only at the first time a user visits a website and caches that certificate for subsequent visits to the same website. The certificate cache deletion interval can be configured in EPP Server versions 5.8.0.0 and above (please refer to this UM section [System Settings - DPI certificate](/docs/endpointprotector/admin/systemconfiguration/systemsettings) . Alternatively, the certificate cache is cleared either upon computer reboot or when the DPI feature is disabled. + +Endpoint Protector employs the same criteria as the Chromium open-source web browser for verifying website certificates, referencing the corporate CA certificates found in the system certificate stores. You can assess this validation by using diagnostic websites like https://badssl.com/. + +If needed, this feature can be configured through the DPI Bypass option described here [Global Settings - DPI configuration](/docs/endpointprotector/admin/dc_module/globalsettings#dpi-configuration). -![Configuring the Deep Packet Inspection - Auto-refresh Certificate feature](autorefreshcert.webp) ## Deep Packet Inspection Certificate on macOS @@ -184,6 +228,10 @@ Protection Policy. ![Deep Packet Inspection Ports and Settings](dpiports.webp) +:::note +The "Local" flag setting will only function with "Stealthy DPI" on Windows and "Intercept VPN Traffic" on macOS. It is not operational on Linux. +::: + In this section you can also manage the following settings: - Text Inspection - enable this setting to monitor confidential content typed in Teams, Skype, Slack, 
@@ -215,8 +263,7 @@ In this section you can also manage the following settings: ::: -- Block unsupported protocols in New Outlook – Enable this setting to block the send email - functionality in the New Outlook without interacting with the Outlook legacy functionality. +- Block unsupported protocols in New Outlook – Enable this setting to block unsupported protocols and the send email function in New Outlook without affecting legacy Outlook. Recommended for those not using the EPP add-in to limit the app as an egress channel. Keep off if EPP add-in is used. - Monitor webmail – Enable this setting to scan the subject and body for Gmail, Outlook and Yahoo on the browser. Attachments will be monitored regardless of this setting. @@ -255,6 +302,9 @@ In this section you can also manage the following settings: ![Allowed domains for Google Business accounts](alloweddomainsgoogle.webp) + :::warning + "To include consumer Google Accounts, such as those ending in @gmail.com and @googlemail.com, enter "consumer_accounts" in the list instead of "gmail.com". This change is necessary, and the current issue is being closed as "won't fix". We may consider opening a documentation task to link the relevant Google document to our user manual. For more information, refer to: [Google Support](https://support.google.com/a/answer/1668854?hl=en). + ::: ### Monitor Webmail JSON Format Parser Usage 
@@ -301,21 +351,6 @@ apply any changes in the JSON parser, unless Monitor Webmail is not working ::: -### Note on Peer Certificate Validation Usage - -If Deep Packet Inspection is ON and Peer Certificate Validation is enabled then you cannot access -unsecured websites and a certificate warning message is displayed. - -If Deep Packet Inspection is ON and Peer Certificate Validation is disabled then you can access -unsecured websites and no certificate warning messages are displayed. - -For Example; your organization uses an SSL inspection proxy or gateway. The certificates injected by -the proxy or gateway cannot be validated on the endpoint because they are either invalid or the -issuer CA certificate is not installed in the "Trusted Root Certification Authorities" in the computer -certificate store. To allow Deep Packet Inspection to work in this case you must skip peer -certificates validation. Endpoint Protector Client assumes that in this case the peer certificate -validation is performed by the proxy or gateway so that security is not compromised. - ## Deep Packet Inspection Applications From this section, you can enable or disable the Deep Packet Inspection functionality for each diff --git a/docs/endpointprotector/admin/cap_module/dpilinux.webp b/docs/endpointprotector/admin/cap_module/dpilinux.webp new file mode 100644 index 0000000000..65f9cb1c31 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/dpilinux.webp differ diff --git a/docs/endpointprotector/admin/cap_module/dpimacosvpnoff.webp b/docs/endpointprotector/admin/cap_module/dpimacosvpnoff.webp new file mode 100644 index 0000000000..bab03f539b Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/dpimacosvpnoff.webp differ 
diff --git a/docs/endpointprotector/admin/cap_module/dpimacosvpnon.webp b/docs/endpointprotector/admin/cap_module/dpimacosvpnon.webp new file mode 100644 index 0000000000..be8a227fde Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/dpimacosvpnon.webp differ diff --git a/docs/endpointprotector/admin/cap_module/dpiports.webp b/docs/endpointprotector/admin/cap_module/dpiports.webp index ae67bcacdb..d2431f0341 100644 Binary files a/docs/endpointprotector/admin/cap_module/dpiports.webp and b/docs/endpointprotector/admin/cap_module/dpiports.webp differ diff --git a/docs/endpointprotector/admin/cap_module/dpiwinregular.webp b/docs/endpointprotector/admin/cap_module/dpiwinregular.webp new file mode 100644 index 0000000000..6f1353f0d5 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/dpiwinregular.webp differ diff --git a/docs/endpointprotector/admin/cap_module/dpiwinstealth.webp b/docs/endpointprotector/admin/cap_module/dpiwinstealth.webp new file mode 100644 index 0000000000..df3ddb9b8e Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/dpiwinstealth.webp differ diff --git a/docs/endpointprotector/admin/cap_module/msaddincentraladdinfileselect.webp b/docs/endpointprotector/admin/cap_module/msaddincentraladdinfileselect.webp new file mode 100644 index 0000000000..0999dfb9c9 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/msaddincentraladdinfileselect.webp differ diff --git a/docs/endpointprotector/admin/cap_module/msaddincustomappselect.webp b/docs/endpointprotector/admin/cap_module/msaddincustomappselect.webp new file mode 100644 index 0000000000..97bb7f54e6 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/msaddincustomappselect.webp differ 
diff --git a/docs/endpointprotector/admin/cap_module/msaddinspecifictargetuser.webp b/docs/endpointprotector/admin/cap_module/msaddinspecifictargetuser.webp new file mode 100644 index 0000000000..0da586a95a Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/msaddinspecifictargetuser.webp differ diff --git a/docs/endpointprotector/admin/cap_module/msadminaddindeploywebp.webp b/docs/endpointprotector/admin/cap_module/msadminaddindeploywebp.webp new file mode 100644 index 0000000000..4526ee3982 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/msadminaddindeploywebp.webp differ diff --git a/docs/endpointprotector/admin/cap_module/mscustomaddin.webp b/docs/endpointprotector/admin/cap_module/mscustomaddin.webp new file mode 100644 index 0000000000..c1fbcc5aa3 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/mscustomaddin.webp differ diff --git a/docs/endpointprotector/admin/cap_module/msnewoutlookaddintoolbar.webp b/docs/endpointprotector/admin/cap_module/msnewoutlookaddintoolbar.webp new file mode 100644 index 0000000000..0e7ce70123 Binary files /dev/null and b/docs/endpointprotector/admin/cap_module/msnewoutlookaddintoolbar.webp differ diff --git a/docs/endpointprotector/admin/cap_module/newoutlook.md b/docs/endpointprotector/admin/cap_module/newoutlook.md new file mode 100644 index 0000000000..5354632f60 --- /dev/null +++ b/docs/endpointprotector/admin/cap_module/newoutlook.md 
@@ -0,0 +1,211 @@ +--- +title: "Content Aware Protection for New Outlook" +description: "Content Aware Protection for New Outlook" +sidebar_position: 50 +--- + +# Content Aware Protection for New Outlook + +Starting from Endpoint Protector Clients version 5.9.4.3, New Outlook can be fully managed as a Content Aware Protection Exit Point via the Microsoft 365 Web Add-in. Unlike COM add-ins for classic Outlook, which are installed directly on individual endpoints, Microsoft Web Add-ins need to be deployed centrally using the Microsoft 365 Admin Center or manually within the user account in Outlook application. + +Microsoft 365 Web Add-ins are associated with user accounts rather than computers or devices. Once an add-in is deployed to a user account, every device that the user employs to access that account will have the add-in available. This means it cannot be restricted to just one device, such as the user's Mac computer only. + +For detailed instructions and more information, please refer to the official documentation available through Microsoft and Endpoint Protector resources: +- [Microsoft resources](https://learn.microsoft.com/en-us/office/dev/add-ins/overview/office-add-ins) +- [Centralized deployment FAQ](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/centralized-deployment-faq?view=o365-worldwide) + +:::note +Both Netwrix and Microsoft recommend deploying the add-in in phases, starting with a few users who work in IT and security or are business stakeholders, then selected groups of users, and finally the whole organization. +::: + +:::warning Important +It is important to configure the policy correctly so that the add-in is deployed selectively, rather than to all users—especially those who do not require it. Also the javascript's variables configuration allows for the add-in to remain inactive or non-obtrusive unless the EPP agent is running on a device. 
This ensures that the add-in does not block operations unnecessarily if the agent is not active. Please refer to dedicated subchapter [Default Behavior of New Outlook Add-in and EPP Client](#default-behavior-of-new-outlook-add-in-and-epp-client). +::: + +When you install an add-in in Outlook.com, it will also appear in other versions of Outlook. For example, if you install an add-in in Outlook.com, you will see it when you open the desktop version of Outlook. + +The EPP Client will also enforce the Content Aware Policies on those accounts when accessed through Outlook on the Web, with no additional configuration needed. Note that the presence of the add-in is not displayed in the Outlook interface. + +To obtain the Outlook add-in manifest and validator files, visit the latest announcements on the Netwrix community portal or contact Netwrix Global Services & Support. + +## Requirements + +To ensure full configuration and functionality of the EPP Microsoft New Outlook add-in, three dependencies must be addressed collectively: + +1. Update EPP Clients\ +Ensure that all Endpoint Protector (EPP) Clients are updated to at least version 5.9.4.3. This version is necessary to support the features and capabilities of the new add-in. + +2. Deploy configured Microsoft Outlook Add-in (manifest.xml)\ +Configure and deploy the Microsoft Outlook add-in and assign it to the relevant user accounts. This can be managed centrally via the Microsoft 365 Admin Center or manually on individual user accounts. + +3. Host Validation Part and Icons\ +The Endpoint Protector add-in requires certain files to be hosted by the customer and accessible from the internet. This includes: + + - **mainpage.html** - Needs to be hosted; this is the entry point of the add-in. + - **validator.js** - The script that performs the necessary functions for the add-in. 
+ - **main_64.png, main_128.png** - These icons are also required by Microsoft; otherwise, the add-in cannot be validated by Microsoft admin center. + + Hosting the above ensures that the add-in can communicate appropriately with the EPP system to enable its functionalities. + + :::warning Important + Having any downtime to the hosted files (mainpage.html, validator.js) will result in an impossibility to send ANY emails for the users that have the add-in assigned to their account. + ::: + + :::note + It is recommended that the two files, mainpage.html and validator.js, be hosted together in the same directory (folder) and be accessible from the internet. If you choose to host the files differently, you must update the link to the validator in mainpage.html by modifying the "src" attribute as follows: + ```html + + ``` + ::: + +4. Standard EPP Content Aware Protection Policy\ +Ensure that a standard Endpoint Protector (EPP) Content Aware Protection (CAP) policy is set up with the appropriate Outlook definition. + +5. Deep Packet Inspection Setting\ +Ensure that the setting under Content Aware Protection → Deep Packet Inspection called "Block Unsupported Protocols in New Outlook" is turned off. This setting is no longer needed if the EPP add-in is in use. + +:::note +On MacOS a EPP certificate is utilized to ensure secure communication between the add-in and the EppClient. Please refer to the existing User Manual chapter for [detailed instructions](https://docs.netwrix.com/docs/endpointprotector/admin/cap_module/deeppacket#deep-packet-inspection-certi%EF%AC%81cate-on-macos). If you have configured DPI certificate on MacOS, you can ignore this note. +::: + +## Pre-configuring add-in (manifest.xml) + +At the core of any Office Add-in is the manifest file (.xml). This file acts as the blueprint for the add-in, containing: + +- **Basic Information:** Includes the name, version, and description of the add-in. 
+- **Entry Points:** Specifies the URLs that direct Outlook to the hosted HTML and JavaScript files. +- **Permissions & Capabilities:** Defines what the add-in can do, such as accessing email data. +- **Icons:** Visual assets that appear in Outlook, enhancing the add-in's interface. + +In short, the manifest tells Outlook how to integrate and run the add-in. If the manifest is missing or incorrect, the add-in won't function properly. + +In order to prepare the Netwrix EPP add-in for Outlook accounts, the provided template needs to be updated in several places listed below. All these places are marked with the comment ``. + +1. Define icons location\ +This part is mandatory for Microsoft add-in validator. Edit it by defining proper URL to mentioned files. + + ```xml + + + + + + ``` + +2. Define domain name for add-in url + Edit it by defining proper domain. + + ```xml + + www.example.com + ``` + + Make sure that every domain in the URLs of the hosted files is added to the `` list: + - If the same domain is used for all URLs, it only needs to be added once. + - Extend the existing list by adding your domain at the end between the `` tags, and before the closing `` tag. + +3. Define validator location\ + Edit it by defining proper URL to validator. + + ```xml + + + + ``` + +4. Define mainpage validator\ + Edit it by defining proper URL to mainpage validator. + + ```xml + + + + ``` + +:::warning Important +Ensure these URLs are correctly hosted on your server and accessible via the internet to enable required functionalities for the add-in. +::: + +## Default Behavior of New Outlook Add-in and EPP Client + +The default behavior of the New Outlook add-in and EPP Client will align with the EPP Content Aware Protection (CAP) policy defined for email and Outlook actions. This includes capabilities such as reporting, blocking, and other egress channel controls when specific conditions are met. 
+ +However, the add-in has a predefined, hardcoded behavior when it cannot communicate with the EPP Client, assuming the EPP Client is not present. In this scenario, it is configured to allow sending messages. For customers who wish to enforce a restrictive policy that blocks the option to send out emails, this option is available. + +**To change that:** + +1. Edit hosted **validator.js** file. +2. In first line edit value: + ```javascript + const DEFAULT_ACTION = true; // true = Allow, false = block + ``` +3. Change argument value "true" for "false". + +:::warning Important +Use this option carefully and ensure it is aligned with your rollout plan to avoid interruptions in essential business email communication. +::: + +## Default Blocking Message of New Outlook Add-in + +There is also an option to replace the add-in default message in the tooltip prompt in the email editor window in New Outlook with a custom one. + +**To change that:** + +1. Edit hosted **validator.js** file. +2. Edit 2nd line "DEFAULT_MESSAGE" value: + ```javascript + const DEFAULT_MESSAGE = "This email was blocked due to a policy violation. Please review and modify the message before resending."; + ``` + +:::note +This prompt supports only one language locale. +::: + + ![Sample of default tooltip prompt message](msnewoutlookaddintoolbar.webp "Sample of default tooltip prompt message") + +## Manual Deployment Method + +Manual deployment method is not the recommended one as it requires to be repeated on each user account. This method is intended for pilot phases, troubleshooting or feature PoC's. + +This option is only available if your organization defines the possibility to add custom add-ins by user. + +Refer to official Microsoft KB article: [Use add-ins in Outlook](https://support.microsoft.com/en-us/office/use-add-ins-in-outlook-1ee261f9-49bf-4ba6-b3e2-2ba7bcab64c8) + +**Steps:** + +1. Host validators and icon files. +2. Preconfigure manifest.xml as described in previous chapter. +3. 
In your preferred browser, go to https://aka.ms/olksideload. This opens Outlook on the web, then loads the Add-Ins for Outlook dialog after a few seconds: +4. Select **My add-ins**. +5. In the Custom Add-in's section, select **Add a custom add-in**, then choose **Add from file**. + ![Custom addin file selection](mscustomaddin.webp "Custom addin file selection") +6. Select the XML file for the add-in. +7. Select **Open** to install the add-in. +8. After making changes, please allow some time for them to propagate. According to Microsoft, this process can take anywhere from a few minutes to up to 24 hours. + +## Central Deployment Method + +The central deployment method provides administrators with the capability to deploy the EPP New Outlook add-in in phases across global user populations. This approach helps minimize administrative effort and ensures a smooth implementation process. For detailed guidance, please consult the official Microsoft Knowledge Base (KB): [Office add-ins](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/office-addins?view=o365-worldwide) + +**To deploy the add-in through the Microsoft Admin Center (https://admin.microsoft.com/):** + +1. Host validators and icon files. +2. Preconfigure manifest.xml as described in the previous chapter. +3. Go to **Settings** → **Integrated apps** → **Add-ins**, select **Deploy Add-in**, and click **Next**. +4. Choose **Upload custom apps**.\ + ![Choose Upload custom apps](msaddincustomappselect.webp "Choose Upload custom apps") +5. Under **Upload Apps to Deploy**, choose the **App type** of **Office Add-in**, choose **Upload manifest file (.xml) from device**, and click **Choose File**.\ + ![Upload Apps to Deploy](msaddincentraladdinfileselect.webp "Upload Apps to Deploy") +6. 
After selecting the file and clicking **Next**, under **Add users**, choose **Specific users/groups** and use the search box to populate the search box with the desired groups.\ + ![Specific users/groups selector](msaddinspecifictargetuser.webp "Specific users/groups selector") +7. When the desired list appears under **To be added**, click **Next** and then click **Accept Permissions**. Review the needed permissions and click **Accept**. +8. Ensure to keep **Deployment Method** as **Fixed (Default)**. +9. Click **Next** and then **Finish deployment**. +10. After making changes, please allow some time for them to propagate. According to Microsoft, this process can take anywhere from a few minutes to up to 24 hours. diff --git a/docs/endpointprotector/admin/cap_module/webmailjson.webp b/docs/endpointprotector/admin/cap_module/webmailjson.webp index b862228666..56749a1813 100644 Binary files a/docs/endpointprotector/admin/cap_module/webmailjson.webp and b/docs/endpointprotector/admin/cap_module/webmailjson.webp differ diff --git a/docs/endpointprotector/admin/dc_module/easylocksettings.webp b/docs/endpointprotector/admin/dc_module/easylocksettings.webp index efbd62a99a..3f378f6f39 100644 Binary files a/docs/endpointprotector/admin/dc_module/easylocksettings.webp and b/docs/endpointprotector/admin/dc_module/easylocksettings.webp differ diff --git a/docs/endpointprotector/admin/dc_module/eeromode.webp b/docs/endpointprotector/admin/dc_module/eeromode.webp new file mode 100644 index 0000000000..a031fe007a Binary files /dev/null and b/docs/endpointprotector/admin/dc_module/eeromode.webp differ diff --git a/docs/endpointprotector/admin/dc_module/globalrights.md b/docs/endpointprotector/admin/dc_module/globalrights.md index 27e99c3667..c05b8dd665 100644 --- a/docs/endpointprotector/admin/dc_module/globalrights.md +++ b/docs/endpointprotector/admin/dc_module/globalrights.md 
@@ -79,6 +79,9 @@ On macOS version 14 (Sonoma) and higher, Bluetooth devices are managed only when device is connected and visible under ‘My Devices’ in the Bluetooth section of ‘System settings’. ::: +:::note +Occasionally, the EPP system may display a limitation where certain webcams can be activated in Zoom meetings, even when rights are set to DENY in computer settings. To enforce proper rights after configuration, a restart of the PC is mandatory in such cases. +::: ![Bluetooth Device Management on Mac](macbluetooth.webp) diff --git a/docs/endpointprotector/admin/dc_module/globalsettings.md b/docs/endpointprotector/admin/dc_module/globalsettings.md index 43490b2e12..d733b49c79 100644 --- a/docs/endpointprotector/admin/dc_module/globalsettings.md +++ b/docs/endpointprotector/admin/dc_module/globalsettings.md @@ -228,7 +228,7 @@ Select from the drop-down list a client mode to define the Endpoint Protector C - Display the system tray icon - Display system tray notifications - - Block all devices, regardless of authorization,, with the following exceptions: + - Block all devices, regardless of authorization, with the following exceptions: - Keyboards are blocked either when a third one is connected to the same computer or after 48 hours have passed @@ -267,6 +267,10 @@ systems, keep the Endpoint Protector Notifier window open. ## DPI Configuration +:::note +For more Deep Packet Inspection (DPI) description please refer to dedicated chapter: [Deep Packet Inspection](/docs/endpointprotector/admin/cap_module/deeppacket.md). +::: + In this section, you can manage the following settings: - Deep Packet Inspection - if enabled, network and browser traffic can be inspected for content. This 
@@ -416,6 +420,10 @@ In this section, you can manage the following settings: ### Intercept VPN Traffic +:::note +For more additional DPI Intercept VPN traffic, check: [Deep Packet Inspection Intercept VPN Traffic](/docs/endpointprotector/admin/cap_module/deeppacket.md#deep-packet-inspection-diagrams). +::: + If you enable this setting, the Endpoint Protector Client will intercept VPN traffic on macOS using the network extension framework. 
@@ -610,19 +618,17 @@ for recommended settings. - Metadata Scanning - if you disable this setting, metadata will not be scanned for PDFs, ZIPs, and Office Files DOCX, XLSX, PPTX, DOC, XLX, PPT). -- Advanced Printer and MTP Scanning – Advanced Printer and MTP Scanning – if you enable this - setting, a DLL is loaded into certain Windows applications when they are launched. This DLL - enables Endpoint Protector to monitor printing and files copied to MTP devices by hooking into - Windows API functions responsible for these actions. For example, when a user opens Microsoft - Word, an Endpoint Protector DLL is loaded into Word’s address space. If the user attempts to print - a document, the DLL scans the printed document content, and if sensitive data is detected, - Endpoint Protector can block the print operation. +- Advanced Printer and MTP Scanning – enables a feature in Endpoint Protector by which a small DLL is loaded into certain Windows applications when they are launched. That small DLL enables Endpoint Protector to monitor printing and files copied to MTP devices, by hooking Windows API functions responsible with printing and copying files to MTP devices. +For example, when a user opens Microsoft Word, an Endpoint Protector DLL is loaded into Microsoft Word's address space. If the user wants to print a document, that DLL is called, and Endpoint Protector can scan the printed document content. If the printed content contains sensitive data Endpoint Protector can block the print operation. + :::note This feature increases accuracy and reduces false positives for File Tracing and File Shadowing. It is available only for Windows and will require a computer restart. ::: +- Advanced Scanning Exceptions is a list of applications into which Endpoint Protector won't inject its DLL when the "Advanced Printer and MTP Scanning" is enabled. 
+For example, many applications can't be used to print or to copy files to MTP devices, so it does not make sense to inject the Endpoint Protector DLL into them. For best performance or to avoid unexpected interactions with Endpoint Protector, these applications can be added to the “Advanced Scanning Exceptions” list. - Block Print from Browsers – Enable this setting to prevent users from printing web pages from any supported browser on Windows. @@ -994,6 +1000,10 @@ Endpoint Protector installed or in relation to a list of trusted Endpoint Protec ![Allow EasyLock to be installed](easylocksettings.webp) +EE Read Only mode, will block write access to encrypted drive on computers not managed by EPP Client. Default value is OFF, it means that EE application will not start on computer not managed by EPP Client. For more information refer to [Enforced Encryption in Read-Only mode](/docs/endpointprotector/admin/ee_module/eemodule.md#enforced-encryption-in-read-only-mode) + +![Enforced Encryption in Read-Only mode](eeromode.webp) + ## Additional Information From this section you can restore global settings to default and view the name and date when the diff --git a/docs/endpointprotector/admin/ee_module/eemodule.md b/docs/endpointprotector/admin/ee_module/eemodule.md index 1a8c00b27f..6ae3848849 100644 --- a/docs/endpointprotector/admin/ee_module/eemodule.md +++ b/docs/endpointprotector/admin/ee_module/eemodule.md 
@@ -6,10 +6,7 @@ sidebar_position: 70 # Enforced Encryption -Enforced Encryption, Formerly known as EasyLock, is a cross-platform solution that protects data -with government-approved 256 bit AES CBC-mode encryption. For USB devices, it needs to be deployed -on the root of the device. With the intuitive Drag & Drop interface, files can be quickly copied to -and from the device. +Enforced Encryption, Formerly known as EasyLock, is a cross-platform solution that protects data with government-approved FIPS 140-3 validated encryption. For USB devices, it needs to be deployed on the root of the device. With the intuitive Drag & Drop interface, files can be quickly copied to and from the device. ![Enforced Encryption, Formerly known as EasyLock](enforcedencryption.webp) @@ -39,6 +36,10 @@ Enforced Encryption works on read-only mode if the device was formatted on Windo Encryption configured on Windows or some files were encrypted on Windows. On macOS, these files can be decrypted, except for NTFS due to incompatibility with Enforced Encryption. +:::note +Starting with Netwrix Enforced Encryption version 3.0.0.2 (5.9.4.2 release), a new encryption engine has been introduced, replacing the previous 256-bit AES CBC-mode encryption with FIPS 140-3 validated cryptography. This FIPS 140-3 validated encryption provides the highest standards of data protection, ensuring compliance with the latest industry regulations. While the new encryption engine is fully backward compatible for existing users, allowing for a seamless upgrade and continued use of previously encrypted drives, USB sticks encrypted with the FIPS 140-3 validated engine will not be compatible with older Enforced Encryption Clients. Therefore, we recommend updating EE Clients to ensure compatibility. +::: + ## Enforced Encryption Deployment Enforced Encryption is supported for both Mac and Windows computers. 
@@ -118,6 +119,21 @@ Enabling global File Tracing will not automatically activate the File Tracing op Enforced Encryption Trusted Device™ and vice versa. ::: +:::warning Important +After deploying the Enforced Encryption Client with Read-Only (RO) mode enabled, ensure you launch the EE Client for the first time on the EPP Client-managed computer to complete the configuration process. +::: + +:::warning Important +When an Enforced Encryption (EE) encrypted USB drive is used by multiple users or across different machines with varying EE settings, the settings will not update automatically. To apply individual computer or user settings, the EPP administrator must update the related EE settings on the EPP Server at the computer/user level each time the USB drive is used on a specific computer or by a particular user. These settings will remain stored in the EE USB drive's configuration until further modifications are made. +::: + +## Enforced Encryption in Read-Only mode + +Netwrix Enforced Encryption Read-Only Mode for unmanaged computers is an innovative feature designed to maintain data security standards across non-corporate devices. It allows administrators to grant access to EE encrypted drives on personal computers, conference room setups, or exhibition areas while ensuring security through a Read-Only configuration. This enables the seamless transfer of corporate data across different environments, providing robust protection without sacrificing accessibility. + +To activate this mode, navigate to the "Global Settings" section related to Enforced Encryption, and switch on the "EE Read-Only mode" toggle. Please refer to [Global Settings - EE configuration](/docs/endpointprotector/admin/dc_module/globalsettings#easylock-settings). + +![Enforced Encryption Read-Only Mode](eeromode.webp) ### Enforced Encryption Clients 
diff --git a/docs/endpointprotector/admin/ee_module/eeromode.webp b/docs/endpointprotector/admin/ee_module/eeromode.webp new file mode 100644 index 0000000000..5ca6edc092 Binary files /dev/null and b/docs/endpointprotector/admin/ee_module/eeromode.webp differ diff --git a/docs/endpointprotector/admin/systemconfiguration/serverdisplayname.webp b/docs/endpointprotector/admin/systemconfiguration/serverdisplayname.webp index 41ad2376ac..45bfab2058 100644 Binary files a/docs/endpointprotector/admin/systemconfiguration/serverdisplayname.webp and b/docs/endpointprotector/admin/systemconfiguration/serverdisplayname.webp differ diff --git a/docs/endpointprotector/admin/systemconfiguration/systemsettings.md b/docs/endpointprotector/admin/systemconfiguration/systemsettings.md index 0bb26f6120..5efe0ac74e 100644 --- a/docs/endpointprotector/admin/systemconfiguration/systemsettings.md +++ b/docs/endpointprotector/admin/systemconfiguration/systemsettings.md 
@@ -550,10 +550,14 @@ Edit contact details for the main administrator and then click Save to keep all ### Server Display Name -Endpoint Protector users have the capability to visually differentiate environments within the -Endpoint Protector console. This feature enables users to add custom text above the Endpoint -Protector logo on the login page and alongside the logo in the Endpoint Protector header. You can -customize text and upload a custom logo for further personalization. These visual cues are designed -to prevent incidents like unintentional modifications on the wrong environment +Endpoint Protector users can easily visually differentiate environments within the Endpoint Protector console, ensuring precise identification and preventing unintended actions in the wrong environment. This customization feature allows users to add custom text above the Endpoint Protector logo on the login page and alongside the logo in the console header. Moreover, users have the capability to upload a custom logo for further personalization. + +To assist customers in distinguishing between multiple EPP Server consoles, Netwrix has introduced options for configuring custom text, icon markings, and extended legal banners for compliance purposes. Organizations managing multiple consoles, such as those for production and testing environments, can implement distinct visual cues. These elements, including custom login text, background colors, and legal banner specifications, help administrators easily identify the environment they are working in, ensuring the appropriate usage of each console. + +Refer to the image above for guidance on customizing these elements. You can enable custom login and header displays, Enter your desired text and choose colors that will best highlight your environment’s uniqueness. Additionally, you can upload a custom logo and configure legal banners for added clarity and compliance. 
By strategically using these visual indicators, administrators can effortlessly distinguish between different operational contexts, enhancing both security and workflow efficienc ![EPP Server Display Name](serverdisplayname.webp) + +:::note +The legal banner placeholder can accommodate up to 5,000 characters. +::: diff --git a/docs/endpointprotector/requirements/client.md b/docs/endpointprotector/requirements/client.md index ace6077597..f37a6b295e 100644 --- a/docs/endpointprotector/requirements/client.md +++ b/docs/endpointprotector/requirements/client.md 
@@ -53,104 +53,94 @@ below. #### Recommended Exclusions for Windows - - - - **Folder Level Exclusions** + ``` -/Applications/EndpointProtectorClient.app/* -/private/etc/epp/* -/private/var/tmp/epp/* +cssguard +Endpoint Protector +Netwrix Endpoint Protector Notifier ``` +**Folder Level Exclusions** -**File Level Exclusions** ``` -/Applications/EndpointProtectorClient.app/Contents/MacOS/EppClient -/Applications/EndpointProtectorClient.app/Contents/MacOS/sslsplit -/Applications/EndpointProtectorClient.app/Contents/MacOS/netdlp_setup -/Applications/EndpointProtectorClient.app/Contents/Applications/EppNotifier.app/Contents -/MacOS/EppNotifier -/var/log/eppclient.log -/var/log/eppsslsplit.log +C:\Program Files\CoSoSys\Endpoint Protector\* + Alternative: + C:\Program Files\CoSoSys\Endpoint Protector\EPPservice.exe + C:\Program Files\CoSoSys\Endpoint Protector\sslsplit.exe + C:\Program Files\CoSoSys\Endpoint Protector\cssguard.exe + C:\Program Files\CoSoSys\Endpoint Protector\EPPNotifier.exe +C:\Windows\System32\config\systemprofile\AppData\Local\CoSoSys\EPP* ``` +**File Level Exclusions** -**Process Level Exclusions** ``` -EppClient -sslsplit -netdlp_setup -EppNotifier +C:\Program Files\CoSoSys\Endpoint Protector\EPPservice.exe +C:\Program Files\CoSoSys\Endpoint Protector\sslsplit.exe +C:\Program Files\CoSoSys\Endpoint Protector\cssguard.exe +C:\Program Files\CoSoSys\Endpoint Protector\EPPNotifier.exe + Alternative (for the above 4 files): + C:\Program Files\CoSoSys\Endpoint Protector\* +C:\Windows\System32\drivers\cssdlp20.sys +C:\Windows\System32\drivers\cssredir.sys +C:\Windows\System32\drivers\cssdcflt.sys +C:\Windows\System32\drivers\cssnwtap.sys +C:\eppclient.log +C:\eppsslsplit.log ``` -#### Recommended Exclusions for Linux - +**Process Level Exclusions** -**Folder Level Exclusions** ``` -/opt/cososys/* -/var/log/epp-client/* +cssguard.exe +EPPNotifier.exe +EPPservice.exe ``` +**Registry level exclusions** -**File Level Exclusions** ``` 
-/opt/cososys/sbin/epp-client-daemon -/opt/cososys/sbin/epp_sslsplit -/opt/cososys/sbin/epp_netdlp_setup -/opt/cososys/sbin/netdlp_scripts/linux_install_certicates.sh -/opt/cososys/bin/epp-client -/var/log/epp-client/epp_client_daemon.log -/var/log/epp-client/eppsslsplit.log +Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows +NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\ + Key: + C:\Program Files\CoSoSys\Endpoint Protector\EPPNotifier.exe +HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\cssdlp20.inf_* +HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\cssdcflt.inf_* +HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.cososys.epp_browser_broker +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\cssdcflt.inf_* +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\cssdlp20.inf_* +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\cssdlp20_* +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\sieflt20_* ``` +#### -**Process Level Exclusions** -``` -epp-client-daemon -epp-client -epp_sslsplit -epp_netdlp_setup -linux_install_certicates.sh -``` +#### Recommended Exclusions for macOS **Folder Level Exclusions** -``` -/opt/cososys/* -/var/log/epp-client/* -``` -**File Level Exclusions** ``` -/opt/cososys/sbin/epp-client-daemon -/opt/cososys/sbin/epp_sslsplit -/opt/cososys/sbin/epp_netdlp_setup -/opt/cososys/sbin/netdlp_scripts/linux_install_certicates.sh -/opt/cososys/bin/epp-client -/var/log/epp-client/epp_client_daemon.log -/var/log/epp-client/eppsslsplit.log -``` - -**Process Level Exclusions** -``` -epp-client-daemon -epp-client -epp_sslsplit -epp_netdlp_setup -linux_install_certicates.sh +/Applications/EndpointProtectorClient.app/* +/private/etc/epp/* +/private/var/tmp/epp/* ``` **File Level Exclusions** + ``` +/Applications/EndpointProtectorClient.app/Contents/MacOS/EppClient 
+/Applications/EndpointProtectorClient.app/Contents/MacOS/sslsplit +/Applications/EndpointProtectorClient.app/Contents/MacOS/netdlp_setup +/Applications/EndpointProtectorClient.app/Contents/Applications/EppNotifier.app/Contents /MacOS/EppNotifier /var/log/eppclient.log /var/log/eppsslsplit.log ``` **Process Level Exclusions** + ``` EppClient sslsplit @@ -161,12 +151,14 @@ EppNotifier #### Recommended Exclusions for Linux **Folder Level Exclusions** + ``` /opt/cososys/* /var/log/epp-client/* ``` **File Level Exclusions** + ``` /opt/cososys/sbin/epp-client-daemon /opt/cososys/sbin/epp_sslsplit @@ -178,6 +170,7 @@ EppNotifier ``` **Process Level Exclusions** + ``` epp-client-daemon epp-client @@ -186,5 +179,5 @@ epp_netdlp_setup linux_install_certicates.sh ``` -By applying these exclusions, you will allow the Endpoint Protector Client to operate smoothly -alongside other security products, ensuring both functionality and protection across endpoints. \ No newline at end of file +By applying these exclusions, you will allow the Endpoint Protector Client to operate smoothly alongside other security products, ensuring both functionality and protection across endpoints. +``` diff --git a/docs/endpointprotector/requirements/components.md b/docs/endpointprotector/requirements/components.md index 43f013d512..d630eb8d8f 100644 --- a/docs/endpointprotector/requirements/components.md +++ b/docs/endpointprotector/requirements/components.md 
@@ -27,8 +27,7 @@ The Client-side of Endpoint Protector has two different components: - Endpoint Protector Client – enforcing the rights and settings received from the Server on Windows, Mac, and Linux computers; it also automatically deploys Enforced Encryption on the USB storage devices. -- Enforced Encryption Client – enforcing 256 AES encryption on USB storage devices as specified from - the Server; it is a stand-alone application compatible with Windows and Mac computers. +- Enforced Encryption Client – enforcing FIPS 140-3 validated encryption on USB storage devices as specified from the Server; it is a stand-alone application compatible with Windows and Mac computers. ![Main Components](maincomponents.webp)
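Review bot: in the globalsettings.md hunk, the added sentence "EE Read Only mode, will block write access to encrypted drive on computers not managed by EPP Client. Default value is OFF, it means that EE application will not start on computer not managed by EPP Client." is ungrammatical and describes only the OFF state, so a reader never learns plainly what ON does. Suggest: "EE Read-Only mode controls what happens when an Enforced Encryption drive is opened on a computer without the EPP Client. ON: the drive opens, but write access is blocked. OFF (default): the EE application does not start on unmanaged computers." The link target `/docs/endpointprotector/admin/ee_module/eemodule.md#enforced-encryption-in-read-only-mode` also carries a `.md` suffix while the reverse link added in eemodule.md (`/docs/endpointprotector/admin/dc_module/globalsettings#easylock-settings`) omits it; use one form so both resolve in the site build.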
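Review bot: in the eemodule.md hunk at @@ -6,10, replacing "256 bit AES CBC-mode encryption" with "FIPS 140-3 validated encryption" removes the algorithm without naming a replacement. FIPS 140-3 is a module validation status, not a cipher; a customer or auditor still needs the algorithm and mode and the validated module (CMVP certificate) the new engine relies on. Suggest keeping the algorithm in the intro, for example "with AES-256 encryption provided by a FIPS 140-3 validated cryptographic module", and citing the certificate in the added note. The note also leaves the key operational question open: when a drive encrypted under the old engine is opened by EE 3.0.0.2, is it converted to the new format (and thereby made unreadable by older EE Clients), or does it stay in the old format until re-encrypted? State this explicitly, because it decides whether "we recommend updating EE Clients" is advice or a prerequisite for rolling out 5.9.4.2. Minor: "Formerly" should be lower case mid-sentence.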
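Review bot: in the eemodule.md hunk at @@ -118,6, the new `## Enforced Encryption in Read-Only mode` section is inserted immediately before the existing `### Enforced Encryption Clients` heading, which reparents that subsection under Read-Only mode in the sidebar and page outline. Either move the new section below the Clients subsection or make it a `###` at the same level. The second warning should also spell out its security consequence: because EE settings are stored in the drive's own configuration and are not refreshed automatically, a drive last written with a permissive setting keeps that setting on the next computer it is plugged into, so the administrator must update the server-side settings before the drive is used there, not afterwards. The first warning says to launch the EE Client once on a managed computer "to complete the configuration process" but not what fails otherwise; say whether the Read-Only configuration is simply never written to the drive in that case, so that admins can recognise the symptom. Finally, "an innovative feature designed to maintain data security standards" is marketing copy; open the section with what the mode does.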
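Review bot: in the systemsettings.md hunk at @@ -550,10, "Refer to the image above for guidance on customizing these elements" points the wrong way: the screenshot `![EPP Server Display Name](serverdisplayname.webp)` follows the paragraph. Change to "the image below" or move the image above the text. In the same paragraph "Enter your desired text" is capitalised mid-sentence, and the closing context line ending in "workflow efficienc" appears truncated in the diff; confirm the source reads "efficiency". The rewritten first paragraph now states the purpose twice (once as "ensuring precise identification and preventing unintended actions in the wrong environment" and again in the following paragraph about distinct visual cues); one statement is enough. The 5,000-character note is useful; consider adding whether the legal banner accepts plain text only, since that determines what compliance text can be pasted in.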
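Review bot: in the client.md hunk at @@ -53,104, two paths that must be single lines inside the code blocks are split: the registry exclusion is added as "Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows" followed by "NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\", and the macOS file exclusion keeps the pre-existing wrap "...EppNotifier.app/Contents" followed by "/MacOS/EppNotifier"; an admin pasting these into an AV console gets two bogus entries each. Join them, and drop the `Computer\` prefix, which is a Registry Editor display artifact rather than part of the key path. The hunk also adds an empty `#### ` heading between the Windows and macOS sections, leaves the first Windows block (cssguard / Endpoint Protector / Netwrix Endpoint Protector Notifier) without a label saying what those names are (services? display names?), and appends a stray closing "```" after the final sentence "By applying these exclusions...", which will render as an unterminated fence. Two content points: the Windows "Folder Level Exclusions" block lists four executables under "Alternative:" and the "File Level Exclusions" block lists the folder wildcard as the alternative for the same four files, so the two sections mirror each other; keep directories in one and files in the other, and since a directory wildcard like `C:\Program Files\CoSoSys\Endpoint Protector\*` also exempts anything later dropped into that directory, state that the per-executable list is the recommended form and the wildcard the fallback. Also, the logs are listed at the drive root (`C:\eppclient.log`, `C:\eppsslsplit.log`); confirm the client really writes there and that the path is not writable by standard users, because an excluded filename that an unprivileged user can create or replace is an easy place to park malware.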
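Review bot: in the components.md hunk, "enforcing FIPS 140-3 validated encryption on USB storage devices" has the same problem as the eemodule.md change: it names a validation status instead of a cipher. Keep the algorithm alongside the validation claim (for example "AES-256 encryption via a FIPS 140-3 validated module"), and because this page lists every client component, add that only Enforced Encryption Client 3.0.0.2 and later uses the new engine, which is the version boundary the eemodule.md compatibility note depends on.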