Problem Statement: DLP 12.5 Endpoint Agent stops triggering any incidents after deploying the HIPAA and HITECH (including PHI) policy. The agent triggers incidents again when the HIPAA and HITECH (including PHI) policy is disabled.
Solution:
Enable the IE channel in the agent configuration if it is not already enabled.
Trigger any policy using Internet Explorer.
Set the logging level to FINEST on the agent using an agent management task.
De-obfuscate the agent log with logdump.exe: logdump.exe -log=edpa_ext0.log -p=<password> > c:\edpaclean.txt (the edpa_ext0 logs can be found in the agent install directory).
You will see error messages similar to the following in the de-obfuscated logs:
09/03/2014 18:26:54 | 2120 | FINEST | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST {90C4C6F0-7CA5-44AA-8DF0-95E240F3BE0C} 09/03/2014 12:56:54 [
Request Id #1767
Detection Request Details :
Session Command : Session Open Request
Session Id : {EE1CC0E7-C8DD-442D-9DED-F19B59C696E9}
Request Type : Data In Motion Request
Dim Detection Request Details :
Process Id : 7640
Process Path : \Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe
Application Name : Microsoft Internet Explorer
User : <username>
Domain : <domain>
Time Stamp : 09/03/2014 12:56:54
Dim Event Type : HTTP(S)
HTTP(S) Details :
URL : <url>
Network Info Details :
Source IP : <IP>
Source Port : 63816
Source Domain :
Destination IP : <IP>
Destination Port : 80
Destination Host Name : <domain>
]
09/03/2014 18:26:54 | 2120 | FINE | UI.UIProxy | Received a Detection Request message (req#1767).
09/03/2014 18:26:54 | 2120 | FINER | UI.UIProxy | Request message for user:<domain\username>
09/03/2014 18:26:54 | 2120 | FINE | UI.UIProxy | Request type: DIM_EVENT_HTTP
09/03/2014 18:26:54 | 2120 | FINER | UI.UIProxy | Added a detection request to the current transaction.
09/03/2014 18:26:54 | 2120 | FINE | UI.UIProxy | Scan message dropped.
09/03/2014 18:26:54 | 4116 | WARNING | GlobalDataIdentifierMatcher | Condition [-501] will not be evaluated because Identifier [[Identifier:51, Breadth:101]] could not be found
PS: While this procedure uses IE for testing, the test can be done using any endpoint agent channel; the corresponding errors will still appear in the logs.
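The line that matters in the excerpt above is the GlobalDataIdentifierMatcher WARNING: the scan is dropped and, alongside it, the agent reports that a policy condition refers to a data identifier it cannot find. The following Python script is added here as an example; it is not part of the original article and not code from the DLP product. It parses a de-obfuscated edpa_ext0 excerpt (the lines from this page, embedded as a constructed sample with the request body shortened), attaches the multi-line request dump to its parent record, and reports how many detection requests were received, how many scans were dropped, and which identifiers could not be resolved. The record layout, the regular expressions and the function names are assumptions based only on the lines shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the de-obfuscated edpa_ext0 lines shown on this page,
# with the body of the DETECTION_REQUEST dump shortened to a few fields.
SAMPLE_LOG = r"""
09/03/2014 18:26:54 | 2120 | FINEST | CoreServices.MessageLogger | MESSAGETYPE_DETECTION_REQUEST {90C4C6F0-7CA5-44AA-8DF0-95E240F3BE0C} 09/03/2014 12:56:54 [
Request Id #1767
Request Type : Data In Motion Request
Dim Event Type : HTTP(S)
]
09/03/2014 18:26:54 | 2120 | FINE | UI.UIProxy | Received a Detection Request message (req#1767).
09/03/2014 18:26:54 | 2120 | FINER | UI.UIProxy | Request message for user:<domain\username>
09/03/2014 18:26:54 | 2120 | FINE | UI.UIProxy | Request type: DIM_EVENT_HTTP
09/03/2014 18:26:54 | 2120 | FINER | UI.UIProxy | Added a detection request to the current transaction.
09/03/2014 18:26:54 | 2120 | FINE | UI.UIProxy | Scan message dropped.
09/03/2014 18:26:54 | 4116 | WARNING | GlobalDataIdentifierMatcher | Condition [-501] will not be evaluated because Identifier [[Identifier:51, Breadth:101]] could not be found
""".strip()

# Assumed record layout: "date time | thread | level | component | message"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \| (?P<thread>\d+) \| "
    r"(?P<level>[A-Z]+) \| (?P<component>[\w.]+) \| (?P<message>.*)$"
)
# The warning text as it appears on this page
MISSING_ID_RE = re.compile(
    r"Condition \[(?P<condition>-?\d+)\] will not be evaluated because "
    r"Identifier \[\[Identifier:(?P<identifier>\d+), Breadth:(?P<breadth>\d+)\]\] could not be found"
)


@dataclass
class LogRecord:
    timestamp: str
    thread: int
    level: str
    component: str
    message: str
    continuation: List[str] = field(default_factory=list)  # multi-line body, e.g. "[ ... ]"


def parse_log(text: str) -> List[LogRecord]:
    """Parse de-obfuscated agent log text. A line without a leading timestamp
    is a continuation of the previous record (the request dump between [ and ])."""
    records: List[LogRecord] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(LogRecord(m["ts"], int(m["thread"]), m["level"],
                                     m["component"], m["message"]))
        elif records:
            records[-1].continuation.append(line)
    return records


def find_missing_identifiers(records: List[LogRecord]) -> List[Tuple[int, int, int]]:
    """(condition, identifier, breadth) for each identifier the agent could not
    resolve; duplicates collapsed, first-seen order kept."""
    found: List[Tuple[int, int, int]] = []
    for rec in records:
        if rec.level != "WARNING" or rec.component != "GlobalDataIdentifierMatcher":
            continue
        m = MISSING_ID_RE.search(rec.message)
        if m:
            key = (int(m["condition"]), int(m["identifier"]), int(m["breadth"]))
            if key not in found:
                found.append(key)
    return found


def count_messages(records: List[LogRecord], component: str, needle: str) -> int:
    return sum(1 for r in records if r.component == component and needle in r.message)


def triage(text: str) -> Dict[str, object]:
    """Summarise an edpa_ext0 excerpt: requests received, scans dropped, missing identifiers."""
    records = parse_log(text)
    missing = find_missing_identifiers(records)
    summary: Dict[str, object] = {
        "requests_received": count_messages(records, "UI.UIProxy", "Received a Detection Request"),
        "dropped_scans": count_messages(records, "UI.UIProxy", "Scan message dropped"),
        "missing_identifiers": missing,
    }
    if missing:
        summary["verdict"] = "policy references data identifier(s) the agent cannot resolve: " + ", ".join(
            f"id {i} breadth {b} (condition {c})" for c, i, b in missing)
    elif summary["dropped_scans"]:
        summary["verdict"] = "scans dropped without an identifier warning; inspect other WARNING records"
    else:
        summary["verdict"] = "no dropped scans or missing identifiers in this excerpt"
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the output of logdump.exe (for example by reading c:\edpaclean.txt into triage) to get a one-screen answer to "were requests received, were they dropped, and which identifier is the policy missing" instead of scrolling a FINEST-level log; the request dump stays attached to its FINEST record so the per-request fields are still available if you need them.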