
Best practice for IDM

Created: 02 May 2013 | 2 comments

Say I have a share with a bunch of files of varying size and type. I simply want to monitor those files; whether they're copied to a USB key, added as an attachment etc.

I can create an IDM index of that folder and then set up a policy that simply detects if someone does something with the files in the index.

Is there any best practice around this, because presumably as soon as I apply this policy any file that a user copies or opens has to be uploaded and compared to the index?

Comments

tim.kerns


I have always avoided targeting directories of files when creating IDMs because it's very rare to have enough of those files structured to a point where an IDM would make sense. I always recommend trying to find some commonalities between the files; for example, find a directory with a certain amount of M&A documents but ONLY M&A. Combining different types of documents would only decrease your accuracy score.

Also, you may come across a spreadsheet that contains images and multiple sheets and/or password protection/archived which your IDM would then convert over to an exact match IDM, which would mean that you can only generate incidents on an exact match. This also takes place if a file type exists in the directory that Symantec cannot detect. If the file type cannot be determined by DLP, then it just looks for the binary makeup of the file types.

My recommendation would be to comb through the directory and make sure that you can find common file types with no encryption or archival and avoid unrecognizable file types like ISOs and JPEGs.

yang_zhang

And another consideration is: do not index Excel and PowerPoint files. That means, exclude the Excel and PPT files from the source file folder of your index.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
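The two comments above suggest combing through the share before indexing it. The following is an added example, not code from either commenter or from Symantec, that sketches such a pre-index triage pass. The exclusion rules are assumptions drawn from the advice in this thread, and the sample file names and contents are constructed.

```python
import tempfile
from pathlib import Path

# Triage rules are assumptions drawn from the advice in the comments above.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file
ARCHIVE_MAGIC = {b"\x1f\x8b": "gzip", b"7z\xbc\xaf\x27\x1c": "7z"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}            # legitimately ZIP-based
SHEETS_SLIDES = {".xls", ".xlsx", ".ppt", ".pptx"}
SKIP_EXT = {".iso", ".jpg", ".jpeg"}

def classify(path):
    """Return (verdict, reason) for one candidate file."""
    ext = Path(path).suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(8)
    if ext in SKIP_EXT or head.startswith(b"\xff\xd8\xff"):
        return "exclude", "image or disk image"
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return "exclude", name + " archive"
    if head.startswith(b"PK\x03\x04") and ext not in OOXML_EXT:
        return "exclude", "zip archive"
    # A password-encrypted OOXML file is an OLE2 container, not a ZIP.
    if ext in OOXML_EXT and head.startswith(OLE_MAGIC):
        return "exclude", "encrypted Office file"
    if ext in SHEETS_SLIDES:
        return "exclude", "spreadsheet or presentation"
    return "index", ext or "no extension"

def audit(root):
    """Map each file under root (relative path) to its (verdict, reason)."""
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

if __name__ == "__main__":
    # Constructed sample share: names and contents are made up.
    samples = {"deal_memo.docx": b"PK\x03\x04", "locked.docx": OLE_MAGIC,
               "bundle.zip": b"PK\x03\x04", "model.xlsx": b"PK\x03\x04",
               "scan.jpg": b"\xff\xd8\xff\xe0", "notes.txt": b"term sheet"}
    with tempfile.TemporaryDirectory() as share:
        for name, data in samples.items():
            Path(share, name).write_bytes(data)
        results = audit(share)
    for name, (verdict, reason) in sorted(results.items()):
        print(f"{verdict:8} {name:16} {reason}")
```

Files marked `index` can then be copied to a dedicated source folder for the IDM profile, and the remaining extensions show at a glance whether the set is a single document type or a mix.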