Video Screencast Help

Can we monitor DLP IDM and EDM by DLP Endpoint

Created: 07 Sep 2012 | 4 comments
Manish vats's picture


I am using Symantec DLP 11.1, I made some IDM and EDM policy and want to monitor by DLP endpoint agent but not able to generate incedents.

I know, in DLP 11.6 we can monitor IDM and EDM by the DLP Endpoint. But can we do the same in DLP 11.1

Comments 4 CommentsJump to latest comment

yang_zhang's picture

The IDM and EDM policy can work on DLP endpoint agent. But, there are some limitations.

For example, you create a IDM policy, and, the end user copy a IDM violated doc to the USB disk, the DLP agent cannot block such action. But, there will be an incident generated on DLP enforce. The admin can audit this kind of incident.

This function is OK on DLP 11.1. Could you double check your endpoint incident?

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
ShawnM's picture


yang_zhang is correct. It does function, but there are restrictions to it. The main thing is that you need to configure the functionality to happen. My understanding is we can leverage the IDM/EDM only if there is whats called a Two-Tier policy.**(See correction below) This would involve putting 2 rules in a policy:

  1. Look for copy to USB
  • AND
  1. Compare data to IDM/EDM

Because we will hit the first (USB Copy rule), we will then send the data back to analyze against rule 2. This will result in successfully generating an incident.

To my understanding, we don't yet fully support an explicit IDM/EDM rule by itself in a policy on the endpoint.**(See correction below) The other option is to look into using the VML option. VML is supported on the endpoint, and in some cases can provide just as good a coverage depending on how well the data sets are that are provided to the engine to analyze.


I apologize as my above comment wasn't 100% accurate. We do support single tiered IDM/EDM, as yang_zhang had illustrated. I should clarify, that my suggestion would be for the sake of scalability and network bandwidth, you might want to consider the Two-Tier detection method instead. With many types of data needing to be compared to IDM/EDM rules, there is more data which will need to be sent back to the detection server.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.

kishorilal1986's picture

EDM and IDM can work whwn endpoints are connected to endpoint server but if they are not connected or offline, they will work on DCM.

kishorilal1986's picture

yes u can do it but only when endpoint agent is connected to endpoint server. In off the corporate network it will just check for DCM.