
Easy Answer Probably

Created: 25 Jan 2013 • Updated: 25 Jan 2013 | 6 comments

What is the best way to allow emails that are marked as false positives to be sent to the intended recipient?

Thanks!

Comments

pete_4u2002:

Can you explain the use case for a false positive of an email?

enebdu:

Thanks Pete,

We are protecting against PCI and PII. If the blocked message does not fall into either of those categories, it is marked as false positive. With how vital it is to ensure that sensitive info is secure we are not adding any exceptions for them based on body content, attachments or sender. We want to have as much control as we possibly can.

Make sense?

Mark N:

Are you using SMTP Prevent to do this? If so, have you considered using a "Modify SMTP Message" response rule to trigger a downstream quarantine?

A false positive email can be released from the downstream device's quarantine.

yang_zhang:

You can integrate DLP with Symantec Message Gateway (SMG) to implement an email workflow.

SMG can forward the email to DLP for detection; after DLP has determined whether the email is confidential, it will 'tell' SMG to hold the email for the admin's review.

DLP Enthusiast:

I think we may also do this by applying an Exception to the existing policy. The exception should be a "Match Regular Expression" rule; paste the contents of the email (if text) into it and then test it.

Jsneed:

enebdu,

We create temporary exceptions and let the e-mails through. If we find that we are having a decent number of the same type of e-mail we will craft a more permanent exception. We also have a list of special codes that our service desk has that someone can put in their e-mail to let it through. These are only used in "emergencies" and each of these incidents is thoroughly investigated.
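The replies above describe two complementary ways of letting a false positive reach its recipient: tagging the message with a "Modify SMTP Message"-style response so a downstream device quarantines it and an admin can release it (Mark N), and policy exceptions, either a permanent regex exception (DLP Enthusiast) or one-time service-desk release codes that are audited (Jsneed). The following is an added example that models that whole workflow in Python; it is not Symantec DLP or SMG code. The PCI/PII detectors, the `X-Example-DLP-Quarantine` header name, the `DLP-RELEASE-xxxxxxxx` code format and the sample messages are all assumptions constructed for illustration.

```python
"""Toy model of the email DLP false-positive workflow from this thread (added example).

Assumptions (hypothetical, not product behaviour):
- Policy detects PCI (Luhn-valid 13-16 digit numbers) and PII (US SSN pattern).
- Exceptions: per-policy regex exceptions, plus one-time release codes that are
  consumed on first use and written to an audit list for investigation.
- Instead of blocking, a "Modify SMTP Message"-style response adds the header
  X-Example-DLP-Quarantine; a downstream MTA hook routes on it, and an admin
  release strips it so the mail is delivered.
"""
import email
import re
from email import policy
from email.message import EmailMessage

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")              # US SSN shape
RELEASE_CODE_RE = re.compile(r"\bDLP-RELEASE-([A-Z0-9]{8})\b")  # hypothetical code format
QUARANTINE_HEADER = "X-Example-DLP-Quarantine"             # hypothetical header name


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut down card-number false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect(body: str) -> list[str]:
    """Return the policies the body matches, e.g. ["PCI", "PII"]."""
    hits = []
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(body)):
        hits.append("PCI")
    if SSN_RE.search(body):
        hits.append("PII")
    return hits


class ReleaseCodes:
    """One-time emergency codes held by the service desk; every attempt is audited."""

    def __init__(self, codes):
        self._unused = set(codes)
        self.audit = []  # (outcome, code, sender) tuples for later investigation

    def try_consume(self, body: str, sender: str):
        m = RELEASE_CODE_RE.search(body)
        if not m:
            return None
        code = m.group(1)
        if code not in self._unused:          # reused or unknown code: refuse and record it
            self.audit.append(("rejected", code, sender))
            return None
        self._unused.discard(code)            # single use only
        self.audit.append(("used", code, sender))
        return code


def make_mail(sender: str, subject: str, body: str) -> bytes:
    """Build a constructed sample message as raw bytes."""
    m = EmailMessage(policy=policy.default)
    m["From"] = sender
    m["To"] = "finance@example.com"
    m["Subject"] = subject
    m.set_content(body)
    return m.as_bytes()


def evaluate(raw: bytes, codes: ReleaseCodes, regex_exceptions=()) -> EmailMessage:
    """DLP stage: deliver clean mail, honour exceptions, otherwise tag for quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    del msg[QUARANTINE_HEADER]  # never trust a copy of the tag supplied by the sender
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hits = detect(body)
    if not hits:
        return msg
    sender = str(msg["From"])
    if any(re.search(p, body) for p in regex_exceptions):
        return msg  # permanent exception for a known-benign pattern
    if codes.try_consume(body, sender):
        return msg  # emergency release; the use is now in codes.audit
    msg[QUARANTINE_HEADER] = ",".join(hits)  # tag instead of block
    return msg


def downstream_route(msg: EmailMessage) -> str:
    """Downstream MTA hook: only mail that passed through DLP should reach it."""
    return "quarantine" if msg[QUARANTINE_HEADER] else "deliver"


def admin_release(msg: EmailMessage) -> EmailMessage:
    """Admin judged the incident a false positive: drop the tag so it is delivered."""
    del msg[QUARANTINE_HEADER]
    return msg
```

Because the downstream device routes purely on the tag, it must accept mail only from the DLP path; otherwise a sender who bypasses DLP trivially skips quarantine. The one-time codes are deliberately consumed on first use and every attempt, successful or not, lands in the audit list, which is what makes the "emergency" path investigable rather than a standing bypass.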