Data Loss Prevention

  • 1.  Endpoint Incident Incorrectly highlighting Stain data

    Posted Aug 31, 2015 01:35 PM

    We have a client that is running 12.5.2 with Endpoints deployed. When the Endpoint generates an incident using a Data Identifier with a Randomized SSN medium breadth policy, it's incorrectly highlighting what is being triggered for the incident. The result is that the text that is provided within the endpoint incident report is not being displayed correctly. Is there a way to increase the text proximity that is sent with the stain data for incident reports? So instead of just sending the row associated, could you send 2-3 rows instead?

     

    Thanks,

    Skyler



  • 2.  RE: Endpoint Incident Incorrectly highlighting Stain data

    Posted Sep 04, 2015 03:19 PM

    Hi relyksb - I've not had a chance to test this, but I feel that if you go under the Endpoint Server - Server Settings, we might want to increase the values below and test if it works out:

    IncidentDetection.MaxContentLength
    IncidentDetection.MinNormalizedSize

     



  • 3.  RE: Endpoint Incident Incorrectly highlighting Stain data

    Posted Sep 04, 2015 05:14 PM

    I just tried changing those values and there was no change. I recycled the server and the agent also.

     

     



  • 4.  RE: Endpoint Incident Incorrectly highlighting Stain data

    Posted Feb 18, 2016 03:56 AM

    Hi,

    We are very interested to know if you resolved this issue with Symantec support, because we have the exact same issue on Endpoint incidents.

    The detection and occurrences are fine and real, but the yellow highlighting in the console view is totally wrong and highlights random parts...

    Sometimes it's even weirder, because at the beginning of the incident the highlights are correct and then gradually go wrong.

    > This is really bad and risky for first-level assessment, who will potentially classify these incidents as false positives.

     

    For more detail:

    • This behavior is totally random, and we have correctly highlighted incidents for the same policy
    • It's more frequent on multiple incidents, when the same file violated several policies
    • We are on version 12.5.2 for Agents/Servers

    Did you resolve this?

    Thank you in advance.