Data Loss Prevention

Situation: the laptop is protected by Symantec DLP, has agent, and goes to tje trip outside the intranet.
Question:

Can the user copy confidential data via USB flash drive, for example?

As I can see this kind if activity can be monitored but not prevented.

The agent monitors/protects while the laptop is disconnected from the network.  If an incident is detected it will protect and store the incident locally on the laptop until the laptop (or agent) connects back to the endpoint server at which time an incident will be created. 

Thank you
Could you enlighten me on the following. If the agent does protect the laptop - does that mean that all necessary data for 'confidential rules break' analysis stored locally on the laptop?
I thought (told by some experts) that database (Oracle) stores not only incidents and evidence, but also all the data needed to perform check if the confidential policied were violated (vocabularies, etc).

I'll try to answer you from what I think you are trying to ask.  If you are asking if Oracle is the only place where incidents are stored.  Answer No.  Each detection server including the client the agent is on has an agent store, or an incident store.  If there is ever a disconnect between any detection server or the enforce server and the oracle db, then incidents are stored on that server until the connection is available. 

With the endpoint agent, you specify a default size of the store to be a % of the client disk space, default is 5%.  Does that help?

This was the very clear and strict answer. Thank you, UpNorth

... and sure - this is solution :)