Data Loss Prevention

  • 1.  IDM Policy with endpoint SMTP block

    Posted Apr 26, 2012 07:50 AM

    Hi,

     

    I use DLP Endpoint prevent module ver 11.1.1.

    I created an IDM Policy for two specific documents, and in the response rule I tried to add the rule Endpoint Block, but I got this error message:

    "Marked EDM, IDM, and/or DGM rules will not trigger Endpoint Prevent: Block and Endpoint Prevent: Notify response rules. For the policy to exhibit correct behavior, you may either modify the marked detection rule(s) or the marked response rule(s)."

    So my questions are:

    1. Why can't I use the endpoint block response rule with an IDM policy?

    2. What does marked detection or marked response rule mean?

    My requirement is to block mails when the IDM policy is violated.

    Can you help?

     



  • 2.  RE: IDM Policy with endpoint SMTP block

    Posted Apr 26, 2012 02:25 PM

    If you want to block mails based on IDM, you'll need to use a Network Prevent for Email server. I don't think EDM and IDM rules are supported on Endpoint servers.



  • 3.  RE: IDM Policy with endpoint SMTP block

    Posted Apr 26, 2012 05:40 PM

    Xlloyd is correct...you will be unable to invoke a block response on the Endpoint with an IDM or EDM rule.  The reason behind this is that all index-based detection happens back on the Endpoint Server, not at the Endpoint itself.  So since that's an asynchronous transaction, there's no support for being able to block. 

    However, with a properly configured policy, you can DETECT against an EDM/IDM on the Endpoint.  What you need to do is set up a compound rule.  For instance, if your EDM is looking for customer SSN and last name, you can set up a policy that goes to the Endpoint where you have the compound rules like this:

    (1) pattern matches SSN (using the data identifier) - AND

    (2) match Last Name and SSN from your EDM profile.

    What happens in this case is that the first rule triggers an SSN match, and the Endpoint will ship the message content back to the Endpoint server for further inspection.

    Note of caution...you could end up shipping a lot of data across your network from Endpoints to Endpoint servers doing this, so you need to first understand what the impact is going to be.  You'd start to do this by deploying just the DI rule and getting a gauge on how many incidents would trigger the deeper inspection. However, even doing this, you still can't block at the endpoint against the index-based rule.

    ~Keith
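
An added illustration, not part of the thread and not Symantec's implementation: a conceptual Python model of the two-tier flow described in the post above, where a cheap pattern rule on the endpoint decides what is shipped to the server for the indexed lookup. It counts how much traffic the pattern rule alone would escalate, which is the figure to gauge before deploying the compound rule. All function names, the regex standing in for the SSN data identifier, and the sample rows and messages are constructed assumptions.

```python
import hashlib
import re

# Tier 1 (endpoint): cheap pattern check, a stand-in for the SSN data identifier.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def _key(last_name, ssn):
    # The index holds hashes of normalised (last name, SSN) rows, not plaintext.
    digits = re.sub(r"\D", "", ssn)
    return hashlib.sha256(f"{last_name.strip().lower()}|{digits}".encode()).hexdigest()

def build_index(rows):
    return {_key(name, ssn) for name, ssn in rows}

def endpoint_prefilter(text):
    """SSN-shaped strings in the text; an empty list means nothing is shipped."""
    return SSN_RE.findall(text)

def server_match(text, ssns, index):
    """Tier 2 (server): is any word + SSN pair in the message an indexed row?"""
    words = set(re.findall(r"[A-Za-z']+", text))
    return any(_key(w, s) in index for s in ssns for w in words)

def triage(messages, index):
    """Count messages escalated by tier 1 and confirmed by tier 2."""
    stats = {"total": len(messages), "shipped": 0, "bytes_shipped": 0, "confirmed": 0}
    for text in messages:
        ssns = endpoint_prefilter(text)
        if not ssns:
            continue  # stays on the endpoint, no network cost
        stats["shipped"] += 1
        stats["bytes_shipped"] += len(text.encode())
        if server_match(text, ssns, index):
            stats["confirmed"] += 1  # detected after the fact, so no block is possible
    return stats

# Constructed sample data (not real customer records).
INDEX = build_index([("Okafor", "078-05-1120"), ("Lindqvist", "219-09-9999")])
MESSAGES = [
    "Lunch at noon?",
    "Customer Okafor, SSN 078-05-1120, called about billing.",
    "Test record: SSN 123-45-6789 for nobody in particular.",
    "Lindqvist renewal is due, no identifiers attached.",
]

if __name__ == "__main__":
    print(triage(MESSAGES, INDEX))
```
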



  • 4.  RE: IDM Policy with endpoint SMTP block

    Posted Apr 27, 2012 04:12 AM

    Assuming I go for Network prevent with an IDM Policy, can the mails be blocked if the end point is off the network?



  • 5.  RE: IDM Policy with endpoint SMTP block

    Posted Apr 28, 2012 02:51 AM

    Assuming I go for Network prevent with an IDM Policy, can the mails be blocked if the end point is off the network?

     



  • 6.  RE: IDM Policy with endpoint SMTP block

    Posted Apr 30, 2012 12:33 PM

    Sure thing, as long as the mail will hit the MTA before going out you will be fine. Unless you have a different MTA/mail server for web access, I can't think of a case that the mail wouldn't hit the particular MTA before going out.



  • 7.  RE: IDM Policy with endpoint SMTP block

    Posted May 02, 2012 08:57 AM

    Thanks Xlloyd. Since I am using Brightmail, it should work alright for me. You can mark this as a solution.



  • 8.  RE: IDM Policy with endpoint SMTP block
    Best Answer

    Posted May 02, 2012 09:11 AM

    As the owner of the thread, only you can mark it as a solution ;)



  • 9.  RE: IDM Policy with endpoint SMTP block

    Posted May 02, 2012 09:14 AM

    Done Sire