Data Loss Prevention

  • 1.  IDM process DLP 14

    Posted Jul 26, 2016 08:56 AM

    I followed the steps as written in the administration guide - index generated and allocated to a policy. BUT probably I am missing something, because the documents are not generating any incidents. Response rule block.

    Most of tests completed are with docx and xlsx files.

    As reference also read: https://www.symantec.com/connect/videos/data-loss-prevention-14-lesson-8-demo-creating-idm-index

     

    Anyone using IDM policies out there? Thanks for your assistance.

     



  • 2.  RE: IDM process DLP 14

    Posted Jul 27, 2016 08:42 AM

    Hello,

    Have you looked into the incident snapshots and confirmed that the policy isn't actually recording the IDM incidents? I was running into this after I allocated the IDM to a pre-existing policy. After testing it in my lab environment and checking the incident snapshots, I could see the events registered with not only the pre-existing information but also the IDM information. I would check there first.



  • 3.  RE: IDM process DLP 14
    Best Answer

    Posted Jul 29, 2016 06:29 AM

    Hi,

     

    What's the DLP 14 version? 14.0.2? Endpoint environment?

    Assuming that the Index was well generated, I would suggest the following:

    • Change the document exposure when assigning the IDM Profile to a detection (sometimes, even if an incident is provoked with the same file indexed, the match might not be 100% / exact match)
    • Confirm that the Index was deployed successfully in your Endpoint/Network server
    • Confirm that you do not have Endpoint response rules linked to Network channel
    • Turn OFF the metadata detection in the Agent Advanced Settings
    • Turn OFF the metadata detection in the Server Settings


  • 4.  RE: IDM process DLP 14

    Posted Aug 04, 2016 05:38 AM
    Thanks, Morgado, for the complete reply. I deactivated the metadata and now it works. But how is this possible? Can you explain it?