Data Loss Prevention

  • 1.  Incidents are getting generated twice for Endpoint DLP

    Posted Mar 06, 2015 08:00 AM

    Hello,

    I have an Endpoint DLP environment in which I have 2 endpoint servers and a few agents reporting to them. I have created a few policies and deployed them to the agents. Now the Endpoint agent is generating 2 incidents for every violation. Initially I thought there was some problem with the policy and configuration, but I feel everything is properly in place. I have analyzed the incidents and I feel that, other than the incident ID, every single field is the same in both incidents: same policy, same matches, same timing, etc. Everything looks the same. Is there any setting which has to be configured to overcome this behaviour? Has anyone faced a similar issue?

    Note: the problem is only with HTTP and Print incidents. HTTPS and removable storage incidents work fine.



  • 2.  RE: Incidents are getting generated twice for Endpoint DLP

    Trusted Advisor
    Posted Mar 10, 2015 04:31 AM

    Hello,

    Did you try using Wireshark at the same time on the workstation to see whether there are not really two requests being sent by the workstation? For example, for HTTP, it could be due to an authentication request to your company proxy (the first one will receive a request for authentication (login/password, NTLM or any other), and then the next one will really request the internet web server).

    Regards



  • 3.  RE: Incidents are getting generated twice for Endpoint DLP

    Posted Mar 10, 2015 05:00 AM

    Hi Stephane,

    Thanks for the response. I will check the HTTP incidents, but I am facing the same for print incidents also.



  • 4.  RE: Incidents are getting generated twice for Endpoint DLP
    Best Answer

    Posted May 19, 2015 04:48 AM

    Checked with Symantec Support and came to know that it is a product bug and will be rectified in future versions.



  • 5.  RE: Incidents are getting generated twice for Endpoint DLP

    Posted May 19, 2015 05:11 AM

    Symantec has a few bugs related to incident duplication. The last one I saw was an active EDM detection policy generating duplicate incidents in all other policies using Active Directory User Groups. Big mess..



  • 6.  RE: Incidents are getting generated twice for Endpoint DLP

    Posted May 20, 2015 09:43 AM

    @Sym_DLP, what version of DLP are you using?



  • 7.  RE: Incidents are getting generated twice for Endpoint DLP

    Posted May 21, 2015 12:13 AM

    12.5.1