
Random incidents not showing up in Enforce web interface

Created: 05 Feb 2013 | 5 comments

A DLP SMTP Prevent policy captures an "X" violation, creates an email header and forwards to the mail gateway. Once there, the mail gateway policy looks for header "X" and, if found, quarantines. All this works and has been in place for a few days. Also, all rights are correct to view all incidents.

The issue is that we are seeing a few emails in the mail gateway but not in DLP.

The random missing incidents that are on the mail gateway server show that the headers have been created, so it does show that DLP found it and tagged it. But that email isn't shown in DLP.

The incidents are not being deleted or moved.

I restarted all the Enforce services --> didn't work.

Looked in the SmtpPrevent_operational.log and found the email; it showed "disposition=MODIFY", so I know Prevent did its part.

Also, the DLP system isn't showing any errors/alerts and the DB is fine.

FYI this is random and has happened about a handful of times.

Anyone have any ideas where to look, because the GRC department won't let this go as a random issue?


kishorilal1986:

Hi Fle,

The incident is generated based on the policy and its violation, so even though some mails are showing at the mail gateway, not all of them may be violating the policy. This may be the possibility behind what you are facing.

stephane.fichet:

Hi fletch,

First check that you don't have any filter in the report you use to see DLP incidents, and that your role allows you to view all incidents, as there can be a filter in the "Incident access" tab of the role definition.

If you don't have any other detection capabilities than Prevent, you can also check the "incident ID" values, as the ID is incremented in steps of 1. This can help you be sure whether you are missing some incidents or just don't have access to them.

This never happened to us, so unfortunately I can't give you any other clue as to why some incidents would not be stored in your DB.

kishorilal1986:

Hi fletch,

You will not get all such facilities, as every application has some limited features. I hope my above reply has answered you.

Jsneed:

Check for .bad incidents on the Enforce server. These are found on my server at: E:\apps\Vontu\Protect\incidents

Normal incidents will have a .idc extension. If you have .bad incidents in there, they haven't made it to the database for some reason. The most common reason I have found is that the response rule is really long and the incident persister cannot properly insert it into the database.
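The two checks suggested in this thread, stephane.fichet's gap check on the incident ID sequence and Jsneed's look for .bad files in the incidents folder, as one small triage script. This is an added example, not Symantec code or anything posted by the thread's participants; the incident IDs and the file names used in the demo are constructed, and the real files in the incidents folder will not be named like this.

```python
"""Added triage helpers: find gaps in the Enforce incident ID sequence and list
.bad incident files that the incident persister refused to load."""
import os
import tempfile
from typing import Iterable, List, Tuple


def incident_id_gaps(ids: Iterable[int]) -> List[Tuple[int, int]]:
    """Return (first_missing, last_missing) ranges in a step-of-1 ID sequence.

    Feed it the incident IDs from an unfiltered Enforce report. A gap means an
    ID was allocated but is not visible: either a role filter hides the
    incident or it never reached the database.
    """
    ordered = sorted(set(ids))
    gaps: List[Tuple[int, int]] = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def find_stuck_incidents(incidents_dir: str) -> List[str]:
    """List .bad files in the incidents folder.

    Queued incidents normally carry the .idc extension; a .bad file is one the
    persister could not insert into the database.
    """
    return sorted(
        name for name in os.listdir(incidents_dir)
        if name.lower().endswith(".bad")
    )


def demo() -> Tuple[List[Tuple[int, int]], List[str]]:
    # Constructed sample data (hypothetical): IDs 1004 and 1007-1008 are absent
    # from the report, and one .bad file sits beside two .idc files.
    sample_ids = [1001, 1002, 1003, 1005, 1006, 1009]
    with tempfile.TemporaryDirectory() as d:
        for name in ("1001.idc", "1002.idc", "1004.bad"):
            open(os.path.join(d, name), "w").close()
        return incident_id_gaps(sample_ids), find_stuck_incidents(d)


if __name__ == "__main__":
    gaps, bad = demo()
    print("ID gaps:", gaps)          # [(1004, 1004), (1007, 1008)]
    print(".bad files:", bad)        # ['1004.bad']
```

On a real Enforce server, point find_stuck_incidents at the incidents folder (the path Jsneed gives above on his server) and feed incident_id_gaps the ID column exported from a report with no filters applied.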