Data Loss Prevention

  • 1.  Random incidents not showing up in Enforce web interface

    Posted Feb 05, 2013 12:11 PM

    DLP SMTP Prevent policy captures "X" violation, creates an email header and forwards to the mail gateway. Once there, the mail gateway policy looks for header "X"; if found, then quarantine. All this works and has been in place for a few days. Also, all rights are correct to view all incidents.

    The issue is we are seeing a few emails in the mail gateway but not in DLP.

    The random missing incidents that are in the mail gateway server show that the headers have been created, so it shows that DLP found them and tagged them. But those emails aren't shown in DLP.

    The incidents are not being deleted or moved.

    I restarted all the Enforce services --> didn't work.

    Looked in the SmtpPrevent_operational.log and found the email, and it showed "disposition=MODIFY", so I know Prevent did its part.

    Also, the DLP system isn't showing any errors/alerts and the DB is fine.

    FYI, this is random and has happened about a handful of times.

    Anyone have any ideas where to look because the GRC department won't let this go as a random issue? 



  • 2.  RE: Random incidents not showing up in Enforce web interface

    Posted Feb 06, 2013 03:55 AM

     

    Hi Fle,

    The incident is generated based on policy and its violation, so even though some are showing at the mail gateway, all mail might not be violating the policy. This may be a possibility for what you are facing above.



  • 3.  RE: Random incidents not showing up in Enforce web interface

    Trusted Advisor
    Posted Feb 08, 2013 07:20 AM

    hi fletch

     

     First, check that you don't have any filter in the report used to see DLP incidents, and whether your role allows you to view all incidents, as there can be some filter in the "Incident access" tab of the role definition.

    If you don't have any other detection capabilities than Prevent, you can also check "incident ID" values, as they are incremented in steps of 1. This can help you be sure whether you are missing some incidents or just don't have access to them.

     This never happened to us, so unfortunately I can't give you any other clue why some incidents would not be stored in your DB.

     

     Regards.



  • 4.  RE: Random incidents not showing up in Enforce web interface

    Posted Mar 10, 2013 01:16 PM

    Please check the policy config.



  • 5.  RE: Random incidents not showing up in Enforce web interface

    Posted Apr 06, 2013 03:16 PM

    Hi fletch,

    You will not get all such facilities, as every application has some limited features. I hope my above reply has answered you.



  • 6.  RE: Random incidents not showing up in Enforce web interface

    Posted Apr 08, 2013 12:40 PM

    Check for .bad incidents on the Enforce server.  These are found on my server at: E:\apps\Vontu\Protect\incidents

    Normal incidents will have a .idc extension.  If you have .bad incidents in there, they haven't made it to the database for some reason.  The most common reason I have found is that the response rule is really long and the incident persister cannot properly insert it into the database.
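
The two checks suggested in replies 3 and 6 (incident ID gaps, and .bad files in the incidents folder), as an added example that is not part of any post in this thread or of the product. Function names, the 10-minute matching window and the use of file modification time as the incident's write time are assumptions; the default path is the one quoted in reply 6.

```python
"""Added example: incident ID gap check and .bad file scan (hypothetical helpers)."""
import os
import sys
from datetime import datetime, timedelta


def missing_incident_ids(ids):
    """Return IDs absent from an exported incident list. Only meaningful when
    IDs step by 1 and Prevent is the sole detection source (caveat in reply 3)."""
    present = set(ids)
    if not present:
        return []
    return [i for i in range(min(present), max(present) + 1) if i not in present]


def scan_incident_dir(path):
    """Group files in the incidents folder into normal (.idc) and failed (.bad),
    each as (name, modification time) sorted oldest first."""
    found = {".idc": [], ".bad": []}
    for entry in os.scandir(path):
        ext = os.path.splitext(entry.name)[1].lower()
        if entry.is_file() and ext in found:
            mtime = datetime.fromtimestamp(entry.stat().st_mtime)
            found[ext].append((entry.name, mtime))
    for files in found.values():
        files.sort(key=lambda item: item[1])
    return found


def bad_files_near(bad_files, email_time, window_minutes=10):
    """Return .bad files modified within the window around the time a
    quarantined email was seen at the mail gateway. Assumes mtime is close to
    when the incident was written; the window is a tunable guess."""
    window = timedelta(minutes=window_minutes)
    return [name for name, mtime in bad_files if abs(mtime - email_time) <= window]


if __name__ == "__main__":
    # Default is the path quoted in reply 6; pass your own as the first argument.
    folder = sys.argv[1] if len(sys.argv) > 1 else r"E:\apps\Vontu\Protect\incidents"
    report = scan_incident_dir(folder)
    print(len(report[".idc"]), ".idc files,", len(report[".bad"]), ".bad files")
    for name, mtime in report[".bad"]:
        print(mtime.isoformat(timespec="seconds"), name)
```

Feed `bad_files_near` the gateway timestamp of each email that has the header but no incident; a match points at a persistence failure rather than a report filter or role restriction.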