Good afternoon,
I've had a Symantec DLP 12.0 Enforce server running in our EV 10.0.4 environment since October of last year. We had setup and tested a very basic Attorney-Client Priveledge policy shortly after and had success with running it in test mode.
Right now, the policy just says - if an email is sent to test@emaildomain.com (the real policy has a real, internal mailbox address specified) classify the email to be excluded from review.
When the policy is in test mode, and I send an email to the email address specified in the policy, I can check the Enforce server admin console and see the email I sent is flagged as an incident. If I take the policy out of test mode, send another email to the email address specified in the policy, the test email NEVER shows up as an incident in the Enforce server admin console.
After taking the policy out of test mode, I've gone through and verified all the settings again and saved the policy, but it just doesn't work unless it's in test mode. Putting it back in test mode will capture new emails sent to the email address in the policy as an "incident".
Has anyone seen this happen before?