Data Loss Prevention

  • 1.  Can we create rule based on negative result?

    Posted Jan 17, 2019 01:05 PM

    I looked through DLP docs and it seems the only rule/action we can create for a policy is if it detects a violation. Is there a way to trigger an action if a scan is negative?

    Requirement:

    I have a filesystem that I want to scan. If scan is negative for a file (i.e. no malicious content found), then I want to move the file to a staging directory for further processing.

    If, on the other hand, the scan is positive, leave the file where it is, and send email/open INC ticket etc.

    I think the second part is doable, but is the first part doable?



  • 2.  RE: Can we create rule based on negative result?

    Posted Feb 14, 2019 10:09 AM

    Hello,

    You could create 2 different policies.

    One for detection and sending a mail.

    Another with the same detection but all in exception. If there is an incident triggered, this means that there is no malicious file and you could ask to move the file.

    With regards



  • 3.  RE: Can we create rule based on negative result?

    Posted Feb 27, 2019 08:42 AM

    Sorry, saw this response just now. I am not too familiar with Symantec. Do you have some example configurations which will do this?



  • 4.  RE: Can we create rule based on negative result?

    Posted Feb 28, 2019 05:36 AM

    Hello Sanjay,

    Create a policy and on the Detection Tab, put the way you want to trigger a malicious file.

    On the Response tab, put a response rule with the mail you want.

    Also create another policy and put the same trigger for malicious file, but this time in Exception (also in the Detection tab).

    On the Response tab, put a response rule to copy the file where you want.

    Hope this helps.