Data Loss Prevention

  • 1.  DLP 12.5.1 can block IDM full match file but can not detect the partial match file and mail body or print

    Posted Feb 03, 2015 09:26 AM

    Hi All,

    I want to block IDM files, so I installed DLP 12.5.1.

    I really can block an IDM full match file, but cannot detect the partial match file, mail body, or print.

    Does somebody have the same issue?

    I installed the all-in-one DLP on Windows Server 2012 R2.

    Does DLP 12.5.1 not support Windows Server 2012 R2?

    Is there any solution for this issue?

     

    Thanks.



  • 2.  RE: DLP 12.5.1 can block IDM full match file but can not detect the partial match file and mail body or print

    Posted Feb 10, 2015 11:22 AM

    With Agent IDM detection the DLP Agent for Windows evaluates documents locally in real time for exact file and exact file contents matches. Agent IDM lets you use the block, notify, and user cancel response rules on the endpoint with IDM policies.

    Agent IDM does not support partial file contents matching. If you want to use partial file contents matching on the endpoint, you must use two-tier detection.


    If the server index is deployed to an Endpoint Server, the system uses two-tier detection to perform matching (assuming that two-tier detection is enabled). With two-tier IDM the DLP Agent sends the data to the Endpoint Server for matching against the server index. If two-tier detection is enabled for IDM, the server supports all forms of matching, including exact file, exact file contents, and partial file contents. If you use two-tier detection for IDM on the endpoint, make sure you understand the performance implications of two-tier detection.

    Detection.TWO_TIER_IDM_ENABLED.str can be located in the Advanced Agent Settings.



  • 3.  RE: DLP 12.5.1 can block IDM full match file but can not detect the partial match file and mail body or print

    Posted May 05, 2015 04:42 AM

    Hello,

    The problem is on the Endpoint server; the incidents can be caught by policies.

    However, we want to prevent that critical file during the sending or uploading process. The prevention notification could not appear.

    Did we forget something on the agent configuration side or in the response rule?

    Although the described keyword can be prevented, only the fingerprint of that file could not be prevented.

    Do you know any information about this issue?

    Thanks.



  • 4.  RE: DLP 12.5.1 can block IDM full match file but can not detect the partial match file and mail body or print

    Posted May 11, 2015 05:58 AM

     

    Hello,

    @ allenchung

    If the issue is just on detection, probably you have the two_tier_idm enabled setting turned off OR your computer is not connected to the network. As NDeen said, you need a connection to the endpoint server to partially match the documents, as it cannot be resolved on the agent itself.

    @ NDeen

    "Agent IDM lets you use the block, notify, and user cancel response rules on the endpoint with IDM"

    That's not completely true. The reality is that just a small percentage of documents (IDM indexed) can actually be blocked/user cancel'ed on agent.

    @ ipeque

    If I understand correctly, the response rules are not working for IDM detection method. That's because the agent needs to contact the endpoint server to identify if the document is violating any policy; meanwhile it can't block/notify the end-user "on the fly" (it needs time let's say..) so the DLP will create an incident after some time but won't block the action. There is a small percentage of documents which the agent itself has enough information to decide if the action should be allowed or not, and in that case you might have a block/user cancel immediately. Summarizing, even documents which match exactly or 100% are difficult to be blocked on endpoint.

     

    BR,