Data Loss Prevention

  • 1.  DLP Endpoint Agent policy exclusions for MS Access files

    Posted Sep 14, 2016 08:47 AM

    We are in testing with the DLP agent and one of the first things I noticed is that transferring an MDB/ACCDB file causes a huge delay. Really, that's no surprise because the agent is supposed to scan the contents of the file.

     

    What is surprising is that in my test policies I have an exclusion for MS Access database files over 100MB. Despite this exclusion, I am seeing a 1 min 45 sec delay (sitting at 0%) before even starting the file transfer. The file is ~845MB and it's an MDB, so this should match the exclusion.

     

    I even disabled *all* policies on the endpoint servers. No change. The only way I could get it to go away was by shutting down the agent.

     

    Does anyone have experience successfully excluding MS Access files?



  • 2.  RE: DLP Endpoint Agent policy exclusions for MS Access files
    Best Answer

    Trusted Advisor
    Posted Sep 14, 2016 09:19 AM

    Hello,

    You should try to exclude them using the agent configuration ("filter by file properties") instead of a DLP policy exclusion rule.

    Then you need to redeploy the agent configuration once you have performed this change, or update the agent configuration if you have created a new one.

     

     Regards



  • 3.  RE: DLP Endpoint Agent policy exclusions for MS Access files

    Posted Sep 14, 2016 09:28 AM

    Thank you. I didn't think about excluding it from that level, but it does make sense.

     

     



  • 4.  RE: DLP Endpoint Agent policy exclusions for MS Access files

    Posted Sep 14, 2016 09:43 AM

    Do you happen to know how to restart an agent after it was issued a "shutdown and do not restart" command?

    I can start it using admin cmd "net start edpa" which ends up starting the watchdog as well...



  • 5.  RE: DLP Endpoint Agent policy exclusions for MS Access files

    Trusted Advisor
    Posted Sep 14, 2016 09:50 AM

    When Enforce is no longer able to send commands to the agent (for any reason), you could:

    - Reboot the workstation. This should restart the DLP agent, as Windows services are (by default) in autostart mode.

    - Restart the Windows services on the workstation. Their usual names are WDP (for the watchdog service) and EDPA (for the agent service) if they were not changed when it was installed on the workstation (and usually I change the names because I don't like to leave any default configuration for security systems). This operation is not always possible/working, so you get back to proposal #1. This could be done through services.exe or the "sc" command line.