The Endpoint Prevent: Notify response rule action displays an on-screen notification to the endpoint user when the user attempts to copy or send a sensitive file. You can provide a reason for the notification as well as options for the endpoint user to give a justification for the action.
This response rule action is available for Endpoint Prevent.
Note: The notify action is not triggered for a copy of sensitive data to a local drive.
Select the variables that you want to include in the on-screen notification to the endpoint user.
You can select variables based on the following types:
Application
Content Name
Content Type
Device Type
Policy Names
Protocol
Allow user to choose explanation
Select this option to display up to four user justifications in the on-screen notification. When the notification appears on the endpoint computer, the user is required to choose one of the justifications. (If you select Allow user to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four default justifications, which you can modify or remove as needed.
Available Justifications:
Broken Business Process
False positive
Manager Approved
User Education
Custom (new justification)
Each justification entry consists of the following options:
Check box
This option indicates whether to include the associated justification in the notification. To remove a justification, clear the check box next to it. To include a justification, select the check box next to it.
Justification
The system label for the justification. This value appears in reports (for ordering and filtering purposes), but the user does not see it. You can select the desired option from the drop-down list.
Option Presented to End User
The justification text Symantec Data Loss Prevention displays in the notification. This value appears in reports with the justification label. You can modify the default text as desired.
To add a new justification, select New Justification from the appropriate drop-down list. In the Enter new justification text box that appears, type the justification name. When you save the rule, the system includes the new justification as an option (in alphabetical order) in all Justification drop-down lists.
Note: You should be selective in adding new justifications. Deleting new justifications is not currently supported.
A separate response rule action is available if you want to block the data movement directly instead of notifying the user.
The Endpoint Prevent: Block action:
The Endpoint Prevent: Block response rule action blocks the movement of confidential data on the endpoint computer and optionally displays an on-screen notification to the endpoint user.
This response rule action is specific to Endpoint Prevent incidents. This response rule is not applicable to two-tiered detection methods requiring a Data Profile.
If you combine multiple endpoint response rules in a single policy, make sure that you understand the order of precedence for such rules.
Note: The block action is not triggered for a copy of sensitive data to a local drive.