Data Loss Prevention

  • 1.  Endpoint Agent - Match On Question

    Posted Dec 21, 2016 10:33 AM

    Good Morning,

    I have endpoint agents installed with a configuration where Outlook is enabled. I have a policy that is doing a regular expression match for email addresses. I have the Match On selected for only Envelope; however, when the policy creates an incident it is showing that there are values in the body that are also matching, when the policy is not configured to look at that to do the match on. Is there something specific about the endpoint agent and its integration with Outlook in that, regardless of what you select to match on, for Outlook email messages being sent out it will always look at the body? Is there a way to exclude the body from being included in the match on automatically, regardless of what is set in the policy condition?


    Example: Email sent to someone@domain.com with subject of test and body of another@domain.org.

    The policy is sent only to the endpoint server, and the rules look for email using a regular expression condition to only match on Envelope, count all matching, and create an incident on at least 1 match.

    This creates an incident that indicates 2 matches, one of someone@domain.com from the header and one of another@domain.org from the body.

    My understanding is that the envelope is the header of emails, and with only Envelope checked for the match on, the body should not identify a match.

    I appreciate any and all help in understanding why this is occurring and if there is a way for it to match as desired.

    Joe Schmidt



  • 2.  RE: Endpoint Agent - Match On Question
    Best Answer

    Posted Dec 21, 2016 09:35 PM

    Hi Joe,

    Envelope refers to the entire email source message, which includes SMTP headers, subject and body, though the body will include all formatting code/XML/etc. to allow the email client to display it properly.

    If you're trying to just match on recipient domain, you're better off using the Sender/Recipient Pattern matching rules in the Groups tab of the Policy screen; it will also be more efficient than regular expressions.



  • 3.  RE: Endpoint Agent - Match On Question

    Trusted Advisor
    Posted Dec 22, 2016 10:30 AM

    Hello Joe,

    You are right for DIM: the envelope contains only SMTP headers (https://support.symantec.com/en_US/article.TECH218937.html), but for the endpoint the component is not used at all by the policy engine (https://support.symantec.com/en_US/article.TECH220938.html).

    So if your main policy is to detect email sent to some specific domain, you may use sender/recipient patterns or groups. As Dean wrote, it will be more efficient and use fewer resources on the endpoint.

    Regards



  • 4.  RE: Endpoint Agent - Match On Question

    Posted Dec 23, 2016 07:25 PM
    The envelope is used; it's just that the Match On checkboxes are ignored and it detects in all components. You could also include the To/CC/BCC fields in the regex pattern if the Sender/Recipients pattern doesn't help with your use case.
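    As an added illustration of the thread (this is example code, not Symantec DLP's engine or anything from the posters), the script below reproduces Joe's case on a constructed message: an envelope-only regex scope yields one hit, scanning all components the way the endpoint agent does yields two, and a recipient-pattern check on the address headers alone finds only the real recipient. The component split and the `recipient_domain_hits` helper are assumptions about how such a policy is evaluated, not the product's implementation.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample mirroring the question: sent to someone@domain.com,
# subject "test", body containing another@domain.org (no From header, to
# keep the count identical to the reported incident).
RAW_MESSAGE = """\
To: someone@domain.com
Subject: test
Content-Type: text/plain; charset="utf-8"

another@domain.org
"""

# Simple email-address regex of the kind used in the policy condition.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_components(raw):
    """Split a raw RFC 5322 message into the components a detection
    engine can scope a rule to: the header block and the body text."""
    msg = message_from_string(raw, policy=default)
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    body_text = msg.get_body(preferencelist=("plain",)).get_content()
    return {"envelope": header_text, "body": body_text}


def count_matches(raw, match_on=("envelope",)):
    """Run the regex only over the components named in match_on (the
    policy's Match On setting). Returns {component: [matches]}."""
    components = split_components(raw)
    return {name: EMAIL_RE.findall(components[name]) for name in match_on}


def endpoint_incident_count(raw):
    """Endpoint behaviour described in the thread: Match On is ignored and
    every component is scanned, so the incident totals hits across all."""
    hits = count_matches(raw, match_on=("envelope", "body"))
    return sum(len(found) for found in hits.values())


def recipient_domain_hits(raw, domains):
    """Recipient-pattern alternative (assumed behaviour): inspect only the
    To/Cc/Bcc address headers, never the body, for the given domains."""
    msg = message_from_string(raw, policy=default)
    hits = []
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                if addr.domain.lower() in domains:
                    hits.append(addr.addr_spec)
    return hits
```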