Do not create a policy that combines a server-side detection rule with an Endpoint Prevent response rule. For example, do not combine an EDM, IDM, or DGM rule with an Endpoint Block or Endpoint Notify response rule. If a server-side detection rule triggers an Endpoint Prevent response rule, Symantec Data Loss Prevention cannot execute the Endpoint Prevent response rule.
When creating an endpoint policy that includes a server-side detection rule, combine that detection rule with an agent-side detection rule in one compound rule. This practice helps Symantec Data Loss Prevention perform detection on the endpoint without sending the content to the Endpoint Server. Symantec Data Loss Prevention saves network bandwidth and improves performance by performing detection on the endpoint.
For example, you can couple an EDM detection rule with a Sender detection rule in one compound rule. In a compound rule, all conditions must be met before Symantec Data Loss Prevention registers a match: the content must satisfy the first condition AND every other condition. Conversely, if any one condition is not met, Symantec Data Loss Prevention determines there is no match without checking the remaining conditions. When you set up the compound rule in this way, the Symantec DLP Agent checks the input content against the agent-side rule first. If there is no match, Symantec Data Loss Prevention does not need to send the content to the Endpoint Server. However, if you create a compound rule that involves a DCM or an EDM policy, the content is still sent to the Endpoint Server.
Before you combine a server-side detection rule (for example, an EDM, IDM, or DGM rule) with an All: Limit Incident Data Retention response rule that retains original files for endpoint incidents, consider the bandwidth implications of retaining original files. When it sends content to an Endpoint Server for analysis, the Symantec DLP Agent sends either text data or binary data according to detection requirements. Whenever possible, Symantec DLP Agents send text to cut down on bandwidth use. By default, Symantec Data Loss Prevention discards original files for endpoint incidents. If a response rule retains original files for endpoint incidents, Symantec DLP Agents must send binary data to the Endpoint Server. In this case, make sure that your network can handle the increased traffic between Symantec DLP Agents and Endpoint Servers without degrading performance.
Combine agent-side detection rules (for example, DCM) with an Endpoint Prevent response rule in the same policy. Symantec Data Loss Prevention can execute an Endpoint Prevent response rule only when a Symantec DLP Agent detection rule triggers the response.
Incompatible detection rules and response rules:

Do not combine these server-based detection rules with these Endpoint Prevent response rules.

Server-based detection rules                  Endpoint Prevent response rules
Content Matches Exact Data (EDM)              Endpoint: Block
Content Matches Document Signature (IDM)      Endpoint: Notify
Sender/User Matches Directory (DGM)           Endpoint: User Cancel
Recipient Matches Directory (DGM)
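The following is an added example, not part of this documentation or of the Symantec product, that encodes the compatibility guidance above as a policy check. The dictionary layout for a policy, the rule family labels, and the response rule name for retaining original files are assumptions made for the example.

```python
"""Constructed lint for Symantec DLP endpoint policy compatibility.

The policy layout used here is an assumption for this example; it is not
Symantec's policy export format.
"""

# Detection rule families evaluated on the Endpoint Server (server-side).
SERVER_SIDE = {"EDM", "IDM", "DGM"}
# Detection rule families the Symantec DLP Agent evaluates locally (agent-side).
AGENT_SIDE = {"DCM", "Sender"}
# Endpoint Prevent response rules; only an agent-side match can trigger them.
ENDPOINT_PREVENT = {"Endpoint: Block", "Endpoint: Notify", "Endpoint: User Cancel"}
# Assumed label for a retention response rule that keeps original files.
RETAIN_ORIGINALS = "All: Limit Incident Data Retention (retain original files)"


def lint_policy(policy):
    """Return (severity, message) findings for one endpoint policy.

    policy = {"name": str,
              "rules": [{"name": str, "conditions": [family, ...]}, ...],
              "responses": [response_rule_name, ...]}
    Each rule is treated as a compound rule: all of its conditions must match.
    """
    findings = []
    responses = set(policy["responses"])
    prevent = responses & ENDPOINT_PREVENT
    for rule in policy["rules"]:
        server = [c for c in rule["conditions"] if c in SERVER_SIDE]
        agent = [c for c in rule["conditions"] if c in AGENT_SIDE]
        if not server:
            continue  # purely agent-side rule: compatible with Endpoint Prevent
        if prevent:
            # Server-side detection cannot execute an Endpoint Prevent response.
            findings.append(("ERROR", f"{rule['name']}: server-side {server} "
                             f"cannot trigger {sorted(prevent)}"))
        if not agent:
            # Without an agent-side condition, every item is sent to the server.
            findings.append(("WARN", f"{rule['name']}: add an agent-side "
                             "condition so the agent can reject non-matches locally"))
        if RETAIN_ORIGINALS in responses:
            # Retaining originals forces binary (not text) transfer to the server.
            findings.append(("WARN", f"{rule['name']}: retaining original files "
                             "forces binary data transfer for server-side detection"))
    return findings
```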