Data Loss Prevention

  • 1.  Endpoint Protect and Data Identifiers

    Posted Jun 30, 2017 10:26 AM

    DLP v14.6.0.3

    I'm experiencing issues with Data Identifiers (DIs) when it comes to Endpoint policy detection rules. Data Identifiers that work just fine in Email Prevent and Web Prevent do not work with Endpoint Prevent, so I'm forced to use multiple versions of DIs.

    I can understand this limitation when using DIs with many or complex validators, but I run into this limitation with a simple DI using a find keywords validator with 5 values and an exclude prefix using just one value. This results in a less than desirable endpoint DI because I cannot efficiently adjust for unwanted detections.

    I have 24 Endpoint policies in total, which I do not think is a lot. Some use DIs, others do not. No EDM usage. Windows 7 clients.

    Is this an issue others are experiencing?

    If so any suggestions on how to work around it or correct it?


    Happy Independence day to my fellow U.S. citizens



  • 2.  RE: Endpoint Protect and Data Identifiers

    Posted Jul 05, 2017 05:27 AM

    Hi,

    • Are the DLP agents the same version as the Endpoint and Enforce servers? If they're behind, even a minor version, they won't receive policy or configuration updates.
    • Do your policies that use data identifiers match on more than 100 instances of the data you're detecting? Agents have a default of 100 max DI matches, so if the policy is set to require more than this to generate an incident, you won't generate an incident.

    If none of these apply, pull the agent logs and look for the Data Identifiers being loaded when the agent connects back to the Endpoint Server and note any errors, then work with support or report back here.

    Agent and Detection Servers both use the same Data Identifier engine (unlike regex), so this shouldn't be a problem normally.

    Cheers,

    Dean



  • 3.  RE: Endpoint Protect and Data Identifiers

    Posted Jul 05, 2017 05:30 AM

    Endpoint does not like exclude prefix whereas the network detection servers (e-mail and net mon) do not mind it.

    I found a similar issue with version 14.5 previously.

    Try to remove the prefix and it will trigger. Not great, but you may have to modify your DI.

    Must have something to do with the way the data identifier detection engine on endpoint works.


    Happy 4th of July!




  • 4.  RE: Endpoint Protect and Data Identifiers

    Trusted Advisor
    Posted Jul 05, 2017 10:30 PM

    Post the Regex you are using in the Data Identifier.



  • 5.  RE: Endpoint Protect and Data Identifiers

    Posted Jul 06, 2017 08:50 AM

    Hi guys, thanks for the input. Servers/Agents are all on the same version. The problem appears to affect all endpoint DIs.

    For Web/Email Prevent I typically make a copy of a Symantec DI and then add/update validators with company-specific content like: exclude suffix, exclude prefix, and exclude exact match. Data normalizer is "do nothing" per Symantec.

    For endpoint it appears I'm restricted to just a "find keyword" and maybe one other. Any more than that and the DI doesn't detect.
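The thread talks about a DI as a pattern plus a stack of validators (find keywords, exclude prefix, exclude suffix, exclude exact match) and about the agent's default cap of 100 counted matches. The following is an added example written for this page, not Symantec's detection engine and not anything posted by the participants: a small, self-contained matcher in which the validator semantics (keyword within a fixed character window, prefix/suffix checked immediately adjacent to the match) are my assumptions, the account-number pattern and sample text are constructed, and the 100-match cap simply mirrors the figure quoted above. It is meant to make it concrete what each validator removes from the match set, and why a policy whose minimum match count exceeds the cap can never raise an incident.

```python
import re
from dataclasses import dataclass, field, replace
from typing import List, Tuple

# Assumed default cap on DI matches an agent will count; mirrors the
# "100 max DI matches" figure quoted in the thread, not a verified product value.
DEFAULT_MAX_MATCHES = 100


@dataclass
class DataIdentifier:
    """Simplified data identifier: a regex plus validators (assumed semantics)."""
    name: str
    pattern: str
    find_keywords: List[str] = field(default_factory=list)     # at least one must appear near a match
    exclude_prefixes: List[str] = field(default_factory=list)  # reject if text right before the match ends with one
    exclude_suffixes: List[str] = field(default_factory=list)  # reject if text right after the match starts with one
    exclude_exact: List[str] = field(default_factory=list)     # reject these literal values outright
    keyword_window: int = 40                                   # characters searched on either side for a keyword

    def find(self, text: str) -> List[str]:
        """Return the matched values that survive every validator, in document order."""
        hits = []
        for m in re.finditer(self.pattern, text):
            value = m.group(0)
            before, after = text[:m.start()], text[m.end():]
            if value in self.exclude_exact:
                continue
            if any(before.endswith(p) for p in self.exclude_prefixes):
                continue
            if any(after.startswith(s) for s in self.exclude_suffixes):
                continue
            if self.find_keywords:
                # Case-insensitive keyword search in a window around the match.
                nearby = (before[-self.keyword_window:] + after[:self.keyword_window]).lower()
                if not any(k.lower() in nearby for k in self.find_keywords):
                    continue
            hits.append(value)
        return hits


def evaluate_policy(di: DataIdentifier, text: str, min_matches: int = 1,
                    max_matches: int = DEFAULT_MAX_MATCHES) -> Tuple[bool, int]:
    """Count surviving matches, capped the way an agent would cap them,
    and report whether the policy's minimum-match condition is met."""
    count = min(len(di.find(text)), max_matches)
    return count >= min_matches, count


def without_prefix_validator(di: DataIdentifier) -> DataIdentifier:
    """Copy of the DI with the exclude-prefix validator removed (the workaround suggested above)."""
    return replace(di, exclude_prefixes=[])


# Constructed sample text; the account-number format is hypothetical.
SAMPLE_TEXT = (
    "Customer account 1234-5678 updated; acct 2345-6789 closed.\n"
    "ORDER#3456-7890 shipped. Account 0000-0000 is a placeholder.\n"
    "Ref 4567-8901-TEST ignored; unrelated 5678-9012 has no keyword nearby.\n"
)

ACCOUNT_DI = DataIdentifier(
    name="Internal account number (hypothetical)",
    pattern=r"\b\d{4}-\d{4}\b",
    find_keywords=["account", "acct"],
    exclude_prefixes=["ORDER#"],
    exclude_suffixes=["-TEST"],
    exclude_exact=["0000-0000"],
)

if __name__ == "__main__":
    print("surviving matches:", ACCOUNT_DI.find(SAMPLE_TEXT))
    print("policy (min 1):", evaluate_policy(ACCOUNT_DI, SAMPLE_TEXT, min_matches=1))
    print("without exclude prefix:", without_prefix_validator(ACCOUNT_DI).find(SAMPLE_TEXT))
    # A policy that needs more matches than the agent counts can never fire.
    print("min 2, cap 1:", evaluate_policy(ACCOUNT_DI, SAMPLE_TEXT, min_matches=2, max_matches=1))
```

Running it shows the two keyword-backed values surviving, the `ORDER#` value dropped only while the exclude-prefix validator is present, and the capped evaluation returning no incident even though the raw match count exceeds the minimum. When comparing a server-side and an endpoint DI, feeding both the same constructed text through a harness like this is a quick way to see which validator is responsible for the difference before pulling agent logs.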