Data Loss Prevention

  • 1.  Grant rights to forward a blocked email?

    Posted Dec 26, 2017 10:55 AM

    I’m hoping someone can help me. I am working with a client and a policy they have works correctly 95% of the time, but 5% of the time it generates a false positive and blocks the file from being sent. I was wondering if there is a way to grant a user the rights to inspect and forward an email?

    Scenario:

    • A message is sent from a user via email.
    • The message is blocked by DLP.
    • The user’s manager is notified of the blocked message.
    • The manager inspects the message, determines it is a false positive.
    • Info Sec/DLP engineers inspect the message and determine the message is a false positive.
    • The manager then forwards the message to the initial mail recipient.

     

    Is it possible to give the manager rights to forward the email? If so, how?

    I’ve read about Forward Mode, but I’m not sure about its real-world application.



  • 2.  RE: Grant rights to forward a blocked email?

    Trusted Advisor
    Posted Dec 26, 2017 07:20 PM

    Hi,

     First, there are two ways to block email with DLP:

    - Email Prevent: emails "blocked" by DLP are just emails rerouted to a specific mailbox defined in the response rule.

    - Endpoint: the email is blocked before it is sent by the user (so it does not really exist as an email).

     In both cases this specific email is end of life, so you can't resend it.

     If you want to be able to analyze the email and then transfer it to its final destination if approved, you will have to quarantine the email (instead of blocking it). You have to use a response rule dedicated to that (usually it just adds a new header to the email to inform the next MTA that it must quarantine this email). DLP by itself does not manage quarantine, so it has to be done by an MTA (DLP will just flag the email to be quarantined).

     Then, if you use Symantec mail gateway to do this, there is a plugin available to link DLP and the gateway. This will allow you to release the email from quarantine after analysis by someone and approval that this email is legitimate. If you use another MTA to manage quarantine, you may have to use this MTA to unblock the email and then send this information back to DLP (or the opposite).

     

     Regards
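
A small model of the flag-then-quarantine flow described in the reply above, added here as an illustration; it is not part of the thread and not Symantec code. The header name `X-Example-DLP-Action`, its value, and the `Quarantine` class are hypothetical, and the two-approver rule is taken from the scenario in the first post.

```python
from email import message_from_string

# Assumption: header name and value are placeholders; use whatever your
# DLP response rule actually inserts.
FLAG_HEADER = "X-Example-DLP-Action"
FLAG_VALUE = "quarantine"
REQUIRED_APPROVERS = {"manager", "infosec"}  # reviewers from the scenario


class Quarantine:
    """Holds flagged messages until every required role approves release."""

    def __init__(self):
        self.held = {}       # Message-ID -> parsed message
        self.approvals = {}  # Message-ID -> roles that have approved
        self.delivered = []  # messages handed to the next hop

    def route(self, raw: str) -> str:
        msg = message_from_string(raw)
        action = (msg.get(FLAG_HEADER) or "").strip().lower()
        if action != FLAG_VALUE:
            self.delivered.append(msg)
            return "delivered"
        msg_id = msg["Message-ID"]
        self.held[msg_id] = msg
        self.approvals[msg_id] = set()
        return "quarantined"

    def approve(self, msg_id: str, role: str) -> str:
        if role not in REQUIRED_APPROVERS:
            raise PermissionError(f"{role} may not approve releases")
        self.approvals[msg_id].add(role)  # KeyError if not in quarantine
        if self.approvals[msg_id] != REQUIRED_APPROVERS:
            return "pending"
        msg = self.held.pop(msg_id)
        del self.approvals[msg_id]
        del msg[FLAG_HEADER]  # strip the flag so the next hop does not re-quarantine
        self.delivered.append(msg)
        return "released"


# Constructed sample message, not taken from the thread.
SAMPLE = (
    "From: user@example.com\n"
    "Message-ID: <1@example.com>\n"
    "X-Example-DLP-Action: quarantine\n"
    "\n"
    "See attachment.\n"
)
```

The original message is held intact and released by the quarantine owner, rather than being forwarded by the manager, so the recipient receives it from the original sender.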