Hey Jay,
Sorry for the delay.
Thanks for the answers. I've replied to some of the follow ups below.
Apologies if I'm not precise with my instructions or questions; I'm not in front of an Enforce console at the moment.
--------------------
- How is the policy setup? File type + File name? Or just File name?
[]the policy is setup by file type and file name
- Is this Endpoint or Network?
[]Endpoint
- What detection channel are you testing with?
[]What do you mean by detection channel? Sorry, I am not yet that familiar with the system.
Are you attempting to detect over HTTP(s), SMTP, USB, other?
- Have any other tests for different file name keywords worked?
[]yes, i tried "torrent"
When the “torrent” test worked, what “component” did the yellow highlighted match appear in within the Incident Match details in the Enforce console? I assume you’re using something akin to “*torrent*” and “*video*” – with wildcards in front and back of the keyword(s)…
Are you using separate detection policies for the “torrent” detection and the “video” detection? If so, that might indicate a difference in policy setup. If not and you’re simply switching out the keyword, then there’s something else going on.
- Does the keyword rule (“video”) work with other components or detection channels?
[]Not Sure with this one
This one might be an interesting item to test, to ensure that “video” detects if it’s in the body of an email or within the content of the file…especially, since “torrent” in the filename seemed to work.
- Does case sensitivity (or insensitivity) work on other detections channels or components?
[]Not familiar with this one either
We probably should first focus on getting just “video” to work without accounting for any changes in case sensitivity; we can circle back to this one.
Are you familiar with pulling logs from the Agent? I might also suggest opening a case with Symantec, as sometimes it can take them a bit of time to respond, and they'll likely ask for some logs and such.