Data Loss Prevention

  • 1.  Timestamps on Quarantined Files

    Posted Apr 05, 2017 12:40 PM

    I have Endpoint servers running on Windows Server 2012 R2 in the Americas, Europe and Asia.  Each server regularly scans all the workstations in their region for files violating a policy (it's the same policy in all three regions).  If a file is found in violation of the policy, the response rule is to move it to a quarantine area on a file server located in that same region.  I am puzzled by the timestamps I am seeing on the files in the quarantine directories.  In the Americas quarantine directory, all of the files retain their original creation, last modified and last accessed dates.  However, in the other two regions, the last accessed and the created dates get changed to the date the scan moved them from the workstations.  Since the policy is to delete any files that have not been accessed in the last two years, this results in the files staying in quarantine for too long before they are deleted as a result of aging out.

    Any ideas why I would see different timestamp behaviors in Europe and Asia?  Does anyone know of any server settings that would cause this type of change?



  • 2.  RE: Timestamps on Quarantined Files

    Posted Apr 07, 2017 09:13 AM

    When running a Discover scan, the scanner will touch the files, therefore resetting the last access date.  By default, Discover will restore the last access date back to the original value.

    There is a directive that can change the default behavior, so that the last access date is modified. The directive is in the file \Vontu\Protect\config\Crawler.properties or \SymantecDLP\Protect\config\Crawler.properties.

    Change the following values from "true" to "false":

    # Should the file system crawler reset the last accessed date of scanned files? Mounter only
    filesystemcrawler.resetlastaccessed = true

    NOTE: This does not apply to NFS and DFS shares.

    Reference: http://www.symantec.com/docs/TECH218604

    Hope this helps!
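
Since the question is why three servers running the same policy behave differently, one way to check the directive named in the reply is to read it from each server's Crawler.properties and compare the values. This is an added example, not part of the original thread and not Symantec code; the function names are hypothetical, and the region labels and file contents are constructed sample data.

```powershell
# Added example. Region names and file contents below are constructed sample data.
function Get-CrawlerSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Key = 'filesystemcrawler.resetlastaccessed'
    )
    $value = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $trimmed = $line.Trim()
        # Skip blank lines and properties-file comments (# or !).
        if ($trimmed -eq '' -or $trimmed.StartsWith('#') -or $trimmed.StartsWith('!')) { continue }
        # Accept "key = value" or "key : value"; keys are compared case-sensitively.
        if ($trimmed -match '^(?<k>[^=:\s]+)\s*[=:]\s*(?<v>.*)$' -and $Matches.k -ceq $Key) {
            $value = $Matches.v.Trim()   # a later duplicate overrides an earlier one
        }
    }
    return $value   # $null when the key is absent or commented out
}

function Compare-CrawlerSetting {
    param([Parameter(Mandatory)] [hashtable] $PathsByRegion)
    $values = [ordered]@{}
    foreach ($region in ($PathsByRegion.Keys | Sort-Object)) {
        $v = Get-CrawlerSetting -Path $PathsByRegion[$region]
        if ($null -eq $v) { $v = '(not set)' }
        $values[$region] = $v
    }
    # Drift is true when the servers do not all report the same value.
    $drift = @($values.Values | Select-Object -Unique).Count -gt 1
    foreach ($region in $values.Keys) {
        [pscustomobject]@{ Region = $region; Value = $values[$region]; Drift = $drift }
    }
}

# Constructed sample files standing in for each server's Crawler.properties.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'crawler-props-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$comment = '# Should the file system crawler reset the last accessed date of scanned files? Mounter only'
$sample = @{
    Americas = "$comment`nfilesystemcrawler.resetlastaccessed = true"
    Europe   = "$comment`nfilesystemcrawler.resetlastaccessed = false"
    Asia     = "$comment`n#filesystemcrawler.resetlastaccessed = true"
}
$paths = @{}
foreach ($region in $sample.Keys) {
    $paths[$region] = Join-Path $dir "$region-Crawler.properties"
    Set-Content -LiteralPath $paths[$region] -Value $sample[$region]
}
Compare-CrawlerSetting -PathsByRegion $paths | Format-Table -AutoSize
```

To run it against real servers, pass each Endpoint server's copy of Crawler.properties, at the path given in the reply above, in place of the sample files.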