Data Loss Prevention

  • 1.  What's in an effective Aus TFN policy?

    Posted Oct 04, 2016 11:59 PM

    Hello,
    I am running an Australian tax file number detection policy for Endpoint and Network.  It's currently doing too good of a job or stops completely.

    The data identifier was a custom checksum before our upgrade to v.14 and I have since changed it to the built-in Symantec checksum instead hoping the incidents would quieten down and become more accurate.

    A TFN is 8 or 9 numbers and we must exclude mobile numbers, Australian business numbers, Australian company numbers and other numbers that always seem to trigger false positives.

    Is anyone able to share an export of their policy please? How do you add exclusions?

     

    Thanks

    Dan



  • 2.  RE: What's in an effective Aus TFN policy?

    Posted Oct 05, 2016 12:59 AM

    Or is there a way to exclude keywords from before the match? Such as don't match if there is ABN, ACN, +61 etc. at the start?

    Thanks

     



  • 3.  RE: What's in an effective Aus TFN policy?

    Trusted Advisor
    Posted Oct 05, 2016 01:53 AM

    Hello,

    It is possible to add a custom script validator in your data identifier (especially using a function which checks characters before or after the matched pattern).

    If you need more help, please share some true and false positive TFNs so I will be able to test a script and share it with you.

    Regards.



  • 4.  RE: What's in an effective Aus TFN policy?

    Posted Oct 05, 2016 04:47 AM

    Hi Stephane, thanks for the reply

    Matches are:
    \d{9}
    \d{3}[ -]\d{3}[ -]\d{3}
    \d{2}[ -]\d{3}[ -]\d{3}
    e.g. 434 502 175 or 897456458
    I'd preferably like to add the words 'TFN or Tax' in proximity. Can this be done?

    Matches that are false and I'd like to rule out are mainly the keywords preceding:
    account number 456789123
    ABN 456 789 123 (Australian Business number)
    A.C.N 45 678 891 234 (Australian company number)
    +61 419 123 456 (phone / mobile numbers and country code)
    https matches with 9-digits

    The validators I'm using are the built-in and custom one together, but it doesn't seem to have made a difference.

    I have sent a PM with the customer validation checksum.

    Thank you for your help.

    Dan



  • 5.  RE: What's in an effective Aus TFN policy?

    Trusted Advisor
    Posted Oct 05, 2016 06:08 AM

    It should work to add these 2 lines at the end of your custom validator (I think there is no need to add the Symantec one as it should be the same as yours).

    #####

    $tocheck=GetAsciiStringAt($matchPrefix, 0x6, 3);
    assertTrue($tocheck != 'ABN');

    #####

    It should work for "A.C.N" too, and "+" for the phone code (just a different offset and length).

    For an https or http binary stream it is quite impossible to use this kind of rule.

    A proximity check is not available in a DI, so you could just add a "Find keywords" validator with (TFN, tax), or if the proximity is lower than 10 you could use the same rule as above (but as you don't know where the string is, it will be quite long).



  • 6.  RE: What's in an effective Aus TFN policy?

    Posted Oct 05, 2016 10:50 PM

    Thanks for this, Stephane. It's removed some matches!

    Is it possible to see some examples of additional lines to remove matches please?

    • ABN \d{2}
    • A.C.N
    • +61
    • account number
    • (08)

    I'm slowly getting my mind around the code =)

    Also, re the screenshot. Can I use those fields to exclude? If so, is the input plain text or regexp?

    Thanks again! It's really helpful
    Dan

     

     



  • 7.  RE: What's in an effective Aus TFN policy?

    Posted Oct 06, 2016 03:50 AM

    I can't PM or edit posts again.

     



  • 8.  RE: What's in an effective Aus TFN policy?
    Best Answer

    Trusted Advisor
    Posted Oct 06, 2016 04:22 AM

    OK. Please tag this as the solution if it helps, so the next users with the same questions will be able to find it quickly.

    A.C.N

    ####

    $tocheck=GetAsciiStringAt($matchPrefix, 0x4, 5);
    assertTrue($tocheck != 'A.C.N');

    ####

    account number (so it will be "nt number", as we have access to only the 10 bytes preceding the match)

    ####

    $tocheck=GetAsciiStringAt($matchPrefix, 0x0, 9);
    assertTrue($tocheck != 'nt number');

    ####

    +61 (only + if 61 is part of the matching pattern, as $matchPrefix only contains what precedes the matched pattern)

    ####

    $tocheck=GetAsciiStringAt($matchPrefix, 0x9, 1);
    assertTrue($tocheck != '+');

    ####

    I sent an IM to you; did you get it?
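
The prefix checks from posts 5 and 8, emulated in Python as an added example (not part of the thread and not Symantec's validator language), to show how the fixed offsets line up against the 10-byte prefix and where they miss. The names `match_prefix`, `get_ascii_string_at` and `scan`, and the space-padding of short prefixes, are assumptions made for illustration; the sample lines are constructed from the false positives listed in post 4, and checksum validation is not reproduced.

```python
import re

PREFIX_LEN = 10  # the thread states only 10 bytes before the match are available

# The three match patterns listed in post 4.
TFN_RE = re.compile(r"\d{9}|\d{3}[ -]\d{3}[ -]\d{3}|\d{2}[ -]\d{3}[ -]\d{3}")

# (offset, length, forbidden string) taken from the validator lines in posts 5 and 8.
EXCLUSIONS = [(0x6, 3, "ABN"), (0x4, 5, "A.C.N"),
              (0x0, 9, "nt number"), (0x9, 1, "+")]


def match_prefix(text, start):
    """Return the 10 characters before `start`.
    Assumption: a shorter prefix is left-padded with spaces so that the
    fixed offsets still count back from the match."""
    return text[max(0, start - PREFIX_LEN):start].rjust(PREFIX_LEN)


def get_ascii_string_at(buf, offset, length):
    """Python stand-in (hypothetical) for the validator's GetAsciiStringAt()."""
    return buf[offset:offset + length]


def scan(text):
    """Return (candidate, verdict) for every pattern match in `text`."""
    results = []
    for m in TFN_RE.finditer(text):
        prefix = match_prefix(text, m.start())
        hit = next((bad for off, ln, bad in EXCLUSIONS
                    if get_ascii_string_at(prefix, off, ln) == bad), None)
        results.append((m.group(), f"excluded ({hit})" if hit else "kept"))
    return results


# Constructed sample lines based on the examples in post 4.
SAMPLES = [
    "TFN 434 502 175",
    "ABN 456 789 123",
    "A.C.N 45 678 891 234",
    "account number 456789123",
    "+61 419 123 456",
    "ABN: 456 789 123",  # extra colon shifts the keyword; the fixed offset misses it
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:30} -> {scan(line)}")
```

The last sample is kept because each rule compares one exact string at one exact offset, so any variation in spacing or punctuation between the keyword and the number needs its own rule.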