Data Loss Prevention

  • 1.  XML-tags confusing scan-engine on Network Discover and Prevent

    Posted Mar 20, 2015 08:12 AM

    We have been discovering a strange issue... Setup is a 12.5 Enforce and a single 12.5 NDP targeting a single fileshare with admin rights.

    Policy is just one DCM-keyword-rule "test".

     

    NDP scans the file (.xml) starting like:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!-- *********************************************************** -->
    <!-- * Notes for configuration item detail filter CIFilter.xml * -->
    <!-- *********************************************************** -->
    <!-- For referencing test CIs you always test have to use the test database field names in camel test code
    
    ...

    but fails to detect the keyword "test" placed in the file; the Incident count stays 0.

     

    Changing the file to:

    test<?xml version="1.0" encoding="ISO-8859-1"?>
    <!-- *********************************************************** -->
    <!-- * Notes for configuration item detail filter CIFilter.xml * -->
    <!-- *********************************************************** -->
    <!-- For referencing test CIs you always test have to use the test database field names in camel test code
    
    ...

    creates an Incident, and the policy finds the keyword "test" five times!!!

     

    I've Ctrl+C and Ctrl+A all the content to a different (.txt) file directly on the server (to pass possible encoding troubles), same result...

    Could it be that the signs <?, <!-, etc. confuse the scan engine?? Bug? Have you ever discovered something similar?

    Thanks for any hint in advance...... :)



  • 2.  RE: XML-tags confusing scan-engine on Network Discover and Prevent

    Trusted Advisor
    Posted Mar 25, 2015 05:21 AM

    Hello,

    Never saw something similar.

    Was it a full scan or an incremental one?

    In case it was an incremental, if your file was not modified since the last scan, it could be normal that DLP does not rescan it.

    Regards



  • 3.  RE: XML-tags confusing scan-engine on Network Discover and Prevent

    Posted Mar 25, 2015 05:44 AM

    Hi Stephane,

    Thanks for your answer, we did a full scan and judging by the logs the file was read. I just can't find any reason why it's not detected. Will try more cases with various ><<!# tags...

    Would be pretty easy to leak data just by adding xml-tags to it!

    Regards