Symantec Data Loss Prevention Help Center 16.0RU
Version 16.0.1
2
Known issues in 15.8 MP3....................................................................................................................................... 87
Installation and upgrade known issues in 15.8 MP3.........................................................................................88
Endpoint known issues in 15.8 MP3................................................................................................................. 88
Symantec Data Loss Prevention Release Types........................................................................................................ 88
Major Release........................................................................................................................................................... 89
Minor Release........................................................................................................................................................... 89
Release Update.........................................................................................................................................................89
Getting started....................................................................................................................................91
About updates to the Symantec Data Loss Prevention Help Center....................................................................... 91
News and Alerts............................................................................................................................................................. 91
Subscribing to Alerts................................................................................................................................................. 91
Introducing Symantec Data Loss Prevention............................................................................................................. 92
About the Enforce Server platform........................................................................................................................... 93
About Network Monitor and Prevent........................................................................................................................ 93
About Network Discover........................................................................................................................................... 94
About Network Protect.............................................................................................................................................. 94
About Endpoint Discover.......................................................................................................................................... 95
About Endpoint Prevent............................................................................................................................................ 95
Getting Started Administering Symantec Data Loss Prevention..............................................................................95
About Symantec Data Loss Prevention administration............................................................................................ 96
About the Enforce Server administration console.................................................................................................... 96
Logging On and Off the Enforce Server Administration Console.............................................................................97
About the administrator account............................................................................................................................... 98
Performing Initial Setup Tasks.................................................................................................................................. 98
Changing the Administrator Password..................................................................................................................... 98
Adding an administrator email account.................................................................................................................... 99
Editing a user profile.................................................................................................................................................99
Changing your password........................................................................................................................................ 100
About support for character sets, languages, and locales..................................................................................... 101
Supported languages for detection........................................................................................................................... 101
Working with international characters.......................................................................................................................103
About Symantec Data Loss Prevention language packs........................................................................................ 103
About locales................................................................................................................................................................ 104
Using a non-English language on the Enforce Server administration console.................................................... 104
Using the Language Pack Utility................................................................................................................................105
Add a language pack on Linux...............................................................................................................................106
Remove a language pack....................................................................................................................................... 106
DLP System Requirements............................................................................................................. 107
About system requirements........................................................................................................................................107
About updates to Symantec Data Loss Prevention system requirements............................................................. 107
About deprecated platforms....................................................................................................................................107
System requirements and recommendations........................................................................................................... 107
Deployment planning considerations...................................................................................................................... 108
The Effect of Scale on System Requirements....................................................................................................... 108
Minimum System Requirements for Symantec Data Loss Prevention Servers..................................................... 109
Minimum Supported Hardware Requirements for Enforce Servers....................................................................... 110
Single-tier Installation Minimum Hardware Requirements......................................................................................110
Small Installation Hardware Recommendations..................................................................................................... 111
Medium Installation Hardware Recommendations................................................................................................. 113
Large Enterprise Hardware Recommendations......................................................................................................115
Operating system requirements for servers........................................................................................................... 118
Enforce Server, Detection Server, and Network Discover Cluster Requirements........................................... 118
Operating system requirements for Single Server deployments.....................................................................118
Operating System Requirements for the Domain Controller Agent................................................................ 119
Installing patches for Windows Server 2012 R2............................................................................................. 119
Installing fonts on Linux servers......................................................................................................................119
Linux partition guidelines................................................................................................................................. 120
System Requirements for OCR Servers.................................................................................................................121
Endpoint computer requirements for the Symantec DLP Agent............................................................................ 121
Minimum Hardware Requirements for Endpoints............................................................................................121
Windows Operating System Requirements for Endpoint Systems................................................................. 122
macOS operating system requirements for endpoint systems........................................................................124
Linux Operating System Requirements for Endpoint Systems....................................................................... 126
Supported languages for detection.........................................................................................................................127
Available language packs....................................................................................................................................... 128
Oracle database requirements................................................................................................................................128
Running Oracle 19c Standard Edition 2 software on alternate platforms....................................................... 129
Browser requirements for accessing the Enforce Server administration console.................................................. 130
Deploying Data Loss Prevention on public cloud infrastructures........................................................................... 130
Deploying Symantec Data Loss Prevention on Amazon Web Services infrastructure....................................130
Deploying Symantec Data Loss Prevention on Microsoft Azure.....................................................................131
Deploying Symantec Data Loss Prevention on Oracle Cloud.........................................................................131
Virtual machine support.......................................................................................................................................... 132
Virtual Server Support..................................................................................................................................... 132
Virtual desktop and virtual application support with Endpoint Prevent............................................................133
Supported operating systems for the EMDI, EDM, and IDM Remote Indexers..................................................... 134
Third-party software requirements and recommendations..................................................................................... 135
Required third-party software.......................................................................................................................... 135
Required Linux RPMs......................................................................................................................................136
Required Linux dependencies......................................................................................................................... 137
Recommended third-party software.................................................................................................................137
Product compatibility...................................................................................................................................................138
Environment Compatibility and Requirements for Network Prevent for Email and Cloud Prevent for Email Servers.............. 138
Proxy Server Compatibility with Network Prevent for Web.................................................................................... 139
SSL monitoring with Network Monitor.................................................................................................................... 139
Secure ICAP support for Network Prevent for Web...............................................................................................139
High-speed packet capture card.............................................................................................................................140
Veritas Data Insight compatibility with Symantec Data Loss Prevention............................................................... 140
Integrations with other Symantec products............................................................................................................ 141
Support for IPv6 addresses.................................................................................................................................... 142
Network Discover compatibility............................................................................................................................... 142
Supported File System Targets....................................................................................................................... 142
Supported IBM (Lotus) Notes targets..............................................................................................................143
Supported SQL database targets.................................................................................................................... 143
Supported SharePoint server targets.............................................................................................................. 144
Supported Exchange Server targets............................................................................................................... 144
Supported File System Scanner Targets.........................................................................................................145
Supported web server scanner targets........................................................................................................... 145
Endpoint Prevent Supported Applications.............................................................................................................. 145
Applications Supported by Endpoint Prevent on Windows............................................................................. 146
Applications Supported by Endpoint Prevent on macOS................................................................................149
Browser Beta Compatibility and Testing..........................................................................................................151
Support for Monitoring Applications Protected by System Integrity Protection............................................... 154
Implementing the Database............................................................................................................ 155
About this content....................................................................................................................................................... 155
About updates to the Oracle database content......................................................................................................155
About using this content to migrate the Symantec Data Loss Prevention database to Oracle 19c........................155
Overview—preparing to migrate the database................................................................................................155
Overview—migrating the database..................................................................................................................156
Preparing Oracle 19c for use with Symantec Data Loss Prevention..................................................................... 156
Using Oracle 19c with Symantec Data Loss Prevention........................................................................................ 156
Applying the latest Oracle Release Update (RU)............................................................................................157
About Oracle Real Application Clusters................................................................................................................. 158
About the Oracle multitenant environment............................................................................................................. 158
About deploying Oracle to Amazon Web Services (AWS)..................................................................................... 158
Installing Oracle 19c on Windows..............................................................................................................................158
About Installing Oracle 19c on Windows................................................................................................................159
Oracle Client Requirement...............................................................................................................................159
Oracle 19c Database Templates..................................................................................................................... 159
Steps to install Oracle 19c on Windows.................................................................................................................159
Preparing the Windows environment......................................................................................................................160
Installing the Oracle 19c software on Windows..................................................................................................... 161
Creating the Symantec Data Loss Prevention database on Windows...................................................................162
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows.....164
Verifying the PDB database for RAC on Windows............................................................................................... 165
Configuring the database connection on Windows................................................................................................ 166
Configuring the TNS Listener and Net Service Name.................................................................................... 166
Verifying tnsnames.ora contents...................................................................................................................... 167
Modifying the listener.ora file............................................................................................................................168
Verifying that the PDB listener is created and registered on Windows.................................................................. 169
Setting the protect PDB to autostart on Windows..................................................................................................171
Adding required tablespaces to the PDB database on Windows...........................................................................172
Creating the Oracle user account for Symantec Data Loss Prevention on Windows............................................ 173
Verifying the Symantec Data Loss Prevention database on Windows...................................................................174
Installing Oracle 19c on Linux....................................................................................................................................174
About installing Oracle 19c on Linux......................................................................................................................175
Oracle Client requirement................................................................................................................................ 175
Oracle 19c database templates.......................................................................................................................175
Steps to install Oracle 19c on Linux...................................................................................................................... 176
Performing the Linux preinstallation steps..............................................................................................................176
Preparing the Linux environment.....................................................................................................................177
Installing the Oracle 19c software on Linux........................................................................................................... 178
Creating the Symantec Data Loss Prevention database on Linux.........................................................................180
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Linux.......... 182
Verifying the PDB database on Linux.....................................................................................................................183
Configuring the database connection on Linux...................................................................................................... 184
Configuring TNS Listener and Net Service Name.......................................................................................... 184
Verifying tnsnames.ora contents...................................................................................................................... 185
Modifying the listener.ora file............................................................................................................................186
Verifying that the PDB listener is created and registered on Linux........................................................................188
Setting the protect PDB to autostart on Linux........................................................................................................190
Adding required tablespaces to the PDB database on Linux.................................................................................190
Verifying the Symantec Data Loss Prevention database on Linux........................................................................ 191
Creating the Oracle user account for Symantec Data Loss Prevention on Linux.................................................. 192
Configuring automatic startup and shutdown of the database............................................................................... 193
Upgrading the database to Oracle 19c......................................................................................................................193
About upgrading the Symantec Data Loss Prevention database to Oracle 19c.................................................... 193
Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c................................................... 193
Setting Privileges for the Oracle User.............................................................................................................193
Upgrading to Oracle 19c................................................................................................................................. 194
Migrating the database to Oracle 19c........................................................................................................................195
About migrating the Symantec Data Loss Prevention database to Oracle 19c..................................................... 195
Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c.................................................... 196
Confirm the schema row count before the export on Windows...................................................................... 197
Confirm the schema row count before the export on Linux............................................................................ 198
Confirm the DATA PUMP directory................................................................................................................. 198
Stop all Symantec Data Loss Prevention services......................................................................................... 199
Export the database from the Oracle source database system......................................................................199
Add data files for large databases.................................................................................................................. 200
Import the database to the Oracle 19c system...............................................................................................201
Connect the Enforce Server to the Oracle 19c database............................................................................... 202
Update the database server connection on Windows.....................................................................................202
Update the database server connection on Linux...........................................................................................203
Restart all Symantec Data Loss Prevention services..................................................................................... 203
Confirm the schema row count after the import on Windows......................................................................... 203
Confirm the schema row count after the import on Linux............................................................................... 204
Migrating to an Oracle multitenant environment on Windows................................................................................205
Migrating to an Oracle multitenant environment on Linux......................................................................................205
Installing DLP................................................................................................................................... 207
Planning the installation..............................................................................................................................................207
About installation tiers.............................................................................................................................................207
About single sign-on............................................................................................................................................... 208
About hosted Network Prevent deployments......................................................................................................... 209
About Symantec Data Loss Prevention system requirements............................................................................... 209
Symantec Data Loss Prevention Required Items...................................................................................................209
Standard ASCII characters required for all installation parameters....................................................................... 210
Performing a three-tier installation—high-level steps............................................................................................. 210
Performing a two-tier installation—high-level steps................................................................................................212
Performing a single-tier installation—high-level steps............................................................................................ 213
Symantec Data Loss Prevention Preinstallation Steps.......................................................................................... 214
Confirming the Oracle database user permissions................................................................................................ 215
About external storage for incident attachments.................................................................................................... 216
Verifying that servers are ready for Symantec Data Loss Prevention installation.................................................. 216
Installing an Enforce Server....................................................................................................................................... 218
Preparing for an Enforce Server installation.......................................................................................................... 218
Installing on Windows............................................................................................................................................. 219
Installing the Java Runtime Environment on the Enforce Server on Windows............................................... 219
Installing an Enforce Server on Windows........................................................................................................219
Installing on Linux................................................................................................................................................... 224
Installing the Java Runtime Environment on the Enforce Server on Linux..................................................... 224
Signing RPM Files for Server Components.....................................................................................................224
Installing an Enforce Server on Linux............................................................................................................. 225
Configuring a new Enforce Server installation on Linux................................................................................. 225
Verifying an Enforce Server installation..................................................................................................................230
Installing a New License File..................................................................................................................................231
Importing a solution pack........................................................................................................................................... 231
About Symantec Data Loss Prevention solution packs..........................................................................................231
Importing a Solution Pack.......................................................................................................................................232
Installing and registering detection servers............................................................................................................. 234
Detection Servers.................................................................................................................................................... 234
Network Discover Clusters......................................................................................................................................235
Preparing for a Detection Server Installation......................................................................................................... 236
Installing a detection server on Windows...............................................................................................................236
Install the Java Runtime Environment on a detection server on Windows..................................................... 237
Installing a detection server on Windows........................................................................................................237
Preparing Your Environment for Microsoft Rights Management File Monitoring.............................................240
Installing a Network Discover Cluster on Windows................................................................................................243
Before you Begin............................................................................................................................................. 243
Steps to Install a Network Discover Cluster on Windows............................................................................... 243
Installing a detection server on Linux.....................................................................................................................248
Installing the Java Runtime Environment on a Detection Server on Linux..................................................... 249
Installing a detection server on Linux..............................................................................................................249
Configuring a Detection Server....................................................................................................................... 250
Installing a Network Discover Cluster on Linux......................................................................................................251
Before you Begin............................................................................................................................................. 251
Steps to Install a Network Discover Cluster on Linux..................................................................................... 251
Verifying a Detection Server or Node Installation....................................................................................................257
Registering a detection server................................................................................................................................ 257
Configuring certificates for secure server communications...................................................................................259
About the sslkeytool utility and server certificates..................................................................................................259
About sslkeytool Command Line Options....................................................................................................... 259
Using sslkeytool to generate new Enforce Server and detection server certificates.......................................261
Using sslkeytool to add new detection server certificates...............................................................................262
Verifying server certificate usage.....................................................................................................................264
About securing communications between the Enforce Server and the database.................................................. 264
About orapki command line options................................................................................................................ 265
Using orapki to generate the server certificate on the Oracle database.........................................................265
Configuring communication on the Enforce Server.........................................................................................267
Configuring the Server Certificate on the Enforce Server...............................................................................269
Verifying the Enforce Server database certificate usage................................................................................ 270
About securing communications between the Enforce Server and Amazon RDS for Oracle................................ 270
Configuring Oracle RDS Option Group with SSL............................................................................................271
Configuring the Server Certificate on the Enforce Server...............................................................................271
Setting up an SSL connection over JDBC...................................................................................................... 272
Verifying the Enforce Server-Oracle RDS database certificate usage............................................................ 272
Installing the domain controller agent to identify users in incidents.................................................................... 273
About the domain controller agent......................................................................................................................... 273
Domain controller agent installation prerequisites..................................................................................................273
Installing the domain controller agent.....................................................................................................................274
Domain controller agent post-installation tasks...................................................................................................... 275
Exclude an IP address or IP range from event collection...............................................................................275
Updating configuration settings after installation.............................................................................................275
Troubleshooting the domain controller agent......................................................................................................... 276
Uninstalling the domain controller agent................................................................................................................ 277
Performing a single-tier installation...........................................................................................................................277
Preparing for a single-tier installation..................................................................................................................... 277
Install a single-tier system on Windows................................................................................................................. 277
Installing the Java Runtime Environment for a Single-tier Installation on Windows........................................277
Installing a single-tier server on Windows.......................................................................................................278
Install a single-tier server on Linux.........................................................................................................................282
Installing the Java Runtime Environment for a single-tier installation.............................................................283
Installing a single-tier server on Linux............................................................................................................. 283
Configuring a new single-tier installation.........................................................................................................283
Verifying a single-tier installation............................................................................................................................ 287
Policy authoring considerations.............................................................................................................................. 288
About migrating to a two-tier deployment...............................................................................................................288
Registering the Single Tier Monitor........................................................................................................................ 288
Installing Symantec DLP Agents................................................................................................................................289
About secure communications between DLP Agents and Endpoint Servers......................................................... 290
Generating agent installation packages.......................................................................................................... 291
Agent installation package contents................................................................................................................ 293
Identify security applications running on endpoints................................................................................................294
About Endpoint Server redundancy........................................................................................................................295
Installing the DLP Agent on Windows.....................................................................................................................295
Use the Elevated Command Prompt with Windows 10.................................................................................. 296
Install the DLP Agent for Windows Manually..................................................................................................297
Install the DLP Agent for Windows silently..................................................................................................... 297
Confirming that the Windows agent is running............................................................................................... 300
What gets installed for DLP Agents installed on Windows endpoints.............................................................300
Installing the DLP Agent for macOS.......................................................................................................................301
Understanding the DLP Agent Installation Process........................................................................................ 301
Before You Begin............................................................................................................................................. 302
Steps to Install the Agent on macOS Endpoints.............................................................................................302
Complete macOS Endpoint Agent Installation Prerequisites.......................................................................... 302
Install the DLP Agent for macOS.....................................................................................................................310
Confirm that the macOS agent is running.......................................................................................................316
Troubleshoot the macOS Agent Installation.................................................................................................... 316
Installing the DLP Agent on Linux.......................................................................................................................... 316
Before You Begin the Installation.................................................................................................................... 317
Steps to Install the Agent on Linux Endpoints.................................................................................................317
Complete the Linux Endpoint Agent Installation Prerequisites....................................................................... 317
Sign RPM Files for Linux Endpoints............................................................................................................... 318
Install the DLP Agent for Linux....................................................................................................................... 318
Confirm That the Linux Agent is Running....................................................................................................... 319
Endpoint Tools.........................................................................................................................................................319
Preparing to Use Endpoint Tools.....................................................................................................................321
Shutting Down the Agent and Watchdog Services on Endpoints................................................................... 322
Inspecting the Database Files Accessed by the Agent...................................................................................322
Viewing Extended Log Files............................................................................................................................ 323
Using the Device ID Utilities............................................................................................................................325
Generating Third-party Application Information Using the GetAppInfo Tool....................................................327
Starting Agents That Have Been Shut Down................................................................................................. 328
About uninstallation passwords.............................................................................................................................. 329
Using uninstallation passwords....................................................................................................................... 329
Upgrading agents and uninstallation passwords.............................................................................................330
About agent password management...............................................................................................................330
Installing language packs........................................................................................................................................... 330
About Symantec Data Loss Prevention language packs....................................................................................... 331
About locales...........................................................................................................................................................331
Using a non-English language on the Enforce Server administration console...................................................... 331
Using the Language Pack Utility............................................................................................................................ 332
Add a language pack on Windows..................................................................................................................333
Add a language pack on Linux....................................................................................................................... 333
Remove a language pack................................................................................................................................334
Post-installation tasks................................................................................................................................................. 334
About post-installation tasks................................................................................................................................... 335
Backing up your system after installation...............................................................................................................335
About post-installation security configuration......................................................................................................... 335
About server security and SSL/TLS certificates..............................................................................................335
About Symantec Data Loss Prevention and antivirus software...................................................................... 339
Corporate firewall configuration....................................................................................................................... 342
Windows security lockdown guidelines........................................................................................................... 342
Windows Administrative security settings........................................................................................................344
About System Events and Syslog Servers.............................................................................................................347
Enforce Servers and unused NICs.........................................................................................................................347
Performing initial setup tasks on the Enforce Server............................................................................................. 348
Set up Symantec Data Loss Prevention......................................................................................................... 348
Add SQL*Plus to the SymantecDLP user path............................................................................................... 349
About FIPS encryption............................................................................................................................................ 349
Configuring Internet Explorer when using FIPS..................................................................................................... 349
Upgrading DLP................................................................................................................................. 351
Preparing to upgrade...................................................................................................................................................351
About Updates to the Symantec Data Loss Prevention Upgrade Content.............................................................351
Preparing to Upgrade Symantec Data Loss Prevention........................................................................................ 351
Symantec Data Loss Prevention Upgrade Phases................................................................................................ 352
Minimum System Requirements for Upgrading to the Current Release................................................................ 353
Requirement for Language Pack Upgrades........................................................................................................... 354
Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade.................................................. 354
Checking the database update readiness....................................................................................................... 354
Setting ORACLE_HOME and PATH variables................................................................................................ 364
Confirming the Oracle database user permissions......................................................................................... 364
Enabling Network Detection Uptime Protection...................................................................................................... 365
Backward Compatibility for Agent Upgrades.......................................................................................................... 365
Upgrade Requirements and Restrictions................................................................................................................366
Preparing your system for the upgrade..................................................................................................................367
Deleting ICT Components Before Upgrading......................................................................................................... 368
Deleting ICE components from the Enforce Server............................................................................................... 368
Remove ICE response rules........................................................................................................................... 369
Remove ICE settings....................................................................................................................................... 369
Disable ICE settings in the agent configuration.............................................................................................. 369
Preparing Your Environment for Microsoft Rights Management File Monitoring....................................................369
Prepare the AD RMS Environment for RMS Monitoring................................................................................. 370
Prepare the Azure RMS environment for RMS monitoring............................................................................. 370
Enabling Microsoft Rights Management File Monitoring................................................................................. 370
Upgrading to a new release........................................................................................................................................372
Upgrading Symantec Data Loss Prevention...........................................................................................................372
Downloading and extracting the upgrade software................................................................................................ 373
Migrating on Windows.............................................................................................................................................374
Migrating the Previous Version to a New Enforce Server Installation on Windows........................................ 374
Migrating a Previous Version Detection Server or Cluster to the Latest Version on Windows........................ 379
Migrating previous version data to a new single-tier installation on Windows................................................ 389
Migrating on Linux...................................................................................................................................................394
Migrating the previous version to a new Enforce Server installation on Linux................................................394
Migrating a Previous Version Detection Server or Cluster to the Latest Version on Linux..............................398
Migrating Previous Version Data to a New Single-Tier Installation on Linux.................................................. 408
Parameters for install.sh.................................................................................................................................. 411
Backing up your system......................................................................................................................................... 411
Verifying that the Enforce Server and the detection servers are running...............................................................412
Applying the updated configuration to Endpoint Prevent servers.......................................................................... 412
Upgrading your scanners........................................................................................................................................412
Upgrading Endpoint Prevent group directory connections..................................................................................... 412
Upgrading or installing Npcap for Network Monitor................................................................................................412
Updating an appliance............................................................................................................................................ 413
Upgrading Symantec DLP Agents..............................................................................................................................413
About Symantec Data Loss Prevention Agent upgrades....................................................................................... 413
Secure Communications between DLP Agents and Endpoint Servers..................................................................414
Generating agent installation packages.......................................................................................................... 415
Agent installation package contents................................................................................................................ 417
Working with endpoint certificates................................................................................................................... 419
Process to upgrade the DLP Agent on Windows...................................................................................................419
Upgrading previous version DLP Agents with Windows Safe Mode monitoring enabled............................... 420
Upgrading the Windows agent manually.........................................................................................................420
Upgrading the Windows agent silently............................................................................................................ 420
Process to upgrade the DLP Agent on Mac........................................................................................................... 421
Packaging Mac agent upgrade files................................................................................................................ 422
Upgrading the DLP Agent for Mac manually.................................................................................................. 423
Upgrading DLP Agents on Mac endpoints silently.......................................................................................... 424
Confirming that the Mac agent is Running......................................................................................................424
What gets upgraded for DLP Agents on Mac endpoints................................................................................. 425
Upgrading the DLP Agent on Linux........................................................................................................................425
Before You Begin the Upgrade........................................................................................................................425
Steps to Install the Agent on Linux Endpoints.................................................................................................426
Completing the Linux Endpoint Agent Upgrade Prerequisites........................................................................ 426
Signing RPM Files for Linux Endpoints...........................................................................................................426
Performing the DLP Agent Upgrade for Linux................................................................................................ 427
Confirm That the Linux Agent is Running....................................................................................................... 428
Post-upgrade tasks...................................................................................................................................................... 428
Verifying Symantec Data Loss Prevention operations........................................................................................... 429
Updating Connections to the Cloud Detection Service.......................................................................................... 429
Syncing the Application Detection Configurations to Cloud Detectors............................................................429
Adding a Cloud Detector and Configuring Gatelets or Securlets....................................................................429
Migrating Plug-ins....................................................................................................................................................430
About securing communications between the Enforce Server and the database.................................................. 431
About orapki command line options................................................................................................................ 431
Using orapki to generate the server certificate on the Oracle database.........................................................432
Configuring communication on the Enforce Server.........................................................................................434
Configuring the Server Certificate on the Enforce Server...............................................................................436
Verifying the Enforce Server database certificate usage................................................................................ 437
About remote indexers............................................................................................................................................437
About updating the JRE to the latest version.........................................................................................................437
Steps to update the JRE................................................................................................................................. 437
Backing up the cacerts file.............................................................................................................................. 438
Installing the OpenJRE.................................................................................................................................... 438
Updating the JRE to the latest version on Windows.......................................................................................439
Updating the JRE to the latest version on Linux............................................................................................ 440
Reinstate CA certificates................................................................................................................................. 442
Reverting a JRE version to a previous release.............................................................................................. 442
Symantec Data Loss Prevention upgrade troubleshooting and recovery............................................................. 443
About troubleshooting Symantec Data Loss Prevention upgrade problems.......................................................... 443
Stop all Symantec Data Loss Prevention database sessions................................................................................ 444
Troubleshooting Enforce Server services............................................................................................................... 445
Rolling back to the previous Symantec Data Loss Prevention release..................................................................445
Reverting the Enforce Server to a Previous Release..................................................................................... 446
Reverting Detection Servers and Network Discover Clusters to the Previous Release.................................. 447
Creating the Enforce Reinstallation Resources file................................................................................................ 449
Creating the Enforce Reinstallation Resources file on Windows.....................................................................449
Creating the Enforce Reinstallation Resources file on Linux...........................................................................449
Maintaining the DLP System...........................................................................................................450
About the System Maintenance Schedule................................................................................................................ 450
Understanding Underlying System Resources.........................................................................................................451
Enforce Server Directory Structure.........................................................................................................................451
Detection Server and Network Discover Cluster Directory Structure..................................................................... 453
Detection Server.............................................................................................................................................. 453
Network Discover Cluster................................................................................................................................ 455
Incident Attachment External Storage Directory.....................................................................................................456
Configuring the Incident Attachment External Storage Directory after Installation or Upgrade....................... 457
Disable External Storage for Incident Attachments.........................................................................................457
Symantec Data Loss Prevention Services............................................................................................................. 457
Increase the Max Memory............................................................................................................................... 458
Starting and Stopping Services on Windows.................................................................................................. 458
Starting and Stopping Services on Linux........................................................................................................ 461
Using Log Files....................................................................................................................................................... 463
DLP Agent Logs......................................................................................................................................................464
Symantec Data Loss Prevention System Statistics................................................................................................464
Monitoring the Incident Count.................................................................................................................................464
Incident Hiding.........................................................................................................................................................465
System Event Reports and Alerts..............................................................................................................................466
System Events........................................................................................................................................................ 466
System Events Reports................................................................................................................................... 467
Server and Detectors Event Detail..................................................................................................................469
Working with Saved System Reports.............................................................................................................. 470
Configuring Event Thresholds and Triggers.................................................................................................... 471
About System Event Responses..................................................................................................... 472
Enabling a Syslog Server................................................................................................................................ 473
System Alerts.......................................................................................................................................................... 474
Configuring the Enforce Server to Send Email Alerts.....................................................................................475
Configuring System Alerts............................................................................................................................... 476
Using Diagnostic Tools................................................................................................................................................477
Diagnostic Tools...................................................................................................................................................... 478
System Information Review.................................................................................................................................... 478
Log Collection Utility............................................................................................................................................... 478
Working with the DLP database..................................................................................................................................479
Working with Symantec Data Loss Prevention database diagnostic tools.............................................................479
Viewing Tablespaces and Data File Allocations..................................................................................................... 479
Adjusting warning thresholds for tablespace usage in large databases................................................................ 480
Generating a Database Report...............................................................................................................................481
Viewing Table Details.............................................................................................................................................. 481
Recovering from Symantec Data Loss Prevention database connectivity issues.................................................. 482
Backing Up and Recovering on Windows.................................................................................................................482
About Backup and Recovery on Windows............................................................................................................. 483
About periodic system backups on Windows......................................................................................................... 483
About scheduling a system backup on Windows............................................................................................484
About partial backups on Windows........................................................................................................................ 484
Preparing the backup location on Windows........................................................................................................... 484
Determining the Size of the Backup on Windows...........................................................................................485
Identifying a backup location on Windows...................................................................................................... 486
Creating Backup Directories on Windows....................................................................................................... 487
Performing a cold backup of the Oracle database on Windows............................................................................ 487
Creating Recovery Aid Files on Windows.......................................................................................................488
Collecting a List of Files to be Backed up...................................................................................................... 489
Creating a Copy of the spfile on Windows................................................................................................. 489
Shutting Down the Symantec Data Loss Prevention System on Windows.....................................................490
Copying the database files to the backup location on Windows.....................................................................490
Restarting the system on Windows.................................................................................................................491
Backing up the server configuration files on Windows...........................................................................................491
Backing up files stored on the file system on Windows.........................................................................................492
Backing up custom configuration changes on Windows................................................................................. 492
Backing up system logs on Windows..............................................................................................................492
Backing up keystore files on Windows............................................................................................................493
Backing up the Network Discover incremental scan index on Windows.........................................................493
Backing up services on Windows....................................................................................................................494
Oracle hot backups on Windows platforms............................................................................................................494
About Windows System Recovery..........................................................................................................................494
Recovery Information Worksheet for Windows................................................................................................494
About recovering your system on Windows platforms.................................................................................... 495
Backing up and recovering on Linux........................................................................................................................ 500
About backup and recovery on Linux.....................................................................................................................501
About periodic system backups on Linux...............................................................................................................501
About Scheduling a System Backup on Linux................................................................................................ 501
About partial backups on Linux.............................................................................................................................. 502
Preparing the backup location on Linux................................................................................................................. 502
Determining the Size of the Backup on Linux.................................................................................................502
Identifying a backup location on Linux............................................................................................................ 504
Creating backup directories on Linux..............................................................................................................505
Performing a Cold Backup of the Oracle Database on Linux................................................................................ 505
Creating Recovery Aid Files on Linux.............................................................................................................506
Collecting a list of files to be backed up......................................................................................................... 507
Creating a Copy of the spfile on Linux....................................................................................................... 507
Shutting Down the Symantec Data Loss Prevention System on Linux...........................................................508
Copying the Database Files to the Backup Location on Linux....................................................................... 509
Restarting the System on Linux...................................................................................................................... 509
Backing up the server configuration files on Linux................................................................................................ 510
Backing up Files Stored on the File System on Linux........................................................................................... 510
Backing up custom configuration changes on Linux.......................................................................................511
Backing up System Logs on Linux..................................................................................................................511
Backing up Keystore Files on Linux................................................................................................................512
Backing up the Network Discover Incremental Scan Index on Linux............................................................. 512
Backing up Services on Linux......................................................................................................................... 513
Oracle hot backups on Linux platforms..................................................................................................................513
Recovering Your System on Linux......................................................................................................................... 513
Recovery Information Worksheet for Linux..................................................................................................... 513
About recovering the database on Linux........................................................................................................ 514
Restoring an Existing Database on Linux....................................................................................................... 515
Creating a New Database on Linux................................................................................................................ 516
Recovering the Enforce Server on Linux........................................................................................................ 517
Recovering a Detection Server on Linux........................................................................................................ 518
Log files.........................................................................................................................................................................518
Operational Log Files..............................................................................................................................................519
Debug Log Files......................................................................................................................................................520
Log collection and configuration screen................................................................................................................. 524
Configuring Server Logging Behavior.....................................................................................................................525
Change the Log Configuration for a Symantec Data Loss Prevention Server................................................527
Collecting Server Logs and Configuration Files..................................................................................................... 528
About log event codes............................................................................................................................................ 531
Network Prevent for Web Operational Log Files and Event Codes....................................................................... 531
Network Prevent for Web Access Log Files and Fields.........................................................................................532
Network Prevent for Web protocol debug log files.................................................................................................533
Network Prevent for Email Log Levels................................................................................................................... 534
Network Prevent for Email operational log codes.................................................................................................. 534
Network Prevent for Email Originated Responses and Codes.............................................................................. 536
Uninstalling Data Loss Prevention components...................................................................................................... 538
Uninstalling a server............................................................................................................................................... 538
Creating the Enforce Reinstallation Resources file................................................................................................ 539
Creating the Enforce Reinstallation Resources file on Windows.....................................................................539
Creating the Enforce Reinstallation Resources file on Linux...........................................................................539
Uninstalling a server from a Windows system....................................................................................................... 539
Uninstalling Using a Graphical User Interface.................................................................................................540
Uninstalling Silently.......................................................................................................................................... 540
Uninstalling a Server from a Linux system.............................................................................................................540
About Symantec DLP Agent removal..................................................................................................................... 541
Removing a DLP Agent from a Windows endpoint.........................................................................................541
Removing DLP Agents from Windows Endpoints Using System Management Software............................... 541
Removing DLP Agents from Mac endpoints Using System Management Software....................................... 542
Removing a DLP Agent from a Mac Endpoint................................................................................................543
Removing a DLP Agent from a Linux Endpoint.............................................................................................. 543
About High Availability and Disaster Recovery for Symantec Data Loss Prevention.......................................... 543
Testing and Qualification Disclaimer.......................................................................................................................544
Governance Considerations....................................................................................................................................544
General Considerations for DLP Data Flow and Incident Data Storage......................................................... 544
Best-Practice Considerations for Optimizing Symantec Data Loss Prevention for High Availability and Disaster Recovery.......................................................................................................................................... 545
Regulatory Requirements Affecting High Availability and Disaster Recovery................................................. 545
Cybersecurity Control Frameworks..................................................................................................................545
Control Categories........................................................................................................................................... 546
Architectural Considerations................................................................................................................................... 546
Oracle Architectural Considerations................................................................................................................ 547
Enforce Server Architectural Considerations...................................................................................................548
Detection Server Architectural Considerations................................................................................................ 549
Cloud Architectural Considerations................................................................................................................. 551
Best Practices......................................................................................................................................................... 551
Configure Oracle 19c Enterprise Edition for High Availability and Disaster Recovery.................................... 552
Configure Oracle 19c Standard Edition for High Availability and Disaster Recovery......................................553
Configure the Enforce Server for High Availability and Disaster Recovery.....................................................554
Configure Detection Servers for High Availability and Disaster Recovery...................................................... 561
Configure Network Discover Clusters for High Availability and Disaster Recovery........................................ 568
Configure Information Centric Analytics for High Availability and Disaster Recovery..................................... 570
Managing the Enforce Server......................................................................................................... 574
Managing Enforce Server services and settings......................................................................................................574
Symantec Data Loss Prevention Services............................................................................................................. 574
Increase the Max Memory............................................................................................................................... 575
Starting and Stopping Services on Windows......................................................................................................... 575
Starting an Enforce Server on Windows......................................................................................................... 575
Stopping an Enforce Server on Windows....................................................................................................... 576
Starting a Detection Server on Windows........................................................................................................ 576
Stopping a Detection Server on Windows...................................................................................................... 576
Starting Services on Single-tier Windows Installations................................................................................... 577
Stopping Services on Single-tier Windows Installations..................................................................................577
Starting and Stopping Services on Linux............................................................................................................... 577
Starting an Enforce Server on Linux............................................................................................................... 578
Stopping an Enforce Server on Linux............................................................................................................. 578
Starting a Detection Server on Linux.............................................................................................................. 578
Stopping a Detection Server on Linux............................................................................................................ 578
Starting services on single-tier Linux installations...........................................................................................579
Stopping Services on Single-tier Linux Installations....................................................................................... 579
Working with General Settings............................................................................................................................... 579
About protocol filtering............................................................................................................................................ 580
Traffic screen (Traffic report)........................................................................................................................... 580
Traffic screen (Traffic detail)............................................................................................................................ 581
Protocols screen.............................................................................................................................................. 582
Configure a protocol........................................................................................................................................ 583
Protocol configuration examples......................................................................................................................590
About Enforce Server screen load performance.................................................................................................... 592
Test platform and configurations......................................................................................................................592
About screen load performance testing.......................................................................................................... 592
Enforce Server screen load test results.......................................................................................................... 593
About the Endpoint and Network Discover communications settings.................................................................... 594
Managing roles and users...........................................................................................................................................595
About role-based access control............................................................................................................................ 595
About authenticating users..................................................................................................................................... 596
Configuring user authentication.............................................................................................................................. 598
About SAML authentication............................................................................................................................. 598
Setting up authentication................................................................................................................................. 598
Administrator Bypass URL...............................................................................................................................599
Set up and configure the authentication method............................................................................................ 599
Set up the SAML authentication configuration................................................................................................ 600
Set Up the IdP Authentication Method............................................................................................................601
Generate or download Enforce (service providers) SAML metadata..............................................................601
Configure the Enforce Server as a SAML service provider with the IdP (Create an application in your identity provider)........................................................................................................................................... 602
Export the IdP metadata to DLP..................................................................................................................... 602
Configuring Active Directory authentication.....................................................................................................602
Configuring forms-based authentication.......................................................................................................... 603
Configuring certificate authentication...............................................................................................................603
About configuring roles and users..........................................................................................................................603
About recommended roles for your organization................................................................................................... 603
Roles included with solution packs.........................................................................................................................604
Configuring Roles....................................................................................................................................................605
Configuring user accounts...................................................................................................................................... 610
Configuring user authentication and role assignment using Active Directory........................................................ 612
Steps to use AD to provide user access to the Enforce Server administration console................................. 612
Upgrading manually managed roles to AD-managed roles............................................................................ 615
Configuring password enforcement settings...........................................................................................................615
Resetting the Administrator Password....................................................................................................................615
Manage and add roles............................................................................................................................................616
Manage and add users...........................................................................................................................................616
Integrating Active Directory for user authentication................................................................................................617
Creating the Configuration File for Active Directory Integration...................................................................... 618
Verifying the Active Directory connection........................................................................................................ 619
Configuring the Enforce Server for Active Directory authentication................................................................ 619
About certificate authentication configuration......................................................................................................... 620
Configuring Certificate Authentication for the Enforce Server Administration Console................................... 621
Adding certificate authority (CA) certificates to the Tomcat trust store........................................................... 623
Mapping Common Name (CN) values to Symantec Data Loss Prevention user accounts.............................625
About certificate revocation checks................................................................................................................. 625
Troubleshooting Certificate Authentication...................................................................................................... 627
Disabling password authentication and forms-based logon............................................................................ 628
Connecting to group directories................................................................................................................................ 628
Creating connections to LDAP servers.................................................................................................................. 628
Configuring directory server connections............................................................................................................... 629
Scheduling Directory Server Indexing.................................................................................................................... 630
Credential Store............................................................................................................................................................631
Adding new credentials to the credential store...................................................................................................... 632
Configuring endpoint credentials............................................................................................................................ 632
Managing credentials in the credential store..........................................................................................................633
Managing Stored Credentials................................................................................................................................. 633
Add a Stored Credential.................................................................................................................................. 633
Delete a Stored Credential.............................................................................................................................. 634
Edit a Stored Credential.................................................................................................................................. 634
Managing System Events and Messages..................................................................................................................634
Using Audit Logs.....................................................................................................................................................634
System Events........................................................................................................................................................ 635
System Events Reports.......................................................................................................................................... 636
Filter the List of System Events by Date of Occurrence.................................................................................637
Apply Additional Advanced Filters................................................................................................................... 637
Working with Saved System Reports..................................................................................................................... 638
Server and Detectors Event Detail......................................................................................................................... 639
Configuring Event Thresholds and Triggers........................................................................................................... 640
About System Event Responses............................................................................................................................ 641
Enabling a Syslog Server....................................................................................................................................... 642
System Alerts.......................................................................................................................................................... 643
Configuring the Enforce Server to Send Email Alerts............................................................................................ 644
Configuring System Alerts...................................................................................................................................... 645
About Log Review...................................................................................................................................................646
System event codes and messages.......................................................................................................................647
Managing the Symantec Data Loss Prevention database....................................................................................... 666
Working with Symantec Data Loss Prevention database diagnostic tools.............................................................666
Viewing Tablespaces and Data File Allocations..................................................................................................... 666
Adjusting warning thresholds for tablespace usage in large databases......................................................... 667
Generating a Database Report........................................................................................................................668
Viewing Table Details.............................................................................................................................................. 668
Secure Communications Between DLP Agents and Endpoint Servers................................................................. 669
Configuring Endpoint Prevent Servers to Use Custom Certificates....................................................................... 670
Configuring DLP Agents to Use Custom Certificates.............................................................................................671
Adding and Modifying Custom Keystores for Endpoint Prevent Servers............................................................... 672
Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers......................................673
Deleting Custom Keystores and Truststores.......................................................................................................... 673
Using the agent_communication_updater utility..................................................................................................... 674
Limitations of DLP support for custom certificates................................................................................................. 675
Advanced Endpoint Prevent Server Settings That Support Custom Certificates................................................... 675
Revocation Checks For Custom Certificates..........................................................................................................676
Certificate Management.......................................................................................................................................... 676
Adding a new product module................................................................................................................................... 676
Installing a New License File..................................................................................................................................677
Deploy Symantec Data Loss Prevention servers on Amazon Web Services.........................................................677
What you should know.................................................................................................................................... 677
Introducing Symantec Data Loss Prevention on Amazon Web Services........................................................678
Considerations for deploying supported servers on Amazon Web Services...................................................681
Workflow for deploying a Data Loss Prevention detection server on AWS.....................................................685
Configuring certificates for securing communications between the Enforce Server and Amazon RDS for Oracle....... 689
Upgrading an Enforce Server running in AWS............................................................................................... 691
System Readiness and Appliances Update........................................................................................................... 696
Working with Microsoft Information Protection....................................................................................................... 696
About the Symantec integration with MIP for DLP..........................................................................................696
Implementing MIP capabilities for DLP Agents and on-premises detection servers....................................... 697
Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal...................................................700
Enabling MIP on the Azure portal for detection servers................................................................................. 700
Configuring proxy server details for AIP Insight Deployment..........................................................................701
Managing MIP credential profiles for agents and on-premises detection servers...........................................702
Using the Content Matches MIP Tag rule....................................................................................................... 704
Configuring response rules using MIP Classification labels in the Enforce Server administration console..... 705
Integrating MIP classification labels in the Enforce Server administration console.........................................706
About MIP incident and matches behavior..................................................................................................... 706
Troubleshooting the Symantec integration with MIP for DLP..........................................................................708
Configuring the connection between the Enforce Server and Data Insight............................................................708
Generating Local Telemetry Reports......................................................................................................................... 709
Viewing Local Telemetry Reports...............................................................................................................................710
Telemetry Reporting..................................................................................................................................................... 710
Using ICA with Symantec Data Loss Prevention..................................................................................................... 711
Create an API user in ICA...................................................................................................................................... 712
Managing Detection Servers...........................................................................................................713
Installing and managing detection servers and cloud detectors........................................................................... 713
About managing Symantec Data Loss Prevention servers.................................................................................... 714
About Microsoft Rights Management file and email monitoring............................................................................. 714
Enabling Microsoft Rights Management file monitoring.................................................................................. 715
Enabling Advanced Process Control...................................................................................................................... 716
Server controls........................................................................................................................................................ 717
Server configuration—basic.................................................................................................................................... 718
Network Monitor Server—Basic Configuration................................................................................................ 719
Network Prevent for Web Server—Basic Configuration..................................................................................720
Network Discover Server and Network Protect—basic configuration............................................................. 722
Endpoint Prevent Server—Basic Configuration...............................................................................................722
Single Tier Monitor — basic configuration...................................................................................................... 723
Editing a detector.................................................................................................................................................... 724
Server and detector configuration—advanced....................................................................................................... 724
Adding a detection server....................................................................................................................................... 724
Adding a cloud detector..........................................................................................................................................726
Adding an appliance............................................................................................................................................... 727
Configuring an appliance........................................................................................................................................ 727
Configuring the API Detection for Developer Apps Appliance............................................................................... 728
Removing a server..................................................................................................................................................728
Importing SSL certificates to Enforce or Discover servers.....................................................................................729
About the Overview screen.................................................................................................................................... 729
Configuring the Enforce Server to use a proxy to connect to cloud services........................................................ 730
Safelisting Cloud Proxy Connections............................................................................................................... 731
Server and detector status overview...................................................................................................................... 731
Recent error and warning events list......................................................................................................................733
Server/Detector Detail screen................................................................................................................................. 733
Configure Server - Edit Protocol Filtering...............................................................................................................734
Advanced Server Settings...................................................................................................................................... 734
Advanced detector settings.....................................................................................................................................761
About using load balancers in an endpoint deployment........................................................................................ 763
Endpoint Prevent Server Support For Deploying An NGINX Server As A Reverse Proxy.....................................765
Managing Log Files......................................................................................................................................................765
Log files................................................................................................................................................................... 765
Operational Log Files.......................................................................................................................................766
Debug Log Files...............................................................................................................................................768
Log collection and configuration screen................................................................................................................. 772
Configuring Server Logging Behavior.....................................................................................................................772
Change the Log Configuration for a Symantec Data Loss Prevention Server................................................774
Collecting Server Logs and Configuration Files..................................................................................................... 775
About log event codes............................................................................................................................................ 778
Network Prevent for Web Operational Log Files and Event Codes................................................................ 778
Network Prevent for Web Access Log Files and Fields..................................................................................779
Network Prevent for Web protocol debug log files..........................................................................................781
Network Prevent for Email Log Levels............................................................................................................781
Network Prevent for Email operational log codes........................................................................................... 781
Network Prevent for Email Originated Responses and Codes....................................................................... 784
Using Symantec Data Loss Prevention utilities....................................................................................................... 785
About Symantec Data Loss Prevention utilities......................................................................................................785
About Endpoint utilities........................................................................................................................................... 786
DBPasswordChanger.............................................................................................................................................. 786
DBPasswordChanger Syntax...........................................................................................................................787
Example of using DBPasswordChanger......................................................................................................... 787
Increasing the inspection content size......................................................................................................................787
Guidelines for Increasing System Memory on Detection Servers..........................................................................790
About Data Loss Prevention Policy Authoring............................................................................ 793
Handling Non-BMP Unicode Characters in Data Loss Prevention 16.0.1.............................................................. 793
Policy components.......................................................................................................................................................794
Policy templates........................................................................................................................................................... 795
Solution packs.............................................................................................................................................................. 796
Policy groups................................................................................................................................................................796
Policy deployment........................................................................................................................................................797
Policy severity.............................................................................................................................................................. 797
Policy authoring privileges......................................................................................................................................... 798
Data Profiles..................................................................................................................................................................798
User Groups..................................................................................................................................................................799
Policy template import and export.............................................................................................................................800
Workflow for implementing policies.......................................................................................................................... 800
Viewing, printing, and downloading policy details.................................................................................................. 801
Detecting data loss...................................................................................................................................................... 801
Content that can be detected................................................................................................................................. 802
Files that can be detected...................................................................................................................................... 802
Protocols that can be monitored.............................................................................................................................802
Endpoint events that can be detected....................................................................................................................802
Identities that can be detected............................................................................................................................... 803
Languages that can be detected............................................................................................................................ 803
Data Loss Prevention policy detection technologies.............................................................................................. 803
Policy Evaluation Engine Details for DLP 16.0.........................................................................................................804
Changes in the 16.0 Policy Evaluation Engine.........................................................................................................805
Handling Large Policies for Legacy (pre-DLP 16.0) Agents.................................................................................... 805
Policy matching conditions........................................................................................................................................ 806
Content matching conditions...................................................................................................................................807
File property matching conditions........................................................................................................................... 808
Protocol matching condition for network.................................................................................................................808
Endpoint matching conditions................................................................................................................................. 808
Groups (identity) matching conditions.................................................................................................................... 809
Detection Messages and Message Components......................................................................................................810
Exception Conditions...................................................................................................................................................812
Compound rules........................................................................................................................................................... 813
Policy Detection Execution......................................................................................................................................... 813
Two-Tier Detection for DLP Agents........................................................................................................................... 814
Creating a policy from a template..............................................................................................................................815
US Regulatory Enforcement policy Templates......................................................................................................... 816
General Data Protection Regulation (GDPR) policy Templates.............................................................................. 817
International Regulatory Enforcement policy Templates.........................................................................................818
Customer and Employee Data Protection policy Templates................................................................................... 819
Confidential or Classified Data Protection policy Templates..................................................................................819
Network Security Enforcement policy Templates.....................................................................................................820
Acceptable Use Enforcement policy Templates....................................................................................................... 821
Columbia Personal Data Regulatory Enforcement Policy Template...................................................................... 821
Choosing an Exact Data Profile................................................................................................................................. 822
Choosing an Indexed Document Profile....................................................................................................................823
Adding a new policy or PolicyProfile Template........................................................................................................824
Configuring policies.....................................................................................................................................................824
Adding a Rule to a Policy............................................................................................................................................825
Configuring Policy Rules............................................................................................................................................ 827
Defining rule severity...................................................................................................................................................829
Configuring Match Counting.......................................................................................................................................829
Selecting components to match on........................................................................................................................... 831
Adding an Exception to a Policy................................................................................................................................ 831
Configuring Policy Exceptions................................................................................................................................... 833
Configuring compound rules...................................................................................................................................... 835
Input character limits for policy configuration......................................................................................................... 836
Manage and add policies............................................................................................................................................ 836
Manage and add policy groups..................................................................................................................................838
Creating and modifying policy groups...................................................................................................................... 838
Importing policies.........................................................................................................................................................839
About importing policies..........................................................................................................................................839
About Policy References.........................................................................................................................................840
Exporting policies........................................................................................................................................................ 841
About policy export................................................................................................................................................. 841
Cloning policies............................................................................................................................................................841
Importing Policy Templates.........................................................................................................................................842
Exporting policy detection as a template................................................................................................................. 842
Adding an automated response rule to a policy...................................................................................................... 843
Removing policies and policy groups....................................................................................................................... 843
Viewing and printing policy details............................................................................................................................844
Downloading policy details......................................................................................................................................... 844
Troubleshooting policies............................................................................................................................................. 845
Updating EDM and IDM profiles to the latest version............................................................................................. 845
Updating policies after upgrading to the latest version.......................................................................................... 846
About Installing Remote Indexers..............................................................................................................................847
Installing a remote indexer on Windows...................................................................................................................847
Installing a remote indexer on Linux.........................................................................................................................849
Configuring a Remote Indexer on Linux................................................................................................................... 849
Best practices for authoring policies........................................................................................................................ 850
Develop a policy strategy that supports your data security objectives................................................................ 851
Use a limited number of policies to get started.......................................................................................................851
Use policy templates but modify them to meet your requirements....................................................................... 851
Use the appropriate match condition for your data loss prevention objectives...................................................852
Test and tune policies to improve match accuracy................................................................................................. 852
Start with high match thresholds to reduce false positives................................................................................... 853
Use a limited number of exceptions to narrow detection scope............................................................................853
Use compound rules to improve match accuracy................................................................................................... 854
Author policies to limit the potential effect of two-tier detection...........................................................................854
Use policy groups to manage policy lifecycle......................................................................................................... 855
Follow detection-specific best practices...................................................................................................................855
Introducing Structured Data Identifiers..................................................................................................................... 855
Structured Data Identifiers Requirements and Options..........................................................................................856
Creating a Content Matches Structured Data Identifier Rule................................................................................. 861
Advanced Configuration Settings for Structured Data Matching............................................................................ 861
Introducing Exact Match Data Identifiers (EMDI)..................................................................................................... 862
About using EMDI to protect content..................................................................................................................... 862
About EMDI policy features.................................................................................................................................... 862
EMDI compared to EDM.........................................................................................................................................863
About the Exact Match Data Identifier profile and index........................................................................................864
About the Exact Match Data Identifier source file..................................................................................................865
About cleansing the Exact Match Data Identifier source file..................................................................................865
About EMDI and key columns................................................................................................................................ 866
About EMDI index scheduling.................................................................................................................................866
Configuring Exact Match Data Identifier profiles..................................................................................................... 867
Creating the Exact Match Data Identifier source file..............................................................................................868
Preparing the Exact Match Data Identifier source for indexing..............................................................................868
Uploading the Exact Match Data Identifier Source Files to the Enforce Server.....................................................869
Adding Exact Match Data Identifier Profiles........................................................................................................... 871
Creating and Modifying the Exact Match Data Identifier Profiles...........................................................................871
Scheduling EMDI profile indexing...........................................................................................................................873
Associating data identifiers with your data source (EMDI).....................................................................................874
Adding an EMDI check to a built-in or custom data identifier condition in a policy................................................875
Optimized Index Distribution to Endpoints for EMDI.............................................................................................. 875
Creating an incremental index for EMDI......................................................................................................... 876
Using keep_all_files=true for EMDI................................................................................................................. 876
Understanding the limitations of incremental indexing with EMDI.................................................................. 876
Configuring parameters for EMDI.............................................................................................................................. 877
Memory requirements for EMDI..................................................................................................................................877
EMDI memory configuration and limitations........................................................................................................... 877
Overview of configuring memory and indexing the data source for EMDI............................................................. 878
Determining requirements for both local indexers and remote indexers for EMDI.................................................878
Detection server memory requirements for EMDI.................................................................................................. 879
Increasing the memory for the detection server (File Reader) for EMDI............................................................... 880
Profile size limitations on the DLP Agent for EMDI............................................................................................... 881
EMDI memory configuration and limitations........................................................................................................... 881
Properties File Settings for EMDI...............................................................................................................................882
Best practices for using EMDI....................................................................................................................................883
Never use a personal identifier as an optional column in EMDI............................................................................ 884
Use three or more columns in a match for EMDI.................................................................................................. 884
Don’t use EMDI validators as both optional and required for a given data identifier in a policy.............................884
Use additional validators with EMDI where possible..............................................................................................884
Limit the required number of columns to two or three for EMDI............................................................................884
When matching with only a single optional column, avoid adding low-variability values as optional columns with EMDI........................................................................................................................................................ 885
Use full disk encryption on EMDI endpoint deployments.......................................................................................885
Cleanse the EMDI data source file of blank columns and duplicate rows............................................................. 885
Remove ambiguous character types from the EMDI data source file....................................................................885
Clean up your EMDI data source for multi-token matching................................................................................... 886
Do not use the comma delimiter if the EMDI data source has number fields........................................................ 886
Ensure that the EMDI data source is clean for indexing........................................................................................886
Include column headers as the first row of the EMDI data source file...................................................................887
Check the EMDI system alerts to tune profile accuracy........................................................................................ 887
Use scheduled indexing to automate EMDI profile updates.................................................................................. 887
Never use a personal identifier as an optional column in EMDI............................................................................ 887
Use three or more columns in a match for EMDI.................................................................................................. 888
Don’t use EMDI validators as both optional and required for a given data identifier in a policy.............................888
Use additional validators with EMDI where possible..............................................................................................888
Limit the required number of columns to two or three for EMDI............................................................................888
When matching with only a single optional column, avoid adding low-variability values as optional columns with EMDI........................................................................................................................................................ 888
Use full disk encryption on EMDI endpoint deployments.......................................................................................888
Remove ambiguous character types from the EMDI data source file....................................................................888
Clean up your EMDI data source for multi-token matching................................................................................... 889
Cleanse the EMDI data source file of blank columns and duplicate rows............................................................. 889
Do not use the comma delimiter if the EMDI data source has number fields........................................................ 890
Ensure that the EMDI data source is clean for indexing........................................................................................890
Include column headers as the first row of the EMDI data source file...................................................................890
Check the EMDI system alerts to tune profile accuracy........................................................................................ 890
Use scheduled indexing to automate EMDI profile updates.................................................................................. 890
Match on two or more optional columns in an EMDI condition to increase detection accuracy............................. 891
Use the minimum matches field to fine-tune EMDI rules.......................................................................................891
EMDI Troubleshooting................................................................................................................................................. 892
The EMDI index doesn’t get published to the Endpoint Agent.............................................................................. 892
The EMDI index doesn’t get published to the Endpoint Agent and the EnabledOnAgents setting is true.............. 892
A key column that is in an EMDI index doesn’t generate an incident....................................................................892
EMDI generates an unexpectedly high number of false positives......................................................................... 892
Introducing Exact Data Matching (EDM)................................................................................................................... 893
About using EDM to protect content...................................................................................................................... 893
EDM policy features................................................................................................................................................894
EDM policy Templates..................................................................................................................................... 894
About the Exact Data Profile and index................................................................................................................. 895
About the exact data source file.............................................................................................................................896
About cleansing the exact data source file for EDM.............................................................................................. 897
About EMDI and key columns................................................................................................................................ 897
About using System Fields for data source validation with EDM...........................................................................898
About index scheduling for EDM............................................................................................................................ 898
About the Content Matches Exact Data From condition for EDM..........................................................................899
About Data Owner Exception for EDM...................................................................................................................899
About profiled Directory Group Matching (DGM) for EDM..................................................................................... 899
About Two-tier Detection for EDM on the Endpoint............................................................................................... 900
About upgrading EDM deployments....................................................................................................................... 900
Configuring Exact Data profiles for EDM.................................................................................................................. 900
Creating the exact data source file for EDM.......................................................................................................... 901
Creating the exact data source file for Data Owner Exception for EDM................................................................902
Creating the Exact Data Source File for Profiled DGM..........................................................................................902
Preparing the exact data source file for indexing for EDM.................................................................................... 903
Uploading Exact Data Source Files for EDM to the Enforce Server......................................................................904
Creating and modifying Exact Data Profiles for EDM............................................................................................ 906
Mapping Exact Data Profile fields for EDM............................................................................................................909
Using system-provided pattern validators for EDM profiles................................................................................... 910
Scheduling Exact Data Profile indexing for EDM................................................................................................... 911
Managing and adding Exact Data Profiles for EDM...............................................................................................912
Configuring EDM policies........................................................................................................................................... 913
Configuring the Content Matches Exact Data policy condition for EDM................................................................ 913
Configuring the Data Owner Exception for EDM policy conditions........................................................................ 915
Configuring the Sender/User based on a Profiled Directory policy condition for EDM...........................................915
Configuring the Recipient based on a Profiled Directory policy condition for EDM................................................916
About configuring natural language processing for Chinese, Japanese, and Korean for EDM policies................. 916
Introducing EDM token matching.................................................................................................................... 917
EDM token matching examples for CJK languages........................................................................................917
Enabling and using CJK token verification for EDM....................................................................................... 917
Configuring Advanced Settings for EDM policies...................................................................................................918
Using multi-token matching with EDM...................................................................................................................... 919
Characteristics of multi-token cells (EDM)..............................................................................................................920
Multi-token with spaces (EDM)............................................................................................................................... 920
Multi-token with Stopwords (EDM)......................................................................................................................... 920
Multi-token with mixed language characters (EDM)...............................................................................................921
Multi-token with punctuation (EDM)........................................................................................................................921
Additional examples for multi-token cells with punctuation (EDM).........................................................................922
Some special use cases for system-recognized data patterns (EDM)...................................................................924
Multi-token punctuation characters (EDM)............................................................................................................. 925
Match count variant examples (EDM).................................................................................................................... 926
Proximity matching example for EDM.................................................................................................................... 927
Updating EDM indexes to the latest version............................................................................................................ 928
Update process using the Remote EDM Indexer...................................................................................................929
Update process using the Enforce Server for EDM............................................................................................... 930
EDM index out-of-date error codes........................................................................................................................ 931
Memory requirements for EDM...................................................................................................................................931
About memory requirements for EDM.................................................................................................................... 932
Determining requirements for both local and remote indexers for EDM................................................................ 932
Overview of configuring memory and indexing the data source for EDM.............................................................. 933
Increasing the memory for the Enforce Server EDM indexer................................................................................ 934
Increasing the Memory for the Remote EDM Indexer............................................................................................934
Detection server memory requirements for EDM................................................................................................... 935
Increasing the memory for the detection server (File Reader) for EDM................................................................ 936
Using the EDM Memory Requirements Spreadsheet............................................................................................ 937
Remote EDM indexing................................................................................................................................................. 937
About the Remote EDM Indexer............................................................................................................................ 938
About the SQL Preindexer for EDM....................................................................................................................... 938
System requirements for remote EDM indexing.....................................................................................................938
Workflow for Remote EDM Indexing...................................................................................................................... 938
About installing and running the Remote EDM Indexer and SQL Preindexer utilities............................................939
Creating an EDM profile template for remote indexing.......................................................................................... 940
Downloading and copying the EDM profile file to a remote system.......................................................................941
Generating remote index files for EDM.................................................................................................................. 942
Remote indexing examples using data source file (EDM)..................................................................................... 942
Remote indexing examples using SQL Preindexer (EDM).................................................................................... 943
Copying and loading remote EDM index files to the Enforce Server.....................................................................944
SQL Preindexer command options (EDM)............................................................................................................. 944
Remote EDM Indexer command options................................................................................................................945
Troubleshooting preindexing errors for EDM..........................................................................................................946
Troubleshooting remote indexing errors for EDM.................................................................................................. 947
Installing the Remote EDM Indexer........................................................................................................................948
Permissions for users to run the remote indexers (EDM)...............................................................................948
Best practices for using EDM.....................................................................................................................................948
Ensure data source has at least one column of unique data (EDM)..................................................................... 949
Cleanse the data source file of blank columns and duplicate rows (EDM)............................................................950
Remove ambiguous character types from the data source file (EDM).................................................................. 950
Understand how multi-token cell matching functions (EDM)..................................................................................951
Do not use the comma delimiter if the data source has number fields (EDM).......................................................951
Map data source column to system fields to leverage validation (EDM)............................................................... 951
Ensure that the data source is clean for indexing (EDM)...................................................................................... 952
Leverage EDM policy templates when possible.....................................................................................................952
Include column headers as the first row of the data source file (EDM)................................................................. 952
Check the system alerts to tune profile accuracy (EDM).......................................................................................953
Use stopwords to exclude common words from detection (EDM)......................................................................... 953
Use scheduled indexing to automate profile updates (EDM)................................................................................. 953
Match on 3 columns in an EDM condition to increase detection accuracy............................................................954
Leverage exception tuples to avoid false positives (EDM).................................................................................... 954
Use a WHERE clause to detect records that meet specific criteria (EDM)............................................................955
Use the minimum matches field to fine tune EDM rules........................................................................................955
Combine Data Identifiers with EDM rules to limit the impact of two-tier detection................................................. 955
Include an email address field in the Exact Data Profile for profiled DGM (EDM)................................................. 955
Use profiled DGM for Network Prevent for Web identity detection (EDM).............................................................955
Introducing Indexed Document Matching (IDM)....................................................................................................... 955
About using IDM..................................................................................................................................................... 956
Supported forms of matching for IDM.................................................................................................................... 956
Types of IDM detection...........................................................................................................................................957
Agent IDM detection........................................................................................................................................ 957
Server IDM detection....................................................................................................................................... 957
Two-tier IDM detection.....................................................................................................................................957
About the Indexed Document Profile......................................................................................................................958
About the document data source........................................................................................................................... 958
About the indexing process.................................................................................................................................... 958
About indexing remote documents......................................................................................................................... 959
About the server index files and the agent index files........................................................................................... 959
About index deployment and logging..................................................................................................................... 960
Using IDM to detect exact files.............................................................................................................................. 961
Using IDM to Detect Exact and Partial File Contents............................................................................................ 962
About using the Content Matches Document Signature policy condition...............................................................963
About Safe Listing Partial File Contents.................................................................................................................964
Configuring IDM Profiles and Policy Conditions......................................................................................................964
Preparing the document data source for indexing................................................................................................. 965
Safe Listing File Contents to Exclude from Partial Matching................................................................................. 965
Manage and add Indexed Document Profiles........................................................................................................ 966
Creating and modifying Indexed Document Profiles.............................................................................................. 967
Configure endpoint partial content matching.......................................................................................................... 969
Uploading a document archive to the Enforce Server........................................................................................... 969
Referencing a document archive on the Enforce Server....................................................................................... 970
Using local path on Enforce Server........................................................................................................................971
Using the remote SMB share option to index file shares.......................................................................................972
Using the remote SMB share option to index SharePoint documents................................................................... 972
Enabling WebDAV for Microsoft IIS.................................................................................................................973
Troubleshooting SharePoint document indexing............................................................................................. 974
Filtering documents by file name............................................................................................................................974
Filtering documents by file size.............................................................................................................................. 976
Scheduling Document Profile Indexing...................................................................................................................976
Changing the Default Indexer Properties............................................................................................................... 977
Enabling Agent IDM................................................................................................................................................ 978
Estimating endpoint memory use for agent IDM.................................................................................................... 978
Configuring the Content Matches Document Signature policy condition............................................................... 979
Best Practices for Using IDM..................................................................................................................................... 979
Reindex IDM profiles after upgrade........................................................................................................................980
Do not compress files in the document source......................................................................................................980
Do not index empty documents..............................................................................................................................981
Prefer partial matching over exact matching on the DLP Agent............................................................................ 981
Understanding the Limitations of Exact Matching.................................................................................................. 981
Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching........................................................... 982
Filter documents from indexing to reduce false positives...................................................................................... 982
Distinguish IDM Exceptions from Safe Listing and Filtering...................................................................................983
Create separate profiles to index large document sources....................................................................................983
Use WebDAV or CIFS to index remote document data sources........................................................................... 983
Use scheduled indexing to keep profiles up to date.............................................................................................. 983
Use parallel IDM rules to tune match thresholds................................................................................................... 984
About the Remote IDM Indexer.................................................................................................................................. 984
Installing the Remote IDM Indexer......................................................................................................................... 985
Setting up permissions for users to run the remote indexers......................................................................... 986
Indexing the Document Data Source Using the GUI Edition (Windows only)........................................................ 986
Indexing the document data source using the properties file.................................................................................988
Indexing the Document Data Source Using the CLI.............................................................................................. 989
Scheduling remote indexing....................................................................................................................................990
Scheduling remote indexing with the Remote IDM Indexer app for Windows....................................................... 991
Incremental indexing for IDM..................................................................................................................................992
Always keep files for IDM................................................................................................................................993
Logging and Troubleshooting..................................................................................................................................993
Copying the preindex file to the Enforce Server host............................................................................................ 993
Loading the Remote Index File on to the Enforce Server......................................................................................993
Using a Password File with Remote Indexing................................................................................................ 994
Introducing Vector Machine Learning (VML)............................................................................................................ 994
About the Vector Machine Learning Profile............................................................................................................995
About the content you train.................................................................................................................................... 995
About the base accuracy from training percentage rates...................................................................................... 996
About the Similarity Threshold and Similarity Score.............................................................................................. 996
About using unaccepted VML profiles in policies...................................................................................................997
Configuring VML profiles and policy conditions......................................................................................................997
Creating new VML profiles..................................................................................................................................... 998
Working with the Current Profile and Temporary Workspace tabs.........................................................................999
Uploading example documents for training............................................................................................................ 999
Training VML profiles............................................................................................................................................ 1000
Adjusting the memory allocation...........................................................................................................................1002
Managing training set documents.........................................................................................................................1003
Managing VML profiles......................................................................................................................................... 1003
Changing names and descriptions for VML profiles.............................................................................................1005
Configuring the Detect using Vector Machine Learning Profile condition.............................................................1005
Configuring VML policy exceptions.......................................................................................................................1006
Adjusting the Similarity Threshold........................................................................................................................ 1007
Testing and tuning VML profiles........................................................................................................................... 1007
Properties for configuring training.........................................................................................................................1008
Log files for troubleshooting VML training and policy detection...........................................................................1010
Best practices for using VML................................................................................................................................... 1010
When to use VML................................................................................................................................................. 1011
When not to use VML...........................................................................................................................................1012
Recommendations for training set definition........................................................................................................ 1012
Guidelines for training set sizing.......................................................................................................................... 1013
Recommendations for uploading documents for training..................................................................................... 1014
Guidelines for profile sizing...................................................................................................................................1014
Recommendations for accepting or rejecting a profile......................................................................................... 1014
Guidelines for Accepting or Rejecting Training Results....................................................................................... 1015
Recommendations for deploying profiles..............................................................................................................1016
About Form Recognition detection..........................................................................................................................1016
How Form Recognition works...............................................................................................................................1016
Configuring Form Recognition detection................................................................................................................ 1017
Preparing a Form Recognition Gallery Archive.................................................................................................... 1017
Configuring a Form Recognition profile................................................................................................................ 1018
Configuring the Form Recognition detection rule................................................................................................. 1018
Configuring the Form Recognition exception rule................................................................................................ 1019
Managing Form Recognition profiles...................................................................................................................... 1019
Advanced server settings for Form Recognition.................................................................................................. 1021
Viewing a Form Recognition incident......................................................................................................................1021
About Content Detection with On Premises OCR..................................................................................................1021
Installing an On Premises OCR Sensitive Image Recognition License............................................................... 1022
Setting Up On-Premises OCR Servers.................................................................................................................... 1022
Exporting Private Keys, Certificates, and Trusted Certificates from a 15.x OCR Server....................................1024
Using Diagnostics for Sizing OCR Server Deployments....................................................................................... 1025
Creating a null policy to assist in OCR diagnostics for Discover Servers..........................................................1026
Using the OCR Server Sizing Estimator..................................................................................................................1026
OCR Server System Requirements.......................................................................................................................... 1029
File Types Supported for On Premises OCR Extraction........................................................................................1029
Detection Types Supported for On Premises OCR Extraction..............................................................................1029
More About Languages and Dictionaries................................................................................................................1030
Adding or Editing an On Premises OCR Configuration........................................................................................ 1030
Creating an OCR Configuration................................................................................................................................1030
Viewing OCR Incidents in Reports...........................................................................................................................1032
Setting Up TLS Trust................................................................................................................................................. 1032
Introducing User Risk Based Detection.................................................................................................................. 1033
Data Identifiers............................................................................................................................................................ 1034
System-defined data identifiers.............................................................................................................................1035
Personal identity data identifiers....................................................................................................................1035
Financial data identifiers................................................................................................................................ 1043
Healthcare data identifiers............................................................................................................................. 1043
Information technology data identifiers..........................................................................................................1044
International keywords for PII data identifiers............................................................................................... 1044
Extending and customizing data identifiers.......................................................................................................... 1044
About data identifier configuration........................................................................................................................ 1044
About data identifier breadths...............................................................................................................................1045
About optional validators for data identifiers........................................................................................................ 1045
About data identifier patterns................................................................................................................................1045
About pattern validators........................................................................................................................................ 1046
About data normalizers......................................................................................................................................... 1046
About cross-component matching........................................................................................................................ 1046
About unique match counting............................................................................................................................... 1047
Configuring data identifier policy conditions......................................................................................................... 1047
Workflow for configuring data identifier policies............................................................................................ 1047
Managing and Adding Data Identifiers.......................................................................................................... 1047
Editing data identifiers................................................................................................................................... 1048
Configuring the Content Matches data identifier condition............................................................................1049
Using data identifier breadths........................................................................................................................1050
Selecting a data identifier breadth.................................................................................................................1050
Using optional validators................................................................................................................................1066
Configuring optional validators...................................................................................................................... 1067
Acceptable characters for optional validators................................................................................................1067
Using unique match counting........................................................................................................................ 1075
Configuring unique match counting............................................................................................................... 1076
Modifying system data identifiers..........................................................................................................................1076
Cloning a system data identifier before modifying it..................................................................................... 1077
Editing pattern validator input........................................................................................................................ 1077
List of pattern validators that accept input data............................................................................................ 1078
Editing keywords for international PII data identifiers................................................................................... 1079
List of keywords for international system data identifiers..............................................................................1079
Updating policies to use the US Randomized SSN data identifier............................................................... 1102
Creating custom data identifiers........................................................................................................................... 1103
Workflow for creating custom data identifiers............................................................................................... 1104
Custom Data Identifier Configuration............................................................................................................ 1105
Using the legacy data identifier pattern language.........................................................................................1106
Writing data identifier patterns to match data............................................................................................... 1108
Using pattern validators................................................................................................................................. 1109
Selecting pattern validators........................................................................................................................... 1116
Selecting a data normalizer........................................................................................................................... 1117
Creating custom script validators.................................................................................................................. 1117
Configuring pre- and post-validators............................................................................................................. 1118
Best practices for using data identifiers............................................................................................................... 1119
Use data identifiers instead of regular expressions to improve accuracy..................................................... 1120
Clone system-defined data identifiers before modifying to preserve original state....................................... 1120
Modify data identifier definitions when you want tuning to apply globally..................................................... 1120
Consider using multiple breadths in parallel to detect different severities of confidential data......................1121
Avoid matching on the Envelope over HTTP to reduce false positives........................................................ 1121
Use the US Randomized SSN data identifier to detect SSNs...................................................................... 1121
Use unique match counting to improve accuracy and ease remediation......................................................1121
Introducing keyword matching................................................................................................................................. 1122
About keyword matching for Chinese, Japanese, and Korean (CJK) languages.................................................1122
About keyword proximity.......................................................................................................................................1123
Keyword matching syntax..................................................................................................................................... 1123
Keyword matching examples................................................................................................................................ 1124
Keyword matching examples for CJK languages.................................................................................................1125
About updates to the Drug, Disease, and Treatment keyword lists..................................................................... 1125
Configuring keyword matching................................................................................................................................ 1126
Configuring the Content Matches Keyword condition.......................................................................................... 1126
Enabling and using CJK token verification for server keyword matching.............................................................1128
Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and Caldicott policies....................... 1129
Best practices for using keyword matching........................................................................................................... 1129
Enable token verification on the server to reduce false positives for CJK keyword detection..............................1130
Keep the keyword lists for your HIPAA and Caldicott policies up to date............................................................ 1130
Tune keywords lists for data identifiers to improve match accuracy.................................................................... 1130
Use keyword matching to detect document metadata......................................................................................... 1131
Use VML to generate and maintain large keyword dictionaries...........................................................................1131
Introducing regular expression matching............................................................................................................... 1131
About the updated regular expression engine....................................................................................................... 1131
About writing regular expressions for policy condition matching....................................................................... 1131
Configuring the Content Matches Regular Expression condition........................................................................ 1132
Best practices for using regular expression matching......................................................................................... 1133
When to use regular expression matching...........................................................................................................1133
Use look ahead and look behind characters to improve regular expression accuracy........................................ 1134
Use regular expressions sparingly to support efficient performance....................................................................1134
Test regular expressions before deployment to improve accuracy...................................................................... 1134
Detecting non-English language content................................................................................................................ 1134
Best practices for detecting non-English language content................................................................................. 1134
Use international policy templates for policy creation.......................................................................................... 1135
Use custom keywords for system data identifiers................................................................................................ 1135
Enable token validation to match Chinese, Japanese, and Korean keywords on the server............................... 1159
Introducing file property detection.......................................................................................................................... 1160
About file type matching....................................................................................................................................... 1160
About file format support for file type matching................................................................................................... 1160
About custom file type identification..................................................................................................................... 1160
About file size matching........................................................................................................................................1161
About file name matching..................................................................................................................................... 1162
Configuring file property matching..........................................................................................................................1162
Configuring the Message Attachment or File Type Match condition.................................................................... 1162
Configuring the Message Attachment or File Size Match condition.....................................................................1163
Configuring the Message Attachment or File Name Match condition.................................................................. 1164
File name matching syntax................................................................................................................................... 1165
File name matching examples.............................................................................................................................. 1165
Enabling the Custom File Type Signature Condition in the Policy Console......................................................... 1166
Configuring the Custom File Type Signature condition........................................................................................ 1166
Best practices for using file property matching.....................................................................................................1167
Use compound file property rules to protect design and multimedia files............................................................1167
Do Not Use File Type Matching to Detect Content.............................................................................................. 1167
Calculate file size properly to improve match accuracy....................................................................................... 1167
Use expression patterns to match file names...................................................................................................... 1167
Use scripts and plugins to detect custom file types............................................................................................. 1168
About detection customization.................................................................................................................................1168
About the scripting language................................................................................................................................ 1168
About the scripting language syntax............................................................................................................. 1169
System variables............................................................................................................................................1169
Assert statement............................................................................................................................................ 1170
If/Else statements...........................................................................................................................................1170
Evaluate statement........................................................................................................................................ 1171
Evaluate statement functions.........................................................................................................................1172
Example scripts for custom file type detection..............................................................................................1174
Example scripts for custom validators...........................................................................................................1175
About the File Type Analyzer utility...................................................................................................................... 1177
Installing the File Type Analyzer utility.......................................................................................................... 1177
Launching the File Type Analyzer utility........................................................................................................1178
Creating the data set..................................................................................................................................... 1178
Analyzing data set results............................................................................................................................. 1179
Testing the script solution.............................................................................................................................. 1180
Saving, opening, editing a data set...............................................................................................................1180
Increasing the Java heap size for large or recursive data sets.................................................................... 1181
Increasing the number of bytes that are analyzed........................................................................................1181
Detection Customization Tutorials........................................................................................................................ 1181
Workflow for detecting custom file types.......................................................................................................1182
Tutorial 1: Detecting Java class files.............................................................................................................1182
Tutorial 2: Detecting an encrypted ZIP file format........................................................................................ 1184
Implementing custom script validators.......................................................................................................... 1186
Introducing protocol monitoring for network......................................................................................................... 1186
Configuring the Protocol Monitoring condition for network detection................................................................ 1186
Best practices for using network protocol matching............................................................................................ 1187
Use separate policies for specific protocols......................................................................................................... 1187
Consider detection server network placement to support IP address matching.................................................. 1187
Introducing endpoint event detection......................................................................................................................1187
About endpoint protocol monitoring...................................................................................................................... 1188
About endpoint destination monitoring................................................................................................................. 1188
About endpoint global application monitoring.......................................................................................................1188
About endpoint location detection.........................................................................................................................1189
About endpoint device detection...........................................................................................................................1189
Configuring endpoint event detection conditions..................................................................................................1189
Configuring the Endpoint Monitoring condition.....................................................................................................1190
Configuring the Endpoint Location condition........................................................................................................ 1190
Configuring the Endpoint Device Class or ID condition....................................................................................... 1191
Gathering endpoint device IDs for removable devices.........................................................................................1192
Creating and modifying endpoint device configurations....................................................................................... 1192
Best practices for using endpoint detection.......................................................................................................... 1193
Introducing described identity matching................................................................................................................ 1194
Described identity matching examples................................................................................................................... 1194
Configuring described identity matching policy conditions................................................................................. 1195
About Reusable Sender/Recipient Patterns......................................................................................................... 1195
Configuring the Sender/User Matches Pattern condition..................................................................................... 1195
Configuring a Reusable Sender Pattern...............................................................................................................1196
Configuring the Recipient Matches Pattern condition.......................................................................................... 1197
Configuring a Reusable Recipient Pattern........................................................................................................... 1198
Best practices for using described identity matching...........................................................................................1199
Define precise identity patterns to match users................................................................................................... 1199
Specify email addresses exactly to improve accuracy.........................................................................................1199
Match domains instead of IP addresses to improve accuracy.............................................................................1200
Introducing Synchronized Directory Group Matching (DGM)............................................................................... 1200
Use Synchronized DGM for Network Prevent for Web Identity Detection........................................................... 1200
About Two-tier Detection for Synchronized DGM.................................................................................................. 1200
Configuring User Groups.......................................................................................................................................... 1201
Configuring synchronized DGM policy conditions................................................................................................ 1202
Configuring the Sender/User based on a Directory Server Group condition....................................................... 1203
Configuring the Recipient based on a Directory Server Group condition.............................................................1203
Best Practices for Using Synchronized DGM......................................................................................................... 1204
Refresh the directory on initial save of the User Group.......................................................................................1204
Distinguish Synchronized DGM from Other Types of Endpoint Detection........................................................... 1204
Introducing Profiled Directory Group Matching (DGM)......................................................................................... 1204
About two-tier detection for profiled DGM..............................................................................................................1205
Configuring Exact Data profiles for DGM................................................................................................................1205
Configuring profiled DGM policy conditions.......................................................................................................... 1206
Configuring the Sender/User Based on a Profiled Directory Condition................................................................1206
Configuring the Recipient based on a Profiled Directory condition...................................................................... 1207
Best practices for using profiled DGM....................................................................................................................1207
Follow EDM best practices when implementing profiled DGM............................................................................ 1207
Include an email address field in the Exact Data Profile for profiled DGM.......................................................... 1207
Use Profiled DGM for Network Prevent for Web Identity Detection..................................................................... 1207
Introducing Contextual Attributes for User Risk Scores.......................................................................................1208
Introducing contextual attributes for cloud applications...................................................................................... 1208
Configuring contextual attribute conditions........................................................................................................... 1208
Contextual attribute categories............................................................................................................................. 1209
Overview of detection file format support.............................................................................................................. 1216
Supported formats for file type identification.........................................................................................................1217
Supported formats for content extraction...............................................................................................................1227
Supported word-processing formats for content extraction.................................................................................. 1228
Supported presentation formats for content extraction........................................................................................ 1229
Supported spreadsheet formats for content extraction........................................................................................ 1229
Supported text and markup formats for content extraction.................................................................................. 1230
Supported email formats for content extraction....................................................................................................1231
Supported CAD formats for content extraction.....................................................................................................1231
Supported graphics formats for content extraction...............................................................................................1231
Supported database formats for content extraction............................................................................................. 1232
Other File Formats Supported for Content Extraction..........................................................................................1232
Supported encapsulation formats for subfile extraction.......................................................................................1233
Supported file formats for metadata extraction..................................................................................................... 1233
About document metadata detection.................................................................................................................... 1234
Enabling server metadata detection..................................................................................................................... 1234
Enabling endpoint metadata detection................................................................................................................. 1235
Best practices for using metadata detection........................................................................................................ 1235
Always Use the Filter Utility to Verify File Format Metadata Support........................................................... 1235
Distinguish Metadata from File Content and Application Data......................................................................1237
Use and tune keyword lists to avoid false positives on metadata................................................................ 1238
Understand performance implications of enabling endpoint metadata detection.......................................... 1238
Create a separate endpoint configuration for metadata detection................................................................ 1238
Use response rules to tag incidents with metadata...................................................................................... 1238
About high-performance content extraction for Office Open XML formats.........................................................1238
Enabling High-performance Content Extraction for Office Open XML Files....................................................... 1239
About metadata extraction for Office Open XML files...........................................................................................1240
About Subfile Extraction for Office Open XML files.............................................................................................. 1241
Library of Policy Templates...................................................................................................................................... 1243
Caldicott Report Policy Template..........................................................................................................................1243
California Consumer Privacy Act Policy Template............................................................................................... 1245
Canadian Social Insurance Numbers Policy Template.........................................................................................1245
CAN-SPAM Act Policy Templates.........................................................................................................................1246
Colombian Personal Data Protection Law 1581 Policy Template........................................................................ 1247
Common Spyware Upload Sites Policy Template................................................................................................ 1247
Confidential Documents Policy Template............................................................................................................. 1247
Competitor Communications Policy Template...................................................................................................... 1248
Credit Card Numbers Policy Template................................................................................................................. 1249
Customer Data Protection Policy Template.......................................................................................................... 1249
Data Protection Act 1998 Policy Template........................................................................................................... 1250
Data Protection Directives (EU) Policy Template................................................................................................. 1251
Defense Message System (DMS) GENSER Classification Policy Template........................................................1252
Design Documents Policy Template..................................................................................................................... 1253
Developer Keys and Secrets Policy Template......................................................................................................1254
Employee Data Protection Policy Template..........................................................................................................1255
Encrypted Data Policy Template...........................................................................................................................1255
Enhanced Credit Card Numbers with Individual Users PolicyProfile Template.................................................... 1256
Export Administration Regulations (EAR) Policy Template.................................................................................. 1257
FACTA 2003 (Red Flag Rules) Policy Template.................................................................................................. 1257
Financial Information Policy Template.................................................................................................................. 1260
Forbidden Websites Policy Template....................................................................................................................1261
Gambling Policy Template.................................................................................................................................... 1261
General Data Protection Regulation (Banking and Finance)............................................................................... 1262
General Data Protection Regulation (Digital Identity)...........................................................................................1277
General Data Protection Regulation (Government Identification)........................................................................ 1277
General Data Protection Regulation (Healthcare and Insurance)........................................................................ 1292
General Data Protection Regulation (Personal Profile) Policy Template..............................................................1299
General Data Protection Regulation (Travel)........................................................................................................1301
Gramm-Leach-Bliley Policy Template................................................................................................................... 1306
HIPAA and HITECH (including PHI) Policy Template.......................................................................................... 1307
Human Rights Act 1998 policy Template............................................................................................................. 1310
Illegal Drugs Policy Template................................................................................................................................1311
Individual Taxpayer Identification Numbers (ITIN) Policy Template......................................................................1311
International Traffic in Arms Regulations (ITAR) Policy Template........................................................................ 1311
Media Files Policy template.................................................................................................................................. 1312
Medicare and Medicaid (including PHI)................................................................................................................1312
Merger and Acquisition Agreements Policy Template.......................................................................................... 1313
NASD Rule 2711 and NYSE Rules 351 and 472 Policy Template...................................................................... 1314
NASD Rule 3010 and NYSE Rule 342 Policy Template...................................................................................... 1315
NERC Security Guidelines for Electric Utilities policy template........................................................................... 1316
Network Diagrams Policy Template...................................................................................................................... 1318
Network Security Policy Template........................................................................................................................ 1318
Offensive Language Policy Template................................................................................................................... 1318
Office of Foreign Assets Control (OFAC) Policy Template...................................................................................1318
OMB Memo 06-16 and FIPS 199 Regulations Policy Template.......................................................................... 1320
Passwords Policy Template.................................................................................................................................. 1321
Password Files Policy Template........................................................................................................................... 1323
Payment Card Industry (PCI) Data Security Standard Policy Template...............................................................1323
PIPEDA Policy Template.......................................................................................................................................1324
Price Information Policy Template........................................................................................................................ 1325
Project Data Policy Template................................................................................................................................1326
Proprietary Media Files Policy Template.............................................................................................................. 1326
Publishing Documents Policy Template................................................................................................................1327
Racist Language Policy Template.........................................................................................................................1327
Restricted Files Policy Template...........................................................................................................................1327
Restricted Recipients Policy Template..................................................................................................................1328
Resumes Policy Template.....................................................................................................................................1328
Russian Federal Law on Personal Data (No. 152-FZ) PolicyProfile Template.....................................................1328
Sarbanes-Oxley Policy Template.......................................................................................................................... 1330
SEC Fair Disclosure Regulation PolicyProfile Template.......................................................................................1331
Sexually Explicit Language Policy Template........................................................................................................ 1333
Source Code Policy Template...............................................................................................................................1333
State Data Privacy Policy Template..................................................................................................................... 1334
SWIFT Codes Policy Template............................................................................................................................. 1336
Turkish Personal Data Protection Law 6698 policy Templates............................................................................ 1336
Symantec DLP Awareness and Avoidance Policy Template................................................................................1337
UK Drivers License Numbers Policy Template.....................................................................................................1337
UK Electoral Roll Numbers Policy Template........................................................................................................ 1338
UK National Health Service (NHS) Number Policy Template...............................................................................1338
UK National Insurance Numbers Policy Template................................................................................................1338
UK Passport Numbers Policy Template................................................................................................................1338
UK Tax ID Numbers Policy Template................................................................................................................... 1339
US Intelligence Control Markings (CAPCO) and DCID 1/7 Policy Template........................................................1339
US Social Security Numbers Policy Template......................................................................................................1340
US States Driver's License Number Policy Template...........................................................................................1340
Violence and Weapons Policy Template.............................................................................................................. 1344
Virginia Consumer Data Protection Act Policy Template......................................................................................1345
Webmail Policy Template...................................................................................................................................... 1345
Yahoo Message Board Activity Policy Template.................................................................................................. 1346
Yahoo and MSN Messengers on Port 80 Policy Template.................................................................................. 1347
Response Rules............................................................................................................................. 1350
About response rule actions.................................................................................................................................... 1350
Response rule actions for all detection servers.................................................................................................... 1351
Response rule actions for endpoint detection....................................................................................................... 1351
Response rule actions for Network Prevent detection.......................................................................................... 1352
Response rule actions for Network Protect detection...........................................................................................1352
Response rule actions for Cloud Applications and API appliance detectors..................................................... 1353
About response rule execution types......................................................................................................................1357
About Automated Response rules........................................................................................................................... 1357
About Smart Response rules....................................................................................................................................1357
Response Rule Conditions........................................................................................................................................ 1358
About response rule action execution priority.......................................................................................................1359
About response rule authoring privileges.............................................................................................................. 1361
Implementing response rules................................................................................................................................... 1361
Response rule best practices................................................................................................................................... 1362
Manage response rules............................................................................................................................................. 1363
Adding a new response rule.....................................................................................................................................1364
Configuring response rules...................................................................................................................................... 1364
About configuring Smart Response rules...............................................................................................................1365
Configuring response rule conditions.....................................................................................................................1365
Configuring Response Rule Actions....................................................................................................................... 1366
Modifying response rule ordering............................................................................................................................1368
About removing response rules...............................................................................................................................1368
Configuring the Endpoint Location response condition....................................................................................... 1369
Configuring the Endpoint Device response condition...........................................................................................1369
Configuring the Incident Type response condition................................................................................................1370
Configuring the Incident Match Count response condition.................................................................................. 1371
Configuring the Protocol or Endpoint Monitoring response condition............................................................... 1372
Configuring the Severity response condition.........................................................................................................1373
Configuring the Add Note action............................................................................................................................. 1374
Configuring the Encrypt Smart Response action.................................................................................................. 1374
Configuring the Limit Incident Data Retention action........................................................................................... 1374
Retaining data for endpoint incidents................................................................................................................... 1375
Discarding data for network incidents.................................................................................................................. 1376
Configuring the Log to a Syslog Server action......................................................................................................1376
Configuring the Send Email Notification action..................................................................................................... 1377
Configuring the Server FlexResponse action.........................................................................................................1378
Configuring the Set Attribute action........................................................................................................................1379
Configuring the Set Status action............................................................................................................................1380
Configuring the Quarantine Smart Response action............................................................................................. 1380
Configuring the Network Protect: SharePoint Quarantine smart response action............................................. 1381
Configuring the Network Protect: SharePoint Release from Quarantine smart response action......................1382
Configuring the Remove Collaborator Access Smart Response action.............................................................. 1383
Configuring the Remove Shared Links Smart Response action.......................................................................... 1383
Configuring the Restore File Smart Response action........................................................................................... 1384
Configuring the Remove Shared Links in Data-at-Rest action............................................................................. 1384
Configuring the Custom Action on Data-at-Rest action........................................................................................ 1385
Configuring the Delete Data-at-Rest action............................................................................................................ 1385
Configuring the Encrypt Data-at-Rest action..........................................................................................................1386
Configuring the Perform DRM on Data-at-Rest action...........................................................................................1386
Configuring the Quarantine Data-at-Rest action.................................................................................................... 1387
Configuring the Tag Data-at-Rest action................................................................................................................. 1388
Configuring the Prevent download, copy, print action.......................................................................................... 1388
Configuring the Remove Collaborator Access action........................................................................................... 1389
Configuring the Set Collaborator Access to 'Edit' action..................................................................................... 1389
Configuring the Set Collaborator Access to 'Preview' action...............................................................................1390
Configuring the Set Collaborator Access to 'Read' action................................................................................... 1390
Configuring the Set File Access to 'All Read' action.............................................................................................1390
Configuring the Set File Access to 'Internal Edit'.................................................................................................. 1391
Configuring the Set File Access to 'Internal Read' action.................................................................................... 1391
Configuring the Add two-factor authentication action.......................................................................................... 1392
Configuring the Block Data-in-Motion action......................................................................................................... 1392
Configuring the Custom Action on Data-in-Motion action.................................................................................... 1393
Configuring the Encrypt Data-in-Motion action...................................................................................................... 1393
Configuring the Perform DRM on Data-in-Motion action.......................................................................................1394
Configuring the Quarantine Data-in-Motion action................................................................................................ 1395
Configuring the Redact Data-in-Motion action....................................................................................................... 1395
Configuring the Endpoint: FlexResponse action................................................................................................... 1396
Configuring the Endpoint Discover: Quarantine File action................................................................................. 1396
Configuring the Endpoint Prevent: Block action................................................................................................... 1398
Configuring the Endpoint Prevent: Encrypt action................................................................................................ 1400
Configuring the Endpoint Prevent: Notify action................................................................................................... 1402
Configuring the Endpoint Prevent: User Cancel action........................................................................................ 1404
Configuring the Network Prevent for Web: Block FTP Request action............................................................... 1406
Configuring the Network Prevent for Web: Block HTTP/S action........................................................................ 1407
Configuring the Network Prevent: Block SMTP Message action..........................................................................1407
Configuring the Network Prevent: Modify SMTP Message action........................................................................1408
Configuring the Network Prevent for Web: Remove HTTP/S Content action...................................................... 1409
Configuring the Network Protect: Copy File action............................................................................................... 1410
Configuring the Network Protect: Quarantine File action..................................................................................... 1410
Configuring the Endpoint: MIP Classification action.............................................................................................1411
Configuring the User Risk Response Condition.................................................................................................... 1413
Incidents.......................................................................................................................................... 1415
Remediating incidents............................................................................................................................................... 1415
About incident remediation................................................................................................................................... 1415
Remediating incidents........................................................................................................................................... 1417
Overview of End User Remediation..................................................................................................................... 1418
About End User Remediation........................................................................................................................ 1418
Applications of End User Remediation..........................................................................................................1420
About the End User Remediation architecture..............................................................................................1420
About remediating incidents using End User Remediation........................................................................... 1421
Overview of steps to implement End User Remediation...............................................................................1422
Configurations for End User Remediation............................................................................................................ 1423
Configurations for End User Remediation on ServiceNow........................................................................... 1424
Configurations for End User Remediation on Enforce.................................................................................. 1427
Working with the DLP incidents in ServiceNow................................................................................................... 1434
Remediating incidents using the EUR application.........................................................................................1436
Reassigning incidents using the EUR application.........................................................................................1437
Desyncing incidents using the EUR application............................................................................................ 1437
Customizations in ServiceNow when using End User Remediation.................................................................... 1438
About workflows in ServiceNow.................................................................................................................... 1438
About Customizing Email Templates............................................................................................................. 1445
Security guidelines for selecting incident attributes when using End User Remediation..................................... 1449
Security Aspects in ServiceNow....................................................................................................................1449
About Troubleshooting Incidents...........................................................................................................................1451
Troubleshooting incidents.............................................................................................................................. 1452
Performance guidelines for End User Remediation............................................................................................. 1453
Executing Smart response rules...........................................................................................................................1454
Incident remediation action commands................................................................................................................ 1454
Response action variables....................................................................................................................................1455
General incident variables............................................................................................................................. 1456
Network Monitor and Network Prevent incident variables........................................................................... 1456
Discover incident variables............................................................................................................................ 1457
Endpoint incident variables............................................................................................................................1457
Application incident variables........................................................................................................................ 1457
Remediating Network incidents................................................................................................................................1457
Network incident list.............................................................................................................................................. 1458
Network incident list—Actions...............................................................................................................................1460
Network incident list—Columns............................................................................................................................ 1461
Network Incident Snapshots................................................................................................................................. 1462
Network incident snapshot—Heading and navigation.......................................................................................... 1462
Network Incident Snapshot—General Information............................................................................................... 1462
Network incident snapshot—Matches...................................................................................................................1464
Network incident snapshot—Attributes................................................................................................................. 1464
Network summary report.......................................................................................................................................1464
Remediating Endpoint incidents.............................................................................................................................. 1465
About endpoint incident lists................................................................................................................................. 1465
Endpoint incident snapshot...................................................................................................................................1467
Reporting on Endpoint Prevent response rules............................................................................................ 1471
Endpoint incident destination or protocol-specific information...................................................................... 1471
Reporting on Endpoint Prevent response rules............................................................................................ 1472
Endpoint incident destination or protocol-specific information...................................................................... 1473
Endpoint incident summary reports...................................................................................................................... 1474
Remediating Discover incidents...............................................................................................................................1475
About reports for Network Discover..................................................................................................................... 1475
About incident reports for Network Discover........................................................................................................ 1476
Discover incident reports...................................................................................................................................... 1477
Discover incident lists........................................................................................................................................... 1477
Discover incident actions...................................................................................................................................... 1477
Discover incident entries..................................................................................................................................... 1478
Discover incident snapshot................................................................................................................................... 1480
Discover summary reports.................................................................................................................................... 1482
Working with Application incidents......................................................................................................................... 1482
About Applications incident reports...................................................................................................................... 1482
Applications incident list........................................................................................................................................1483
Applications incident entries................................................................................................................................. 1484
Applications incident actions.................................................................................................................................1485
Applications incident snapshot..............................................................................................................................1486
Applications summary reports...............................................................................................................................1488
Viewing, managing, and reporting incidents.......................................................................................................... 1489
Viewing Incidents.................................................................................................................................................. 1491
Incident List Control Features Overview...............................................................................................................1491
Incident Masking Overview................................................................................................................................... 1495
Setting Up Masking for Roles...............................................................................................................................1496
Setting Up Masking for Data Identifiers................................................................................................................1496
About Symantec Data Loss Prevention Reports.................................................................................................. 1497
About Strategies for Using Reports...................................................................................................................... 1498
Setting Report Preferences...................................................................................................................................1498
About Incident Reports......................................................................................................................................... 1499
About dashboard reports and executive summaries............................................................................................ 1500
Viewing dashboards.............................................................................................................................................. 1501
Creating dashboard reports.................................................................................................................................. 1502
Configuring dashboard reports............................................................................................................................. 1503
Choosing reports to include in a dashboard........................................................................................................ 1504
About summary reports.........................................................................................................................................1504
Viewing summary reports......................................................................................................................................1504
Creating summary reports.................................................................................................................................... 1505
About custom reports and dashboards................................................................................................................ 1505
Using IT Analytics to manage incidents............................................................................................................... 1506
Filtering Incident Lists and Reports using the Filter By controls.......................................................................... 1506
Saving custom incident reports.............................................................................................................................1507
Scheduling Custom Incident Reports................................................................................................................... 1508
Delivery Schedule Options for Incident and System Reports.............................................................................. 1509
Delivery schedule options for dashboard reports................................................................................................. 1510
Using the date widget to schedule reports...........................................................................................................1511
Editing custom dashboards and reports............................................................................................................... 1512
Exporting Incident Reports....................................................................................................................................1512
Exported fields for Network Monitor..................................................................................................................... 1513
Exported fields for Network Discover................................................................................................................... 1513
Exported fields for Endpoint Discover.................................................................................................................. 1514
Deleting incidents.................................................................................................................................................. 1514
About the incident deletion process.............................................................................................................. 1515
Configuring the incident deletion job schedule..............................................................................................1516
Starting and stopping incident deletion jobs................................................................................................. 1516
Working with the deletion jobs history...........................................................................................................1517
About automatically flagging incidents for deletion....................................................................................... 1517
About creating incident reports for automatic incident deletion flagging....................................................... 1518
Configuring automatic incident deletion flagging...........................................................................................1518
Managing automatic incident deletion flagging............................................................................................. 1519
Troubleshooting automatic incident deletion flagging....................................................................................1519
Deleting custom dashboards and reports.............................................................................................................1520
Common incident report features......................................................................................................................... 1520
Page navigation in incident reports...................................................................................................................... 1521
Incident report filter and summary options........................................................................................................... 1521
Sending incident reports by email........................................................................................................................ 1522
Printing incident reports........................................................................................................................................ 1522
Incident snapshot history tab................................................................................................................................ 1522
Incident snapshot notes tab..................................................................................................................................1523
Incident snapshot attributes section..................................................................................................................... 1523
Incident snapshot correlations tab........................................................................................................................ 1523
Incident snapshot policy section........................................................................................................................... 1523
Incident snapshot matches section.......................................................................................................................1523
Incident snapshot access information section...................................................................................................... 1524
Customizing incident snapshot pages.................................................................................................................. 1524
About filters and summary options for reports..................................................................................................... 1524
General filters for reports...................................................................................................................................... 1525
Summary options for incident reports...................................................................................................................1527
Advanced filter options for reports........................................................................................................................1530
Hiding incidents..........................................................................................................................................................1535
Incident Hiding.......................................................................................................................................................1535
Hiding incidents..................................................................................................................................................... 1536
Unhiding hidden incidents.....................................................................................................................................1536
Preventing incidents from being hidden............................................................................................................... 1537
Deleting hidden incidents......................................................................................................................................1537
Working with incident data....................................................................................................................................... 1538
About incident status attributes.............................................................................................................................1538
Configuring status attributes and values.............................................................................................................. 1539
Configuring status groups..................................................................................................................................... 1540
Export Web Archive.............................................................................................................................................. 1541
Export web archive—Create Archive....................................................................................................................1542
Export web archive—All Recent Events............................................................................................................... 1542
About custom attributes........................................................................................................................................ 1542
About using custom attributes.............................................................................................................................. 1544
How custom attributes are populated................................................................................................................... 1544
Configuring custom attributes............................................................................................................................... 1544
Setting the values of custom attributes manually.................................................................................................1545
Working with user risk.............................................................................................................................................. 1545
User Data Sources................................................................................................................................................1545
Defining custom attributes for user data....................................................................................................... 1546
Bringing in User Data..................................................................................................................................... 1547
About identifying users in web incidents....................................................................................................... 1551
Viewing the User List.....................................................................................................................................1553
Viewing user details....................................................................................................................................... 1554
Working with the User Risk Summary.......................................................................................................... 1554
Reviewing the User Risk in Incidents............................................................................................................ 1555
About End User Remediation................................................................................................................................... 1555
Implementing lookup plug-ins.................................................................................................................................. 1557
About lookup plug-ins........................................................................................................................................... 1557
Types of lookup plug-ins................................................................................................................................1558
About lookup parameters...............................................................................................................................1559
About plug-in deployment.............................................................................................................................. 1560
About plug-in chaining................................................................................................................................... 1560
About upgrading lookup plug-ins................................................................................................................... 1561
Implementing and testing lookup plug-ins............................................................................................................ 1561
Managing and configuring lookup plug-ins....................................................................................................1562
Creating new lookup plug-ins........................................................................................................................ 1563
Selecting lookup parameters......................................................................................................................... 1564
Enabling lookup plug-ins................................................................................................................................1567
Chaining lookup plug-ins............................................................................................................................... 1568
Reloading lookup plug-ins............................................................................................................................. 1568
Troubleshooting lookup plug-ins.................................................................................................................... 1568
Configuring detailed logging for lookup plug-ins........................................................................................... 1569
Configuring advanced plug-in properties.......................................................................................................1570
Configuring the CSV Lookup Plug-In................................................................................................................... 1571
Requirements for creating the CSV file.........................................................................................................1572
Specifying the CSV File Path........................................................................................................................ 1573
Choosing the CSV file delimiter.................................................................................................................... 1573
Selecting the CSV file character set............................................................................................................. 1574
Mapping attributes and parameter keys to CSV fields..................................................................................1574
CSV attribute mapping example....................................................................................................................1575
Testing and troubleshooting the CSV Lookup Plug-In.................................................................................. 1576
CSV Lookup Plug-In Tutorial......................................................................................................................... 1576
Configuring LDAP Lookup Plug-Ins...................................................................................................................... 1578
Requirements for LDAP server connections................................................................................................. 1578
Mapping attributes to LDAP data.................................................................................................................. 1579
Attribute mapping examples for LDAP.......................................................................................................... 1579
Testing and troubleshooting LDAP Lookup Plug-ins..................................................................................... 1580
LDAP Lookup Plug-In tutorial........................................................................................................................ 1580
Configuring Script Lookup Plug-Ins...................................................................................................................... 1581
Writing scripts for Script Lookup Plug-Ins..................................................................................................... 1582
Specifying the Script Command.................................................................................................................... 1583
Specifying the Arguments..............................................................................................................................1583
Enabling the stdin and stdout options........................................................................................................... 1584
Enabling incident protocol filtering for scripts................................................................................................1584
Enabling and Encrypting Script Credentials.................................................................................................. 1585
Chaining multiple Script Lookup Plug-Ins......................................................................................................1586
Script Lookup Plug-In tutorial........................................................................................................................ 1586
Example script................................................................................................................................................1587
Configuring migrated Custom (Legacy) Lookup Plug-Ins.....................................................................................1589
DLP REST APIs.............................................................................................................................. 1590
Accessing the Symantec Data Loss Prevention APIs........................................................................................... 1590
Creating a User and Role for the Symantec Data Loss Prevention API client.................................................... 1595
Code Samples for the Symantec Data Loss Prevention REST API......................................................................1596
Managing Discover Scan Targets................................................................................................ 1597
Configuring Network Discover and Endpoint Discover targets............................................................................1600
How Network Discover works...................................................................................................................................1600
How Network Discover scanners work....................................................................................................................1601
Setting up and configuring Network Discover....................................................................................................... 1602
About Discover and Endpoint Discover Servers.................................................................................................. 1602
Modifying the Network Discover Server configuration..........................................................................................1603
Adding a new Network Discover target................................................................................................................ 1604
Adding items to scan............................................................................................................................................ 1604
Editing scan target items...................................................................................................................................... 1605
Editing an existing Network Discover target.........................................................................................................1607
Network Discover scan target configuration options............................................................................................ 1607
Configuring the required fields for Network Discover targets...............................................................................1608
Scheduling Network Discover scans.................................................................................................................... 1609
Providing credentials for Network Discover scanned content...............................................................................1610
Encrypting passwords in configuration files..........................................................................................................1611
Setting up Network Discover filters to include or exclude items from the scan....................................................1611
Recommended file types to exclude............................................................................................................. 1613
Filtering Discover targets by item size................................................................................................................. 1613
Filtering Discover targets by date last accessed or modified...............................................................................1614
Optimizing resources with Network Discover scan throttling................................................................................1615
Inventory Scanning for a content root of unprotected sensitive data................................................................... 1616
Managing Network Discover target scans.............................................................................................................. 1618
Managing Network Discover targets.....................................................................................................................1618
About the Network Discover scan target list................................................................................................. 1618
Working with Network Discover scan targets................................................................................................1619
Removing Network Discover scan targets.................................................................................................... 1619
Managing Network Discover scan histories..........................................................................................................1620
About Discover and Endpoint Discover scan histories................................................................................. 1620
Working with Network Discover scan histories............................................................................................. 1621
Deleting Network Discover scans..................................................................................................................1622
About Discover scan details.......................................................................................................................... 1622
Working with Network Discover scan details................................................................................................ 1626
Managing Network Discover Servers................................................................................................................... 1627
Viewing Network Discover server status....................................................................................................... 1627
About Network Discover scan optimization.......................................................................................................... 1627
About Network Discover incremental scans......................................................................................................... 1629
About re-using incremental index for file system target incremental scans......................................................... 1630
About Network Discover differential scans........................................................................................................... 1630
About the difference between Network Discover incremental scans and differential scans................................. 1631
Configuring parallel scanning of Network Discover targets..................................................................................1631
Troubleshooting Network Discover content extraction errors............................................................................... 1632
About grid scanning.............................................................................................................................................. 1633
Configuring grid scanning..................................................................................................................................... 1634
Renewing grid communication certificates for Discover detection servers...........................................................1636
Migrating a Discover scan from a single server to a grid.................................................................................... 1638
Grid scanning performance guidelines................................................................................................................. 1638
Understanding and using grid scan performance feedback................................................................................. 1640
Troubleshooting grid scans................................................................................................................................... 1641
Need help sizing your grid?..................................................................................................................................1642
Overview of Network Discover Cluster....................................................................................................................1642
Network Discover Cluster..................................................................................................................................... 1642
Architecture of the Network Discover Cluster.......................................................................................................1643
Summary of Tasks for Network Discover Cluster to Work................................................................................... 1645
View Information on the Discover Cluster Details Screen....................................................................................1645
Setting up Server Scans of File System - High Speed Discovery........................................................................ 1650
File System - High Speed Discovery Target Scan.............................................................................................. 1650
Configuring the File System - High Speed Discovery Target Scans.................................................................... 1651
Configuring File System - High Speed Discovery Scans of Microsoft Outlook Personal Folders..................1660
Internal Pause and Resume Functionality for a File System - High Speed Discovery Scan........................1660
Configuring Parallel Scanning for the File System - High Speed Discovery Target Scan............................. 1662
View Information on the File System - High Speed Discovery Scan Details Screen........................................... 1662
Best Practices for the File System - High Speed Discovery Scan.......................................................................1666
Troubleshooting the File System - High Speed Discovery Scans........................................................................1666
Setting up server scans of file systems..................................................................................................................1669
Supported File System Targets.............................................................................................................................1670
Automatically discovering servers and shares before configuring a file system target........................................ 1671
Working with Content Root Enumeration scans............................................................................................1671
Troubleshooting Content Root Enumeration scans.......................................................................................1674
About automatically tracking incident remediation status.....................................................................................1674
Configuration options for Automated Incident Remediation Tracking........................................................... 1675
Troubleshooting automated incident remediation tracking............................................................................ 1677
Excluding internal DFS folders............................................................................................................................. 1678
Configuring scans of Microsoft Outlook Personal Folders (.pst files) for file system target scan......................... 1678
Configuring the file system target scans.............................................................................................................. 1678
Configuring Network Protect for file shares..........................................................................................................1688
Priority of credentials for file shares..................................................................................................................... 1689
Setting up server scans of IBM (Lotus) Notes databases.....................................................................................1690
Supported IBM (Lotus) Notes targets................................................................................................................... 1690
Configuring and running IBM (Lotus) Notes scans.............................................................................................. 1690
Configuring IBM (Lotus) Notes DIIOP mode configuration scan options............................................................. 1692
Setting up server scans of SQL databases............................................................................................................ 1693
Supported SQL database targets......................................................................................................................... 1694
Required JDBC drivers for SQL database targets........................................................................................ 1694
Configuring and running SQL database scans.....................................................................................................1694
Installing the JDBC driver for SQL database targets........................................................................................... 1696
SQL database scan configuration properties....................................................................................................... 1697
Setting up server scans of SharePoint servers......................................................................................................1698
About scans of SharePoint servers...................................................................................................................... 1699
Supported SharePoint server targets................................................................................................................... 1699
Access privileges for SharePoint scans............................................................................................................... 1700
About Alternate Access Mapping Collections.......................................................................................................1700
Configuring and running SharePoint server scans...............................................................................................1700
Configuring Network Protect for SharePoint servers............................................................................................1703
Installing the SharePoint solution on the Web Front Ends in a farm................................................................... 1705
Enabling SharePoint scanning without installing the SharePoint solution............................................................1706
Setting up SharePoint scans to use Kerberos authentication.............................................................................. 1706
Troubleshooting SharePoint scans....................................................................................................................... 1707
Setting up server scans of Exchange repositories................................................................................................1708
About scans of Exchange servers........................................................................................................................1709
Configuring Exchange Server scans.................................................................................................................... 1709
Setting up Exchange scans to use Kerberos authentication................................................................................1712
Example configurations and use cases for Exchange scans............................................................................... 1712
Troubleshooting Exchange scans......................................................................................................................... 1713
Client Access Throttling in Exchange scans................................................................................................. 1713
About Network Discover scanners.......................................................................................................................... 1714
How Network Discover scanners work................................................................................................................. 1714
Troubleshooting scanners..................................................................................................................................... 1714
Scanner processes................................................................................................................................................1715
Scanner installation directory structure.................................................................................................................1716
Scanner configuration files....................................................................................................................................1717
Scanner controller configuration options.............................................................................................................. 1717
Setting up remote scanning of file systems........................................................................................................... 1718
Supported File System Scanner Targets.............................................................................................................. 1719
Installing file system scanners.............................................................................................................................. 1719
Starting file system scans..................................................................................................................................... 1721
Installing file system scanners silently from the command line............................................................................1722
Configuration options for file system scanners.....................................................................................................1722
Example configuration for scanning the C drive on a Windows computer...........................................................1723
Example configuration for scanning the /usr directory on UNIX...........................................................................1723
Example configuration for scanning with include filters........................................................................................1724
Example configuration for scanning with exclude filters.......................................................................................1724
Example configuration for scanning with include and exclude filters................................................................... 1724
Example configuration for scanning with date filtering......................................................................................... 1725
Example configuration for scanning with file size filtering.................................................................................... 1725
Example configuration for scanning that skips symbolic links on UNIX systems................................................. 1725
Setting up Scanning of Web Server Scanners....................................................................................................... 1726
About Web Server Scanners................................................................................................................................ 1726
Web server scanner requirements........................................................................................................................1727
Configuring the Web Server Scanner Target Type...............................................................................................1727
Configuration Options for Web Server Scanners................................................................................................. 1730
Configure the Web Server Scanner Configuration File................................................................................. 1730
Complete Additional Configuration Tasks......................................................................................................1733
Configuring the Web Server Scanner to Use Form-Based Authentication...........................................................1733
Starting web server scans.................................................................................................................................... 1735
Best Practices for Web Server Scanning............................................................................................................. 1735
Troubleshooting the Web Server Scanner............................................................................................................1736
Generic Network Discover scanner targets for future support............................................................................ 1737
Setting up Web Services for custom scan targets................................................................................................ 1738
About setting up the Web Services Definition Language (WSDL)....................................................................... 1738
Example of a Web Services Java client...............................................................................................................1739
Sample Java code for the Web Services example.............................................................................................. 1739
Web Services WSDL............................................................................................................................................ 1742
Web Services SOAP request................................................................................................................................1744
Using Data Insight......................................................................................................................................................1745
About Data Insight................................................................................................................................................ 1745
Components of the Symantec Data Loss Prevention integration with Veritas Data Insight.......................... 1746
How Data Insight works with Data Loss Prevention..................................................................................... 1747
What you can do with Veritas Data Insight and Symantec Data Loss Prevention........................................ 1747
Where to get more information about Veritas Data Insight........................................................................... 1748
Locating and managing data at risk.............................................................................................................. 1749
Implementing Data Insight for Data Loss Prevention to manage data at risk............................................... 1749
Configuring the connection between the Enforce Server and Data Insight...................................................1751
Introducing the Data Insight lookup plug-in...................................................................................................1752
Configuring Data Loss Prevention to retrieve attribute values from Data Insight..........................................1753
Mapping attributes to Data Insight data fields...............................................................................................1754
Enabling the Data Insight lookup plug-in...................................................................................................... 1756
Chaining the Data Insight lookup plug-in...................................................................................................... 1756
Enabling lookup plug-in parameter keys....................................................................................................... 1756
Testing the Data Insight lookup plug-in configuration................................................................................... 1757
Troubleshooting the Data Insight lookup plug-in........................................................................................... 1758
Changing Data Insight refresh intervals........................................................................................................ 1759
Best practices for finding and reporting on data at risk................................................................................ 1759
Accessing reports of folders at risk............................................................................................................... 1760
Configuring the risk score and timeframes for the report of folders at risk................................................... 1760
Viewing folders ranked by risk, path, or folder exposure.............................................................................. 1761
Viewing details of a folder at risk.................................................................................................................. 1762
Filtering the information in the report of folders at risk................................................................................. 1763
Saving a report of folders at risk...................................................................................................................1765
Finding data users and accesses in incident reports....................................................................................1765
Viewing Data Insight incident details.............................................................................................................1766
Accessing the history of a file in the Veritas Data Insight console............................................................... 1767
Selecting custom attributes for data user details.......................................................................................... 1767
Creating summary reports for Data Insight................................................................................................... 1768
Creating and distributing aggregated incident reports to data owners..........................................................1769
Guidelines for Tuning Network Discover................................................................................................................ 1770
Using DLP Tuning Tests....................................................................................................................................... 1770
Tuning Guidelines for Network Discover scans....................................................................................................1771
About Tuning Network Discover Scans.........................................................................................................1771
Overview of Implementing the Guidelines for Tuning Network Discover Scans........................................... 1772
Factors that Affect Network Discover Scan Performance............................................................................. 1772
Best Practices for Configuring File System Scan Targets.............................................................................1772
Best Practices for Configuring Microsoft SharePoint Scan Targets.............................................................. 1772
Tuning Network Discover Scans................................................................................................................... 1773
Sample Tuning Configuration for Network Discover Scans.......................................................................... 1775
Tuning Guidelines for Network Discover Cluster.................................................................................................. 1775
Factors Affecting the File System - High Speed Discovery Scan Throughput.............................................. 1775
Prerequisites for Deploying a Network Discover Cluster...............................................................................1775
Deployment Guidelines for a Network Discover Cluster............................................................................... 1776
Best Practices to Configure a File System - High Speed Discovery Scan in a Network Discover Cluster.... 1777
DLP Parameters that Impact the File System - High Speed Discovery Scan Throughput............................ 1777
Guidelines for Sizing a Network Discover Cluster........................................................................................ 1778
Implementing Network Monitor.................................................................................................... 1779
About IPv6 support for Network Monitor................................................................................................................ 1780
Choosing a network packet capture method..........................................................................................................1780
About packet capture software installation and configuration.............................................................................1781
Installing Npcap on a Windows platform.............................................................................................................. 1781
Installing and Updating the Napatech Network Adapter and Driver Software......................................................1781
Sample Napatech Capture Configuration File...............................................................................................1783
About Network Performance Tests.......................................................................................................................... 1784
About network performance sizing guidelines...................................................................................................... 1784
About the Network Monitor performance test environment with Napatech cards......................................... 1785
About the Network Monitor performance test methodology for an environment with Napatech cards.......... 1786
Network Monitor performance test results and sizing guidelines for environments with Napatech cards......1787
About the Network Prevent for Email performance test environment.................................................................. 1788
About the Network Prevent for Email performance test methodology.......................................................... 1788
Network Prevent for Email Performance Test Results and Sizing Guidelines.............................................. 1789
About the Network Prevent for Web performance test environment....................................................................1790
About the Network Prevent for Web performance test methodology............................................................ 1791
Network Prevent for Web performance test results and sizing guidelines.................................................... 1791
Configuring the Network Monitor Server................................................................................................................ 1793
Enabling GET processing with Network Monitor................................................................................................... 1794
Creating a policy for Network Monitor.................................................................................................................... 1795
Implementing Network Prevent for Email................................................................................................................1795
About Mail Transfer Agent (MTA) integration......................................................................................................... 1796
About the Network Prevent for Email Server......................................................................................................... 1796
Operating modes for Network Prevent for Email Server......................................................................................1797
About hosted Network Prevent deployments....................................................................................................... 1797
Environment Compatibility and Requirements for Network Prevent for Email..................................................... 1798
About selecting an integration architecture.......................................................................................................... 1798
About Network Prevent for Email response rules..................................................................................................1798
About message blocking.......................................................................................................................................1798
About messages redirecting................................................................................................................................. 1799
About downstream message tagging................................................................................................................... 1799
About integration architectures................................................................................................................................1800
About the Network Prevent for Email Server message chain.............................................................................. 1800
Integration architectures for reflecting mode........................................................................................................ 1802
About second SMTP listener-based routing..................................................................................................1802
About SMTP client IP address-based routing............................................................................................... 1803
About HELO identification string-based routing............................................................................................ 1804
About message header-based routing.......................................................................................................... 1805
About the integration architecture for forwarding mode....................................................................................... 1806
About next-hop MTA selection.......................................................................................................................1807
About TLS authentication......................................................................................................................................1807
Configuring keys and certificates for TLS..................................................................................................... 1808
Changing the Network Prevent for Email Server Keystore Password.......................................................... 1809
Generating Network Prevent for Email Server Keys.....................................................................................1810
Exporting the Network Prevent for Email Server public key certificate......................................................... 1811
Importing Public Key Certificates to the Network Prevent for Email Server Keystore...................................1811
Configuring Network Prevent for Email Server for reflecting or forwarding mode.........................................1813
About capacity and fault tolerance................................................................................................................ 1816
About fault tolerance planning....................................................................................................................... 1819
About MX-based bypass................................................................................................................................1819
About MTA-based queue management.........................................................................................................1820
About Network Prevent for Email Server integration testing................................................................................ 1820
About functional tests.................................................................................................................................... 1820
About basic failover tests.............................................................................................................................. 1821
About store and forward email systems............................................................................................................... 1821
About the DNS system.................................................................................................................................. 1822
About the MTA integration checklist..................................................................................................................... 1822
Completing the Network Prevent for Email Server integration prerequisites................................................ 1822
Selecting an integration architecture............................................................................................................. 1823
Evaluating message stream component capacity......................................................................................... 1823
Integrating Network Prevent for Email with MTAs.........................................................................................1823
Configuring Network Prevent for Email Server for reflecting or forwarding mode.............................................1825
Specifying one or more upstream mail transfer agents (MTAs)........................................................................... 1827
Creating a policy for Network Prevent for Email....................................................................................................1827
About policy violation data headers........................................................................................................................ 1828
Enabling policy violation data headers................................................................................................................... 1829
Testing Network Prevent for Email.......................................................................................................................... 1829
Implementing Network Prevent for Web..................................................................................................................1830
Configuring Network Prevent for Web Server........................................................................................................ 1830
Configuring a Secure ICAP keystore for Network Prevent for Web..................................................................... 1832
About Proxy Server Configuration...........................................................................................................................1834
Configuring request and response mode services............................................................................................... 1834
Specifying One or More Proxy Servers...................................................................................................................1835
Enabling GET processing for Network Prevent for Web....................................................................................... 1836
Creating policies for Network Prevent for Web......................................................................................................1836
Testing Network Prevent for Web............................................................................................................................ 1837
Troubleshooting information for Network Prevent for Web Server...................................................................... 1837
About discovering and preventing data loss on endpoints......................................................1838
Secure Communications Between DLP Agents and Endpoint Servers............................................................... 1839
Generating agent installation packages.................................................................................................................. 1839
Agent installation package contents....................................................................................................................... 1842
Windows Agent Package Contents...................................................................................................................... 1842
macOS Agent Package Contents......................................................................................................................... 1842
Linux Agent Package Contents............................................................................................................................ 1843
Guidelines for authoring Endpoint policies............................................................................................................ 1843
DLP Agent Version 16.0.1 Monitoring Support.......................................................................................................1844
DLP Agent feature-level support for Mac endpoints............................................................................................ 1845
Mac agent installation and tools feature details............................................................................................ 1846
Mac agent management features..................................................................................................................1847
Overview of Mac agent detection technologies and policy authoring features............................................. 1847
Mac agent monitoring support....................................................................................................................... 1850
Endpoint Prevent for Mac agent advanced agent settings features............................................................. 1857
Endpoint Discover for Mac targets features.................................................................................................. 1857
Endpoint Discover for Mac file system support.............................................................................................1858
Endpoint Discover for Mac advanced agent settings....................................................................................1858
DLP Agent feature-level support for Linux endpoints...........................................................................................1858
Linux agent installation support..................................................................................................................... 1858
Linux agent detection technologies............................................................................................................... 1859
Linux agent groups features.......................................................................................................................... 1861
Endpoint Discover for Linux targets features................................................................................................ 1862
Endpoint Discover for Linux file system support............................................................................................1862
Linux endpoint tools features.........................................................................................................................1862
Endpoint Discover for Linux Advanced Agent Settings.................................................................................1863
About Endpoint Prevent monitoring........................................................................................................................ 1863
About removable storage monitoring....................................................................................................................1864
About endpoint network monitoring...................................................................................................................... 1864
About CD/DVD monitoring.................................................................................................................................... 1866
About print/fax monitoring..................................................................................................................................... 1866
About network share monitoring........................................................................................................................... 1867
Supported network share monitoring protocols on Windows endpoints....................................................... 1868
Supported network share monitoring protocols on Mac endpoints............................................................... 1868
About clipboard monitoring................................................................................................................................... 1868
About global application monitoring......................................................................................................................1868
About group-specific application monitoring: using overrides.............................................................................. 1869
About cloud storage application monitoring..........................................................................................................1869
About virtual desktop support with Endpoint Prevent...........................................................................................1871
About Azure Virtual Desktop support............................................................................................................ 1871
About Citrix XenDesktop and Citrix XenApp support....................................................................................1873
About VMware Fusion implementation..........................................................................................................1874
About rules results caching (RRC)....................................................................................................................... 1874
About policy creation for Endpoint Prevent........................................................................................................... 1874
About monitoring policies with response rules for Endpoint Servers................................................................... 1875
About Endpoint Block.................................................................................................................................... 1875
About Endpoint Notify.................................................................................................................................... 1875
Endpoint User Cancel....................................................................................................................................1876
How to implement Endpoint Prevent....................................................................................................................... 1877
Setting the endpoint location................................................................................................................................ 1878
About Endpoint Prevent response rules in different locales.................................................................................1879
Setting Endpoint Prevent response rules for different locales...................................................................... 1879
About Endpoint Discover.......................................................................................................................................... 1880
About Endpoint Discover Scanning.........................................................................................................................1880
About scanning targeted endpoints...................................................................................................................... 1880
About Endpoint Discover full scanning................................................................................................................. 1881
About Endpoint Discover incremental scanning................................................................................................... 1881
How incremental scan for Endpoint Discover works.....................................................................................1881
About parallel scans on targeted endpoints......................................................................................................... 1882
Optimizing the scan for endpoint performance.....................................................................................................1883
Preparing to set up Endpoint Discover................................................................................................................... 1883
Creating a policy group for Endpoint Discover.....................................................................................................1884
Creating a policy for Endpoint Discover............................................................................................................... 1884
Adding a rule for Endpoint Discover.....................................................................................................................1885
About Endpoint Quarantine........................................................................................................................... 1885
Setting up and configuring Endpoint Discover...................................................................................................... 1886
Creating an Endpoint Discover scan....................................................................................................................... 1886
Creating a new Endpoint Discover target.............................................................................................................1887
Selecting multiple servers for an Endpoint Discover scan................................................................................... 1889
About Endpoint Discover filters.............................................................................................................................1890
Using include and exclude filters...................................................................................................................1890
Setting up Endpoint Discover filters to include or exclude items from the scan............................................1892
Using environment variables in Endpoint Discover scans............................................................................ 1892
Configuring Endpoint Discover scan timeout settings.......................................................................................... 1895
Managing Endpoint Discover target scans............................................................................................................. 1895
About managing Endpoint Discover scans...........................................................................................................1896
About Endpoint Discover targeted endpoints scan details................................................................................... 1896
About remediating Endpoint Discover incidents................................................................................................... 1897
About Endpoint reports......................................................................................................................................... 1898
About agent configurations...................................................................................................................................... 1898
About cloning agent configurations.......................................................................................................................1899
Adding and editing agent configurations................................................................................................................1899
Channel settings....................................................................................................................................................1900
Enable monitoring settings............................................................................................................................ 1900
Channel Filters settings........................................................................................................................................ 1905
Filter by File Properties settings....................................................................................................................1906
Filter by Network Properties settings............................................................................................................ 1909
Ignore User Identities for Cloud Storage Applications settings..................................................................... 1911
Filter by Printer Properties settings............................................................................................................... 1912
Application Monitoring settings............................................................................................................................. 1912
Selecting applications to monitor (override global settings).......................................................................... 1913
Classification settings............................................................................................................................................1913
Device Control settings......................................................................................................................................... 1914
Agent settings........................................................................................................................................................1914
Server Communication settings.....................................................................................................................1915
Browser Extension Enablement Reminder....................................................................................................1915
Resource Consumption on the Endpoint Host settings................................................................................ 1916
Resource Consumption for Endpoint Discover Scans settings.....................................................................1916
File Recovery Area Location settings............................................................................................................1917
LiveUpdate for Data Loss Prevention........................................................................................................... 1918
Safe Mode settings........................................................................................................................................ 1925
Cloud Storage settings.................................................................................................................................. 1925
Printer/Fax settings........................................................................................................................................ 1926
Agent proxy settings...................................................................................................................................... 1928
Microsoft Information Protection settings...................................................................................................... 1928
Advanced agent settings.......................................................................................................................................1929
Setting specific channels to monitor based on the endpoint location.................................................................. 1954
Applying agent configurations to an agent group................................................................................................. 1954
Configuring the agent connection status................................................................................................................1955
About agent groups................................................................................................................................................... 1955
Developing a Strategy for Deploying Agent Groups............................................................................................. 1956
Overview of the Agent Group Deployment Process.............................................................................................. 1956
Creating and managing agent attributes.................................................................................................................1957
Creating an Agent Attribute.................................................................................................................................. 1957
Defining a search filter for creating user-defined attributes..................................................................................1958
Verifying attribute queries with the Attribute Query Resolver tool........................................................................ 1958
Applying a new attribute or changed attribute to agents......................................................................................1959
Undoing changes to agent attributes....................................................................................................................1959
Editing user-defined agent attributes.................................................................................................................... 1960
Defining a search filter for creating user-defined attributes..................................................................................1960
Verifying attribute queries with the Attribute Query Resolver tool........................................................................ 1960
Applying a new attribute or changed attribute to agents......................................................................................1961
Undoing changes to agent attributes....................................................................................................................1961
Editing user-defined agent attributes.................................................................................................................... 1961
Manage and add endpoint devices.......................................................................................................................... 1961
Creating and modifying endpoint device configurations....................................................................................... 1962
Viewing and managing agent groups...................................................................................................................... 1963
Agent group conditions......................................................................................................................................... 1964
Creating a new agent group................................................................................................................................. 1964
Assigning configurations to deploy groups........................................................................................................... 1965
Updating outdated agent configurations............................................................................................................... 1965
Verify that group assignments are correct............................................................................................................1965
Agent group conditions......................................................................................................................................... 1965
Assigning configurations to deploy groups........................................................................................................... 1966
Updating outdated agent configurations............................................................................................................... 1966
Verify that group assignments are correct............................................................................................................1966
Viewing Group Conflicts............................................................................................................................................1966
How to resolve group conflicts................................................................................................................................ 1967
Changing groups........................................................................................................................................................1967
About Symantec DLP Agent administration........................................................................................................... 1968
Agent Overview screen.........................................................................................................................................1968
Using the Agent List screen.......................................................................................................................... 1969
Using the Summary Reports screen............................................................................................................. 1974
Agent task confirmation screen..................................................................................................................... 1978
Changing the Endpoint Prevent Server.........................................................................................................1980
About agent events............................................................................................................................................... 1981
Summarizing agent events............................................................................................................................ 1981
Agent Event Detail screen............................................................................................................................. 1982
Troubleshooting Agent Alerts.........................................................................................................................1982
About Symantec DLP Agent removal................................................................................................................... 1987
Removing DLP Agents from Windows Endpoints Using System Management Software............................. 1987
Removing a DLP Agent from a Windows endpoint.......................................................................................1988
Removing DLP Agents from Mac endpoints Using System Management Software..................................... 1988
Removing a DLP Agent from a Mac Endpoint..............................................................................................1989
DLP Agent Logs......................................................................................................................................................... 1989
Setting the log levels for an Endpoint Agent........................................................................................................1989
About agent password management....................................................................................................................... 1990
Create a new agent uninstall or Endpoint tools password................................................................................... 1991
Change an existing agent uninstall or Endpoint tools password..........................................................................1991
Retain existing agent uninstall or Endpoint tools passwords............................................................................... 1992
About global application monitoring....................................................................................................................... 1992
Changing global application monitoring settings.................................................................................................. 1993
Monitoring instant messenger applications on Mac endpoints.............................................................................1994
List of CD/DVD applications................................................................................................................................. 1994
About adding applications........................................................................................................................................ 1995
Adding a Windows application.................................................................................................................................1996
Generating Third-party Application Information Using the GetAppInfo Tool.........................................................1997
Adding a macOS application.................................................................................................................................... 1998
Defining macOS application binary names...........................................................................................................1999
Ignoring macOS applications....................................................................................................................................2000
About Application File Access monitoring............................................................................................................. 2000
Implementing Application File Access monitoring................................................................................................ 2001
About Endpoint FlexResponse................................................................................................................................. 2001
Deploying Endpoint FlexResponse.......................................................................................................................... 2002
About deploying Endpoint FlexResponse plug-ins on endpoints........................................................................2003
Deploying Endpoint FlexResponse plug-ins using a silent installation process................................................2003
About the Endpoint FlexResponse utility............................................................................................................... 2004
Deploying an Endpoint FlexResponse plug-in using the Endpoint FlexResponse utility.................................. 2005
Enabling Endpoint FlexResponse on the Enforce Server..................................................................................... 2006
Uninstalling an Endpoint FlexResponse plug-in using the Endpoint FlexResponse utility...............................2006
Retrieving an Endpoint FlexResponse plug-in from a specific endpoint............................................................ 2007
Retrieving a list of Endpoint FlexResponse plug-ins from an endpoint.............................................................. 2007
About the SEP Intensive Protection file reputation service..................................................................................2007
Enabling SEP Intensive Protection.......................................................................................................................... 2008
Setting the SEP Intensity Level................................................................................................................................2009
Adding a SEP Intensive Protection response rule.................................................................................................2009
Monitoring Google Chrome using the Chrome Content Analysis Connector Agent SDK on Windows endpoints (Feature Preview)..............................2010
Configuring Google Chrome Monitoring for Windows Endpoints Using the Google Chrome Content Analysis Connector Agent SDK...........................2010
About Endpoint Notifications....................................................................................................................................2011
Customizing Endpoint Notification Strings............................................................................................................2012
Adding Non-English Endpoint Notification Strings................................................................................................2012
Removing Non-English Endpoint Notification Strings...........................................................................................2013
Language Support for Endpoint Notification Strings............................................................................................ 2013
Customizing Endpoint Notification Strings for Agents Earlier than DLP 16.0.......................................................2014
Endpoint Notifications............................................................................................................................................2015
AIPBlockAuthentication endpoint notification category..................................................................................2016
AIPSuggestAuthentication endpoint notification category............................................................................. 2017
Browser.Extension.Notifications endpoint notification category.....................................................................2017
Common.Messages endpoint notification category....................................................................................... 2018
Device.Control endpoint notification category............................................................................................... 2019
Response.Rule.Common.Messages endpoint notification category............................................................. 2019
Response.Rule.Variable.Text endpoint notification category.........................................................................2019
Using cloud services to prevent data loss................................................................................. 2022
About the Cloud Management Portal (CMP)........................................................................................................... 2022
Accessing the Cloud Management Portal from the Enforce Server administration console.................................2022
Using the Cloud Management Portal................................................................................................................... 2022
About Application Detection..................................................................................................................................... 2023
Managing Application Detection...............................................................................................................................2023
About Symantec Data Loss Prevention Cloud Service for Email.........................................................................2027
Customer roles for Cloud Service for Email......................................................................................................... 2027
About Symantec Email Security.cloud and Symantec Cloud Service for Email................................................... 2028
About the enrollment bundle.................................................................................................................................2028
Support for Symantec Cloud Service for Email....................................................................................................2029
Cloud Service for Email components and workflow............................................................................................. 2029
System requirements for Symantec Cloud Service for Email............................................................................. 2030
Preparing to implement Cloud Service for Email................................................................................................. 2030
Symantec Cloud Service for Email Implementation overview.............................................................................. 2030
Saving the enrollment bundle............................................................................................................................... 2031
Opening a port for communication with the cloud service................................................................................... 2032
Enabling incident reconciliation.............................................................................................................................2032
Configuring on-premises Microsoft Exchange to use Symantec Email Security.cloud for delivery (Forwarding Mode).....................................2033
Configuring Microsoft 365 to use Symantec Email Security.cloud for email delivery (Forwarding mode)............ 2036
Configuring Microsoft 365 to use Microsoft 365 for email delivery (Reflecting mode)......................................... 2038
Detecting emails from a subset of Microsoft 365 Exchange Online users...........................................................2041
Configuring Google Workspace Gmail to send outbound emails to Cloud Service for Email.............................. 2041
Detecting emails from a subset of Google Workspace Gmail users.................................................................... 2042
About updating email domains in the Enforce Server administration console..................................................... 2043
Viewing Cloud Service for Email detector details......................................................................................... 2043
Adding the unique TXT record to your DNS settings....................................................................................2044
Updating Email Domains............................................................................................................................... 2044
Update override by the Broadcom Symantec Cloud Service........................................................................2045
Upgrading from Data Loss Prevention 15.8 if you use reflecting mode........................................................2045
Testing Symantec Cloud Service for Email.......................................................................................................... 2046
Creating and Publishing a Policy Group for Symantec Cloud Service for Email..................................................2046
Modifying SPF records in Email Security.cloud to ensure email delivery.............................................................2047
Deleting the Cloud Detector to reset the cloud service........................................................................................2047
Requesting a new Cloud certificate......................................................................................................................2047
Installing cloud certificates for detectors...............................................................................................................2048
Understanding size limits for profiles....................................................................................................................2048
Using Symantec Email Security.cloud Data Protection........................................................................................ 2048
Configuring the Enforce Server to sync with Email Security.cloud Email Quarantine.......................................... 2049
Setting up the Enforce Server to work with Email Security.cloud to quarantine messages and remediate email incidents.................................2049
About the Cloud Detection Service for Web Security Service (WSS).................................................................. 2050
About roles for implementing the Cloud Detection Service for Web Security Services (WSS)............................ 2050
Cloud Detection Service solution architecture and process flow........................................................................ 2050
System and deployment requirements................................................................................................................. 2051
Process for deploying the Cloud Detection Service............................................................................................. 2051
Saving the enrollment bundle............................................................................................................................... 2052
Registering the Cloud Detection Service..............................................................................................................2053
About Integrating the Symantec Web Security Service with Symantec Data Loss Prevention............................ 2053
Configuring the Symantec Web Security Service integration with Symantec Data Loss Prevention....................2054
Working with Symantec Web Security Services incidents................................................................................... 2054
About the Symantec integration with MIP for DLP Cloud..................................................................................... 2054
About your Microsoft MIP credentials...................................................................................................................2055
Enabling MIP for DLP Cloud on the Azure portal................................................................................................ 2055
Configuring DLP cloud detectors with MIP access credentials............................................................................ 2056
Deleting MIP Insight credential profiles................................................................................................................ 2056
About content detection with OCR in the Cloud....................................................................................................2057
Language support for OCR in the Cloud content extraction................................................................................ 2057
Detection types supported for OCR in the Cloud content extraction................................................................... 2059
File types supported for OCR in the cloud extraction......................................................................................... 2059
About DLP Appliances.................................................................................................................. 2060
Obtaining License Files for the API Detection for Developer Apps Appliance or Virtual Appliance................. 2060
Deployment overview for the virtual appliance...................................................................................................... 2061
Setting up the virtual appliance............................................................................................................................... 2062
Unbinding or resetting a DLP appliance................................................................................................................. 2064
Updating appliance software.................................................................................................................................... 2064
Log Files and Logging for Appliances.................................................................................................................... 2065
Introducing and deploying the API Detection for Developer Apps Appliance.................................................... 2065
About the API Detection for Developer Apps Appliance...................................................................................... 2065
About the Command Line Interface (CLI)............................................................................................................ 2066
Deployment overview for the API Detection for Developer Apps Appliance........................................................ 2066
Setting up the API Detection for Developer Apps Appliance............................................................................... 2067
Upload the Symantec license file......................................................................................................................... 2069
Adding the API Detection for Developer Apps Appliance.................................................................................... 2069
Configuring the API Detection for Developer Apps Appliance............................................................................. 2069
Post-deployment tasks.......................................................................................................................................... 2070
Updating to a new release from the Enforce Server administration console....................................................... 2070
About the Symantec Data Loss Prevention Detection REST API.........................................................................2071
About the Detection REST API 2.0 Topics...........................................................................................................2071
Overview of the Symantec Data Loss Prevention Detection REST API 2.0........................................................ 2072
Detection Requests for the DLP Detection REST API 2.0..................................................................................... 2072
URL........................................................................................................................................................................2073
HTTP Method........................................................................................................................................................ 2073
HTTP Request Headers........................................................................................................................................2073
HTTP Body............................................................................................................................................................2073
Detection Request Format and Definitions...........................................................................................................2073
Context Entries...............................................................................................................................................2074
Content Blocks............................................................................................................................................... 2078
Option Entry................................................................................................................................................... 2079
Sample Request....................................................................................................................................................2080
Input Validation...........................................................................................................................................................2081
Detection Results....................................................................................................................................................... 2082
HTTP Response Headers.....................................................................................................................................2082
HTTP Response Codes........................................................................................................................................ 2082
Detection Result Format and Definitions.............................................................................................................. 2083
Policy.............................................................................................................................................................. 2083
Response Action............................................................................................................................................ 2084
Response Action Parameters........................................................................................................................ 2085
Warning..................................................................................................................................................................2086
Content Detail........................................................................................................................................................2086
Error Messages..................................................................................................................................................... 2086
Sample Response................................................................................................................................................. 2087
Action Acknowledgment Requests.......................................................................................................................... 2087
URL........................................................................................................................................................................2088
HTTP Method........................................................................................................................................................ 2088
HTTP Body............................................................................................................................................................2088
Action Acknowledgment Request Format and Descriptions.................................................................................2088
Actions Taken.................................................................................................................................................2088
Sample Action Acknowledgment Request............................................................................................................2089
Supported File Types for DLP REST API 2.0 Detection.........................................................................................2089
Word Processing File Types Supported for REST API 2.0 Detection.................................................................. 2090
Multimedia File Types Supported for REST API 2.0 Detection............................................................................2091
Spreadsheet File Types Supported for REST API 2.0 Detection......................................................................... 2091
Presentation File Types Supported for REST API 2.0 Detection......................................................................... 2091
Image File Types Supported for REST API 2.0 Detection................................................................................... 2092
Encapsulation File Types Supported for REST API 2.0 Detection.......................................................................2093
Encryption File Types Supported for REST API 2.0 Detection............................................................................ 2093
Other File Types Supported for REST API 2.0 Detection.................................................................................... 2094
Product Usage License Data (Telemetry)....................................................................................2095
Related Documents........................................................................................................................2099
Documentation Legal Notice........................................................................................................ 2100
About What's New in Data Loss Prevention 16.0.1
What's New and What's Changed topics describe new and changed features and capabilities in Symantec Data Loss
Prevention 16.0.1.
Significant changes relative to previous releases are highlighted, including removal of features or supported platforms.
This content provides enough detail to help you understand the features. Feature descriptions provide links to detailed
deployment information, where applicable. Specific implementation or configuration details for these new features are not
provided.
NOTE
The Symantec Data Loss Prevention 16.0.1 release represents the first release update (RU). See Symantec
Data Loss Prevention Release Types.
Click the links for descriptions of the new and changed features.
• Enforce Server Features in Data Loss Prevention 16.0.1
• Platform Features in Data Loss Prevention 16.0.1
• Endpoint Features in Data Loss Prevention 16.0.1
• Discover Features in Data Loss Prevention 16.0.1
• Detection Features in Data Loss Prevention 16.0.1
• Removed and Deprecated Features and Platforms in Data Loss Prevention 16.0.1
Ability to View and Manage Audit Logs in the Enforce Server Administration Console
You can now filter and view log information at System > Servers and Detectors > Audit Logs in the Enforce Server
administration console.
You can filter the logs by date, IP address, user name, role, entity, and action.
You can view event details such as time, user IP address, user name, user ID, user status, role, entity, action, and detail.
See Using Audit Logs.
• The column selection dropdown on Incident Report pages is changed to a modal dialog box.
• More Summary Attributes, Select Columns, and Filter Attributes are available for the Incident Report page
• Ability to expand and collapse all rows and individual rows in the Incident Report
• Ability to expand or to collapse the Applied Filters section in the Incident Report
See About Incident Reports.
Endpoint Features in Data Loss Prevention 16.0.1
New and changed features for Endpoint include platform support for Ubuntu 20.04LTS and 22.04LTS, support for the User
Cancel response rule on macOS endpoints, and more Chrome monitor support.
The following sections provide detailed descriptions of the new and changed features for Endpoint.
• Support for Ubuntu Endpoints
• Support for upgrading to the 16.0.1 agent using LiveUpdate on Windows and macOS endpoints
• Support for User Cancel response rule on macOS Endpoints
• Monitoring Google Chrome using the Chrome Content Analysis Connector Agent SDK on Windows endpoints (Feature Preview)
• Increased Domain Filter Character Limit
Support for upgrading to the 16.0.1 agent using LiveUpdate on Windows and macOS endpoints
Symantec Data Loss Prevention 16.0.1 supports upgrading the DLP Agent using LiveUpdate on Windows and macOS
endpoints.
To upgrade to the 16.0.1 agent, you must have version 16.0 installed. You cannot upgrade from a version earlier than 16.0
using LiveUpdate.
Monitoring Google Chrome using the Chrome Content Analysis Connector Agent SDK on Windows endpoints
(Feature Preview)
The Chrome Content Analysis Connector Agent SDK provides an alternate mechanism for the DLP Agent to interface with
Google Chrome (starting with version 117) for data loss monitoring on Windows endpoints. You can enable this integration
as an alternative to deploying the Symantec Extension.
NOTE
Support for this feature preview covers monitoring scenarios as described below. Work is underway to stabilize
support for browser print monitoring and Broadcom invites customer feedback about the feature preview in your
testing environments.
Broadcom will announce the General Availability (GA) of this feature for deployment in production environments
at a future date.
The integration between the DLP Agent and the Chrome Content Analysis Connector Agent SDK supports the following
monitoring scenarios:
• File uploads
• Clipboard actions
• Print actions
To configure Chrome monitoring through the Chrome Content Analysis Connector Agent SDK, you must configure a
Chrome Browser Cloud Management policy and must enroll the browsers that you want to manage.
You do not need to remove the Symantec extension from the browsers on the Endpoint to enable the Chrome SDK setting
and configure a CBCM policy. The advanced agent setting, not the presence of the extension, drives the behavior.
In addition, this integration introduces the following new agent responses in Endpoint incidents:
For more information, see Configuring Google Chrome Monitoring for Windows Endpoints Using the Google Chrome
Content Analysis Connector Agent SDK.
Detection Features in Data Loss Prevention 16.0.1
New and changed detection features in Symantec DLP 16.0.1 include new logging and other tools to identify non-BMP
characters, new and modified data identifiers and policy templates, and quicker uploading of EDM indexes.
The following sections provide detailed descriptions of each new and changed feature for Data Loss Prevention 16.0.1
detection.
• Handling Non-BMP Characters in Content Scanned in DLP
• OCR Library Upgrade
• New Structured Data Identifiers
• New Data Identifiers
• Modified Structured Data Identifier
• Modified Data Identifiers
• New Policy Templates
• Modified Policy Templates
• Quicker Loading of EDM Indexes After Re-indexing
• MIP SDK Upgrade
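Non-BMP characters (code points above U+FFFF) matter for detection because a UTF-16 based engine sees each one as two code units, and because compatibility characters such as the mathematical-bold letters can spell a keyword without ever containing its ASCII form. The following added example is not Symantec code and does not use the product's logging; it is a stand-alone Python illustration whose sample strings are constructed here. It identifies the non-BMP characters in a string, shows the UTF-16 code-unit count an engine would work with, and shows a keyword rule that misses the text until it is NFKC-normalized:

```python
import unicodedata

BMP_MAX = 0xFFFF

# Constructed sample: "confidential" written with MATHEMATICAL BOLD SMALL letters
# (U+1D41A..U+1D433). Every letter is outside the BMP, so a plain substring match
# for "confidential" does not fire.
EVASIVE_TEXT = "Label: " + "".join(
    chr(0x1D41A + ord(c) - ord("a")) for c in "confidential"
)
# Constructed sample with a single emoji (U+1F600).
EMOJI_TEXT = "Quarterly numbers attached \U0001F600"


def find_non_bmp(text):
    """Return (index, code point, Unicode name) for every character above U+FFFF."""
    return [
        (i, ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) > BMP_MAX
    ]


def utf16_code_units(text):
    """Length as a UTF-16 based engine (for example a Java String) counts it:
    each non-BMP character costs two code units, so match offsets differ from len(text)."""
    return len(text.encode("utf-16-le")) // 2


def surrogate_pair(cp):
    """Split a supplementary code point into its UTF-16 high and low surrogates."""
    if cp <= BMP_MAX:
        raise ValueError("not a supplementary code point")
    v = cp - 0x10000
    return 0xD800 + (v >> 10), 0xDC00 + (v & 0x3FF)


def contains_keyword(text, keyword, fold=False):
    """Case-insensitive keyword check as a simple detection rule would do it.
    With fold=True the text is NFKC-normalized first, which maps compatibility
    characters such as the math-bold letters back to their ASCII base letters."""
    haystack = unicodedata.normalize("NFKC", text) if fold else text
    return keyword.casefold() in haystack.casefold()


def report(text):
    """Summarize what the engine sees; this is the data worth logging for non-BMP input."""
    hits = find_non_bmp(text)
    return {
        "code_points": len(text),
        "utf16_units": utf16_code_units(text),
        "non_bmp": len(hits),
        "names": sorted({name for _, _, name in hits}),
    }


if __name__ == "__main__":
    print(report(EVASIVE_TEXT))
    print(contains_keyword(EVASIVE_TEXT, "confidential"),
          contains_keyword(EVASIVE_TEXT, "confidential", fold=True))
    print([hex(u) for u in surrogate_pair(0x1F600)])
```

The practical point is the pair of results from `contains_keyword`: the same rule returns False on the raw text and True after NFKC folding, which is why the character class an engine normalizes before matching is a detection-coverage question, not a cosmetic one.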
– Japanese first and last names
– credit card number
– Japan My Number
– Japan Driver License number
• US Social Security Number is used to detect information such as
– first and last names
– email addresses
– US Social Security numbers
PII (Structured Data Identifier): Modified by excluding the US SSN Data Identifier from the national ID numbers.
New Policy Templates
The following policy templates are added:
Feature Notes
The previous Incident Reporting page is no longer supported. Use the new Incident Reporting page.
This page will not appear in the next release.
Incident Reports page sizes of 5000 and 10000 are removed. Incident Reports now offer page sizes of 10, 20, 50 (default), 100, 500, and 1000.
Removed Features for Detection
Feature: Email Quarantine Connect FlexResponse plug-in
Notes: The installer for the Email Quarantine Connect FlexResponse plug-in, Symantec_DLP_Plugin_Email_Quarantine_Connect.exe, is not shipped with Symantec Data Loss Prevention. Previous versions of the plug-in are compatible with DLP 16.0.1.
Feature: SOAP APIs for incident reporting and update
Notes: The SOAP APIs for Incident Reporting and Update are deprecated starting with version 15.7 and will not be supported in a subsequent release.
Removed Features for the Symantec Data Loss Prevention REST API
Table 3: Removed Features for the Symantec Data Loss Prevention REST API
Feature Notes
Deprecated Support
When a feature is “deprecated”, it is supported in the current release, but Symantec plans to remove support in an
upcoming release. If your Symantec Data Loss Prevention environment includes a deprecated feature, you should plan on
updating it to a later supported version or a different supported feature as soon as possible.
Table 6: Deprecated Platform Support
Enforce Server: The Export as XML feature is deprecated in DLP 16.0 and will be removed in a future release. Reports that are exported to XML in DLP 16.0 are limited to the hard-coded DLP 15.8 format. They are not customizable.
Endpoint: macOS 11.x
Release Notes
Review fixed issues and known issues.
The release notes list fixed issues for a given release, platforms that are no longer supported or that are deprecated, other
important information, and late-breaking updates.
Issue ID Description
DLP-72065 Incident report filtering by Incident History Issuer "Is None Of" is correct and does not include incidents that should be filtered out.
DLP-72066 Double Summary reports including Status as primary variable no longer generate an empty incident list when the user drills down from one summary line item.
DLP-72196 The Enforce Server administration console now allows passwords that are 30 characters or longer.
DLP-72389 Profile report preferences change the delimiter for CSV Exported Reports.
DLP-72398 Cyrillic characters in summarization values work in summarized reports.
DLP-72433 Reports summarized by a custom attribute display the attribute label in the pending/applied filters list.
DLP-73151 In DLP 16.0 the Application MD5 Hash, Application SHA-256 Hash, and Application user columns are no longer missing.
DLP-73272 When users have an unsupported language set as their locale on the Enforce Server administration console, the default language context-sensitive help now displays when the user clicks the Help (?) icon.
DLP-73344 Pressing the Apply button while an incident report is loading no longer resubmits the report for processing in parallel, so performance is not impacted.
DLP-73474 Scheduled reports summarized by a custom incident attribute are sent on schedule.
DLP-73641 The incident reports no longer execute slowly.
DLP-73650 The BlobExternalization folder no longer fills up with orphaned message folders from failed incident persistence.
DLP-73652 When you implement an Enforce Server without detection servers and only CDS connections, you can now access the Logs screen successfully.
DLP-73695 The RSOD no longer displays after you attempt to delete a user with a scheduled, saved report.
DLP-73899 Endpoint Servers that include illegal characters in the name field can now start and report to the Enforce Server.
DLP-73920 Sorting summarized reports works successfully for more than one column.
DLP-73949 After a user changes the Summarization field, the page loads without errors.
DLP-74063 After an Active Directory import to create protect users, the DLP Manager Service starts without errors.
DLP-74096 When a user sends an email to guest email accounts (external users from a trusted domain) selected from the first instance of the Offline Global Address List in the Outlook Address Book list, the recipient email address is no longer shown as null in incident reports and empty in incident snapshots.
DLP-74110 A user who has two assigned roles can edit the role that has the All Channels report associated with that role.
Issue ID Description
DLP-74115 Scheduled dashboard reports that are sent through email now contain the details of the dashboard report. The report is sent with data in the displayed message and the email contains the body of the report.
Issue ID Description
DLP-65290 User Risk Score conditions are not evaluated when ANDed with an EDM condition.
DLP-67079 There is now a valid value for the "Device Inside Office" on the Application incident list page.
DLP-71743 Sensitive data inserted in a text box, or a shape added to a Microsoft Excel file, are now detected.
DLP-71744 Exported Google Sheets .xlsx files now generate DLP Endpoint incidents.
DLP-73467 Excessive logging of Regex matching, which caused logs to roll over, no longer occurs. Logs are now moved from INFO to FINEST.
DLP-73550 Detection servers no longer take an extended period to connect to the Enforce Server when many data identifiers are used in a policy.
DLP-73552 Endpoint detection works when there are empty data identifier pre- or post-validator characters.
DLP-73839 The Custom script error logging Print() advanced function now works.
DLP-74117 Improved handling of non-BMP characters in DLP. For more information on non-BMP characters in DLP 16.0.1, see Detection Features in Data Loss Prevention 16.0.1.
Issue ID Description
DLP-71435 The Get Discover Targets API is optimized to quickly list many Network Discover scan targets on the Discover Targets screen. There is a performance improvement in the time to load the Discover Targets screen with many targets configured.
DLP-72079 The longer content root paths for Network Discover scan targets are displayed completely in the Scan Detail > Download Scan Statistics report.
Endpoint Fixed Issues
Issue ID Description
Issue ID Description Workaround
DLP-16787 On macOS endpoints, domain filters stop working after users navigate to a different browser tab and then return to the original tab. Workaround: Don't switch browser tabs until you've finished uploading all desired files to the filtered domain.
DLP-71824 On Windows endpoints, the DLP Agent fails to detect existing MIP encryption on emails in Microsoft 365. As a result, the Endpoint: MIP Classification response rule incorrectly suggests or enforces new labels for these emails. Workaround: This issue is a result of recent changes in Microsoft 365. Symantec will provide an update when new information is available.
Issue ID Description Workaround
DLP-74239 On Linux endpoints, after upgrading the DLP Agent, the agent service generates the following warning message at startup: symantec-dpl-agent.service changed on disk. Workaround: You can ignore this warning message.
Issue ID Description Workaround
DLP-74144 An Unknown result is shown twice with different counts in the Summary Report. Workaround: There are two reasons for two rows showing as Unknown:
1. A string text literal Unknown is in the database for the attribute that is used in the summarization.
2. There are NULLs in the database for the attribute that is used in the summarization.
The Unknown resulting from NULLs is found toward the bottom of the result set displayed on the screen. You can add a filter and use an appropriate operator. The Is Unassigned operator reports the rows with NULL. You can use Equality comparison operators for the string literal Unknown.
DLP-74377 When a negation filter operand (for example, "does not contain") is used in an incident report and you export the report as XML, the report does not list the same number of incidents as listed on the Incidents screen. The Incidents screen lists the correct number of incidents. Workaround: None. The XML exported data is not the same as the XML data seen in the user interface. XML export was deprecated in DLP 16.0 and is not supported in the next major DLP release.
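The two Unknown rows described for DLP-74144 are a consequence of SQL grouping semantics, not of the report layer alone. The following added example is not Symantec code and does not touch the Enforce database; it uses an in-memory SQLite table with constructed rows to reproduce the effect, and shows why an Is Unassigned filter (NULL test) and an equality filter (string literal) select different rows, and why a negation filter silently drops the NULL rows too:

```python
import sqlite3

# Constructed sample: incidents whose custom attribute "department" is a real value,
# the literal string 'Unknown', or NULL (never assigned).
SAMPLE_ROWS = [
    (1, "Finance"), (2, "Unknown"), (3, None), (4, "Unknown"),
    (5, None), (6, None), (7, "Finance"),
]


def load():
    """Build the throwaway table; the column name is this example's assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incident (incident_id INTEGER PRIMARY KEY, department TEXT)")
    conn.executemany("INSERT INTO incident VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def summarize(conn):
    """What a summary report does: GROUP BY the attribute. NULL forms its own group,
    sorted last here, and a report layer that renders NULL as 'Unknown' produces
    a second 'Unknown' row with a different count."""
    rows = conn.execute(
        "SELECT department, COUNT(*) FROM incident "
        "GROUP BY department ORDER BY department IS NULL, department"
    ).fetchall()
    return [("Unknown" if dept is None else dept, n) for dept, n in rows]


def count_unassigned(conn):
    """The Is Unassigned operator: matches NULL only."""
    return conn.execute("SELECT COUNT(*) FROM incident WHERE department IS NULL").fetchone()[0]


def count_literal_unknown(conn):
    """An equality operator: matches the string literal only. NULL = 'Unknown' is not true in SQL."""
    return conn.execute("SELECT COUNT(*) FROM incident WHERE department = 'Unknown'").fetchone()[0]


def count_not_unknown(conn):
    """Negation pitfall: NULL <> 'Unknown' is also not true, so the NULL rows vanish from the result."""
    return conn.execute("SELECT COUNT(*) FROM incident WHERE department <> 'Unknown'").fetchone()[0]


def count_not_unknown_or_unassigned(conn):
    """The negation that a reviewer usually means: exclude the literal but keep unassigned rows."""
    return conn.execute(
        "SELECT COUNT(*) FROM incident WHERE department <> 'Unknown' OR department IS NULL"
    ).fetchone()[0]


if __name__ == "__main__":
    c = load()
    print(summarize(c))
    print(count_unassigned(c), count_literal_unknown(c),
          count_not_unknown(c), count_not_unknown_or_unassigned(c))
```

When reconciling counts between the Incidents screen and an export, check which of the two Unknown populations a filter actually addresses; a filter that only names the literal leaves the NULL rows in place, and one that only negates the literal removes them.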
Table 15: Discover Known Issues in 16.0.1
DLP-74673 The JREMigrationUtility does not upgrade the JRE for indexers that are installed in standalone mode. Workaround: Uninstall the affected indexer, then reinstall it and point it to the new OpenJRE location.
Table 18: Enforce Platform Known Issues in 16.0
CDM-101117, DLP-66625 Use of a keyboard to navigate and send controls is not available in the new data grid tables that are used on the Incident List and Discover Target pages. Workaround: Use of the mouse is required on these pages.
DLP-65826 The ICD Response Rule was removed from Data Loss Prevention 16.0. ICD has also been removed as a configuration option on the Enforce Server administration console. Legacy policies with ICD response rules (that were created and exported in previous versions) do not process. Workaround: Remove all ICD response rules before migration to 16.0. See the Symantec Data Loss Prevention Help Center for more information.
DLP-67049 The DAG plugin automatic flex response requires that you copy jars from the tomcat library. Workaround: The manual flex response plugin for DAG works out of the box. For automatic flex response, you must copy the following five jersey jars to serverplatformcommon from the tomcat library:
• jersey-client-2.26.jar
• jersey-common-2.26.jar
• jersey-entity-filtering-2.26.jar
• jersey-hk2-2.26.jar
• jersey-media-json-jackson-2.26.jar
Issue Description Workaround
DLP-66961 When remote users connect to Azure Virtual Desktop endpoints using the Remote Desktop web client, DLP cannot monitor file transfers and file access on the virtual hard drive. Workaround: Refer to the Microsoft Remote Desktop Services documentation for information about securing or disabling the Remote Desktop Virtual Drive. See https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client.
DLP-67006 The Microsoft Edge Startup boost feature must be disabled to get a DLP Edge Extension event. Workaround: None.
DLP-67016 On Windows endpoints: After MIP Classification labels are enforced for Office documents that are synced to Microsoft OneDrive, temporary backup files are not deleted from OneDrive. Workaround: None.
DLP-67275 When a user prints a document from an application such as Google Drive or Firefox, the application converts the document to an image or gibberish text, and then print monitoring does not work. Workaround: None.
Table 21: Detection Known Issues in 16.0
This table lists the Enforce Server known issues in 16.0 MP1.
Known issues in 15.8 MP1
This section lists the known issues that were discovered in version 15.8 after it was released.
DLP-36269 After Data Loss Prevention added support for S/MIME .p7m files, new S/MIME encrypted emails were sent as attachments. Workaround: To perform detection on the body of the original S/MIME email, you must select Attachment for all Policy conditions.
Installation and upgrade known issues in 15.8 MP2
DLP-61433 If you upgrade to 15.8 MP2 from a 15.8 MP1 hotfix, you cannot uninstall 15.8 MP2. Workaround:
1. To uninstall the 15.8 MP1 hotfix and 15.8 MP2 simultaneously, run the following command:
msiexec /i <product code or path of the DLP 15.8 installer> MSIPATCHREMOVE=<PATCHGUID of the 15.8 MP1 hotfix or file path of the 15.8 MP2 MSP file>;<PATCHGUID of 15.8 MP2 or file path of the 15.8 MP2 MSP file> /qb
2. To complete the downgrade, re-apply the 15.8 MP1 hotfix.
Installation and upgrade known issues in 15.8 MP3
DLP-61433 If you upgrade to a Maintenance Pack from an earlier hotfix, you cannot uninstall the Maintenance Pack to downgrade to the earlier hotfix. Workaround:
1. To uninstall the Maintenance Pack and the earlier hotfix simultaneously, run the following command:
msiexec /i <product code or path of the DLP 15.8 installer> MSIPATCHREMOVE=<PATCHGUID of the hotfix or file path of the Maintenance Pack MSP file>;<PATCHGUID of Maintenance Pack or file path of the Maintenance Pack MSP file> /qb
2. To complete the downgrade, re-apply the earlier hotfix.
DLP-16787 On macOS endpoints, the domain filter does not work properly when browser tabs are switched in Google Chrome and Mozilla Firefox. Workaround: Don't switch browser tabs until you've finished uploading all of the desired files to the filtered domain.
DLP-30011 On macOS endpoints, after disabling or enabling the Chrome extension, file upload monitoring stops working. Workaround: This is a known issue in the Chrome extension API. It works differently for published and non-published extensions. Symantec has filed the following issue with the Chrome team: Issue 1133121: chrome.runtime.onInstalled not fired for published extension.
DLP-30012 On macOS endpoints, when you use Google Chrome in incognito mode or guest mode, or Mozilla Firefox in private mode, monitoring is unavailable. Workaround: Symantec recommends that you disable Incognito mode and guest mode in Google Chrome and private mode in Mozilla Firefox using MDM settings. This behavior is expected, as third-party browser extensions, such as the Symantec extension, are not loaded in Incognito mode and private mode.
Symantec Data Loss Prevention includes the following release types:
• Major release
• Minor release
• Release update (RU)
Major Release
A major release incorporates all updates since the last release. You can install a major release for the first time, or can
upgrade to a major release from a previous release.
A major release can include all or some of the following programmatic updates:
• New features and enhancements, such as architectural changes, major feature changes, or new platform or operating
system support.
• Bug fixes
• Database schema changes (typically)
• New SKUs.
A major release version number reads XX.0, where XX is the major release version. For example, Symantec Data Loss
Prevention version 16.0 is a major release.
Minor Release
A minor release incorporates all updates since the last major or minor release. You can install a minor release for the first
time, or can upgrade to a minor release from a previous release.
A minor release can include all or some of the following programmatic updates:
• Minor features and enhancements, such as architectural changes, feature changes, or new platform or operating
system support
• Bug fixes
• Database schema changes (typically)
• New SKUs
A minor release version number reads XX.YY, where XX is the preceding major release version and YY is the minor
release number. For example, Symantec Data Loss Prevention version 15.8 is a minor release.
Release Update
A release update incorporates all updates since the last major or minor release. You can install a release update for the
first time, or you can upgrade to a release update from the previous major release.
A release update (RU) can include all or some of the following programmatic updates:
• Customer-reported bug fixes
• Security fixes
• Database schema changes (occasionally)
A release update version number reads XX.YY.ZZ, where variables are defined in the following list:
• XX is the preceding major release version
• YY is the minor release number, if applicable
• ZZ is the RU version
For example, Symantec Data Loss Prevention version 16.0.1 is a release update.
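The version scheme above, together with the LiveUpdate prerequisite stated under Endpoint Features (the 16.0.1 agent can be reached through LiveUpdate only from 16.0), is the kind of rule an administrator scripts before pushing an agent update. The following added example is not Symantec code: it parses XX.YY and XX.YY.ZZ strings, classifies them by the rule on this page, and gates a rollout inventory. The page states only the 16.0 to 16.0.1 case; treating any agent on the same XX.YY base with a lower ZZ as LiveUpdate-eligible is this example's assumption, as is the constructed inventory:

```python
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    update: int


# XX.YY or XX.YY.ZZ as described on this page; anything else is rejected.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not a Symantec DLP version string: {text!r}")
    return Version(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def release_type(text):
    """Classify by the page's rule: ZZ > 0 is a release update, else YY > 0 is a minor
    release, else a major release ("16.0.0" therefore classifies the same as "16.0")."""
    v = parse_version(text)
    if v.update:
        return "release update"
    if v.minor:
        return "minor release"
    return "major release"


def liveupdate_can_upgrade(installed, target):
    """Gate for pushing an agent RU through LiveUpdate. Assumption (see lead-in): the
    installed agent must share the target's XX.YY base and be at a lower ZZ."""
    i, t = parse_version(installed), parse_version(target)
    return (i.major, i.minor) == (t.major, t.minor) and t.update > i.update


def plan_rollout(agents, target):
    """Split (host, version) pairs into LiveUpdate-eligible hosts and hosts that are
    either already at or beyond the target or need a full installer first."""
    eligible, not_eligible = [], []
    for host, ver in agents:
        (eligible if liveupdate_can_upgrade(ver, target) else not_eligible).append(host)
    return eligible, not_eligible


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_AGENTS = [("win-01", "16.0"), ("mac-02", "16.0.0"), ("win-03", "15.8"), ("lnx-04", "16.0.1")]

if __name__ == "__main__":
    for v in ("16.0", "15.8", "16.0.1"):
        print(v, release_type(v))
    print(plan_rollout(SAMPLE_AGENTS, "16.0.1"))
```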
Related Links
Planning the installation on page 207
Preparing to upgrade on page 351
Applying a server Maintenance Pack
Getting started
Learn about getting started with Symantec Data Loss Prevention.
About updates to the Symantec Data Loss Prevention Help Center
News and Alerts
Introducing Symantec Data Loss Prevention
Getting Started Administering Symantec Data Loss Prevention
Working with languages and locales
Table 28: Change history for the Symantec Data Loss Prevention system requirements
Date Description
13 September 2023 Added support for Chrome 117 on both Windows and macOS.
12 September 2023 Added support for DLP Agents on macOS 11.7.10 and 12.6.9.
Subscribing to Alerts
You can also subscribe to proactive notifications to receive updates by email.
Complete the following steps to subscribe to notifications or update existing notifications:
1. Go to https://support.broadcom.com/, click Login, and enter credentials.
2. Click the bell icon, then the gear icon to display the Notification Settings page.
3. Enter Data Loss Prevention in the Search by Product Name field.
4. Select Symantec Data Loss Prevention components for which you want to be notified and the notification type to
receive. Your changes are saved as you make selections.
Introducing Symantec Data Loss Prevention
Symantec Data Loss Prevention enables you to:
• Discover and locate confidential information in repositories, on file and web servers, in databases, and on endpoints (desktop and laptop systems)
• Protect confidential information through quarantine
• Monitor network traffic for transmission of confidential data
• Monitor the use of sensitive data on endpoints
• Prevent transmission of confidential data to outside locations
• Automatically enforce data security and encryption policies
Symantec Data Loss Prevention includes the following components:
• Enforce Server
About the Enforce Server platform
About Symantec Data Loss Prevention administration
About the Enforce Server administration console
• Network Discover
About Network Discover
• Network Protect
About Network Protect
• Network Monitor
About Network Monitor and Prevent
• Network Prevent
About Network Monitor and Prevent
• Endpoint Discover
About Endpoint Discover
• Endpoint Prevent
About Endpoint Prevent
The Discover, Protect, Monitor, and Prevent modules can be deployed as stand-alone products or in combination.
Regardless of which stand-alone products you deploy, the Enforce Server is always provided for central management.
Note that the Network Protect module requires the Network Discover module.
Associated with each product module are corresponding detection servers and cloud detectors:
• Network Discover Server locates the exposed confidential data on a broad range of enterprise data repositories
including:
– File servers
– Databases
– Microsoft SharePoint
– IBM/Lotus Notes
– EMC Documentum
– Livelink
– Microsoft Exchange
– Web servers
– Other data repositories
If you are licensed for Network Protect, this server also copies and quarantines sensitive data on file servers as
specified in your policies.
About Network Discover
• Network Monitor Server monitors the traffic on your network.
About Network Monitor and Prevent
• Network Prevent for Email Server blocks emails that contain sensitive data.
About Network Monitor and Prevent
• Network Prevent for Web Server blocks HTTP postings and FTP transfers that contain sensitive data.
About Network Monitor and Prevent
• Endpoint Server monitors and prevents the misuse of confidential data on endpoints.
About Endpoint Discover
About Endpoint Prevent
The distributed architecture of Symantec Data Loss Prevention allows organizations to:
• Perform centralized management and reporting.
• Centrally manage data security policies once and deploy immediately across the entire Symantec Data Loss
Prevention suite.
• Scale data loss prevention according to the size of your organization.
About the Enforce Server platform
The Symantec Data Loss Prevention Enforce Server is the central management platform that enables you to define,
deploy, and enforce data loss prevention and security policies. The Enforce Server administration console provides a
centralized, web-based interface for deploying detection servers, authoring policies, remediating incidents, and managing
the system.
Introducing Symantec Data Loss Prevention
The Enforce platform provides you with the following capabilities:
• Build and deploy accurate data loss prevention policies. You can choose among various detection technologies, define
rules, and specify actions to include in your data loss prevention policies. Using provided regulatory and best-practice
policy templates, you can meet your regulatory compliance, data protection and acceptable-use requirements, and
address specific security threats.
• Automatically deploy and enforce data loss prevention policies. You can automate policy enforcement options for
notification, remediation workflow, blocking, and encryption.
• Measure risk reduction and demonstrate compliance. The reporting features of the Enforce Server enable you to
create actionable reports identifying risk reduction trends over time. You can also create compliance reports to address
conformance with regulatory requirements.
• Empower rapid remediation. Based on incident severity, you can automate the entire remediation process using
detailed incident reporting and workflow automation. Role-based access controls empower individual business units
and departments to review and remediate those incidents that are relevant to their business or employees.
• Safeguard employee privacy. You can use the Enforce Server to review incidents without revealing the sender identity
or message content. In this way, multi-national companies can meet legal requirements on monitoring European Union
employees and transferring personal data across national boundaries.
About role-based access control
configure a Network Monitor Server to monitor custom protocols and to use a variety of filters (per protocol) to filter out
low-risk traffic.
• Network Prevent for Email
Network Prevent for Email integrates with standard MTAs and hosted email services to provide in-line active SMTP
email management. Policies that are deployed on in-line Network Prevent for Email Server direct the next-hop mail
server to block, reroute, or tag email messages. These blocks are based on specific content and other message
attributes. Communication between MTAs and Network Prevent for Email Server can be secured as necessary using
TLS.
Implement Network Monitor, review the incidents it captures, and refine your policies accordingly before you implement
Network Prevent for Email.
• Network Prevent for Web
For in-line active web request management, Network Prevent for Web integrates with an HTTP, HTTPS, or FTP proxy
server. This integration uses the Internet Content Adaptation Protocol (ICAP). The Network Prevent for Web Server
detects confidential data in HTTP, HTTPS, or FTP content. When it does, it causes the proxy to reject requests or
remove HTML content as specified by the governing policies.
marker text file in the original location of the offending file. The marker file can explain why and where the original file
was quarantined.
• Copy exposed or suspicious files. Network Protect can automatically copy those files that violate policies to a
quarantine area. The quarantine area can re-create the source file structure for easy location, and leave the original file
in place.
• Quarantine file restoration. Network Protect can easily restore quarantined files to their original or a new location.
• Enforce access control and encryption policies. Network Protect proactively ensures workforce compliance with
existing access control and encryption policies.
About Symantec Data Loss Prevention
• About Symantec Data Loss Prevention administration
• About the Enforce Server administration console
• Logging On and Off the Enforce Server Administration Console
• About the administrator account
• Performing Initial Setup Tasks
• Changing the Administrator Password
• Adding an administrator email account
• Editing a user profile
• Changing your password
Related Links
Installing DLP on page 207
Install the Enforce Server, detection servers, and DLP Agents.
About the Enforce Server administration console on page 96
Performing Initial Setup Tasks on page 98
Table 29: Administration console navigation and operation icons
Icon Description
Help. Click this icon to access the context-sensitive online help for your current page.
Select this page as your Home page. If the current screen cannot be selected as your Home page, this icon is
unavailable.
Back to previous screen. Symantec recommends using this Back button rather than your browser Back button. Use
of your browser Back button may lead to unpredictable behavior and is not recommended.
Screen refresh. Symantec recommends using this Refresh button rather than your browser Reload or Refresh
button. Use of your browser buttons may lead to unpredictable behavior and is not recommended.
Print the current report. If the current screen contents cannot be sent to the printer, this icon is unavailable.
Email the current report to one or more recipients. If the current screen contents cannot be sent as an email, this icon
is unavailable.
About the administrator account
The Symantec Data Loss Prevention system is preconfigured with a permanent administrator account. Note that the name
is case sensitive and cannot be changed. You configured a password for the administrator account during installation.
See Installing DLP for more information.
Only the administrator can see or modify the administrator account. Role options do not appear on the administrator
configure screen, because the administrator always has access to every part of the system.
Related Links
Changing the Administrator Password on page 98
Adding an administrator email account on page 99
Related Links
Installing DLP on page 207
Install the Enforce Server, detection servers, and DLP Agents.
Configuring user accounts
1. Log on as administrator.
2. Click Profile in the upper-right corner of the administration console.
3. On the Edit Profile screen:
• Enter your new password in the New Password field.
• Re-enter your new password in the Re-enter New Password field. The two new passwords must be identical.
Note that passwords are case-sensitive.
4. Click Save.
Related Links
About the administrator account on page 98
About the Enforce Server administration console on page 96
1. Enter your new password in the New Password field.
2. Re-enter your new password in the Re-enter New Password field.
3. Click Save.
To use certificate authentication
4. If certificate authentication is available to you, select Use Certificate authentication.
5. Enter your LDAP common name (CN) in the Common Name (CN) field.
6. Click Save.
7. In the Email Address field enter your personal email address.
8. Click Save.
9. Click the option next to your language choice.
10. Click Save.
The Enforce Server administration console is re-displayed in the new language.
11. Select a text encoding option:
• Use browser default encoding. Check this box to specify that text files use the same encoding as your browser.
• Pull down menu. Click on an encoding option in the pull down menu to select it.
12. Click Save.
The new text encoding is applied to CSV exported files. This encoding lets you select a text encoding that matches the
encoding that is expected by CSV applications.
To select a CSV delimiter
13. Choose one of the delimiters from the pull-down menu.
14. Click Save.
The new delimiter is applied to the next comma-separated values (CSV) list that you export.
15. Include Incident Violations in XML Export. If this box is checked, reports exported to XML include the highlighted
matches on each incident snapshot.
16. Include Incident History in XML Export. If this box is checked, reports exported to XML include the incident history
data that is contained in the History tab of each incident snapshot.
17. Click Save.
Your selections are applied to the next report you export to XML.
If neither box is checked, the exported XML report contains only the basic incident information.
1. Enter your old password in the Old password field of the Password Renewal window.
2. Enter your new password in the New Password field of the Password Renewal window.
3. Re-enter your new password in the Re-enter New Password field of the Password Renewal window.
The next time you log on, you must use your new password.
You can also change your password at any time from the Profile screen.
Editing a user profile
About the administrator account
Logging On and Off the Enforce Server Administration Console
• Arabic
• Brazilian Portuguese
• Chinese (traditional)
• Chinese (simplified)
• Czech
• Danish
• Dutch
• English
• Finnish
• French
• German
• Greek
• Hebrew
• Hungarian
• Italian
• Japanese
• Korean
• Norwegian
• Polish
• Portuguese
• Romanian
• Russian
• Spanish
• Swedish
• Turkish
NOTE
Symantec Data Loss Prevention cannot be installed on a Windows operating system that is localized for the
Turkish language, and you cannot choose Turkish as an alternate locale.
A number of capabilities are not implied by this support:
• Technical support provided in a non-English language. Because Symantec Data Loss Prevention supports a particular
language does not imply that technical support is delivered in that language.
• Localized administrative user interface (UI) and documentation. Support for a language does not imply that the UI
or product documentation has been localized into that language. However, even without a localized UI, user-defined
portions of the UI such as pop-up notification messages on the endpoint can still be localized into any language by
entering the appropriate text in the UI.
• Localized content. Keywords are used in a number of areas of the product, including policy templates and data
identifiers. Support for a language does not imply that these keywords have been translated into that language. Users
may, however, add keywords in the new language through the Enforce Server administration console.
• New file types, protocols, applications, or encodings. Support for a language does not imply support for any new file
types, protocols, applications, or encodings that may be prevalent in that language or region other than what is already
supported in the product.
• Language-specific normalization. An example of normalization is to treat accented and unaccented versions of
a character as the same. The product already performs a number of normalizations, including standard Unicode
normalization that should cover the vast majority of cases. However, it does not mean that all potential normalizations
are included.
• Region-specific normalization and validation. An example of this is the awareness that the product has of the format
of North American phone numbers, which allows it to treat different versions of a number as the same, and to identify
invalid numbers in EDM source files. Support for a language does not imply this kind of functionality for that language
or region.
Items in these excluded categories are tracked as individual product enhancements on a language- or region-specific
basis. Contact Symantec Technical Support for additional information on language-related enhancements or plans for the
languages not listed.
About support for character sets, languages, and locales
CAUTION
When you install a new version of Symantec Data Loss Prevention, any language packs you have installed are
deleted. To run the new version localized, you must install the version of the language pack that matches the
new release.
Related Links
About locales on page 331
About support for character sets, languages, and locales on page 101
About locales
Locales are installed as part of a language pack.
A locale provides the following:
• Displays dates and numbers in formats appropriate for that locale.
• Sorts lists and reports based on text columns, such as "policy name" or "file owner," alphabetically according to the
rules of the locale.
An administrator can also configure an additional locale for use by individual users. This additional locale need only be
supported by the required version of Java.
For a list of these locales, see https://www.oracle.com/technetwork/java/javase/java8locales-2095355.html.
You use the Language Pack Utility to specify a locale if one is not specified at product installation time.
Using a non-English language on the Enforce Server administration console
About support for character sets, languages, and locales
2. Scroll to the Language section of the Edit General Settings screen, and click the button next to the language you
want to use as the system-wide default.
3. Click Save.
Individual Symantec Data Loss Prevention users can choose which of the available languages and locales they want to
use by updating their profiles.
Editing a user profile
Administrators can use the Language Pack Utility to update the available languages.
Using the Language Pack Utility
About support for character sets, languages, and locales
NOTE
If the Enforce Server runs on a Linux host, you must install language fonts on the host machine using the Linux
Package Manager application. Language font packages begin with fonts-<language_name>. For example,
fonts-japanese-0.20061016-4.el5.noarch
NOTE
Administrators can only make one other locale available for users that is not based on a previously installed
Symantec Data Loss Prevention language pack.
About support for character sets, languages, and locales
Add a language pack on Linux
1. Advise other users that anyone currently using the Enforce Server administration console must save their work and log
off.
2. Open a terminal session to the Enforce Server host and switch to the DLP_system_account by running the following
command:
su - DLP_system_account
3. Run the following command:
DLP_home/Protect/bin/LanguagePackUtility -a <path to language pack zip file>
4. Log on to the Enforce Server administration console and confirm that the new language option is available on the Edit
General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.
Where locale is a valid Java locale code corresponding to a Symantec Data Loss Prevention language pack.
For example, to remove the French language pack enter:
LanguagePackUtility -r fr_FR
To remove multiple language packs during the same session, specify multiple locale codes separated by spaces.
3. Log on to the Enforce Server administration console and confirm that the language pack is no longer available on the
Edit General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.
4. Advise users that anyone currently using the Enforce Server administration console must save their work and log off.
5. Run the Language Pack Utility using the -c flag followed by the Java locale code for the locale that you want to
change or add. Enter:
LanguagePackUtility -c locale
Where locale is a valid locale code that is recognized by Java, such as pt_PT for Portuguese.
For example, to change the locale to Brazilian Portuguese enter:
LanguagePackUtility -c pt_BR
6. Log on to the Enforce Server administration console and confirm that the new alternate locale is now available on the
Edit General Settings screen. To confirm the locale, go to System > Settings > General > Configure > Edit General
Settings.
If you specify a locale for which there is no language pack, "Translations not available" appears next to
the locale name. This means that formatting and sort order are appropriate for the locale, but the Enforce Server
administration console screens and online Help are not translated.
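The following wrapper is an added example, not a script shipped with Symantec Data Loss Prevention. It puts the three Language Pack Utility procedures above (add with -a, remove with -r, change the alternate locale with -c) behind the checks an operator wants before touching a production Enforce Server: the locale codes are validated (and tr_TR refused, since Turkish cannot be chosen as an alternate locale), the language pack must be a readable .zip, and the utility only runs as the DLP system account the procedure calls for. DLP_HOME and DLP_SYSTEM_ACCOUNT are assumptions read from the environment; the defaults in the script are placeholders, not paths from this page.

```shell
#!/bin/sh
# Added example; not part of the Symantec Data Loss Prevention documentation.
# Wraps the Language Pack Utility procedures above (add with -a, remove with -r,
# change the alternate locale with -c) in the checks an operator would want before
# touching a production Enforce Server.
# Assumptions, not stated on this page: DLP_HOME and DLP_SYSTEM_ACCOUNT are read from
# the environment (the defaults below are placeholders), and the utility is only ever
# invoked in the three forms the procedures show.

DLP_HOME="${DLP_HOME:-/path/to/DLP_home}"             # placeholder
DLP_SYSTEM_ACCOUNT="${DLP_SYSTEM_ACCOUNT:-protect}"   # placeholder account name
LPU="$DLP_HOME/Protect/bin/LanguagePackUtility"

# Java locale code as the utility expects it: two lowercase language letters, an
# underscore, two uppercase country letters (pt_BR, fr_FR). tr_TR is refused because
# Turkish cannot be chosen as an alternate locale.
is_valid_locale() {
    printf '%s' "$1" | grep -Eq '^[a-z]{2}_[A-Z]{2}$' || return 1
    [ "$1" != "tr_TR" ]
}

# A language pack is a readable regular file with a .zip extension.
is_language_pack() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    case "$1" in *.zip) return 0 ;; *) return 1 ;; esac
}

# Validate the arguments for one action and print the command line that would run.
# Returns 1 (with a reason on stderr) without printing anything if validation fails.
lpu_command() {
    action="$1"; shift
    case "$action" in
        -a) [ $# -eq 1 ] && is_language_pack "$1" \
                || { echo "-a needs exactly one readable .zip language pack" >&2; return 1; } ;;
        -r) [ $# -ge 1 ] || { echo "-r needs one or more locale codes" >&2; return 1; }
            for code in "$@"; do
                is_valid_locale "$code" || { echo "invalid locale code: $code" >&2; return 1; }
            done ;;
        -c) [ $# -eq 1 ] && is_valid_locale "$1" \
                || { echo "-c needs exactly one valid locale code" >&2; return 1; } ;;
        *)  echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf '%s %s' "$LPU" "$action"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Run the utility, but only as the DLP system account the procedure calls for, and
# only if the binary is where DLP_HOME says it is. Arguments are passed through
# unchanged, so paths with spaces survive.
lpu_run() {
    lpu_command "$@" >/dev/null || return 1
    [ "$(id -un)" = "$DLP_SYSTEM_ACCOUNT" ] \
        || { echo "run as $DLP_SYSTEM_ACCOUNT (su - $DLP_SYSTEM_ACCOUNT), not $(id -un)" >&2; return 1; }
    [ -x "$LPU" ] || { echo "utility not found at $LPU; check DLP_HOME" >&2; return 1; }
    echo "Make sure everyone is logged off the Enforce Server administration console first." >&2
    "$LPU" "$@"
}

# Usage: ./lpu.sh -a /tmp/French_LangPack.zip | ./lpu.sh -r fr_FR de_DE | ./lpu.sh -c pt_BR
if [ $# -gt 0 ]; then
    lpu_run "$@"
fi
```

Validation is kept separate from execution so that lpu_command can be used on its own to preview the exact command line (for a change ticket, for example) without running anything.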
Related Links
About Symantec Data Loss Prevention language packs on page 331
DLP System Requirements
System requirements, recommendations, and deprecations.
About system requirements
System requirements and recommendations
Product compatibility
Virtual machine support
Supported operating systems for the EMDI, EDM, and IDM Remote Indexers
Third-party software requirements and recommendations
Variable: Number of Network Discover clusters
  Single tier: Not supported
  Small: A single Network Discover cluster; up to ten detection servers; a single scan target; minimal policies
  Medium: A single Network Discover cluster; up to ten detection servers; up to ten scan targets; up to fifty policies
  Large: Three or more Network Discover clusters with up to forty-four worker nodes in each cluster; one hundred detection servers; ten scan targets; one hundred policies
Variable: Daily incident volume
  Single tier: N/A
  Small: 10,000
  Medium: 50,000
  Large: 100,000
Variable: Volume of network traffic to monitor
  Single tier: 30-40 Mbps
  Small: 30-40 Mbps
  Medium: 30-40 Mbps
  Large: >40 Mbps
Variable: EDM/EMDI/IDM index size
  Single tier: EDM 4 million cells or IDM 250 MB (1400 files). See Data Loss Prevention policy detection technologies for information about EDM, IDM, and EMDI impact on sizing for enterprise deployments.
  Small, Medium, Large: See Data Loss Prevention policy detection technologies for information about EDM, IDM, and EMDI impact on sizing for enterprise deployments.
Variable: Form Recognition profile size
  All sizes: See Form Recognition sizing and performance for information about Form Recognition sizing.
Variable: Hardware requirements
  Single tier: Single-tier Installation Minimum Hardware Requirements
  Small: Small Installation Hardware Recommendations
  Medium: Medium Installation Hardware Recommendations
  Large: Large Enterprise Hardware Recommendations
Minimum Supported Hardware Requirements for Enforce Servers
The following table lists minimum supported hardware requirements for Enforce Servers. Ensure that your hardware meets
these minimum requirements before you install the Enforce Server.
Processor: Four-core CPU
Memory: 8 GB RAM. The following DLP services should have 8 GB allocated of the total available RAM (minimum RAM
requirements are listed individually):
• Symantec DLP Manager (minimum 2 GB)
• Symantec DLP Detection Server Controller (minimum 1 GB)
• Symantec DLP Incident Persister (minimum 2 GB)
Allocate 1 GB of the total RAM to the Symantec DLP Notifier service (minimum 256 MB).
Disk: 500 GB hard drive storage. For Network Discover deployments, approximately 150 MB of disk space is required to
maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per
item in the target.
NICs: One copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
Small Installation Hardware Recommendations
The following table provides the system recommendations for a small installation of Symantec Data Loss Prevention.
A small installation can be a three-tier installation, in which the Enforce Server and Oracle database are hosted on
separate computers.
Ensure optimal performance for the Network Discover cluster deployment by setting the max memory setting for the
SymantecDetectionServerController process on the cluster server to 6 GB.
Symantec recommends that you plan to meet hardware recommendations to ensure optimal performance.
NOTE
The default content size for detection is 30 MB. If you plan to scan files larger than 30 MB, see Symantec Data
Loss Prevention Tuning Guidelines for Inspecting Large Files for information about tuning your system for large
file inspection.
Enforce Server hardware recommendations for a small installation:
Processor: Eight-core CPU
Memory: 32 GB RAM. The following DLP services should have 8 GB allocated of the total available RAM (minimum RAM
requirements are listed individually):
• Symantec DLP Manager (minimum 2 GB)
• Symantec DLP Detection Server Controller (minimum 1 GB)
• Symantec DLP Incident Persister (minimum 2 GB)
Allocate 1 GB of the total RAM to the Symantec DLP Notifier service (minimum 256 MB).
Disk: 500 GB hard drive storage. For Network Discover deployments, approximately 150 MB of disk space is required to
maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per
item in the target.
NICs: One copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
Table 34: Oracle database minimum hardware requirements for a small installation
Table 35: Network Monitor minimum hardware requirements for a small installation
Processor: Four-core CPU
Memory: 6–8 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
• About memory requirements for EDM
• Memory requirements for EMDI
• Estimating endpoint memory use for agent IDM
See Form Recognition sizing and performance at the Tech Docs Portal for information about Form Recognition sizing.
Disk: 140 GB
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with the Enforce Server.
High-speed packet capture cards: Generic: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC.
Table 36: Network Discover Network Prevent, Cloud Prevent for Email, or Endpoint Prevent small installation
minimum hardware requirements
Table 37: Network Discover cluster small installation minimum hardware requirements
Enforce Server hardware recommendations for a medium installation:
Processor: Twelve-core CPU
Memory: 64 GB RAM. The following DLP services should have 16 GB allocated of the total available RAM:
• Symantec DLP Manager
• Symantec DLP Detection Server Controller
• Symantec DLP Incident Persister
Allocate 1 GB of the total RAM to the Symantec DLP Notifier service.
For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
• About memory requirements for EDM
• Memory requirements for EMDI
• Estimating endpoint memory use for agent IDM
See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 500 GB hard drive storage (SSD recommended). For Network Discover deployments, approximately 150 MB of disk
space is required to maintain incremental scan indexes. This requirement is based on an overhead of 5 MB per incremental
scan target and 50 bytes per item in the target.
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
Table 39: Oracle database hardware recommendations for a medium installation
Network Monitor hardware recommendations for a medium installation:
Processor: Four-core CPU
Memory: 6–8 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
• About memory requirements for EDM
• Memory requirements for EMDI
• Estimating endpoint memory use for agent IDM
See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with the Enforce Server.
High-speed packet capture cards: Generic: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC.
Table 41: Network Discover, Network Prevent, Cloud Prevent for Email, or Endpoint Prevent medium installation
hardware recommendations
Table 43: Enforce Server hardware recommendations for a large installation
Processor: Sixteen-core CPU
Memory: 128 GB RAM. The following DLP services should have 24 GB allocated of the total RAM for each:
• Symantec DLP Manager
• Symantec DLP Detection Server Controller
• Symantec DLP Incident Persister
Allocate 1 GB of the total RAM to the Symantec DLP Notifier service.
For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
• About memory requirements for EDM
• Memory requirements for EMDI
• Estimating endpoint memory use for agent IDM
See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 1 TB storage (SSD or SAN). For Network Discover deployments, approximately 1 GB of disk space is required to
maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per
item in the target.
NICs: To communicate with detection servers: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC
Table 45: Network Monitor hardware recommendations for a large installation
Processor: Eight-core CPU
Memory: 8–16 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
• About memory requirements for EDM
• Memory requirements for EMDI
• Estimating endpoint memory use for agent IDM
See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB
NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with the Enforce Server.
High-speed packet capture cards: High-speed packet capture card
Table 46: Network Discover Network Prevent, Cloud Prevent for Email, or Endpoint Prevent large installation
hardware recommendations
Processor: Eight-core CPU
Memory: 8–16 GB RAM. For information about EDM, IDM, and EMDI impact on sizing, see the following topics:
• About memory requirements for EDM
• Memory requirements for EMDI
• Estimating endpoint memory use for agent IDM
See Form Recognition sizing and performance for information about Form Recognition sizing.
Disk: 140 GB. For Network Discover deployments, approximately 1 GB of disk space is required to maintain incremental
scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs: To communicate with the Enforce Server: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC
Table 47: Network Discover cluster large installation hardware recommendations
Related Links
The Effect of Scale on System Requirements on page 108
Oracle database requirements on page 128
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2016, Standard Edition
• Microsoft Windows Server 2016, Datacenter Edition
• Microsoft Windows Server 2019, Datacenter and Standard
• Red Hat Enterprise Linux 7.5 through 7.9
Installing fonts on Linux servers
NOTE
Red Hat Enterprise Linux 7.x is deprecated in Symantec Data Loss Prevention 16.0.1.
• Red Hat Enterprise Linux 8.0, 8.3 through 8.4, 8.6, and 8.8
Installing fonts on Linux servers
• Oracle Linux 7.5 through 7.9 and 8.3
Installing fonts on Linux servers
English language and localized versions of both Linux and Windows operating systems are supported. See Supported
languages for detection for detailed information about supported languages and character sets.
The domain controller agent enables you to resolve user names from IPv4 addresses in HTTP/S and FTP incidents. See
Installing DLP for domain controller agent installation details.
Symantec Data Loss Prevention supports the following operating systems for the domain controller agent:
• Microsoft Windows Server 2012, Datacenter Edition (64-bit)
• Microsoft Windows Server 2012, Standard Edition (64-bit)
• Microsoft Windows Server 2012 R2, Datacenter Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2012 R2, Standard Edition with patches
Installing patches for Windows Server 2012 R2
• Microsoft Windows Server 2016, Standard Edition
• Microsoft Windows Server 2016, Datacenter Edition
• Microsoft Windows Server 2019, Datacenter and Standard
Linux partition guidelines
Minimum free space requirements for Linux partitions vary according to the specific details of your Symantec Data
Loss Prevention installation. The table below provides general guidelines that should be adapted to your installation as
circumstances warrant. Symantec recommends using separate partitions for the different file systems, as indicated in the
table. If you combine multiple file systems onto fewer partitions, or onto a single root partition, make sure the partition has
enough free space to hold the combined sizes of the file systems listed in the table.
NOTE
Partition size guidelines for detection servers are similar to those for Enforce Server without an Oracle database.
Linux partition minimum size guidelines—Enforce Server without a database, or detection server
Table 48: Linux partition minimum size guidelines—Enforce Server with Oracle database
Partition: /boot
  Minimum size: 100 MB
  Notes: This must be in its own ext2 or ext3 partition, not part of soft RAID (hardware RAID is supported).
Partition: swap
  Minimum size: Equal to RAM
  Notes: If you need to have the memory dump in case of system crash (for debugging), you may want to increase these
  amounts.
Table 49: Linux partition minimum size guidelines—Enforce Server without a database, or detection server
Partition: /boot
  Minimum size: 100 MB
  Notes: This must be in its own ext2 or ext3 partition, not part of soft RAID (hardware RAID is supported).
Partition: swap
  Minimum size: Equal to RAM
  Notes: If you need to have the memory dump in case of system crash (for debugging), you may want to increase these
  amounts.
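The following pre-install check is an added example, not a tool shipped with Symantec Data Loss Prevention. It applies the two partition rules from Tables 48 and 49 as stated on this page (swap at least equal to RAM; /boot on its own ext2 or ext3 partition that is not on software RAID) to the text of /proc/meminfo and to the output of findmnt, so it can be run on the host about to be installed or against output captured from another machine. The sample inputs embedded in the script are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example; not part of the Symantec Data Loss Prevention documentation.
# Pre-install checks for the two partition rules in Tables 48 and 49: swap at least
# equal to RAM, and /boot on its own ext2 or ext3 partition that is not part of
# software RAID. Each check takes its input as text so it can be run against the live
# host or against output captured from another machine.

# swap_check MEMINFO: MEMINFO is the text of /proc/meminfo. Returns 0 when
# SwapTotal >= MemTotal (both in kB), 1 when swap is smaller, 2 if unparseable.
swap_check() {
    mem=$(printf '%s\n' "$1" | awk '$1=="MemTotal:"  {print $2}')
    swap=$(printf '%s\n' "$1" | awk '$1=="SwapTotal:" {print $2}')
    [ -n "$mem" ] && [ -n "$swap" ] || return 2
    [ "$swap" -ge "$mem" ] || return 1
}

# boot_check MOUNTS: MOUNTS is the output of `findmnt -rn -o TARGET,SOURCE,FSTYPE`,
# one "target source fstype" triple per line. Returns 0 when /boot is its own mount,
# on a device that is not a Linux software-RAID (md) device, and ext2 or ext3;
# 1 if /boot is not a separate mount; 2 if it sits on an md device; 3 if it has
# another file system type (xfs, ext4, ...), which the guideline does not list.
boot_check() {
    line=$(printf '%s\n' "$1" | awk '$1=="/boot" {print; exit}')
    [ -n "$line" ] || return 1
    src=$(printf '%s\n' "$line" | awk '{print $2}')
    fstype=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$src" in /dev/md*) return 2 ;; esac
    case "$fstype" in ext2|ext3) return 0 ;; *) return 3 ;; esac
}

# Constructed sample inputs (not captured from a real Enforce Server).
SAMPLE_MEMINFO_OK='MemTotal:       32768000 kB
MemFree:         1024000 kB
SwapTotal:      32768000 kB
SwapFree:       32768000 kB'
SAMPLE_MEMINFO_LOW='MemTotal:       32768000 kB
SwapTotal:       8388608 kB'
SAMPLE_MOUNTS_OK='/ /dev/sda2 xfs
/boot /dev/sda1 ext3
/opt /dev/sda3 xfs'
SAMPLE_MOUNTS_NO_BOOT='/ /dev/sda1 xfs
/opt /dev/sda2 xfs'
SAMPLE_MOUNTS_SOFTRAID='/ /dev/md0 xfs
/boot /dev/md1 ext3'
SAMPLE_MOUNTS_XFS_BOOT='/ /dev/sda2 xfs
/boot /dev/sda1 xfs'

# check_host: run both checks against this machine and print one verdict per rule.
check_host() {
    rc=0; swap_check "$(cat /proc/meminfo)" || rc=$?
    case $rc in
        0) echo "swap: OK, at least equal to RAM" ;;
        1) echo "swap: smaller than RAM; enlarge it before installing" ;;
        *) echo "swap: could not read /proc/meminfo" ;;
    esac
    rc=0; boot_check "$(findmnt -rn -o TARGET,SOURCE,FSTYPE)" || rc=$?
    case $rc in
        0) echo "/boot: OK" ;;
        1) echo "/boot: not a separate partition" ;;
        2) echo "/boot: on software RAID, which the guideline excludes" ;;
        *) echo "/boot: not ext2 or ext3" ;;
    esac
}

# Usage: sh partition-check.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The distinct return codes from boot_check let a provisioning pipeline tell "no separate /boot" apart from "wrong file system type" without parsing messages; a detection server can use the same script, since its partition guidelines are the same as those for an Enforce Server without a database.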
All endpoints where the DLP Agent is installed must meet or exceed the minimum hardware specifications.
The following table provides the minimum hardware requirements for supported endpoint platforms.
NOTE
RAM and disk requirements vary based on the number and complexity of DLP policies, detection load,
connection period to the Endpoint Server, and so on.
Table 50: Endpoint minimum hardware requirements
Related Links
Windows Operating System Requirements for Endpoint Systems on page 122
macOS operating system requirements for endpoint systems on page 124
Linux Operating System Requirements for Endpoint Systems on page 126
Windows Server
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
Windows 10 Enterprise Edition (64-bit)
Symantec supports major versions of Windows 10, 21H2 and 22H2. Symantec does not support each minor version.
If you opt to install DLP Agents on a minor version, Symantec Support will make a reasonable effort to provide support
when all system requirements are met.
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
See Supported languages for detection for detailed information about supported languages and character sets.
Windows 11
Symantec supports major versions of Windows 11 21H2 and 22H2. Symantec does not support each minor version. If you
opt to install DLP Agents on a minor version, Symantec Support will make a reasonable effort to provide support when all
system requirements are met.
Version / DLP version 15.8 / DLP version 16.0 / DLP version 16.0.1
Version 21H2 (OS build 22000): Yes / Yes / Yes
Version 22H2 (OS build 22621): No / Yes / Yes
Symantec tests the DLP Agent for compatibility with Microsoft Windows 10 and 11 Beta and Insider Preview builds.
The information on this page is updated approximately every two weeks or as needed, and indicates whether critical
issues have been observed.
The following tables list the results of testing for each build that Microsoft released.
a. The version 16.0 MP1 DLP Agent supports running Hypervisor-protected Code Integrity (HVCI) on Windows 10, Version 22H2.
Release date Build number Test result
Table 53: Endpoint Data Loss Prevention supported macOS operating systems
Operating system DLP version 15.8 DLP version 16.0 DLP version 16.0.1
a. See Configuring MDM profiles for Full Disk Access for macOS 10.15 and DLP Agent support
Operating system DLP version 15.8 DLP version 16.0 DLP version 16.0.1
Symantec DLP Agents can also be installed on supported localized versions of these macOS operating systems.
Symantec tests the DLP Agent for compatibility with macOS beta builds. The following table lists the results of testing with
various builds with Data Loss Prevention 16.0.
The information on this page is updated approximately every two weeks or as needed, and indicates whether critical
issues have been observed.
The following tables list the results of testing for each build that Apple released.
b. The macOS version listed on the Agent List screen appears as macOS 11 for DLP Agent versions 15.7 and 15.8.
Table 54: macOS 14 beta compatibility testing results
Release date: August 22, 2023; Build number: macOS 14 beta 6 (23A5328b); Test result:
• Cloud storage monitoring failed
• Folder upload monitoring failed in Safari
• A recurring pop-up requesting permission to use the Symantec Extension appears for every website visited in Safari
Release date: July 11, 2023; Build number: macOS 14 beta 3 (23a5286i); Test result:
• Cloud storage monitoring failed
• Folder upload monitoring failed in Safari
• A recurring pop-up requesting permission to use the Symantec Extension appears for every website visited in Safari
Table 57: Endpoint Data Loss Prevention supported Linux operating systems
Supported languages for detection
Symantec Data Loss Prevention supports a large number of languages for detection. Policies can be defined that
accurately detect and report on the violations that are found in content in any supported language. The list of
supported languages, and the capabilities that support for a language does not imply, are given in About support for
character sets, languages, and locales.
About support for character sets, languages, and locales
NOTE
Not all language packs are available when a product is first released.
NOTE
Oracle RU 19.6.0.0.0 is only supported on Linux servers.
You can obtain the software from Symantec. For implementation details, see Implementing the Database.
NOTE
Symantec recommends that you run the Oracle 19c Standard Edition 2 database on a supported version
of Windows or Linux. Symantec Data Loss Prevention supports running the Oracle 19c Standard Edition
2 database on platforms that Oracle supports. See Running Oracle 19c Standard Edition 2 software on
alternate platforms.
The Symantec Data Loss Prevention database schema is supported on all editions of Oracle.
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your database is
configured for a different character set, the installer notifies you and cancels the installation.
You can install Oracle on a dedicated server (a three-tier deployment) or on the same computer as the Enforce Server (a
two-tier or single-tier deployment):
• Three-tier deployment.
System requirements for a dedicated Oracle server are listed below.
NOTE
Dedicated Oracle server deployments require that you install the Oracle Client on the Enforce Server
computer if the database is running on a separate server. The Oracle Client version must match the Oracle
database version.
• Single- and two-tier deployments.
When installed on the Enforce Server computer, the Oracle system requirements are the same as those of the Enforce
Server.
Single-tier Installation Minimum Hardware Requirements
Small Installation Hardware Recommendations
If you install Oracle on a dedicated server, that computer must meet the following minimum system requirements for
Symantec Data Loss Prevention:
• One of the following operating systems:
– Microsoft Windows Server 2012 R2 Standard, Enterprise, or Datacenter (64-bit)
– Microsoft Windows Server 2016 Standard or Datacenter (64-bit)
– Red Hat Enterprise Linux 7.5 through 7.9 (64-bit)
– Red Hat Enterprise Linux 8.0, 8.3 through 8.4, 8.6, and 8.8 (only with Oracle 19.8.0.0).
– Oracle Linux 7.5 through 7.9 or Oracle Linux 7.3 with RHCK (Red Hat compatible kernel)
– Oracle Linux 8.3
• 8 – 32 GB of RAM
• 8 – 16 GB of swap space (equal to RAM up to 16 GB)
• 500 GB – 1 TB of disk space for the Enforce database
The exact amount of disk space that is required for the Enforce Server database depends on variables such as:
• The number of policies you plan to initially deploy
• The number of policies you plan to add over time
You can run the Oracle 19c Standard Edition 2 software on platforms supported by the Oracle database software. See the
Oracle documentation for a list of supported platforms and information on installing the database software:
https://docs.oracle.com/en/database/oracle/oracle-database/19/install-and-upgrade.html
Obtain the installation files, CPUs, and RUs for your particular platform from Oracle.
If you run the database software on an alternate platform you can use the database templates that Symantec provides.
However, you must update paths in the template to be compatible with your platform and database software. Symantec
recommends that you use the Linux version of the database template. The Linux template uses elements (for example,
forward slashes [/] as directory separators) most similar to alternate platforms.
Enforce Server with Oracle database on the same computer (two-tier deployments)
Oracle database with Amazon RDS (three-tier deployments)
Cloud Prevent for Email
Network Prevent for Web
Network Prevent for Email
Endpoint Prevent
Network Discover
API Detection for Developer Apps Appliance
For more information, see Deploy Symantec Data Loss Prevention servers on Amazon Web Services .
Deploying Symantec Data Loss Prevention on Microsoft Azure
Symantec Data Loss Prevention supports running Microsoft Azure in a three-tier environment.
NOTE
Ensure that the Oracle database server can communicate with the Enforce Server and that communications are
encrypted using TLS.
The following table lists the servers that are supported for deployment of Data Loss Prevention on Microsoft Azure. See
Minimum system requirements for Symantec Data Loss Prevention servers for a list of the supported operating systems
that you can run on Microsoft Azure.
Symantec supports SIR (Symantec Image Recognition) including OCR and Form Recognition with Cloud Prevent for
Email on Azure.
Symantec supports the use of the Azure load balancer to balance the endpoint client connections to the Endpoint Server.
Table 61: Deploying Symantec Data Loss Prevention on Oracle Cloud Infrastructure as a Service
Enforce Server with Oracle database on the same computer (two-tier deployments)
Network Prevent for Email
Endpoint Prevent
Network Discover
NOTE
Three-tier Symantec Data Loss Prevention deployments are not supported on Oracle Cloud Infrastructure.
Virtual machine support
The following lists virtual machine support:
• Virtual server support
Virtual server support
• Virtual desktop and virtual application support with Endpoint Prevent
Virtual desktop and virtual application support with Endpoint Prevent
Related Links
Operating system requirements for servers on page 118
Minimum System Requirements for Symantec Data Loss Prevention Servers on page 109
Virtual desktop and virtual application support with Endpoint Prevent
You can deploy the DLP Agent on Microsoft Azure, Citrix, and VMware virtual machines to monitor virtual desktops and
prevent remote users from copying sensitive data that is accessible through a virtual desktop.
The DLP Agent is supported to run on the following operating systems in Azure Virtual Desktop:
• Microsoft Windows 10 Enterprise Edition (Single session)
• Microsoft Windows 10 Enterprise Edition (Multi-session)
• Microsoft Windows 11 Enterprise Edition (Single session)
• Microsoft Windows 11 Enterprise Edition (Multi-session)
For more information, see About Azure Virtual Desktop support.
The DLP Agent is supported to run on the following Citrix Virtual Desktop virtual workstations and Citrix Virtual Apps
server configurations:
NOTE
Support listed for Long Term Service Release (LTSR) versions includes Cumulative Updates (CU) released
under the listed LTSR version.
Citrix Virtual Desktop Version Platform
NOTE
Files saved from Microsoft Office (using Save As) to client drives hosted on Citrix Virtual Desktop 7.13 through
7.18 and Citrix Virtual Desktop 7 2003 are not monitored. However, if you are running Citrix Virtual Desktop
7.13 or later with version 7.12 Virtual Delivery Agent (VDA), files saved to client drives (using Save As) are
monitored. See Known issue running Citrix Virtual Apps and Virtual Desktop versions 7.13 through 7.18 at the
Tech Docs Portal.
Supported operating systems for the EMDI, EDM, and IDM Remote Indexers
You can install the Remote EMDI Indexer, the Remote EDM Indexer, and the Remote IDM Indexer on all Windows and
Linux platforms that are supported for installing the Enforce Server and detection servers.
See Operating system requirements for servers.
In addition, you can install the indexers on the following endpoint operating systems:
• Windows:
– Windows 8.1 (64-bit) Enterprise, Professional
– Windows 8.1 Update 1 (64-bit) Enterprise, Professional
– Windows 8.1 Update 2 (64-bit) Enterprise, Professional
– Windows 8.1 Update 3 (64-bit) Enterprise, Professional
– Windows 10 November Update (1511) (64-bit) Enterprise, Professional
– Windows 10 Anniversary Update (1607, RS1) (64-bit) Enterprise, Professional
– Windows 10 Creators Update (1703, RS2)
– Windows 10 Fall Creators Update (1709, RS3)
– Windows 10 April 2018 Update (1803, RS4)
• Linux:
– Red Hat Enterprise Linux 7.3 through 7.7
– Red Hat Enterprise Linux 8.x
– Oracle Linux 7.3 and 7.6
Software | Required for | Description
Adobe Reader | All systems | Adobe Reader is required for reading the Symantec Data Loss Prevention documentation. Download from http://www.adobe.com.
Apache Tomcat version 9 | Enforce Server | Required to support the reporting system. The correct version of Tomcat is automatically installed on the Enforce Server by the Symantec DLP Installation Wizard and does not need to be obtained or installed separately.
OpenJRE 1.8.0_322 – OpenJRE 1.8.0_372 (a) | All servers | Obtain the JRE from the DLPDownloadHome directory. See About updating the JRE to the latest version for information on migrating to the latest JRE version. OpenJRE 1.8.0_372 is supported starting with Symantec Data Loss Prevention version 16.0 MP1.
a. OpenJRE 1.8.0_352 and later use TLS 1.3, which is not currently supported with Symantec Data Loss Prevention. See Network Prevent for Email Servers not running with OpenJRE 1.8.0_352 for information on using TLS 1.2 with OpenJRE.
Table 65: Required Linux RPMs
Table 66: Recommended third-party software
Product compatibility
Environment Compatibility and Requirements for Network Prevent for Email and Cloud Prevent for Email Servers
Proxy Server Compatibility with Network Prevent for Web
SSL monitoring with Network Monitor
Secure ICAP support for Network Prevent for Web
High-speed packet capture card
Veritas Data Insight compatibility with Symantec Data Loss Prevention
Integrations with other Symantec products
Network Discover compatibility
Support for IPv6 addresses
Endpoint Prevent Supported Applications
Environment Compatibility and Requirements for Network Prevent for Email and Cloud Prevent for Email Servers
The Network Prevent for Email Server is compatible with a wide range of enterprise-grade third-party SMTP-
compliant MTAs and hosted email services. Consult your MTA vendor or hosted email service for specific support
questions.
The Network Prevent for Email Server can integrate with an MTA or hosted email service that meets the following
requirements:
• The MTA or hosted email service must be strictly SMTP-compliant and must be able to send and receive mail using only the following command verbs: HELO (or EHLO), RCPT TO, MAIL FROM, QUIT, NOOP, and DATA.
• When running the Network Prevent for Email Server in reflecting mode, the upstream MTA must be able to route
messages to the Server once and only once for each message.
In practice, these requirements mean that you can use an SMTP-compliant MTA that can route outbound messages from
your internal mail infrastructure to the Network Prevent for Email Server. For reflecting mode compatibility, the MTA must
also be able to route messages that are returned from the Network Prevent for Email Server out to their intended
recipients.
Both the Cloud Prevent for Email and the Network Prevent for Email Servers attempt to initiate a TLS connection with a downstream MTA only when the upstream MTA issues the STARTTLS command. The TLS connection succeeds only if the downstream MTA or hosted email service supports TLS and can authenticate itself to the Prevent for Email Server. Successful authentication requires that the appropriate private keys and X.509 certificates are available for each mail server in the proxied message chain.
For more information about configuring TLS support for Network Prevent Servers operating in forwarding mode or
reflecting mode, see Configuring keys and certificates for TLS.
For information about configuring Cloud Prevent for Email see Symantec™ Data Loss Prevention Cloud Prevent for
Microsoft 365 Implementation Guide.
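The two MTA requirements and the STARTTLS rule above can be checked before an MTA is placed in front of the server. The following Python script is an added example and is not part of the Symantec documentation or product: it screens a captured SMTP session for command verbs outside the supported set and for the STARTTLS that decides whether TLS is attempted downstream, and it counts how many times a message has already passed through the Prevent server by its Received: headers (which assumes the server stamps one per pass, as an MTA does). The session transcripts and message headers are constructed; the host names are placeholders.

```python
"""Added example, not from the Symantec documentation: pre-flight checks
for an upstream MTA against the Network Prevent for Email requirements.
All transcripts and messages below are constructed sample data."""
import re
from email import message_from_string

# Verbs the page says the MTA must be able to work with exclusively.
ALLOWED_VERBS = frozenset({"HELO", "EHLO", "MAIL", "RCPT", "DATA", "NOOP", "QUIT"})
# STARTTLS is tolerated because it is what triggers TLS toward the
# downstream MTA; anything else (VRFY, BDAT, ETRN, ...) is reported.
TLS_VERB = "STARTTLS"


def parse_client_commands(transcript):
    """Return (verbs, starttls_seen) from the 'C: ' lines of a session.
    Lines inside a DATA payload, up to the lone '.', are not commands."""
    verbs, in_data, starttls = [], False, False
    for line in transcript.splitlines():
        if not line.startswith("C: "):
            continue
        payload = line[3:]
        if in_data:
            in_data = payload != "."
            continue
        verb = payload.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == TLS_VERB:
            starttls = True
        elif verb == "DATA":
            in_data = True
        verbs.append(verb)
    return verbs, starttls


def check_session(transcript):
    """Summarise whether a session uses only supported verbs and whether
    the Prevent server would attempt TLS downstream (only after STARTTLS)."""
    verbs, starttls = parse_client_commands(transcript)
    unsupported = sorted({v for v in verbs if v not in ALLOWED_VERBS and v != TLS_VERB})
    return {
        "unsupported_verbs": unsupported,
        "downstream_tls_attempted": starttls,
        "compliant": not unsupported,
    }


def times_routed_through(raw_message, prevent_host):
    """Count Received: headers stamped by the Prevent server (assumption:
    it adds one per pass, like an MTA). In reflecting mode the upstream
    MTA must deliver each message to the server exactly once, so a value
    of 2 or more means the reflected copy was looped back to the server."""
    msg = message_from_string(raw_message)
    stamp = re.compile(r"\bby\s+" + re.escape(prevent_host) + r"\b", re.IGNORECASE)
    return sum(1 for value in msg.get_all("Received", []) if stamp.search(value))


# Constructed sessions: "C:" is the upstream MTA, "S:" the Prevent server.
GOOD_SESSION = """\
S: 220 prevent.example.com ESMTP
C: EHLO mta.example.com
S: 250-prevent.example.com
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO mta.example.com
S: 250 prevent.example.com
C: MAIL FROM:<alice@example.com>
S: 250 OK
C: RCPT TO:<bob@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: quarterly numbers
C: RCPT TO:<eve@example.org> appears in the body, not as a command
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

# An MTA that uses VRFY and CHUNKING (BDAT) instead of plain DATA.
BAD_SESSION = """\
C: HELO mta.example.com
C: VRFY bob
C: MAIL FROM:<alice@example.com>
C: RCPT TO:<bob@example.net>
C: BDAT 42 LAST
C: QUIT
"""

# Constructed message that went mta -> prevent -> mta -> prevent (a loop).
LOOPED_MESSAGE = """\
Received: from mta.example.com by prevent.example.com; Mon, 1 Jan 2024 10:00:03 +0000
Received: from prevent.example.com by mta.example.com; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mta.example.com by prevent.example.com; Mon, 1 Jan 2024 10:00:01 +0000
Received: from client.example.com by mta.example.com; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@example.com
To: bob@example.net
Subject: quarterly numbers

body
"""
# The same message as it looks after a single pass (top two stamps removed).
CLEAN_MESSAGE = LOOPED_MESSAGE.split("\n", 2)[2]
```

Run check_session() against a transcript captured from the candidate MTA; a non-empty unsupported_verbs list means the MTA must be configured to fall back to plain DATA and drop the extra verbs, and downstream_tls_attempted shows whether the upstream side actually offers STARTTLS. For reflecting mode, times_routed_through() over messages seen at the Prevent server is a quick loop detector.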
High-speed packet capture card
Symantec Data Loss Prevention supports the Napatech high-speed packet capture card for Network Monitor. The following lists the support details.
Supported cards: Napatech NT20E2, NT20E3, NT4E, NT40A01, and NT40E3
Symantec Data Loss Prevention supports the following driver packages and software:
• Driver package 8.0.3 (driver version 3.5.1) and 11.8.1 (driver version 3.15.x) for Windows
• Driver package 8.1.0 (driver version 3.5.0) and 12.1 (driver version 3.19.x) for Linux
• Link Capture Software 12.7.x for Windows and Linux
Symantec Data Loss Prevention supports the following:
• Multiple capture ports per Napatech network capture card
• NT40A01 Napatech Network Accelerator
• Multi-threaded packet capture
• Napatech hardware filtering
• Napatech third-generation card drivers for Windows and RHEL platforms
• 10 gigabit adapters
• Virtualized Data Loss Prevention Network Monitor with capture cards as PCI pass-through devices in the VMware ESXi platform
Table 68: Supported versions of Veritas Data Insight and Symantec Data Loss Prevention
Data Insight version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
6.1.5 Yes No No
6.1.6 Yes No No
6.2 Yes No No
6.3 Yes No No
6.3.1 Yes No No
6.4.1 No Yes Yes
Integrations with other Symantec products
This section describes compatibility of various integrations of Symantec Data Loss Prevention with the following Symantec
products:
• Symantec Information Centric Analytics
• Symantec PGP Universal Gateway Email
• Symantec Messaging Gateway (SMG) (8200 and 8300 Series)
• Symantec Web Gateway (SWG)
• Symantec Endpoint Protection
• Symantec Data Loss Prevention Data Access Governance
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
Table 70: Symantec Messaging Gateway (SMG) (8200 and 8300 Series)
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
Symantec Endpoint Protection
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
Version DLP version 15.8 DLP version 16.0 DLP version 16.0.1
9.0 Yes No No
11.5 Yes Yes Yes
The File System target supports scanning of the network file systems listed in the following table.
Table 74: Supported file system targets
NOTE
You can use SSHFS to scan File System targets on UNIX systems. Ensure that you use FUSE components and packages that are validated and that adhere to your organization's security policies. Technical support is available only for Symantec components.
Configuring scans of Microsoft Outlook Personal Folders (.pst files)
Setting up server scans of file systems
NOTE
Oracle 12c (12.1.x) is deprecated in Symantec Data Loss Prevention 16.0.1.
• SQL Server 2014 SP3, 2016 SP2, 2017 (Windows only), and 2019 (Windows only) (the vendor_name is sqlserver)
• DB2 10.5, 11.1, and 11.5 (the vendor_name is db2)
NOTE
DB2 10.5 is deprecated in Symantec Data Loss Prevention 16.0.1.
Contact Symantec Data Loss Prevention Support for information about scanning any other SQL databases.
Setting up server scans of SQL databases
Install a JDBC driver on each Network Discover detection server for each SQL database type to be scanned. The
following table lists the latest supported driver versions.
To use the Exchange Web Services connector, Exchange Web Services and the Autodiscover Service must be enabled on your Exchange server and must be accessible to the Network Discover server.
You can scan the data objects that are stored within Public Folders, such as:
• Email messages
• Message attachments
• Microsoft Word documents
• Excel spreadsheets
The Exchange scan also targets mail stored in Exchange 2013, 2016, and 2019 Personal Archives.
Applications Supported by Endpoint Prevent on Windows
This section describes individual applications that can be monitored using Endpoint Prevent on Windows.
IMPORTANT
You must install the latest maintenance pack and hotfix for Symantec Data Loss Prevention to ensure that you
have the platform support as indicated in the following tables. In some cases, platform support as indicated is
enabled only when you apply the latest maintenance pack and hotfix.
Support is listed for the following items:
• HTTP support
• Secure HTTP (HTTPS)
• Instant messaging
• Email
• FTP
• CD/DVD
• Cloud Sync Apps
• Misc.
HTTP support
Instant messaging
FTP
CD/DVD
Software version DLP 15.8 DLP 16.0 DLP 16.0.1
Misc.
Software version DLP 15.8 DLP 16.0 DLP 16.0.1
Click-to-Run Microsoft Pro 2013 Yes No No
Roxio_Central Yes Yes Yes
WebEx Communications Module Yes Yes Yes
Software Version DLP 15.8 DLP 16.0 DLP 16.0.1
Outlook 2011 No No No
Outlook 2016 Yes (No for macOS 11) Yes (No for macOS 11) Yes (No for macOS 11)
Outlook 2019 Yes (a) Yes (a) Yes (a)
Microsoft 365 (16.30 and later) Yes Yes Yes
Office 2021 Yes Yes Yes
a. For macOS 11, Outlook 2019 is supported with Exchange Online or Office 365.
Instant Messaging
Software version DLP 15.8 DLP 16.0 DLP 16.0.1
Table 76: Browser beta test results; Updated on July 5, 2023. DLP version tested: 16.0
Table 77: Browser beta test results; Updated on June 20, 2023. DLP version tested: 16.0
Table 78: Browser beta test results; Updated on June 5, 2023. DLP version tested: 16.0
Table 79: Browser beta test results; Updated on May 22, 2023. DLP version tested: 16.0
Table 80: Browser beta test results; Updated on May 5, 2023. DLP version tested: 16.0
Table 81: Browser beta test results; Updated on April 21, 2023. DLP version tested: 16.0
Table 82: Browser beta test results; Updated on April 5, 2023. DLP version tested: 16.0
Table 83: Browser beta test results; Updated on March 24, 2023. DLP version tested: 16.0
Browser Beta build Platform Result
Table 84: Browser beta test results; Updated on March 08, 2023. DLP version tested: 16.0
Table 85: Browser beta test results; Updated on February 23, 2023. DLP version tested: 16.0
Table 86: Browser beta test results; Updated on February 6, 2023. DLP version tested: 16.0
Table 87: Browser beta test results; Updated on January 24, 2023. DLP version tested: 16.0
Browser Beta build Platform Result
Table 88: Browser beta test results; Updated on January 5, 2023. DLP version tested: 16.0
The DLP Agent monitors macOS applications protected by System Integrity Protection (SIP). The table below lists
the DLP Agent and macOS versions where SIP monitoring is supported for a given Symantec Data Loss Prevention
release.
DLP Agent version SIP monitoring supported by default
16.0.1 macOS 10.15 through 10.15.7
16.0 macOS 10.15 through 10.15.7
15.8 macOS 10.14 through 10.15.7, and macOS 11.1
Implementing the Database
Learn about implementing the Oracle database in your environment.
About this content
Preparing Oracle 19c for use with Symantec Data Loss Prevention
Installing Oracle 19c on Windows
Installing Oracle 19c on Linux
Upgrading the database to Oracle 19c
About migrating the Symantec Data Loss Prevention database to Oracle 19c
About using this content to migrate the Symantec Data Loss Prevention database to Oracle 19c
The high-level steps that you complete to migrate your existing Symantec Data Loss Prevention database to Oracle 19c
are provided in Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c. You must complete each
step to complete the migration successfully.
4. Run the latest version of the Update Readiness Tool.
Preparing Oracle 19c for use with Symantec Data Loss Prevention
This section includes the following topics:
Using Oracle 19c with Symantec Data Loss Prevention
About Oracle Real Application Clusters
About the Oracle multitenant environment
About deploying Oracle to Amazon Web Services (AWS)
You can purchase a Symantec-licensed version of Oracle 19c Standard Edition. After you purchase the software, download the file from Product Downloads at the Broadcom Support Portal.
Download the file that correlates with your server platform:
• Windows: WINDOWS.X64_193000_db_home.zip and WINDOWS.X64_193000_client.zip
• Linux: LINUX.X64_193000_db_home.zip and LINUX.X64_193000_client.zip
You can refer to the following Oracle documentation for details on installing the Oracle 19c software:
https://docs.oracle.com/en/database/oracle/oracle-database/19/install-and-upgrade.html
If you implement a three-tier installation, you must install the Oracle 19c Client (Administrator installation type) on the
Enforce Server. Installation of the Oracle Client enables database communications between the Oracle database server
and the Enforce Server. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the
Enforce Server. For this reason, the Windows or Linux user account that is used to install Symantec Data Loss Prevention
needs access to SQL*Plus.
Symantec provides Oracle 19c database installation tools. The installation tools include response files, templates, and
SQL scripts for each supported database version. You use the installation tools during the installation and configuration of
Oracle 19c on either the Windows or the Red Hat Enterprise Linux platforms.
About Installing Oracle 19c on Windows
About installing Oracle 19c on Linux
NOTE
Run the latest version of the Update Readiness Tool if you are currently running a previous version of the Oracle database. Running the Update Readiness Tool before you migrate the database to the Oracle 19c software ensures that the migrated data is compatible and that no errors occur.
See Preparing to Run the Update Readiness Tool.
5. Shut down Symantec Data Loss Prevention services before applying the RU.
See the Symantec Data Loss Prevention Help Center for steps to shut down services.
6. Apply the RU.
See the readme that is provided by Oracle located in the RU folder for steps to apply the RU.
7. Restart DLP services after you apply the RU.
See Restart all Symantec Data Loss Prevention services.
Related Links
Learn about deploying Symantec Data Loss Prevention servers on Amazon Web Services.
Adding required tablespaces to the PDB database on Windows
Creating the Oracle user account for Symantec Data Loss Prevention on Windows
Verifying the Symantec Data Loss Prevention database on Windows
Table 90: Oracle 19c installation overview
b. Copy the Oracle 19c software file to C:\oracle\product\19.3.0.0\db_1.
c. Extract the Oracle 19c software to the directory C:\oracle\product\19.3.0.0\db_1.
Allow approximately 15 minutes for the extraction process to complete.
• If you are upgrading from a previous version of the Oracle database, create the 19.3.0.0\db_1 directory under the existing \product\ directory. For example, if Oracle 12c is installed under c:\oracle\product\12.2.0.0, create the Oracle 19c directory at c:\oracle\product\19.3.0.0.
5. Install the Oracle Database Client using the Administrator option if you implement a three-tier system.
The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server.
Therefore, the Windows user account that is used to install Symantec Data Loss Prevention must be able to access
SQL*Plus.
Oracle Client Requirement
6. Set the ORACLE_HOME environment variable by completing the following steps:
a) Go to Control Panel > System and Security > System > Advanced System Settings to display the System
Properties dialog.
b) Click the Advanced tab.
c) Click Environment Variables and click New under System Variables to display the New System Variable dialog.
d) Enter ORACLE_HOME in the Variable name field.
e) Enter C:\oracle\product\19.3.0.0\db_1.
f) Click OK.
g) Select the existing Path variable and click Edit.
h) Enter the value in the Path variable: %ORACLE_HOME%\bin
i) Click New, enter C:\oracle\product\19.3.0.0\db_1 for the path variable, and click OK.
7. Extract the 19.3.0.0_64_bit_Installation_Tools_Win.zip file into a temporary directory, such as C:\temp\Oracle\tools.
Substitute Oracle_19.3.0.0_Standard_Edition_Installation_PDB_WIN.rsp if you are running Oracle
19c Standard Edition.
The installation wizard appears with pre-selected values that are drawn from the installation response file. You can
confirm these values and click through the panels without needing to enter information where noted.
2. Refer to Table 91: Installation wizard options for information on what to enter on each screen of the installation wizard.
Screen Action
Creating the Symantec Data Loss Prevention database on RAC with a multitenant environment on Windows
1. Navigate to the C:\temp\Oracle\tools folder where you extracted the
19.3.0.0_64_bit_Installation_Tools_Win.zip file.
2. Copy a database template file to the database server. Copy the database template file that matches your database
environment:
• Single tenant: Oracle_19.3.0.0_Template_for_64_bit_WIN.dbt
From: C:\temp\Oracle\tools\templates\singleinstance
To: c:\oracle\product\19.3.0.0\db_1\assistants\dbca\templates
• RAC in a single tenant: Oracle_19.3.0.0_Template_for_64_bit_WIN.dbt
From: C:\temp\Oracle\tools\templates\rac
To: c:\oracle\product\19.3.0.0\db_1\assistants\dbca\templates
• Multitenant: Oracle_19.3.0.0_Template_for_64_bit_PDB_WIN.dbt
From: C:\temp\Oracle\tools\templates\multitenant
To: c:\oracle\product\19.3.0.0\db_1\assistants\dbca\templates
3. Open a command prompt, and execute one of the following commands for your database environment:
NOTE
Line breaks added for legibility.
• Run the following command for a single tenant environment:
%ORACLE_HOME%\bin\dbca
-createDatabase
-progressOnly
-responseFile C:\temp\Oracle\tools\responsefiles\singleinstance
\Oracle_19.3.0.0_DBCA_WIN.rsp
• Run the following command for a multitenant environment:
%ORACLE_HOME%\bin\dbca
-createDatabase
-progressOnly
-responseFile C:\temp\Oracle\tools\responsefiles\multitenant
\Oracle_19.3.0.0_DBCA_PDB_WIN.rsp
• Run the following command for a RAC environment:
%ORACLE_HOME%\bin\dbca
-createDatabase -progressOnly -nodelist <list of RAC node names>
-responseFile C:\temp\Oracle\tools\responsefiles\rac\Oracle_19.3.0.0_DBCA_WIN.rsp
Replace <list of RAC node names> with each node name, which is separated by a comma, in your RAC
environment.
4. Enter the SYS user password at the prompt.
5. Enter the SYSTEM user password at the prompt.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
The database creation process appears on the terminal window and can take up to 30 minutes to complete.
6. If you are creating the database in a multitenant environment, you are prompted to enter the PDBAdmin user and
password. Enter the user account and password you used when you created the PDB.
7. If the database services OracleServicePROTECT and Distributed Transaction Coordinator are down, start them
using Windows Services: Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications > Services.
3. Refer to Table 92: Database Configuration Assistant for Oracle 19c for information on what to enter on each screen of
the Database Configuration Assistant.
Screen | Action
Database Operation | Select Create Database and click Next.
Storage Option | Select Use the following for the database storage attributes. Select Automatic Storage Management (ASM) in the Database files storage type list, enter +DATA/{DB_UNIQUE_NAME} in the Database files location field, and select Use Oracle-Managed Files (OMF). Click Next.
Fast Recovery Option | Use the default setting and click Next.
Database Options | Use the default setting and click Next.
Configuration Options | Update the SGA and PGA size based on your system requirements and click Next.
Management Options | Use the default settings and click Next.
User Credentials | Select an option and enter the passwords applicable to your implementation, and click Next.
Creation Options | Use the default settings and click Next.
Prerequisite Checks | The prerequisite check process can take ten minutes to complete. After the process completes, review warnings and confirm that all expected nodes are running. Click Next.
Summary | Review the parameters to confirm the RAC and PDB settings. Click Next.
Progress | The database creation process can take about an hour to complete. Click Next.
Finish | Record the CDB name (dlpcdb), and click Close to complete the process.
The command output should display a message similar to the following message:
CON_NAME
------------------------------
CDB$ROOT
The command output should display a message similar to the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PROTECT READ WRITE NO
To set the SQLNET.AUTHENTICATION_SERVICES value in the sqlnet.ora file, perform the following steps:
a) Open sqlnet.ora, located in the %ORACLE_HOME%\network\admin folder, using a text editor.
b) Change the SQLNET.AUTHENTICATION_SERVICES=(NTS) value to none:
SQLNET.AUTHENTICATION_SERVICES=(none)
c) Save and close the sqlnet.ora file.
Setting the value to none disables Windows native (NTS) operating system authentication for Oracle Net connections. Every connection must then present a database password; an OS-authenticated logon as SYSDBA without a password relies on NTS and no longer succeeds, so use the SYS password with SQL*Plus as shown in the later steps.
2. Start the Oracle Net Configuration Assistant by running the following command:
%ORACLE_HOME%\bin\netca
Screen Action
Listener Configuration, Select Protocols Select the TCP protocol and click Next.
Listener Configuration, TCP/IP Protocol Select Use the standard port number of 1521 and click Next.
Listener Configuration, More Listeners? Select No and click Next.
Listener Configuration Done Click Next and select Local Net Service Name configuration.
4. Configure the Net Service Name.
Refer to Table 94: Configuring the Net Service Name for information on what to enter on each screen of the Oracle Net Configuration Assistant.
Screen Action
Net Service Name Configuration, Net Service Name Select accept the default name of "protect" and click Next.
Net Service Name Configuration, Another Net Service Name? Select No and click Next.
Net Service Name Configuration Done Click Next and click Finish.
If these lines do not exist, add them to the file, replacing <ip_address> and <port_number> with the correct values
for your system.
NOTE
Do not copy and paste information to the tnsnames.ora file. Pasting can introduce hidden characters that
cannot be parsed.
3. Add the following lines if you are installing a multitenant database, replacing <hostname> with the correct value for your system:
DLPCDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = DLPCDB)
)
)
PROTECT =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <hostname>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = PROTECT)
)
)
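The note above warns that pasted text can carry characters Oracle Net cannot parse. The following Python script is an added example and is not part of the Symantec documentation or the Oracle installation tools: it scans a tnsnames.ora for characters outside printable ASCII, checks that each entry's parentheses balance, and flags <hostname> placeholders left in place and entries missing HOST, PORT or SERVICE_NAME. The file contents it checks are constructed, and dbhost.example.com is a placeholder.

```python
"""Added example, not from the Symantec documentation: a lint pass over
tnsnames.ora for the problems a copy-and-paste can introduce. The sample
file contents are constructed; dbhost.example.com is a placeholder."""
import re
import unicodedata

SUSPECT_CHARS = {
    "\ufeff": "byte order mark",
    "\u00a0": "non-breaking space",
    "\u200b": "zero-width space",
    "\u2018": "curly single quote", "\u2019": "curly single quote",
    "\u201c": "curly double quote", "\u201d": "curly double quote",
    "\u2013": "en dash", "\u2014": "em dash",
}
ALIAS_RE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*)$")
PLACEHOLDER_RE = re.compile(r"<[^>]+>")
REQUIRED_KEYS = ("HOST", "PORT", "SERVICE_NAME")


def hidden_characters(text):
    """(line, column, description) for every character outside printable
    ASCII, other than tab; these are what pasting typically smuggles in."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch == "\t" or " " <= ch <= "~":
                continue
            desc = SUSPECT_CHARS.get(ch) or unicodedata.name(ch, "U+%04X" % ord(ch))
            found.append((n, col, desc))
    return found


def parse_entries(text):
    """Split the file into {ALIAS: body} by tracking parenthesis depth, so
    a missing ')' is reported instead of silently merging two entries."""
    entries, errors = {}, []
    alias, depth = None, 0
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]          # '#' starts a comment
        m = ALIAS_RE.match(code) if depth == 0 else None
        if m:
            alias = m.group(1).upper()
            entries[alias] = ""
            code = m.group(2)
        if alias is None:
            if code.strip():
                errors.append("line %d: text outside any entry" % n)
            continue
        entries[alias] += code + "\n"
        depth += code.count("(") - code.count(")")
        if depth < 0:
            errors.append("line %d: unexpected ')' in %s" % (n, alias))
            depth = 0
    if alias is not None and depth != 0:
        errors.append("%s: unbalanced parentheses (%d unclosed)" % (alias, depth))
    return entries, errors


def lint_tnsnames(text):
    """Return human-readable findings; an empty list means the file is clean."""
    findings = ["line %d col %d: %s" % hit for hit in hidden_characters(text)]
    entries, errors = parse_entries(text)
    findings.extend(errors)
    for alias, body in entries.items():
        for key in REQUIRED_KEYS:
            if not re.search(r"\b%s\s*=" % key, body, re.IGNORECASE):
                findings.append("%s: missing %s" % (alias, key))
        for ph in sorted(set(PLACEHOLDER_RE.findall(body))):
            findings.append("%s: placeholder %s not replaced" % (alias, ph))
    return findings


# Constructed, correctly typed file with the two entries from the procedure.
GOOD_TNSNAMES = """\
DLPCDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = DLPCDB)
    )
  )

PROTECT =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = PROTECT)
    )
  )
"""

# Constructed pasted variant: a non-breaking space after "HOST =", the
# <hostname> placeholder left in place, and the entry's final ')' lost.
PASTED_TNSNAMES = (
    "PROTECT =\n"
    "  (DESCRIPTION =\n"
    "    (ADDRESS = (PROTOCOL = TCP)(HOST =\u00a0<hostname>)(PORT = 1521))\n"
    "    (CONNECT_DATA =\n"
    "      (SERVER = DEDICATED)\n"
    "      (SERVICE_NAME = PROTECT)\n"
    "    )\n"
)
```

Run lint_tnsnames() over the real file (read it as UTF-8, since a byte order mark is one of the things to catch) before starting the listener; an empty result is the condition under which the tnsping and lsnrctl checks in the following steps are worth running.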
10. Run the following command to connect to the database using SQL*Plus:
sqlplus sys/<password> as sysdba
You can omit /<password> and enter the SYS password when SQL*Plus prompts for it, which keeps the password out of the command history and the process list.
15. If you are installing a single tenant system, run the following command to verify the change:
lsnrctl services
The command output should display a message similar to the following message:
Services Summary...
Service "protect" has 1 instance(s).
Instance "protect", status READY, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
LOCAL SERVER
The command completed successfully
3. Run the following commands to confirm that the PDB service is accessible:
a) sqlplus sys/<password> as sysdba
b) show parameter service
The command output should display a message similar to the following message:
NAME TYPE VALUE
-------------------------- ------- ------------------------------
service_names string dlpcdb
c) show parameter local_listener
The command output should display a message similar to the following message:
NAME TYPE VALUE
------------------------- ----------- ------------------------------
local_listener string (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=protect)))
d) Run the following command to format output:
COLUMN SERVICE_ID FORMAT 9
COLUMN NAME FORMAT A20
COLUMN PDB FORMAT A20
e) select service_id, name, pdb from v$services;
Confirm that protect is listed in the output.
SERVICE_ID NAME PDB
------------------ ------------------------------ ------------------------------
1 SYS$BACKGROUND CDB$ROOT
2 SYS$USERS CDB$ROOT
3 dlpcdbXDB CDB$ROOT
4 dlpcdb CDB$ROOT
7 protect PROTECT
NOTE
The SERVICE_ID number may differ from those listed on your system.
4. Confirm the active services that are running under cdb$root by running the following command:
alter session set container=cdb$root;
The command output should display a message similar to the following message:
NAME
----------------------------------------------------------------
dlpcdb
SYS$BACKGROUND
SYS$USERS
protect
dlpcdbXDB
Confirm that the dlpcdb and protect services are listed in the output.
5. Run the following commands if the protect service is missing from the output in the preceding step:
a) Run the following command:
Alter session set container=protect;
exec dbms_service.CREATE_SERVICE('PROTECT', 'PROTECT');
exec dbms_service.START_SERVICE(SERVICE_NAME=>'PROTECT');
b) Run the following command to register the listener:
ALTER SYSTEM REGISTER;
c) Exit SQL*Plus by running the following command:
exit
6. Restart the listener by running the following commands:
lsnrctl stop
lsnrctl start
The command output should display a message similar to the following message:
Service "DLPCDB" has 1 instance(s).
Instance "dlpcdb", status READY, has 1 handler(s) for this service...
Service "PROTECT" has 1 instance(s).
Instance "dlpcdb", status READY, has 1 handler(s) for this service...
7. Confirm that the PDB service is accessible by running the following commands:
a) sqlplus sys/<password>@protect as sysdba
b) show con_name
to return the following message:
CON_NAME
------------------------------
PROTECT
c) show pdbs
to return the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
3 PROTECT READ WRITE NO
8. Run the following command if the show pdbs command lists PROTECT with an open mode other than READ WRITE:
select inst_id, con_id, name, open_mode from gv$pdbs where name='PROTECT';
Adding required tablespaces to the PDB database on Windows
If you are running the database in a multitenant environment, add tablespaces to the PDB database.
1. Navigate to the C:\temp\Oracle\tools folder.
2. Start SQL*Plus and run the add_pdb_tablespace_WIN.sql script.
sqlplus /nolog @add_pdb_tablespace_WIN.sql
3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter Service Name prompt, enter protect.
5. Confirm that all required tablespaces are added for the PDB by running the following command:
sqlplus sys/<password>@protect as sysdba
SELECT tablespace_name FROM dba_tablespaces;
For example, if you are using Oracle 19.3.0.0, the output information should read:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
LOB_TABLESPACE
6. Confirm the summary of tablespaces and that the data file paths are consistent by completing the following steps:
a) Start SQL*Plus by running the following command:
sqlplus sys/<password>@protect as sysdba
b) Run the following query:
COLUMN Tablespace_Name FORMAT A20
COLUMN File_Name FORMAT A50
COLUMN Size_Mb FORMAT 9999
SELECT substr(tablespace_name,1,20) as Tablespace_Name,
substr(file_name,1,50) as File_Name,
bytes/1024/1024 as Size_MB
FROM dba_data_files
union
SELECT 'TEMP' as Tablespace_Name,
name as File_Name,
bytes/1024/1024 as Size_MB
FROM v$tempfile;
Confirm that the data file paths are consistently located in the same location under the PROTECT folder. For
example, if you are using Oracle 19c, the output information should read:
TABLESPACE_NAME FILE_NAME SIZE_MB
LOB_TABLESPACE C:\ORACLE\ORADATA\DLPCDB\PROTECT\LOB03.DBF 1024
Creating the Oracle user account for Symantec Data Loss Prevention on Windows
Perform the following procedure to create an Oracle user account and name it “protect.”
1. Navigate to the C:\temp\Oracle\tools folder.
2. Run the following command using SQL*Plus to run the oracle_create_user.sql script:
sqlplus /nolog @oracle_create_user.sql
3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter SID prompt, enter protect.
5. At the Please enter required username to be created prompt, enter protect for the user name.
6. At the Please enter a password for the new username prompt, enter a new password.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
Store the password in a secure location for future use. Use this password to install Symantec Data Loss Prevention.
If you must change the password after you install Symantec Data Loss Prevention, see the Symantec Data Loss
Prevention Help Center for instructions.
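The password guidelines above apply to the SYS and SYSTEM passwords entered during database creation and to the protect account alike. The following Python check is an added example and is not part of the Symantec or Oracle tooling: it tests a candidate password against those rules, reports when the password must be double-quoted, and builds the ALTER USER statement for a later password change. The sample passwords are constructed, and the warning about the & character reflects SQL*Plus substitution-variable behaviour rather than a Symantec rule.

```python
"""Added example, not from the Symantec or Oracle documentation: checks a
candidate password against the guidelines above and builds the quoted
form Oracle needs. The sample passwords are constructed."""

MAX_LEN = 30
FORBIDDEN = frozenset('",\\')        # double quote, comma, backslash
PLAIN_SPECIALS = frozenset("_#$")    # the only specials allowed unquoted


def check_oracle_password(pw):
    """Return errors (hard failures), warnings, and whether the password
    must be enclosed in double quotes when it is configured."""
    errors, warnings = [], []
    if not pw:
        errors.append("password is empty")
    if len(pw) > MAX_LEN:
        errors.append("longer than %d characters" % MAX_LEN)
    bad = sorted(FORBIDDEN.intersection(pw))
    if bad:
        errors.append("contains forbidden character(s): " + " ".join(bad))
    if "&" in pw:
        # Not a Symantec rule: SQL*Plus treats & as a substitution-variable
        # prefix unless SET DEFINE OFF is in effect, so scripts may prompt.
        warnings.append("contains '&', which SQL*Plus treats as a substitution-variable prefix")
    needs_quotes = bool(pw) and (
        pw[0].isdigit()
        or any(not (c.isascii() and c.isalnum()) and c not in PLAIN_SPECIALS for c in pw)
    )
    return {"ok": not errors, "errors": errors, "warnings": warnings, "needs_quotes": needs_quotes}


def password_literal(pw):
    """The password as it must be written in an IDENTIFIED BY clause: quoted
    when it starts with a digit or uses specials other than _ # $."""
    result = check_oracle_password(pw)
    if not result["ok"]:
        raise ValueError("; ".join(result["errors"]))
    return '"%s"' % pw if result["needs_quotes"] else pw


def alter_user_statement(user, pw):
    """ALTER USER statement for changing an account password later (the
    user name is assumed to be a plain identifier such as protect)."""
    return "ALTER USER %s IDENTIFIED BY %s;" % (user, password_literal(pw))


# Constructed candidates covering each rule.
SAMPLES = ["Pr0tect_2024", "2024protect", "pass-word!", 'bad"pw,x\\', "a" * 31, "fish&chips"]
```

Because the forbidden characters are rejected before any quoting, password_literal() never has to escape a double quote inside the quoted form; keeping the validation and the quoting in one place is what prevents a password that works at the DBCA prompt from failing later in a SQL script.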
7. Confirm that tablespaces are available for the Oracle user you created by running the following SQL*Plus commands
in the listed order:
a) sqlplus protect/<password>@protect
b) SELECT tablespace_name FROM user_tablespaces;
The command returns the following message:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
LOB_TABLESPACE
c) Exit SQL*Plus.
3. Confirm that the output from the query contains information that correctly identifies the software components for the
installed version of Oracle 19c.
For example, if you are running Oracle 19c Standard Edition, the output information should read:
BANNER
--------------------------------------------------------------------------------
Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production Version 19.3.0.0.0
4. Exit SQL*Plus:
exit
Verifying that the PDB listener is created and registered on Linux
Setting the protect PDB to autostart on Linux
Adding required tablespaces to the PDB database on Linux
Verifying the Symantec Data Loss Prevention database on Linux
Creating the Oracle user account for Symantec Data Loss Prevention on Linux
Configuring automatic startup and shutdown of the database
• Oracle_19.3.0.0_Standard_Edition_PDB_Installation_Linux.rsp
• Oracle_19.3.0.0_Enterprise_Edition_PDB_Installation_Linux.rsp
• Oracle_19.3.0.0_DBCA_PDB_Linux.rsp
– RAC:
• Oracle_19.3.0.0_DBCA_RAC_Linux.rsp
About Oracle Real Application Clusters
Preparing the Linux environment
The following Linux environment preparation steps assume that you are logged on as the root user.
NOTE
These steps assume that you have obtained the Oracle database software from Oracle or downloaded a
licensed version from Product Downloads at the Symantec Enterprise Security Support Portal.
1. Copy the file 19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz to the Linux server and run the following command
to extract its contents into the temporary directory (/tmp):
tar xvfz 19.3.0.0_64_bit_Installation_Tools_Lin.tar.gz -C /tmp
Extracting creates a subdirectory that is named oracle_install in the /tmp directory and places the files in that
subdirectory.
2. Prepare the Oracle installation location by completing one of the following steps based on your Oracle database
installation status:
• If you are installing the Oracle database software for the first time, run the following Oracle preparation script in the
oracle_install directory:
cd /tmp/oracle_install
./scripts/oracle_prepare.sh
The script creates the Oracle user directory and provides permissions to the /opt/oracle/19.3.0.0 location.
• If you are upgrading from a previous version Oracle database, create the 19.3.0.0/db_1 directory under the
existing /opt/oracle/product directory.
3. Install the Oracle Database Client using the Administrator option if you implement a three-tier system.
The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server.
Therefore, the root user account that is used to install Symantec Data Loss Prevention must be able to access
SQL*Plus.
Oracle Client requirement
4. If you are installing Oracle 19c for the first time, provide read and write access to the /opt directory for the Oracle
user.
5. After the preparation script has run to completion, switch to the /home/oracle/oracle_install/scripts
directory and run the verification script:
cd /home/oracle/oracle_install/scripts
./oracle_verify.py
The verification script displays settings (such as RAM, swap space, shared memory, /tmp disc space) that do not
meet the requirements for Oracle. Adjust any settings to the required values.
a) Run the oracle_config_kernel_parameters.py script in the /home/oracle/oracle_install/scripts
directory. This script sets the kernel parameters to the required settings.
b) Restart the server to apply the updated kernel parameters.
6. Verify that there is enough space under /var. For a small to medium enterprise, /var should have at least 15 GB.
For a large enterprise, /var should have at least 30 GB. For a very large enterprise, /var should have at least 45 GB
of free space. As the traffic of your organization expands, these figures should increase, and you must allocate more
free space.
7. Verify that the /opt and /boot file systems have the required free space for your Symantec Data Loss Prevention
installation.
NOTE
Refer to the configuration information in the X server management program for the IP address and display
number. Typically, the display number is 0.
As you run the GUI tools later, you might get a response similar to the following example:
X connection to localhost:10.0 broken (explicit kill or server shutdown)
6. Provide read and write access to the /opt directory for the Oracle user.
7. Log in as the Oracle user. In the Oracle user terminal, execute one of the following commands for your database
installation type (line breaks are added for legibility):
• Single-tenant:
/opt/oracle/product/19.3.0.0/db_1/runInstaller
-noconfig
-responseFile /home/oracle/oracle_install/responsefiles/
singleinstance/Oracle_19.3.0.0_Enterprise_Edition_Installation_Linux.rsp
Substitute Oracle_19.3.0.0_Standard_Edition_Installation_Linux.rsp if you are running Oracle 19c
Standard Edition.
• Multitenant:
/opt/oracle/product/19.3.0.0/db_1/runInstaller
-noconfig
-responseFile /home/oracle/oracle_install/responsefiles/
multitenant/Oracle_19.3.0.0_Enterprise_Edition_PDB_Installation_Linux.rsp
Screen Action
Execute Configuration scripts The window directs you to execute two scripts as the root user. From the root
xterm window, complete the following steps:
1. Run the script: /opt/oracle/product/19.3.0.0/db_1/root.sh
2. Enter the full pathname to the local binary directory when prompted.
3. Accept the default /usr/local/bin directory and press Enter.
4. Enter Y if the script asks for confirmation to overwrite the following files:
dbhome, oraenv and coraenv.
Execute Configuration scripts Return to this screen and click OK.
Finish Click Close to exit the installer application. You can safely ignore the
configuration note that appears on this panel.
1. Set the ORACLE_HOME and ORACLE_SERVICE_NAME environment variables for your new installation. Open a
command prompt as the Oracle user and enter:
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1
export ORACLE_SERVICE_NAME=protect
If you installed Oracle 19c into a different location, substitute the correct directory in this command.
Add these commands to your user profile configuration to define the ORACLE_HOME and
ORACLE_SERVICE_NAME environment variables each time you log on. See your Linux documentation for details
about setting environment variables.
2. Navigate to /home/oracle/oracle_install where you extracted the
19.3.0.0_64_bit_Installation_Tools_Linux.tar.gz file.
3. Copy one of the following database template files based on your database environment:
• Single tenant: Oracle_19.3.0.0_Template_for_64_bit_Linux.dbt
From: /home/oracle/oracle_install/templates/singleinstance/
To: $ORACLE_HOME/assistants/dbca/templates
• RAC in a single tenant: Oracle_19.3.0.0_Template_for_64_bit_Linux.dbt
From: /home/oracle/oracle_install/templates/rac/
To: $ORACLE_HOME/assistants/dbca/templates
• Multitenant: Oracle_19.3.0.0_Template_for_64_bit_PDB_Linux.dbt
From: /home/oracle/oracle_install/responsefiles/templates
To: $ORACLE_HOME/assistants/dbca/templates
4. Open a command prompt, and execute one of the following commands. Run the command for your database
environment:
• Single tenant environment:
$ORACLE_HOME/bin/dbca
-createDatabase
-progressOnly
-responseFile /home/oracle/oracle_install/responsefiles/singleinstance/
Oracle_19.3.0.0_DBCA_Linux.rsp
• Multitenant environment:
$ORACLE_HOME/bin/dbca
-createDatabase
-progressOnly
-responseFile /home/oracle/oracle_install/responsefiles/multitenant/
Oracle_19.3.0.0_DBCA_PDB_Linux.rsp
• RAC environment:
$ORACLE_HOME/bin/dbca
-createDatabase
-progressOnly
-nodelist <list of RAC node names>
-responseFile /home/oracle/oracle_install/responsefiles/rac/
Oracle_19.3.0.0_DBCA_RAC_Linux.rsp
Replace <list of RAC node names> with the names of the nodes in your RAC environment, separated by commas.
NOTE
Line breaks added for legibility.
5. Enter the SYS password when prompted.
6. Enter the SYSTEM password when prompted.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
7. If you are creating the database in a multitenant environment, a dialog appears that prompts you to enter the
PDBAdmin user and password. Enter the user account and password you used when you created the PDB.
The progress of the Symantec Data Loss Prevention database creation appears on the terminal window.
3. See Table 97: Database Configuration Assistant for information on what to enter on each screen of the Database
Configuration Assistant.
Storage Option Select Use the following for the database storage attributes.
Enter information and select items for the following:
• Select Automatic Storage Management (ASM) in the Database files storage type list.
• Enter +DATA/{DB_UNIQUE_NAME} in the Database files location field.
• Select Use Oracle-Managed Files (OMF).
Click Next.
Fast Recovery Option Use the default setting and click Next.
Database Options Use the default setting and click Next.
Configuration Options Update the SGA and PGA size based on your system requirements and click Next.
Management Options Use the default settings and click Next.
User Credentials Select an item and passwords applicable for your implementation and click Next.
Creation Options Use the default settings and click Next.
Prerequisite Checks The prerequisite check process can take ten minutes to complete. After the process completes, review
warnings and confirm that all expected nodes are running.
Click Next.
Summary Parameters Review the information to confirm RAC and PDB settings.
Click Next.
Progress The database creation process can take about an hour to complete.
Click Next.
Finish Record the CDB name (dlpcdb), and click Close to complete the process.
The command output should display a message similar to the following message:
CON_NAME
------------------------------
CDB$ROOT
The command output should display a message similar to the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 PROTECT READ WRITE NO
Table 98: Configuring the Local Net Service Name
Screen Action
Listener Configuration, Select Protocols Select the TCP protocol and click Next.
Listener Configuration, TCP/IP Protocol Select Use the standard port number of 1521 and click Next.
Listener Configuration, More Listeners? Select No and click Next.
Listener Configuration Done Click Next.
Oracle Net Configuration Assistant Configure the Local Net Service Name.
Screen Action
Welcome Select Local Net Service Name configuration and click Next.
Net Service Name Configuration Select Add and click Next.
Net Service Name Configuration, Service Name Enter protect in the Service Name field, and click Next.
Net Service Name Configuration Select the TCP protocol and click Next.
Net Service Name Configuration, TCP/IP Protocol 1. Enter the host name of the Oracle server computer in the
Host name field.
2. Select Use the standard port number of 1521 (the default
value).
3. Click Next.
Net Service Name Configuration, Test Select No, do not test and click Next.
Do not test the service configuration because the listener has not
yet started.
Net Service Name Configuration, Net Service Name Accept the default net service name (protect) and click Next.
Net Service Name Configuration, Another Net Service Name? Select No and click Next.
Net Service Name Configuration Done Click Next and click Finish to exit the Oracle Net Configuration
Assistant.
If you are preparing the database for a multitenant environment, you modify the tnsnames.ora file contents.
1. Using a text editor, open the tnsnames.ora file, which is located in the $ORACLE_HOME/network/admin directory.
2. Verify that the following lines are present in the file:
PROTECT =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = host_name)(PORT = port_number))
)
(CONNECT_DATA =
(SERVICE_NAME = protect)
)
)
If these lines do not exist, add them to the file, replacing host_name and port_number with the correct values for
your system.
NOTE
Do not copy and paste information to the tnsnames.ora file. Pasting information to the file can introduce
hidden characters that cannot be parsed.
3. Add the following lines if you are installing a multitenant database, replacing <host_name> with the correct value for
your system:
• DLPCDB =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <host_name>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = DLPCDB)
)
)
• PROTECT =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <host_name>)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = PROTECT)
)
)
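The NOTE above warns that pasted text can leave unparseable hidden characters in tnsnames.ora, and the procedure requires PROTECT (and, for multitenant, DLPCDB) entries that connect by SERVICE_NAME with the placeholders replaced. The following Python check is an added example, not Symantec tooling: it scans a tnsnames.ora text for non-printable or non-ASCII characters, parses the entries by parenthesis depth, and reports any required alias that is missing, still carries a placeholder host, uses SID instead of SERVICE_NAME, or has a non-numeric port. The sample file content and the host name dlpdb01.example.com are constructed for the example.

```python
import re

# Aliases the procedure expects in tnsnames.ora and the SERVICE_NAME each must carry.
REQUIRED_SINGLE_TENANT = {"PROTECT": "PROTECT"}
REQUIRED_MULTITENANT = {"PROTECT": "PROTECT", "DLPCDB": "DLPCDB"}
# Placeholders from the procedure text that must have been replaced.
PLACEHOLDERS = {"host_name", "<host_name>", "port_number", "<port_number>"}


def find_hidden_characters(text):
    """Locate characters outside printable ASCII (tab allowed): the 'hidden
    characters' that pasting into tnsnames.ora tends to introduce."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch != "\t" and not 0x20 <= ord(ch) <= 0x7E:
                hits.append((lineno, col, repr(ch)))
    return hits


def parse_entries(text):
    """Return {ALIAS: flattened body}, tracking parenthesis depth; '#' comments are ignored."""
    entries, alias, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if alias is None:
            m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=(.*)$", line)
            if not m:
                continue
            alias, line, buf, depth = m.group(1).upper(), m.group(2), [], 0
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0 and any("(" in b for b in buf):
            entries[alias] = " ".join(buf)
            alias = None
    return entries


def attribute(body, key):
    """Value of the first (KEY = value) pair inside a flattened entry body, or None."""
    m = re.search(r"\(\s*" + re.escape(key) + r"\s*=\s*([^()\s]+)\s*\)", body, re.IGNORECASE)
    return m.group(1) if m else None


def check_tnsnames(text, multitenant=False, expected_host=None):
    """Return a list of findings; an empty list means the file passes every check."""
    findings = [f"hidden character {ch} at line {ln}, column {col}"
                for ln, col, ch in find_hidden_characters(text)]
    entries = parse_entries(text)
    required = REQUIRED_MULTITENANT if multitenant else REQUIRED_SINGLE_TENANT
    for alias, service in required.items():
        body = entries.get(alias)
        if body is None:
            findings.append(f"missing entry {alias}")
            continue
        svc = attribute(body, "SERVICE_NAME")
        if (svc or "").upper() != service:
            findings.append(f"{alias}: SERVICE_NAME is {svc!r}, expected {service!r}")
        if attribute(body, "SID") is not None:
            findings.append(f"{alias}: connects by SID; the procedure requires SERVICE_NAME")
        host, port = attribute(body, "HOST"), attribute(body, "PORT")
        if host is None or host in PLACEHOLDERS or (
                expected_host and host.lower() != expected_host.lower()):
            findings.append(f"{alias}: HOST is {host!r}")
        if not (port or "").isdigit():
            findings.append(f"{alias}: PORT is {port!r}")
    return findings


# Constructed sample for a multitenant system (not taken from a real deployment).
SAMPLE_TNSNAMES = """DLPCDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dlpdb01.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = DLPCDB)
    )
  )

PROTECT =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dlpdb01.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = PROTECT)
    )
  )
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_tnsnames.py [$ORACLE_HOME/network/admin/tnsnames.ora]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_TNSNAMES
    for finding in check_tnsnames(text, multitenant=True) or ["OK"]:
        print(finding)
```

Run it against $ORACLE_HOME/network/admin/tnsnames.ora before starting the listener; undecodable bytes are reported as hidden characters too, because the file is read with replacement decoding.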
3. Change key_value to PROTECT in the following line:
(ADDRESS = (PROTOCOL = IPC)(KEY = <key_value>))
4. Add the following line to the end of the file. It restricts dynamic service registration to the local IPC endpoint,
so only database instances on this host, and not remote clients, can register services with the listener:
SECURE_REGISTER_LISTENER = (IPC)
5. Add the following lines if you are installing a multitenant database:
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = DLPCDB)
(SID_NAME = DLPCDB)
(ORACLE_HOME = /opt/oracle/product/19.3.0.0/db_1)
)
(SID_DESC =
(GLOBAL_DBNAME = PROTECT)
(SID_NAME = DLPCDB)
(ORACLE_HOME = /opt/oracle/product/19.3.0.0/db_1)
)
)
The command output for a single tenant environment displays a message similar to the following message:
Services Summary...
Service "protect" has 1 instance(s).
Instance "protect", status READY, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0 state:ready
LOCAL SERVER
The command completed successfully
NOTE
For a multitenant environment, confirm that at least one instance of DLPCDB and PROTECT appears.
The command output should display a message similar to the following message:
NAME
----------------------------------------------------------------
dlpcdb
SYS$BACKGROUND
SYS$USERS
protect
dlpcdbXDB
Confirm that the dlpcdb and protect services are listed in the output.
5. Complete the following steps if the protect service is missing from the output in step 4:
a) In SQL*Plus, run the following commands:
ALTER SESSION SET CONTAINER=protect;
EXEC dbms_service.START_SERVICE(SERVICE_NAME=>'PROTECT');
b) From the Oracle user shell (not SQL*Plus), start the listener and check its status:
lsnrctl start
lsnrctl status
The command output should display a message similar to the following message:
Service "DLPCDB" has 1 instance(s).
6. Confirm that the PDB service is accessible by running the following commands:
a) sqlplus sys/<password>@protect as sysdba
b) show con_name
Returns the following message:
CON_NAME
------------------------------
PROTECT
c) show pdbs
Returns the following message:
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
3 PROTECT READ WRITE NO
7. Run the following command if the show pdbs command returns protect listed without Read Write:
sqlplus sys/<password>@protect as sysdba
Setting the protect PDB to autostart on Linux
If you are running the database in a multitenant environment, configure the protect PDB to autostart when the Oracle
database restarts. You can set the PDB to autostart by saving the state of the PDB when it is open.
1. Open a command prompt as the Oracle user.
2. Start SQL*Plus by running the following command:
sqlplus sys/<password> as sysdba
For example, if you are using Oracle 19.3.0.0, the output information should read:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
LOB_TABLESPACE
6. Confirm the summary of tablespaces and that the data file paths are consistent by running the following steps:
a) Connect with SQL*Plus:
sqlplus sys/<password>@protect as sysdba
b) Run the following commands:
COLUMN Tablespace_Name FORMAT A20
COLUMN File_Name FORMAT A50
COLUMN Size_Mb FORMAT 9999
SELECT substr(tablespace_name,1,20) as Tablespace_Name,
substr(file_name,1,50) as File_Name,
bytes/1024/1024 as Size_MB
FROM dba_data_files
union
SELECT 'TEMP' as Tablespace_Name,
name as File_Name,
bytes/1024/1024 as Size_MB
FROM v$tempfile;
c) Confirm that the data file paths are consistently located in the same location under the PROTECT folder. For
example, if you are using Oracle 19c, the output information should read:
TABLESPACE_NAME FILE_NAME SIZE_MB
3. Confirm that the output from the query contains information that correctly identifies the software components for the
installed version of the Oracle database.
For example, if you are using Oracle 19c Enterprise Edition, the output information should read:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0
Version 19.3.0.0.0
4. Exit SQL*Plus:
exit
Creating the Oracle user account for Symantec Data Loss Prevention on Linux
Perform the following procedure to create an Oracle user account and name it “protect.”
1. Copy the oracle_create_user.sql file from /home/oracle/oracle_install/scripts to a local directory.
2. Run the following command using SQL*Plus to run the oracle_create_user.sql script:
sqlplus /nolog @oracle_create_user.sql
3. At the Please enter the password for sys user prompt, enter the password for the SYS user.
4. At the Please enter SID prompt, enter protect.
5. At the Please enter required username to be created prompt, enter protect.
6. At the Please enter a password for the new username prompt, enter a new password.
Follow these guidelines to create acceptable passwords:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
Store the password in a secure location for future use. You use this password to install Symantec Data Loss
Prevention. If you must change the password after you install Symantec Data Loss Prevention, see the Symantec
Data Loss Prevention Help Center for instructions.
NOTE
If you have not already created the protect account, an error message displays indicating that it does not
exist. You can safely ignore this message and continue the process.
7. Confirm that tablespaces are available for the Oracle user you created by running the following commands in the listed
order:
a) sqlplus protect/<password>@protect
b) SELECT tablespace_name FROM user_tablespaces;
The command returns the following message:
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
TEMP
USERS
LOB_TABLESPACE
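The password guidelines above (stated for the SYS and SYSTEM passwords during database creation and again for the protect user) are mechanical enough to check before the password is typed into DBCA or the create-user script. The following Python function is an added example, not part of the Symantec installation tools: it applies the hard rules (length, forbidden characters), flags the discouraged & character, and decides whether the password has to be wrapped in double quotes because it starts with a digit or uses a special character other than _, # or $. The sample passwords are constructed for the example.

```python
MAX_LEN = 30
FORBIDDEN = {'"', ",", "\\"}        # never accepted by the procedure
DISCOURAGED = {"&"}                 # "avoid": & is the SQL*Plus substitution-variable prefix
SAFE_SPECIALS = {"_", "#", "$"}     # the only specials that do not force quoting


def check_oracle_password(password):
    """Apply the password guidelines from the procedure above.

    Returns a dict with:
      ok           - True when none of the hard rules is violated
      problems     - list of hard-rule violations (must fix)
      warnings     - list of advisories (should fix)
      needs_quotes - True when the password must be enclosed in double quotes
                     wherever it is configured
    """
    problems, warnings = [], []
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters ({len(password)})")
    bad = sorted(FORBIDDEN & set(password))
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(repr(c) for c in bad))
    if DISCOURAGED & set(password):
        warnings.append("contains '&', which SQL*Plus treats as a substitution prefix; avoid it")
    # Quoting is required when the password starts with a digit or contains
    # any special character other than _ # $.
    needs_quotes = password[:1].isdigit() or any(
        not c.isalnum() and c not in SAFE_SPECIALS for c in password)
    return {"ok": not problems, "problems": problems,
            "warnings": warnings, "needs_quotes": needs_quotes}


def format_for_sql(password):
    """Return the password exactly as it must be typed at a configuration or SQL prompt."""
    result = check_oracle_password(password)
    if not result["ok"]:
        raise ValueError("; ".join(result["problems"]))
    return f'"{password}"' if result["needs_quotes"] else password


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for candidate in ("Pr0tect_DB#1", "1Protect", 'bad"pass,word\\', "fish&chips"):
        print(candidate, check_oracle_password(candidate))
```

Two practical notes: the verification commands in this procedure pass the password on the command line (sqlplus protect/<password>@protect), which exposes it to other local users through the process list and leaves it in the shell history; running sqlplus protect@protect and entering the password at the prompt avoids both. And when a password needs quoting, record it with the quotes, because the quoted form is what every later configuration step has to receive.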
Configuring automatic startup and shutdown of the database
To configure automatic startup and shutdown of the database, follow this procedure:
1. Switch to the root user.
2. Go to the oracle_install directory.
cd /home/oracle/oracle_install
4. Verify that the script completed successfully by confirming that the last line of the output is:
dbora 0:off 1:off 2:off 3:on 4:on 5:on 6:off
You may see errors before the last line (for example, cannot access /var/log/dbora). You can ignore these errors.
Validate that the settings were applied by viewing the file /etc/oratab and confirming that Y appears in the final line:
protect:/opt/oracle/product/19.3.0.0/db_1:Y. If N appears, change it to Y and save your changes.
About upgrading the Symantec Data Loss Prevention database to Oracle 19c
You can use the Database Upgrade Assistant (DBUA) to upgrade to the Oracle 19c database software. Using the DBUA
allows you to upgrade the database on the same server where the previous database resides.
Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c
The Table 100: Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c table provides a high-level
view of the database migration process. You can find more detail for each step of the process as indicated in the table.
Table 100: Steps to upgrade the Symantec Data Loss Prevention database to Oracle 19c
1 Set privileges for the "protect" user. Setting Privileges for the Oracle User
2 Upgrade to Oracle 19c. Upgrading to Oracle 19c
GRANT read, write ON directory data_pump_dir TO protect;
GRANT SELECT ON dba_registry_history TO protect;
GRANT SELECT ON dba_temp_free_space TO protect;
GRANT SELECT ON v_$version TO protect;
GRANT EXECUTE ON dbms_lob TO protect;
GRANT create job TO protect;
c) Exit SQL*Plus:
exit
If the Database Upgrade Assistant does not launch and an error message displays, complete the following items in
order:
1. Open the command prompt window.
2. Set ORACLE_HOME depending on your database server OS:
set ORACLE_HOME=c:\oracle\product\19.3.0.0\db_1 for Windows
export ORACLE_HOME=/opt/oracle/product/19.3.0.0/db_1 for Linux
3. Set the path:
set PATH=%PATH%:%ORACLE_HOME%\bin for Windows
export PATH=$PATH:$ORACLE_HOME/bin for Linux
4. Restart the Database Upgrade Assistant:
%ORACLE_HOME%\bin\dbua for Windows
$ORACLE_HOME/bin/dbua for Linux
6. Refer to the following table for information on what to enter on each screen of the Database Upgrade Assistant.
Screen Description
About migrating the Symantec Data Loss Prevention database to Oracle 19c
The following sections list the process to migrate the Symantec Data Loss Prevention database from a previous Oracle
database version (including Oracle 11g and 12c) to supported versions of Oracle 19c.
Under ideal conditions, the migration process can take about two-and-a-half hours to complete. However, factors such
as the size of your database and the hardware in your environment may extend the time to complete considerably. Table
101: Estimated processing time for migration tasks provides a breakdown of how long each part of the process takes.
NOTE
Times were recorded in a lab environment under ideal conditions. The time to complete the database migration
process varies based on environment hardware performance and other factors.
Process Time
Exporting the data from Oracle 12c consisting of a 25-GB file ~20 minutes
Importing the data into Oracle 19c ~2 hours
Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c
The Table 102: Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c table provides a high-level
view of the database migration process. You can find more detail for each step of the process as indicated in the table.
Table 102: Steps to migrate the Symantec Data Loss Prevention database to Oracle 19c
Step Action Information
13 Add data files for large databases. Add data files for large databases
This step is only required for databases with
tablespaces that exceed 98 GB.
14 Import the database into Oracle 19c. Import the database to the Oracle 19c system
15 Connect the Enforce Server. Connect the Enforce Server to the Oracle 19c database
16 Update the Enforce Server to use the database • Update the database server connection on Windows
server credentials for the Oracle 19c database. • Update the database server connection on Linux
17 Restart all Symantec Data Loss Prevention Restart all Symantec Data Loss Prevention services
services.
18 Confirm the schema row count after the import. Confirm the schema row count after the import on Windows
Confirm the schema row count after the import on Linux
return number
as
l_count number;
begin
execute immediate 'select count(*) from ' || p_tablename into l_count;
return l_count;
end;
/
3. Run the following query to generate the row count for each table in your schema:
spool rowCount_before_export.txt
select table_name, row_count(table_name) num_of_rows from user_tables;
spool off
4. Save the rowCount_before_export.txt file for future use.
2. After receiving the Connected message, at the SQL> command prompt, enter the following command to create a
PL/SQL function to generate the row count:
create or replace function row_count (p_tablename in varchar2)
return number
as
l_count number;
begin
execute immediate 'select count(*) from ' || p_tablename into l_count;
return l_count;
end;
/
3. Run the following query to generate the row count for each table in your schema:
spool rowCount_before_export.txt
select table_name, row_count(table_name) num_of_rows from user_tables;
spool off
The command output should display a message similar to the following message:
DIRECTORY_NAME DIRECTORY_PATH
------------------------------------
DATA_PUMP_DIR /opt/oracle/admin/dpdump/
2. Run the following command on the Oracle source system to grant read and write permission to the newly created
directory object to your db schema user.
sqlplus sys/<password>@<service name> as sysdba
The command output should display a message similar to the following message:
DIRECTORY_NAME DIRECTORY_PATH
------------------------------------
DATA_PUMP_DIR /opt/oracle/admin/dpdump/
4. Run the following command on the Oracle 19c system to grant read and write permission to the newly created
directory object for the db schema user.
sqlplus sys/<password>@<service name> as sysdba
Estimating the database dump file size helps you to confirm whether your new system has sufficient disc space. The
size of the database dump file also indicates whether the new database has sufficient data files to accommodate the
import.
To accommodate both the database dump file and the imported database, the server where the Oracle 19c database
is running should have at least 150 GB or 2.5 times the estimated number (whichever is greater) in free disk space.
NOTE
If the estimated database dump file size exceeds 98 GB, refer to Add data files for large databases.
2. Create the database dump file by running the following command:
expdp protect/<password>@protect dumpfile=fullexport.dmp schemas=protect directory=DATA_PUMP_DIR
logfile=fullexport.log EXCLUDE=STATISTICS
3. Copy the database dump file. Copy the file from the DATA_PUMP_DIR on the Oracle source database system to the
DATA_PUMP_DIR directory location on the Oracle 19c system.
Related Links
Confirm the DATA PUMP directory on page 198
3. Run a command based on your database configuration to add data files (line breaks added for legibility):
• Single-tenant on Linux
ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
'/opt/oracle/oradata/protect/LOB04.DBF'
SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
• Multitenant on Linux
ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
'/opt/oracle/oradata/dlpcdb/protect/LOB04.DBF'
SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
• Single-tenant on Windows
ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
'C:\ORACLE\ORADATA\PROTECT\LOB04.DBF'
SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
• Multitenant on Windows
ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE
'C:\ORACLE\ORADATA\DLPCDB\PROTECT\LOB04.DBF'
SIZE 1024M AUTOEXTEND ON NEXT 100M MAXSIZE 32767M;
4. Repeat step 3 for each new data file you must add. Each time that you run the command, increase the numeral in the
LOB04.DBF file name sequentially by one. For example, if you are adding 13 new data files, the first data file name is
LOB04.DBF and the last is LOB16.DBF.
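The sizing rule (at least 150 GB free, or 2.5 times the estimated dump size, whichever is greater), the 98 GB threshold that triggers this procedure, and the four platform-specific data file paths with their sequential LOBnn.DBF numbering are easy to get wrong by hand. The following Python helper is an added example, not a Symantec script: it encodes those rules and generates the ALTER TABLESPACE statements for a given platform, tenancy and file count. The procedure does not say how many files to add; datafiles_for() is an assumption of this example (it divides the extra LOB capacity you expect to need by the 32767M MAXSIZE each file can autoextend to) and you can pass an explicit count instead.

```python
import math

MIN_FREE_GB = 150                # floor from the procedure
FREE_SPACE_FACTOR = 2.5          # ... or 2.5 x the estimated dump size, whichever is greater
LARGE_DUMP_THRESHOLD_GB = 98     # above this, add LOB data files before importing
FIRST_EXTRA_FILE_NUMBER = 4      # the procedure's first new file is LOB04.DBF
DATAFILE_SIZE_MB, NEXT_MB, MAXSIZE_MB = 1024, 100, 32767

# Data file directories from the procedure, keyed by (platform, multitenant).
DATAFILE_DIRS = {
    ("linux", False):   "/opt/oracle/oradata/protect/",
    ("linux", True):    "/opt/oracle/oradata/dlpcdb/protect/",
    ("windows", False): "C:\\ORACLE\\ORADATA\\PROTECT\\",
    ("windows", True):  "C:\\ORACLE\\ORADATA\\DLPCDB\\PROTECT\\",
}


def required_free_gb(dump_gb):
    """Free space the Oracle 19c server needs for the dump file plus the imported database."""
    return max(MIN_FREE_GB, FREE_SPACE_FACTOR * dump_gb)


def needs_extra_datafiles(dump_gb):
    """True when the estimated dump size crosses the procedure's 98 GB threshold."""
    return dump_gb > LARGE_DUMP_THRESHOLD_GB


def datafiles_for(extra_lob_mb):
    """Assumption of this example, not a rule from the procedure: each added file
    can autoextend to MAXSIZE_MB, so this many files cover the extra LOB capacity."""
    return math.ceil(extra_lob_mb / MAXSIZE_MB)


def lob_datafile_statements(count, platform, multitenant):
    """ALTER TABLESPACE statements for `count` new files, numbered LOB04, LOB05, ..."""
    directory = DATAFILE_DIRS[(platform.lower(), bool(multitenant))]
    statements = []
    for i in range(FIRST_EXTRA_FILE_NUMBER, FIRST_EXTRA_FILE_NUMBER + count):
        path = f"{directory}LOB{i:02d}.DBF"
        statements.append(
            f"ALTER TABLESPACE LOB_TABLESPACE ADD DATAFILE '{path}' "
            f"SIZE {DATAFILE_SIZE_MB}M AUTOEXTEND ON NEXT {NEXT_MB}M MAXSIZE {MAXSIZE_MB}M;")
    return statements


def plan_import(dump_gb, free_gb, platform, multitenant, extra_lob_mb=0):
    """Combine the space check and, for large databases, the data file statements."""
    needed = required_free_gb(dump_gb)
    plan = {"required_free_gb": needed, "enough_space": free_gb >= needed,
            "large_database": needs_extra_datafiles(dump_gb), "statements": []}
    if plan["large_database"]:
        plan["statements"] = lob_datafile_statements(
            datafiles_for(extra_lob_mb), platform, multitenant)
    return plan


if __name__ == "__main__":
    # Constructed figures: a 120 GB dump, 200 GB free, multitenant Linux target.
    plan = plan_import(120, 200, "linux", True, extra_lob_mb=100000)
    print(plan["required_free_gb"], plan["enough_space"])
    print("\n".join(plan["statements"]))
```

Paste the generated statements into SQL*Plus one at a time, as step 3 does; a failed ALTER (for example, because the directory does not exist on the target) stops at that file and the remaining statements can be rerun after the fix.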
Related Links
Export the database from the Oracle source database system on page 199
Import the database to the Oracle 19c system on page 201
2. Verify that the LOB tables use SecureFile storage on the target system by connecting with SQL*Plus and running
the following query:
sqlplus protect/<password>@<service name>
SELECT table_name AS "tableName", column_name AS "columnName", securefile AS "isSecureFile", in_row AS "isInRow"
FROM user_lobs
WHERE table_name IN ('MESSAGELOB', 'MESSAGECOMPONENTLOB', 'CONDITIONVIOLATIONLOB')
ORDER BY table_name, column_name;
3. Confirm that the IsSecureFile column in the output is set to YES in each of the three tables.
IsSecureFile indicates that the LOB uses SecureFile.
Connect the Enforce Server to the Oracle 19c database
After you finish the import process, you can connect the Enforce Server to the Oracle 19c database.
1. Confirm that the database host IP is accessible to the Enforce Server and is up and running.
2. Change the jdbc.properties file on the Enforce Server to refer to the host name on the target database system by
completing the following steps:
a) Locate the jdbc.properties file.
Refer to the following list to locate the file on your particular platform and version:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\vv.u\Protect\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/vv.u/Protect/config
Replace vv.u with the Symantec Data Loss Prevention version number.
b) Open the file and locate the line where the jdbc.dbalias.oracle-thin value displays the hostname.
c) Enter the IP of the Oracle 19c server.
d) If the database connects using SID, update connection strings to use service_name.
3. Save the file.
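Steps 2 and 3 above change one line of jdbc.properties by hand and, if the old string connected by SID, switch it to a service name. The following Python helper is an added example (not Symantec code) that does the same edit programmatically and reversibly: it assumes the jdbc.dbalias.oracle-thin value is an Oracle thin connect string in either the SID form (@host:port:SID) or a service-name form (@//host:port/service or @host:port/service), rewrites the host, normalises the value to the @//host:port/service form, and leaves every other line untouched. The sample file content and host names are constructed for the example.

```python
import re
from pathlib import Path

KEY = "jdbc.dbalias.oracle-thin"
# Matches "...@host:port:SID" (SID form) and "...@//host:port/service" or
# "...@host:port/service" (service-name forms). IPv6 literals are not handled.
CONN = re.compile(
    r"^(?P<prefix>.*?@)(?://)?(?P<host>[^:/\s]+):(?P<port>\d+)(?P<sep>[:/])(?P<name>\S+)$")


def rewrite_alias(value, new_host, service_name=None):
    """Return (new_value, was_sid_form): host replaced, value normalised to @//host:port/service."""
    m = CONN.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised {KEY} value: {value!r}")
    name = service_name or m.group("name")
    return f"{m.group('prefix')}//{new_host}:{m.group('port')}/{name}", m.group("sep") == ":"


def update_jdbc_properties(text, new_host, service_name=None):
    """Rewrite the KEY line of a jdbc.properties text; every other line is kept as is."""
    out, found, was_sid = [], False, False
    for line in text.splitlines():
        key, eq, value = line.partition("=")
        if eq and key.strip() == KEY:
            new_value, was_sid = rewrite_alias(value, new_host, service_name)
            line = f"{key.strip()}={new_value}"
            found = True
        out.append(line)
    if not found:
        raise ValueError(f"{KEY} not present")
    return "\n".join(out) + "\n", was_sid


def update_file(path, new_host, service_name=None):
    """Apply update_jdbc_properties to a file, keeping a .bak copy with the same permission bits."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    updated, was_sid = update_jdbc_properties(original, new_host, service_name)
    backup = Path(str(p) + ".bak")
    backup.write_text(original, encoding="utf-8")
    backup.chmod(p.stat().st_mode & 0o777)   # the file holds connection details; do not widen access
    p.write_text(updated, encoding="utf-8")
    return was_sid


# Constructed sample; a real jdbc.properties has other keys that are not reproduced here.
SAMPLE = """# jdbc.properties (constructed sample)
jdbc.dbalias.oracle-thin=@oldhost.example.com:1521:protect
jdbc.dbalias.oracle-thin.pool=ignored
"""

if __name__ == "__main__":
    text, was_sid = update_jdbc_properties(SAMPLE, "dlpdb19c.example.com")
    print("converted from SID form:", was_sid)
    print(text)
```

Run update_file() as the account that owns the Enforce Server installation, then validate the new value with the tnsping check described for the Windows procedure, using the same host, port and service name you wrote into the file.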
OracleHost Enter the host name (IP or FQDN) of the Oracle 19c server computer.
OraclePort Enter the port used for the Oracle 19c server computer. The default is 1521.
Configuring the TNS Listener and Net Service Name
OracleSID Enter the service name of the Oracle 19c database. The default is protect.
Configuring the TNS Listener and Net Service Name
OracleUsername Enter the Oracle user for Symantec Data Loss Prevention. The default Oracle user name for Symantec
Data Loss Prevention is protect.
Installing the Oracle 19c software on Windows
3. Validate the registry updates by opening a command prompt and running the following command:
tnsping //<hostname>:<port>/<service_name>
Replace the values in brackets with the details from the Oracle 19c configuration:
• <hostname> is the Oracle 19c server host name (IP or FQDN).
• <port> is the port that is used for the Oracle 19c server computer.
• <service_name> is the service name of the Oracle 19c database (protect by default).
Update the database server connection on Linux
Migrating the database to Oracle 19c requires that you update the Enforce Server to use the new credentials and
configuration for the Oracle 19c database. In general, you update the hostname of the new server hosting the Oracle 19c
database. If you are migrating the Oracle 19c database to the same server, you update the service user to the Oracle 19c
database.
1. Go to the following location on the Enforce Server:
/etc/Symantec/DataLossPrevention/EnforceServer/vv.u/Installation/
Replace vv.u with the Symantec Data Loss Prevention version you are running.
2. Update files that do not match the Oracle 19c database configuration:
oracleHost Enter the host name (IP or FQDN) of the Oracle 19c server computer.
oraclePort Enter the port used for the Oracle 19c server computer. The default is 1521.
Configuring TNS Listener and Net Service Name
oracleServiceName Enter the service name of the Oracle 19c database. The default is protect.
Configuring TNS Listener and Net Service Name
oracleUsername Enter the Oracle user for DLP. The default Oracle user name for DLP is protect.
Installing the Oracle 19c software on Windows
2. Run the following command to create a PL/SQL function to generate the row count:
SQL>create or replace function row_count (p_tablename in varchar2)
return number
as
l_count number;
begin
execute immediate 'select count(*) from ' || p_tablename into l_count;
return l_count;
end;
/
3. Run the following query to generate a row count for each table in the schema:
SQL>spool rowCount_after_import.txt
SQL>select table_name, row_count(table_name) num_of_rows from user_tables;
SQL>spool off
2. Run the following command to create a PL/SQL function to generate the row count:
SQL>create or replace function row_count (p_tablename in varchar2)
return number
as
l_count number;
begin
execute immediate 'select count(*) from ' || p_tablename into l_count;
return l_count;
end;
/
3. Run the following query to generate a row count for each table in the schema:
SQL>spool rowCount_after_import.txt
SQL>select table_name, row_count(table_name) num_of_rows from user_tables;
SQL>spool off
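The row-count procedure produces two spool files, rowCount_before_export.txt on the source and rowCount_after_import.txt on the target, and the point of step 18 is to confirm they agree. The following Python script is an added example, not a Symantec tool, that does that comparison: it pulls the TABLE_NAME / NUM_OF_ROWS pairs out of each spool file (skipping SQL*Plus headers, separator lines, echoed commands and the "N rows selected." footer), and reports tables that are missing after the import, tables whose counts differ, and any tables that only exist on the target. The spool contents below are constructed samples; the row counts are not from a real system.

```python
import re

# One spool line of interest: an upper-case table name followed only by the row count.
ROW = re.compile(r"^\s*([A-Z][A-Z0-9_$#]*)\s+(\d+)\s*$")


def parse_spool(text):
    """Extract {TABLE_NAME: rows} from a SQL*Plus spool file. Header lines,
    dashed separators, echoed SQL> commands and the 'N rows selected.' footer
    do not match ROW and are skipped."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def compare_counts(before, after):
    """Classify every table seen in either spool file."""
    common = set(before) & set(after)
    return {
        "missing_after": sorted(set(before) - set(after)),
        "new_after": sorted(set(after) - set(before)),
        "mismatched": {t: (before[t], after[t]) for t in sorted(common) if before[t] != after[t]},
        "matched": sum(1 for t in common if before[t] == after[t]),
    }


def verify_migration(before_text, after_text):
    """ok is True only when every source table exists on the target with the same row count."""
    result = compare_counts(parse_spool(before_text), parse_spool(after_text))
    result["ok"] = not result["missing_after"] and not result["mismatched"]
    return result


# Constructed sample spool files (table names and counts are illustrative).
BEFORE = """SQL> select table_name, row_count(table_name) num_of_rows from user_tables;

TABLE_NAME                     NUM_OF_ROWS
------------------------------ -----------
INCIDENT                             41872
MESSAGELOB                           41872
POLICY                                  57
DATAOWNER                                0

4 rows selected.

SQL> spool off
"""

AFTER = """SQL> select table_name, row_count(table_name) num_of_rows from user_tables;

TABLE_NAME                     NUM_OF_ROWS
------------------------------ -----------
INCIDENT                             41872
MESSAGELOB                           41800
POLICY                                  57

3 rows selected.

SQL> spool off
"""

if __name__ == "__main__":
    import sys
    # Usage: python compare_rowcounts.py rowCount_before_export.txt rowCount_after_import.txt
    if len(sys.argv) == 3:
        before_text, after_text = (open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:3])
    else:
        before_text, after_text = BEFORE, AFTER
    result = verify_migration(before_text, after_text)
    for key in ("matched", "missing_after", "new_after", "mismatched", "ok"):
        print(f"{key}: {result[key]}")
```

Because row_count() issues select count(*) against each table, the figures are exact rather than the NUM_ROWS estimates in user_tables, so the export's EXCLUDE=STATISTICS option does not affect the comparison. Treat any missing or mismatched table as a failed import and investigate before connecting the Enforce Server to the new database.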
1 Install the Oracle database. Installing the Oracle 19c software on Windows
2 Create the PDB database.
3 Confirm the following: Verifying and PDB database for RAC on Windows
• Confirm that the Container Database name is
'dlpcdb'.
• Confirm that the Pluggable Database name is
'protect'.
4 Verify that the CDB/PDB is created. Verifying and PDB database for RAC on Windows
5 Configure the Oracle listeners. Configuring the database connection on Windows
6 Verify that the PDB listener is created and registered. Verifying that the PDB listener is created and registered on
Windows
7 Set the PDB to autostart (for Windows only). Setting the protect PDB to autostart on Windows
8 Add required tablespaces to the PDB database. Adding required tablespaces to the PDB database on Windows
9 Create the Oracle user account. Creating the Oracle user account for Symantec Data Loss
Prevention on Windows
Table 104: Steps to set up Oracle multitenant environment on Linux
Installing DLP
Install the Enforce Server, detection servers, and DLP Agents.
Planning the installation
Installing an Enforce Server
Importing a solution pack
Installing and registering detection servers
Configuring certificates for secure server communications
Installing the domain controller agent to identify users in incidents
Performing a single-tier installation
Installing Symantec DLP Agents
Installing language packs
Post-installation tasks
depending on available resources and organization size. Single-tier installations are recommended for branch offices,
small organizations, or for testing purposes.
Single-tier: To implement the single-tier installation, you install the database, the Enforce Server, and a detection server all on the same computer. Typically, this installation is implemented for testing purposes.
A Symantec Data Loss Prevention Single Server deployment is a single-tier deployment that includes the Single Tier Monitor detection server. The Single Tier Monitor is a detection server that includes the detection capabilities of the Network Monitor, Network Discover, Network Prevent for Email, Network Prevent for Web, and the Endpoint Prevent and Endpoint Discover detection servers. Each of these detection server types is associated with one or more detection "channels." The Single Server deployment simplifies Symantec Data Loss Prevention administration and reduces maintenance and hardware costs for small organizations, or for branch offices of larger enterprises that would benefit from on-site deployments of Symantec Data Loss Prevention.
If you choose either of these types of installation, the Symantec Data Loss Prevention administrator needs to be able to perform database maintenance tasks, such as database backups.
Performing a single-tier installation—high-level steps
Two-tier: To implement the two-tier installation, you install the Oracle database and the Enforce Server on the same computer. You then install detection servers on separate computers.
Typically, this installation is implemented when an organization, or the group responsible for data loss prevention, does not have a separate database administration team. If you choose this type of installation, the Symantec Data Loss Prevention administrator needs to be able to perform database maintenance tasks, such as database backups.
Performing a two-tier installation—high-level steps
Three-tier: To implement the three-tier installation, you install the Oracle database, the Enforce Server, and a detection server on separate computers. Symantec recommends implementing the three-tier installation architecture as it enables your database administration team to control the database. In this way you can use all of your corporate standard tools for database backup, recovery, monitoring, performance, and maintenance. Three-tier installations require that you install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server to communicate with the Oracle server.
Performing a three-tier installation—high-level steps
If you want to use password authentication, no additional information is required during the Symantec Data Loss
Prevention installation.
See About authenticating users for more information about all of the authentication and sign-on mechanisms that
Symantec Data Loss Prevention supports.
See Implementing the Database.
• The following third-party components, if required:
– Network Monitor servers require either a dedicated NIC or a high-speed packet capture adapter. See Minimum
System Requirements for Symantec Data Loss Prevention Servers for requirements.
– Windows-based Network Monitor servers require WinPcap or Npcap software.
Locate the WinPcap software at the following URL:
http://www.winpcap.org/
Locate the Npcap software at the following URL:
http://nmap.org/npcap
See Minimum System Requirements for Symantec Data Loss Prevention Servers for requirements.
– Wireshark, available from http://www.wireshark.org. During the Wireshark installation process on Windows
platforms, do not install a version of WinPcap lower than 4.1.2 or a version of Npcap lower than 0.995.
– For two-tier or three-tier installations, a remote access utility may be required (for example, Remote Desktop for
Windows systems, or PuTTY or a similar SSH client for Linux systems).
– Windows-based Discover servers that are scanning targets on UNIX machines must have the NFS Client feature
enabled. You can enable the NFS Client on your Windows Server 2012, 2016, or 2019 computer from the Windows
Server Manager.
To enable the NFS client on your Windows-based Discover server, take one of the following actions:
• Windows Server 2012, 2016, or 2019: In the Windows Server Manager, use the Add Roles and Features
wizard to select and install the Client for NFS.
https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#BKMK_installarfw
• Adobe Reader (for reading Symantec Data Loss Prevention documentation).
Step 1: Perform the preinstallation steps.
Description: Symantec Data Loss Prevention Preinstallation Steps
Step 2: Verify that your servers are ready for installation.
Description: Verifying that servers are ready for Symantec Data Loss Prevention installation
Step 3: Install Oracle and create the Symantec Data Loss Prevention database.
Description: In a three-tier installation your organization’s database administration team installs, creates, and maintains the Symantec Data Loss Prevention database. See Implementing the Database for information about installing Oracle.
Step 4: Install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server computer to enable communication with the Oracle server.
Description: The user account that is used to install Symantec Data Loss Prevention requires access to SQL*Plus to create tables and views.
Step 5: Install the Java Runtime Environment on the Enforce Server.
Description: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime Environment on the Enforce Server on Linux
Step 6: Install and configure (only on Linux platforms) the Enforce Server.
Description: Installing an Enforce Server on Windows; Installing an Enforce Server on Linux
Step 7: Verify that the Enforce Server is correctly installed.
Description: Verifying an Enforce Server installation
Step 8: Install one or more Symantec Data Loss Prevention license files.
Description: Installing a New License File
Step 9: Import a solution pack.
Description: Importing a Solution Pack
Step 10: Generate server certificates for secure communication.
Description: If you are installing Network Prevent in a hosted environment, you must create user-generated certificates for the Enforce Server and all detection servers in your deployment. This ensures that communication between the Enforce Server and all detection servers is secure. Symantec recommends that you generate new certificates for any multi-tier deployment. If you do not generate new certificates, Enforce and detection servers use a default, built-in certificate that is shared by all Symantec Data Loss Prevention installations. See Using sslkeytool to generate new Enforce Server and detection server certificates.
Step 11: Generate certificates to secure communications between the Enforce Server and Oracle Database.
Description: About securing communications between the Enforce Server and the database
Step 12: Install the Java Runtime Environment on the detection server.
Description: Install the Java Runtime Environment on a detection server on Windows; Installing the Java Runtime Environment on a Detection Server on Linux
Step 13: Install and configure (only on Linux platforms) a detection server.
Description: Installing a detection server on Windows; Installing a detection server on Linux
Step 14: Register a detection server.
Description: Registering a detection server
Step 15: Perform the post-installation tasks.
Description: Symantec recommends that you create a backup of your system after completing the installation. Other recommended post-installation tasks include configuring security settings and performing initial setup tasks. See About post-installation tasks.
Step 16: Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator password, and create user accounts and roles.
Description: About post-installation security configuration. For more detailed administration topics (including how to configure a specific detection server) see Server configuration—basic.
Performing a two-tier installation—high-level steps
The computer on which you install Symantec Data Loss Prevention must only contain the software that is required to
run the product. Symantec does not support installing Symantec Data Loss Prevention on a computer with unrelated
applications.
See Third-party software requirements and recommendations for a list of required and recommended third-party software.
Step 1: Perform the preinstallation steps.
Description: Symantec Data Loss Prevention Preinstallation Steps
Step 2: Verify that your servers are ready for installation.
Description: Verifying that servers are ready for Symantec Data Loss Prevention installation
Step 3: Install Oracle and create the Symantec Data Loss Prevention database.
Description: See Implementing the Database for information about installing Oracle.
Step 4: Install the Java Runtime Environment on the Enforce Server.
Description: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime Environment on the Enforce Server on Linux
Step 5: Install and configure (only on Linux platforms) the Enforce Server.
Description: Installing an Enforce Server on Windows; Installing an Enforce Server on Linux
Step 6: Verify that the Enforce Server is correctly installed.
Description: Verifying an Enforce Server installation
Step 7: Install one or more Symantec Data Loss Prevention license files.
Description: Installing a New License File
Step 8: Import a solution pack.
Description: Importing a solution pack
Step 9: Generate server certificates for secure communication.
Description: If you are installing Network Prevent in a hosted environment, you must create user-generated certificates for the Enforce Server and all detection servers in your deployment. This ensures that communication between the Enforce Server and all detection servers is secure. Symantec recommends that you generate new certificates for any multi-tier deployment. If you do not generate new certificates, Enforce and detection servers use a default, built-in certificate that is shared by all Symantec Data Loss Prevention installations. See Using sslkeytool to generate new Enforce Server and detection server certificates.
Step 10: Generate certificates to secure communications between the Enforce Server and Oracle Database.
Description: About securing communications between the Enforce Server and the database
Step 11: Install the Java Runtime Environment on the detection server.
Description: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime Environment on the Enforce Server on Linux
Step 12: Install and configure (only on Linux platforms) a detection server.
Description: Installing a detection server on Windows; Installing a detection server on Linux; Configuring a Detection Server
Step 13: Register a detection server.
Description: Registering a detection server
Step 14: Perform the post-installation tasks.
Description: Symantec recommends that you create a backup of your system after completing the installation. Other recommended post-installation tasks include configuring security settings and performing initial setup tasks. See About post-installation tasks.
Step 15: Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator password, and create user accounts and roles.
Description: About post-installation security configuration. For more detailed administration topics (including how to configure a specific detection server) see Server configuration—basic.
Performing a single-tier installation—high-level steps
Step 1: Perform the preinstallation steps.
Reference: Symantec Data Loss Prevention Preinstallation Steps
Step 2: Verify that the server is ready for installation.
Reference: Verifying that servers are ready for Symantec Data Loss Prevention installation
Step 3: Install Oracle and create the Symantec Data Loss Prevention database.
Reference: See Implementing the Database for information about installing Oracle.
Step 4: Install the Java Runtime Environment.
Reference: Installing the Java Runtime Environment on the Enforce Server on Windows; Installing the Java Runtime Environment on the Enforce Server on Linux
Step 5: Install the Enforce Server and a detection server on the same computer.
Reference: Installing a single-tier server on Windows; Installing a single-tier server on Linux
Step 6: Configure the Enforce Server and the detection server on Linux platforms.
Reference: Configuring a new single-tier installation
Step 7: Verify that the system is correctly installed.
Reference: Verifying a single-tier installation
Step 8: Install one or more Symantec Data Loss Prevention license files.
Reference: Installing a New License File
Step 9: Import a solution pack.
Reference: Importing a solution pack
Step 10: Register the detection server.
Reference: Registering a detection server; Registering the Single Tier Monitor
Step 11: Perform the post-installation tasks.
Reference: Symantec recommends that you create a backup of your system after completing the installation. Other recommended post-installation tasks include configuring security settings and performing initial setup tasks. See About post-installation tasks.
Step 12: Start using Symantec Data Loss Prevention to perform initial setup tasks; for example, change the Administrator password, and create user accounts and roles.
Reference: About post-installation security configuration. For more detailed administration topics (including how to configure a specific detection server) see Server configuration—basic.
2. Make sure your server is up to date with the latest security patches.
3. Obtain the Administrator user name and password (for Windows) or root password (for Linux) for each system on
which Symantec Data Loss Prevention is to be installed.
4. Obtain the static IP address(es) for each system on which Symantec Data Loss Prevention is to be installed.
5. Verify that each server host name that you will specify has a valid DNS entry.
6. Verify that you have access to all remote computers that you will use during the installation (for example, by using
Terminal Services, Remote Desktop, or an SSH client).
7. Confirm the database user has permissions to connect to the Enforce Server.
10. If you want to store your incident attachments on an external file system rather than in the Oracle database, ensure
that you have set up your external storage directory and know the path to that location.
11. Copy files from DLPDownloadHome to an easily accessible directory on the Enforce Server:
• Choose from the following installer files based on the system you plan to deploy.
3. If you are running Oracle 19c, run the following command:
GRANT create job TO protect;
4. Exit SQL*Plus:
exit
Verifying that servers are ready for Symantec Data Loss Prevention installation
Before installing Symantec Data Loss Prevention, you must verify that the server computers are ready.
1. Verify that all systems are racked and set up in the data center.
2. Verify that the network cables are plugged into the appropriate ports as follows:
• Enforce Server NIC Port 1.
Standard network access for Administration.
If the Enforce Server has multiple NICs, disable the unused NIC if possible. This task can only be completed once
you have installed the Enforce Server.
• Detection servers NIC Port 1.
Standard network access for Administration.
• Network Monitor detection servers NIC Port 2.
SPAN port or tap should be plugged into this port for detection. (Does not need an IP address.)
If you use a high-speed packet capture card (such as Endace or Napatech), then do not set this port for SPAN or
tap.
3. Log on as the Administrator user (on Windows) or superuser (on Linux).
For Napatech cards, there is a "statistics" tool with option -bch=0xf to observe the "Hardware counters" for all
channels/ports.
15. Ensure that all Windows servers are synchronized with the same time (to the minute). Ensure that the servers are
updated with the correct Daylight Saving Time patches.
16. Confirm that the designated Enforce Server has at least 1 GB of free space.
17. Set the Enforce Server to boot into the Xorg display server if you are running Red Hat Enterprise Linux 8.
Complete the following steps on the Enforce Server system on which you intend to install Enforce:
a) Locate the custom.conf file at /etc/gdm/.
b) Change the WaylandEnable value to false and save your changes.
c) Reboot the server.
18. Install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017, and 2019 to all servers where you plan to
run the Enforce Server, detection servers, and indexers on Windows.
Download the VC_redist.x64.exe file from The latest supported Visual C++ downloads. After you complete the
installation, restart the server.
19. For Network Prevent for Email detection server installations, verify the following:
• Use an SSH client to verify that you can access the Mail Transfer Agent (MTA).
• Verify that the firewall permits you to Telnet from the Network Prevent for Email Server computer to the MTA on port
25. Also ensure that you can Telnet from the MTA to the Network Prevent for Email detection server computer on
port 10026.
See Implementing the Database for information about installing Oracle 19c.
• Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer
software: EnforceServer.msi.
• Install the Java Runtime Environment.
Installing the Java Runtime Environment on the Enforce Server on Windows
Installing the Java Runtime Environment on the Enforce Server on Linux
If you intend to run Symantec Data Loss Prevention using Federal Information Processing Standards (FIPS) encryption,
you must first prepare for FIPS encryption. You enable FIPS encryption during the installation process.
Related Links
About FIPS encryption on page 349
Installing on Windows
The following sections include steps to install the Enforce Server on Windows:
• Installing the Java Runtime Environment on the Enforce Server on Windows
• Installing an Enforce Server on Windows
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the command line with the /L*v option. See the example below:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log
You can complete the installation silently or using a graphical user interface.
Installing silently
Enter values with information specific to your installation for the following:
Command Description
INSTALLATION_DIRECTORY Specifies where the Enforce Server is installed. The default location is C:\Program
Files\Symantec\DataLossPrevention.
DATA_DIRECTORY Defines where Symantec Data Loss Prevention stores files that are updated while the
Enforce Server is running (for example, logs and licenses). The default location is c:
\ProgramData\Symantec\DataLossPrevention\EnforceServer\.
Note: If you do not use the default location, you must indicate a folder name for the data
directory. If you set the data directory to the drive root (for example c:\ or e:\) you
cannot successfully uninstall the program.
Command Description
ENFORCE_ADMINISTRATOR_PASSWORD Defines the Enforce Server administration console password. The Enforce Server
administration console password must be at least eight characters long.
REINSTALLATION_RESOURCE_FILE Defines the location of the Reinstallation Resource File.
INITIALIZE_DATABASE_OPTION Defines whether you create a new database (Initialize) or connect to an existing
one (Preserve).
The default is Preserve.
The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
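Before running a silent install it is worth checking the constraints stated above (an administrator password of at least eight characters, a data directory that is not a drive root, and an INITIALIZE_DATABASE_OPTION of Initialize or Preserve) rather than discovering them from a failed MSI log. The following added Python example is not Symantec's code or installer output: it assembles the msiexec command line from the properties listed above, assumes the standard msiexec /qn no-UI switch, and pairs Initialize with a password and Preserve with a reinstallation resources file in the same way the wizard panels do.

```python
"""Assemble and validate an EnforceServer.msi silent-install command line.

Added example, not from the Symantec documentation or installer. It encodes
the constraints the documentation states for the silent-install properties:
the administrator password must be at least eight characters, the data
directory must not be a drive root, and INITIALIZE_DATABASE_OPTION is
Initialize or Preserve (default Preserve). Pairing Initialize with a password
and Preserve with a reinstallation resources file follows the wizard steps.
The /qn (no UI) switch is standard msiexec usage assumed here, not something
the documentation shows.
"""
import re
from typing import Dict, Optional

DEFAULT_INSTALL_DIR = r"C:\Program Files\Symantec\DataLossPrevention"
# The documentation shows the default with a trailing backslash; it is omitted
# here because a backslash before a closing quote breaks command-line parsing.
DEFAULT_DATA_DIR = r"C:\ProgramData\Symantec\DataLossPrevention\EnforceServer"
PASSWORD_PROPERTY = "ENFORCE_ADMINISTRATOR_PASSWORD"
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


class SilentInstallError(ValueError):
    """Raised when the requested property set cannot produce a valid install."""


def _quote(value: str) -> str:
    """Quote an MSI property value only when it contains whitespace."""
    return f'"{value}"' if re.search(r"\s", value) else value


def build_properties(
    initialize_option: str = "Preserve",
    admin_password: Optional[str] = None,
    reinstallation_resource_file: Optional[str] = None,
    installation_directory: str = DEFAULT_INSTALL_DIR,
    data_directory: str = DEFAULT_DATA_DIR,
) -> Dict[str, str]:
    """Return the PROPERTY=value map after checking the documented constraints."""
    if initialize_option not in ("Initialize", "Preserve"):
        raise SilentInstallError("INITIALIZE_DATABASE_OPTION must be Initialize or Preserve")
    if DRIVE_ROOT.match(data_directory.strip()):
        # A drive-root data directory cannot be uninstalled cleanly.
        raise SilentInstallError("DATA_DIRECTORY must be a folder, not a drive root")
    props = {
        "INSTALLATION_DIRECTORY": installation_directory,
        "DATA_DIRECTORY": data_directory,
        "INITIALIZE_DATABASE_OPTION": initialize_option,
    }
    if initialize_option == "Initialize":
        # A fresh schema needs the console password; the wizard enforces 8+ chars.
        if admin_password is None or len(admin_password) < 8:
            raise SilentInstallError(f"{PASSWORD_PROPERTY} must be at least eight characters")
        props[PASSWORD_PROPERTY] = admin_password
    else:
        # Reusing an existing schema needs its unique reinstallation resources file.
        if not reinstallation_resource_file:
            raise SilentInstallError("REINSTALLATION_RESOURCE_FILE is required with Preserve")
        props["REINSTALLATION_RESOURCE_FILE"] = reinstallation_resource_file
    return props


def validation_error(**kwargs) -> Optional[str]:
    """Return the constraint violated by build_properties(**kwargs), or None."""
    try:
        build_properties(**kwargs)
    except SilentInstallError as exc:
        return str(exc)
    return None


def build_command(msi_path: str, log_path: str, props: Dict[str, str]) -> str:
    """Join msiexec, the /L*v verbose-log switch, and the property assignments."""
    parts = ["msiexec", "/i", _quote(msi_path), "/qn", "/L*v", _quote(log_path)]
    parts += [f"{name}={_quote(value)}" for name, value in props.items()]
    return " ".join(parts)


def redact(command: str) -> str:
    """Mask the password before the command line is echoed into a deployment log.

    The real command line is visible to anyone who can list processes or read
    shell history, so only the redacted form should ever be written to logs.
    """
    return re.sub(rf'({PASSWORD_PROPERTY}=)(?:"[^"]*"|\S+)', r"\1********", command)


if __name__ == "__main__":
    props = build_properties("Initialize", admin_password="ChangeMe-Example1",
                             data_directory=r"c:\enforcedata")
    print(redact(build_command(r"c:\temp\EnforceServer.msi",
                               r"c:\temp\enforce_install.log", props)))
```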
1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Go to the folder where you copied the EnforceServer.msi file (c:\temp).
3. Double-click EnforceServer.msi to start the installation wizard.
NOTE
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option.
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log
Symantec recommends that you use the default destination directory. References to the "installation directory" in
Symantec Data Loss Prevention documentation are to this default location.
7. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory (for example,
c:\enforcedata). If you set the data directory to the drive root (for example c:\ or e:\) you cannot
successfully uninstall the program.
8. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
9. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
10. In the Service User panel, select one of the following options.
• New Users: Select this option to create the Symantec Data Loss Prevention system account user name and
password and confirm the password. This account is used to manage Symantec Data Loss Prevention services.
The default user name is “SymantecDLP.”
NOTE
The password you enter for the System Account must conform to the password policy of the server. For
example, the server may require all passwords to include special characters.
• Existing Users: Select this option to use an existing local or domain user account.
Click Next.
11. (Optional) If you opted to create a new service user, enter the new account name and password. Confirm the
password, then click Next.
12. (Optional) If you opted to use an existing domain user account, enter the account name and password. The user name
must be in DOMAIN\username format.
13. In the Oracle Database panel, enter details about the Oracle database server. Specify one of the following options in
the Oracle Database Server field:
Host Enter host information based on your Symantec Data Loss Prevention installation:
• Single- and two-tier installation (Enforce and Oracle servers on the same system): The Oracle Server
location is 127.0.0.1.
• Three-tier installation (Enforce Server and Oracle server on different systems): Specify the Oracle server
host name or IP address.
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
Port Enter the Oracle Listener Port, or accept the default.
Service Name Enter the database service name (typically “protect”).
Username Enter the Symantec Data Loss Prevention database user name.
Password Enter the Symantec Data Loss Prevention database password.
If your Oracle database is not a supported version, you are warned and offered the choice of continuing or canceling
the installation. You can continue and upgrade the Oracle database later.
NOTE
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your
database is configured for a different character set, you are notified and the installation is canceled. Correct
the problem and re-run the installer.
14. Click Next.
If you are performing a new installation, go to step 17. If you are installing to a database where you have previously
installed Symantec Data Loss Prevention, the Initialize Database panel displays.
15. In the Initialize Database panel, select one of the following options:
• Select Initialize Database if you are performing a new Symantec Data Loss Prevention installation.
Select this option if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note
that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss
Prevention database is destroyed when you begin the installation.
Click Next.
In the Enforce Administrator Password panel, enter and confirm a password you use to access the Enforce
Server administration console. The Enforce Server administration console password must be at least eight
characters long.
• Select Preserve Database Data if you want to connect to an existing database.
Selecting this option skips the database initialization process.
Click Next.
In the Enforce Reinstallation Resources panel, specify the unique Enforce Reinstallation Resources file for the
existing database that you want to use.
16. Click Next.
17. Select one of the following incident storage locations on the Incident Storage Location panel:
• Database stores incidents in the Oracle database.
• External Storage stores your incident attachments externally.
About external storage for incident attachments
18. Click Next and enter the path or browse to your external storage directory (if you selected External Storage), or go to
step 21 if you selected Database.
19. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See About locales for more information on locales.
20. Click Install.
The installation process can take a few minutes. The installation program window may persist for a while during the
startup of the services. After a successful installation, a completion notice displays.
21. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data
Loss Prevention installation process.
22. Verify that the Enforce Server is properly installed.
See Verifying an Enforce Server installation.
23. Import a Symantec Data Loss Prevention solution pack immediately after installing the Enforce Server, and before
installing any detection servers.
See About Symantec Data Loss Prevention solution packs.
24. Create a backup of your system after completing the installation.
See Backing up your system.
Installing on Linux
The following sections include steps to install the Enforce Server on Linux:
• Installing the Java Runtime Environment on the Enforce Server on Linux
• Installing an Enforce Server on Linux
• Configuring a new Enforce Server installation on Linux
You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on as root to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/
New_Installs/Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Unzip the file contents (for example, unzip to opt/AdoptOpenJRE).
Signing RPM Files for Server Components
5. Display the imported key by running the following command:
rpm -qi gpg-pubkey-b891399b-59c04bd7
6. Verify the signature of files before installing them by running the following command:
rpm -K *rpm
Installing an Enforce Server on Linux
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm
You can also specify a file to confirm by running the following command:
rpm -qpR .rpm-file
If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo
NOTE
If you are running the database in a RAC environment, confirm that the SCAN HOST IP for RAC is accessible
and the nodes associated with it are all up and running during the install process.
You can complete the installation silently or using a graphical user interface.
Configure silently
The following table lists the installation parameters you use during the Enforce Server silent installation.
Command Description
The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
./EnforceServerConfigurationUtility -silent
-jreDirectory=opt/AdoptOpenJRE/jdk8u322-b06-jre
-serviceUserOption=NewUser
-serviceUserUsername=protect
-oracleHome=/opt/oracle/product/19.3.0.0/db_1
-oracleHost=127.0.0.1
-oracleUsername=protect
-oraclePassword=password
-oraclePort=1521
-oracleServiceName=protect
-initializeDatabaseOption=Preserve
-reinstallationResourceFile=/opt/temp/EnforceReinstallationResources.zip
-fipsOption=Disabled
-externalStorageOption=Database
Configure using a graphical user interface
3. Enter the following information in the Enforce Server Configuration Utility:
NOTE
If any configuration steps fail, the Enforce Server Configuration Utility does not roll back the changes that
were made. You must roll back the changes before you re-attempt the installation.
Rolling back a failed Enforce Server installation
Setting the ownership and permission of Symantec Data Loss Prevention files may take several minutes. The
installation program may persist for a while during the startup of the services.
If you re-use a database that was created for an earlier Symantec Data Loss Prevention installation, the Symantec
Data Loss Prevention database user ("protect" user by default) may not have sufficient privileges to install the product.
In this case, you must manually add the necessary privileges using SQL*Plus.
NOTE
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your
database is configured for a different character set, you are notified and the installation is canceled. Correct
the problem and re-run the installer.
4. Verify that the Enforce Server is properly configured.
Verifying an Enforce Server installation
5. Import a Symantec Data Loss Prevention solution pack immediately after installing the Enforce Server, and before
installing any detection servers.
Importing a Solution Pack
6. Create a backup of your system after completing the installation.
Backing up your system
Rolling back a failed Enforce Server installation
While installing the Enforce Server on Linux, if any configuration steps fail, the Enforce Server Configuration Utility does
not roll back the changes that were made.
1. Stop all the SymantecDLP services and uninstall the Enforce Server by running the following command.
rpm -e $(rpm -qa "symantec-dlp-16-0*")
2. Confirm that the following folders and their contents are removed from the Enforce Server:
• /opt/Symantec/DataLossPrevention
• /var/Symantec/DataLossPrevention
• /var/log/Symantec/DataLossPrevention
• /var/run/Symantec/DataLossPrevention
If the folders and their contents are not removed, delete them.
3. Re-install the Java Runtime Environment and the Enforce Server.
Parameters for install.sh
You can use the following parameters when using install.sh. If you do not change parameters, a default installation is
completed.
Table 110: Parameters for install.sh (parameter, default value, description)
-t (no default): This required parameter defines the installation type. Enter one of the following, depending on what you plan to install:
• enforce
• detection
• singletier
• indexers
-i (default /opt/Symantec/DataLossPrevention): Defines the path to the installation directory. You can indicate a path where you want to relocate the installation type.
-d (default /var/Symantec/DataLossPrevention): Defines the path to the data directory.
-l (default /var/log/Symantec/DataLossPrevention): Defines the path to the logs directory.
-r (default /var/run/Symantec/DataLossPrevention): Defines the path to the run directory.
-s (default /var/spool/Symantec/DataLossPrevention): Defines the path to the spool directory.
3. If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example,
connectivity, password, or database access issues).
• For Windows, the Symantec Data Loss Prevention installation log is at c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs.
You may also need to install the Update for Universal C Runtime in Windows. See https://support.microsoft.com/en-us/kb/2999226.
• For Linux, the Symantec Data Loss Prevention operational logs are in /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs.
4. Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration
console. After you log on, you accept the EULA, enter your company information, and add all of your licenses.
The Current License list displays the following information for each product license:
• Product – The individual Symantec Data Loss Prevention product name
• Count – The number of users licensed to use the product
• Status – The current state of the product
• Expiration – The expiration date of license for the product
A month before a license expires, warning messages appear on the System > Servers > Overview screen. When you see such a message, contact Symantec to purchase a new license key before the current license expires.
Unzip the contents of Symantec_DLP_16.0.1_Solution_Packs.zip to the directory for your platform:
• Windows: DLPDownloadHome\DLP\16.0.1\Solution_Packs\
• Linux: DLPDownloadHome/DLP/16.0.1/Solution_Packs/
Symantec provides the solution packs listed in the following table.
Table 111: Symantec Data Loss Prevention solution packs
See the solution pack documentation for a description of the contents of each solution pack.
Solution pack documentation can be found in one of the following directories (based on your platform):
• Windows: DLPDownloadHome\DLP\16.0.1\Docs\Solution_Packs\
• Linux: DLPDownloadHome/DLP/16.0.1/Docs/Solution_Packs
The directory was created when you unzipped either the entire software download file or the documentation ZIP file.
You must choose and import a solution pack immediately after installing the Enforce Server and before installing any
detection servers. You only import a single solution pack. You cannot change the imported solution pack at a later time.
Importing a solution pack
NOTE
Use a version 16.0.1 solution pack; earlier versions are not supported.
2. Log on (or remote log-on) as Administrator (on Windows) or root (on Linux) to the Enforce Server computer.
3. Copy the solution pack file from the Solution_Packs folder to an easily accessible local directory.
The Solution_Packs folder location is based on your platform:
• Windows: DLPDownloadHome\DLP\16.0.10000\Solution_Packs\
• Linux: DLPDownloadHome/DLP/16.0.10000/Solution_Packs/
4. Import the solution pack. Use the steps that match your platform.
Import the solution pack on Windows by completing the following steps:
a) In Windows Services, stop the SymantecDLPManagerService service.
Stopping an Enforce Server on Windows
b) From the command prompt, change to the c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\bin directory on the Enforce Server. This directory contains the SolutionPackInstaller.exe application. For example:
cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect\bin
c) Import the solution pack by running SolutionPackInstaller.exe from the command line and specifying the solution pack directory path and file name. The solution pack directory must not contain spaces, so stage the file in a directory such as c:\temp rather than under Program Files.
For example, if you placed a copy of the Financial_v16.0.1.vsp solution pack in c:\temp on the Enforce Server, you enter:
SolutionPackInstaller.exe import c:\temp\Financial_v16.0.1.vsp
Import the solution pack on Linux by completing the following steps:
a) From the command-line prompt, change the directory to /opt/Symantec/DataLossPrevention/
EnforceServer/16.0.10000/Protect/bin. For example:
cd /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin
b) Stop the SymantecDLPManagerService service by entering the following command:
service SymantecDLPManagerService stop
5. Check the solution pack installer messages to be sure that the installation succeeded without error.
6. Restart the SymantecDLPManagerService service.
7. After you have imported the solution pack, install or register a detection server based on the type of installation:
• On three-tier or two-tier installations, install one or more detection servers.
• On a single-tier installation, register a detection server.
Related Links
Installing and registering detection servers on page 234
Detection Servers
Learn about the types of Symantec Data Loss Prevention detection servers you can register.
The Symantec Data Loss Prevention suite includes the types of detection servers that are described in the following table.
The Enforce Server manages all of these detection servers.
For information about registering cloud detectors, see Adding a cloud detector or the documentation that accompanies
your cloud detector.
Server Name  Description

Network Monitor
    Network Monitor inspects network communications for confidential data, accurately detects policy violations, and precisely qualifies and quantifies the risk of data loss. Data loss can include intellectual property or customer data.

Network Discover
    Network Discover identifies unsecured confidential data that is exposed on open file shares, web servers, Microsoft Exchange servers, and Microsoft SharePoint platforms.
    Install a Network Discover cluster to perform high speed file system scanning with Network Discover. See Network Discover Clusters.
    The Network Protect product module adds protection functionality to the Network Discover Server. Network Protect reduces your risk by removing exposed confidential data, intellectual property, and classified information from open file shares on network servers or desktop computers.

Network Prevent for Email
    Network Prevent for Email prevents data security violations by blocking the email communications that contain confidential data. It can also conditionally route traffic with confidential data to an encryption gateway for secure delivery and encryption-policy enforcement.
    Note: You can optionally deploy Network Prevent for Email in a hosted service provider network, or in a network location that requires communication across a Wide Area Network (WAN) to reach the Enforce Server. See About hosted Network Prevent deployments.

Network Prevent for Web
    Network Prevent for Web prevents data security violations for data that is transmitted by web communications and file-transfer protocols.
    Note: You can optionally deploy Network Prevent for Web in a hosted service provider network, or in a network location that requires communication across a Wide Area Network (WAN) to reach the Enforce Server. See About hosted Network Prevent deployments.

Endpoint Prevent
    Endpoint Prevent monitors the use of sensitive data on endpoint systems and detects endpoint policy violations. Endpoint Prevent also identifies unsecured confidential data that is exposed on endpoints.

Single Tier Monitor
    The Single Tier Monitor enables the detection servers that you have licensed on the same host as the Enforce Server. The single-tier server performs detection for the following products (you must have a license for each): Network Monitor, Network Discover, Network Prevent for Email, Network Prevent for Web, and Endpoint Prevent.
Related Links
Preparing for a Detection Server Installation on page 236
Data Node
The data node acts as an intermediary between the Monitor Controller and the worker nodes. The data node receives and
stores all policies, settings, and scan requests from the Monitor Controller. The data node then sends this information to
each of the worker nodes, and caches the information that is required for the cluster to function during the scan execution.
The data node also manages the scans and sends incidents, scan status, scan statistics, and worker node inventories to
the Monitor Controller.
NOTE
You must install only one data node server per cluster.
Worker Nodes
Worker nodes are Network Discover detection servers that do the scanning. A worker node does not communicate with
the Monitor Controller directly. However, the worker node does connect to the data node to receive policies, settings, and
scan requests.
Worker nodes crawl, download, and perform detection on the content roots or repositories that are specified in the target.
When a violation is detected, an incident is created. Worker nodes send all of the incidents and scan details to the data
node. The data node sends the incident details, and scan status and statistics to the Enforce Server.
For more information about cluster services, see About Symantec Data Loss Prevention services.
Related Links
Preparing for a Detection Server Installation on page 236
Installing a detection server on Windows on page 236
Installing a detection server on Linux on page 248
Install the Java Runtime Environment on a detection server on Windows
You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on (or remote logon) as Administrator to the computer on which you intend to install the detection server.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP\16.0.1\New_Installs\x64\Release directory to the computer where you plan to install the detection server (for example, to c:\temp).
3. Unzip the file to C:\Program Files\AdoptOpenJRE\<version>-jre.
Replace <version> with the JRE version.
See Installing a detection server on Windows.
You can complete the installation silently from the command line or from a graphical user interface.
Before you begin
Copy the DetectionServer.msi file into the c:\temp directory on the server computer.
Installing silently
Enter values with information specific to your installation for the following:
Property  Description

INSTALLATION_DIRECTORY
    Specifies where the detection server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.

DATA_DIRECTORY
    Defines where Symantec Data Loss Prevention stores files that are updated while the server is running (for example, logs and licenses). The default location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\.
    Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.

SERVICE_USER_OPTION
    Defines whether to create a new service user (NewUser) or use an existing one (ExistingUser). The default is ExistingUser.

SERVICE_USER_USERNAME
    Defines the name of the account that is used to manage Symantec Data Loss Prevention services. The default user name is "SymantecDLP."

SERVICE_USER_PASSWORD
    Defines the password for the account that is used to manage Symantec Data Loss Prevention services.

BIND_HOST
    Defines the host name or IP address of the detection server.

BIND_PORT
    Defines the port on which the detection server accepts connections from the Enforce Server. If you cannot use the default port (8100), you can enter any unused port above 1024 (up to 65535).
The following is an example of what the completed command might look like. The command you use differs based on your implementation requirements; using the following command as-is may cause the installation to fail.
msiexec /i DetectionServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\DetectionServer"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_OPTION=ExistingUser
To write a verbose installation log to a location of your choice instead of the default MSI*.log file in the %TEMP% folder, add the /L*v option:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log
7. Click Next.
The End-User License Agreement panel displays.
8. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
9. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers created or specified during the installation process must
be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not
supported.
10. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
11. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
12. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
13. In the Service User panel, select one of the following options, then click Next.
• New Users: Select this option to create the Symantec Data Loss Prevention system account user name and
password and confirm the password. This account is used to manage Symantec Data Loss Prevention services.
The default user name is “SymantecDLP.” New service user accounts are local accounts.
NOTE
To use the RMS detection feature, you must enable it after installing the detection server.
Enabling Microsoft Rights Management file monitoring
The password you enter for the System Account must conform to the password policy of the server. For example,
the server may require all passwords to include special characters.
• Existing Users: Select this option to use an existing local or domain user account.
Enter a domain service user name and password if you plan to manage the detection server with a domain user. If
you want to use the RMS detection feature, ensure that the domain user that you enter has access to the RMS AD
system (and is a member of the selected AD RMS Super Users group) or the Azure RMS system.
Click Next.
14. (Optional) If you opted to create a new service user, enter the new account name and password. Confirm the
password, then click Next.
15. (Optional) If you opted to use an existing local or domain user account, enter the account name and password. The user name for a domain user must be in DOMAIN\username format.
16. In the Detection Server Default Certificates panel, select one of the following options:
• Enable Default Certificates: Select if the detection server runs on a secure network or if it is only accessible by
trusted traffic.
• Disable Default Certificates: Select if you plan to generate unique, self-signed certificates for your organization’s
installation.
About the sslkeytool utility and server certificates
Click Next.
17. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the Enforce Server. If you cannot use the default port, you can change it to any unused port above 1024 (up to 65535).
18. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
19. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the detection
server installation process.
20. Verify that the detection server is properly installed.
Verifying a Detection Server or Node Installation
21. Create a backup of your system after completing the installation.
Backing up your system
Prepare the AD RMS Environment for RMS Monitoring
Complete the following steps to prepare your AD RMS environment for monitoring.
1. Confirm that the latest AD RMS client is installed.
2. Confirm that the AD RMS account has Read and Execute permissions to access ServerCertification.asmx.
For additional details, refer to the Microsoft Developer Network article: https://msdn.microsoft.com/en-us/library/
mt433203.aspx.
3. Confirm that the AD RMS superuser group and Service Group both have Read and Execute permissions.
4. Add each detection server to the AD RMS domain.
5. Complete the following to change the previous Symantec Data Loss Prevention version service user to a domain user
that has access to the AD RMS superuser group.
• Shut down all services on the detection server before updating the service user.
• Run the ChangeServiceUser.exe utility to change the service user. The utility is located at:
C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe
USAGE: ChangeServiceUser.exe [installation directory] [new service user username] [new service user password]
Parameters: [new service user password] is optional.
For example:
C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe C:\Program Files\Symantec\DataLossPrevention\ [AD RMS domain name]\[super user username] [super user password]
Note that a password supplied on the command line is visible to other users of the server in process listings and may be retained in command history; the super user account has broad rights over RMS-protected content, so treat that password accordingly.
After running the script, the command prompt displays the change status, including the service user change status.
6. Start all services after updating the service user.
Prepare the Azure RMS Environment for RMS Monitoring
Complete the following steps to prepare your Azure RMS environment for RMS monitoring:
1. Confirm that the latest Azure RMS client is installed.
2. Create a local or domain user on each detection server that can access the Azure RMS.
After you upgrade the detection server, you enable the Microsoft Rights Management plug-in to complete the process to
monitor Microsoft Rights Management files.
See Enabling Microsoft Rights Management File Monitoring.
Enabling Microsoft Rights Management file monitoring
Symantec Data Loss Prevention can detect files that are encrypted using Microsoft Rights Management (RMS)
administered by Azure or Active Directory (AD).
Before you enable Microsoft Rights Management file monitoring, confirm that prerequisites for the RMS environment and
the detection server have been completed.
Enabling RMS detection for Azure-managed RMS
For Azure RMS, complete the following on each detection server to enable RMS file monitoring:
1. Locate the plugin script Enable-Plugin.ps1 on the detection server under the following path:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction
2. Create the RMS configuration by running ConfigurationCreator.exe and answering its prompts:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\ConfigurationCreator.exe
Do you want to configure ADAL authentication [y/n]: n
Do you want to configure symmetric key authentication [y/n]: y
Enter your symmetric key (base-64): [user's Azure RMS symmetric key]
Enter your app principal ID: [user's Azure RMS app principal ID]
Enter your BPOS tenant ID: [user's Azure RMS BPOS tenant ID]
After running this program, the following files are created in the MicrosoftRightsManagementPlugin directory under \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction:
• rightsManagementConfiguration
• rightsManagementConfigurationProtection
The symmetric key you enter is a credential for your Azure RMS tenant, so treat these generated files as secrets and restrict their file permissions accordingly.
4. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
Enabling RMS detection for AD-managed RMS
For AD RMS, complete the following on each detection server to enable RMS file monitoring:
1. Run the plugin script Enable-Plugin.ps1, which is located in the MicrosoftRightsManagementPlugin directory under ContentExtractionService on the detection server:
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\Enable-Plugin.ps1"
2. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
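As an added example (not Symantec code and not part of this guide), the following Python script applies the check described in the two notes above to ContentExtractionHost_FileReader.log: it flags every error-level line attributed to MicrosoftRightsManagementPlugin.cpp, which the guide says means the plugin is not monitoring RMS content, and reports whether the plugin logged anything at all. The line layout the regular expression expects, the level names, and the sample log lines are constructed for the example; adapt LINE_RE to the format your detection server actually writes.

```python
"""Check ContentExtractionHost_FileReader.log for Microsoft RMS plugin errors.

Added example, not Symantec code.  The guide states that error messages attributed to
MicrosoftRightsManagementPlugin.cpp in this log mean the plugin is not monitoring RMS
content.  The line layout (timestamp, level, source file, message) and the level names
are assumptions for the example; adapt LINE_RE and ERROR_LEVELS to the real format.
"""
import re
from pathlib import Path

DEFAULT_LOG = Path(r"C:\ProgramData\Symantec\DataLossPrevention\DetectionServer"
                   r"\16.0.10000\logs\debug\ContentExtractionHost_FileReader.log")
PLUGIN_SOURCE = "MicrosoftRightsManagementPlugin.cpp"
ERROR_LEVELS = {"ERROR", "SEVERE", "FATAL"}   # assumed level names

# Assumed layout: "<date> <time> <LEVEL> <source file> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<source>\S+)\s+(?P<msg>.*)$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the layout."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    return match.groupdict() if match else None


def rms_plugin_errors(lines):
    """Collect (timestamp, message) for every error-level line written by the RMS plugin."""
    errors = []
    for line in lines:
        fields = parse_line(line)
        if fields and fields["source"] == PLUGIN_SOURCE and fields["level"] in ERROR_LEVELS:
            errors.append((fields["ts"], fields["msg"]))
    return errors


def rms_plugin_status(lines):
    """Summarise the plugin's state from the log.

    'not monitoring'     - at least one plugin error line (the condition the guide describes)
    'no plugin activity' - nothing from the plugin at all; check that it was enabled and
                           that the detection server was restarted afterwards
    'monitoring'         - the plugin logged only non-error lines
    """
    lines = list(lines)
    if rms_plugin_errors(lines):
        return "not monitoring"
    fields = [parse_line(line) for line in lines]
    if not any(f and f["source"] == PLUGIN_SOURCE for f in fields):
        return "no plugin activity"
    return "monitoring"


def check_log_file(path=DEFAULT_LOG):
    """Read the log on a detection server and return (status, error list)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        lines = handle.readlines()
    return rms_plugin_status(lines), rms_plugin_errors(lines)


# Constructed sample log for the example; not real Symantec DLP output.
SAMPLE_LOG = """\
2024-03-05 09:12:01 INFO  ContentExtractionHost.cpp Loading plugins from contentextraction
2024-03-05 09:12:02 INFO  MicrosoftRightsManagementPlugin.cpp Plugin initialised
2024-03-05 09:13:40 ERROR MicrosoftRightsManagementPlugin.cpp Failed to acquire RMS service license: access denied
2024-03-05 09:13:41 INFO  ContentExtractionHost.cpp Extraction completed for 12 files
"""

if __name__ == "__main__":
    print("RMS plugin status:", rms_plugin_status(SAMPLE_LOG.splitlines()))
    for ts, msg in rms_plugin_errors(SAMPLE_LOG.splitlines()):
        print(f"  {ts}  {msg}")
```

On a detection server, call check_log_file() with no arguments to read the real log at the path given in the note; the sample run above reports "not monitoring" because of the constructed access-denied error, which is the signal that the RMS account or AD RMS permissions described under Prepare the AD RMS Environment need attention.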
Create an authentication package using the DiscoverClusterKeyTool before installing worker and data nodes. The
authentication package enables encrypted communication between nodes.
1. Locate the DiscoverClusterKeyTool at C:\Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\bin\DiscoverClusterKeyTool.exe.
2. Prepare to run the tool. Enter values that are specific to your installation. See the following table for a list of parameters and descriptions.
Parameter  Description

generate-package-type
    Defines the type of node for which the authentication package is used:
    • WN for worker nodes.
    • DN for a data node.
    • All for both worker and data nodes.

enforce-url
    (Optional) The Enforce Server host name or IP. If you do not enter a value, the tool uses the URL https://<localhost>/.

enforce-username
    An Enforce Server user name with administrator rights.

enforce-password
    The password for the user specified in enforce-username.

keystore-password
    (Optional) A password for the keystore. If you do not specify a password, the tool assigns a randomly generated password.

truststore-password
    (Optional) A password for the truststore. If you do not specify a password, the tool assigns a randomly generated truststore password.

disable-ssl-verification
    (Optional) Whether to disable SSL verification while connecting to the Enforce Server. This parameter controls client-side SSL validation between the cluster and the Enforce Server during the process that generates the authentication package. You can enter one of the following values:
    • true disables SSL verification at the client side
    • false (default) keeps SSL verification enabled at the client side
    Leave this at false unless you have a specific reason to change it: with verification disabled the tool does not authenticate the Enforce Server, so the administrator credentials passed in enforce-username and enforce-password are sent to whatever host answers at enforce-url. If the Enforce Server certificate is not trusted by the host running the tool, prefer making that certificate trusted there over disabling verification.

output-dir
    (Optional) The directory where the tool creates the authentication package ZIP. By default, the tool creates the package in the current directory.
Step 2: Install the JRE
Complete the following procedure to install the node software on a server computer. You specify the node type during the
installation process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
See Detection Servers for details on nodes.
The installation process automatically generates log information that is saved to a file MSI*.log (* is replaced with random characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log
You can complete the installation silently from the command line or from a graphical user interface.
Install Nodes Silently
Enter values with information specific to your installation for the following parameters:
Property  Description

INSTALLATION_DIRECTORY
    Specifies where the node is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.

DATA_DIRECTORY
    Defines where Symantec Data Loss Prevention stores files that are updated while the server is running (for example, logs and licenses). The default location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\.
    Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.

BIND_PORT
    Defines the port on which the data node accepts connections from the Enforce Server. If you cannot use the default port (8100), you can enter any unused port above 1024 (up to 65535).

DISCOVER_CLUSTER_ROLE_OPTION
    Defines the type of server that you are installing:
    • DN for data node
    • WN for worker node

DISCOVER_CLUSTER_IP
    Defines the data node IP address. If you are installing the data node, enter the internal IP address of the server where you plan to install the data node.

DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE
    Used with the cluster IP to discover data nodes in a cluster. This parameter is required for the data node installation. The default value is 47500..47520.

DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE
    Defines the range of ports used for communication between worker and data nodes in a cluster. This parameter is required for the data node and worker node installation. The default value is 10800..10820.

DISCOVER_CLUSTER_AUTH_PACKAGE
    Defines the authentication package location. Target the file based on the node type that you are installing:
    • Worker node: dlp_discover_cluster_workernode_auth.zip
    • Data node: dlp_discover_cluster_datanode_auth.zip

The example commands that follow also set JRE_DIRECTORY, FIPS_OPTION, SERVICE_USER_USERNAME, and SERVICE_USER_PASSWORD, which are used in the same way as for a stand-alone detection server (see Installing silently).
The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=DN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_datanode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE=<StartPort>..<EndPort>
• Worker node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=WN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_workernode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
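The following Python script is an added example, not part of this guide or of the Symantec installer. It checks a set of msiexec properties against the constraints the tables above state (7-bit ASCII values only, a data directory that is not a drive root, ports above 1024, START..END port ranges, an authentication package whose file name matches the node role, and the port ranges each role requires) and assembles the command line before running it, so a mistyped property fails before msiexec does. It serves both the stand-alone detection server example under Installing silently and the node examples above. The sample property set and the 10.0.0.5 address are constructed; the "Enabled" value for FIPS_OPTION is assumed by analogy with the Disabled value the page shows; exit code 3010 is standard Windows Installer behaviour (success, reboot required), not something this guide states.

```python
"""Validate and assemble a silent DetectionServer.msi command line.

Added example, not Symantec code.  The property names and the constraints come from
this guide's tables; the sample values (including 10.0.0.5) are constructed.
"""
import re
import subprocess

AUTH_PACKAGE_BY_ROLE = {
    "DN": "dlp_discover_cluster_datanode_auth.zip",
    "WN": "dlp_discover_cluster_workernode_auth.zip",
}
ENUM_PROPERTIES = {
    "SERVICE_USER_OPTION": {"NewUser", "ExistingUser"},
    "DISCOVER_CLUSTER_ROLE_OPTION": set(AUTH_PACKAGE_BY_ROLE),
    "FIPS_OPTION": {"Disabled", "Enabled"},   # "Enabled" is assumed; the guide shows Disabled
}
PORT_RANGE_RE = re.compile(r"(\d{1,5})\.\.(\d{1,5})")   # e.g. 47500..47520
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\?")               # e.g. c:\ or e:\


def port_is_valid(port):
    """Installer rule from the tables: above 1024 and at most 65535 (8100 is the default)."""
    return 1024 < port <= 65535


def parse_port_range(spec):
    """Parse START..END into (start, end); None if malformed, reversed, or out of range."""
    match = PORT_RANGE_RE.fullmatch(spec)
    if match is None:
        return None
    start, end = int(match.group(1)), int(match.group(2))
    if not (port_is_valid(start) and port_is_valid(end) and start <= end):
        return None
    return start, end


def first_parameter_error(props):
    """Return a description of the first problem found, or None if every check passes."""
    for key, value in props.items():
        if not value.isascii():
            return f"{key}: only 7-bit ASCII characters are supported by the installer"
        if key in ENUM_PROPERTIES and value not in ENUM_PROPERTIES[key]:
            return f"{key}: expected one of {sorted(ENUM_PROPERTIES[key])}"
    if DRIVE_ROOT_RE.fullmatch(props.get("DATA_DIRECTORY", "").strip()):
        return "DATA_DIRECTORY: a drive root cannot be uninstalled cleanly; use a folder"
    port = props.get("BIND_PORT")
    if port is not None and not (port.isdigit() and port_is_valid(int(port))):
        return "BIND_PORT: use a port above 1024 and at most 65535"
    for key in ("DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE",
                "DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE"):
        if key in props and parse_port_range(props[key]) is None:
            return f"{key}: expected START..END with both ports above 1024"
    role = props.get("DISCOVER_CLUSTER_ROLE_OPTION")
    if role:
        if "DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE" not in props:
            return "DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE is required for cluster nodes"
        if role == "DN" and "DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE" not in props:
            return "DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE is required for a data node"
        package = props.get("DISCOVER_CLUSTER_AUTH_PACKAGE", "").replace("/", "\\")
        if package.rsplit("\\", 1)[-1].lower() != AUTH_PACKAGE_BY_ROLE[role]:
            return f"DISCOVER_CLUSTER_AUTH_PACKAGE: expected {AUTH_PACKAGE_BY_ROLE[role]} for role {role}"
    return None


def quote(value):
    """msiexec needs PROPERTY="value" when the value contains spaces."""
    return f'"{value}"' if " " in value else value


def build_msiexec_command(msi_path, log_path, props):
    """Assemble the command line; refuse property sets that fail the checks."""
    error = first_parameter_error(props)
    if error:
        raise ValueError(error)
    parts = ["msiexec", "/i", quote(msi_path), "/qn", "/norestart", "/L*v", quote(log_path)]
    parts += [f"{key}={quote(value)}" for key, value in props.items()]
    return " ".join(parts)


def run_silent_install(msi_path, log_path, props):
    """Run msiexec on the Windows host; 3010 is Windows Installer's 'success, reboot required'."""
    command = build_msiexec_command(msi_path, log_path, props)
    result = subprocess.run(command, check=False)   # a str is handed to CreateProcess unchanged
    if result.returncode not in (0, 3010):
        raise RuntimeError(f"msiexec exited with {result.returncode}; see {log_path}")
    return result.returncode


# Constructed data-node property set, modelled on the example command in the guide.
EXAMPLE_DATA_NODE = {
    "INSTALLATION_DIRECTORY": r"C:\Program Files\Symantec\DataLossPrevention",
    "DATA_DIRECTORY": r"C:\ProgramData\Symantec\DataLossPrevention\DetectionServer",
    "JRE_DIRECTORY": r"C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre",
    "FIPS_OPTION": "Disabled",
    "SERVICE_USER_OPTION": "NewUser",
    "SERVICE_USER_USERNAME": "SymantecDLP",
    "SERVICE_USER_PASSWORD": "<password>",
    "BIND_HOST": "10.0.0.5",
    "BIND_PORT": "8100",
    "DISCOVER_CLUSTER_ROLE_OPTION": "DN",
    "DISCOVER_CLUSTER_IP": "10.0.0.5",
    "DISCOVER_CLUSTER_AUTH_PACKAGE": r"C:\temp\dlp_discover_cluster_datanode_auth.zip",
    "DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE": "47500..47520",
    "DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE": "10800..10820",
}
```

Call build_msiexec_command("DetectionServer.msi", r"C:\temp\datanode_install.log", EXAMPLE_DATA_NODE) on any machine to review the command, and run_silent_install with the same arguments on the Windows host that will become the node. SERVICE_USER_PASSWORD still ends up on the msiexec command line, where it is visible in process listings while the installer runs and may appear in the verbose log, so keep the script and the log out of world-readable locations and remove them when the installation is verified.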
Install Nodes Using a Graphical User Interface
1. Ensure that installation preparations are complete.
Preparing for a Detection Server Installation
2. Log on as Administrator to the computer on which you plan to install the node.
3. Copy the detection server installer (DetectionServer.msi) from the Enforce Server to a local directory on the
node.
DetectionServer.msi is included in your software download (DLPDownloadHome) directory.
4. Click Start > Run > Browse to navigate to the folder where you copied the DetectionServer.msi file.
5. Double-click DetectionServer.msi to start the installation wizard.
The Welcome panel of the Installation Wizard appears.
NOTE
The installation process automatically generates log information that is saved to a file MSI*.log (* is replaced with random characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log
6. Click Next.
The End-User License Agreement panel displays.
7. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
8. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers that are created or specified during the installation
process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
9. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.
10. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
11. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
12. In the Service User panel, create the system account user name and password and confirm the password.
This account is used to manage Symantec Data Loss Prevention services. The default user name is “SymantecDLP.”
New service user accounts are local accounts.
The password that you enter for the System Account must conform to the password policy of the server. For example,
the server may require all passwords to include special characters.
Click Next.
13. In the Server Bindings panel, enter the following settings:
• Host: Enter the host name or IP address of the data node.
• Port: Accept the default port number (8100) on which the data node should accept connections from the Enforce Server. If you cannot use the default port, you can change it to any unused port above 1024 (up to 65535).
Click Next.
14. In the Server Role panel, select the node type you plan to install.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes
communicate once they are installed.
15. In the Network Discover Cluster Settings panel, enter the following settings:
• Cluster Discovery Port Range:
Enter the starting and ending ports to use for discovering data nodes in a cluster. This parameter is required for the
data node installation. The default values of the start port and end port are 47500 and 47520, respectively.
• Client Connection Port Range:
Enter the starting and ending ports used for communication between the worker and data nodes in a cluster. This
parameter is required for the data node and worker node installation. The default values of the start port and end
port are 10800 and 10820 respectively.
Click Next.
16. In the Network Discover Cluster Authentication Package panel, select the authentication package for the node type
you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip
Click Next.
17. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
18. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the node
installation process.
19. Verify that the node is properly installed.
Verifying a Detection Server or Node Installation
20. Create a backup of your system after completing the installation.
Backing up your system
Installing the Java Runtime Environment on a Detection Server on Linux
You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on as root to the computer on which you intend to install the detection server.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_8u322-b06.tar.gz from your DLPDownloadHome/DLP/16.0.1/New_Installs/Release
directory to the computer where you plan to install the detection server.
3. Extract the archive (for example, to /opt/AdoptOpenJRE).
Installing a detection server on Linux
Follow this procedure to install the detection server software on a server computer. You specify the type of detection
server during the server registration process that follows this installation process.
NOTE
The following instructions assume that the DetectionServer.zip file has been copied into the /opt/temp/
directory on the server computer.
1. Log on as root to the computer on which you intend to install the detection server.
2. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
3. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
4. Unzip the file contents (for example, unzip to /opt/temp).
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm
You can also specify a file to confirm by running the following command:
rpm -qpR <rpm-file>
7. Start the Symantec Data Loss Prevention configuration process.
Configuring a Detection Server
Command Description
The following is an example of what the completed command might look like:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/opt/AdoptOpenJRE/jdk8u322-b06-jre
-serviceUserOption=NewUser
-serviceUserUsername=SymantecDLP
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
NOTE
The command you use differs based on your implementation requirements. Using the following command as-is
may cause the installation to fail.
1. Navigate to the installation directory. Go to the default directory at /opt/Symantec/DataLossPrevention/
DetectionServer/16.0.10000/Protect/install or to the path you used if you selected a non-default
installation.
2. Run the Detection Server Configuration Utility. Use the following command to launch the utility:
./DetectionServerConfigurationUtility
Network port: Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of
1024–65535.
Network interface: Enter the detection server network interface (bind address) to use to communicate with the Enforce
Server. If there is only one network interface, leave this field blank.
Step 1: Secure the Communications between Nodes
Create an authentication package using the DiscoverClusterKeyTool before installing worker and data nodes. The
authentication package enables encrypted communication between nodes and the Enforce Server.
1. Locate the DiscoverClusterKeyTool at /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/bin/DiscoverClusterKeyTool
2. Prepare to run the tool.
Enter values that include information specific to your installation. See the following table for a list of parameters and
descriptions.
Command Description
generate-package-type Defines the type of node for which the authentication is used,
including the following:
• WN for worker nodes.
• DN for a data node.
• All for both worker and data nodes.
enforce-url (Optional) Enter the Enforce Server host name or IP.
If you do not enter a value, the tool assigns the URL https://
<localhost>/.
enforce-username Enter an Enforce Server username with administrator rights.
enforce-password Enter the password for the user specified in enforce-username.
keystore-password (Optional) Enter a password for the keystore.
If you do not specify a password, the tool assigns a randomly
generated password.
truststore-password (Optional) Enter a password for the truststore.
If you do not specify a password, the tool assigns a randomly
generated truststore password.
disable-ssl-verification (Optional) Indicate whether to disable SSL verification while
connecting to the Enforce Server.
You can enter one of the following values:
• true disables SSL verification at the client side
• false (default) keeps SSL verification enabled at the client side
With verification disabled, the tool accepts whatever certificate the Enforce Server
presents. Use true only when you must (for example, while the Enforce Server still uses
the built-in certificate) and only over a network path you trust; otherwise keep false.
output-dir (Optional) Define the directory where the tool creates the
authentication package zip.
By default, the tool creates the package at the current directory.
-truststore-password=<password>
-disable-ssl-verification=true
-output-dir=/opt/Symantec/DataLossPrevention/DataLossPreventionDetectionServer/16.0.10000/Protect/keystore/discovercluster
WN: dlp_discover_cluster_workernode_auth.zip. Use during the worker node installation.
DN: dlp_discover_cluster_datanode_auth.zip. Use during the data node installation.
All: dlp_discover_cluster_auth.zip. The file contains dlp_discover_cluster_workernode_auth.zip and
dlp_discover_cluster_datanode_auth.zip. Extract the individual ZIP files for access during worker node and data node
installation.
Complete the following procedure to install the node software on a server computer. You specify the node type during the
configuration process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
1. Complete the preinstallation steps.
See Preparing for a Detection Server Installation.
2. Log on as root to the computer on which you intend to install the detection server software.
3. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
4. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
5. Unzip the file contents (for example, unzip to /opt/temp).
6. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm
You can also specify a file to confirm by running the following command:
rpm -qpR <rpm-file>
If the command indicates that dependencies are missing, you can install them from your YUM repositories. Use the
following command, replacing <package> with the name of each missing package:
yum install <package>
After you install a detection server, you configure it by running the Detection Server Configuration Utility.
You can complete the installation silently or interactively from the command line. The following table lists the installation
parameters that you use during the installation.
Command Description
discoverClusterRoleOption Defines the type of server that you are installing, which includes
the following:
• DN for data node
• WN for worker node
If a worker node is installed, the CAP_NET_BIND_SERVICE capability
is set on the Java processes during the installation. This capability
is removed if the worker node is uninstalled.
discoverClusterIP Defines the data node IP.
If you are installing the data node, enter the internal IP of the
server where you plan to install the data node.
discoverClusterDiscoveryPortRange Used with the cluster IP to discover data nodes in a cluster.
This parameter is required for the data node installation.
The default value is 47500..47520.
discoverClusterClientConnectionPortRange Defines the range of ports used for communication between
worker and data nodes in a cluster.
This parameter is required for the data node and worker node
installation.
The default value is 10800..10820.
discoverClusterAuthPackage Defines the authentication package location.
Target the file based on the node type that you are installing:
• Worker node:
dlp_discover_cluster_workernode_auth.zip
• Data node:
dlp_discover_cluster_datanode_auth.zip
The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/
-serviceUserOption=SymantecDLP
-serviceUserUsername=protect
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=DN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/opt/dlp_discover_cluster_datanode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
-discoverClusterDiscoveryPortRange=<StartPort>..<EndPort>
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=WN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/home/bishnu/Desktop/dlp_discover_cluster_workernode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
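The two silent-install commands above are templates that the manual warns may fail if run as-is. The following Python script is an added example for this page, not part of Symantec Data Loss Prevention and not a wrapper shipped with it; it checks a parameter set against the rules stated in the tables above (bind port within 1024 to 65535, port ranges written as start..end, the discovery range required for data nodes, the authentication package matching the node role) and renders the command line. The hostnames, IP addresses and paths in it are constructed placeholders, and the collision checks between the two port ranges and the bind port are an added sanity check rather than a rule from the manual.

```python
"""Pre-flight check for DetectionServerConfigurationUtility cluster parameters.

Added example for this page; it is not part of Symantec Data Loss Prevention
and does not call the utility. It applies the constraints the manual states
(bind port within 1024-65535, port ranges written as start..end, the auth
package name must match the node role, the discovery range is required for
data nodes) and renders the silent command line. Parameter values below are
constructed placeholders.
"""
import re
import shlex

# Authentication package each role must be given (from the manual's table).
ROLE_PACKAGE = {
    "WN": "dlp_discover_cluster_workernode_auth.zip",
    "DN": "dlp_discover_cluster_datanode_auth.zip",
}
RANGE_RE = re.compile(r"^(\d+)\.\.(\d+)$")   # the utility's start..end syntax


def parse_port_range(text):
    """Parse 'start..end' into (start, end); raise ValueError when malformed or out of range."""
    match = RANGE_RE.match(text.strip())
    if not match:
        raise ValueError(f"port range must look like 47500..47520, got {text!r}")
    start, end = int(match.group(1)), int(match.group(2))
    if not 1024 <= start <= end <= 65535:
        raise ValueError(f"port range {text} must satisfy 1024 <= start <= end <= 65535")
    return start, end


def _overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_cluster_params(params):
    """Validate a dict of utility options; return {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    role = params.get("discoverClusterRoleOption")
    if role not in ROLE_PACKAGE:
        errors.append("discoverClusterRoleOption must be DN (data node) or WN (worker node)")

    bind_port = None
    try:
        bind_port = int(params.get("bindPort", "8100"))
        if not 1024 <= bind_port <= 65535:
            errors.append(f"bindPort {bind_port} is outside 1024-65535")
    except ValueError:
        errors.append(f"bindPort {params.get('bindPort')!r} is not a number")

    ranges = {}
    for key in ("discoverClusterClientConnectionPortRange", "discoverClusterDiscoveryPortRange"):
        value = params.get(key)
        if value is None:
            # The discovery range is required for the data node only; the
            # client connection range is required for both node types.
            if not (key == "discoverClusterDiscoveryPortRange" and role == "WN"):
                errors.append(f"{key} is required for a {role or 'cluster'} node")
            continue
        try:
            ranges[key] = parse_port_range(value)
        except ValueError as exc:
            errors.append(str(exc))
    # Added sanity check (not spelled out in the manual): the two ranges and the
    # bind port all open listeners on the same host, so they must not collide.
    if len(ranges) == 2 and _overlaps(*ranges.values()):
        errors.append("discovery and client connection port ranges overlap")
    if bind_port is not None and any(lo <= bind_port <= hi for lo, hi in ranges.values()):
        errors.append(f"bindPort {bind_port} falls inside a cluster port range")

    package = params.get("discoverClusterAuthPackage", "")
    if role in ROLE_PACKAGE and not package.endswith(ROLE_PACKAGE[role]):
        errors.append(f"a {role} node must be given {ROLE_PACKAGE[role]}, got {package or 'nothing'}")

    node_ip = params.get("discoverClusterIP", "")
    if node_ip in ("", "0.0.0.0"):
        warnings.append("discoverClusterIP is empty or 0.0.0.0; the manual says to enter "
                        "the data node's internal IP")
    return {"errors": errors, "warnings": warnings}


def build_silent_command(params, utility="./DetectionServerConfigurationUtility"):
    """Render the silent command line; raise ValueError if validation finds errors."""
    result = check_cluster_params(params)
    if result["errors"]:
        raise ValueError("; ".join(result["errors"]))
    parts = [utility, "-silent"] + [f"-{key}={value}" for key, value in params.items()]
    return " ".join(shlex.quote(part) for part in parts)


# Constructed data-node parameter set (IP addresses and paths are placeholders).
DATA_NODE_PARAMS = {
    "jreDirectory": "/opt/AdoptOpenJRE/jdk8u322-b06-jre",
    "serviceUserOption": "NewUser",
    "serviceUserUsername": "SymantecDLP",
    "bindHost": "10.0.0.5",
    "bindPort": "8100",
    "fipsOption": "Disabled",
    "detectionCommunicationDefaultCertificates": "Enabled",
    "discoverClusterRoleOption": "DN",
    "discoverClusterIP": "10.0.0.5",
    "discoverClusterAuthPackage": "/opt/dlp_discover_cluster_datanode_auth.zip",
    "discoverClusterClientConnectionPortRange": "10800..10820",
    "discoverClusterDiscoveryPortRange": "47500..47520",
}

# Constructed worker-node set with two mistakes: wrong package and a hyphenated range.
BAD_WORKER_PARAMS = {
    "bindPort": "8100",
    "discoverClusterRoleOption": "WN",
    "discoverClusterIP": "0.0.0.0",
    "discoverClusterAuthPackage": "/opt/dlp_discover_cluster_datanode_auth.zip",
    "discoverClusterClientConnectionPortRange": "10800-10820",
}

if __name__ == "__main__":
    print(build_silent_command(DATA_NODE_PARAMS))
    for line in check_cluster_params(BAD_WORKER_PARAMS)["errors"]:
        print("error:", line)
```

Run it on the data node before you launch the utility; the rendered command is what you paste, and any error it reports corresponds to a parameter the tables above say the installer will reject or misuse.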
Network port: Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of
1024–65535.
Network interface: Enter the detection server network interface (bind address) to use to communicate with the Enforce
Server. If there is only one network interface, leave this field blank.
Node type: Define the type of server that you are installing, which includes the following:
• DN for data node
• WN for worker node
Data node IP: If you are installing the data node, enter the IP of the server where you plan to install the data node.
Network Discover cluster discovery port range: Used with the cluster IP to discover data nodes in a cluster. This
parameter is required for the data node installation. The default value is 47500..47520.
Network Discover cluster client connection port range: Defines the range of ports used for communication between
worker and data nodes in a cluster. This parameter is required for the data node and worker node installation. The
default value is 10800..10820.
Cluster authentication package: Define the authentication package location. Target the file based on the node type
that you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip
5. Create a backup of your system after completing the installation.
Backing up your system
Selection Server to Register
option. Network Protect provides additional protection features
to Network Discover.
Network Prevent for Email Network Prevent for Email Server
Network Prevent for Web Network Prevent for Web Server
Endpoint Prevent Endpoint Prevent and Endpoint Discover
Single Tier Monitor Single-Tier Servers
Network Discover Cluster Network Discover cluster
Detection Servers
The Configure Server screen appears.
5. Enter the General information. This information defines how the server communicates with the Enforce Server.
Field Description
Name: Enter a unique name for the detection server.
Host: Enter the detection server's host name or IP address. For a single-tier installation, click the Same as Enforce
check box to autofill the host information. For a Single Tier Monitor, the local host is pre-selected.
Port: Enter the port number the detection server uses to communicate with the Enforce Server. If you chose the default
port when you installed the detection server, then enter 8100. However, if you changed the default port, then enter the
same port number here (it can be any port higher than 1024).
The additional configuration options displayed on the Configure Server page vary according to the type of server you
selected.
6. Specify the remaining configuration options as appropriate.
See Server configuration—basic for details on how to configure each type of server.
7. Click Save.
The Server Detail screen for that server appears.
8. If necessary, click Server Settings or other configuration tabs to specify additional configuration parameters.
9. If necessary, restart the server by clicking Recycle on the Server Detail screen. Or you can start the Symantec DLP
services manually on the server itself.
Symantec Data Loss Prevention Services
10. To verify that the server was registered, return to the System Overview page. Verify that the detection server appears
in the server list, and that the server status is Running.
11. To verify the type of certificates that the server uses, select System > Servers > Alerts. Examine the list of alerts to
determine the type certificates that Symantec Data Loss Prevention servers use:
• If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in
certificate.
• If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user
generated certificate.
Configuring certificates for secure server communications
Learn about configuring certificates.
About the sslkeytool utility and server certificates
About securing communications between the Enforce Server and the database
About securing communications between the Enforce Server and Amazon RDS for Oracle
Related Links
About sslkeytool Command Line Options on page 259
Using sslkeytool to generate new Enforce Server and detection server certificates on page 261
Using sslkeytool to add new detection server certificates on page 262
About server security and SSL/TLS certificates on page 335
Table 119: sslKeyTool Command Forms and Options
sslKeyTool -genkey [-dir=<directory> -alias=<aliasFile>]
You use this command form the first time you generate unique certificates for your Symantec Data Loss Prevention
installation. This command generates two unique certificates (keystore files) by default: one for the Enforce Server and
one for other detection servers. The optional -dir argument specifies the directory where the keystore files are placed.
The optional -alias argument generates additional keystore files for each alias specified in the aliasFile. You can use the
alias file to generate unique certificates for each detection server in your system (rather than using the same certificate
on each detection server).
sslKeyTool -list=<file>
This command lists the content of the specified keystore file.
sslKeyTool -alias=<aliasFile> -enforce=<enforceKeystoreFile> [-dir=<directory>]
You use this command form to add new detection server certificates to an existing Symantec Data Loss Prevention
installation. This command generates multiple certificate files for detection servers using the aliases you define in
aliasFile. You must specify an existing Enforce Server keystore file to use when generating the new detection server
keystore files. The optional -dir argument specifies the directory where the keystore files are placed.
If you do not specify the -dir option, the Enforce Server keystore file must be in the current directory, and the monitor
certificates will appear in the current directory. If you do specify the -dir argument, you must also place the Enforce
Server keystore file in the specified directory.
The following table provides examples that demonstrate the usage of the sslkeytool command forms and options.
Example Description
Related Links
About the sslkeytool utility and server certificates on page 259
Using sslkeytool to generate new Enforce Server and detection server certificates on page 261
Using sslkeytool to add new detection server certificates on page 262
About server security and SSL/TLS certificates on page 335
Using sslkeytool to generate new Enforce Server and detection server certificates
After installing Symantec Data Loss Prevention, use the -genkey argument with sslkeytool to generate new certificates for
the Enforce Server and detection servers. Symantec recommends that you replace the default certificate used to secure
communication between servers with unique, self-signed certificates. The -genkey argument automatically generates two
certificate files. You store one certificate on the Enforce Server, and the second certificate on each detection server. The
optional -alias argument lets you generate a unique certificate file for each detection server in your system. To use
-alias you must first create an alias file that lists the name of each alias to create.
NOTE
The steps that follow are for generating unique certificates for the Enforce Server and detection servers at the
same time. If you need to generate one or more detection server certificates after the Enforce Server certificate
is generated, the procedure is different. Using sslkeytool to add new detection server certificates
1. Log on to the Enforce Server computer using the "SymantecDLP" user account you created during Symantec Data
Loss Prevention installation.
2. From a command window, go to the directory where the sslkeytool utility is stored:
On Windows this directory is c:\Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\bin.
On Linux this directory is /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/
bin.
3. If you want to create a dedicated certificate file for each detection server, first create a text file to list the alias names
you want to create. Place each alias on a separate line. For example:
net_monitor01
protect01
endpoint01
smtp_prevent01
web_prevent01
NOTE
The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add
these aliases to your custom alias file.
4. Run the sslkeytool utility with the -genkey argument and optional -dir argument to specify the output directory. If you
created a custom alias file, also specify the optional -alias argument, as in the following example:
• Windows:
sslkeytool -genkey -alias=.\aliases.txt -dir=.\generated_keys
• Linux:
sslkeytool -genkey -alias=./aliases.txt -dir=./generated_keys
This generates new certificates (keystore files) in the specified directory. Two files are automatically generated with the
-genkey argument:
• enforce.timestamp.sslKeyStore
• monitor.timestamp.sslKeyStore
The sslkeytool also generates individual files for any aliases that are defined in the alias file. For example:
• net_monitor01.timestamp.sslKeyStore
• protect01.timestamp.sslKeyStore
• endpoint01.timestamp.sslKeyStore
• smtp_prevent01.timestamp.sslKeyStore
• web_prevent01.timestamp.sslKeyStore
5. Copy the certificate file whose name begins with enforce to the following directory on the Enforce Server, based on
your platform:
• Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\keystore
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
6. If you want to use the same certificate file with all detection servers, copy the certificate file whose name begins with
monitor to the keystore directory of each detection server in your system.
When you install a Symantec Data Loss Prevention server, the installation program creates a default keystore in the
keystore directory. When you copy a generated certificate file into this directory, the generated file overrides the default
certificate. If you later remove the certificate file from the keystore directory, Symantec Data Loss Prevention reverts to
the default keystore file embedded within the application. This behavior ensures that data traffic is always protected. Note,
however, that you cannot use the built-in certificate with certain servers and a generated certificate with other servers. All
servers in the Symantec Data Loss Prevention system must use either the built-in certificate or a custom certificate.
NOTE
If more than one keystore file is placed in the keystore directory, the server does not start.
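To confirm a keystore directory before you restart a server, here is an added Python example that is not part of the product or of this manual. It applies the rules just stated: exactly one generated .sslKeyStore file may be present, the file whose name begins with enforce goes on the Enforce Server and the monitor or alias file on each detection server. As an additional hardening check, in the spirit of the later advice to secure copies of the generated keys, it also warns when the file is group- or world-readable. The directories and file names built by demo() are constructed fixtures; the real keystore directories are the ones listed in steps 5 and 6.

```python
"""Check a Symantec DLP keystore directory before starting the service.

Added example for this page; it is not part of the product and only reads the
directory. It applies two rules from the manual (exactly one generated
*.sslKeyStore file may be present, and the file beginning with "enforce"
belongs on the Enforce Server while detection servers get the monitor or
alias file) plus one hardening check implied by the advice to secure copies
of the generated keys: the file must not be group- or world-readable. The
directories built by demo() are constructed fixtures.
"""
import os
import re
import stat
import tempfile

# enforce.<timestamp>.sslKeyStore, monitor.<timestamp>.sslKeyStore or <alias>.<timestamp>.sslKeyStore;
# the manual shows the suffix in more than one capitalisation, so match it case-insensitively.
KEYSTORE_RE = re.compile(r"^(?P<alias>[A-Za-z0-9_-]+)\.(?P<stamp>.+)\.sslkeystore$", re.IGNORECASE)


def check_keystore_dir(path, role):
    """role is 'enforce' or 'detection'. Returns {'errors', 'warnings', 'keystore'}."""
    if role not in ("enforce", "detection"):
        raise ValueError("role must be 'enforce' or 'detection'")
    errors, warnings = [], []
    names = sorted(os.listdir(path))
    stores = [n for n in names if KEYSTORE_RE.match(n)]
    if not stores:
        errors.append("no generated *.sslKeyStore file: the server would use the built-in certificate")
    elif len(stores) > 1:
        errors.append("more than one keystore file present, the server does not start: " + ", ".join(stores))
    else:
        name = stores[0]
        alias = KEYSTORE_RE.match(name).group("alias").lower()
        if role == "enforce" and alias != "enforce":
            errors.append(f"{name}: the Enforce Server needs the file whose name begins with 'enforce'")
        if role == "detection" and alias == "enforce":
            errors.append(f"{name}: the enforce keystore belongs on the Enforce Server, not a detection server")
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            warnings.append(f"{name}: mode {mode:o} is group- or world-readable; restrict it to the service user")
    strays = [n for n in names if n not in stores]
    if strays:
        warnings.append("other files in the keystore directory: " + ", ".join(strays))
    return {"errors": errors, "warnings": warnings, "keystore": stores[0] if len(stores) == 1 else None}


def _make_file(path, mode):
    """Write a constructed placeholder file (not a real keystore) with the given mode."""
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder, not a real keystore\n")
    os.chmod(path, mode)


def demo():
    """Build three constructed keystore directories and return the check results for each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "enforce_ok")
        os.mkdir(good)
        _make_file(os.path.join(good, "enforce.Fri_Jun_10_11_24_20_PDT_2016.sslKeyStore"), 0o600)
        results["good"] = check_keystore_dir(good, "enforce")

        dup = os.path.join(tmp, "detection_two_files")
        os.mkdir(dup)
        _make_file(os.path.join(dup, "monitor.Fri_Jun_10_11_24_20_PDT_2016.sslKeyStore"), 0o600)
        _make_file(os.path.join(dup, "protect01.Fri_Jun_10_11_24_20_PDT_2016.sslKeyStore"), 0o600)
        results["dup"] = check_keystore_dir(dup, "detection")

        wrong = os.path.join(tmp, "detection_wrong_file")
        os.mkdir(wrong)
        _make_file(os.path.join(wrong, "enforce.Fri_Jun_10_11_24_20_PDT_2016.sslKeyStore"), 0o644)
        results["wrong"] = check_keystore_dir(wrong, "detection")
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Point check_keystore_dir at the keystore directory for the platform (for example the /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore path from step 5) with the matching role; the "other files" warning is expected when the installer's default keystore is still present alongside the generated one.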
Related Links
Using sslkeytool to add new detection server certificates on page 262
About sslkeytool Command Line Options on page 259
About the sslkeytool utility and server certificates on page 259
About server security and SSL/TLS certificates on page 335
Using sslkeytool to add new detection server certificates provides instructions for generating one or more new detection
server certificates.
To generate new detection server certificates
1. Log on to the Enforce Server computer using the "SymantecDLP" user account that you created during Symantec
Data Loss Prevention installation.
2. From a command window, go to the bin directory where the sslkeytool utility is stored.
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect
\bin
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/bin
3. Create a directory in which you will store the new detection server certificate files. For example:
mkdir new_certificates
5. Create a text file that lists the new server alias names that you want to create. Place each alias on a separate line. For
example:
network02
smtp_prevent02
6. Run the sslkeytool utility with the -alias argument and -dir argument to specify the output directory. Also specify the
name of the Enforce Server certificate file that you copied into the certificate directory.
Example commands are listed below:
• Windows command:
sslkeytool -alias=.\aliases.txt
-enforce=enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore
-dir=.\new_certificates
• Linux command:
sslkeytool -alias=./aliases.txt
-enforce=enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore
-dir=./new_certificates
The command generates a new certificate file for each alias, and stores the new files in the specified directory. Each
certificate file also includes the Enforce Server certificate from the Enforce Server keystore that you specify.
7. Copy each new certificate file to the keystore directory on the appropriate detection server computer.
• Windows: c:\ProgramData\Symantec\DataLossPrevention\DetectionServer
\16.0.10000\keystore.
• Linux: /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/keystore.
NOTE
After creating a new certificate for a detection server (monitor.date.sslkeystore), the Enforce Server
certificate file (enforce.date.sslkeystore) is updated to include each new detection server certificate.
You need to copy and replace the updated Enforce Server certificate to the keystore directory and repeat the
process for each new detection server certificate you generate.
8. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
9. Restart the SymantecDLPDetectionServerService service on each detection server to use the new certificate file.
About securing communications between the Enforce Server and the database
You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the
database server in a three-tier environment. You create unique, self-signed certificates that you store on the Enforce
Server.
Table 121: Steps to secure communications between the Enforce Server and the database describes the process to
secure communications between the Enforce Server and the database.
Table 121: Steps to secure communications between the Enforce Server and the database
1. Generate the self-signed certificates using the orapki command-line utility that is provided with the Oracle database.
See About orapki command line options and Using orapki to generate the server certificate on the Oracle database.
2. Configure the JDBC driver on the Enforce Server to use the TLS connection and port. See Configuring communication
on the Enforce Server.
3. Configure the server certificate on the Enforce Server. See Configuring the Server Certificate on the Enforce Server.
4. Verify the database certificate usage on the Enforce Server. See Verifying the Enforce Server database certificate
usage.
About orapki command line options
You use the orapki command-line utility to create a wallet where certificates are stored. You then use the utility to generate
a unique pair of TLS self-signed certificates that are used to secure communication between the Enforce Server and the
Oracle database.
The orapki utility is located in the bin folder of the Oracle home where the Oracle database is installed:
• Windows: %ORACLE_HOME%\bin
• Linux: $ORACLE_HOME/bin
You run the orapki utility on the computer where the Oracle database is located.
The following table lists the command forms and options that you use when generating a unique pair of TLS self-signed
certificates.
Windows: orapki wallet create -wallet c:\oracle\wallet\server_wallet -auto_login -pwd password
Linux: orapki wallet create -wallet ./server_wallet -auto_login -pwd password
You use this command to create a wallet where certificates are stored. This command also creates the server_wallet
directory.
Windows: orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
Linux: orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
You use this command to add a self-signed certificate and a pair of private/public keys to the wallet.
Windows: orapki wallet display -wallet c:\oracle\wallet\server_wallet
Linux: orapki wallet display -wallet /opt/oracle/wallet/server_wallet
You use this command to view the contents of the wallet to confirm that the self-signed certificate was created
successfully.
Windows: orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
Linux: orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt
You use this command to export the self-signed certificate. In addition to exporting the certificate files, the command
creates the file cert.txt in a location based on your platform:
• Windows: c:\oracle\wallet\server_wallet
• Linux: /opt/oracle/wallet/server_wallet
Related Links
Using orapki to generate the server certificate on the Oracle database on page 265
b. View the services by going to Start > Control Panel > Administrative Tools > Computer Management,
expanding Services and Applications, and clicking Services.
• Linux:
a. Stop the Oracle database.
Stop the database by running the following command as a root user:
$ sh /etc/init.d/dbora stop
b. Log on as the Oracle User by running the following command:
su - oracle
2. Go to the oracle directory by running the following command (based on your platform):
• Windows: cd c:\oracle
• Linux: cd /opt/oracle
3. Create the wallet directory by running the following command:
mkdir wallet
cd wallet
4. Create a wallet on the Oracle server with auto login enabled by running the following command (based on your
platform):
• Windows: At the directory c:\oracle\wallet, run orapki wallet create -wallet .\server_wallet -
auto_login -pwd walletpassword
• Linux: At the directory /opt/oracle/wallet, run orapki wallet create -wallet ./server_wallet -
auto_login -pwd walletpassword
NOTE
Use a wallet password that adheres to the password policy. Passwords must have a minimum length of eight
characters and contain alphabetic characters combined with numbers or special characters.
On Oracle 12c systems, the Operation is successfully completed message displays when the command completes.
The following two files are created under the server_wallet directory (among similarly named .lck files):
• cwallet.sso
• ewallet.p12
5. Generate the self-signed certificate and add it to the wallet by running the following command (based on your
platform):
• Windows:
orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -
self_signed -validity 3650 -pwd walletpassword -sign_alg sha256
• Linux:
orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048
-self_signed -validity 3650 -pwd walletpassword -sign_alg sha256
Replace oracleserver with the name of the computer where Oracle is running.
6. View the wallet to confirm that the certificate was created successfully by running the following command (based on
your platform):
• Windows:
orapki wallet display -wallet c:\oracle\wallet\server_wallet
• Linux:
orapki wallet display -wallet /opt/oracle/wallet/server_wallet
When the certificate is created successfully, the command returns information in the following form:
Requested Certificates:
User Certificates:
Subject: CN=oracleserver
Trusted Certificates:
Subject: CN=oracleserver
7. Export the certificate by running the following command (based on your platform):
• Windows:
orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:
\oracle\wallet\server_wallet\cert.txt
• Linux:
orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /
opt/oracle/wallet/server_wallet/cert.txt
8. Confirm that cert.txt is created at the following location (based on your platform):
• Windows: c:\oracle\wallet\server_wallet
• Linux: /opt/oracle/wallet/server_wallet
6. Add the following section to follow the Listener section:
NOTE
Confirm that the directory points to the server_wallet location.
• Windows:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\wallet\server_wallet)))
• Linux:
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))
LISTENER_PROTECT =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))
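The listener.ora fragment above is easy to get subtly wrong: a TCP instead of TCPS address, or a WALLET_LOCATION directory that does not point at server_wallet, leaves the Enforce Server talking to the database in the clear or failing the handshake. The following Python script is an added example, not part of Oracle or of Symantec Data Loss Prevention. It parses the nested Oracle Net syntax shown above and checks that SSL_CLIENT_AUTHENTICATION is FALSE, that the wallet is a FILE wallet at the expected directory, and that every network address of LISTENER_PROTECT uses PROTOCOL = TCPS. The two configuration texts in the script are constructed samples with a placeholder host name.

```python
"""Parse Oracle Net listener.ora syntax and check the TLS (TCPS) listener setup.

Added example for this page; it is not part of Oracle or Symantec DLP. The
parser handles the nested NAME = (KEY = value)(KEY = value) form used by
listener.ora and sqlnet.ora; the check confirms what the manual's step sets:
SSL_CLIENT_AUTHENTICATION = FALSE, a FILE wallet pointing at server_wallet,
and a listener address using PROTOCOL = TCPS. The two configuration texts
below are constructed samples with a placeholder host name.
"""
import re

_TOKEN_RE = re.compile(r"\s*(\(|\)|=|[^()=\s]+)")


def _add(mapping, key, value):
    """Store key=value; a key that repeats (for example several ADDRESS entries) becomes a list."""
    if key in mapping:
        if not isinstance(mapping[key], list):
            mapping[key] = [mapping[key]]
        mapping[key].append(value)
    else:
        mapping[key] = value


class _Parser:
    def __init__(self, text):
        text = re.sub(r"#.*", "", text)          # strip Oracle Net '#' comments
        self.tokens = _TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        token = self.peek()
        if token is None or (expected is not None and token != expected):
            raise ValueError(f"expected {expected or 'a token'} at token {self.pos}, got {token!r}")
        self.pos += 1
        return token

    def pair(self):
        name = self.take()
        if name in ("(", ")", "="):
            raise ValueError(f"expected a parameter name, got {name!r}")
        self.take("=")
        return name, self.value()

    def value(self):
        if self.peek() != "(":
            return self.take()                   # a bare value such as FALSE or 2484
        merged = {}
        while self.peek() == "(":                # one or more parenthesised groups
            self.take("(")
            while self.peek() != ")":
                key, val = self.pair()
                _add(merged, key, val)
            self.take(")")
        return merged

    def document(self):
        out = {}
        while self.peek() is not None:
            name, val = self.pair()
            _add(out, name, val)
        return out


def parse_oracle_net(text):
    """Return the file as nested dicts: top-level names map to bare values or dicts of pairs."""
    return _Parser(text).document()


def _find_all(node, key):
    """Yield every value stored under key anywhere below node (dicts and lists)."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield from (v if isinstance(v, list) else [v])
            yield from _find_all(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from _find_all(item, key)


def check_tls_listener(text, wallet_dir, listener="LISTENER_PROTECT"):
    """Return a list of findings; an empty list means the file matches the documented TLS setup."""
    cfg = parse_oracle_net(text)
    findings = []
    auth = cfg.get("SSL_CLIENT_AUTHENTICATION")
    if auth is None:
        findings.append("SSL_CLIENT_AUTHENTICATION is not set")
    elif str(auth).upper() != "FALSE":
        findings.append(f"SSL_CLIENT_AUTHENTICATION = {auth}; the documented setup authenticates the server only")
    wallet = cfg.get("WALLET_LOCATION", {})
    methods = [m.upper() for m in _find_all(wallet, "METHOD") if isinstance(m, str)]
    dirs = [d for d in _find_all(wallet, "DIRECTORY") if isinstance(d, str)]
    if "FILE" not in methods:
        findings.append("WALLET_LOCATION does not use METHOD = FILE")
    if wallet_dir not in dirs:
        findings.append(f"WALLET_LOCATION DIRECTORY is {dirs or 'missing'}, expected {wallet_dir}")
    if listener not in cfg:
        findings.append(f"listener {listener} is not defined")
    else:
        addresses = list(_find_all({listener: cfg[listener]}, "ADDRESS"))
        if not addresses:
            findings.append(f"{listener} has no ADDRESS")
        for addr in addresses:
            proto = str(addr.get("PROTOCOL", "")).upper() if isinstance(addr, dict) else ""
            if proto not in ("TCPS", "IPC"):     # IPC is local-only; network addresses must be TCPS
                findings.append(f"{listener} address {addr} uses PROTOCOL = {proto or 'unset'}, not TCPS")
    return findings


# Constructed sample matching the manual's fragment (host name is a placeholder).
GOOD_LISTENER_ORA = """
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))
LISTENER_PROTECT =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = oracleserver.example.invalid)(PORT = 2484))
"""

# Constructed sample with three mistakes: no client-auth setting, wrong wallet, plain TCP.
BAD_LISTENER_ORA = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/old_wallet)))
LISTENER_PROTECT =
  (ADDRESS = (PROTOCOL = TCP)(HOST = oracleserver.example.invalid)(PORT = 1521))
"""

if __name__ == "__main__":
    print("good:", check_tls_listener(GOOD_LISTENER_ORA, "/opt/oracle/wallet/server_wallet"))
    print("bad:", check_tls_listener(BAD_LISTENER_ORA, "/opt/oracle/wallet/server_wallet"))
```

Feed check_tls_listener the contents of your own listener.ora and the wallet directory you created with orapki; repeated ADDRESS or DESCRIPTION entries are handled, so a listener that also keeps an IPC address passes, while any remaining TCP address is reported.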
13. Start the Oracle database by running the following command:
Linux: $ sh /etc/init.d/dbora start
14. Confirm that the Oracle listener is operating by running the following command:
lsnrctl status
The listener status displays in the command prompt. If the command prompt indicates that the listener is running but
no services are running on the database, run the following commands:
su - oracle (Only required for Linux)
export ORACLE_SERVICE_NAME=protect
sqlplus /nolog
SQL> exit
lsnrctl status
NOTE
If the server certificate on the Oracle database is signed by a public CA (instead of being self-signed), skip to
step 4.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Replace <version> with the OpenJRE version running on your system.
a) Copy the cert.txt file to the security folder:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change the directory by running the following command based on your platform:
• Windows: cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (for Windows) or
as a root user (for Linux).
keytool -import -alias oracleservercert -keystore cacerts -file cert.txt
Related Links
About securing communications between the Enforce Server and the database on page 264
About securing communications between the Enforce Server and Amazon RDS
for Oracle
You can use SSL/Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and
the Oracle database hosted with Amazon RDS in a three-tier environment.
These steps assume that you have already set up an AWS account that you can use to manage the Oracle database. See
Deploy Symantec Data Loss Prevention servers on Amazon Web Services.
The following table describes the process to secure communications between the Enforce Server and the database.
Table 123: Steps to secure communications between the Enforce Server and the Oracle database hosted with Amazon RDS
Step 1: Configure the AWS Oracle RDS SSL connector. See Configuring Oracle RDS Option Group with SSL.
Step 2: Configure the server certificate on the Enforce Server. See Configuring the Server Certificate on the Enforce Server.
Step 3: Configure the AWS Oracle RDS for Secure Sockets Layer (SSL) connection over JDBC. See Setting up an SSL connection over JDBC.
Step 4: Verify the AWS Oracle RDS certificate usage. See Verifying the Enforce Server-Oracle RDS database certificate usage.
CN=oracle-rds-dns-name")))
The certificate details provided above are valid for the rds-ca-2015-root and rds-ca-2019-root certificates, but you
must replace the port number with the number used for the SSL port in the option group.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Replace <version> with the OpenJRE version running on your system.
a) Copy the Oracle RDS certificate (rds-ca-2015-root.der or rds-ca-2019-root.der) file to the following
location (based on your platform):
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change the directory by running the following command (based on your platform):
• Windows: cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: cd opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (on Windows) or a
root user (on Linux):
keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
or
keytool -import -alias oracleservercert2019 -keystore cacerts -file rds-ca-2019-root.der
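The connect descriptor that both procedures above rely on (the TCPS ADDRESS entry for an on-premises listener, and the JDBC string ending in SSL_SERVER_CERT_DN for Amazon RDS) is easy to get subtly wrong, so here is an added example, written for this page rather than taken from the product, that parses a descriptor and reports any ADDRESS that still uses cleartext TCP or any TCPS connection whose server DN is not pinned to the host. The sample descriptors, host names and the JDBC property named in the comment are assumptions for the example.

```python
import re

# Constructed sample descriptors (not taken from the Help Center). The first mirrors the
# "(ADDRESS = (PROTOCOL = TCPS)(HOST = ...)(PORT = 2484))" entry the procedure adds, plus the
# SECURITY section with SSL_SERVER_CERT_DN that the Amazon RDS JDBC string ends with.
SECURE_DESCRIPTOR = (
    '(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = oracle.example.internal)(PORT = 2484))'
    '(CONNECT_DATA = (SERVICE_NAME = protect))'
    '(SECURITY = (SSL_SERVER_CERT_DN = "CN=oracle.example.internal")))'
)
CLEARTEXT_DESCRIPTOR = (
    '(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = oracle.example.internal)(PORT = 1521))'
    '(CONNECT_DATA = (SERVICE_NAME = protect)))'
)

_KEY = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*')


def parse_descriptor(text):
    """Parse an Oracle Net connect descriptor into nested (KEY, value) tuples.

    value is a string for a leaf such as (PORT = 2484) and a list of child tuples
    for a container such as (ADDRESS = (...)(...)). Quoted values keep their inner
    text, so a DN containing ',' or '=' survives intact.
    """
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        m = _KEY.match(text, pos)
        if not m:
            raise ValueError(f"expected KEY= at offset {pos}")
        key, pos = m.group(1).upper(), m.end()
        skip_ws()
        if text[pos] == '(':                      # container: one or more child nodes
            children = []
            while True:
                skip_ws()
                if text[pos] == ')':
                    break
                children.append(node())
            pos += 1
            return key, children
        if text[pos] == '"':                      # quoted leaf (used for the DN)
            end = text.index('"', pos + 1)
            value, pos = text[pos + 1:end], end + 1
            skip_ws()
        else:                                     # bare leaf, runs to the closing ')'
            end = text.index(')', pos)
            value, pos = text[pos:end].strip(), end
        if text[pos] != ')':
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    root = node()
    skip_ws()
    if pos != len(text):
        raise ValueError(f'trailing data at offset {pos}')
    return root


def find_nodes(node, key):
    """Depth-first generator over every node whose key matches."""
    if node[0] == key:
        yield node
    if isinstance(node[1], list):
        for child in node[1]:
            yield from find_nodes(child, key)


def child_value(node, key):
    """Value of the direct child leaf named key, or None."""
    if not isinstance(node[1], list):
        return None
    return next((v for k, v in node[1] if k == key), None)


def check_descriptor(text):
    """Return a list of findings; an empty list means every ADDRESS uses TCPS
    and the server DN is pinned to a TCPS host."""
    root = parse_descriptor(text)
    findings, tcps_hosts = [], set()
    addresses = list(find_nodes(root, 'ADDRESS'))
    if not addresses:
        findings.append('no ADDRESS entry found')
    for addr in addresses:
        proto = (child_value(addr, 'PROTOCOL') or '').upper()
        host = child_value(addr, 'HOST') or '?'
        port = child_value(addr, 'PORT') or '?'
        if proto == 'TCPS':
            tcps_hosts.add(host.lower())
        else:
            findings.append(f'{host}:{port} uses PROTOCOL={proto or "?"}: '
                            'traffic between the Enforce Server and the database is not encrypted')
    dns = [v for _, v in find_nodes(root, 'SSL_SERVER_CERT_DN')]
    if tcps_hosts and not dns:
        # Without DN matching, any certificate chaining to a CA in cacerts is accepted, not only
        # the intended database host. (The Oracle JDBC driver additionally needs
        # oracle.net.ssl_server_dn_match=true before it enforces the DN.)
        findings.append('TCPS without SSL_SERVER_CERT_DN: the server certificate is not pinned to the host')
    for dn in dns:
        m = re.search(r'(?:^|,)\s*CN=([^,]+)', dn, re.IGNORECASE)
        cn = m.group(1).strip().lower() if m else None
        if cn not in tcps_hosts:
            findings.append(f'SSL_SERVER_CERT_DN CN={cn} does not match a TCPS HOST entry')
    return findings


if __name__ == '__main__':
    for label, desc in (('secure', SECURE_DESCRIPTOR), ('cleartext', CLEARTEXT_DESCRIPTOR)):
        print(label, check_descriptor(desc) or 'OK')
```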
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html
Installing the domain controller agent
Complete the following steps to install the domain controller agent:
1. Copy the symc_dcagent.msi Windows Installer file to your domain controller agent host server.
The symc_dcagent.msi file is located at one of the following locations (based on your platform):
• Windows: DLPDownloadHome\DLP\16.0.1\Domain_Controller_Agent_Installer\
• Linux: DLPDownloadHome/DLP/16.0.1/Domain_Controller_Agent_Installer/
2. Run the symc_dcagent.msi Windows Installer file as an Administrator.
The Vontu Domain Controller Agent Setup Wizard appears.
3. Read the end-user license agreement and accept the terms.
4. Click Next.
The Destination Folder panel appears.
5. Enter the destination folder for the domain controller agent installation. By default, the domain controller agent
installation folder is C:\Program Files\Symantec\DataLossPrevention\DC Agent.
6. Click Next.
The Domain Controller Configuration panel appears.
7. Enter the fully qualified domain name (FQDN) of your domain controller.
8. Click Next.
The DC Agent Service Configuration panel appears.
9. Enter the log on (DOMAIN\USERNAME) and password for the Active Directory user that the domain controller agent
uses to query the domain controller.
10. Click Next.
The Symantec DLP Enforce Server Configuration panel appears.
11. Enter the following information:
• The Enforce Server host name
• The Enforce Server port
• The log on name for the domain controller agent Enforce Server account
• The password for the domain controller agent Enforce Server account
• Optional: If you choose to use certificate authentication, select Use a certificate to authenticate?, then enter the
path to the Enforce Server certificate and the CA root certificate, both located on your Enforce Server.
12. Click Next.
The DC Agent Communication Configuration panel appears.
13. Enter the following information:
• Communication Interval: This value specifies how often the domain controller agent connects to the domain
controller to collect events, in seconds. The default communication interval is 1 hour (3600 seconds).
• Lookback Time: This value specifies the time frame for which the domain controller collects events from the domain
controller, in seconds. The default lookback time is 12 hours (43200 seconds).
14. Click Next.
The Ready to Install Vontu Domain Controller Agent panel appears.
15. Click Next.
The Installing Vontu Domain Controller Agent panel appears and displays a progress bar.
16. Click Finish to complete the installation of the domain controller agent.
timeouts are matched to the DC_HOSTNAME property list by order. Any Domain Controllers with unspecified login
timeouts will be assigned the default value of 90 minutes.
• EVENTS_BUFFER_SIZE: Specifies the number of events in the domain controller agent buffer. The default value
is 1024.
• ENFORCE_HOSTNAME: Specifies the name of the Enforce Server host.
• ENFORCE_PORT: Specifies the port number through which the domain controller agent connects to the Enforce
Server.
• SSL_CA_ROOT_CERTIFICATE: Specifies the file system path to the CA root certificate.
• SSL_HOST_CERTIFICATE: Specifies the file system path to the Enforce Server certificate.
• HTTP_CONNECT_TIMEOUT: Specifies the connection timeout value. The default timeout value is 300 seconds.
• HTTP_SESSION_TIMEOUT: Specifies the session timeout value. The default session timeout value is 0 (the
session never times out).
• COMMUNICATION_INTERVAL: Specifies how often the domain controller agent connects to the domain controller
to collect events, in seconds. The default communication interval is 1 hour (3600 seconds).
• HTTP_POST_MAX_EVENTS: Specifies the maximum number of events to collect and post in a single HTTP
request. The default value is 1024.
• LOG_CONFIGURATION_FILE=DCAgentLogging.properties: Place this log configuration file in the DCAgent
installation directory.
3. Save and close the DCAgentConfig.properties file.
4. Restart the DC Agent service to apply your configuration changes.
5. Log on to the domain controller agent host server as the Service Logon user.
6. In the Credential Manager (Control Panel > User Accounts > Credential Manager), edit the generic credential for
the Enforce Server.
7. Click Save.
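As an added check for the configuration file described above (example code written for this page, not part of the domain controller agent), the following Python reads DCAgentConfig.properties text, applies the documented defaults, and flags settings that would keep the agent from reaching the Enforce Server or that leave certificate authentication half-configured. The sample file contents, the port 8443, the certificate file names and the non-zero session timeout are constructed placeholders.

```python
# Documented defaults for the DCAgentConfig.properties keys described above.
DEFAULTS = {
    'EVENTS_BUFFER_SIZE': 1024,
    'HTTP_CONNECT_TIMEOUT': 300,
    'HTTP_SESSION_TIMEOUT': 0,       # 0 means the session never times out
    'COMMUNICATION_INTERVAL': 3600,
    'HTTP_POST_MAX_EVENTS': 1024,
}

# Constructed samples (not files shipped with the product). Port, certificate
# file names and the 1800-second session timeout are placeholders.
WEAK_CONFIG = """
# DCAgentConfig.properties (constructed example: CA root set, host certificate missing)
ENFORCE_HOSTNAME=enforce.example.internal
ENFORCE_PORT=8443
SSL_CA_ROOT_CERTIFICATE=ca-root.crt
EVENTS_BUFFER_SIZE=4096
COMMUNICATION_INTERVAL=900
LOG_CONFIGURATION_FILE=DCAgentLogging.properties
"""
HARDENED_CONFIG = WEAK_CONFIG + """
SSL_HOST_CERTIFICATE=enforce-server.crt
HTTP_SESSION_TIMEOUT=1800
"""


def parse_properties(text):
    """Minimal reader for Java-style .properties text: KEY=value per line,
    '#' or '!' comment lines and blank lines ignored, no escape handling."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#!':
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_dcagent_config(text):
    """Return (effective_settings, findings) for DCAgentConfig.properties text.

    effective_settings fills in the documented default for every absent numeric key;
    findings lists settings that stop the agent reaching the Enforce Server or that
    weaken the deployment. An empty findings list means nothing was flagged.
    """
    props = parse_properties(text)
    effective, findings = {}, []

    for key, default in DEFAULTS.items():
        raw = props.get(key)
        if raw is None:
            effective[key] = default
            continue
        try:
            effective[key] = int(raw)
        except ValueError:
            findings.append(f'{key}={raw!r} is not an integer; the default {default} is assumed')
            effective[key] = default
            continue
        if key != 'HTTP_SESSION_TIMEOUT' and effective[key] <= 0:
            findings.append(f'{key}={raw} must be a positive integer')

    # The agent cannot post events without the Enforce Server endpoint.
    for key in ('ENFORCE_HOSTNAME', 'ENFORCE_PORT'):
        if not props.get(key):
            findings.append(f'{key} is missing: the agent cannot connect to the Enforce Server')
    port = props.get('ENFORCE_PORT', '')
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f'ENFORCE_PORT={port!r} is not a valid TCP port')

    # Certificate authentication needs the CA root certificate and the Enforce Server
    # certificate together; the installer asks for both paths.
    ca, host_cert = props.get('SSL_CA_ROOT_CERTIFICATE'), props.get('SSL_HOST_CERTIFICATE')
    if bool(ca) != bool(host_cert):
        findings.append('certificate authentication needs both SSL_CA_ROOT_CERTIFICATE '
                        'and SSL_HOST_CERTIFICATE; only one of them is set')

    if effective['HTTP_SESSION_TIMEOUT'] == 0:
        findings.append('HTTP_SESSION_TIMEOUT=0: the session to the Enforce Server '
                        'never times out (documented default)')
    return effective, findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        settings, issues = check_dcagent_config(cfg)
        print(label, settings, issues or 'no findings')
```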
Problem: There are no entries in the Domain Controllers list.
Solution: User identification is disabled by default. Go to System > Incident Data > User Identification and set a
mapping schedule.
Problem: The domain controller agent service does not start.
Solution: Check the domain controller log at the System > Incident Data > User Identification page. If there are no
entries on the list, verify that the files were installed correctly and that the domain controller agent log-on user
account has permission to run the service. Start the service manually. If there are errors in the log, verify that the
log-on user for the Enforce Server has the correct credentials and switch to TRACE to collect the trace log.
Problem: The IPU tables in the database have no events.
Solution: Check the Enforce Server logs and verify that the log-on user for the Enforce Server has the correct
credentials. Verify Windows vault entries for the service log-on user. If you use certificate authentication, verify the
private key in your Enforce Server certificate store and the public key in the domain controller agent installation
directory.
Uninstalling the domain controller agent
You can uninstall the domain controller agent from Windows (Control Panel > Programs > Programs and Features >
Uninstall a program), or by running the symc_dcagent.msi Windows Installer file again and selecting Remove.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Next: Installing a detection server on Windows
After you complete the Single Tier installation, you can find the installation log file at c:\temp\.
You can complete the installation silently from the command line or from a graphical user interface.
Installing silently
Enter values with information specific to your installation for the following:
Command Description
INSTALLATION_DIRECTORY: Specifies where the Enforce Server is installed. The default location is
C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY: Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is
running (for example, logs and licenses). The default location is C:\ProgramData\Symantec\DataLossPrevention.
Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
Installing from a graphical user interface
1. Log on (or remote logon) as Administrator to the computer that is intended for the Symantec Data Loss Prevention
single-tier installation.
2. Install Npcap on the system before you install the single-tier system.
a) On the Internet, go to https://insecure.org
b) Locate the Npcap file npcap-1.10-oem.exe at the DLP_Home\Third_Party directory, where DLP_Home is the
name of the directory in which you unzipped the Symantec Data Loss Prevention software.
c) Double-click on the npcap-1.10-oem.exe and follow the on-screen installation instructions.
d) Install Npcap using WinPcap Compatible Mode.
3. Copy the Symantec Data Loss Prevention installer (SingleTierServer.msi) from DLPDownloadHome to a local
directory on the computer where you plan to install the single-tier system.
4. Click Start > Run > Browse to navigate to the folder where you copied the SingleTierServer.msi file.
5. Double-click SingleTierServer.msi to launch the installation wizard.
A welcome notice appears.
6. Click Next.
7. In the End-User License Agreement panel, select I accept the terms in the License Agreement, and click Next.
8. In the Destination Folder panel, accept the Symantec Data Loss Prevention default destination directory and click
Next.
Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a
different installation location instead.
Directory names, account names, passwords, IP addresses, and port numbers created or specified during the
installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
9. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
10. In the JRE Directory panel, click Browse and locate the JRE, and click Next.
11. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
About FIPS encryption
12. In the Service User panel, select one of the following options, then click Next.
• New Users: Select this option to create the Symantec Data Loss Prevention system account user name and
password and confirm the password. This account is used to manage Symantec Data Loss Prevention services.
The default user name is “SymantecDLP.” New service user accounts are local accounts.
NOTE
To use the RMS detection feature, you must enable it after installing the detection server.
Enabling Microsoft Rights Management file monitoring
The password you enter for the System Account must conform to the password policy of the server. For example,
the server may require all passwords to include special characters.
• Existing Users: Select this option to use an existing local or domain user account.
Enter a domain service user name and password if you plan to manage the detection server with a domain user. If
you want to use the RMS detection feature, ensure that the domain user that you enter has access to the RMS AD
system (and is a member of the selected AD RMS Super Users group) or the Azure RMS system.
13. (Optional) If you opted to create a new service user, enter the new account name and password. Confirm the
password, then click Next.
14. (Optional) If you opted to use an existing local or domain user account, enter the account name and password. The
user name must be in DOMAIN\username format.
15. In the Oracle Database Server Information panel, enter the Oracle Database Server host name or IP address and
the Oracle Listener Port.
NOTE
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
You also enter information in the following fields:
Default values should already be present for these fields. Since this is a single-tier installation with the Oracle
database on this same system, 127.0.0.1 is the correct value for Oracle Database Server Information and 1521 is the
correct value for the Oracle Listener Port.
16. In the Initialize Database panel, select one of the following options:
• Select Initialize Database if you are performing a new Symantec Data Loss Prevention installation.
Select this option if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note
that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss
Prevention database is destroyed when you begin the installation.
Click Next.
In the Enforce Administrator Password panel, enter and confirm a password you use to access the Enforce
Server administration console. The Enforce Server administration console password must be at least eight
characters long.
• Select Preserve Database Data if you want to connect to an existing database.
Selecting this option skips the database initialization process.
Click Next.
In the Enforce Reinstallation Resources panel, specify the unique Enforce Reinstallation Resources file for the
existing database that you want to use.
17. In the Enforce Administrator Password panel, enter and confirm a password you use to access the Enforce Server
administration console.
18. Click Next.
The Enable external storage for incident attachments panel appears.
19. Select one of the following incident storage locations on the Incident Storage Location panel:
• Database stores incidents in the Oracle database.
• External Storage stores your incident attachments externally.
About external storage for incident attachments
20. Click Next and enter the path or browse to your external storage directory (if you selected External Storage), or go to
21 if you selected Database.
21. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See About locales for more information on locales.
22. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range
of 1024–65535.
23. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completing panel
displays.
24. Verify the Symantec Data Loss Prevention single-tier installation.
Verifying a single-tier installation
25. You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-
tier server, and before changing any single-tier server configurations.
About Symantec Data Loss Prevention solution packs
26. After importing a solution pack, register the detection server component of the single-tier installation.
Registering a detection server
Registering the Single Tier Monitor
27. Create the Enforce Reinstallation Resources file. This file contains the unique CryptoMasterKey.properties file
and keystore files for your Symantec Data Loss Prevention deployment.
Creating the Enforce Reinstallation Resources file
28. Create a backup of your system after completing the installation.
Backing up your system
Installing the Java Runtime Environment for a single-tier installation
You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on as root to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your
DLPDownloadHome/DLP/16.0.1/New_Installs/Release directory to the computer where you plan to install the Enforce
Server, where <version> represents the latest supported version.
3. Unzip the file contents (for example, unzip to opt/AdoptOpenJRE).
Next: Installing a Single-tier Server on Linux
If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo
Table 126: Single-tier installation parameters
Command Description
bindPort: Defines the port number on which the detection server should accept connections from the Enforce Server. The
default port number is 8100. If you cannot use the default port, you can change it to any port higher than port 1024,
in the range of 1024–65535.
additionalLocale: Defines an additional locale for use by individual users.
The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
./SingleTierConfigurationUtility -silent
-jreDirectory=opt/AdoptOpenJRE/jdk8u322-b10-jre
-serviceUserOption=NewUser
-serviceUserUsername=protect
-oracleHome=/opt/oracle/product/19.3.0.0/db_1
-oracleHost=127.0.0.1
-oracleUsername=protect
-oraclePassword=password
-oraclePort=1521
-oracleServiceName=protect
-initializeDatabaseOption=Preserve
-reinstallationResourceFile=/opt/temp/EnforceReinstallationResources.zip
-fipsOption=Disabled
-externalStorageOption=Database
1. Navigate to /opt/Symantec/DataLossPrevention/SingleTierServer/16.0.10000/Protect/install.
2. Configure the installation by running the Single Tier Configuration Utility. Use the following command to launch the
utility:
./SingleTierConfigurationUtility
Oracle database connection: Specify the following Oracle database connection settings:
• Oracle Home Directory: For example, use /opt/oracle/product/19.3.0.0/db_1 to define the
home directory if you use the Oracle 19c database.
• Oracle Host: Specify the Oracle server host name or IP address. To install into a test
environment that has no DNS available, use the IP address of the Oracle database server.
Note: If you are running the Oracle database in a RAC environment, use the Scan
Host IP address for Oracle Host, not the database IP address.
• Port: Enter the Oracle listener port.
• Service name: Enter the database service name (typically “protect”).
• Oracle user name and password: Enter the user name and password.
• Database initialization: Select one of the following options:
– Initialize Database: Set the database to initialize by entering 1.
Warning! If you install over an existing installation, entering 1 overwrites the existing
Enforce schema and all data. This means that the existing Symantec Data Loss
Prevention database is destroyed when you run the installer.
– Preserve Database Data: Use an existing database by entering 2.
If you connect an existing Enforce Server database, identify the location of the
EnforceReinstallationResources.zip file from your previous installation.
Creating the Enforce Reinstallation Resources file
Enforce Server settings: Specify the following Enforce Server settings.
• Enforce administrator password: If you chose an option to support password authentication with forms-based logon,
enter a password for the Enforce Server Administrator account.
If you chose to support certificate authentication, enter the Common Name (CN) value
that corresponds to the Enforce Server Administrator user. The Enforce Server assigns
administrator privileges to the user who logs on with a client certificate that contains this CN
value.
• Enable external storage: Select one of the following options:
– Database storage
This option stores data in the database.
– Enable External Storage
This option lets you store incident attachments externally. Enter a path to the external
storage directory.
Network port: Accept the default port number (8100) on which the detection server should accept connections
from the Enforce Server. If you cannot use the default port, you can change it to any port higher
than port 1024, in the range of 1024–65535.
NOTE
If any configuration steps fail, the Enforce Server Configuration Utility does not roll back the changes that
were made. You must roll back the changes before you re-attempt the installation.
Rolling back a failed Enforce Server installation
4. Verify the Symantec Data Loss Prevention single-tier installation.
Verifying a single-tier installation
5. You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-
tier server, and before changing any single-tier server configurations.
Importing a Solution Pack
6. After importing a solution pack, register the detection server component of the single-tier installation.
7. Create a backup of your system after completing the installation.
Backing up your system
Related Links
Registering a detection server on page 257
Register a detection server to begin implementing a Symantec Data Loss Prevention feature.
Registering the Single Tier Monitor on page 288
2. If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example,
connectivity, password, or database access issues).
• For Windows, the Symantec Data Loss Prevention installation log is at
c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs.
You may also need to install the Update for Universal C Runtime in Windows. See
https://support.microsoft.com/en-us/kb/2999226.
• For Linux, the Symantec Data Loss Prevention operational logs are in
/var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs.
Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration
console.
See Logging On and Off the Enforce Server Administration Console for information about logging on to, and using, the
Enforce Server administration console.
You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-tier
server, and before changing any single-tier server configurations.
Importing a Solution Pack
After importing a solution pack, register a detection server.
Registering a detection server
Registering the Single Tier Monitor
Policy authoring considerations
For Single Server deployments, all policies are grouped in the Default Policy Group. Therefore, all policies will apply
to every channel that you have configured. Take this into consideration when authoring your policies to avoid poor
performance on your Single Server deployment.
For more information about policy authoring and policy groups, see About Data Loss Prevention Policy Authoring.
5. Enter the General information. This information defines how the server communicates with the Enforce Server.
• In the Name field, enter a unique name for the detection server.
• The Host field is already set to the local host address. You cannot change this setting.
• In the Port field, enter the port number the detection server uses to communicate with the Enforce Server. By
default, the port is set to 8100. If you want to use a different port number, enter any port number greater than 1024
here.
6. Specify the remaining configuration options as appropriate.
See the Symantec Data Loss Prevention Help Center for details on how to configure the Single Tier Monitor.
7. After you have configured each detection channel, click Save.
The Server Detail screen appears.
8. If necessary, click Server Settings or other configuration tabs to specify additional configuration parameters.
9. If necessary, restart the server by clicking Recycle on the Server Detail screen. Or you can start the Symantec DLP
services manually on the server itself.
Symantec Data Loss Prevention Services
10. To verify that the server was registered, return to the System Overview page. Verify that the detection server appears
in the server list, and that the server status is Running.
11. To verify the type of certificates that the server uses, select System > Servers > Alerts. Examine the list of alerts to
determine the type of certificates that Symantec Data Loss Prevention servers use:
• If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in
certificate.
• If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user
generated certificate.
3. Install agents.
The agent installation process differs based on the endpoint operating system.
• Windows
• macOS
• Linux
Related Links
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
About uninstallation passwords on page 329
Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
Generating agent installation packages
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
The packaging process creates a zip file that contains the installer of your choice. The zip file includes public certificate
and keys and installation scripts to install DLP Agents. You generate a single installation package for each endpoint
platform where you want to deploy.
For example, if you want to install DLP Agents on Windows 64-bit endpoints, you generate a single
AgentInstaller_Win64.zip package. If you specify more than one installer for packaging, such as the Windows 64-
bit agent installer and the Mac 64-bit agent installer, the system generates separate agent packages for each platform.
Before you start generating the agent installation packages confirm that your system is ready to package by doing the
following:
• Confirm that the agent installers are copied to the Enforce Server local file system.
• Confirm that the Enforce Server has at least 3 GB of free space. The packaging process fails if the Enforce Server has
less than 3 GB of free space.
The following table provides instructions for generating agent installation packages. The instructions assume that you
have deployed an Endpoint Server.
1. Navigate to the Agent Packaging page.
Log on to the Enforce Server administration console as an administrator and navigate to the System > Agents > Agent
Packaging page.
2. Select one or more DLP Agent installation files.
Browse to the folder on the Enforce Server where you copied the agent installer files.
The following installer files are available:
• Windows 64-bit: AgentInstall-x64_16_0_1.msi
• Windows 32-bit: AgentInstall-x86_16_0_1.msi
• Linux 64-bit (for Linux distributions, you package each operating system type separately):
– Red Hat Enterprise Linux: AgentInstall-x86_64_16_0_1.rpm
– Ubuntu: AgentInstall-x86_64_16_0_1.deb
• Mac 64-bit: AgentInstall_16_0_1.pkg
3. Enter the server host name.
Typically you enter the common name (CN) of the Endpoint Server host, or you can enter the IP address of the server.
Be consistent with the type of identifier you use (CN or IP). If you used the CN for the Endpoint Server when deploying
it, use the same CN for the agent package. If you used an IP address to identify the Endpoint Server, use the same IP
address for the agent package.
Alternatively, you can enter the CN or IP address of a load balancer server.
Note: The Enforce Server administration console does not accept IPv6 addresses as input. Instead of specifying an
IPv6 address, enter the host name.
Note: To ensure that IPv6-only endpoints can communicate with an Endpoint Prevent Server, make sure that the Endpoint
Prevent Server is running on a dual stack host. If the Endpoint Prevent Server is running on an IPv4 host, you might
need to configure NAT devices to translate the IP addresses of IPv6-only endpoints.
4. Enter the port number for the server.
The default port is 10443. Typically you do not need to change the default port unless it is already in use or intended
for use by another process on the server host.
5. Add additional servers (optional).
Click the plus sign to add additional servers for failover.
If you configure agents to connect to more than one Endpoint Prevent Server, you can specify a mix of servers that use
the DLP Default KeyStore and servers that use custom keystores.
Note: Symantec Data Loss Prevention allots 2048 characters for Endpoint Server names. This allotment includes the
characters that are used for the Endpoint Server name, port numbers, and semicolons to delimit each server.
The first server that is listed is the primary; additional servers are secondary and provide backup if the primary is
down.
See About Endpoint Server redundancy.
6. Enter the Endpoint tools password.
A password is required to use the Endpoint tools to administer DLP Agents. The Endpoint tools password is
case-sensitive. The password is encrypted and stored in a file on the Enforce Server. You should store this password in
a secure format of your own so that it can be retrieved if forgotten.
After installing agents, you can change the password on the Agent Password Management screen.
See About agent password management.
7. Re-enter the Endpoint tools password.
The system validates that the passwords match and displays a message if they do not.
8. Enter the target directory for the agent installation (Windows only).
The default installation directory for Windows 32- and 64-bit agents is %PROGRAMFILES%\Manufacturer\Endpoint Agent.
Change the default path if you want to install the Windows agent to a different location on the endpoint host. You can
only install the DLP Agent to an ASCII directory using English characters. Using non-English characters can prevent the
DLP Agent from starting and from monitoring data in some scenarios.
Note: Include the drive letter if you plan to change the default directory. For example, use C:\Endpoint Agent. Not
including a drive letter causes the agent installation to fail.
The target directory for the Mac agent is set by default.
9. Enter the uninstall password (optional, Windows only).
The agent uninstall password is supported for Windows agents. The uninstall password is a tamper-proof mechanism that
requires a password to uninstall the DLP Agent.
The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format
of your own so that it can be retrieved if forgotten.
For information on uninstalling Mac agents, see Removing a DLP Agent from a Mac Endpoint.
After installing agents, you can change the password on the Agent Password Management screen.
See About agent password management.
10. Re-enter the uninstall password.
The system validates that the passwords match and displays a message if they do not.
292
Step Action Description
11 Select the truststore that contains You can select either the default truststore that contains the self-signed certificate
the certificate that is used to and key or a custom truststore that you added.
validate the Endpoint Prevent If you configured the Endpoint Prevent Servers to use a custom certificate,
Server certificate. select the truststore that contains the corresponding corresponding CA public
certificate that can validate the custom Endpoint Prevent Server certificate.
Note: If you previously chose to use the DLP Default TrustStore while creating
agent packages, you can switch to a custom truststore the next time you generate
new packages for upgrading agents.
12 Click Generate Installer This action generates the agent installer package for each platform that you
Packages. selected in step 3.
The generation process may take a few minutes.
13 Save the agent package zip file. When the agent packaging process is complete, the system prompts you to
download the agent installation package. Save the zip file to the local file system.
After you save the file you can navigate away from the Agent Packaging screen to
complete the process.
The zip file is named according to the agent installer you uploaded:
• AgentInstaller_Win64.zip
• AgentInstaller_Win32.zip
• AgentInstaller_Linux64.zip
• AgentInstaller_Mac64.zip
If you upload more than one agent installer, the package name is
AgentInstallers.zip. In this case, the zip file contains separate zip files for
each agent package for each platform you selected in step 3.
14 Install DLP Agents using the agent Once you have generated and downloaded the agent package, you use it to install
package. all agents for that platform.
Related Links
Secure Communications Between DLP Agents and Endpoint Servers on page 669
Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.
Related Links
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
The agent installation package for Windows agents contains the endpoint certificates, installation files, and the package
manifest.
macOS Agent Package Contents
The Mac agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the
installation script for macOS.
File Description
The Linux agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the
installation script for Linux distributions.
File Description
NOTE
See Third-party software requirements and recommendations for information about configuring third-party
software to work with the Symantec DLP Agent.
Check the following applications:
• Antivirus software
• Firewall software
Make sure that your antivirus software and firewall software recognize the Symantec DLP Agents as legitimate programs.
• If you plan to install agents on the endpoints that run Windows 10, use an elevated command prompt. See Use the
Elevated Command Prompt with Windows 10.
• If you plan to install DLP Agents running Windows 10, verify that Admin Security mode is set to Disabled on the
administrator account. This setting allows administrators to complete tasks such as running endpoint tools and
installing agents.
• Confirm that Windows operating systems meet minimum requirements. See Windows Operating System Requirements
for Endpoint Systems.
• Install Endpoint Servers. See Adding a detection server.
• Generate the agent installation package. See Secure Communications Between DLP Agents and Endpoint Servers.
Install the DLP Agent for Windows Manually
Install the DLP Agent for Windows manually prior to installing agents to your entire environment.
See Use the Elevated Command Prompt with Windows 10.
Table 130: Instructions for installing the DLP Agent for Windows manually provides instructions for installing the DLP
Agent for Windows manually.
NOTE
These steps assume that you have generated the agent installation package. See Generating agent installation packages.
Table 130: Instructions for installing the DLP Agent for Windows manually
1 Run the DLP Agent installer batch file.
You run the install_agent.bat located in the agent installation package ZIP file.
Note: To troubleshoot the manual installation, you can remove the /q element from the install_agent.bat file. Removing the /q element launches the installation wizard which can provide error information. You can also review the installation log file (installAgent.log located at C:\) for additional troubleshooting information.
2 Confirm that the agent is running.
Once installed, the DLP Agent initiates a connection with the Endpoint Server. Confirm that the agent is running by going to Agent > Overview and locating the agent in the list.
See Confirming that the Windows agent is running.
When you install the Symantec DLP Agent, your systems management software issues a command to the specified endpoints. The following table summarizes important commands:
Table 131: Agent installation properties
Command Description
/q Specifies a silent install. You can remove this command to install an agent using the wizard. You might install using this method if you want to test the installation package when preparing to run a silent installation.
ARPSYSTEMCOMPONENT Optional properties to msiexec.
ENDPOINTSERVER The Endpoint Server to which agents will connect. This value is defined during the agent installation packaging process.
SERVICENAME The agent service name. The default value is EDPA.
INSTALLDIR The location where the agent is installed on the endpoint: C:\Program Files\Manufacturer\Symantec DLP Agent\. This value is defined during the agent installation packaging process.
UNINSTALLPASSWORDKEY The password the administrator uses when uninstalling agents. This value is defined during the agent installation packaging process.
WATCHDOGNAME The watchdog service name: WDP.
TOOLS_KEY The password associated with the agent tools. This value is defined during the agent installation packaging process.
ENDPOINT_CERTIFICATE The endpoint self-signed certificate file name: endpoint_cert.pem. This file is created during the agent installation packaging process.
ENDPOINT_PRIVATEKEY The endpoint private key file name: endpoint_priv.pem. This file is created during the agent installation packaging process.
ENDPOINT_TRUSTSTORE The endpoint trust store file to trust the server certificate (server public key): endpoint_truststore.pem. This file is created during the agent installation packaging process.
ENDPOINT_PRIVATEKEY_PASSWORD The password associated with the agent certificates. The password is located in the endpoint_priv.pem file, which is created during the agent installation packaging process.
The following is an example of what the completed command might look like:
Confirming that the Windows agent is running
After you install the agents, the Symantec DLP Agent service automatically starts on each endpoint. Log on to the Enforce
Server and go to System > Agents > Overview. Verify that the newly installed or upgraded agents are registered (that
the services appear in the list).
The watchdog service is deployed with the DLP Agent on Windows endpoints. The watchdog is a service that ensures
that the DLP Agent is running and active. This relationship is reciprocal. If the DLP Agent does not receive regular
requests from the watchdog service, it automatically restarts the watchdog service. This reciprocal relationship ensures
that the DLP Agent is always running and active.
Users cannot stop the watchdog service on their workstations. Preventing users from stopping the watchdog service
allows the DLP Agent to remain active on the endpoint.
Related Links
How to implement Endpoint Prevent on page 1877
Setting up and configuring Endpoint Discover on page 1886
Component Description
Driver (vfsmfd.sys)
Detects any activity in the endpoint file system (including activity on Citrix XenApp and XenDesktop) and relays the information to the DLP Agent service.
This driver is installed at <Windows_dir>\System64\drivers. For example, c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.
Driver (vnwcd.sys)
Intercepts network traffic (HTTP, FTP, and IM protocols) on the endpoint. After the Symantec Data Loss Prevention Agent analyzes the content, the vnwcd.sys driver allows or blocks the data transfer over the network.
This driver is installed at <Windows_dir>\System64\drivers. For example, c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.
Driver (vrtam.sys)
Monitors process creation and destruction, and sends notifications to the DLP Agent. The driver monitors the applications that are configured as part of Application Monitoring; for example, CD/DVD applications.
This driver is installed at <Windows_dir>\System64\drivers. For example, c:\windows\System64\drivers. All other agent files are installed into the agent installation directory.
Symantec DLP Agent service
Receives all information from the driver and relays it to the Endpoint Server. During installation, the DLP Agent is listed under the task manager as edpa.exe.
Users are prevented from stopping or deleting this service on their workstation.
Watchdog service
Automatically checks to see if the DLP Agent is running. If the DLP Agent has been stopped, the watchdog service restarts the DLP Agent. If the watchdog service has been stopped, the DLP Agent service restarts the watchdog service.
Users are prevented from stopping or deleting this service.
Table 133: Roles for installing the DLP Agent on macOS endpoints
Name Description
DLP administrator
Generates the macOS agent installation package and provides it to the macOS endpoint administrator for deployment.
macOS endpoint administrator
Uses the installation package to create an agent deployment confirmation.
MDM administrator
Deploys agent mobileconfig to macOS endpoints.
Network administrator
Manages the firewall to enable web access for agents.
O365 administrator
Deploys the Outlook add-in manifest to enable Outlook monitoring for agents.
Before You Begin
Confirm the following prerequisites before you start the process to install DLP Agents on macOS endpoints:
• Meet minimum requirements for macOS operating systems. See macOS operating system requirements for endpoint
systems.
• Install Endpoint Servers. See Adding a detection server.
• Generate the agent installation package. See Generating agent installation packages.
You can use the mobile device management (MDM) software of your choosing to distribute profiles that enable monitoring
features on macOS endpoints. See Sample Jamf MDM configuration file for macOS endpoints for information on
configuration files.
NOTE
The steps to deploy MDM profiles use Jamf as an example. The steps differ if you use a different MDM tool.
Steps to Complete Installation Prerequisites
Deploy MDM profiles to enable browser extensions. The browsers that you choose are based on the monitor
requirements in your organization. You can enable extensions for the following browsers:
• Enable Monitoring in Google Chrome on macOS Endpoints
• Enable Monitoring in Mozilla Firefox on macOS endpoints
• Deploy the Symantec extension to monitor Edge
4. Enable print monitoring for Microsoft Office applications.
– Enable print monitoring for Microsoft Office applications on macOS endpoints
5. Enable MIP classification notifications and access to Microsoft Office applications.
You can deploy MDM profiles to enable the following features:
• Enable MIP classification notifications on macOS endpoints
• Enable DLP Agent access to Microsoft Office applications
Enable Office Open XML content inspection on macOS endpoints
The macOS endpoint security framework requires special configuration for enabling DLP Agents to inspect Office Open
XML content. You must create an MDM profile that grants the OOXMLHostApp process full disk access on macOS 10.14
and later.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Under App Access, in the Identifier field, enter
/Library/Manufacturer/Endpoint Agent/OOXMLHostApp
4. In the Identifier Type menu, select Bundle ID.
5. In the Code Requirement field, enter the following:
identifier OOXMLHostApp and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7
NOTE
If you copy this information from the documentation, make sure that there are no extra line breaks when you
paste it in the Code Requirement field.
6. In the APP OR SERVICE table, add the following settings:
7. Click Save.
NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any issues.
Allow full-disk access for the endpoint security host application (SEHA.app) on macOS endpoints
You must configure an MDM profile to allow full-disk access for the endpoint security host application (SEHA.app) on
macOS 11 endpoints.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Under App Access, in the Identifier field, type com.symantec.dlp.ext.host.application.
4. In the Identifier Type menu, select Bundle ID.
5. In the Code Requirement field, enter the following:
anchor apple generic and identifier "com.symantec.dlp.ext.host.application"
and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7)
NOTE
If you copy this information from the documentation, make sure that there are no extra line breaks when you
paste it in the Code Requirement field.
6. In the APP OR SERVICE table, add the following settings:
7. Click Save.
NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any issues.
Allow Full-disk Access for the DLP Agent on macOS Endpoints
You must configure an MDM profile to allow the full disk access for the DLP Agent on macOS endpoints.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Under App Access, in the Identifier field, type /Library/Manufacturer/Endpoint Agent/edpa.
4. In the Identifier Type menu, select Path.
5. In the Code Requirement field, enter the following:
identifier edpa and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7
NOTE
If you copy this information from the documentation, make sure that there are no extra line breaks when you
paste it in the Code Requirement field.
6. In the APP OR SERVICE table, add the following settings:
7. Click Save.
NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any issues.
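The three Privacy Preferences Policy Control procedures above (OOXMLHostApp, SEHA.app and edpa) each repeat the same warning: the designated requirement must reach the Code Requirement field as a single line, and the PDF wraps it across four. The script below is an added example and not part of the Symantec documentation or the product. It normalizes a wrapped requirement into the one-line form, counts how many lines the pasted text actually spans, and, on a macOS host where codesign(1) exists, checks that the installed binary really satisfies that requirement before the profile is pushed out. The edpa path and requirement text come from the documentation; the wrapped input is constructed to mirror the PDF layout, and SEHA.app is not covered because the page gives no on-disk path for it.

```shell
#!/bin/sh
# Added example, not from the Symantec documentation: turn a line-wrapped
# designated requirement into the single line Jamf expects, and verify the
# installed binary against it with codesign(1) when running on macOS.

# The edpa requirement from the documentation, deliberately split across lines
# the way the PDF wraps it (constructed input for this example).
EDPA_REQUIREMENT_RAW='identifier edpa and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate
leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] =
Y2CCP3S9W7'

# Installed path of the agent daemon, as given in the documentation.
EDPA_PATH='/Library/Manufacturer/Endpoint Agent/edpa'

# normalize_requirement TEXT: collapse line breaks, tabs and repeated spaces
# into single spaces and trim both ends. The requirement language ignores
# whitespace, so "certificate<newline>1[...]" becomes the valid "certificate 1[...]".
normalize_requirement() {
    printf '%s' "$1" | tr '\n\r\t' '   ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# line_count TEXT: number of lines the text spans; anything above 1 means it
# must not be pasted into the Code Requirement field as is.
line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# check_requirement PATH TEXT: 0 if the signed code at PATH satisfies the
# requirement, 2 if codesign is not available (non-macOS host), 1 otherwise.
# The leading "=" tells codesign the -R argument is requirement text, not a file.
check_requirement() {
    command -v codesign >/dev/null 2>&1 || return 2
    req=$(normalize_requirement "$2")
    codesign --verify -R="$req" "$1" 2>/dev/null
}

one_line=$(normalize_requirement "$EDPA_REQUIREMENT_RAW")
printf 'raw text spans %s line(s); paste this single line:\n%s\n' \
    "$(line_count "$EDPA_REQUIREMENT_RAW")" "$one_line"

rc=0
check_requirement "$EDPA_PATH" "$EDPA_REQUIREMENT_RAW" || rc=$?
case $rc in
    0) echo "edpa satisfies its designated requirement" ;;
    2) echo "codesign not found; run this on the macOS endpoint to verify" ;;
    *) echo "edpa does NOT satisfy the requirement (rc=$rc); check the installed build" ;;
esac
```

To see what requirement a binary was actually signed with, `codesign -d -r - "/Library/Manufacturer/Endpoint Agent/edpa"` prints its designated requirement, which is a quick way to spot a mismatch in the team identifier (the `subject.OU` value) before a PPPC profile silently fails to apply.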
Configure the DLP Agent to Start Automatically
Confirm that the DLP Agent can start automatically on macOS 13 endpoints.
On macOS 13, the DLP Agent does not start automatically if the EDPA process is disabled on the Login Items settings
menu. Ensure that the DLP Agent always runs by deploying an MDM configuration profile to prevent users from disabling
the EDPA process through the Login Items settings menu.
You can use a sample MDM configuration file with a management application like Jamf to manage the EDPA process. See
21108 to obtain the sample file.
See Jamf documentation on creating an MDM profile to manage login items. See the following URL for details:
https://docs.jamf.com/technical-articles/Uploading_a_Configuration_Profile_for_Managed_Login_Items.html
Enable Monitoring in Google Chrome on macOS Endpoints
The following instructions describe the process of creating an MDM configuration profile to deploy the new Google
Chrome extension for macOS endpoints using MDM settings. For illustration purposes, the instructions assume that you
plan to deploy the extension using Jamf, an IT management application.
Alternatively, you can install the extension manually using the Chrome Web Store. Make sure that the Chrome Web Store
URL is not blocked by your organization's network firewall.
See https://chrome.google.com/webstore/detail/symantec-extension/egaejpfbkjamgheoingidhokbfnidlpi.
Before you begin, make sure that you have completed the following steps:
• Allow full-disk access for the endpoint security host application (SEHA.app) on macOS endpoints
• Allow Full-disk Access for the DLP Agent on macOS Endpoints
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. Create a browser policy (.plist file) which you can upload to Jamf.
For example:
NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any failed deployments.
Enable Monitoring in Mozilla Firefox on macOS endpoints
The following instructions describe the process of creating an MDM configuration profile to deploy the new Mozilla Firefox
extension as well as a signed certificate to enable Outlook Web Access monitoring in Firefox on macOS endpoints.
For illustration purposes, the instructions assume that you plan to deploy the extension using Jamf, an IT management
application. The browser extension is supported only on Mozilla Firefox 64.0 and later versions.
Complete the following prerequisites before you begin: Allow full-disk access for the endpoint security host application (SEHA.app) on macOS endpoints, and Allow Full-disk Access for the DLP Agent on macOS Endpoints.
NOTE
When you download the agent installer package from the Broadcom Product Downloads portal, the package
contains a ready-to-use MDM configuration file that you can use with a management application like Jamf
to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS
endpoints.
1. Create a browser policy (.plist file) which you can upload to Jamf. Mozilla provides a template that you can use to
define policies for the Firefox browser.
NOTE
For more information about Firefox policy templates, see https://github.com/mozilla/policy-templates/blob/
master/README.md.
To download the policy template, visit https://github.com/mozilla/policy-templates/blob/master/mac/
org.mozilla.firefox.plist.
You can either create a new .plist file based on Mozilla's policy template or modify the existing .plist file based
on your organization's requirements. For example:
2. In Jamf, select a configuration profile.
3. Navigate to Application & Custom Settings, and then click Add.
4. Under Creation Method, select Upload File (PLIST file).
5. In the Preference Domain field, type org.mozilla.firefox.
6. Click the Upload PLIST file button, and then browse to and select the .plist file that you created in Step 1.
7. Click Save.
NOTE
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view
and troubleshoot any failed deployments.
Deploy the Symantec extension to monitor Edge
Before you enable monitoring for Microsoft Edge on macOS endpoints, review the list of supported Microsoft Edge
releases. For more information, see Applications Supported by Endpoint Prevent on macOS.
Before you begin, confirm that you have allowed full disk access for the agent and the
endpoint security host application (SEHA.app) on macOS endpoints. See Allow Full-disk
Access for the DLP Agent on macOS Endpoints and Allow full-disk access for the endpoint
security host application (SEHA.app) on macOS endpoints respectively.
Complete the following steps to create an MDM configuration profile to deploy the new Microsoft Edge extension
for macOS endpoints using MDM settings. For illustration purposes, the instructions assume that you plan to deploy the
extension using Jamf, an IT management application.
NOTE
Alternatively, you can navigate to the Symantec extension in the Edge Add-ins store and then click Get to
install the extension on a single endpoint. Make sure that the Edge Add-ins store URL is not blocked by your
organization's network firewall.
To view the Symantec extension in the Edge add-ins store, visit https://microsoftedge.microsoft.com/addons/
detail/ifcoeclffkpmgoodbmpmfmcpleljpkfl.
1. Create a browser policy (.plist file) which you can upload to Jamf.
For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowJavaScriptfromAppleEvents</key>
<true/>
<key>InPrivateModeAvailability</key>
<integer>1</integer>
<key>ExtensionSettings</key>
<dict>
<key>ifcoeclffkpmgoodbmpmfmcpleljpkfl</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>update_url</key>
<string>https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
</dict>
</dict>
</dict>
</plist>
On macOS endpoints, users are prompted once to permit the DLP Agent to display notifications about label suggestions
and label enforcement. To prevent MIP classification notifications from being blocked by users, you can create an MDM
configuration profile to bypass the prompt for permission.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
1. Create a custom JSON schema to specify macOS app notifications settings.
To view a sample schema, visit https://github.com/talkingmoose/jamf-manifests/blob/master/macOS%20Notifications
%20%28com.apple.notificationsettings%29.json.
2. In Jamf, select a configuration profile.
3. Navigate to Application & Custom Settings > External Applications , and then click Add.
4. In the Source menu, select Custom Schema.
5. In the Preference Domain box, type com.apple.notificationsettings.
6. In the Custom Schema box, enter the custom schema that you created.
7. Under Domain Preferences, do the following:
a) In the Bundle ID box, type com.symantec.dlp.CUI.
b) In the Allow Notifications from App menu, select true
c) In the Alert Type Style menu, select banners
d) In the Show In Notification Center menu, select true
e) In the Badges Enabled menu, select true
8. Click Save.
Enable DLP Agent access to Microsoft Office applications
After you enable MIP configuration for Microsoft Office applications in the agent configuration, endpoint users are
prompted to allow the DLP Agent ('CUI' application) to access Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.
If users do not grant application access, the MIP classification functionality does not work.
You can create an MDM configuration profile to enable the DLP Agent to access Microsoft Office applications without
prompting users for permission. For illustration purposes, the following instructions assume that you plan to use Jamf, an
IT management application.
NOTE
When you copy and paste text into the Receiver Code Requirement box in Jamf, make sure that there are no
line breaks.
1. In Jamf, select a configuration profile.
2. Navigate to Privacy Preferences Policy Control.
3. Click Add.
4. Under App Access, do the following:
a) In the Identifier box, type com.microsoft.Word.
b) In the Receiver Identifier Type menu, select Bundle ID.
c) In the Receiver Code Requirement box, type identifier "com.microsoft.Word" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = UBF8T346G9.
5. Click Add.
6. Under App Access, do the following:
a) In the Identifier box, type com.microsoft.Excel.
b) In the Receiver Identifier Type menu, select Bundle ID.
c) In the Receiver Code Requirement box, type identifier "com.microsoft.Excel" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = UBF8T346G9.
7. Click Add.
8. Under App Access, do the following:
a) In the Identifier box, type com.microsoft.Powerpoint.
b) In the Receiver Identifier Type menu, select Bundle ID.
c) In the Receiver Code Requirement box, type identifier "com.microsoft.Powerpoint" and anchor
apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate
leaf[subject.OU] = UBF8T346G9.
9. Click Save.
Installing the DLP Agent for Mac manually
These steps assume you have generated the agent installation package and completed installation prerequisites. See Generating agent installation packages and Complete macOS Endpoint Agent Installation Prerequisites.
This section provides steps for installing the DLP Agent for Mac manually. If you do not plan to test the agent installation package, you install Mac agents using MDM software.
1. Locate the agent installation package ZIP (AgentInstaller_Mac64.zip), and unzip it to the Mac endpoint.
Unzip the file to /tmp/MacInstaller.
NOTE
If you are running macOS 10.15.x and later, Symantec recommends that you unzip the file contents to the /tmp/MacInstaller folder. macOS prevents the installation from running at locations such as Downloads and Documents.
2. Install the Mac Agent from the command line using the Terminal application.
Run the following command on the target endpoint:
$ sudo sh install_agent.sh
Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.
NOTE
If you are installing the DLP Agent to endpoints that use the Apple M1 chip, you must enable full disk access for the Terminal application. You can enable full disk access for the Terminal application in the Security & Privacy area in System Settings. You can also set full disk access using an MDM profile. See Allow Full-disk Access for the DLP Agent on macOS Endpoints.
3. (Optional) Review information about the Mac agent installation.
You can use a silent installation process by using mobile device management software (MDM) to install DLP Agents to
endpoints. You must always install the agent installation package from a local directory. If you do not install from a local
directory, some functions of the DLP Agent are disabled.
NOTE
The steps to install the agent using MDM profiles use Jamf as an example. The steps differ if you use a different
MDM tool.
1. Move the macOS endpoint agent installation package to a local machine.
2. Build a PKG file using the Jamf Composer tool by completing the following steps:
a) Define a location (for example, /Users/) that all endpoints that are targeted for the installation can access. When
you deploy the package, the MDM software pushes the package to the location you define. The following example
shows the location.
Figure 1: PKG file on local machine
b) Open the Jamf composer and drag the AgentInstaller_Mac64 folder to the Composer window.
c) Set executable permissions (model: 755) for the folder-based settings listed in the following table:
User R W X
d) Select Apply to All Enclosed Items.
e) Click Build As PKG and select a location where you want to save the file.
3. Configure the Jamf policy by completing the following steps:
a) Log in to Jamf Pro web console.
b) Go to All Settings > Computer Management and click Packages.
c) Click New. The following screen appears.
Figure 2: New Package
Figure 3: Jamf Web Console Policies Example
Figure 4: Jamf Web Console Execute Command Example
When the DLP Agent is installed or upgraded on a macOS endpoint, a number of components are installed. Do not
disable or modify any of these components or the DLP Agent may not function correctly.
Component Description
Endpoint Agent daemon (EDPA)
The installation process places the EDPA files here: /Library/Manufacturer/Endpoint Agent.
The com.symantec.manufacturer.agent.plist file contains configuration settings for the Endpoint Agent daemon. This file is located at /Library/LaunchDaemons/.
Encrypted database
Each DLP Agent maintains an encrypted database at the endpoint. The database stores incident metadata, content from the host file system, and, if needed, the original file that triggered the incident. The DLP Agent analyzes the content locally.
Log files
The DLP Agent logs information on completed and failed processes.
Database (rrc.ead)
This database maintains and contains non-matching entries for rules results caching (RRC). See About rules results caching (RRC).
Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877
Condition
The agent does not connect to the Endpoint Server.
Cause
There may be an issue with the agent starting up.
Remedy
1. Use the Console application to check the log messages. Review the Mac Agent installer logs at /var/log/
install.log.
2. Rerun the installer with -dumplog option to create detailed installation logs. For example, use the command
sudo installer -pkg /tmp/AgentInstall/AgentInstall_16_0_1.pkg -target / -dumplog.
Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.
Before You Begin the Installation
Confirm the following prerequisites before you start the process to install DLP Agents on Linux endpoints:
• Verify that you meet the minimum requirements for Linux operating systems. For more information, see Linux
Operating System Requirements for Endpoint Systems.
• Install the Endpoint Servers. For more information, see Adding a detection server.
• Generate the agent installation package. For more information, see Generating agent installation packages.
NOTE
Optionally, you can sign RPM installation files on any Linux machine before deploying the package to endpoints
in your organization. Sign RPM Files for Linux Endpoints
The DLP Agent requires permissions to be set for executable files. If permissions are not applied, the agent installation
fails.
1. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
2. Enable repository access on the endpoint to ensure that required packages are installed during the agent installation.
Skip this step if the required packages are already installed on the endpoint.
3. Locate the agent installation package ZIP for one of the following supported distributions:
• Linux: AgentInstaller_Linux64.zip
• Ubuntu: AgentInstaller_LinuxDeb64.zip
This file is generated during the agent installation packaging process. See Agent installation package contents.
4. Unzip the file to the Linux endpoint at /opt/temp/LinuxInstaller.
5. Open a terminal and run one of the following commands for your distribution:
• Linux (RPM-based distributions):
cd /opt/temp/LinuxInstaller
sudo chmod +x *.rpm
NOTE
You only need to run sudo chmod +x *.rpm if the unzipped files are not already executable on the endpoint.
• Ubuntu:
cd /opt/temp/LinuxInstaller
sudo chmod +x *.deb
sudo chmod +x install_agent.sh
6. Verify the signature of the files before installing them. Treat any result other than a good signature as a reason to stop and obtain the package again; do not run install_agent.sh on a package whose signature did not verify.
• Run the following command for Linux endpoints. The RPM signing public key must already be imported with rpm --import; otherwise rpm -K cannot verify the signature and reports it as NOT OK:
rpm -K *.rpm
• Run the following commands for Ubuntu endpoints:
sudo gpg --import Symantec_DLP_DEB_Signing_Key.asc
sudo gpg --verify AgentInstall-x86_64_16.0.1.deb
sudo dpkg-sig --verify AgentInstall-x86_64_16.0.1.deb
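As an added example, not part of the DLP installer or its documentation, the following Python script wraps the two verification commands from step 6 and exits non-zero unless every package in the directory carries a signature that actually verified, so a wrapper can refuse to run install_agent.sh. It assumes rpm and dpkg-sig are on the PATH and that the signing keys were imported as described above; the output formats it parses are the standard ones printed by rpm -K and dpkg-sig --verify, and the sample lines used to exercise it are constructed rather than captured from an endpoint.

```python
"""Fail-closed signature check for DLP Agent installer packages.

Added example: wraps the two commands from the verification step (rpm -K for
RPM packages, dpkg-sig --verify for DEB packages) and reports success only
when every package carries a signature that verified. Assumes rpm / dpkg-sig
are on PATH and the signing keys were imported as the procedure describes.
"""
import os
import subprocess
import sys
from typing import Dict


def classify_rpm_check_line(line: str) -> str:
    """Classify the line that `rpm -K <pkg>` prints for one package.

    rpm prints the names of checks that passed in lowercase and the names of
    checks that failed in UPPERCASE, so case carries the verdict. Constructed
    examples of the current and the older output format:
      'pkg.rpm: digests signatures OK'      -> 'ok'
      'pkg.rpm: digests SIGNATURES NOT OK'  -> 'bad'  (bad signature or key not imported)
      'pkg.rpm: digests OK'                 -> 'unsigned' (nothing to trust)
      'pkg.rpm: rsa sha1 (md5) pgp md5 OK'  -> 'ok'  (older rpm releases)
    """
    _, _, verdict = line.partition(": ")
    verdict = verdict.strip()
    if "NOT OK" in verdict:
        return "bad"
    if any(tok.isupper() and tok != "OK" for tok in verdict.split()):
        return "bad"  # an uppercase check name is a failed check
    if verdict.endswith("signatures OK") or verdict.endswith("pgp md5 OK"):
        return "ok"
    if verdict.endswith("OK"):
        return "unsigned"
    return "bad"


def classify_dpkg_sig_output(output: str) -> str:
    """Classify `dpkg-sig --verify <pkg>` output.

    dpkg-sig prints one status line per embedded signature, starting with
    GOODSIG, BADSIG, UNKNOWNSIG (key not available) or NOSIG.
    """
    statuses = []
    for text in output.splitlines():
        tokens = text.split()
        if tokens and tokens[0].endswith("SIG"):
            statuses.append(tokens[0])
    if not statuses:
        return "bad"
    if all(status == "GOODSIG" for status in statuses):
        return "ok"
    if statuses == ["NOSIG"]:
        return "unsigned"
    return "bad"


def verify_packages(directory: str) -> Dict[str, str]:
    """Run the documented check on every .rpm and .deb in directory."""
    results: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".rpm"):
            out = subprocess.run(["rpm", "-K", path], capture_output=True, text=True).stdout
            lines = out.strip().splitlines()
            results[name] = classify_rpm_check_line(lines[-1] if lines else "")
        elif name.endswith(".deb"):
            out = subprocess.run(["dpkg-sig", "--verify", path], capture_output=True, text=True).stdout
            results[name] = classify_dpkg_sig_output(out)
    return results


def packages_trusted(results: Dict[str, str], allow_unsigned: bool = False) -> bool:
    """True only if at least one package was found and none failed verification."""
    accepted = {"ok", "unsigned"} if allow_unsigned else {"ok"}
    return bool(results) and all(verdict in accepted for verdict in results.values())


if __name__ == "__main__":
    pkg_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/temp/LinuxInstaller"
    verdicts = verify_packages(pkg_dir)
    for pkg, verdict in verdicts.items():
        print(f"{verdict:9}{pkg}")
    # Non-zero exit tells a wrapper script not to run install_agent.sh.
    sys.exit(0 if packages_trusted(verdicts) else 1)
```

Run it as `python3 verify_agent_packages.py /opt/temp/LinuxInstaller` before step 2 of the installation procedure. The classifier deliberately treats an unsigned package and an unknown output format the same way as a bad signature: the only accepted outcome is the one in which a signature was present and verified against an imported key.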
Before You Begin the Installation
These steps assume you have generated the agent installation package and completed installation prerequisites. See
Generating agent installation packages and Complete the Linux Endpoint Agent Installation Prerequisites.
Install the DLP Agent
Complete the following steps to install the DLP Agent for Linux distributions manually.
1. Open a terminal and go to /opt/temp/LinuxInstaller.
2. Install the Linux agent by running the following command on the target endpoint:
sudo ./install_agent.sh
Endpoint Tools
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
Move these tools to a secure directory. The Endpoint tools work with the keystore file that is found in the Agent Install
directory. The tools and the keystore file must be in the same folder to function properly.
NOTE
Before you copy Endpoint tools to the Agent Install directory on Mac and Linux endpoints, change the
permissions for each tool to be executable.
Each tool requires a password to operate. You enter the Endpoint tools password during the agent packaging process.
You can manage the Endpoint tools password using the Agent Password Management screen.
Generating agent installation packages
About agent password management
The following table lists some of the tasks that you can complete using endpoint tools.
Related Links
Mac endpoint tools features on page 1846
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
Shutting Down the Agent and Watchdog Services on Endpoints
Shut down the agent and watchdog service on endpoints (with administrator rights).
Shutting Down the DLP Agent and Watchdog Services on Windows Endpoints
Use the Service_Shutdown tool to shut down the DLP Agent and watchdog services on Windows endpoints. As a tamper-
proofing measure, it is not possible for a user to individually stop either the DLP Agent or watchdog service. This tool
enables users with administrator rights to stop both Symantec Data Loss Prevention services at the same time.
1. Go to the directory where you installed Symantec Data Loss Prevention.
2. Run the following command:
service_shutdown [-p=password]
where [-p=password] is the Endpoint tools password that you specified during agent packaging. If you do not enter a password, you are prompted for one. The default password is VontuStop. Because the default is published, set a unique tools password during agent packaging or on the Agent Password Management screen; otherwise any local administrator who knows the default can stop the agent.
You must run the Service_Shutdown.exe tool from the same directory as the DLP Agent keystore file.
Shutting Down the DLP Agent Service on Mac Endpoints
Use the Service_Shutdown tool to shut down the DLP Agent service on Mac endpoints. As a tamper-proofing measure,
users cannot stop the DLP Agent service on Mac endpoints. However, an administrator with root access can use the
Service_Shutdown tool to stop the Symantec Data Loss Prevention service.
1. Set the Service_Shutdown tool permissions to be executable.
2. Copy the Service_Shutdown tool to the DLP Agent installation folder on the Mac endpoint.
3. Run the following commands as a root user using the Terminal application:
sudo ./service_shutdown -p=<tools_password>
Shutting Down the DLP Agent Service on Linux Endpoints
Use the service_shutdown.sh tool to shut down the DLP Agent service on supported Linux distribution endpoints. An administrator with root access can use the service_shutdown.sh tool to stop the Symantec Data Loss Prevention service.
1. Set the service_shutdown tool permissions to be executable.
2. Run the following command as a root user:
sudo ./service_shutdown.sh
Running the vontu_sqlite3 Tool on Windows Endpoints
You must have administrator rights to use the tool on Windows endpoints.
1. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
vontu_sqlite3 -db=database_file [-p=password]
where database_file is your database file and password is your specified tools password.
The Symantec Data Loss Prevention database files for Windows agents are located in the DLP Agent installation directory and end in the *.ead extension. After you run the command, you are prompted for your password.
2. Enter the default password VontuStop unless you have already created a unique password.
You are provided with a shell to enter SQL statements to view or update the database. Statements are applied directly to the agent's database, so copy the .ead file before running UPDATE or DELETE statements.
Refer to http://www.sqlite.org/sqlite.html for complete documentation about what commands are available in this shell.
Running the vontu_sqlite3 Tool on Linux Endpoints
You must have sudo access to make changes to the agent database on supported Linux distribution endpoints.
1. Run the following script from the Symantec Data Loss Prevention Agent installation directory (the syntax is the same as on Mac endpoints):
sudo ./vontu_sqlite3 -db=database_file [-p=password]
where database_file is your database file and password is your specified tools password.
The vontu_sqlite3 tool is located at /opt/Manufacturer/EndpointAgent.
Running the Vontu_sqlite3 Tool on Mac Endpoints
You must have root access to make changes to the agent database on Mac endpoints.
1. Set the vontu_sqlite3 tool permissions to be executable.
2. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
sudo ./vontu_sqlite3 -db=database_file [-p=password]
where database_file is your database file and password is your specified tools password.
You run this command using the Terminal application. The vontu_sqlite3 tool is located at /Library/Manufacturer/Endpoint Agent/.
3. Enter the default password VontuStop unless you have already created a unique password.
You are provided with a shell to enter SQL statements to view or update the database.
Refer to http://www.sqlite.org/sqlite.html for complete documentation about what commands are available in this shell.
Related Links
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
Running the Logdump on Windows
You must have administrator rights to use the tool on Windows endpoints.
1. Run the following script from the Symantec Data Loss Prevention Agent installation directory:
logdump -log=log_file [-p=password]
where log_file is the log file you want to view and password is the specified tools password. All Symantec Data Loss Prevention extended log files are present in the Symantec Data Loss Prevention Agent installation directory. The files have names of the form edpa_extfile_number.log. After you run this command, you can see the de-obfuscated log.
NOTE
When using Windows PowerShell to run logdump.exe, quotes are required around the log file argument. For example, run:
logdump "-log=log_file" [-p=password]
2. (Optional) Print the contents of another log from this view.
Running the Logdump on macOS
You must have root access to use the logdump tool on Mac endpoints.
1. Set the logdump tool permissions to be executable.
2. Run the following scripts from the Symantec Data Loss Prevention Agent installation directory:
sudo ./logdump -log=log_file [-p=password]
where log_file is the log file you want to view and password is the specified tools password.
All Symantec Data Loss Prevention extended log files are present in the Symantec Data Loss Prevention Agent
installation directory. The files have names of the form edpa_extfile_number.log. After you run this command, you can
see the de-obfuscated log.
3. (Optional) Print the contents of another log from this view.
Running the logdump on Linux
You must have sudo access to use the logdump tool on supported Linux distribution endpoints.
1. Set the logdump tool permissions to be executable.
2. Run the following script from the Symantec Data Loss Prevention Agent installation directory (the syntax is the same as on Mac endpoints):
sudo ./logdump -log=log_file [-p=password]
where log_file is the log file you want to view and password is the specified tools password.
All Symantec Data Loss Prevention extended log files are present in the Symantec Data Loss Prevention Agent installation directory. The files have names of the form edpa_extfile_number.log. After you run this command, you can see the de-obfuscated log.
3. (Optional) Print the contents of another log from this view.
Printing the Contents of Another Log
Result Description
Volume The volume or mount point that the DeviceID.exe tool found. For example:
Volume: E:\
Dev ID The Device Instance ID for each device. For example:
USBSTOR\DISK&VEN_UFD&PROD_USB_FLASH_DRIVE&REV_1100\5F73HF00Y9DBOG0DXJ
Regex The regular expression that detects exactly that device instance. Each backslash in the Device Instance ID is doubled because a backslash is the escape character in a regular expression; a pattern built from the raw ID would not match the device. For example:
USBSTOR\\DISK&VEN_UFD&PROD_USB_FLASH_DRIVE&REV_1100\\5F73HF00Y9DBOG0DXJ
Using the Windows Device ID utility
Use the Device ID utility to extract Device Instance ID strings and to determine what devices the system can recognize for
detection. You must have administrator rights to use this tool.
About the Device ID utilities
To use the Device ID utility
1. Obtain the DeviceID.exe utility.
This utility is available with the Endpoint Server utilities package.
2. Copy the DeviceID.exe utility to a computer where you want to determine Device IDs.
3. Install the devices you want to examine onto the computer where you copied the DeviceID.exe utility.
For example, plug in one or more USB devices, connect a hard drive, and so forth.
4. Run the DeviceID.exe utility from the command line.
For example, if you copied the DeviceID.exe utility to the C:\temp directory, issue the follow command:
C:\TEMP>DeviceID
The file appears in the C:\temp directory and contains the output from the DeviceID process.
5. View the results of the DeviceID process.
The command prompt displays the results for each volume or mount point.
Windows Device ID utility example output
6. Use the DeviceID utility to evaluate the proposed regex string against a device that is currently connected.
Device ID regex evaluation
7. Use the regular expression patterns to configure endpoint devices for detection.
Using the Mac Device ID utility
Use the Mac Device ID utility to generate regex information. You use this information to allow the copying of sensitive information to company-provided external devices such as USB drives and SD cards.
1. Obtain the DeviceID utility.
This utility is available with the Mac agent tools package.
2. Copy the DeviceID utility to a computer where you want to determine Device IDs.
3. Install the devices you want to examine onto the computer where you copied the DeviceID utility.
For example, plug in one or more USB devices, connect a hard drive, and so on.
4. Run the DeviceID utility from the Terminal application.
For example, if you copied the DeviceID utility to the Downloads directory, issue the following command, where $HOME is your home directory:
$HOME/Downloads/DeviceID
The output displays information for each volume or mount point in the Terminal window.
5. Review the DeviceID process results.
6. Use the regex information to configure endpoint devices for detection.
Table 140:
./DeviceID > deviceids.txt
The tool writes the following information to the deviceids.txt file, based on information gathered from the attached thumb drive:
• Volume: /Volumes/FAT_USB/
• Type (BUS): USB
• Device ID Regex by Vendor: JetFlash&.*
• Device ID Regex by Model: JetFlash&Mass Storage Device&.*
• Device ID Regex by Serial No: JetFlash&Mass Storage Device&79HCSMJ0RYOHT2FE
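The Windows and Mac outputs above differ only in how the ID is delimited, so the regex forms can be built the same way. The following Python module is an added example, not part of the DeviceID utilities, that escapes a Device Instance ID exactly as the Windows utility's Regex column does and derives the vendor, model and serial tiers that the Mac utility prints. The splitting rules (backslash-separated enumerator, device and serial with VEN_ and PROD_ fields on Windows; ampersand-separated vendor, model and serial on Mac) and the whole-string match used to test a pattern are this example's own assumptions; the sample IDs are the ones shown on this page.

```python
"""Build and check device-detection regexes from Device Instance IDs.

Added example, not part of the DeviceID utilities. The IDs are the ones the
utilities print on this page; the splitting rules for the vendor/model/serial
tiers and the whole-string match are this example's own assumptions.
"""
import re
from typing import Dict

# Characters with a special meaning in a regular expression. '&', '_' and
# spaces are ordinary characters and stay as they are, which is why the result
# is identical to the Regex column of DeviceID.exe (re.escape would also
# escape '&').
_META = set(r"\.^$|?*+()[]{}")


def device_id_regex(device_id: str) -> str:
    """Escape a literal Device Instance ID so a pattern matches exactly that device."""
    return "".join("\\" + ch if ch in _META else ch for ch in device_id)


def windows_device_id_regexes(device_id: str) -> Dict[str, str]:
    r"""Vendor, model and serial patterns for ENUMERATOR\DEVICE&VEN_x&PROD_y&REV_z\SERIAL.

    The tiers mirror the three patterns the Mac utility prints: the vendor
    pattern accepts every device from that vendor, the model pattern every
    unit of that product, and the serial pattern only this one unit.
    """
    try:
        enumerator, device, _serial = device_id.split("\\", 2)
    except ValueError:
        raise ValueError(f"not a Windows Device Instance ID: {device_id!r}") from None
    fields = device.split("&")
    vendor_idx = next((i for i, f in enumerate(fields) if f.startswith("VEN_")), None)
    product_idx = next((i for i, f in enumerate(fields) if f.startswith("PROD_")), None)
    if vendor_idx is None or product_idx is None:
        raise ValueError(f"no VEN_/PROD_ fields in {device_id!r}")
    prefix = device_id_regex(enumerator + "\\")
    return {
        "vendor": prefix + device_id_regex("&".join(fields[: vendor_idx + 1])) + "&.*",
        "model": prefix + device_id_regex("&".join(fields[: product_idx + 1])) + "&.*",
        "serial": device_id_regex(device_id),
    }


def mac_device_id_regexes(device_id: str) -> Dict[str, str]:
    """Vendor, model and serial patterns for Vendor&Model&Serial as the Mac utility prints them."""
    try:
        vendor, model, _serial = device_id.split("&", 2)
    except ValueError:
        raise ValueError(f"not a Mac device ID: {device_id!r}") from None
    return {
        "vendor": device_id_regex(vendor) + "&.*",
        "model": device_id_regex(vendor + "&" + model) + "&.*",
        "serial": device_id_regex(device_id),
    }


def regex_matches(pattern: str, device_id: str) -> bool:
    r"""Whole-string match; a pattern that does not compile matches nothing.

    An unescaped Windows ID such as USBSTOR\DISK...\5F73... is not a usable
    pattern: \D is a character class and \5 a back-reference, so it either
    fails to compile or matches something other than the device.
    """
    try:
        return re.fullmatch(pattern, device_id) is not None
    except re.error:
        return False


if __name__ == "__main__":
    win_id = r"USBSTOR\DISK&VEN_UFD&PROD_USB_FLASH_DRIVE&REV_1100\5F73HF00Y9DBOG0DXJ"
    for tier, pattern in windows_device_id_regexes(win_id).items():
        print(f"{tier:7}{pattern}")
    for tier, pattern in mac_device_id_regexes("JetFlash&Mass Storage Device&79HCSMJ0RYOHT2FE").items():
        print(f"{tier:7}{pattern}")
```

Before pasting a pattern into a policy, check it with regex_matches against both the device you want to allow and a device from another vendor: the vendor tier should accept the first and reject the second, and the raw, unescaped ID should match nothing at all. Whether the product anchors its patterns as a whole-string match is not stated on this page, so confirm that against the policy editor.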
• Comments
• InternalName
• CompanyName
• LegalCopyright
• ProductVersion
• FileDescription
• LegalTrademarks
• PrivateBuild
• FileVersion
• OriginalFilename
• SpecialBuild
• PublisherName
4. Retain the application information the tool displays. You use the application information when you add an application
on the Global Application Monitoring screen.
Starting Agents on Mac
Locate the start_agent tool in the /Library/Manufacturer/Endpoint Agent directory on the endpoint. See Generating agent installation packages for more information.
NOTE
You must unzip this file to a Mac endpoint. You cannot use the tool if it is unzipped to a Windows endpoint.
1. Set the start_agent tool permissions to be executable.
2. From the Symantec Data Loss Prevention Agent installation directory, run the following command:
sudo ./start_agent
where the installation directory is the directory where you installed Symantec Data Loss Prevention.
3. Go to the Agent List screen and confirm that the agent is running.
Starting Agents on Linux
3. Go to the Agent List screen and confirm that the agent is running.
Related Links
Using the Agent List screen on page 1969
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
About agent password management on page 330
If you want to uninstall a group of agents, specify the uninstallation password in the agent uninstallation command line.
Enter the following parameter in the uninstallation command line:
UNINSTALLPASSWORD="<password>"
where <password> is the password that you specified in the password generator.
Upgrading agents and uninstallation passwords
When you upgrade agents, the uninstallation password that was previously applied is removed. To apply an uninstallation
password, you enter one during the agent packaging process. You can apply a new password using the Agent Password
Management screen.
Related Links
About agent password management on page 330
About uninstallation passwords on page 329
Generating agent installation packages on page 291
Generate the installation package for DLP Agents on the System > Agents > Agent Packaging screen.
Endpoint Tools on page 319
Work with Symantec DLP Agents using the tools that Symantec Data Loss Prevention provides.
Using the Language Pack Utility
Related Links
About locales on page 331
About support for character sets, languages, and locales on page 101
About locales
Locales are installed as part of a language pack.
A locale provides the following:
• Displays dates and numbers in formats appropriate for that locale.
• Sorts lists and reports based on text columns, such as "policy name" or "file owner," alphabetically according to the
rules of the locale.
An administrator can also configure an additional locale for use by individual users. This additional locale need only be
supported by the required version of Java.
For a list of these locales, see https://www.oracle.com/technetwork/java/javase/java8locales-2095355.html.
You use the Language Pack Utility to specify a locale if one is not specified at product installation time.
Using a non-English language on the Enforce Server administration console
About support for character sets, languages, and locales
NOTE
The addition of multiple language packs could slightly affect Enforce Server performance, depending on the
number of languages and customizations present. This occurs because an additional set of indexes has to be
built and maintained for each language.
WARNING
Do not modify the Oracle database NLS_LANGUAGE and NLS_TERRITORY settings.
About Symantec Data Loss Prevention language packs
About locales
A Symantec Data Loss Prevention administrator specifies which of the available languages is the default system-wide
language.
To choose the default language for all users
1. On the Enforce Server, go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.
2. Scroll to the Language section of the Edit General Settings screen, and click the button next to the language you
want to use as the system-wide default.
3. Click Save.
Individual Symantec Data Loss Prevention users can choose which of the available languages and locales they want to
use by updating their profiles.
Editing a user profile
Administrators can use the Language Pack Utility to update the available languages.
Using the Language Pack Utility
About support for character sets, languages, and locales
NOTE
If the Enforce Server runs on a Linux host, you must install language fonts on the host machine using the Linux
Package Manager application. Language font packages begin with fonts-<language_name>. For example,
fonts-japanese-0.20061016-4.el5.noarch
To display help for the utility, such as the list of valid options and their flags, enter LanguagePackUtility without any
flags.
NOTE
Running the Language Pack Utility causes the SymantecDLPManagerService and
SymantecDLPIncidentPersisterService services to stop for as long as 20 seconds. Any users who are
logged on to the Enforce Server administration console are logged out automatically. When finished making its
updates, the utility restarts the services automatically, and users can log back on to the administration console.
Language packs for Symantec Data Loss Prevention can be obtained from Product Downloads at the Broadcom Support
Portal.
NOTE
Administrators can only make one other locale available for users that is not based on a previously installed
Symantec Data Loss Prevention language pack.
About support for character sets, languages, and locales
Where filename is the fully qualified path and name of the language pack ZIP file.
For example, if the Japanese language pack ZIP file is stored in c:\temp, add it by entering:
LanguagePackUtility -a c:\temp\Symantec_DLP_16.0.1_Japanese.zip
To add multiple language packs during the same session, specify multiple fully qualified file names, separated by spaces, for example:
LanguagePackUtility -a c:\temp\Symantec_DLP_16.0.1_Japanese.zip c:\temp\Symantec_DLP_16.0.1_Chinese.zip
3. Log on to the Enforce Server administration console and confirm that the new language option is available on the Edit
General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.
Where locale is a valid Java locale code corresponding to a Symantec Data Loss Prevention language pack.
For example, to remove the French language pack enter:
LanguagePackUtility -r fr_FR
To remove multiple language packs during the same session, specify multiple locale codes, separated by spaces.
3. Log on to the Enforce Server administration console and confirm that the language pack is no longer available on the
Edit General Settings screen. To do this, go to System > Settings > General > Configure > Edit General Settings.
4. Advise users that anyone currently using the Enforce Server administration console must save their work and log off.
5. Run the Language Pack Utility using the -c flag followed by the Java locale code for the locale that you want to
change or add. Enter:
LanguagePackUtility -c locale
Where locale is a valid locale code that is recognized by Java, such as pt_PT for Portuguese.
For example, to change the locale to Brazilian Portuguese enter:
LanguagePackUtility -c pt_BR
6. Log on to the Enforce Server administration console and confirm that the new alternate locale is now available on the Edit General Settings screen. To confirm the locale, go to System > Settings > General > Configure > Edit General Settings.
If you specify a locale for which there is no language pack, "Translations not available" appears next to
the locale name. This means that formatting and sort order are appropriate for the locale, but the Enforce Server
administration console screens and online Help are not translated.
Related Links
About Symantec Data Loss Prevention language packs on page 331
Post-installation tasks
About post-installation tasks
Backing up your system after installation
About post-installation security configuration
About System Events and Syslog Servers
Enforce Servers and unused NICs
Performing initial setup tasks on the Enforce Server
About updating the JRE to the latest version
About FIPS encryption
Configuring Internet Explorer when using FIPS
A "certificate" is a keystore file used with a keystore password. The terms "certificate" and "keystore file" are often used
interchangeably. By default, all the connections between the Symantec Data Loss Prevention servers, and the Enforce
Server and the browser, use a self-signed certificate. This certificate is securely embedded inside the Symantec Data
Loss Prevention software. By default, every Symantec Data Loss Prevention server at every customer installation uses
this same certificate.
Although the default configuration encrypts all of this traffic, the default certificate is shared by every installation, so it does not identify your servers in particular. Symantec provides the keytool and sslkeytool utilities to replace it with certificates that are unique to your installation:
• The keytool utility generates a new certificate to encrypt communication between your web browser and the Enforce
Server. This certificate is unique to your installation.
About browser certificates
Generating a unique browser certificate
• The sslkeytool utility generates new SSL server certificates to secure communications between your Enforce Server
and your detection servers. These certificates are unique to your installation. The new certificates replace the single
default certificate that comes with all Symantec Data Loss Prevention installations. You store one certificate on the
Enforce Server, and one certificate on each detection server in your installation.
NOTE
Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot use generated certificates with some detection servers and the built-in certificate with other servers.
NOTE
If you install a Network Prevent detection server in a hosted environment, you must generate unique
certificates for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to
communicate with a hosted Network Prevent server.
About the sslkeytool utility and server certificates
Using sslkeytool to generate new Enforce Server and detection server certificates
About post-installation tasks
You may also need to secure communications between Symantec Data Loss Prevention servers and other servers such
as those used by Active Directory or a Mail Transfer Agent (MTA).
A web browser using a secure connection (HTTPS) requires an SSL certificate. The SSL certificate can be self-signed or signed by a certificate authority. The certificate binds the server's public key to the server's name, so the browser can authenticate the server and cache its public key for later connections. Because a certificate signed by a certificate authority that the browser already trusts is accepted automatically, the browser does not issue a warning when you connect to the Enforce Server administration console. With a self-signed certificate, the browser issues a warning and asks if you want to connect.
The default certificate installed with Symantec Data Loss Prevention is a standard, self-signed certificate. This certificate
is embedded securely inside the Symantec Data Loss Prevention software. By default, all Symantec Data Loss Prevention
installations at all customer sites use this same certificate. Symantec recommends that you replace the default certificate
with a new, unique certificate for your organization’s installation. The new certificate can be either self-signed or signed by
a certificate authority.
Generating a unique browser certificate
About server security and SSL/TLS certificates
Generating a unique browser certificate
By default, connections between the Enforce Server and the browser use a single, self-signed certificate. This certificate is
embedded securely inside the Symantec Data Loss Prevention software.
The keytool utility manages keys and certificates. This utility enables users to administer their own public and private key
pairs and associated certificates for use in self-authentication.
1. Collect the following information:
• Common Name: The fully qualified DNS name of the Enforce Server. This must be the actual host name that all clients use to reach the server, not a URL.
For example, enforce.example.com
• Organization Name: The name of your company or organization.
For example, Acme, Inc.
• Organizational unit : The name of your division, department, unit, etc. (Optional)
For example, Engineering
• City: The city, town, or area where you are located.
For example, San Francisco
• State: The name of your state, province, or region.
For example, California or CA
• Country: Your two-letter country code.
For example, US
• Expiration: The certificate expiration time in number of days.
For example: 90
2. Stop all the Symantec DLP services on the Enforce Server.
3. On the Enforce Server, go to a directory based on your platform:
• Windows: C:\Program Files\AdoptOpenJRE\[JRE version]\bin
• Linux: /opt/AdoptOpenJRE/[JRE version]/bin
The keytool software is located in this directory.
4. Use keytool to create the self-signed certificate (keystore file). This keystore file can also be used to obtain a certificate from a certificate authority.
From within the bin directory, run the following command with the information collected earlier. If the /opt/AdoptOpenJRE/[JRE version]/bin directory is not on your path, use ./keytool to run it from the current directory.
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity NNN -storepass protect -ext SAN=dns:common_name -dname "CN=common_name, O=organization_name, OU=organization_unit, L=city, S=state, C=XX"
NOTE
-genkeypair is the current name of the keytool command; the older spelling -genkey is still accepted.
Where:
Where:
• The -alias parameter specifies the name of this certificate key. This name is used to identify this certificate when you run other keytool commands. The value for the -alias parameter must be tomcat.
• The -keystore parameter specifies the name and location of the keystore file, which must be .keystore located in this directory. This is specified by using -keystore .keystore
• The -keyalg parameter specifies the algorithm to be used to generate the key pair. In this case, the algorithm to specify is RSA.
• The -keysize parameter specifies the size of each key to be generated. Use 2048 or larger. Earlier versions of this procedure used 1024, but RSA keys shorter than 2048 bits have been disallowed by NIST SP 800-131A since 2014 and should not be used for a new certificate.
• The -validity parameter specifies the number of days the certificate is good for. For example, -validity 365 specifies that the certificate is good for 365 days (or one year). The number of days you specify is up to you. If a certificate is used for longer than the number of days specified by -validity, the browser reports it as expired when it accesses the Enforce Server administration console. The best practice is to replace a certificate before it expires.
• The -storepass parameter specifies the password used to protect the integrity of the keystore.
If you use a password other than "protect", enter it for the -storepass parameter. You must also set the same password in the following two files; otherwise Tomcat cannot open the keystore and the administration console does not start:
– protect.properties located at ../Protect/config
Update the line com.vontu.manager.tomcat.keystore.password = my_password to replace my_password with your password.
– server.xml located at ../tomcat/conf
Update the attribute keystorePass="my_password" to replace my_password with your password.
• The -ext SAN=dns:common_name parameter adds a subjectAltName extension that carries the same fully qualified DNS name as the CN. Current browsers compare the host name in the URL with the subjectAltName rather than the CN, so if you omit it the browser warns about a name mismatch even though the CN is correct.
• The -dname parameter specifies the X.500 Distinguished Name to be associated with this alias. It is used as the issuer and subject fields in a self-signed certificate. The attributes that follow make up the value of the -dname parameter.
• The CN attribute specifies the fully qualified DNS name of the Enforce Server that you collected in step 1. For example, CN=enforce.example.com
• The O attribute specifies your organization's name. For example, O=Acme Inc.
• The OU attribute specifies your organization's unit or division name. For example, OU=Engineering Department
• The L attribute specifies your city. For example, L=San Francisco
• The S attribute specifies your state or province. For example, S=California
• The C attribute specifies the two-letter country code of your country. For example, C=US
• If you are asked for a keypass password, press Return to make the keypass password the same as the storepass password.
An updated .keystore file is generated.
5. (Optional) Rename or move the existing .keystore file from the conf (\Protect\tomcat\conf for Windows or
protect/tomcat/conf for Linux) directory.
6. Copy the updated .keystore file into the directory for your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\protect
\tomcat\conf
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/tomcat/conf
7. Restart the Symantec DLP services on the Enforce Server.
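The following Python module is an added example, not part of the product, that assembles the keytool command from the values collected in step 1 and then confirms that the keystore password is set in both files named under -storepass. It rejects the inputs that produce a certificate browsers will not trust: a CN that is a URL or a short host name, a country that is not a two-letter code, an RSA key under 2048 bits, and a non-positive validity. The property name com.vontu.manager.tomcat.keystore.password and the keystorePass attribute are taken from the procedure; the host-name rule, the messages and the sample file contents are this example's own.

```python
"""Assemble the keytool command for a unique Enforce Server browser certificate
and confirm the keystore password is wired into both Tomcat configuration files.

Added example, not part of the product. The property name
com.vontu.manager.tomcat.keystore.password and the keystorePass attribute come
from the procedure; the host-name rule, the messages and the sample file
contents are this example's own.
"""
import re
import shlex
from typing import List

MIN_RSA_BITS = 2048  # NIST SP 800-131A disallows shorter RSA keys
# A fully qualified host name: two or more labels of letters, digits and hyphens.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)
_KEYSTORE_PROP = re.compile(r"^\s*com\.vontu\.manager\.tomcat\.keystore\.password\s*=\s*(.*?)\s*$", re.M)
_KEYSTORE_PASS = re.compile(r'keystorePass\s*=\s*"([^"]*)"')


def request_problems(cn: str, country: str, keysize: int, days: int) -> List[str]:
    """Return the reasons a request would yield a certificate browsers reject."""
    problems = []
    if not _FQDN.match(cn):
        problems.append("CN must be the server's fully qualified DNS name, not a URL or short name")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("country must be a two-letter ISO 3166 code such as US")
    if keysize < MIN_RSA_BITS:
        problems.append(f"RSA key must be at least {MIN_RSA_BITS} bits")
    if days <= 0:
        problems.append("validity must be a positive number of days")
    return problems


def _dn_value(value: str) -> str:
    """Escape the characters that separate or quote attributes in an X.500 DN."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def build_keytool_genkeypair(cn: str, org: str, city: str, state: str, country: str,
                             days: int, storepass: str, ou: str = "",
                             keysize: int = MIN_RSA_BITS, keystore: str = ".keystore") -> List[str]:
    """Return the keytool argv for a self-signed browser certificate under alias tomcat.

    The FQDN goes into both the CN and a subjectAltName extension, because
    current browsers match the host name against the SAN, not the CN.
    """
    problems = request_problems(cn, country, keysize, days)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = [("CN", cn), ("O", org)] + ([("OU", ou)] if ou else []) + [("L", city), ("S", state), ("C", country)]
    dname = ", ".join(f"{key}={_dn_value(val)}" for key, val in attrs)
    return ["keytool", "-genkeypair", "-alias", "tomcat", "-keyalg", "RSA",
            "-keysize", str(keysize), "-keystore", keystore, "-validity", str(days),
            "-storepass", storepass, "-keypass", storepass,
            "-ext", f"SAN=dns:{cn}", "-dname", dname]


def keystore_password_problems(protect_properties: str, server_xml: str, storepass: str) -> List[str]:
    """Report each file whose keystore password does not match -storepass."""
    problems = []
    prop = _KEYSTORE_PROP.search(protect_properties)
    if prop is None:
        problems.append("protect.properties: com.vontu.manager.tomcat.keystore.password is missing or commented out")
    elif prop.group(1) != storepass:
        problems.append("protect.properties: keystore password differs from -storepass")
    passwords = _KEYSTORE_PASS.findall(server_xml)
    if not passwords:
        problems.append("server.xml: no keystorePass attribute found")
    elif any(pw != storepass for pw in passwords):
        problems.append("server.xml: keystorePass differs from -storepass")
    return problems


if __name__ == "__main__":
    argv = build_keytool_genkeypair("enforce.example.com", "Acme Inc", "San Francisco",
                                    "California", "US", 365, "protect", ou="Engineering")
    print(shlex.join(argv))  # run this from the JRE bin directory named in step 3
```

Run keystore_password_problems against the contents of protect.properties and server.xml after step 6 and before step 7; an empty list means both files agree with the -storepass value, which is the condition under which Tomcat can open the new keystore when the services restart. shlex.join requires Python 3.8 or later.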
Symantec Data Loss Prevention Services
As an alternative to using a self-signed certificate, you can use a certificate issued by an internal or external certificate authority (CA). Consult your certificate authority for instructions on how to obtain a CA-signed certificate. Generate the signing request from the same keystore, for example with keytool -certreq -alias tomcat -keystore .keystore -file request.csr, so that the signed certificate matches the private key stored under the tomcat alias. Certificate authorities provide a root certificate and a signed certificate. Import the root certificate first (and any intermediate certificate the CA supplies, under its own alias), then the signed certificate, into the Enforce Server keystore using the following commands:
keytool -import -alias root -keystore .keystore -trustcacerts -file root_certificate
keytool -import -alias tomcat -keystore .keystore -trustcacerts -file signed_certificate
About server security and SSL/TLS certificates
Symantec Data Loss Prevention Directory and File Exclusion from Antivirus Scans
Exclude directories from antivirus scanning to ensure that Symantec Data Loss Prevention functions as expected.
If you are running on the Windows platform and using antivirus software, also exclude the following OCR directory from antivirus scanning, if it is present:
C:\SymantecDLPOCR\
Consult your antivirus software documentation for information on how to exclude directories and files from antivirus scans.
About Symantec Data Loss Prevention and antivirus software
Platform Directory
Windows
\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs (also exclude its subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\scan
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\temp
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\work
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index
Linux
/var/log/Symantec/DataLossPrevention (also exclude its subdirectories)
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/scan
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/temp (also exclude its subdirectories)
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/temp
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/work
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/incidents
/var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index
Related Links
Oracle directory and file exclusion from antivirus scans on page 341
• Windows:
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\drop
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\spool\ICAP
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\spool\PacketCapture
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\incidents
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\index
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
– \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\temp
• Linux:
– /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect
– /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/temp
Also exclude subdirectories from antivirus scanning.
– /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/drop
– /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/icap_spool
– /var/spool/Symantec/DataLossPrevention/DetectionServer/16.0.10000/packet_spool
– /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/incidents
– /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/index
Ignite directories:
• Windows:
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\IgniteStorage
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\IgniteWork
• Linux:
– /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/IgniteStorage
– /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/IgniteWork
When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software
as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss
Prevention servers.
Using your antivirus software, exclude the following Oracle directories from antivirus scanning:
• Windows:
– C:\app\Administrator\oradata\protect
– C:\app\Administrator\product\<version>\dbhome_1
Where <version> is the Oracle software version you are running.
• Linux:
– /opt/oracle/oradata/protect
– /opt/oracle/product/<version>/db_1
Where <version> is the Oracle software version you are running.
Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories.
Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus
scanning. Use OEM to view the location of the following database files:
• Data files, which have the file extension *.DBF
• Control files, which have the file extension *.CTL
• The REDO.LOG file
Exclude all the directories with these files from antivirus scanning.
About Symantec Data Loss Prevention and antivirus software
Symantec Data Loss Prevention Directory and File Exclusion from Antivirus Scans
About post-installation tasks
• Alerter
• COM+ Event System
• DCOM Server Process Launcher
• Defwatch for Symantec (may not always be present)
• DNS Client
• Event log
• Interix Subsystem Startup (for UNIX Services for Windows for RAs)
• IPSEC Services
• Logical Disk Manager
• Network connections
• OracleOraDb11g_home1TNSListener
The service name is different if you use a non-default Oracle home directory.
• OracleServicePROTECT (on the Enforce Server only)
• Plug and play
• Protected Storage
• Remote procedure call (RPC)
• Removable Storage
• Security Accounts Manager
• Server (required only for Enforce if EDMs are used)
• Symantec AntiVirus
• System Event Notification
• Task Scheduler
• TCP/IP NetBIOS Helper Service
• Terminal Services
• User Name Mapping (for UNIX Services for Windows for RAs)
• SymantecDLPIncidentPersisterService (for Enforce Server only)
• SymantecDLPManagerService (for Enforce Server only)
• SymantecDLPDetectionServerService (for detection servers only)
• SymantecDLPNotifierService (for Enforce Server only)
• Windows Management (Instrumentation)
• Windows Management (Instrumentation Driver Extensions Workstation)
• Windows Time (required if no alternative Enforce/detection server system clock synchronization is implemented)
• Workstation (required for Alerter Service)
The following Windows services should be disabled:
• Dist. File System
• Dist. Link Tracking Client
• Dist. Link Tracking Server
• Dist. Transaction Coordinator
• Error Reporting Service
• Help & Support
• Messenger
• Print Spooler
• Remote Registry
• Wireless Config
Consult your Windows Server documentation for information on these services.
Windows Administrative security settings
The following tables provide recommended administrative settings available on a Microsoft Windows system for additional
security hardening.
Consult your Windows Server documentation for information on these settings.
The Local Policy settings are described in the following tables:
Table 144: Security settings > Account Policies > Account Lockout Policy
Table 145: Security settings > Account Policies > Password Policy
Table 146: Security settings > Local Policies > Audit Policy
Table 147: Security settings > Local Policies > User rights assignment
User rights assignment Recommended security settings
Table 148: Security settings > Local Policies > Security options
Security options Recommended security settings
On the Enforce Server \Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\protect\config\model.properties file:
model.notification.host=IP
model.notification.serverobject.host=IP
Add SQL*Plus to the SymantecDLP user path
1. On the Enforce Server host computer, log in as the SymantecDLP user.
su - protect
To enable TLS 1.0 protocol support in Internet Explorer:
1. Go to Tools > Internet Options.
2. Go to the Advanced tab.
3. Scroll down to the Security settings.
4. Make sure that the following check boxes are selected: Use SSL 2.0, Use SSL 3.0, and Use TLS 1.0.
5. Click Apply.
6. Click OK.
Internet Explorer on all computers that access the Enforce Server must be configured to use the TLS 1.0 protocol.
All Windows computers that access the Enforce Server administration console with an Internet Explorer browser
must be configured for FIPS compliance.
To enable FIPS compliance in Windows
1. Open the Windows Control Panel.
2. Double-click Administrative Tools.
3. Double-click Local Security Policy.
4. In the Local Security Settings, double-click Local Policies.
5. Double-click Security Options.
6. In the Policy pane on the right, double-click System cryptography: Use FIPS compliant algorithms for encryption,
hashing, and signing.
7. Choose the Enabled radio button and then click Apply.
Upgrading DLP
Upgrade the Enforce Server, detection servers, and DLP Agents.
Preparing to upgrade
Upgrading to a new release
Upgrading Symantec DLP Agents
Post-upgrade tasks
Symantec Data Loss Prevention upgrade troubleshooting and recovery
Preparing to upgrade
Learn about preparing to upgrade the Enforce Server and detection servers.
Preparing to Upgrade Symantec Data Loss Prevention
Symantec Data Loss Prevention Upgrade Phases
Minimum System Requirements for Upgrading to the Current Release
Requirement for Language Pack Upgrades
Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade
Enabling Network Detection Uptime Protection
Backward Compatibility for Agent Upgrades
Upgrade Requirements and Restrictions
Preparing your system for the upgrade
Deleting ICT components from the Enforce Server
Preparing Your Environment for Microsoft Rights Management File Monitoring
Related Links
Symantec Data Loss Prevention Upgrade Phases on page 352
Complete the upgrade in the phases that are described in the following sections.
Upgrade Requirements and Restrictions on page 366
– Windows
– Linux
Related Links
Requirement for Language Pack Upgrades on page 354
Symantec Data Loss Prevention requires version-specific language packs.
Preparing to Upgrade Symantec Data Loss Prevention on page 351
Prepare to upgrade Symantec Data Loss Prevention by reviewing new features, upgrading components to the minimum
version, and backing up your database.
Preparing the Oracle Database for a Symantec Data Loss Prevention Upgrade
The following Oracle-related preparations must be made before you upgrade the Symantec Data Loss Prevention
database schema for version 16.0.1:
1. Back up the Oracle database before you start the upgrade. You cannot recover from an unsuccessful upgrade
without a backup of your Oracle database. See Maintaining the DLP System.
2. Run the Update Readiness Tool to confirm that the Oracle database is ready to upgrade to Symantec Data Loss
Prevention version 16.0.1. See Checking the database update readiness.
3. Set ORACLE_HOME and PATH variables. See Setting ORACLE_HOME and PATH variables.
4. Confirm that the database user has permissions to connect to the Enforce Server. See Confirming the Oracle
database user permissions.
• Oracle version
• Oracle patches
• Permissions
• Tablespaces
• Existing schema against standard schema
• Real Application Clusters
• Change Data Capture
• Virtual columns
• Partitioned tables
• Numeric overflow
• Temp Oracle space
• Policy size
Table 150: Using the Update Readiness Tool lists tasks you complete to run the tool.
1. Prepare to run the Update Readiness Tool. See Preparing to Run the Update Readiness Tool.
2. Create the Update Readiness Tool database account. See Creating the Update Readiness Tool database account.
3. Run the tool. You can run the tool for the following scenarios:
• From the command line on the Enforce Server host computer. See Running the Update Readiness Tool at the
Command Line.
• For Amazon RDS for Oracle. See the "Preparing the Amazon RDS for Oracle for upgrade" topic in the Symantec
Data Loss Prevention Help for information. See Preparing the Amazon RDS for Oracle for a Symantec Data Loss
Prevention Upgrade.
4. Review the update readiness results. See Reviewing Update Readiness Results.
Preparing the Update Readiness Tool includes downloading the tool and moving it to the Enforce Server.
1. Obtain the current version of the tool from Product Downloads at the Broadcom Support Portal.
The current version of the Update Readiness Tool includes important fixes and improvements, and should be the
version that you use before attempting any upgrade.
Symantec recommends that you download the tool to a directory based on your platform:
• Windows: DLPDownloadHome\DLP\16.0.1\
• Linux: DLPDownloadHome/DLP/16.0.1/
NOTE
Review the Readme file that is included with the tool for a list of Symantec Data Loss Prevention versions
the tool can test.
2. Confirm that sufficient disk space is available on the server where the database is running. This check is needed if
you plan to analyze data during the Update Readiness Tool test.
See Estimate the database system hard drive space.
3. Log on as Administrator to the database server system.
4. Confirm the following prerequisites if you are running a three-tier deployment:
• You are running the same Oracle Client version as the Oracle Server version.
If the versions do not match, the Oracle Client cannot connect to the database, which causes the Update
Readiness Tool to fail.
• The Oracle Client is installed as Administrator.
If the Oracle Client is not installed as Administrator, reinstall it and select Administrator on the Select Installation
Type panel. Selecting Administrator enables the command-line clients, expdp and impdp.
5. Shut down all but one instance of the database on RAC nodes if you are upgrading on a system that uses Oracle
RAC.
6. Stop Oracle database jobs if your database has scheduled jobs.
See Stopping Oracle database jobs.
7. Check policy size to ensure past version agents receive policy updates.
See Checking Policy Size for DLP 15.x Agent Compatibility.
8. Unzip the Update_Readiness_Tool.zip file, and then copy the contents of the unzipped folder to the following
location (based on your platform):
• Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.1.00000\Protect\Migrator\URT\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/Migrator/URT/
NOTE
The contents of the tool folder must reside directly in the URT folder as specified.
During the upgrade process, the Migration Utility runs the Update Readiness Tool from this location.
Related Links
Checking the database update readiness on page 354
Running the Update Readiness Tool at the Command Line on page 361
exclude=TABLE: \"IN\(\'MESSAGELOB\',\'MESSAGECOMPONENTLOB\',\'CONDITIONVIOLATIONLOB\',\'AGENTEVENT\',
\'SYSTEMEVENT\',\'SYSTEMEVENTPARAMETER\'\)\"
• Linux:
expdp protect/<DLP schema password>@protect
NOLOGFILE=YES
ESTIMATE_ONLY=YES
schemas=protect
exclude=TABLE:\"IN\(\'MESSAGELOB\',\'MESSAGECOMPONENTLOB\',\'CONDITIONVIOLATIONLOB\',\'AGENTEVENT\',
\'SYSTEMEVENT\',\'SYSTEMEVENTPARAMETER\'\)\"
Where <DLP schema password> is the Symantec Data Loss Prevention schema password.
The command returns details about the estimated space required to export LOB data from the production database.
2. Confirm whether the space on the hard drive on the system where you plan to run the Update Readiness Tool is
sufficient to perform the data export.
Stopping Oracle database jobs
If your database has scheduled jobs, you must unschedule them and clear the jobs queue before you run the Update
Readiness Tool and start the migration process. After the jobs are unscheduled and the jobs queue is clear, you can run
the Update Readiness Tool and continue your migration.
1. Log on to SQL*Plus using the Symantec Data Loss Prevention database user name and password.
2. Run the following:
BEGIN
FOR rec IN (SELECT * FROM user_jobs) LOOP
dbms_job.broken( rec.job, true);
dbms_job.remove( rec.job);
END LOOP;
END;
/
Confirm that the count is zero. If the count is not zero, run the command to clear the queue again. If a job is running
when you attempt to clear the queue, the job continues to run until it completes and is not cleared. For long running
jobs, Symantec recommends that you wait for the job to complete instead of terminating the job.
4. Exit SQL*Plus.
Checking Policy Size for DLP 15.x Agent Compatibility
Check policy size using the URT to ensure past version agents receive policy updates.
Starting with version 16.0, Symantec Data Loss Prevention features a high-performance and memory-efficient policy
evaluation engine. You can now create complex policies with many compound exceptions without adversely impacting
memory or performance. In the case of endpoint detection, you can create policies that use rules that target specific
components (such as body or attachment). The new engine helps reduce false positives, thereby increasing policy
accuracy and effectiveness.
The memory-efficient policy evaluation engine requires more memory than policies created with DLP 15.x. The 16.0 and
later detection server prevents 15.x DLP Agents from running out of memory by reviewing policy size before sending
policies to 15.x DLP Agents. In the event the aggregate size of all policies targeted at an Endpoint Server exceeds a
threshold (the default threshold is 400 MB), policy updates are not sent to 15.x agents. A system event is generated on
the Enforce Server and detail is logged on the Endpoint Server.
NOTE
Symantec strongly recommends upgrading DLP Agents to version 16.0 to benefit from the new policy evaluation
engine.
Symantec recommends that you re-run the URT with the --policy_size parameter if the policy log (generated using the
--quick parameter) lists detection servers with policies that exceed the threshold and have 15.x agents connected to
them.
Do not use the --policy_size parameter with any other options. While the URT is generally run before the upgrade, it
can be invoked after upgrading with the --policy_size parameter on a version 16.0 or later Enforce Server to identify an
individual policy (or policies in a policy group) that exceed the threshold. By using --policy_size, all other URT checks
are disabled. Using the --policy_size parameter ensures the report only lists policy info.
Figure 6: Detailed breakdown of policy size when using --policy_size includes a detailed breakdown of all active policies
ordered by size and detection server. Use this log to identify which policies, individually or collectively, are not sent to 15.x
agents because they exceed the threshold.
Figure 6: Detailed breakdown of policy size when using --policy_size
If the aggregate size of all policies sent to the legacy agents exceeds the threshold, Symantec recommends that you
reduce the policy size by removing compound exceptions.
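The check described above (aggregate policy size per Endpoint Server against the 400 MB default threshold, with a breakdown ordered by size like the one the --policy_size run produces) can be modelled on sample data. The following is an added example written for this page, not code from the Symantec DLP product or its documentation. It assumes that policy sizes in bytes and the set of policies targeted at each Endpoint Server are already known; the server names, policy names, sizes and agent-version flags are constructed sample values.

```python
"""Added example (not from the Symantec DLP documentation): reproduce the
15.x-agent policy-size check on constructed data.

Assumptions: each Endpoint Server knows the policies targeted at it, each
policy has a size in bytes, and whether any 15.x agent is connected is known.
Only the 400 MB default threshold comes from the page."""
from dataclasses import dataclass, field
from typing import List

MB = 1024 * 1024
DEFAULT_THRESHOLD = 400 * MB    # documented default aggregate threshold


@dataclass
class Policy:
    name: str
    size_bytes: int


@dataclass
class EndpointServer:
    name: str
    policies: List[Policy]
    has_15x_agents: bool        # True when at least one 15.x DLP Agent reports to this server


@dataclass
class SizeReport:
    server: str
    aggregate_bytes: int
    over_threshold: bool
    updates_withheld: bool      # over threshold AND 15.x agents present: no policy updates for them
    excess_bytes: int           # how much the aggregate must shrink to pass
    ranked: List[Policy] = field(default_factory=list)   # largest policy first


# Constructed sample servers (names, policies and sizes are invented).
SAMPLE_SERVERS = [
    EndpointServer("endpoint-east",
                   [Policy("PCI Cardholder Data", 250 * MB), Policy("HR Records", 180 * MB)],
                   has_15x_agents=True),
    EndpointServer("endpoint-west",
                   [Policy("PCI Cardholder Data", 250 * MB), Policy("Source Code", 60 * MB)],
                   has_15x_agents=True),
    EndpointServer("endpoint-lab",
                   [Policy("Everything Compound", 420 * MB)],
                   has_15x_agents=False),
]


def check_policy_size(servers: List[EndpointServer],
                      threshold: int = DEFAULT_THRESHOLD) -> List[SizeReport]:
    """Aggregate policy size per Endpoint Server, rank the policies by size and
    flag servers whose 15.x agents would receive no policy updates because the
    aggregate exceeds the threshold (strictly greater, as 'exceeds' implies)."""
    reports = []
    for srv in servers:
        total = sum(p.size_bytes for p in srv.policies)
        over = total > threshold
        reports.append(SizeReport(
            server=srv.name,
            aggregate_bytes=total,
            over_threshold=over,
            updates_withheld=over and srv.has_15x_agents,
            excess_bytes=max(0, total - threshold),
            ranked=sorted(srv.policies, key=lambda p: p.size_bytes, reverse=True),
        ))
    return reports


def describe(report: SizeReport) -> str:
    """One-line summary per server, followed by the ranked breakdown."""
    state = ("UPDATES WITHHELD from 15.x agents" if report.updates_withheld
             else "over threshold, no 15.x agents" if report.over_threshold
             else "ok")
    lines = [f"{report.server}: {report.aggregate_bytes / MB:.0f} MB aggregate, "
             f"{report.excess_bytes / MB:.0f} MB excess, {state}"]
    lines += [f"    {p.size_bytes / MB:.0f} MB  {p.name}" for p in report.ranked]
    return "\n".join(lines)


if __name__ == "__main__":
    for rep in check_policy_size(SAMPLE_SERVERS):
        print(describe(rep))
```

The `excess_bytes` figure is what the compound-exception cleanup has to recover on that server; the authoritative breakdown still comes from running the URT with --policy_size, this script only models the arithmetic so the threshold logic is explicit.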
Finding Non-BMP Unicode Characters in Policies
Non-BMP Unicode characters are not supported in policies that detect on text. Follow these steps to remove them using
the URT.
1. Set the --nonbmp_validation parameter in the URT before updating. For example,
UpdateReadinessTool --username <username> --password <password> --service_name <service_name> --readiness_username <readiness_username> --readiness_password <readiness_password> --target_version <target version> [--data_pump <DATA_PUMP_DIR>] [--data] [--quick] [--skip_export] [--skip_import] [--no_verbose] [--policy_size | --nonbmp_validation]
2. Run the URT to identify non-BMP characters in policies and data identifiers. You can view the Non-BMP Validation
Report to determine which policies contain non-BMP characters.
3. Remove the non-BMP characters from policies and data identifiers. If non-BMP characters remain in policies, the
upgrade fails.
4. Rerun the Update Readiness Tool to confirm that all non-BMP characters have been removed from policies and data
identifiers.
For more information on how non-BMP characters are handled in Data Loss Prevention 16.0.1, see Handling Non-BMP
Unicode Characters in Data Loss Prevention 16.0.1.
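A non-BMP character is any code point above U+FFFF (emoji, some CJK extension ideographs, historic scripts). The following added example, written for this page and not part of the Symantec DLP product or the URT, shows how such characters can be located in policy keyword and data identifier strings before the --nonbmp_validation run, so the offending entries can be corrected in the console. The policy names and keyword strings are constructed sample data.

```python
"""Added example (not from the Symantec DLP documentation): locate non-BMP
Unicode characters in policy text.

The rule implemented here is the one stated on the page: characters outside
the Basic Multilingual Plane (code point > U+FFFF) are not supported in
policies that detect on text. Sample policies below are constructed."""
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample: policy name -> keyword or pattern strings (not real DLP policy content).
SAMPLE_POLICIES: Dict[str, List[str]] = {
    "Customer PII": ["social security", "date of birth", "passport number"],
    "Source Code Markers": ["BEGIN RSA PRIVATE KEY", "ssh-rsa", "API_KEY="],
    "Marketing Drafts": ["launch \U0001F680 plan", "confidential"],   # U+1F680 ROCKET is outside the BMP
    "CJK Extension B Terms": ["\U00020000", "\u4e2d\u6587"],          # U+20000 is non-BMP; U+4E2D U+6587 are BMP
}


def find_non_bmp(text: str) -> List[Tuple[int, str, str]]:
    """Return (offset, character, Unicode name) for each code point above U+FFFF.
    A Python str holds whole code points, so ord() is the complete test; no
    surrogate-pair handling is needed here."""
    return [(i, ch, unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(text) if ord(ch) > 0xFFFF]


def validate_policies(policies: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each offending policy to human-readable findings; an empty dict means
    every policy is clean with respect to this check."""
    report: Dict[str, List[str]] = {}
    for name, entries in policies.items():
        for entry in entries:
            for offset, ch, uname in find_non_bmp(entry):
                report.setdefault(name, []).append(
                    f"{entry!r}: U+{ord(ch):06X} {uname} at offset {offset}")
    return report


def strip_non_bmp(text: str) -> str:
    """Drop non-BMP characters, to preview what a corrected keyword would look like."""
    return "".join(ch for ch in text if ord(ch) <= 0xFFFF)


if __name__ == "__main__":
    for policy, findings in validate_policies(SAMPLE_POLICIES).items():
        print(policy)
        for line in findings:
            print("  " + line)
```

Strings exported from the product as UTF-16 would carry each non-BMP character as a surrogate pair; decode them to a Python str first (for example with `bytes.decode("utf-16")`), and the same `ord()` test applies.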
Creating the Update Readiness Tool database account
Before you can run the Update Readiness Tool, you must create a database account.
1. Navigate to the folder where you extracted the Update Readiness Tool (\script on Windows, /script on Linux).
2. Start SQL*Plus:
sqlplus /nolog
3. Run the oracle_create_user.sql script:
@oracle_create_user.sql
4. At the Please enter the password for sys user prompt, enter the password for the SYS user.
5. At the Please enter Service Name prompt, enter a service name for the Oracle Service Name.
6. At the Please enter required username to be created prompt, enter a name for the new upgrade readiness
database account.
7. At the Please enter a password for the new username prompt, enter a password for the new upgrade readiness
database account.
Use the following guidelines to create an acceptable password:
• Passwords cannot contain more than 30 characters.
• Passwords cannot contain double quotation marks, commas, or backslashes.
• Avoid using the & character.
• Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration
setting.
• If your password uses special characters other than _, #, or $, or if your password begins with a number, you must
enclose the password in double quotes when you configure it.
Store the user name and password in a secure location for future use. You use this user name and password to run
the Update Readiness Tool.
8. As the database sysdba user, grant permission to the Symantec Data Loss Prevention schema user name for the
following database objects.
Run the following command if you are running the Oracle database in a non-RAC environment:
sqlplus sys/<password> as sysdba
GRANT READ,WRITE ON directory DATA_PUMP_DIR TO [schema user name];
GRANT SELECT ON dba_registry_history TO [schema user name];
GRANT SELECT ON dba_temp_free_space TO [schema user name];
9. Run the following command if you are running the Oracle database in a RAC environment:
sqlplus sys/<password>@<RAC node ip>:1521/protect as sysdba
GRANT READ,WRITE ON directory DATA_PUMP_DIR TO [schema user name];
10. Confirm that the password for the new upgrade readiness database account is compatible with the expdp and impdp
commands by running the following command:
expdp <oracle_username>/<password>@<oracle_service_name> dumpfile=sandbox.dmp schemas=<oracle_username>
content=metadata_only directory=<dpdir> logfile=exp_sandbox.log reuse_dumpfiles=y exclude=grant
If the command returns password errors, create a password that meets both Oracle password and EXPDP/IMPDP
password requirements (expdp/impdp are OS commands).
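The password guidelines in step 7 can be checked before the account is created rather than discovered through a failed expdp run in step 10. The following is an added example written for this page, not a Symantec DLP or Oracle utility; it encodes exactly the five bullets above (30-character limit, no double quotation marks, commas or backslashes, avoid &, and quoting when special characters other than _, #, $ are used or the password starts with a digit). The function names and the sample passwords in the test are assumptions of this example.

```python
"""Added example (not from the Symantec DLP documentation): check a candidate
Update Readiness Tool account password against the guidelines on the page.

Rules are the five bullets from the documentation; everything else here
(names, structure) is this example's own."""
from dataclasses import dataclass, field
from typing import List

MAX_LENGTH = 30
FORBIDDEN = {'"': "double quotation mark", ",": "comma", "\\": "backslash"}
UNQUOTED_SPECIALS = set("_#$")     # special characters that need no quoting


@dataclass
class PasswordCheck:
    errors: List[str] = field(default_factory=list)      # violates a hard rule
    warnings: List[str] = field(default_factory=list)    # allowed but discouraged
    needs_quotes: bool = False                           # must be wrapped in "..." when configured

    @property
    def acceptable(self) -> bool:
        return not self.errors


def check_readiness_password(password: str) -> PasswordCheck:
    result = PasswordCheck()
    if len(password) > MAX_LENGTH:
        result.errors.append(f"longer than {MAX_LENGTH} characters ({len(password)})")
    for ch, label in FORBIDDEN.items():
        if ch in password:
            result.errors.append(f"contains a {label}")
    if "&" in password:
        result.warnings.append("contains '&', which the guidelines say to avoid")
    # Any special character other than _ # $ , or a leading digit, forces quoting.
    other_specials = {c for c in password if not c.isalnum()} - UNQUOTED_SPECIALS
    if other_specials or password[:1].isdigit():
        result.needs_quotes = True
    return result


def as_configured(password: str) -> str:
    """Return the form to use where the password is configured: quoted only
    when the guidelines require it. Raises ValueError for an unacceptable password."""
    check = check_readiness_password(password)
    if not check.acceptable:
        raise ValueError("; ".join(check.errors))
    return f'"{password}"' if check.needs_quotes else password


if __name__ == "__main__":
    for candidate in ("Readiness_2024", "2024Readiness", "Read,iness", "Read&iness"):
        c = check_readiness_password(candidate)
        print(f"{candidate!r}: acceptable={c.acceptable} needs_quotes={c.needs_quotes} "
              f"errors={c.errors} warnings={c.warnings}")
```

Case sensitivity is deliberately not modelled: the page says it depends on an Oracle configuration setting, so it is a property of the database, not of the string.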
Table 151: Parameters for the expdp and impdp compatibility command
Parameter Value
Related Links
Preparing to Run the Update Readiness Tool on page 355
Checking the database update readiness on page 354
You can run the Update Readiness Tool from the command prompt on the database server host computer.
Disable all instances of the DLP database on all but one RAC node if you are upgrading on a system that uses Oracle
RAC. Also, run the tool on the active RAC node. Restore instances once the tool has completed running.
NOTE
The steps assume that you have logged on as the administrator user (for Windows) or as root (for Linux) to the
computer where you run the Update Readiness Tool.
1. Open a command prompt window.
2. Go to the URT directory:
• Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.1.00000\Protect\Migrator\URT
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/Migrator/URT
3. Run the Update Readiness Tool using the following command:
For Windows
For Linux
The <JRE version> represents the OpenJRE version running on your system.
Table 152: Update Readiness Tool Command Line Parameters identifies the command-line parameters:
Table 152: Update Readiness Tool Command Line Parameters
Parameter Description
--skip_export This optional parameter prevents the Update Readiness Tool from exporting from the
Symantec Data Loss Prevention schema during the Update Readiness Tool test.
Use this parameter for the following scenarios:
• If you have already created an export DMP file.
• If you plan to export data manually.
--skip_import This optional parameter prevents the Update Readiness Tool from importing data to
the Update Readiness Tool schema during the Update Readiness Tool test.
Use this parameter if you plan to import the data manually.
--no_verbose This optional parameter prevents extra logging details from appearing with the
Update Readiness Tool test command prompt results.
--quick This optional parameter runs the database object check, lists Endpoint Servers and
their associated policies, but skips the update readiness test.
Checking Policy Size for DLP 15.x Agent Compatibility
--policy_size This optional parameter returns a detailed list of policies, policy size, associated
detection servers, and information about individual policies.
When you use this parameter, all other URT checks are disabled.
Checking Policy Size for DLP 15.x Agent Compatibility
--nonbmp_validation This optional parameter returns a list of policies that contain Non-BMP Unicode
characters.
When you use this parameter, the URT creates a separate log file for your review.
Finding Non-BMP Unicode Characters in Policies
Handling Non-BMP Unicode Characters in Data Loss Prevention 16.0.1
Related Links
Preparing to Run the Update Readiness Tool on page 355
Reviewing Update Readiness Results on page 363
Reviewing Update Readiness Results
After the test completes, you can locate the results in a log file in the /output/output directory. This directory is located
where you extracted the Update Readiness Tool (URT). If you do not include --quick when you run the tool, the test may
take up to an hour to complete. You can verify the status of the test by reviewing log files in the /output/output
directory.
NOTE
Symantec recommends that you contact Support prior to upgrading your system to review the URT results.
Status Description
Pass Items that display under this section are confirmed and ready for update.
Warning If not fixed, items that display under this section may prevent the database from upgrading properly.
Error These items prevent the upgrade from completing and must be fixed.
Related Links
Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter" on page 363
Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter"
When running the Update Readiness Tool before an upgrade from Symantec Data Loss Prevention 14.6 to the current
version, the tool returns results in its log file with the error below.
Start: Data Foreign Key Constraint Validation - [date and time] Data violations are detected on your schema,
please use the below query(s) to retrieve the invalid data.
SELECT DISTINCT protocolFilterId AS "PROTOCOLFILTERID" FROM ENDPOINTPROTOCOLFILTER
WHERE protocolFilterId IS NULL OR protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
End : Data Foreign Key Constraint Validation - elapsed 0s - FAILED (1 violation)
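Reading a long URT log by eye is error-prone, and the status table above is what matters before an upgrade: which checks are errors that block it. The following added example, written for this page and not part of the URT, parses the Start/End blocks of the log into those Pass / Warning / Error statuses and pulls out the repair queries the tool prints. The failing block in the sample is the documented EndPointProtocolFilter error; the passing and warning blocks, the exact PASSED / WARNING wording, and the assumption that the Start line carries a two-token date and time are constructed for the example.

```python
"""Added example (not from the Symantec DLP documentation): summarize URT log
output into the documented Pass / Warning / Error statuses.

Assumptions: checks are bracketed by 'Start: <name> - <date> <time> ...' and
'End : <name> - elapsed <t> - <VERDICT> (<n> ...)' lines; FAILED maps to Error.
The PASSED and WARNING lines are constructed, only the FAILED block is quoted
from the page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = """\
Start: Oracle Version Check - 2024-01-01 10:00:00
End : Oracle Version Check - elapsed 0s - PASSED
Start: Data Foreign Key Constraint Validation - 2024-01-01 10:00:01 Data violations are detected on your schema,
please use the below query(s) to retrieve the invalid data.
SELECT DISTINCT protocolFilterId AS "PROTOCOLFILTERID" FROM ENDPOINTPROTOCOLFILTER
WHERE protocolFilterId IS NULL OR protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
End : Data Foreign Key Constraint Validation - elapsed 0s - FAILED (1 violation)
Start: Temp Oracle Space Check - 2024-01-01 10:00:02
End : Temp Oracle Space Check - elapsed 1s - WARNING (2 warnings)
"""

START_RE = re.compile(r"^Start:\s*(?P<name>.+?)\s+-\s+(?P<rest>.*)$")
END_RE = re.compile(
    r"^End\s*:\s*(?P<name>.+?)\s+-\s+elapsed\s+(?P<elapsed>\S+)\s+-\s+"
    r"(?P<verdict>PASSED|FAILED|WARNING)(?:\s*\((?P<count>\d+)[^)]*\))?")
VERDICT_TO_STATUS = {"PASSED": "Pass", "FAILED": "Error", "WARNING": "Warning"}


@dataclass
class CheckResult:
    name: str
    status: str                 # "Pass", "Warning" or "Error", as in the documented table
    count: int = 0              # violations / warnings reported on the End line
    elapsed: str = ""
    message: str = ""           # free text between Start and End
    queries: List[str] = field(default_factory=list)   # SELECT statements the tool printed


def parse_urt_log(text: str) -> List[CheckResult]:
    results: List[CheckResult] = []
    current = ""
    message_parts: List[str] = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = m.group("name")
            # Anything after the date and time tokens on the Start line is part of the message.
            rest = m.group("rest").split(maxsplit=2)
            message_parts = [rest[2]] if len(rest) > 2 else []
            continue
        m = END_RE.match(line)
        if m and m.group("name") == current:
            body = " ".join(message_parts)
            results.append(CheckResult(
                name=current,
                status=VERDICT_TO_STATUS[m.group("verdict")],
                count=int(m.group("count") or 0),
                elapsed=m.group("elapsed"),
                message=body,
                queries=[q.strip() for q in re.findall(r"SELECT\b.*?;", body, re.I | re.S)],
            ))
            current = ""
            continue
        if current:
            message_parts.append(line.strip())
    return results


def summarize(results: List[CheckResult]) -> Dict[str, int]:
    counts = {"Pass": 0, "Warning": 0, "Error": 0}
    for r in results:
        counts[r.status] += 1
    return counts


def blocking_checks(results: List[CheckResult]) -> List[str]:
    """Names of checks that prevent the upgrade from completing."""
    return [r.name for r in results if r.status == "Error"]


if __name__ == "__main__":
    parsed = parse_urt_log(SAMPLE_LOG)
    print(summarize(parsed))
    for r in parsed:
        print(f"{r.status:8} {r.name} (count={r.count})")
        for q in r.queries:
            print("    " + q)
```

Run it over the real /output/output log before contacting Support; the queries it extracts are the ones the tool itself suggests for retrieving the invalid rows, so they can be handed to the DBA as-is.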
Complete the following steps to resolve the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter":
1. Run the following command to create a data backup:
create table EndpointProtocolFilter_nomatch as
select * from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId FROM
AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
2. Run the following command to confirm the record count:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId
FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
3. Note the record count.
4. Run the following command to delete data that causes the upgrade to fail:
DELETE FROM EndpointProtocolFilter WHERE protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
5. Confirm that the number of records deleted matches the record count. See step 3. If the record counts do not match,
contact Symantec Support.
6. Run the following command to complete the delete operation:
commit;
7. Run the following command to confirm that the number of records match:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId
FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
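The seven steps above follow a backup, count, delete, compare, commit, recount pattern. The following added example, which is not from the Symantec DLP documentation, carries that pattern out against an in-memory SQLite database so the count checks can be seen working: SQLite stands in for Oracle, the two tables are reduced to the columns the commands touch, and the rows are constructed sample data. The WHERE clause is the one from the page's commands.

```python
"""Added example (not from the Symantec DLP documentation): the
EndpointProtocolFilter repair steps run against constructed sample data in
SQLite. Table definitions are simplified stand-ins for the real schema."""
import sqlite3
from dataclasses import dataclass

# The filter used by the page's backup, count, delete and re-count commands.
ORPHAN_FILTER = (
    "protocolFilterId NOT IN (SELECT acv.protocolFilterId "
    "FROM AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL)"
)


@dataclass
class RepairOutcome:
    backed_up: int        # rows copied to EndpointProtocolFilter_nomatch (step 1)
    counted: int          # record count noted in step 3
    deleted: int          # rows removed in step 4
    committed: bool       # step 6 runs only when deleted == counted (step 5)
    remaining: int        # step 7: expected 0 after a successful commit


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: filters 100 and 101 are referenced by an agent configuration
    version; 205 and 206 are orphans of the kind the URT reports."""
    conn = sqlite3.connect(":memory:", isolation_level=None)   # explicit transaction control
    conn.executescript("""
        CREATE TABLE AgentConfigurationVersion (versionId INTEGER PRIMARY KEY, protocolFilterId INTEGER);
        CREATE TABLE EndpointProtocolFilter (protocolFilterId INTEGER, protocolName TEXT);
        INSERT INTO AgentConfigurationVersion VALUES (1, 100), (2, 101), (3, NULL);
        INSERT INTO EndpointProtocolFilter VALUES
            (100, 'HTTP'), (101, 'SMTP'), (101, 'SMTPS'), (205, 'FTP'), (206, 'IM');
    """)
    return conn


def count_orphans(conn: sqlite3.Connection) -> int:
    return conn.execute(
        f"SELECT COUNT(*) FROM EndpointProtocolFilter WHERE {ORPHAN_FILTER}").fetchone()[0]


def repair_orphans(conn: sqlite3.Connection, dry_run: bool = False) -> RepairOutcome:
    # Step 1: keep a copy of the affected rows before touching them.
    conn.execute("DROP TABLE IF EXISTS EndpointProtocolFilter_nomatch")
    conn.execute(f"CREATE TABLE EndpointProtocolFilter_nomatch AS "
                 f"SELECT * FROM EndpointProtocolFilter WHERE {ORPHAN_FILTER}")
    backed_up = conn.execute("SELECT COUNT(*) FROM EndpointProtocolFilter_nomatch").fetchone()[0]
    # Steps 2 and 3: note the count.
    counted = count_orphans(conn)
    # Step 4 runs inside a transaction so a mismatch in step 5 can be rolled back.
    conn.execute("BEGIN")
    deleted = conn.execute(f"DELETE FROM EndpointProtocolFilter WHERE {ORPHAN_FILTER}").rowcount
    if deleted == counted and not dry_run:
        conn.execute("COMMIT")      # step 6
        committed = True
    else:
        conn.execute("ROLLBACK")    # counts differ (or rehearsal): leave the data alone
        committed = False
    return RepairOutcome(backed_up, counted, deleted, committed, count_orphans(conn))   # step 7


if __name__ == "__main__":
    db = build_sample_db()
    print("dry run:", repair_orphans(db, dry_run=True))
    print("repair: ", repair_orphans(db))
```

One detail worth noticing when comparing the commands: the URT's own query also lists rows whose protocolFilterId IS NULL, while the cleanup commands use only the NOT IN filter, and a NULL never satisfies NOT IN. A row with a NULL protocolFilterId would therefore survive the DELETE and the check would still fail; that situation, like a count mismatch in step 5, is one to raise with Support rather than to work around.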
Related Links
Reviewing Update Readiness Results on page 363
4. Exit SQL*Plus:
exit
Enabling Network Detection Uptime Protection
Enable network detection uptime protection on the previous version Network Monitor detection server to continue
detecting sensitive data and reporting incidents to the version 16.0.1 Enforce Server.
Enabling network detection uptime protection allows the server to continue detecting sensitive content by reading the
policy and configuration information from disk.
1. Define non-routable IP address filter if Packet Capture protocols are enabled on the Network Monitor server but no
filters are defined.
a) Go to System > Servers and Detectors > Overview.
b) Click the Network Monitor detection server.
c) Click Configure.
d) Click the Packet Capture tab and edit an enabled protocol filter.
e) Click Use Custom Settings and enter a non-routable IP address in the Use Custom Settings field.
For example, enter 10.10.10.1.
f) Save your changes and recycle the server.
For more information, see Server controls.
2. On the Network Monitor detection server, open the following file in a text editor:
• Windows: c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\config\protect.properties
• Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/config/protect.properties
3. Update the following settings.
#Enable/disable Network Monitor Up-time Protection
com.vontu.cache.config.enabled = true
#Network Monitor Up-time Protection cache file location
com.vontu.cache.config.dir = ../configCache
#Network Monitor Up-time Protection timeout value in seconds
com.vontu.cache.config.timeout = 10*60000
NOTE
To allow sufficient time for the Enforce Server to send settings to the Network Monitor detection server, Symantec
recommends that you not enter a timeout setting lower than 3*60000.
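Because the timeout is written as a product such as 10*60000 and the note sets a floor of 3*60000, it is easy to set a value that looks right but is below the minimum. The following added example, written for this page and not part of the Symantec DLP product, reads the three settings from a protect.properties fragment and reports any that deviate from the recommendation; the sample file contents are constructed, and treating the timeout as a product of integer factors is this example's assumption about how the value is interpreted.

```python
"""Added example (not from the Symantec DLP documentation): validate the
Network Monitor uptime-protection settings in protect.properties.

The property names and the 3*60000 minimum come from the page; the sample
file text is constructed, and the assumption that a value such as 10*60000 is
a product of integer factors is this example's own."""
import re
from typing import Dict, List

MIN_TIMEOUT_EXPR = "3*60000"   # documented minimum recommended timeout

# Constructed sample: the documented settings, and the same file with a timeout below the minimum.
GOOD_PROPERTIES = """\
#Enable/disable Network Monitor Up-time Protection
com.vontu.cache.config.enabled = true
#Network Monitor Up-time Protection cache file location
com.vontu.cache.config.dir = ../configCache
#Network Monitor Up-time Protection timeout value in seconds
com.vontu.cache.config.timeout = 10*60000
"""
LOW_TIMEOUT_PROPERTIES = GOOD_PROPERTIES.replace("10*60000", "2*60000")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties reader: skips blank and comment lines and
    splits each remaining line on its first '=' with whitespace trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def eval_product(expr: str) -> int:
    """Evaluate an expression of the form '10*60000' without eval(); anything
    other than integers joined by '*' is rejected."""
    if not re.fullmatch(r"\s*\d+(\s*\*\s*\d+)*\s*", expr):
        raise ValueError(f"unsupported timeout expression: {expr!r}")
    result = 1
    for factor in expr.split("*"):
        result *= int(factor)
    return result


def check_uptime_protection(text: str) -> List[str]:
    """Return findings for the three settings; an empty list means they match the
    documented recommendation."""
    props = parse_properties(text)
    findings: List[str] = []
    if props.get("com.vontu.cache.config.enabled", "").lower() != "true":
        findings.append("com.vontu.cache.config.enabled is not true: uptime protection is off")
    if not props.get("com.vontu.cache.config.dir"):
        findings.append("com.vontu.cache.config.dir is not set: no cache location for policy and configuration")
    timeout_expr = props.get("com.vontu.cache.config.timeout")
    if timeout_expr is None:
        findings.append("com.vontu.cache.config.timeout is missing")
    else:
        try:
            timeout = eval_product(timeout_expr)
        except ValueError as exc:
            findings.append(str(exc))
        else:
            minimum = eval_product(MIN_TIMEOUT_EXPR)
            if timeout < minimum:
                findings.append(f"timeout {timeout_expr} ({timeout}) is below the recommended "
                                f"minimum {MIN_TIMEOUT_EXPR} ({minimum})")
    return findings


if __name__ == "__main__":
    print("documented settings:", check_uptime_protection(GOOD_PROPERTIES) or "ok")
    print("low timeout:        ", check_uptime_protection(LOW_TIMEOUT_PROPERTIES))
```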
The most stable configuration is for all Enforce Servers, Endpoint Servers, and agents to be on version 16.0.1. Ideally,
you are on one of the following backward-compatible scenarios for a limited time as you upgrade all servers and agents to
version 16.0.1.
As you upgrade Symantec Data Loss Prevention, you may have different components of the suite on different versions.
Before you upgrade to 16.0.1, upgrade Symantec Data Loss Prevention components to at least version 15.8. Symantec
Data Loss Prevention does not support upgrades from version 15.5 or earlier.
NOTE
Symantec recommends that you install the latest maintenance pack and hotfix to ensure that agents include the
latest product defect fixes.
Enforce Server 16.0.1, Endpoint Server 16.0.1, agents 15.8: Agents and the Endpoint Server send incidents that are
based on existing policies that were configured before the upgrade. Policies and configuration settings can be sent to
agents. However, new policy rules that are introduced in a given release are not supported by earlier agents; in general,
new policy rules are supported by the same agent version in which the rule is introduced.
Requirements and Known Issues | More Details
• Stop all Network Discover scans before you upgrade the Enforce Server to version 16.0.1.
More details: You cannot restart Network Discover scans until at least one Network Discover detection server has been
upgraded to version 16.0.1.
• Do not modify the host name or IP address of a detection server to point to a different detection server after you
complete the upgrade.
More details: Detection servers use the original configured IP address or host name to maintain and report server-level
statistics.
• Restart the SymantecDLPDetectionServerControllerService service.
More details: Restarting the service verifies the upgraded detection server versions in the Enforce Server administration
console.
• Upgrade all Network Discover clusters and detection servers to the latest version.
More details: After you upgrade the Enforce Server to version 16.0.1, any configuration changes that you make have no
effect on detection servers that are not upgraded to 16.0.1.
• Confirm that all scan statuses on the Discover Targets page are in a ready and healthy state and incident replication
is completed.
More details: See Managing Discover Scan Targets.
• Run the Discover Cluster Admin Tool to reduce disk space and stop collecting performance statistics.
More details: Download the Network Discover Cluster Admin Tool package
(Symantec_DLP_16.0.1_Discover_Cluster_Admin_Tool_606 from the Broadcom Support Portal. Use the following options:
1. Run defragmentation commands. These commands help to reduce the disk space used by the cluster storage.
2. Stop collecting performance statistics.
For more details, see the Readme.txt file that is included with the package. Confirm that the Enforce Server, data node,
and worker node servers are on.
• Back up the Discover Cluster Authentication packages that are generated for the data node and worker node.
More details: Back up the following files:
– Worker Node: dlp_discover_cluster_workernode_auth.zip
– Data Node: dlp_discover_cluster_datanode_auth.zip
You can back up both files by backing up dlp_discover_cluster_auth.zip.
• Migrating a Network Discover cluster to a detection server where Network Discover scans are run is not supported.
Likewise, migrating a detection server where Network Discover scans are run to a Network Discover cluster is not
supported. Install Network Discover clusters on a separate server.
More details: Install Network Discover clusters on a separate server. Create a File System - High Speed Discovery target
that uses a Network Discover cluster.
Related Links
Preparing to Upgrade Symantec Data Loss Prevention on page 351
Prepare to upgrade Symantec Data Loss Prevention by reviewing new features, upgrading components to the minimum
version, and backing up your database.
Deleting ICT Components Before Upgrading
Starting with Symantec Data Loss Prevention version 16.0, support for Information Centric Tagging (ICT) is removed. If
you implemented ICT in DLP 15.8, use the following steps to remove Content Matches ICT Classification rules and
replace them with Content Matches Keyword rules.
1. Deploy 15.8 MP3 agents, which include support for detecting ICT tags by way of a Keyword policy.
2. Switch the "Content Matches ICT Classification" rules in policies to "Content Matches Keyword" rules.
NOTE
During the upgrade to DLP 16.0.1, the Update Readiness Tool (URT) checks for ICT rules in existing policies. If any ICT
rules are detected, the upgrade fails and does not proceed. The rules must be modified before the upgrade.
3. Remove ICT eDAR scans and their related history information.
4. Wait for one month to ensure that all agents receive the updated policies. Waiting also gives all "Content Matches ICT
Classification" incidents time to synchronize to the Enforce database.
NOTE
Waiting a month after switching the rules is important before attempting to upgrade to 16.0.1. DLP 16.0.1 must not
receive (by way of MVU functionality) .idc files that contain the old ICT rule references. If Enforce receives .idc files
that contain old ICT rule references, those .idc files are marked as .idc.bad and the old ICT rule references are dropped.
5. If any ICT incidents are synchronized to Enforce after the upgrade, they are marked as .idc.bad and the ICT incidents
are not persisted. Ensure that all detection servers are online so that all incidents are synchronized to Enforce before
you upgrade.
6. Once you have completed these changes to the ICT rules, rerun the URT. If you get a success message, you can
proceed with the upgrade to DLP 16.0.1.
Remove ICE response rules
1. See the Response Rule section under Information Centric Encryption Data Validation in the Update Readiness
Tool log. The section lists response rules that should be deleted.
2. Log in to the Enforce Server administration console and go to the Manage > Policy > Response Rules screen.
3. Complete the following steps for each ICE response rule that is listed in the Response Rule section.
a) Open the response rule and note the policies where it is used.
b) Open the Policies screen, go to the Response Rule tab, and remove the ICE response rule.
c) Open the Response Rules screen and delete the ICE response rules.
4. Run the Update Readiness Tool again to confirm that no ICE response rules are listed in the output.
If the test lists response rules, complete step 3 again to remove the ICE response rules.
Next: Remove ICE settings
3. Run the Update Readiness Tool again to confirm that no agent configuration settings are listed in the output.
If the test lists agent configuration settings, complete step 2 for each agent configuration where ICE settings are
enabled.
Prepare the AD RMS Environment for RMS Monitoring
Complete the following steps to prepare your AD RMS environment for monitoring.
1. Confirm that the latest AD RMS client is installed.
2. Confirm that the AD RMS account has Read and Execute permissions to access ServerCertification.asmx.
For additional details, refer to the Microsoft Developer Network article: https://msdn.microsoft.com/en-us/library/mt433203.aspx.
3. Confirm that the AD RMS superuser group and Service Group both have Read and Execute permissions.
4. Add each detection server to the AD RMS domain.
5. Complete the following to change the previous Symantec Data Loss Prevention version service user to a domain user
that has access to the AD RMS superuser group.
• Shut down all services on the detection server before updating the service user.
• Run the ChangeServiceUser.exe utility to change the service user. The utility is located at:
C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe
USAGE: ChangeServiceUser.exe [installation directory] [new service user username] [new service user password]
Parameters: [new service user password] is optional.
For example (the paths contain spaces, so quote them, and leave no trailing backslash inside the quotes because \" is
read as an escaped quote character):
"C:\Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe" "C:\Program Files\Symantec\DataLossPrevention" [AD RMS domain name]\[super user username] [super user password]
After running the utility, the command prompt displays the change status, including the service user change status.
6. Start all services after updating the service user.
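As an added example (not part of the Symantec documentation), the following PowerShell script performs steps 5 and 6 above on a detection server in one pass: it stops the DLP services, runs ChangeServiceUser.exe, confirms from the Windows service configuration that every DLP service now logs on as the new domain account, and only then starts the services again. It assumes the default installation directory and that all DLP service names on the detection server begin with SymantecDLP (the page names only SymantecDLPDetectionServerControllerService). The password is prompted for with Get-Credential rather than typed on the command line, although ChangeServiceUser.exe still receives it as an argument.

```powershell
# Added example, not from the Symantec documentation. Assumptions: default
# installation directory; all DLP services on this host are named SymantecDLP*.
param(
    [Parameter(Mandatory)][string]$Domain,     # AD RMS domain name
    [Parameter(Mandatory)][string]$SuperUser   # account in the AD RMS superuser group
)

$installDir = 'C:\Program Files\Symantec\DataLossPrevention'
$tool = Join-Path $installDir 'ServerPlatformCommon\16.0.10000\Protect\bin\ChangeServiceUser.exe'
if (-not (Test-Path $tool)) { throw "ChangeServiceUser.exe not found at $tool" }

$account = "$Domain\$SuperUser"
# Prompt for the password so it is not left in the shell history.
$cred  = Get-Credential -UserName $account -Message "Password for $account"
$plain = $cred.GetNetworkCredential().Password

# Step 5a: shut down all DLP services before changing the service user.
$services = @(Get-Service -Name 'SymantecDLP*')
if ($services.Count -eq 0) { throw 'No SymantecDLP* services found on this host.' }
$services | Where-Object Status -eq 'Running' | Stop-Service -Force
foreach ($s in $services) { $s.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5)) }

# Step 5b: ChangeServiceUser.exe [installation directory] [new user] [password].
# PowerShell quotes $installDir for us; it has no trailing backslash, so the
# closing quote is not escaped.
& $tool $installDir $account $plain
if ($LASTEXITCODE -ne 0) { throw "ChangeServiceUser.exe exited with code $LASTEXITCODE" }

# Verify: StartName is the account each Windows service logs on as.
$wrong = @(Get-CimInstance Win32_Service -Filter "Name LIKE 'SymantecDLP%'" |
    Where-Object { $_.StartName -ine $account })
if ($wrong.Count -gt 0) {
    $wrong | ForEach-Object { Write-Warning ("{0} still runs as {1}" -f $_.Name, $_.StartName) }
    throw 'Service user change incomplete; services left stopped.'
}

# Step 6: start the services again and show their state.
$services | Start-Service
foreach ($s in $services) { $s.WaitForStatus('Running', [TimeSpan]::FromMinutes(5)) }
Get-Service -Name 'SymantecDLP*' | Format-Table Name, Status -AutoSize
```

Run it from an elevated PowerShell session on the detection server, for example `.\Set-DlpServiceUser.ps1 -Domain CORP -SuperUser svc-dlp-rms`. The verification step is the point of the script: if the utility changed only some services, the remaining ones would fail to read RMS-protected content once started under the old account, and the script stops before that happens.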
For Azure RMS, complete the following on each detection server to enable RMS file monitoring:
1. Locate the Enable-Plugin.ps1 plugin script on the detection server at the following path:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction
2. Run ConfigurationCreator.exe and answer its prompts:
"C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\ConfigurationCreator.exe"
Do you want to configure ADAL authentication [y/n]: n
Do you want to configure symmetric key authentication [y/n]: y
Enter your symmetric key (base-64): [user's Azure RMS symmetric key]
Enter your app principal ID: [user's Azure RMS app principal ID]
Enter your BPOS tenant ID: [user's Azure RMS BPOS tenant ID]
After running this utility, the following files are created in the MicrosoftRightsManagementPlugin directory at
\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction:
• rightsManagementConfiguration
• rightsManagementConfigurationProtection
4. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing the
ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug).
Error messages that display for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring
RMS content.
Enabling RMS detection for AD-managed RMS
For AD RMS, complete the following on each detection server to enable RMS file monitoring:
1. Run the Enable-Plugin.ps1 script, which is located in the MicrosoftRightsManagementPlugin directory of the Content
Extraction Service on the detection server:
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\Enable-Plugin.ps1"
2. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing the
ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug).
Error messages that display for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring
RMS content.
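The two notes above (for Azure RMS and for AD RMS) describe the same check. As an added example (not from the Symantec documentation), this PowerShell function reads the tail of ContentExtractionHost_FileReader.log from the documented location, counts the lines that mention the MicrosoftRightsManagementPlugin and flags the ones that name MicrosoftRightsManagementPlugin.cpp together with an error marker, so the check can be scripted on every detection server after the restart. The exact log line format is not documented on the page, so the marker words (error, severe, fail) are an assumption to adjust to what your log shows.

```powershell
# Added example, not from the Symantec documentation. The log line format is
# not documented, so the error match (error/severe/fail on a line that names
# MicrosoftRightsManagementPlugin.cpp) is an assumption to adjust.
function Test-RmsPluginLog {
    param(
        [string]$LogPath = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug\ContentExtractionHost_FileReader.log',
        [int]$TailLines = 5000      # inspect only the most recent part of the log
    )
    if (-not (Test-Path $LogPath)) { throw "Log not found: $LogPath" }

    $recent = @(Get-Content -Path $LogPath -Tail $TailLines)
    # Lines emitted by the RMS plugin, then the subset that report an error.
    # -match is case-insensitive in PowerShell.
    $plugin = @($recent | Where-Object { $_ -match 'MicrosoftRightsManagementPlugin' })
    $errors = @($plugin | Where-Object {
        $_ -match 'MicrosoftRightsManagementPlugin\.cpp' -and $_ -match '\b(error|severe|fail)'
    })

    [pscustomobject]@{
        LogPath     = $LogPath
        LinesRead   = $recent.Count
        PluginLines = $plugin.Count
        ErrorLines  = $errors.Count
        Healthy     = ($errors.Count -eq 0)
        Errors      = $errors
    }
}

# Usage after the restart in step 2: print the summary and fail the session if
# the plugin logged errors, so the check can gate an automated rollout.
$result = Test-RmsPluginLog
$result | Format-List LogPath, LinesRead, PluginLines, ErrorLines, Healthy
$result.Errors | Select-Object -First 10
if (-not $result.Healthy) { exit 1 }
```

A PluginLines count of zero with Healthy set to true means the plugin has not logged anything in the inspected window; that is not proof that RMS content is being monitored, only that no errors were seen, so increase -TailLines or wait for a scan to touch RMS-protected files before trusting the result.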
1. Download and extract the upgrade software. See Downloading and extracting the upgrade software.
2. Confirm that your existing Enforce Server and detection servers are running. See Verifying that the Enforce Server and the detection servers are running.
3. Close all files and folders in your existing Enforce Server environment. Ensure that all folders and files in your Data Loss Prevention (for Windows) or DataLossPrevention (for Linux) directory are closed and unlocked. The upgrader requires access to all folders and files during the upgrade process.
4. Install the Java Runtime Environment on the Enforce Server. See Install the Java Runtime Environment on the Enforce Server on Windows or Install the Java Runtime Environment on the Enforce Server on Linux.
5. Install the version 16.0.1 Enforce Server. See Install an Enforce Server on Windows or Install an Enforce Server on Linux.
6. Migrate the previous version to the version 16.0.1 Enforce Server. See Migrate Data on the Enforce Server on Windows or Migrate Data on the Enforce Server on Linux.
7. Install the Java Runtime Environment on the detection server. See Install the Java Runtime Environment on a Detection Server on Windows or Install the Java Runtime Environment on a Detection Server on Linux.
8. Install the version 16.0.1 detection servers. See Install a Detection Server on Windows or Install a Detection Server on Linux.
9. Migrate the previous version to the version 16.0.1 detection servers. See Migrate Data on a Detection Server on Windows or Migrate Data on a Detection Server on Linux.
10. Perform a system backup. See Backing up your system.
11. (Optional) Apply the updated agent configuration to Endpoint Prevent detection servers. See Applying the updated configuration to Endpoint Prevent servers.
12. (Optional) Update Symantec DLP Agents. See About Symantec Data Loss Prevention Agent upgrades.
13. (Optional) Update any scanners. See Upgrading your scanners.
14. If you are running a Windows platform, upgrade WinPcap or install Npcap (Network Monitor deployments only). See Upgrading or installing Npcap for Network Monitor.
4. Extract the contents of the Symantec_DLP_16.0.1_Agent_Win-IN.zip file.
5. Extract the contents of the Symantec_DLP_16.0.1_Agent_Mac-IN.zip file.
6. Extract the contents of the Symantec_DLP_16.0.1_Agent_Lin-IN.zip file.
7. Note where you saved the MSI and PKG files so you can quickly find them later.
Related Links
Symantec Data Loss Prevention Upgrade Phases on page 352
Complete the upgrade in the phases that are described in the following sections.
Migrating on Windows
The following sections include steps to migrate to a new version on Windows:
• Migrating the Previous Version to a New Enforce Server Installation on Windows
• Migrating a Previous Version Detection Server or Cluster to the Latest Version on Windows
• Migrating previous version data to a new single-tier installation on Windows
Table 157: Steps to migrate the previous version to a new Enforce Server installation
1. Install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017, and 2019. Download the VC_redist.x64.exe file from The latest supported Visual C++ downloads. After you complete the installation, restart the server.
2. Install the Java Runtime Environment on the Enforce Server. See Install the Java Runtime Environment on the Enforce Server on Windows.
3. Install the version 16.0.1 Enforce Server. See Install an Enforce Server on Windows. You install the Enforce Server on the same system where the previous version is running.
4. Migrate the previous version to the version 16.0.1 Enforce Server. See Migrate Data on the Enforce Server on Windows.
5. Back up the upgraded system. See Backing up your system.
The process to migrate does not move all plug-ins. See Migrating plug-ins.
Install the Java Runtime Environment on the Enforce Server on Windows
You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on (or remote logon) as Administrator to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP\16.0.1\New_Installs\x64\Release
directory to the computer where you plan to install the Enforce Server (for example, to c:\temp). <version> represents
the latest supported version.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Install an Enforce Server on Windows
The instructions that follow describe how to install an Enforce Server on a Windows computer in a two- or three-tier
environment. The steps to install the Enforce Server in a single-tier environment are different; see Installing a
single-tier server on Windows.
NOTE
If you are running the database in a RAC environment, confirm that the scan host IP for RAC is accessible and
the nodes associated with it are all up and running during the install process.
These instructions assume that the EnforceServer.msi file and license file have been copied into the c:\temp
directory on the Enforce Server computer.
NOTE
Enter directory names, account names, passwords, IP addresses, and port numbers that you create or specify
during the installation process using standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log
You can complete the installation silently or using a graphical user interface. For a silent installation, enter values
specific to your installation for the following parameters:
INSTALLATION_DIRECTORY
    Specifies where the Enforce Server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY
    Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for
    example, logs and licenses). The default location is c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\.
    Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the
    data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Log on (or remote logon) as Administrator to the Enforce Server system where you intend to install the Enforce Server.
3. Go to the folder where you copied the EnforceServer.msi file (c:\temp).
4. Double-click EnforceServer.msi to start the installation wizard.
NOTE
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option. For example:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log
Symantec recommends that you use the default destination directory. References to the "installation directory" in
Symantec Data Loss Prevention documentation are to this default location.
8. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
NOTE
If you do not use the default location, you must indicate a folder name for the data directory (for example,
c:\enforcedata). If you set the data directory to the drive root (for example c:\ or e:\) you cannot
successfully uninstall the program.
9. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
10. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
11. In the Service User panel, select one of the following options.
• Existing Users: Select this option to use an existing local or domain user account.
Click Next.
12. In the Oracle Database panel, enter details about the Oracle database server. Complete the following Oracle Database
Server fields:
• Host: Enter host information based on your Symantec Data Loss Prevention installation:
    - Single- and two-tier installation (Enforce and Oracle servers on the same system): the Oracle Server location is
      127.0.0.1.
    - Three-tier installation (Enforce Server and Oracle server on different systems): specify the Oracle server host
      name or IP address.
    If you are running the Oracle database in a RAC environment, use the scan host IP address for the host, not the
    database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes associated with it
    are running during the installation process.
• Port: Enter the Oracle Listener Port, or accept the default.
• Service Name: Enter the database service name (typically "protect").
• Username: Enter the Symantec Data Loss Prevention database user name.
• Password: Enter the Symantec Data Loss Prevention database password.
If your Oracle database is not a supported version, you are warned and offered the choice of continuing or canceling
the installation. You can continue and upgrade the Oracle database later.
NOTE
Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your
database is configured for a different character set, you are notified and the installation is canceled. Correct
the problem and re-run the installer.
13. Click Next.
14. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See About locales for more information on locales.
15. Click Install.
The installation process can take a few minutes. After a successful installation, a completion notice displays.
16. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data
Loss Prevention installation process.
17. Run the Update Readiness Tool to confirm that the Oracle database is ready to be migrated to the new instance.
After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in two phases as listed in the following table:
Phase Description
Before you run the Migration Utility, run the Update Readiness Tool to confirm that the database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
Migrate Silently
1. Log on (or remote logon) as Administrator to the Enforce Server system where you intend to run the Migration Utility.
2. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator
3. Run the following command in an elevated command prompt:
MigrateEnforce.bat -silent -sourceVersion="<previous version>" -jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"
Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to migrate from
Symantec Data Loss Prevention version 16.0) and <version> is the version of the JRE that you installed.
A message indicates when the migration completes.
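As an added example (not from the Symantec documentation), the following PowerShell script runs the silent migration above without hand-editing the <version> placeholder: it locates the single JRE directory unzipped under C:\Program Files\AdoptOpenJRE (the location used in the JRE installation steps above), runs MigrateEnforce.bat -silent with that path, and on failure prints the most recent error lines from MigrationUtility.log at the documented location. It assumes that a non-zero exit code from the batch file indicates failure and that failures in MigrationUtility.log can be found by the words error, exception or DatabaseProcessCheck; the page documents neither.

```powershell
# Added example, not from the Symantec documentation. Assumptions: exactly one
# JRE is unzipped under C:\Program Files\AdoptOpenJRE; a non-zero exit code from
# MigrateEnforce.bat means the migration failed.
param([string]$SourceVersion = '16.0')   # previous, active DLP version

$jreRoot = 'C:\Program Files\AdoptOpenJRE'
$jreDirs = @(Get-ChildItem -Path $jreRoot -Directory |
    Where-Object { Test-Path (Join-Path $_.FullName 'bin\java.exe') })
if ($jreDirs.Count -ne 1) {
    throw "Expected exactly one JRE under $jreRoot, found $($jreDirs.Count): $($jreDirs.Name -join ', ')"
}
$jreDir = $jreDirs[0].FullName

$migrator = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator'
$log      = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\debug\MigrationUtility.log'
if (-not (Test-Path (Join-Path $migrator 'MigrateEnforce.bat'))) { throw "MigrateEnforce.bat not found in $migrator" }

# Run from the Migrator directory, as the documented procedure does. PowerShell
# quotes the -jreDirectory argument because the path contains a space.
Push-Location $migrator
try {
    & .\MigrateEnforce.bat -silent "-sourceVersion=$SourceVersion" "-jreDirectory=$jreDir"
    $code = $LASTEXITCODE
} finally {
    Pop-Location
}

if ($code -ne 0) {
    Write-Warning "MigrateEnforce.bat exited with code $code"
    if (Test-Path $log) {
        # Surface the most recent lines that look like failures. A
        # DatabaseProcessCheck failure means database sessions are still open
        # and must be stopped before the migration is retried.
        Get-Content -Path $log -Tail 200 |
            Select-String -Pattern 'error|exception|DatabaseProcessCheck' |
            Select-Object -Last 20
    }
    exit $code
}
Write-Host "Migration finished; JRE used: $jreDir"
```

Run it from an elevated PowerShell session on the Enforce Server, for example `.\Invoke-EnforceMigration.ps1 -SourceVersion 16.0`. Resolving the JRE directory from disk avoids the common mistake of passing a -jreDirectory value that still contains the literal <version> text from the documentation.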
Migrate Using Interactive Mode
1. Log on (or remote logon) as Administrator to the Enforce Server system where you intend to run the Migration Utility.
2. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator
3. Run the Migration Utility: migrateEnforce.bat.
4. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on the Enforce Server on Windows.
A list of the migration phases appears.
5. Enter Y and press Enter to start phase 1.
6. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
7. Press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
8. If migration fails, review the Enforce Server MigrationUtility.log located at
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\debug\ for more details.
Migrating a Previous Version Detection Server or Cluster to the Latest Version on Windows
Upgrade the detection server or cluster by installing the new version where the existing version is running and migrating
data to the new version.
The migration process backs up services .conf files. You can locate these files at \Program Files\Symantec
\DataLossPrevention\DetectionServer\<source_version>\Protect\backups\ in a folder formatted
as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version number.) You use the
.conf files if you are recovering your previous version system. See Backing Up and Recovering on Windows for more
information about recovering your system.
Table 160: Steps to Migrate the Previous Version to a New Detection Server or Cluster
Step Action
1 Install the Java Runtime Environment on a Detection Server on Windows on the detection server or
cluster.
2 Install the 16.0.1 detection server or clusters.
3 Migrate the previous version to the version 16.0.1 detection servers or clusters.
4 Back up the upgraded system.
You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on (or remote logon) as Administrator to the server computer on which you intend to install the detection server.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP\16.0.1\New_Installs\x64\Release
directory to the computer where you plan to install the detection server (for example, to c:\temp).
3. Unzip the file to C:\Program Files\AdoptOpenJRE\<version>-jre. Replace <version> with the JRE version.
Install a Detection Server on Windows
Complete the following steps to install the detection server software on a server computer.
After you install the detection server, you migrate previous version data to complete the upgrade process.
NOTE
The following instructions assume that the DetectionServer.msi file has been copied into the c:\temp directory on the
server computer. See Downloading and extracting the upgrade software.
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the
command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log
You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:
Table 161: Detection Server Installation Parameters for Upgrading
INSTALLATION_DIRECTORY
    Specifies where the detection server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY
    Defines where Symantec Data Loss Prevention stores files that are updated while the detection server is running (for
    example, logs and licenses). The default location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\.
    Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the
    data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
The following text is an example of what the completed command might look like. The command you use differs based on
your implementation requirements. Using the following command as-is may cause the installation to fail.
msiexec /i DetectionServer.msi /qn /norestart
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\DetectionServer"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"
FIPS_OPTION=Disabled
SERVICE_USER_OPTION=ExistingUser
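As an added example (not from the Symantec documentation), this PowerShell function wraps the silent DetectionServer.msi command above: it quotes each public property, runs msiexec with verbose logging, waits for it to exit, translates the standard Windows Installer exit codes (0 success, 3010 restart required, 1641 restart initiated) and cross-checks the result against the "Installation success or error status" line that verbose MSI logs contain. The property names and values are those of the example command above; the MSI path and log path are assumptions. Because it accepts any property set, the same function can run the Discover cluster node commands shown later in this section.

```powershell
# Added example, not from the Symantec documentation. Exit codes 0/3010/1641 and
# the "Installation success or error status" log line are standard Windows
# Installer behaviour; the MSI and log paths are assumptions.
function Install-DlpDetectionServer {
    param(
        [string]$Msi     = 'C:\temp\DetectionServer.msi',
        [string]$LogPath = 'C:\temp\detectionserver_install.log',
        [System.Collections.IDictionary]$Properties = @{}
    )
    if (-not (Test-Path $Msi)) { throw "Installer not found: $Msi" }

    # Quote every property value: the directory paths contain spaces.
    $propArgs = foreach ($e in $Properties.GetEnumerator()) { '{0}="{1}"' -f $e.Key, $e.Value }
    $msiArgs  = @('/i', "`"$Msi`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"") + @($propArgs)

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    $state = switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, restart required' }
        1641    { 'Installed, restart initiated' }
        default { "Failed (msiexec exit code $_)" }
    }

    # Cross-check the exit code against the verbose log written by /L*v.
    $logStatus = 'not found in log'
    if (Test-Path $LogPath) {
        $m = Select-String -Path $LogPath -Pattern 'Installation success or error status: (\d+)' |
            Select-Object -Last 1
        if ($m) { $logStatus = $m.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{ ExitCode = $proc.ExitCode; State = $state; LogStatus = $logStatus; Log = $LogPath }
}

# The property set mirrors the example command on the page. Everything passed
# here is visible in the msiexec command line while it runs (including
# SERVICE_USER_PASSWORD if you add it), so run this from a controlled session.
$result = Install-DlpDetectionServer -Properties ([ordered]@{
    INSTALLATION_DIRECTORY = 'C:\Program Files\Symantec\DataLossPrevention'
    DATA_DIRECTORY         = 'C:\ProgramData\Symantec\DataLossPrevention\DetectionServer'
    JRE_DIRECTORY          = 'C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre'
    FIPS_OPTION            = 'Disabled'
    SERVICE_USER_OPTION    = 'ExistingUser'
})
$result | Format-List
if ($result.ExitCode -notin 0, 3010, 1641) { exit $result.ExitCode }
```

A LogStatus of 0 with an ExitCode of 3010 is the normal "installed, reboot pending" case; any other disagreement between the two values means the log should be read before the detection server is registered with the Enforce Server.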
1. Log on as Administrator to the computer on which you plan to install the detection server.
2. If you are installing a Network Monitor detection server, install Npcap on the server computer.
Complete the following steps to install Npcap:
a) Locate the Npcap file npcap-1.10-oem.exe in the DLP_Home\Third_Party directory, where DLP_Home is the
name of the directory in which you unzipped the Symantec Data Loss Prevention software.
b) Double-click npcap-1.10-oem.exe and follow the on-screen installation instructions.
c) Install Npcap in WinPcap API-compatible mode.
3. Copy the detection server installer (DetectionServer.msi) from the Enforce Server to a local directory on the
detection server.
DetectionServer.msi is included in your software download (DLPDownloadHome) directory.
4. Click Start > Run > Browse to navigate to the folder where you copied the DetectionServer.msi file.
5. Double-click DetectionServer.msi to start the installation wizard.
The Welcome panel of the Installation Wizard appears.
NOTE
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the
installation from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log
6. Click Next.
The End-User License Agreement panel displays.
7. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
8. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers created or specified during the installation process must
be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not
supported.
9. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is c:\ProgramData\Symantec\DataLossPrevention\.
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
10. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
11. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
12. In the Service User panel select the existing local or domain user account.
13. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port above 1024 (1025–65535).
14. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
15. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the detection
server installation process.
Migrate Data on a Detection Server on Windows
Use the Migration Utility to migrate data to the new version 16.0.1 detection server instance.
The Migration Utility migrates detection server data in two phases as listed in the following table:
Phase Description
Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to
migrate from Symantec Data Loss Prevention version 16.0).
A message indicates when the migration completes.
Migrate Using Interactive Mode
1. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect
\Migrator
2. Run the Migration Utility: migrateDetection.bat.
3. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on a Detection Server on Windows.
4. Enter Y and press Enter to start phase 1.
5. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
6. Press Enter to start phase 2.
A message indicates when the migration completes.
7. If the migration fails, review the detection server migration logs in MigrationUtility.log located at
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug.
The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
Install a Network Discover Cluster on Windows
Follow this procedure to install the Network Discover Cluster software on a Windows server computer.
Before You Begin
Complete the following prerequisites before starting the Network Discover Cluster installation:
• Copy the DetectionServer.msi file into the c:\temp directory on the server computer.
• Install the JRE where you plan to install the nodes. See Install the Java Runtime Environment on a Detection Server
on Windows.
Install the Nodes
Complete the following procedure to install the node software on a server computer. You specify the node type during the
installation process.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes communicate
once they are installed.
See Detection Servers for details on nodes.
The installation process automatically generates log information that is saved to a file MSI*.log (* is replaced with
random characters) in the %TEMP% folder. You can change the log file name and location by starting the installation
from the command line with the /L*v option. See the example below:
msiexec /i DetectionServer.msi /L*v c:\temp\detectionserver_install.log
You can complete the installation silently from the command line or from a graphical user interface.
Install Nodes Silently
You can opt to install nodes from the command line.
Enter values with information specific to your installation for the parameters listed in the following table:
Table 163: Node installation parameters for upgrading
Command Description
INSTALLATION_DIRECTORY: Specifies where the node is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY: Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for example, logs and licenses). The default location is \ProgramData\Symantec\DataLossPrevention\DetectionServer\.
Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.
The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=DN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_datanode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
DISCOVER_CLUSTER_DISCOVERY_PORT_RANGE=<StartPort>..<EndPort>
• Worker node example command:
msiexec /i "DetectionServer.msi" /qn /norestart /log "package_det_install.log"
JRE_DIRECTORY="C:\Program Files\AdoptOpenJDK\jre-8.0.262.10-hotspot"
FIPS_OPTION="Disabled"
SERVICE_USER_USERNAME="SymantecDLP"
SERVICE_USER_PASSWORD=<password>
DISCOVER_CLUSTER_ROLE_OPTION=WN
DISCOVER_CLUSTER_IP=0.0.0.0
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DISCOVER_CLUSTER_AUTH_PACKAGE="C:\temp\dlp_discover_cluster_workernode_auth.zip"
DISCOVER_CLUSTER_CLIENT_CONNECTION_PORT_RANGE=<StartPort>..<EndPort>
5. Click Next.
The End-User License Agreement panel displays.
6. After reviewing the license agreement, select I accept the terms in the License Agreement, and click Next.
7. In the Destination Folder panel, accept the default destination directory, or enter an alternate directory, and click
Next.
For example: c:\Program Files\Symantec\DataLossPrevention\
Symantec recommends that you use the default destination directory. However, you can click Change to navigate to a
different installation location instead.
NOTE
Directory names, IP addresses, and port numbers that are created or specified during the installation
process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
8. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is: c:\ProgramData\Symantec\DataLossPrevention\.
NOTE
If you do not use the default location, you must indicate a folder name for the data directory. If you set the
data directory to the drive root (for example, c:\ or e:\) you cannot successfully uninstall the program.
9. In the JRE Directory panel, click Browse to locate the JRE, and click Next.
10. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
11. In the Service User panel select the existing local or domain user account.
12. In the Server Bindings panel, enter the following settings:
• Host: Enter the host name or IP address of the data node.
• Port: Accept the default port number (8100) on which the data node should accept connections from the Enforce
Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of
1024–65535.
Click Next.
13. In the Server Role panel, select the node type you plan to install.
Install a data node before installing worker nodes. Installing the data node first defines where worker nodes
communicate once they are installed.
14. In the Network Discover Cluster Settings panel, enter the following settings:
• Cluster Discovery Port Range:
Enter the starting and ending ports to use for discovering data nodes in a cluster. This parameter is required for the
data node installation. The default values of the start port and end port are 47500 and 47520, respectively.
• Client Connection Port Range:
Enter the starting and ending ports used for communication between the worker and data nodes in a cluster. This
parameter is required for the data node and worker node installation. The default values of the start port and end
port are 10800 and 10820 respectively.
Click Next.
15. In the Network Discover Cluster Authentication Package panel, select the authentication package for the node type
you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip
Click Next.
16. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completed panel
appears. Click Finish.
17. Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the node
installation process.
Migrate Data on a Network Discover Cluster on Windows
Use the Migration Utility to migrate data to the new version 16.0.1 Network Discover Cluster instance.
After you install the version 16.0.1 Network Discover cluster, you use the Migration Utility to migrate data to the new
instance.
The Migration Utility migrates Network Discover cluster data in two phases as listed in the following table:
Phase Description
Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to
migrate from Symantec Data Loss Prevention version 16.0).
A message indicates when the migration completes.
Migrate Using Interactive Mode
1. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\Migrator
2. Run the Migration Utility: migrateDetection.bat.
3. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on a Detection Server on Windows.
4. Enter Y and press Enter to start phase 1.
5. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
6. Press Enter to start phase 2.
A message indicates when the migration completes.
7. If the migration fails, review the Network Discover cluster migration logs in MigrationUtility.log located at C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs\debug.
The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
Table 165: Steps to migrate the previous version to a new single-tier installation
Installing the Java Runtime Environment for a Single-tier Installation on Windows
You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on (or remote logon) as Administrator to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_windows_hotspot_<version>.zip from your DLPDownloadHome\DLP\16.0.1\New_Installs\Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
For example, move the file to c:\temp.
3. Unzip the file to C:\Program Files\AdoptOpenJRE\jdk<version>-jre.
Next: Installing a single-tier server on Windows
Installing a single-tier server on Windows
Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin
the Symantec Data Loss Prevention installation process.
NOTE
Create the Enforce Reinstallation Resources file before starting the installation process. This file contains the
unique CryptoMasterKey.properties file and keystore files for your Symantec Data Loss Prevention
deployment that you can use if you need to uninstall your deployment.
Creating the Enforce Reinstallation Resources file
The following instructions assume that the SingleTierServer.msi file, license file, and solution pack file have been
copied into the c:\temp directory on the Enforce Server.
The installation process automatically generates log information saved to a file MSI*.log (* is replaced with random
characters) in the %TEMP% folder. You can change the log file name and location by starting the installation from the command
line with the /L*v option. See the example below:
msiexec /i EnforceServer.msi /L*v c:\temp\enforce_install.log
After you complete the Single Tier installation, you can find the installation log file at c:\temp\.
You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:
Command Description
INSTALLATION_DIRECTORY: Specifies where the Enforce Server is installed. The default location is C:\Program Files\Symantec\DataLossPrevention.
DATA_DIRECTORY: Defines where Symantec Data Loss Prevention stores files that are updated while the Enforce Server is running (for example, logs and licenses). The default location is C:\ProgramData\Symantec\DataLossPrevention.
Note: If you do not use the default location, you must indicate a folder name for the data directory. If you set the data directory to the drive root (for example c:\ or e:\) you cannot successfully uninstall the program.
The following is an example of what the completed command might look like. The command you use differs based on your
implementation requirements. Using the following command as-is may cause the installation to fail.
ORACLE_SERVICE_NAME=protect
1. Log on (or remote logon) as Administrator to the computer that is intended for the Symantec Data Loss Prevention
single-tier installation.
2. Copy the Symantec Data Loss Prevention installer (SingleTierServer.msi) from DLPDownloadHome to a local
directory on the computer where you plan to install the single-tier system.
3. Click Start > Run > Browse to navigate to the folder where you copied the SingleTierServer.msi file.
4. Double-click SingleTierServer.msi to launch the installation wizard.
A welcome notice appears.
5. Click Next.
6. In the End-User License Agreement panel, select I accept the terms in the License Agreement, and click Next.
7. In the Destination Folder panel, accept the Symantec Data Loss Prevention default destination directory and click
Next.
Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a
different installation location instead.
Directory names, account names, passwords, IP addresses, and port numbers created or specified during the
installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte
characters are not supported.
8. In the Data Directory panel, accept the default data directory, or enter an alternate directory, and click Next. The
default data directory is:
c:\ProgramData\Symantec\DataLossPrevention\
9. In the JRE Directory panel, click Browse and locate the JRE, and click Next.
10. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
11. In the Service User panel, select an existing local or domain user account.
12. Click Next.
13. In the Update User panel, confirm the account name and password.
This account is used to manage updates sent to the detection server.
14. In the Oracle Database Server Information panel, enter the Oracle Database Server host name or IP address and
the Oracle Listener Port.
NOTE
If you are running the Oracle database in a RAC environment, use the scan host IP address for the host,
not the database IP address. Confirm that the scan host IP for RAC is accessible and that all of the nodes
associated with it are running during the installation process.
You also enter information in the following fields:
Default values should already be present for these fields. Since this is a single-tier installation with the Oracle
database on this same system, 127.0.0.1 is the correct value for Oracle Database Server Information and 1521 is the
correct value for the Oracle Listener Port.
15. Click Next.
16. In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.
Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept
the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an
alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale
for their use.
See the .
17. In the Server Bindings panel, enter the following settings:
• Host. Enter the host name or IP address of the detection server.
• Port. Accept the default port number (8100) on which the detection server should accept connections from the
Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range
of 1024–65535.
18. Click Install to begin the installation process.
The Installing panel appears, and displays a progress bar. After a successful installation, the Completing panel
displays.
19. If you have not done so already, run the Upgrade Readiness tool to confirm that the Oracle database is ready to be
migrated to the new instance. If you have already run the Upgrade Readiness tool, skip this step.
Migrating data on a single-tier installation on Windows
After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in the following two phases:
1. Runs a report to confirm the status of the file system
The report lists information to confirm that the file system is ready for migration and identifies issues. The report lists
saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and
configuration file settings.
The first phase moves data files, document profiles, property files, plugins, and keystores to the 16.0.1 instance.
2. Performs pre-checks before DLP services are taken down during the migration
The second phase moves incidents, indexes, services, and the database.
Before you start the migration, use the Upgrade Readiness tool to confirm that the Oracle database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
• Migrate silently
• Migrate using interactive mode
Migrate silently
1. Log on (or remote logon) as Administrator to the Single Tier Server system where you intend to run the Migration
Utility.
2. Run the following command in an elevated command prompt:
MigrateSingleTierServer.bat
-silent
-sourceVersion="<previous version>"
-jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre"
Where <previous version> represents the previous, active version (for example, use -sourceVersion=16.0 to migrate
from Symantec Data Loss Prevention version 16.0).
Migrate using interactive mode
1. Log on (or remote logon) as Administrator to the Single Tier Server system where you intend to run the Migration
Utility.
2. Use the command prompt to navigate to the following directory:
C:\Program Files\Symantec\DataLossPrevention\SingleTierServer\16.0.10000\Protect
\Migrator
3. Run the Migration Utility: migrateSingleTierServer.bat.
4. Confirm that OpenJRE is installed at the listed location, then press Enter.
If no JRE displays, you must install it before proceeding.
Installing the Java Runtime Environment for a Single-tier Installation on Windows
A list of the migration phases appears.
5. Enter Y and press Enter to start phase 1.
6. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report
lists details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve
any errors listed on this page before proceeding to phase 2.
NOTE
The previous version continues to run, including the services and the database, after phase 1
completes. You can exit the migration process and continue to phase 2 at a later time.
7. Press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
8. If migration fails, review the Enforce Server migration logs in the MigrationUtility.log located at C:
\ProgramData\Symantec\DataLossPrevention\SingleTierServer\16.0.10000\logs\debug.
Migrating on Linux
The following sections include steps to migrate to a new version on Linux:
• Migrating the previous version to a new Enforce Server installation on Linux
• Migrating a Previous Version Detection Server or Cluster to the Latest Version on Linux
• Migrating Previous Version Data to a New Single-Tier Installation on Linux
NOTE
The migration process backs up services .conf files. You can locate these files at /opt/Symantec/DataLossPrevention/EnforceServer/<source_version>/Protect/backups in a folder that is
formatted as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version
number.) You use the .conf files if you are recovering your previous version system. See Backing up and recovering on Linux.
Table 167: Steps to migrate the previous version to a new Enforce Server installation
1 Install the Java Runtime Environment on the Enforce Server. See Install the Java Runtime Environment on the Enforce Server on Linux.
2 Sign RPM files. See Sign RPM files.
3 Install the version 16.0.1 Enforce Server. You install the Enforce Server on the same system where the previous version is running. See Install an Enforce Server on Linux.
4 Migrate the previous version to the version 16.0.1 Enforce Server. See Migrate Data on the Enforce Server on Linux.
5 Back up the upgraded system. See Backing up your system.
The process to migrate does not move all plug-ins. See Migrating plug-ins.
Install the Java Runtime Environment on the Enforce Server on Linux
You install the Java Runtime Environment (JRE) on the Enforce Server before you install the Enforce Server.
1. Log on as root to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/
New_Installs/Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Unzip the file contents (for example, unzip to /opt/AdoptOpenJRE).
Next: Sign RPM files
Sign RPM files
Before you install the latest Symantec Data Loss Prevention version on a Linux platform, Symantec recommends
that you use the RPM signing key to verify the signature of RPM files. All RPM packages provided in the
Symantec_DLP_16_0_1_Platform_Lin-IN_<platform_lin_version>.zip are signed with a GPG key. The
signature provides integrity protection and ensures that the packages are the same packages produced by Symantec and
were not altered in any way by a malicious third-party.
NOTE
If you try to install and do not use the RPM signing key, a "NOKEY" warning message displays during the
installation.
Use the RPM signing key before you install the Enforce Server, detection server, or a single-tier system.
1. Locate the Symantec_DLP_RPM_Signing_Key.asc file in the DLPDownloadHome directory. The
Symantec_DLP_RPM_Signing_Key.asc is packaged in the Symantec_DLP_16_0_1_Platform_Lin-IN_<platform_lin_version>.zip file.
2. Copy the Symantec_DLP_RPM_Signing_Key.asc file to the computer where you plan to install the server
component.
3. Log on as root to the computer where you plan to install the server component.
4. Import the key to the RPM key ring by running the following command:
rpm --import Symantec_DLP_RPM_Signing_Key.asc
6. Verify the signature of files before installing them by running the following command:
rpm -K *rpm
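The import and verification steps above, wrapped so that the result is checked by the script rather than read off the screen. This is an added example and is not part of the Symantec documentation or the product: it assumes the signing key path and the directory of RPM files are passed as arguments, and it treats any line from rpm -K that reports NOT OK, NOKEY or MISSING KEYS as a failure, which is what the "NOKEY" warning mentioned in the note above would otherwise be.

```shell
#!/bin/sh
# Added example, not Symantec's code: make the rpm -K result a hard gate
# before install.sh runs. Key file path and RPM directory are arguments
# (assumptions); nothing here is specific to one package.

# Read rpm -K output on stdin. Return 0 only if at least one package was
# checked and every line reports a good signature made with a known key.
rpm_sig_lines_ok() {
    status=0
    seen=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        seen=1
        case "$line" in
            *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*)
                # Signed with a key that is not in the RPM key ring, or the
                # signature or digest did not verify: do not install it.
                printf 'FAIL: %s\n' "$line" >&2
                status=1 ;;
            *OK)
                ;;   # for example "pkg.rpm: digests signatures OK"
            *)
                printf 'UNRECOGNISED: %s\n' "$line" >&2
                status=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || status=1   # no output at all is not a pass
    return "$status"
}

# Import Symantec_DLP_RPM_Signing_Key.asc (step 4 on the page) and verify
# every RPM in a directory (step 6). Non-zero return means stop the install.
verify_rpm_dir() {
    key="$1"
    dir="$2"
    [ -f "$key" ] || { printf 'signing key not found: %s\n' "$key" >&2; return 1; }
    rpm --import "$key" || return 1
    rpm -K "$dir"/*.rpm | rpm_sig_lines_ok
}

# Usage (run as root in the unzip directory, before ./install.sh):
#   verify_rpm_dir Symantec_DLP_RPM_Signing_Key.asc /opt/temp || exit 1
```

The parser is deliberately strict: an unrecognised line counts as a failure, so an rpm build that changes its wording makes the check fail loudly instead of silently passing.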
The instructions that follow describe how to install an Enforce Server on a Linux computer.
These instructions assume that the EnforceServer.zip file and license file have been copied into the /opt/temp
directory on the Enforce Server computer.
1. Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you
begin the Symantec Data Loss Prevention installation process.
2. Log on as root to the Enforce Server system on which you intend to install Enforce.
3. Navigate to the directory where you copied the EnforceServer.zip file (/opt/temp/).
4. Unzip the file to the same directory (/opt/temp/).
If you are prompted whether or not to replace install.sh, enter Y for yes. The install.sh is identical for all
packages.
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm
You can also specify a file to confirm by running the following command:
rpm -qpR .rpm-file
If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo
NOTE
If you use YUM to install, you cannot override the default relocatable roots where Symantec Data Loss
Prevention is installed.
7. Restart any antivirus, pop-up blocker, or other protection software that you disabled.
8. Run the Update Readiness Tool to confirm that the Oracle database is ready to be migrated to the new instance, if you
haven't run it already.
9. Start the migration process.
Next: Migrate Data on the Enforce Server on Linux
Migrate Data on the Enforce Server on Linux
After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in the following two phases:
1. Runs a report to confirm the status of the file system
The report lists information to confirm that the file system is ready for migration and identifies issues. The report lists
saved customizations. Saved customizations include certificates, keystores, plugins, FlexResponse scripts, and
configuration file settings.
The first phase of the migration also moves data files, document profiles, property files, plugins, and keystores to the
16.0.1 instance.
2. Performs pre-checks before DLP services are taken down during the migration
The second phase of the migration moves incidents, indexes, services, and the database.
Before you start the migration, use the Upgrade Readiness tool to confirm that the Oracle database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
NOTE
Before you run the Migration Utility, you must switch to root user.
Migrate silently
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Migrator
4. Use the following command to complete the migration silently:
./migrateEnforce.sh
-silent
-sourceVersion="<previous version>"
-jreDirectory="/opt/AdoptOpenJRE/jdk8u322-b06-jre"
Where <previous version> is the version number of the previous active installation. The path /opt/AdoptOpenJRE/jdk8u322-b06-jre points to the current JRE location.
A message indicates when the migration completes.
Migrate using interactive mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Migrator
4. Run the Migration Utility by running the following command:
./migrateEnforce.sh
5. Confirm that OpenJRE is installed and that the directory is correct, then enter Y.
6. Press Enter.
If no JRE displays, you must install it before proceeding.
See Install the Java Runtime Environment on the Enforce Server on Linux.
A list of the migration phases appears.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
NOTE
The previous version continues to run, including the services and the database, after phase 1 completes.
You can exit the migration process and continue to phase 2 at a later time.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
10. If the migration fails, review the Enforce Server migration logs in MigrationUtility.log at /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/debug/ for more details.
Migrating a Previous Version Detection Server or Cluster to the Latest Version on Linux
Upgrading the detection server or cluster includes installing the new version where the existing version is running and
migrating data to the new version.
All Discover servers and cluster nodes should be upgraded to the latest version. This also applies to Windows.
NOTE
The migration process backs up services .conf files. You can locate these files at /opt/Symantec/
DataLossPrevention/DetectionServer/<source_version>/Protect/backups in a folder formatted
as service-yyyy-mm-dd-hh-mm-ss. (Replace <source_version> with the previous version number.)
You use the .conf files if you are recovering your previous version system. See Backing up and recovering on
Linux for more information about recovering your system.
Table 168: Steps to migrate the previous version to a new detection server or cluster
Step Action
You install the Java Runtime Environment (JRE) on the server computer before you install the detection server.
1. Log on as root to the Enforce Server system on which you intend to install Enforce.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_8u322-b06.tar.gz from your DLPDownloadHome/DLP/16.0.1/New_Installs/Release directory to the computer where you plan to install the Enforce Server.
3. Unzip the file contents (for example, unzip to /opt/AdoptOpenJRE).
Install a Detection Server on Linux
Follow this procedure to install the detection server software on a server computer. You
specify the type of detection server during the server registration process that follows
this installation process. See Preparing to Upgrade Symantec Data Loss Prevention.
NOTE
The following instructions assume that the DetectionServer.zip file has been copied into the /opt/temp/
directory on the server computer.
1. Log on as root to the computer on which you intend to install the detection server.
2. Copy the detection server installer (DetectionServer.zip) from the Enforce Server to a local directory on the
detection server. The DetectionServer.zip file is included in your software download (DLPDownloadHome)
directory. It should have been copied to a local directory on the Enforce Server during the Enforce Server installation
process.
3. Navigate to the directory where you copied the DetectionServer.zip file (/opt/temp/).
4. Unzip the file contents (for example, unzip to /opt/temp).
5. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm
You can also specify a file to confirm by running the following command:
rpm -qpR .rpm-file
Replace repo with the repository package name.
6. Install the detection server by running the following command:
./install.sh -t detection
After you install the version 16.0.1 detection server, you use the Migration Utility to migrate data to the new instance.
The Migration Utility migrates detection server data in two phases as listed in the following table:
Phase Description
Where <previous version> represents the previous version number. The path /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202 points to the current JRE location.
A message indicates when the migration completes.
Migrate Using Interactive Mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.1.00000/Protect/Migrator
4. Run the Migration Utility by running the following command:
./migrateDetectionServer.sh
The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
Install a Network Discover Cluster on Linux
Follow this procedure to install the Network Discover cluster software on a server computer.
You specify the type of cluster during the server registration process that follows this installation process.
Before you Begin
Complete the following prerequisites before starting the Network Discover cluster installation:
• Complete upgrade preparation steps. See Preparing to Upgrade Symantec Data Loss Prevention.
• Copy the DetectionServer.zip file into the /opt/temp/ directory on the server computer.
Steps to Install a Network Discover Cluster on Linux
The following section lists steps that you complete to install clusters on Linux platforms.
Step 1: Secure the Communications between Nodes
Create an authentication package using the DiscoverClusterKeyTool before installing worker and data nodes. The
authentication package enables encrypted communication between nodes and the Enforce Server.
1. Locate the DiscoverClusterKeyTool at /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/bin/DiscoverClusterKeyTool
2. Prepare to run the authentication package.
Enter values that include information specific to your installation. See the following table for a list of parameters and
descriptions.
Command Description
generate-package-type: Defines the type of node for which the authentication is used, including the following:
• WN for worker nodes.
• DN for a data node.
• All for both worker and data nodes.
enforce-url: (Optional) Enter the Enforce Server host name or IP. If you do not enter a value, the tool assigns the URL https://<localhost>/.
enforce-username: Enter an Enforce Server username with administrator rights.
enforce-password: Enter the password for the user specified in enforce-username.
keystore-password: (Optional) Enter a password for the keystore. If you do not specify a password, the tool assigns a randomly generated password.
truststore-password: (Optional) Enter a password for the truststore. If you do not specify a password, the tool assigns a randomly generated truststore password.
disable-ssl-verification: (Optional) Indicate whether to disable SSL verification while connecting to the Enforce Server. You can enter one of the following values:
• true disables SSL verification at the client side
• false (default) keeps SSL verification enabled at the client side
output-dir: (Optional) Define the directory where the tool creates the authentication package zip. By default, the tool creates the package in the current directory.
-disable-ssl-verification=true
-output-dir=/opt/Symantec/DataLossPrevention/DataLossPreventionDetectionServer/16.0.1.00000/Protect/keystore/discovercluste
Package type File Use
WN dlp_discover_cluster_workernode_auth.zip Use during the worker node installation.
DN dlp_discover_cluster_datanode_auth.zip Use during the data node installation.
All dlp_discover_cluster_auth.zip Contains both dlp_discover_cluster_workernode_auth.zip and dlp_discover_cluster_datanode_auth.zip. Extract the individual ZIP files for access during worker node and data node installation.
You can also confirm the dependencies of a single file by running the following command:
rpm -qpR <rpm-file>
Replace repo with the repository package name.
7. Install the detection server by running the following command:
./install.sh -t detection
The following examples list completed commands for worker nodes and data nodes. The commands that you use differ
based on your implementation requirements. Using the following commands as-is may cause the installation to fail.
• Data node example command:
./DetectionServerConfigurationUtility -silent
-jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre/
-serviceUserOption=SymantecDLP
-serviceUserUsername=protect
-bindHost=[IP or host name]
-bindPort=8100
-fipsOption=Disabled
-detectionCommunicationDefaultCertificates=Enabled
-discoverClusterRoleOption=DN
-discoverClusterIP=0.0.0.0
-discoverClusterAuthPackage=/opt/dlp_discover_cluster_datanode_auth.zip
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
-discoverClusterDiscoveryPortRange=<StartPort>..<EndPort>
-discoverClusterClientConnectionPortRange=<StartPort>..<EndPort>
Network port: Accept the default port number (8100) on which the detection server should accept connections from the Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of 1024–65535.
Network interface: Enter the detection server network interface (bind address) to use to communicate with the Enforce Server. If there is only one network interface, leave this field blank.
Node type: Define the type of server that you are installing, which includes the following:
• DN for data node
• WN for worker node
Data node IP: If you are installing the data node, enter the IP of the server where you plan to install the data node.
Network Discover cluster discovery port range: Used with the cluster IP to discover data nodes in a cluster. This parameter is required for the data node installation. The default value is 47500..47520.
Network Discover cluster client connection port range: Defines the range of ports used for communication between worker and data nodes in a cluster. This parameter is required for the data node and worker node installation. The default value is 10800..10820.
Cluster authentication package: Define the authentication package location. Target the file based on the node type that you are installing:
• Worker node: dlp_discover_cluster_workernode_auth.zip
• Data node: dlp_discover_cluster_datanode_auth.zip
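As an added example (not part of the Symantec documentation), the following Python script checks the node parameters listed above before you run DetectionServerConfigurationUtility: node type DN or WN, bind port within 1024..65535, port ranges written as Start..End, the discovery range required for data nodes, the client connection range required for both node types, ranges that do not overlap each other or the bind port, and an authentication package that matches the node type. Applying the 1024..65535 bound to the cluster port ranges is an assumption extended from the bind port rule; the host IP in the sample run is constructed.

```python
"""Pre-flight check for Network Discover cluster node parameters.

Added example, not Symantec's code: it validates the values you intend to pass
to DetectionServerConfigurationUtility against the rules in the parameter
table (node type DN/WN, bind port 1024..65535, port ranges written as
Start..End, discovery range required for DN, client connection range required
for both, role-specific authentication package). Applying the 1024..65535
bound to the cluster port ranges as well is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_BIND_PORT = 8100
DEFAULT_DISCOVERY_RANGE = "47500..47520"
DEFAULT_CLIENT_RANGE = "10800..10820"
AUTH_PACKAGE_BY_ROLE = {
    "WN": "dlp_discover_cluster_workernode_auth.zip",
    "DN": "dlp_discover_cluster_datanode_auth.zip",
}
_RANGE_RE = re.compile(r"^(\d{1,5})\.\.(\d{1,5})$")


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse 'Start..End' into (start, end); raise ValueError if malformed."""
    match = _RANGE_RE.match(text.strip())
    if not match:
        raise ValueError(f"port range must be written as Start..End, got {text!r}")
    start, end = int(match.group(1)), int(match.group(2))
    if not 1024 <= start <= end <= 65535:
        raise ValueError(f"port range {text!r} must lie within 1024..65535 with start <= end")
    return start, end


def _overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def validate_node_config(
    role: str,
    bind_port: int = DEFAULT_BIND_PORT,
    discovery_range: Optional[str] = None,
    client_range: Optional[str] = None,
    auth_package: str = "",
    cluster_ip: Optional[str] = None,
) -> List[str]:
    """Return a list of findings; an empty list means the values are consistent."""
    findings: List[str] = []
    if role not in AUTH_PACKAGE_BY_ROLE:
        return [f"node type must be DN or WN, got {role!r}"]
    if not 1024 <= bind_port <= 65535:
        findings.append(f"bind port {bind_port} is outside 1024..65535")

    # The client connection range is required for both node types; the discovery
    # range is required only for the data node (still validated if a WN supplies one).
    required: Dict[str, Optional[str]] = {"client connection": client_range}
    if role == "DN" or discovery_range is not None:
        required["discovery"] = discovery_range
    ranges: Dict[str, Tuple[int, int]] = {}
    for name, value in required.items():
        if value is None:
            findings.append(f"{name} port range is required for a {role} node")
            continue
        try:
            ranges[name] = parse_port_range(value)
        except ValueError as exc:
            findings.append(str(exc))

    # Ranges must not overlap each other, and the Enforce-facing bind port
    # must not sit inside either range.
    names = list(ranges)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if _overlaps(ranges[first], ranges[second]):
                findings.append(f"{first} range {ranges[first]} overlaps {second} range {ranges[second]}")
    for name, rng in ranges.items():
        if rng[0] <= bind_port <= rng[1]:
            findings.append(f"bind port {bind_port} falls inside the {name} range {rng}")

    expected = AUTH_PACKAGE_BY_ROLE[role]
    if not auth_package.endswith(expected):
        findings.append(f"{role} node needs {expected}, got {auth_package!r}")
    if role == "DN":
        if not cluster_ip:
            findings.append("data node IP is required for a data node")
        elif cluster_ip == "0.0.0.0":
            findings.append("data node IP is 0.0.0.0 (all interfaces); the parameter table asks for the data node host's IP")
    return findings


if __name__ == "__main__":
    # Constructed values mirroring the data node example above, with a concrete host IP.
    for finding in validate_node_config(
        "DN", 8100, DEFAULT_DISCOVERY_RANGE, DEFAULT_CLIENT_RANGE,
        "/opt/dlp_discover_cluster_datanode_auth.zip", "192.0.2.10",
    ) or ["OK: parameters are consistent"]:
        print(finding)
```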
Migrate Data on a Network Discover Cluster on Linux
After you install the version 16.0.1 Network Discover cluster, you use the Migration Utility to migrate data to the new
instance.
The Migration Utility migrates Network Discover cluster data in two phases as listed in the following table:
Phase Description
Where <previous version> represents the previous version number. The path /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_202 points to the current JRE location.
A message indicates when the migration completes.
Migrate using interactive mode
1. Open the command prompt window.
2. Switch user to root: su - root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/Migrator
4. Run the Migration Utility by running the following command:
./migrateDetectionServer.sh
5. Confirm the JRE directory that is displayed.
If no JRE is displayed, install the JRE.
6. Confirm that OpenJRE is installed and that the directory is correct, then enter Y and press Enter.
If no JRE is displayed, you must install it before proceeding.
See Install the Java Runtime Environment on a Detection Server on Linux.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
10. If the migration fails, review the Network Discover cluster migration logs in MigrationUtility.log at /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/debug/.
The process to migrate data does not move all plug-ins. See Migrating Plug-ins.
Table 174: Steps to migrate the previous version to a new single-tier installation
1 Install the Java Runtime Environment. See Installing the Java Runtime Environment for a Single-tier Installation.
2 Sign RPM files. See Sign RPM files.
3 Install the version 16.0.1 single-tier system. See Installing a Single-tier Server on Linux.
4 Migrate the previous version to the version 16.0.1 single-tier installation. See Migrating Data on a Single-tier Installation on Linux.
5 Back up the upgraded system. See Backing up your system.
Installing the Java Runtime Environment for a Single-tier Installation
You install the Java Runtime Environment (JRE) before you complete a single-tier installation.
1. Log on as root to the computer where you plan to install the single-tier system.
2. Copy OpenJDK8U-jre_x64_linux_hotspot_<version>.tar.gz from your DLPDownloadHome/DLP/16.0.1/New_Installs/Release directory to the computer where you plan to install the Enforce Server.
Where <version> represents the latest supported version.
3. Unzip the file contents (for example, unzip to /opt/AdoptOpenJRE).
Next: Installing a Single-tier Server on Linux
Installing a Single-tier Server on Linux
Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin
the Symantec Data Loss Prevention installation process.
NOTE
The following instructions assume that the SingleTierServer.zip file, license file, and solution pack file
have been copied into the /opt/temp directory on the Symantec Data Loss Prevention single-tier installation
server.
1. Log on as root to the computer that is intended for the Symantec Data Loss Prevention single-tier installation.
2. Copy the Symantec Data Loss Prevention single-tier installer (SingleTierServer.zip) from DLPDownloadHome
to a local directory on the single-tier computer (for example, /opt/temp/).
3. Unzip the file contents (for example, unzip to /opt/temp).
If you are prompted whether or not to replace install.sh, enter Y for yes. The install.sh file is identical for all packages.
4. Confirm file dependencies for RPM files by running the following command:
rpm -qpR *.rpm
If the command indicates that dependencies are missing, you can use YUM repositories to install them. Use the
following command:
yum install repo
After you install the version 16.0.1 Enforce Server, you use the Migration Utility to migrate data to the new instance. The
Migration Utility migrates Enforce Server data in the following two phases:
1. Runs a report to confirm the status of the file system
The report lists information to confirm that the file system is ready for migration and identifies issues. The report also lists saved customizations, which include certificates, keystores, plugins, FlexResponse scripts, and configuration file settings.
The first phase of the migration also moves data files, document profiles, property files, plugins, and keystores to the
16.0.1 instance.
2. Performs pre-checks before DLP services are taken down during the migration
The second phase of the migration moves incidents, indexes, services, and the database.
Before you start the migration, use the Upgrade Readiness tool to confirm that the Oracle database is ready for migration.
See Checking the database update readiness.
You can migrate data silently or using interactive mode.
The process to migrate data does not move all plug-ins. See Migrating plug-ins.
NOTE
Before you run the Migration Utility, you must switch to root user.
Migrate silently
1. Open the command prompt window.
2. Switch to root user: su root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/SingleTierServer/16.0.1.00000/Protect/Migrator
4. Run the following command as root to complete the migration using silent mode:
./migrateSingleTierServer.sh
-silent
-sourceVersion="<previous version>"
-jreDirectory="/opt/AdoptOpenJRE/jdk8u<version>-b10-jre"
Where <previous version> is the previous version number and /opt/AdoptOpenJRE/jdk8u<version>-b10-jre points to
the current JRE location.
Migrate using interactive mode
1. Open the command prompt window.
2. Switch to root user: su root.
3. Go to the following directory:
/opt/Symantec/DataLossPrevention/SingleTierServer/16.0.1.00000/Protect/Migrator
4. Run the Migration Utility using the following command:
./migrateSingleTierServer.sh
5. Confirm that OpenJRE is installed and that the directory is correct, then enter Y.
6. Press Enter.
If no JRE displays, you must install it before proceeding.
See Installing the Java Runtime Environment for a Single-tier Installation.
A list of the migration phases appears.
7. Enter Y and press Enter to start phase 1.
After phase 1 completes, a message provides a path to where you can access the phase 1 report. The report lists
details about the data files, document profiles, property files, plugins, and keystores that were migrated. Resolve any
errors listed on this page before proceeding to phase 2.
8. Select the active Symantec Data Loss Prevention version to migrate and press Enter.
NOTE
The previous version continues to run, including the services and the database, after phase 1 completes.
You can exit the migration process and continue to phase 2 at a later time.
9. Enter Y and press Enter to start phase 2.
A message indicates when the migration completes.
NOTE
If the upgrade fails because of DatabaseProcessCheck, see Stop all Symantec Data Loss Prevention
database sessions.
10. If the migration fails, review the Enforce Server migration logs in MigrationUtility.log at /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/debug/ for more details.
Parameter Default Description
-t N/A This required parameter defines the installation type. Enter one of the following, depending on what you plan to install:
• enforce
• detection
• singletier
• indexers
-i /opt/Symantec/DataLossPrevention Defines the path to the installation directory. You can indicate a path where you want to relocate the installation type.
-d /var/Symantec/DataLossPrevention Defines the path to the data directory.
-l /var/log/Symantec/DataLossPrevention Defines the path to the logs directory.
-r /var/run/Symantec/DataLossPrevention Defines the path to the run directory.
-s /var/spool/Symantec/DataLossPrevention Defines the path to the spool directory.
Verifying that the Enforce Server and the detection servers are running
Verify that the Enforce Server is running.
Check that all of the detection servers to be upgraded are running the appropriate Symantec Data Loss Prevention
version.
1. Log on to the Enforce Server.
2. Go to System > Servers and Detectors > Overview and check that the Symantec Data Loss Prevention servers are
running.
Related Links
Upgrading Symantec Data Loss Prevention on page 372
Symantec Data Loss Prevention Upgrade Phases on page 352
Complete the upgrade in the phases that are described in the following sections.
NOTE
Npcap is also recommended for any type of Windows-based detection server you deploy.
1. Download Npcap from https://nmap.org/npcap.
2. Run the npcap-<version>.exe file.
3. On the Installation Options screen select Install Npcap in WinPcap API-compatible Mode.
4. Click Install.
Updating an appliance
You update appliance software using the Enforce Server administration console.
For steps to update an appliance, see Updating appliance software.
Table 176: Upgrade process for Symantec DLP Agents
Step Action Description
1 Create the Symantec Data Loss Prevention Agent installation package. You create the agent installation package using the Enforce Server administration console. This package contains a BAT file that you use to upgrade Windows agents and a PKG file that you use to upgrade the Mac agents. See Secure Communications Between DLP Agents and Endpoint Servers.
2 Bundle the Mac agent installation files if you plan to upgrade Mac agents. See Process to upgrade the DLP Agent on Mac.
3 Install the upgrade package on endpoints. Choose one of the following upgrade methods:
• Upgrade the DLP Agent by using silent upgrades. See Upgrading the Windows agent silently and Upgrading DLP Agents on Mac endpoints silently.
• Upgrade the DLP Agent manually. See Upgrading the Windows agent manually and Upgrading the DLP Agent for Mac manually.
• Performing the DLP Agent Upgrade for Linux.
For instructions about migrating endpoints from the default DLP Agent certificate to a custom certificate, see Configuring
DLP Agents to Use Custom Certificates.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
Related Links
Generating agent installation packages on page 415
Agent installation package contents on page 417
Generate the agent installation package for agents at the System > Agents > Agent Packaging screen.
Step Action Description
1 Navigate to the Agent Packaging page. Log on to the Enforce Server administration console as an administrator and navigate to the System > Agents > Agent Packaging page.
2 Select one or more DLP Agent installation files. Browse to the folder on the Enforce Server where you copied the agent installer files. The following installer files are available:
• Windows 64-bit: AgentInstall-x64_16_0_1.msi
• Windows 32-bit: AgentInstall-x86_16_0_1.msi
• Linux 64-bit: For Linux distributions, you package each operating system type separately.
– Red Hat Enterprise Linux: AgentInstall-x86_64_16_0_1.rpm
– Ubuntu: AgentInstall-x86_64_16_0_1.deb
• Mac 64-bit: AgentInstall_16_0_1.pkg
3 Enter the server host name. Typically you enter the common name (CN) of the Endpoint Server host, or you can enter the IP address of the server. Be consistent with the type of identifier you use (CN or IP). If you used the CN for the Endpoint Server when deploying it, use the same CN for the agent package. If you used an IP address to identify the Endpoint Server, use the same IP address for the agent package. Alternatively, you can enter the CN or IP address of a load balancer server.
Note: The Enforce Server administration console does not accept IPv6 addresses as input. Instead of specifying an IPv6 address, enter the host name.
Note: To ensure that IPv6-only endpoints can communicate with an Endpoint Prevent Server, make sure that the Endpoint Prevent Server is running on a dual-stack host. If the Endpoint Prevent Server is running on an IPv4 host, you might need to configure NAT devices to translate the IP addresses of IPv6-only endpoints.
4 Enter the port number for the server. The default port is 10443. Typically you do not need to change the default port unless it is already in use or intended for use by another process on the server host.
5 Add additional servers (optional). Click the plus sign to add additional servers for failover. If you configure agents to connect to more than one Endpoint Prevent Server, you can specify a mix of servers that use the DLP Default KeyStore and servers that use custom keystores.
Note: Symantec Data Loss Prevention allots 2048 characters for Endpoint Server names. This allotment includes the characters that are used for the Endpoint Server name, port numbers, and semicolons to delimit each server.
The first server that is listed is the primary; additional servers are secondary and provide backup if the primary is down. See About Endpoint Server redundancy.
6 Enter the Endpoint tools password. A password is required to use the Endpoint tools to administer DLP Agents. The Endpoint tools password is case-sensitive. The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten. After installing agents, you can change the password on the Agent Password Management screen. See About agent password management.
7 Re-enter the Endpoint tools password. The system validates that the passwords match and displays a message if they do not.
8 Enter the target directory for the agent installation (Windows only). The default installation directory for Windows 32- and 64-bit agents is %PROGRAMFILES%\Manufacturer\Endpoint Agent. Change the default path if you want to install the Windows agent to a different location on the endpoint host. You can only install the DLP Agent to an ASCII directory using English characters. Using non-English characters can prevent the DLP Agent from starting and from monitoring data in some scenarios.
Note: Include the drive letter if you plan to change the default directory. For example, use C:\Endpoint Agent. Not including a drive letter causes the agent installation to fail.
The target directory for the Mac agent is set by default.
9 Enter the uninstall password (optional, Windows only). The agent uninstall password is supported for Windows agents. The uninstall password is a tamper-proof mechanism that requires a password to uninstall the DLP Agent. The password is encrypted and stored in a file on the Enforce Server. You should store this password in a secure format of your own so that it can be retrieved if forgotten. For information on uninstalling Mac agents, see Removing a DLP Agent from a Mac Endpoint. After installing agents, you can change the password on the Agent Password Management screen. See About agent password management.
10 Re-enter the uninstall password. The system validates that the passwords match and displays a message if they do not.
11 Select the truststore that contains the certificate that is used to validate the Endpoint Prevent Server certificate. You can select either the default truststore that contains the self-signed certificate and key or a custom truststore that you added. If you configured the Endpoint Prevent Servers to use a custom certificate, select the truststore that contains the corresponding CA public certificate that can validate the custom Endpoint Prevent Server certificate.
Note: If you previously chose to use the DLP Default TrustStore while creating agent packages, you can switch to a custom truststore the next time you generate new packages for upgrading agents.
12 Click Generate Installer Packages. This action generates the agent installer package for each platform that you selected in step 3. The generation process may take a few minutes.
13 Save the agent package zip file. When the agent packaging process is complete, the system prompts you to download the agent installation package. Save the zip file to the local file system. After you save the file you can navigate away from the Agent Packaging screen to complete the process. The zip file is named according to the agent installer you uploaded:
• AgentInstaller_Win64.zip
• AgentInstaller_Win32.zip
• AgentInstaller_Linux64.zip
• AgentInstaller_Mac64.zip
If you upload more than one agent installer, the package name is AgentInstallers.zip. In this case, the zip file contains separate zip files for each agent package for each platform you selected in step 3.
14 Install DLP Agents using the agent package. Once you have generated and downloaded the agent package, you use it to install all agents for that platform.
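As an added example (not part of the Symantec documentation), the following Python script applies the Endpoint Server rules from the table above to the server list you intend to enter: every server identified the same way (CN or IP), no IPv6 literals (the console wants the host name), valid ports with 10443 as the default, the first entry as the primary, and the 2048-character allotment covering names, ports and delimiting semicolons. The host:port;host:port layout used to measure that length, and the server names in the sample run, are assumptions.

```python
"""Consistency checks for the Endpoint Server list entered during agent packaging.

Added example, not Symantec's code. It applies the rules stated in the agent
packaging table: identify every server the same way (CN or IP address), IPv6
literals are not accepted (enter the host name), the default port is 10443,
the first server is the primary, and the combined server names, ports and
delimiting semicolons may not exceed 2048 characters. The 'host:port;host:port'
layout used to measure that length is an assumption about how the console
stores the list.
"""
import ipaddress
from typing import List, Sequence, Tuple

DEFAULT_ENDPOINT_PORT = 10443
MAX_SERVER_STRING = 2048


def classify_identifier(host: str) -> str:
    """Return 'ipv4', 'ipv6' or 'cn' for an Endpoint Server identifier."""
    try:
        return "ipv4" if ipaddress.ip_address(host).version == 4 else "ipv6"
    except ValueError:
        return "cn"


def build_server_string(servers: Sequence[Tuple[str, int]]) -> str:
    """Join (host, port) pairs in the assumed 'host:port;host:port' layout."""
    return ";".join(f"{host}:{port}" for host, port in servers)


def check_endpoint_servers(servers: Sequence[Tuple[str, int]]) -> List[str]:
    """Return findings for an ordered list of (host, port); the first entry is the primary."""
    findings: List[str] = []
    if not servers:
        return ["at least one Endpoint Server (the primary) is required"]
    kinds = set()
    for host, port in servers:
        host = host.strip()
        if not host:
            findings.append("empty server name")
            continue
        kind = classify_identifier(host)
        if kind == "ipv6":
            findings.append(f"{host}: IPv6 address is not accepted; enter the host name instead")
            continue
        kinds.add(kind)
        if not 1 <= port <= 65535:
            findings.append(f"{host}: port {port} is not a valid TCP port")
    if len(kinds) > 1:
        findings.append("mix of CN and IP identifiers; use the same type you used when deploying the Endpoint Servers")
    joined = build_server_string(servers)
    if len(joined) > MAX_SERVER_STRING:
        findings.append(f"server string is {len(joined)} characters, over the {MAX_SERVER_STRING} allotment")
    return findings


if __name__ == "__main__":
    # Constructed primary plus one failover server, both identified by CN on the default port.
    sample = [("eps01.corp.example", DEFAULT_ENDPOINT_PORT), ("eps02.corp.example", DEFAULT_ENDPOINT_PORT)]
    print(check_endpoint_servers(sample) or ["OK: server list is consistent"])
```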
Related Links
Agent installation package contents on page 417
The Mac agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the installation script for macOS.
File Description
endpoint_truststore.pem
addin_trustore.pem, addin_cert.pem, addin_priv.pem Agent certificates required for Outlook monitoring.
install_agent.sh Use to install the DLP Agent.
Install_Readme.rtf Provides commands for packaging and installing the agent.
The agent installation package for Windows agents contains the endpoint certificates, installation files, and the package manifest.
Linux Agent Package Contents
The Linux agent package contains endpoint certificates, installation files, the package manifest, and a file to generate the installation script for Linux distributions.
Related Links
Secure Communications between DLP Agents and Endpoint Servers upgrade on page 414
Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure
communications between DLP Agents and Endpoint Servers.
Table 181: Process to upgrade agents on Windows endpoints
Step Action Reference
1 Prepare endpoints that have Safe Mode monitoring enabled. Upgrading previous version DLP Agents with Windows Safe Mode monitoring enabled
2 Upgrade the agent. You can upgrade an agent manually when you want to test the configuration, or upgrade the agents using your SMS to upgrade many agents at one time. Upgrading the Windows agent manually; Upgrading the Windows agent silently
Upgrading previous version DLP Agents with Windows Safe Mode monitoring enabled
If you are upgrading DLP Agents with Safe Mode monitoring enabled, you must delete the registry entries for the TDI
drivers before you upgrade the agents.
Locate and delete the following TDI registry entries on each endpoint with Safe Mode monitoring enabled:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdifdvvvv.sys]
For the file tdifdvvvv.sys, replace vvvv with the DLP Agent version. For example, DLP Agent version 12.5.2 would
display as tdifd1252.sys.
Related Links
Process to upgrade the DLP Agent on Windows on page 419
NOTE
These steps assume that you have generated the agent installation package. See Generating agent installation
packages.
1. In your SMS package, specify the upgrade_agent.bat package.
NOTE
Do not rename the upgrade_agent.bat file for any reason. If you rename this file, your systems
management software cannot recognize the file and the installation fails.
2. Specify the upgrade_agent.bat installation properties.
When you install the Symantec DLP Agent, your systems management software issues a command to the specified
endpoints. The following is an example of what the command might look like:
For details on entering this information into your particular systems management software, see the software product
documentation.
After you upgrade the agents, the DLP Agent service automatically starts on each endpoint computer. Log on to the
Enforce Server and go to System > Agents > Overview, then locate the upgraded agent. Verify that the newly upgraded
agent is registered by confirming that the latest version displays in the list.
Related Links
Process to upgrade the DLP Agent on Windows on page 419
Before you upgrade DLP Agents on Mac endpoints, confirm that you have completed the prerequisite steps. See About Symantec Data Loss Prevention Agent upgrades.
Step Action Reference
1 Package the Mac agent installation files. You compile the Mac agent installation files into one PKG file. You later use this file to manually upgrade an agent, or insert it in your SMS to upgrade many Mac endpoint agents simultaneously. You can also add endpoint tools to the package and add a custom package identifier. Packaging Mac agent upgrade files
2 Upgrade the agent. You can upgrade an agent manually when you want to test the configuration, or upgrade the agents using your SMS to upgrade many agents at one time. Upgrading the DLP Agent for Mac manually; Upgrading DLP Agents on Mac endpoints silently
3 Confirm that the Mac agent service is running. Confirming that the Mac agent is Running
4 (Optional) Review the upgraded Mac agent components. These components include the drivers that prevent tampering and keep the agent running. What gets upgraded for DLP Agents on Mac endpoints
Command Description
$ cd /tmp/MacInstaller Changes to the path where the Mac agent upgrade files reside.
$ ./create_package Calls the create_package tool.
-i <com.company.xyz> (Optional) Includes a custom package identifier. You can register the DLP Agent installer receipt data with a custom package identifier. Replace <com.company.xyz> with information specific to your deployment.
-t ./Tools (Optional) Tells create_package to bundle the agent tools. See About optional maintenance tools.
The following is an example of what the completed command might look like:
After you execute the command, a message displays the package creation status.
A file that is named AgentInstall_WithCertificates.pkg is created in the location you indicated. Based on the
example, AgentInstall_WithCertificates.pkg is created at /tmp/MacInstaller.
3. (Optional) If you opted to register the DLP Agent with a custom package identifier, verify the custom package identity.
Execute the following command:
$ pkgutil --pkg-info <com.company.xyz>
Related Links
Packaging Mac agent upgrade files on page 422
Table 184: Instructions for upgrading the DLP Agent on a Mac endpoint
Step Action Description
3 Verify the Mac agent upgrade. To verify the Mac agent upgrade, open the Activity Monitor and search for the edpa process. It should be up and running. The Activity Monitor displays processes being run by the logged on user, and edpa runs as root. Select View All Processes to view edpa if you are not logged on as the root user. You can also confirm that the agent was installed to the default directory: /Library/Manufacturer/Endpoint Agent.
4 (Optional) Troubleshoot the upgrade. If you experience upgrade issues, use the Console application to check the log messages. Review the Mac Agent installer logs at /var/log/install.log. In addition, you can rerun the installer with the -dumplog option to create detailed installation logs. For example, use the command sudo installer -pkg /tmp/AgentInstall/AgentInstall_15_8.pkg -target / -dumplog. Replace /tmp/MacInstaller with the path where you unzipped the agent installation package.
5 (Optional) Review information about the Mac agent installation. See What gets upgraded for DLP Agents on Mac endpoints.
Related Links
Process to upgrade the DLP Agent on Mac on page 421
NOTE
If messages indicate that the process failed, review the install.log file that is located in the /var/log
directory on each Mac endpoint.
Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877
If you are running macOS 10.15 or later, the SEHA application must be running. If SEHA is not running, the Endpoint Security Client Down agent event is logged and the endpoint goes into a critical state. For the SEHA application to run, you must configure disk access using MDM profiles. See Complete macOS Endpoint Agent Installation Prerequisites.
Component Description
Endpoint Agent daemon (EDPA) The installation process places the EDPA files here: /Library/Manufacturer/Endpoint Agent. The com.symantec.manufacturer.agent.plist file contains configuration settings for the Endpoint Agent daemon. This file is located at /Library/LaunchDaemons/.
Encrypted database Each DLP Agent maintains an encrypted database at the endpoint. The database stores incident metadata, incident contents on the host file system, and, if needed, the original file that triggered the incident. The DLP Agent analyzes the content locally.
Log files The DLP Agent logs information on completed and failed processes.
Database (rrc.ead) This database maintains and contains non-matching entries for rules results caching (RRC). See About rules results caching (RRC).
Related Links
Setting up and configuring Endpoint Discover on page 1886
How to implement Endpoint Prevent on page 1877
Steps to Install the Agent on Linux Endpoints
Complete the following steps to install agents on Linux endpoints:
1. Completing the Linux Endpoint Agent Upgrade Prerequisites
2. (Optional) Signing RPM Files for Linux Endpoints
3. Performing the DLP Agent Upgrade for Linux
4. Confirm That the Linux Agent is Running
The DLP Agent requires permissions to be set for executable files. If permissions are not applied, the agent upgrade fails.
1. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
2. Enable repository access on the endpoint to ensure that required packages are installed during the agent upgrade.
Skip this step if the required packages are already installed on the endpoint.
3. Locate the agent installation package ZIP (AgentInstaller_Linux64.zip).
This file is generated during the agent installation packaging process. See Agent installation package contents.
4. Unzip the file to the Linux endpoint at /opt/temp/LinuxInstaller.
NOTE
You only need to run sudo chmod +x *.rpm if the permissions on the endpoint must be changed.
Signing RPM Files for Linux Endpoints
NOTE
If you try to install and do not use the RPM signing key, a "NOKEY" warning message displays during the
installation.
1. Locate the Symantec_DLP_Linux_Signing_Key.asc file in the DLPDownloadHome directory. The
Symantec_DLP_Linux_Signing_Key.asc is packaged in the Symantec_DLP_16.0.1_Agent_Lin-IN.zip
file.
2. Copy the Symantec_DLP_Linux_Signing_Key.asc file to the computer where you plan to install the DLP Agent.
3. Use sudo credentials to log on to the computer where you plan to install the DLP Agent.
4. Import the key to the RPM key ring by running the following command:
rpm --import Symantec_DLP_RPM_Signing_Key.asc
6. Verify the signature of the files before installing them:
• For Linux endpoints, run the following command: rpm -K *.rpm
• For Ubuntu endpoints, run the following commands:
sudo gpg --import Symantec_DLP_DEB_Signing_Key.asc
sudo gpg --verify AgentInstall-x86_64_16.0.1.deb
sudo dpkg-sig --verify AgentInstall-x86_64_16.0.1.deb
These steps assume you have completed prerequisites and generated the agent installation package.
Upgrade the DLP Agent
Complete the following steps for upgrading the DLP Agent for Linux manually.
1. Open a terminal and go to /opt/temp/LinuxInstaller.
2. Upgrade the Linux agent by running the following command on the target endpoint:
sudo ./install_agent.sh
Command:
sudo rpm -qip '/root/Downloads/AgentInstaller_Linux64/AgentInstall-x86_64_16_0_1.rpm'
Output:
Name : AgentInstall
Version : 16.0.10000.60239
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : Unspecified
Size : 567801693
License : Broadcom
Signature : RSA/SHA256, Monday 20 February 2023 04:43:01 AM CST, Key ID 0b2b5c54b891399b
Source RPM : AgentInstall-16.0.10000.60239-1.src.rpm
Build Date : Monday 20 February 2023 04:41:35 AM CST
Build Host : cb-rh65-xoxo
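As an added example (not Symantec's tooling), the following Python script parses the rpm -qip header output shown above, embedded here as sample input, and checks that the Signature field carries an RSA/SHA256 signature from the expected key ID and that Version belongs to the release you intend to install. The key ID 0b2b5c54b891399b is used only because it is the one visible in that sample output; rpm -K and the imported signing key from the RPM signing steps perform the actual cryptographic verification, and this check only confirms which key a package claims to be signed with before you install it.

```python
"""Check an RPM's signature metadata before installing it.

Added example, not Symantec's code. It parses 'rpm -qip' header output and
confirms that the Signature field names an RSA/SHA256 signature from the key
ID you expect, and that Version starts with the intended release. Run
'rpm --import' and 'rpm -K' as the procedure describes for the real check;
this only reports which key the package claims. The sample below copies the
output shown on this page.
"""
import re
from typing import Dict, List

SAMPLE_RPM_QIP = """Name : AgentInstall
Version : 16.0.10000.60239
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : Unspecified
Size : 567801693
License : Broadcom
Signature : RSA/SHA256, Monday 20 February 2023 04:43:01 AM CST, Key ID 0b2b5c54b891399b
Source RPM : AgentInstall-16.0.10000.60239-1.src.rpm
Build Date : Monday 20 February 2023 04:41:35 AM CST
Build Host : cb-rh65-xoxo
"""

# Key ID taken from the sample output above; replace with the ID of the key you imported.
EXPECTED_KEY_ID = "0b2b5c54b891399b"
_KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def parse_rpm_info(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict, splitting on the first colon only."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        info[field.strip()] = value.strip()
    return info


def check_package(info: Dict[str, str], expected_key_id: str, expected_version_prefix: str) -> List[str]:
    """Return findings; an empty list means the package metadata matches expectations."""
    findings: List[str] = []
    signature = info.get("Signature", "")
    if signature.lower() in ("", "(none)"):
        findings.append("package is not signed (Signature is empty or (none))")
    else:
        match = _KEY_ID_RE.search(signature)
        if not match:
            findings.append(f"could not find a key ID in Signature: {signature!r}")
        elif match.group(1).lower() != expected_key_id.lower():
            findings.append(f"signed with key {match.group(1)}, expected {expected_key_id}")
        if not signature.startswith("RSA/SHA256"):
            findings.append(f"unexpected signature algorithm: {signature.split(',')[0]}")
    version = info.get("Version", "")
    if not version.startswith(expected_version_prefix):
        findings.append(f"version {version!r} does not match the expected release {expected_version_prefix}")
    return findings


if __name__ == "__main__":
    parsed = parse_rpm_info(SAMPLE_RPM_QIP)
    print(check_package(parsed, EXPECTED_KEY_ID, "16.0.1") or ["OK: signer and version match"])
```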
Post-upgrade tasks
Perform certain tasks after you finish upgrading Symantec Data Loss Prevention.
Performing post-upgrade tasks
Verifying Symantec Data Loss Prevention operations
Updating Connections to the Cloud Detection Service
Migrating Plug-ins
About securing communications between the Enforce Server and the database
About remote indexers
About updating the JRE to the latest version
Complete the following steps in the current Symantec Data Loss Prevention version.
1. Add a cloud detector.
For more information, see Adding a cloud detector.
2. Complete the following steps to select the cloud detector in the Gatelet or Securelet configuration.
a) Navigate to the Manage > Application Detection > Configuration page.
b) Click the edit icon for the Cloud Connector that you want to modify.
The Edit Configuration page appears.
c) Select the cloud detector in the Rest Detectors area.
d) Save your changes.
Migrating Plug-ins
During the upgrade process, the Migration Utility moves plug-ins from the previous version system to the new system location:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.1.00000\Protect\plugins
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.1.00000/Protect/plugin
The following plug-ins are migrated, listed by platform (Windows path, then Linux path):
• FileShare\plugin_settings / FileShare/plugin_settings
• MicrosoftRightsManagementPlugin\rightsManagementConfiguration / MicrosoftRightsManagementPlugin/rightsManagementConfiguration
• MicrosoftRightsManagementPlugin\rightsManagementConfigurationProtection / MicrosoftRightsManagementPlugin/rightsManagementConfigurationProtection
• contentextraction\MarkupTestPlugin / contentextraction/MarkupTestPlugin
The Migration Utility does not move plug-ins in other locations, custom plug-ins, custom scripts, previous version log files, or JAR files to the new version system location. You must copy these files to the new location manually.
1. Locate the files you plan to move.
Most plug-ins and scripts are stored on the previous version system at one of the following locations:
• Windows: SymantecDLP\Protect\plugins
• Linux: /opt/SymantecDLP/Protect/plugins
2. Copy the files to the following locations on the new version system based on server and platform:
About securing communications between the Enforce Server and the database
You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the
database server in a three-tier environment. You create unique, self-signed certificates that you store on the Enforce
Server.
You must upgrade Symantec Data Loss Prevention before you secure communications between the Enforce Server and the database using TLS, because the Symantec Data Loss Prevention upgrade process cannot communicate with the database over TLS.
Table 121: Steps to secure communications between the Enforce Server and the database describes the process to secure communications between the Enforce Server and the database.
Table 187: Steps to secure communications between the Enforce Server and the database
1. Generate the self-signed certificates using the orapki command-line utility that is provided with the Oracle database. See About orapki command line options and Using orapki to generate the server certificate on the Oracle database.
2. Configure the JDBC driver on the Enforce Server to use the TLS connection and port. See Configuring communication on the Enforce Server.
3. Configure the server certificate on the Enforce Server. See Configuring the Server Certificate on the Enforce Server.
4. Verify the database certificate usage on the Enforce Server. See Verifying the Enforce Server database certificate usage.
Table 188: Orapki utility examples
• Create a wallet. You use this command to create a wallet where certificates are stored; the command also creates the server_wallet directory.
Windows: orapki wallet create -wallet c:\oracle\wallet\server_wallet -auto_login -pwd password
Linux: orapki wallet create -wallet ./server_wallet -auto_login -pwd password
• Add a certificate. You use this command to add a self-signed certificate and a pair of private/public keys to the wallet.
Windows: orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
Linux: orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd password -sign_alg sha256
• Display the wallet. You use this command to view the contents of the wallet to confirm that the self-signed certificate was created successfully.
Windows: orapki wallet display -wallet c:\oracle\wallet\server_wallet
Linux: orapki wallet display -wallet /opt/oracle/wallet/server_wallet
• Export the certificate. You use this command to export the self-signed certificate. In addition to exporting the certificate, the command creates the file cert.txt in a location based on your platform (Windows: c:\oracle\wallet\server_wallet; Linux: /opt/oracle/wallet/server_wallet).
Windows: orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
Linux: orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt
Related Links
Using orapki to generate the server certificate on the Oracle database on page 432
2. Go to the oracle directory by running the following command (based on your platform):
• Windows: cd c:\oracle
• Linux: cd /opt/oracle
3. Create the wallet directory by running the following command:
mkdir wallet
cd wallet
4. Create a wallet on the Oracle server with auto login enabled by running the following command (based on your platform):
• Windows: At the directory c:\oracle\wallet, run:
orapki wallet create -wallet .\server_wallet -auto_login -pwd walletpassword
• Linux: At the directory /opt/oracle/wallet, run:
orapki wallet create -wallet ./server_wallet -auto_login -pwd walletpassword
NOTE
Use a wallet password that adheres to the password policy. Passwords must have a minimum length of eight
characters and contain alphabetic characters combined with numbers or special characters.
On Oracle 12c systems, the Operation is successfully completed message displays when the command completes.
The following two files are created under the server_wallet directory (among similarly named .lck files):
• cwallet.sso
• ewallet.p12
5. Generate the self-signed certificate and add it to the wallet by running the following command (based on your platform):
• Windows:
orapki wallet add -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd walletpassword -sign_alg sha256
• Linux:
orapki wallet add -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -keysize 2048 -self_signed -validity 3650 -pwd walletpassword -sign_alg sha256
Replace oracleserver with the name of the computer where Oracle is running.
6. View the wallet to confirm that the certificate was created successfully by running the following command (based on
your platform):
• Windows:
orapki wallet display -wallet c:\oracle\wallet\server_wallet
• Linux:
orapki wallet display -wallet /opt/oracle/wallet/server_wallet
When the certificate is created successfully, the command returns information in the following form:
Requested Certificates:
User Certificates:
Subject: CN=oracleserver
Trusted Certificates:
Subject: CN=oracleserver
7. Export the certificate by running the following command (based on your platform):
• Windows:
orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=oracleserver" -cert c:\oracle\wallet\server_wallet\cert.txt
• Linux:
orapki wallet export -wallet /opt/oracle/wallet/server_wallet -dn "CN=oracleserver" -cert /opt/oracle/wallet/server_wallet/cert.txt
8. Confirm that cert.txt is created at the following location (based on your platform):
• Windows: c:\oracle\wallet\server_wallet
• Linux: /opt/oracle/wallet/server_wallet
Next: Configuring communication on the Enforce Server
7. Navigate to the admin directory (based on your platform):
• Windows: %ORACLE_HOME%\network\admin
• Linux: $ORACLE_HOME/network/admin
8. Open the sqlnet.ora file. Create a new sqlnet.ora file if it does not exist.
9. Replace the line SQLNET.AUTHENTICATION_SERVICES=(TNS) with the following (based on your platform):
• Windows:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = c:\oracle\wallet\server_wallet)))
• Linux:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /opt/oracle/wallet/server_wallet)))
LISTENER_PROTECT =
(ADDRESS = (PROTOCOL = TCPS)(HOST = [oracle host name])(PORT = 2484))
The listener status displays in the command prompt. If the command prompt indicates that the listener is running but
no services are running on the database, run the following commands:
su - oracle (Only required for Linux)
export ORACLE_SERVICE_NAME=protect
sqlplus /nolog
If Connected to an idle instance appears, run the following command:
SQL> startup
SQL> exit
lsnrctl status
Next: Configuring the Server Certificate on the Enforce Server
NOTE
If the server certificate on the Oracle database is signed by a public CA (instead of being self-signed), skip to
step 4.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Replace <version> with the OpenJRE version running on your system.
a) Copy the cert.txt file to the security folder:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change the directory by running the following command based on your platform:
• Windows: cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (on Windows) or as the root user (on Linux):
keytool -import -alias oracleservercert -keystore cacerts -file cert.txt
4. Restart all Symantec Data Loss Prevention services.
Next: Verifying the Enforce Server database certificate usage
Related Links
About securing communications between the Enforce Server and the database on page 431
Step 3: Install the OpenJRE. See Installing the OpenJRE for steps to install.
Note: The latest JRE improves LDAP security. However, the improved security may cause the SSL connection to Microsoft Active Directory to fail. If the SSL connection fails, add the following key to your SymantecDLPManager.conf file, then restart the Enforce Server:
wrapper.java.additional.30=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
This property turns off the JRE's LDAP endpoint (host name) identification check for the connection, so the stricter check is bypassed rather than satisfied.
Step 4: Update the JRE. See Updating the JRE to the latest version on Windows and Updating the JRE to the latest version on Linux.
Step 5: Reinstate the CA certificates included in the cacerts file backup. See Reinstate CA certificates.
3. Download the file (in ZIP or tar.gz format) and move it to the Enforce Server and the detection servers.
4. Unzip the file to the JRE directory on the server.
Symantec recommends that you use the following directory:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre
The unzipping process completes the installation.
Updating the JRE to the latest version on Windows
After the migration process completes, you have the option to delete the previous version directory (at C:\Program
Files\AdoptOpenJRE\jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE
version. You can also safely leave the previous JRE version on the server.
Update the JRE using silent mode
After the migration process completes, you have the option to delete the previous version directory (at C:\Program
Files\AdoptOpenJRE\jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE
version. You can also safely leave the previous JRE version on the server.
Update the JRE using interactive mode
During the migration process, all Symantec Data Loss Prevention services are shut down and restarted automatically.
1. Log on as a root user.
2. Create a directory called /JREMigrationUtility.
3. Move the JREMigrationUtility.zip file to the /JREMigrationUtility directory.
4. Unzip JREMigrationUtility.zip.
5. Open a command prompt and navigate to the /JREMigrationUtility/Migrator directory.
6. Execute the following command:
./ServerJREMigrationUtility -jreDirectory=<JRE directory>
Where <JRE directory> is the directory where the JRE is located (for example, /opt/AdoptOpenJRE/jdk8u<version>-b10-jre).
7. Choose the Symantec Data Loss Prevention version where you are upgrading the JRE. Enter the number
corresponding with the version.
8. Press Enter.
The migration process displays in the command line. You can find the migration log (MigrationUtility.log) in the
/JREMigrationUtility/Migrator folder.
After the migration process completes, you have the option to delete the previous version directory (at /opt/
AdoptOpenJRE/jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE version.
You can also safely leave the previous JRE version on the server.
Update the JRE using silent mode
Table 191: Silent mode parameters on Linux
After the migration process completes, you have the option to delete the previous version directory (at /opt/
AdoptOpenJRE/jdk8u<previous_version>-b10-jre), where previous version refers to the previous JRE version.
You can also safely leave the previous JRE version on the server.
Reinstate CA certificates
You reinstate the cacerts file to ensure that various components can communicate with Symantec Data Loss
Prevention.
These steps assume you have updated the JRE.
1. Export any custom certificates from the cacerts backup you created.
Backing up the cacerts file
The cacerts file may include expired or obsolete certificates. Select certificates that you have previously
imported into the cacerts file. Selecting previously imported certificates ensures that the cacerts file
includes certificates required for communicating with Symantec Data Loss Prevention components.
2. Import the certificates to the new cacerts file.
Locate the cacerts file at one of the following locations:
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\lib\security\
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security
Related Links
Reverting the JRE on Windows on page 443
Reverting the JRE on Linux on page 443
Reverting the JRE on Windows
Replace <JRE directory> with the directory where the previous JRE is located.
4. Choose the Symantec Data Loss Prevention version where you are upgrading the JRE. Enter the number
corresponding with the version.
You can uninstall the unused JRE version, but you are not required to do so.
Reverting the JRE on Linux
Replace <JRE directory> with the directory where the previous JRE is located.
You can uninstall the unused JRE version, but you are not required to do so.
Stop all Symantec Data Loss Prevention database sessions
The upgrade process fails if database sessions remain active during the migration. Confirm that the database
DatabaseProcessCheck action is stopped before starting the Enforce Server migration.
1. Reboot the previous version Enforce Server.
2. Access the server where the database is running.
3. Start SQL*Plus:
sqlplus /nolog
6. Confirm that the machine referenced does not have DLP services running. If services are running, stop them.
7. Rerun the query in step 5 to confirm that sessions are no longer running. If sessions are still running in the database,
continue to the next step. If no sessions are running, rerun phase 2 of the Enforce Server migration process.
See Migrate Data on the Enforce Server on Windows.
See Migrating data on a single-tier installation on Windows.
See Migrate Data on the Enforce Server on Linux.
See Migrating Data on a Single-tier Installation on Linux.
8. Run the following SQL command to stop orphaned sessions:
SET SERVEROUTPUT ON;
DECLARE
  -- Select the DLP application sessions that may still be connected.
  CURSOR inactive_process IS
    SELECT 'ALTER SYSTEM KILL SESSION ' || '''' || sid || ',' || serial# || ''''
             AS kill_stmt, module, sid, serial#
    FROM v$session
    WHERE (
      UPPER(module) LIKE 'VONTU%' OR
      UPPER(client_identifier) LIKE 'VONTU%' OR
      UPPER(module) = 'SYMANTEC DLP: INCIDENT DELETOR' OR
      UPPER(module) = 'DATAUSER_MERGE' OR
      UPPER(module) = 'DATA INSIGHT DATA REFRESH'
    ) AND
    -- Leave the statistics job and the schema upgrader itself running.
    module <> 'Vontu Refresh CBO Stats' AND
    UPPER(module) NOT LIKE '%SCHEMA UPGRADER%';
BEGIN
  -- Print each KILL SESSION statement, then execute it.
  FOR x IN inactive_process LOOP
    DBMS_OUTPUT.put_line(x.kill_stmt);
    EXECUTE IMMEDIATE x.kill_stmt;
  END LOOP;
END;
/
You may also need to install the Update for Universal C Runtime in Windows. See https://support.microsoft.com/en-us/kb/2999226.
• The Symantec Data Loss Prevention license file for your deployment.
• If your deployment uses Symantec Management Console, the host name or IP address of the Symantec Management
Console server to use for managing Symantec Data Loss Prevention Endpoint Agents.
• A backup of the Symantec Data Loss Prevention Oracle database. For more information, see Maintaining the
DLP System.
• The location of the Oracle Base and Home directories.
• The Administrator credentials for your Symantec Data Loss Prevention deployment.
• The credentials for connecting to the Oracle database.
• The type of authentication that is used in your Symantec Data Loss Prevention deployment.
• The host name or IP address and port number that the Enforce Server uses to communicate with the Oracle database.
Related Links
Reverting the Enforce Server to a Previous Release on page 446
Reverting Detection Servers and Network Discover Clusters to the Previous Release on page 447
Use the following steps to complete a detection server or Network Discover cluster rollback after you complete the
Enforce Server rollback.
c) Paste the services to a location based on your platform:
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\Services
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services
5. Restore the Symantec Data Loss Prevention Oracle database from the latest backup.
Consult the Oracle documentation for more information.
On Linux platforms, the restored database files must be owned by the oracle user. If they are not, set the owner on the /opt/oracle/oradata/protect directory (this directory is the default directory for the Oracle installation; your deployment may use a different directory) by running the following command as the root user:
chown -R oracle:oinstall protect
Reverting Detection Servers and Network Discover Clusters to the Previous Release
Use the following steps to complete a detection server or Network Discover cluster rollback after you complete the
Enforce Server rollback.
These steps apply to detection servers and worker and data nodes that comprise a Network Discover cluster.
NOTE
If you roll back the detection server first, the detection server displays an Unknown status on the System > Servers and Detectors > Overview > Server / Detector Detail screen.
1. Stop all Symantec Data Loss Prevention services that are running on the detection server host.
3. Enable the services on the previous Symantec Data Loss Prevention version.
On Windows, confirm that the Startup type is set to Automatic for each service.
4. Start services on the previous Symantec Data Loss Prevention version.
Start services based on the server type you are reverting:
• Detection server: Symantec DLP Detection Server
• Network Discover cluster data node:
– Symantec DLP Detector
– Symantec DLP Enforce Connector
• Network Discover cluster worker node: Symantec DLP Detector
5. Complete the following steps if you are restoring a cluster:
a) Open DiscoverCluster.properties, which is located at the following path (based on your platform):
• Windows: \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config
• Linux: /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config
b) Replace the paths for the variables listed in the table that matches your platform.
Creating the Enforce Reinstallation Resources file
Before you uninstall Symantec Data Loss Prevention, create an EnforceReinstallationResources.zip file
using the Reinstallation Resources Utility. This file includes files such as the CryptoMasterKey.properties file and
keystore files, which are required to connect Symantec Data Loss Prevention to an existing DLP database.
Each Symantec Data Loss Prevention installation encrypts its database using a unique
CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec
Data Loss Prevention database. If the CryptoMasterKey.properties file becomes lost or corrupted and you do not
have a backup, contact Symantec Technical Support to recover the file.
Complete the following procedure to create the EnforceReinstallationResources.zip file required by the
Symantec Data Loss Prevention 16.0.1 installer.
If you choose to run the EnforceServer.msi file to complete the installation, on the Initialize Database panel
select Preserve Database Data and specify the EnforceReinstallationResources.zip file.
3. Identify this new EnforceReinstallationResources.zip when reinstalling Symantec Data Loss Prevention from
your backup version.
Include the following parameters (in addition to other required parameters):
reinstallationResourceFile="/opt/EnforceReinstallationResources.zip"
Maintaining the DLP System
Learn about maintaining the Symantec Data Loss Prevention system.
Performing system maintenance
Understanding Underlying System Resources
System Event Reports and Alerts
Using Diagnostic Tools
Working with the DLP database
Backing Up and Recovering on Windows
Backing up and recovering on Linux
Log files
Uninstalling Data Loss Prevention components
About High Availability and Disaster Recovery for Symantec Data Loss Prevention
Diagnostic Tools
Detection Server
The following table describes the detection server directory structure.
Table 196: Detection Server Directory Structures
Table 197: Network Discover Cluster Directory Structures
• If you store your incident attachments on the Enforce Server host computer: do not place your storage directory under the /SymantecDLP folder.
• If you store incident attachments on a computer other than your Enforce Server host computer:
– Ensure that both the external storage server and the Enforce Server are in the same domain.
– Create a "protect" user with the same password as your Enforce Server "protect" user to use with your external storage directory.
– If you are using a Linux system for external storage, change the owner of the external storage directory to the external storage "protect" user.
– If you are using a Microsoft Windows system for external storage, share the directory with Read/Write permissions with the external storage "protect" user.
After you have set up your storage location you can enable external storage for incident attachments in the Installation
Wizard. All incident attachments will be stored in the external storage directory. Incident attachments in the external
storage directory cannot be migrated back to the database. All incident attachments stored in the external storage
directory are encrypted and can only be accessed from the Enforce Server administration console.
The incident deletion process deletes incident attachments in your external storage directory after it deletes the
associated incident data from your database. You do not need to take any special action to delete incidents from the
external storage directory.
Configuring the Incident Attachment External Storage Directory after Installation or Upgrade
If you did not configure the incident attachment external storage directory during the installation or upgrade process, you
can enable or update external storage settings in the Protect.properties configuration file. You can also disable
external storage of incident attachments in this file.
1. On the Enforce Server host, open the following file in a text editor:
• Microsoft Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Protect.properties
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Protect.properties
2. Enable incident attachment external storage:
com.symantec.dlp.incident.blob.externalize=true
Do not change or delete the parameter specifying the path to the external storage directory.
3. Save the file.
4. Restart the SymantecDLPManagerService and SymantecDLPIncidentPersisterService services.
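The procedure above asks for one value to change in Protect.properties while the path parameter next to it must stay exactly as it is. The following POSIX shell script is an added example, not part of the Symantec product or its documentation, of making that edit safely: it rewrites only the com.symantec.dlp.incident.blob.externalize line, keeps a backup, and refuses to report success if any other line of the file changed. The function names are hypothetical, and the sample properties file (including the hypothetical.external.storage.dir key, which is a placeholder and not the real parameter name) is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Symantec DLP documentation): enables incident
# attachment external storage in a Protect.properties-style file by setting
# exactly one key and proving that nothing else in the file changed.
# Function names are hypothetical; the sample file below is constructed.

# set_property FILE KEY VALUE
# Replaces the active KEY=... line in place (a commented-out "# KEY=..." line
# is left alone) or appends KEY=VALUE if the key is absent. FILE.bak keeps the
# original so a bad edit can be reverted.
set_property() {
    file=$1 key=$2 value=$3
    cp -p "$file" "$file.bak" || return 1
    if grep -q "^${key}=" "$file"; then
        # Escape sed metacharacters so dots in the key and slashes in the
        # value are treated literally.
        pat_key=$(printf '%s' "$key" | sed 's/[.[\*^$/]/\\&/g')
        rep_key=$(printf '%s' "$key" | sed 's/[&/\]/\\&/g')
        rep_val=$(printf '%s' "$value" | sed 's/[&/\]/\\&/g')
        sed "s/^${pat_key}=.*/${rep_key}=${rep_val}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY -> prints the active value of KEY (empty if unset)
get_property() {
    pat_key=$(printf '%s' "$2" | sed 's/[.[\*^$/]/\\&/g')
    sed -n "s/^${pat_key}=//p" "$1" | tail -n 1
}

# enable_external_storage FILE
# Sets com.symantec.dlp.incident.blob.externalize=true, then compares the
# file with its backup with that one key removed from both. Any difference
# means a line outside the target key was altered or dropped (for instance
# the external storage path parameter), and the function returns 1.
enable_external_storage() {
    file=$1
    key=com.symantec.dlp.incident.blob.externalize
    set_property "$file" "$key" true || return 1
    grep -v "^${key}=" "$file.bak" > "$file.chk_before"
    grep -v "^${key}=" "$file"     > "$file.chk_after"
    if cmp -s "$file.chk_before" "$file.chk_after"; then
        rm -f "$file.chk_before" "$file.chk_after"
        return 0
    fi
    rm -f "$file.chk_before" "$file.chk_after"
    echo "unexpected change outside ${key}; original kept at $file.bak" >&2
    return 1
}

# Constructed demo input (not a real Protect.properties; the storage path
# key name is a placeholder, not the product's parameter).
demo=$(mktemp)
printf '%s\n' \
    'com.symantec.dlp.incident.blob.externalize=false' \
    'hypothetical.external.storage.dir=/var/dlp/attachments' \
    '# com.symantec.dlp.incident.blob.externalize=true' > "$demo"
enable_external_storage "$demo" \
    && echo "externalize is now $(get_property "$demo" com.symantec.dlp.incident.blob.externalize)"
rm -f "$demo" "$demo.bak"
```

After the edit, the two services named in step 4 still have to be restarted for the setting to take effect; the script only changes the file.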
Table 199: Symantec Data Loss Prevention Enforce Server services
• Symantec DLP Manager: Provides the centralized reporting and management services for Symantec Data Loss Prevention.
• Symantec DLP Detection Server Controller: Controls the detection servers.
• Symantec DLP Notifier: Manages communications between other DLP services and prevents transactional conflicts between the services and the database.
• Symantec DLP Incident Persister: Writes the incidents to the database.
• Symantec DLP Enforce Connector: This service is hosted and runs on the data node of a Network Discover Cluster. The data node communicates with the Monitor Controller through the Enforce Connector Service. See Network Discover Cluster.
• Symantec DLP Detection Server: This service is hosted and runs on the data node and worker nodes of a Network Discover Cluster. The data node communicates with worker nodes through the Detector Connector Service. This service also coordinates the entire scanning activity. When this service is hosted on the data node, you must ensure that it is never shut down abruptly by aborting its process.
Starting an Enforce Server on Windows
Use the following procedure to start the Symantec Data Loss Prevention services on a Windows Enforce Server.
To start the Symantec Data Loss Prevention services on a Windows Enforce Server
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService
NOTE
Start the SymantecDLPNotifierService service first before starting other services.
Related Links
Stopping an Enforce Server on Windows on page 459
Use the following procedure to stop the Symantec Data Loss Prevention services on a Windows Enforce Server.
To stop the Symantec Data Loss Prevention services on a Windows Enforce Server
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerControllerService
• SymantecDLPIncidentPersisterService
• SymantecDLPManagerService
• SymantecDLPNotifierService
Related Links
Starting an Enforce Server on Windows on page 459
Use the following procedure to start the Symantec Data Loss Prevention services on a detection server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Start the SymantecDLPDetectionServerService service.
Related Links
Stopping a Detection Server on Windows on page 460
Stopping a Detection Server on Windows
Use the following procedure to stop the Symantec Data Loss Prevention service on a Windows detection server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Stop the SymantecDLPDetectionServerService service.
Related Links
Starting a Detection Server on Windows on page 459
Use the following procedure to start the Network Discover cluster services on a Windows server.
1. On the computer that hosts the detection server, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Start the following services.
• SymantecDLPDetectorService
• SymantecEnforceConnectorService
Related Links
Stopping a Network Discover Cluster on Windows on page 460
Use the following procedure to stop the Network Discover cluster service on a Windows server.
1. On the computer that hosts the Network Discover cluster, navigate to Start > All Programs > Administrative Tools >
Services to open the Windows Services menu.
2. Stop the following services.
• SymantecDLPDetectorService
• SymantecEnforceConnectorService
Related Links
Starting a Detection Server on Windows on page 459
Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService
• SymantecDLPDetectionServerService
NOTE
Start the SymantecDLPNotifierService service before starting other services.
Related Links
Stopping Services on Single-tier Windows Installations on page 461
Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:
• SymantecDLPDetectionServerService
• SymantecDLPDetectionServerControllerService
• SymantecDLPIncidentPersisterService
• SymantecDLPManagerService
• SymantecDLPNotifierService
Related Links
Starting Services on Single-tier Windows Installations on page 460
Use the following procedure to start the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start
3. Start the remaining Symantec Data Loss Prevention services, by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start
Related Links
Stopping an Enforce Server on Linux on page 462
Stopping an Enforce Server on Linux
Use the following procedure to stop the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Stop all running Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPDetectionServerControllerService stop
service SymantecDLPIncidentPersisterService stop
service SymantecDLPManagerService stop
service SymantecDLPNotifierService stop
Related Links
Starting an Enforce Server on Linux on page 461
Use the following procedure to start the Symantec Data Loss Prevention service on a Linux detection server.
1. On the computer that hosts the detection server, log on as root.
2. Start the Symantec Data Loss Prevention service by running the following command:
service SymantecDLPDetectionServerService start
Related Links
Stopping a Detection Server on Linux on page 462
Stopping a Detection Server on Linux
Use the following procedure to stop the Symantec Data Loss Prevention service on a Linux detection server.
1. On the computer that hosts the detection server, log on as root.
2. Stop the Symantec Data Loss Prevention service by running the following command:
service SymantecDLPDetectionServerService stop
Related Links
Starting a Detection Server on Linux on page 462
Starting a Network Discover Cluster Server on Linux
Use the following procedure to start the Network Discover cluster service on a Linux server.
1. On the computer that hosts the Network Discover cluster server, log on as root.
2. Start the Network Discover cluster service by running the following command:
service SymantecDLPDetectorService start
service SymantecEnforceConnectorService start
Related Links
Stopping a Network Discover Cluster Server on Linux on page 463
Stopping a Network Discover Cluster Server on Linux
Use the following procedure to stop the Symantec Data Loss Prevention service on a Linux Network Discover cluster server.
1. On the computer that hosts the Network Discover cluster server, log on as root.
2. Stop the Network Discover cluster server service by running the following command:
service SymantecDLPDetectorService stop
service SymantecEnforceConnectorService stop
Related Links
Starting a Network Discover Cluster Server on Linux on page 462
Starting Services on Single-tier Linux Installations
Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start
3. Start the remaining Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start
service SymantecDLPDetectionServerService start
Related Links
Stopping Services on Single-tier Linux Installations on page 463
Stopping Services on Single-tier Linux Installations
Use the following procedure to stop the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention servers, log on as root.
2. Stop all running Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPDetectionServerService stop
service SymantecDLPDetectionServerControllerService stop
service SymantecDLPIncidentPersisterService stop
service SymantecDLPManagerService stop
service SymantecDLPNotifierService stop
Related Links
Starting services on single-tier Linux installations on page 463
Related Links
Log files on page 518
DLP Agent Logs
DLP Agent logs contain service and operational data for every DLP Agent. Each DLP Agent has multiple components
that are logged. The amount of information that is logged can be configured by setting the log level for each DLP Agent
component. After the log level for a DLP Agent component has been configured, the log can be collected and sent
to Symantec Support. Symantec Support can use the log to troubleshoot a problem or to improve performance for a
Symantec Data Loss Prevention Endpoint installation.
See Setting the log levels for an Endpoint Agent.
Windows: Total number of free bytes divided by the total number of available bytes
Linux: Disk usage of the root partition
Symantec recommends using standard system tools to determine the system state. Do not rely solely on the system
statistics that are provided on the Server/Detector Detail page.
Diagnostic Tools
You can also define a system alert that sends an email when the event occurs.
By default, the Incident Counter is enabled and the threshold is set to 1,000,000 incidents. The Incident Counter runs
daily at 2:05 A.M. Using the configuration parameters described in Incident counter parameters, you can configure the
threshold, specify when the Incident Counter runs, and you can enable or disable the Incident Counter.
1. On the Enforce Server host, open the following file in a text editor:
Microsoft Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Manager.properties
Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Manager.properties
2. Set the parameters that are described in the following table to configure the Incident Counter.
Property Description
If you need to use either of the two optional parameters, you must add them.
3. Save the file.
4. Restart the SymantecDLPManagerService service.
Incident Hiding
Incident hiding lets you flag specified incidents as "hidden." Because these hidden incidents are excluded from normal
incident reporting, you can improve the reporting performance of your Symantec Data Loss Prevention deployment by
hiding any incidents that are no longer relevant. The hidden incidents remain in the database; they are not moved to
another table, database, or other type of offline storage.
You can set filters on incident reports in the Enforce Server administration console to display only hidden incidents or to
display both hidden and non-hidden incidents. Using these reports, you can flag one or more incidents as hidden by using
the Hide/Unhide options that are available when you select one or more incidents and click the Incident Actions button.
Review the following table for a description of available options.
Table 200: Incident Hiding options
Option Description
The hidden state of an incident displays in the incident snapshot screen in the Enforce Server administration console. The
History tab of the incident snapshot includes an entry for each time the Do Not Hide or Allow Hiding flags are set for the
incident.
Filtering Incident Lists and Reports using the Filter By controls
Access to hiding functionality is controlled by roles. You can set the following user privileges on a role to control access,
as described in the following table.
Option Description
Hiding incidents
Unhiding hidden incidents
Preventing incidents from being hidden
System Events
Review system events to
System events related to your Symantec Data Loss Prevention installation are monitored, reported, and logged. System
events include notifications from Cloud Operations for cloud services.
System event reports are viewed from the Enforce Server administration console:
• The five most recent system events of severity Warning or Severe are listed on the Overview screen (System >
Servers and Detectors > Overview).
About the Overview screen
• Reports on all system events of any severity can be viewed by going to System > Servers and Detectors > Events.
System Events Reports
• Recent system events for a particular detection server or cloud service are listed on the Server/Detector Detail screen
for that server or detector.
Server/Detector Detail screen
• Click on any event in an event list to go to the Event Details screen for that event. The Event Details screen provides
additional information about the event.
Server and Detectors Event Detail
There are three ways that system events can be brought to your attention:
• System event reports displayed on the administration console
• System alert email messages
System Alerts
• Syslog functionality
Enabling a Syslog Server
Some system events require a response.
About System Event Responses
To narrow the focus of system event management you can:
• Use the filters in the various system event notification methods.
System Events Reports
• Configure the system event thresholds for individual servers.
Configuring Event Thresholds and Triggers
Events Description
Type The type (severity) of the event. Type may be any one of those listed in the "System event types" folder.
Time The date and time of the event.
Server The name of the server on which the event occurred.
Host The IP address or host name of the server on which the event occurred.
Code A number that identifies the kind of event.
See System event codes and messages for information on event code numbers.
Summary A brief description of the event. Click on the summary for more detail about the event.
Table 203: System event types
Event Description
System information
Warning
Severe
1. Go to the Filter section of the events report screen and select one of the date range options.
2. Click Apply.
3. Select Custom from the date list to specify beginning and end dates.
Apply Additional Advanced Filters
In addition to filtering by date range, you can also apply advanced filters. Advanced filters are cumulative with the current
date filter. This means that events are only listed if they match the advanced filter and also fall within the current date
range. Multiple advanced filters can be applied. If multiple filters are applied, events are only listed if they match all the
filters and the date range.
1. Click on Advanced Filters and Summarization.
2. Click on Add Filter.
3. Choose the filter you want to use from the left-most drop-down list. Available filters are listed in System events
advanced filter options.
4. Choose the filter-operator from the middle drop-down list.
NOTE
You can use the Cloud Operations filter value to view events from Cloud Operations for your detectors.
For each advanced filter you can specify a filter-operator Is Any Of or Is None Of.
5. Enter the filter value, or values, in the right-hand text box, or click a value in the list to select it.
• To select multiple values from a list, hold down the Control key and click each one.
• To select a range of values from a list, click the first one, then hold down the Shift key and click the last value in the
range you want.
6. (Optional) Specify additional advanced filters if needed.
7. When you have finished specifying a filter or set of filters, click Apply.
Click the red X to delete an advanced filter.
The Applied Filters bar lists the filters that are used to produce the list of events that is displayed. Note that multiple
filters are cumulative. For an event to appear on the list it must pass all the applied filters.
The following advanced filters are available:
Filter Description
Event Code: Filter events by the code numbers that identify each kind of event. You can filter by a single code number or multiple code numbers separated by commas (2121, 1202, 1204). Filtering by code number ranges, or greater than, or less than operators is not supported.
Event type: Filter events by event severity type (Info, Warning, or Severe).
Server: Filter events by the server on which the event occurred.
NOTE
A small subset of the parameters that trigger system events have thresholds that can be configured. These
parameters should only be adjusted with advice from Symantec Support. Before changing these settings, you
should have a thorough understanding of the implications that are involved. The default values are appropriate
for most installations.
Configuring event thresholds and triggers
3. Select Report > Save As.
4. Enter the saved report information.
Saving custom incident reports
5. Click Save.
Configuring Event Thresholds and Triggers
The default event threshold values are appropriate for most installations. A small subset of the parameters that trigger system events have thresholds that can be configured. These parameters are configured for each detection server or detector separately. These parameters should only be adjusted with advice from Symantec Support. Before changing these settings, you should have a thorough understanding of the implications.
1. Go to the Overview screen (System > Servers and Detectors > Overview).
2. Click on the name of a detection server or detector to display that server's Server/Detector Detail screen.
3. Click Server/Detector Settings.
The Advanced Server/Detector Settings screen for that server is displayed.
4. Change the configurable parameters, as needed.
Parameter Description Event
Parameter: BoxMonitor.DiskUsageError
Description: Indicates the amount of filled disk space (as a percentage) that triggers a Severe system event. For example, a Severe event occurs if a detection server is installed on the C drive and the disk space error value is 90. The detection server creates a Severe system event when the C drive usage is 90% or greater. The default is 90.
Event: Low disk space
Parameter: BoxMonitor.DiskUsageWarning
Description: Indicates the amount of filled disk space (as a percentage) that triggers a Warning system event. For example, a Warning event occurs if the detection server is installed on the C drive and the disk space warning value is 80. Then the detection server generates a Warning system event when the C drive usage is 80% or greater. The default is 80.
Event: Low disk space
Parameter: BoxMonitor.MaxRestartCount
Description: Indicates the number of times that a system process can be restarted in one hour before a Severe system event is generated. The default is 3.
Event: Process name restarts excessively
Parameter: IncidentDetection.MessageWaitSevere
Description: Indicates the number of minutes messages need to wait to be processed before a Severe system event is sent about message wait times. The default is 240.
Event: Long message wait time
Parameter: IncidentDetection.MessageWaitWarning
Description: Indicates the number of minutes messages need to wait to be processed before sending a Severe system event about message wait times. The default is 60.
Event: Long message wait time
Related Links
System Events on page 466
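The following Python block is an added example, not code from the Symantec Data Loss Prevention product or its documentation. It models how the threshold parameters above turn raw readings into system events: inclusive "or greater" checks for disk usage and message wait time, and a one-hour window for process restarts. The parameter names and default values are the documented ones; the sample readings, the sliding-window implementation and the assumption that a restart count strictly above BoxMonitor.MaxRestartCount triggers the event are constructed for illustration.

```python
"""Model the BoxMonitor / IncidentDetection thresholds described in the
Advanced Server/Detector Settings table.

Constructed example: the parameter names and defaults are the documented ones;
the sample readings and the window logic are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

# Defaults as listed in the documentation for each configurable parameter.
DEFAULT_SETTINGS = {
    "BoxMonitor.DiskUsageError": 90,
    "BoxMonitor.DiskUsageWarning": 80,
    "BoxMonitor.MaxRestartCount": 3,
    "IncidentDetection.MessageWaitSevere": 240,
    "IncidentDetection.MessageWaitWarning": 60,
}


def disk_usage_event(percent_used, settings=DEFAULT_SETTINGS):
    """Return the 'Low disk space' severity for a disk usage percentage, or None.

    Both thresholds are inclusive ("90% or greater"); the error threshold is
    checked first so one reading never yields both a Severe and a Warning.
    """
    if percent_used >= settings["BoxMonitor.DiskUsageError"]:
        return "Severe"
    if percent_used >= settings["BoxMonitor.DiskUsageWarning"]:
        return "Warning"
    return None


def message_wait_event(wait_minutes, settings=DEFAULT_SETTINGS):
    """Return the 'Long message wait time' severity for a queue wait, or None."""
    if wait_minutes >= settings["IncidentDetection.MessageWaitSevere"]:
        return "Severe"
    if wait_minutes >= settings["IncidentDetection.MessageWaitWarning"]:
        return "Warning"
    return None


@dataclass
class RestartMonitor:
    """Sliding one-hour window over restarts, kept separately per process name.

    Assumption (not stated on the page): the event fires once the number of
    restarts inside the window exceeds BoxMonitor.MaxRestartCount.
    """
    max_restarts: int = DEFAULT_SETTINGS["BoxMonitor.MaxRestartCount"]
    window_seconds: int = 3600
    _restarts: dict = field(default_factory=dict)

    def record_restart(self, process_name, at_seconds):
        """Record a restart at `at_seconds` (monotonic clock) and return the
        event name if the process is now restarting excessively, else None."""
        times = self._restarts.setdefault(process_name, deque())
        times.append(at_seconds)
        # Drop restarts that fell out of the trailing one-hour window.
        while times and at_seconds - times[0] > self.window_seconds:
            times.popleft()
        if len(times) > self.max_restarts:
            return f"{process_name} restarts excessively"
        return None


if __name__ == "__main__":
    # Constructed readings: 82% disk, 10-minute queue wait, four quick restarts.
    print(disk_usage_event(82), message_wait_event(10))
    monitor = RestartMonitor()
    for t in (0, 100, 200, 300):
        print(t, monitor.record_restart("FileReader", t))
```

The same helper can be pointed at a lowered warning threshold to see how much earlier a Warning would surface before the Severe event, which is the trade-off the note above asks you to understand before changing these values.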
In most cases, the system event summary and detail information should provide enough information to direct investigation and remediation steps. The following table provides some general guidelines for responding to system events.
System event or category Appropriate response
Low disk space: If this event is reported on a detection server, recycle the Symantec Data Loss Prevention services on the detection server. The detection server may have lost its connection to the Enforce Server. The detection server then queues its incidents locally, and fills up the disk. If this event is reported on an Enforce Server, check the status of the Oracle and the Symantec DLP Incident Persister services. Low disk space may result if incidents do not transfer properly from the file system to the database. This event may also indicate a need to add additional disk space.
Tablespace is almost full: Add additional data files to the database. When the hard disk is at 80% of capacity, obtain a bigger disk instead of adding additional data files.
Licensing and versioning: Contact Symantec Support.
Monitor not responding: Restart the Symantec DLP Detection Server service. If the event persists, check the network connections. Make sure the computer that hosts the detection server is turned on by connecting to it. You can connect with terminal services or another remote desktop connection method. If necessary, contact Symantec Support.
Symantec Data Loss Prevention Services
Alert or scheduled report sending failed: Go to System > Settings > General and ensure that the settings in the Reports and Alerts and SMTP sections are configured correctly. Check network connectivity between the Enforce Server and the SMTP server. Contact Symantec Support.
Auto key ignition failed: Contact Symantec Support.
Cryptographic keys are inconsistent: Contact Symantec Support.
Long message wait time: Increase detection server capacity by adding more CPUs or replacing the computer with a more powerful one. Decrease the load on the detection server. You can decrease the load by applying the traffic filters that have been configured to detect fewer incidents. You can also re-route portions of the traffic to other detection servers. Increase the threshold wait times if all of the following items are true:
• This message is issued during peak hours.
• The message wait time drops down to zero before the next peak.
• The business is willing to have such delays in message processing.
process_name restarts excessively: Check the process by going to System > Servers > Overview. To see individual processes on this screen, Process Control must be enabled by going to System > Settings > General > Configure.
N incidents in queue: Investigate the reason for the incidents filling up the queue. The most likely reasons are as follows:
• Connection problems. Response: Make sure the communication link between the Endpoint Server and the detection server is stable.
• Insufficient connection bandwidth for the number of generated incidents (typical for WAN connections). Response: Consider changing policies (by configuring the filters) so that they generate fewer incidents.
Enabling a Syslog Server
Syslog functionality is an on or off option. If syslog is turned on, all Severe events are sent to the syslog server.
1. Go to the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config directory on Windows or the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config directory on Linux.
2. Open the Manager.properties file.
3. Uncomment the #systemevent.syslog.protocol = line by removing the # symbol from the beginning of the line, and
enter [ udp | tcp | tls ] to secure communications sent from the Enforce Server to the syslog server.
4. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line, and enter
the hostname or IP address of the syslog server.
5. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line. Enter the
port number that should accept connections from the Enforce Server server. The default is 514.
NOTE
If you are using TCP or TLS communication, ensure that the port you enter correctly corresponds to the port
that is configured on the syslog server.
6. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the
beginning of the line. Then define the system event message format to be sent to the syslog server:
If the line is uncommented without any changes, the notification messages are sent in the format: [server name]
summary - details. The format variables are:
• {0} - the name of the server on which the event occurred
• {1} - the event summary
• {2} - the event detail
For example, the following configuration specifies that Severe system event notifications are sent to a syslog host
named server1 which uses port 600.
systemevent.syslog.protocol = TCP
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
Using this example, a low disk space event notification from an Enforce Server on a host named server1 would look like:
server1 Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
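As an added example (not code from the product or this documentation), the Python block below does two things a practitioner checks when enabling syslog forwarding: it reads the systemevent.syslog.* keys out of a Manager.properties fragment, treating lines still prefixed with # as not in effect and applying the documented 514 default when the port line is absent, and it splits forwarded events written in the documented "[{0}] {1} - {2}" format back into server, summary and detail. The properties text and the sample event line are constructed; the findings the checker reports (missing keys, an unknown protocol, udp forwarding being unencrypted) are this example's own checks, not product behaviour.

```python
"""Validate Manager.properties syslog settings and parse forwarded events.

Constructed example: the properties fragment and event lines are made up; the
key names, the 514 default and the "[{0}] {1} - {2}" format come from the
procedure above.
"""
import re

# Constructed Manager.properties fragment. The protocol line is still commented
# out, which is exactly the state step 3 above tells you to change.
SAMPLE_PROPERTIES = """\
# System event forwarding to syslog
#systemevent.syslog.protocol = tcp
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
"""

PREFIX = "systemevent.syslog."


def read_syslog_settings(properties_text):
    """Return {short_key: value} for the active systemevent.syslog.* lines."""
    settings = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, commented-out, or not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value
    return settings


def check_syslog_settings(settings):
    """Return a list of findings about the forwarding configuration."""
    findings = []
    for key in ("protocol", "host"):
        if key not in settings:
            findings.append(f"{PREFIX}{key} is not set (line still commented out?)")
    protocol = settings.get("protocol", "").lower()
    if protocol and protocol not in ("udp", "tcp", "tls"):
        findings.append(f"unknown protocol {protocol!r}; expected udp, tcp or tls")
    if protocol == "udp":
        findings.append("udp sends events in clear text with no delivery guarantee; prefer tls")
    port = settings.get("port", "514")  # documented default when no port is given
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"port {port!r} is not a valid port number")
    return findings


# The documented format "[{0}] {1} - {2}": {0} server, {1} summary, {2} detail.
# The summary is matched lazily so the first " - " separates it from the detail.
MESSAGE_RE = re.compile(r"^\[(?P<server>[^\]]+)\] (?P<summary>.+?) - (?P<detail>.*)$")


def parse_event(message):
    """Split a forwarded event into server, summary and detail, or None."""
    match = MESSAGE_RE.match(message)
    return match.groupdict() if match else None


if __name__ == "__main__":
    active = read_syslog_settings(SAMPLE_PROPERTIES)
    for finding in check_syslog_settings(active):
        print("finding:", finding)
    # Constructed event line in the documented format.
    print(parse_event("[server1] Low disk space - Hard disk space for incident "
                      "data storage server is low. Disk usage is over 82%."))
```

Run against the constructed fragment, the checker reports only the commented-out protocol line; once that line is uncommented with tls and the port matches the receiver, it returns no findings, and the parser gives the receiving side a structured summary field to filter on (for example, routing "Low disk space" to the responses table above).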
System Events
System Alerts
Configure system alerts to notify Symantec Data Loss Prevention administrators about a wide variety of system
conditions.
System alerts are email messages that are sent to designated addresses when a particular system event occurs. You
define what alerts (if any) that you want to use for your installation. Alerts are specified and edited on the Configure Alert
screen, which is reached by System > Servers and Detectors > Alerts > Add Alert.
Alerts can be specified based on event severity, server name, or event code, or a combination of those factors. Alerts can
be sent for any system event.
The email that is generated by the alert has a subject line that begins with Symantec Data Loss Prevention System
Alert followed by a short event summary. The body of the email contains the same information that is displayed by the
Event Detail screen to provide complete information about the event.
Configuring the Enforce Server to send email alerts
Configuring system alerts
Server and Detectors event detail
To send out email alerts regarding specified system events, the Enforce Server has to be configured to support the
sending of alerts and reports. This section describes how to specify the report format and how to configure Symantec
Data Loss Prevention to communicate with an SMTP server.
After completing the configuration described here, you can schedule the sending of specific reports and can create
specific system alerts.
1. Go to System > Settings > General and click Configure.
The Edit General Settings screen is displayed.
2. In the Reports and Alerts section, select one of the following distribution methods:
• Send reports as links, logon is required to view. Symantec Data Loss Prevention sends email messages with
links to reports. You must log on to the Enforce Server to view the reports.
NOTE
If the Send reports as links option is set, reports with incident data cannot be distributed.
• Send report data with emails. Symantec Data Loss Prevention sends email messages and attaches the report
data.
3. Enter the Enforce Server domain name or IP address in the Fully Qualified Manager Name field.
If you send reports as links, Symantec Data Loss Prevention uses the domain name as the basis of the URL in the
report email.
Do not specify a port number unless you have modified the Enforce Server to run on a port other than the default of
443.
4. If you want alert recipients to see any correlated incidents, check the Correlations Enabled box.
When correlations are enabled, users see them on the Incident Snapshot screen.
5. In the SMTP section, identify the SMTP server to use for sending out alerts and reports.
Enter the relevant information in the fields as described in the following table:
6. Click Save.
• Is any of.
• Is none of.
For each kind of condition, you can specify appropriate parameters:
• Event type. You can select one, or a combination of, Information, Warning, Severe. Click on an event type to specify
it. To specify multiple types, hold down the Control key while clicking on event types. You can specify one, two, or all
three types.
• Server. You can select one or more servers from the list of available servers. Click on the name of the server to specify
it. To specify multiple servers, hold down the Control key while clicking on server names. You can specify as many
different servers as necessary.
• Event code. Enter the code number. To enter multiple code numbers, separate them with commas or use the Return
key to enter each code on a separate line.
System event codes and messages
By combining multiple conditions, you can define alerts that cover a wide variety of system conditions.
NOTE
If you define more than one condition, the conditions are treated as if they were connected by the Boolean
"AND" operator. This means that the Enforce Server only sends the alert if all conditions are met. For example,
if you define an event type condition and a server condition, the Enforce Server only sends the alert if the
specified event occurs on the designated server.
1. Go to the Alerts screen (System > Servers and Detectors > Alerts).
2. Click the Add Alert tab to create a new alert, or click on the name of an alert to modify it.
The Configure Alert screen is displayed.
3. Fill in (or modify) the name of the alert. The alert name is displayed in the subject line of the email alert message.
4. Fill in (or modify) a description of the alert.
5. Click Add Condition to specify a condition that will trigger the alert.
Each time you click Add Condition you can add another condition. If you specify multiple conditions, every one of the
conditions must be met to trigger the alert.
Click on the red X next to a condition to remove it from an existing alert.
6. Enter the email address that the alert is to be sent to. Separate multiple addresses by commas.
7. Limit the maximum number of times this alert can be sent in one hour by entering a number in the Max Per Hour box.
If no number is entered in this box, there is no limit on the number of times this alert can be sent out. The
recommended practice is to limit alerts to one or two per hour, and to substitute a larger number later if necessary. If
you specify a large number, or no number at all, recipient mailboxes may be overloaded with continual alerts.
8. Click Save to finish.
The Alerts list is displayed.
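The following Python block is an added example, not code from the product, that models the alert semantics described above: each condition is an "Is any of" or "Is none of" test on the event type, server or event code; multiple conditions are combined with Boolean AND; and Max Per Hour caps how many times one alert is sent, with no cap when no number is given. The event records, alert definitions and recipient addresses are constructed, the trailing one-hour window is an assumption about how the cap is counted, and the subject line is a constructed approximation of the documented "Symantec Data Loss Prevention System Alert" prefix followed by the event summary.

```python
"""Model system alert matching: AND-combined conditions and an hourly send cap.

Constructed example: events, alert definitions and addresses are made up; the
field names (type, server, code) follow the event list columns on this page.
"""
from collections import deque


class AlertCondition:
    """One Add Condition row: a field, an operator, and the selected values."""

    def __init__(self, field, operator, values):
        if operator not in ("is_any_of", "is_none_of"):
            raise ValueError("operator must be is_any_of or is_none_of")
        self.field, self.operator, self.values = field, operator, set(values)

    def matches(self, event):
        present = event.get(self.field) in self.values
        return present if self.operator == "is_any_of" else not present


class Alert:
    """An alert whose conditions must all hold, with an optional Max Per Hour."""

    def __init__(self, name, conditions, recipients, max_per_hour=None):
        self.name = name
        self.conditions = conditions
        self.recipients = recipients
        self.max_per_hour = max_per_hour  # None means unlimited, as documented
        self._sent = deque()              # send times inside the trailing hour

    def matches(self, event):
        # Boolean AND over all conditions, as the NOTE above describes.
        return all(c.matches(event) for c in self.conditions)

    def try_send(self, event, now_seconds):
        """Return the email subject if this event triggers a send, else None.

        Assumption: Max Per Hour is counted over a trailing one-hour window.
        """
        if not self.matches(event):
            return None
        while self._sent and now_seconds - self._sent[0] >= 3600:
            self._sent.popleft()
        if self.max_per_hour is not None and len(self._sent) >= self.max_per_hour:
            return None  # cap reached: this occurrence is not mailed
        self._sent.append(now_seconds)
        # Constructed approximation of the documented subject line.
        return f"Symantec Data Loss Prevention System Alert: {event['summary']}"


if __name__ == "__main__":
    # Constructed alert: Severe events from any server except the Enforce host,
    # at most two emails per hour.
    alert = Alert(
        "detector severe events",
        [AlertCondition("type", "is_any_of", ["Severe"]),
         AlertCondition("server", "is_none_of", ["enforce1"])],
        ["dlp-ops@example.invalid"],
        max_per_hour=2,
    )
    event = {"type": "Severe", "server": "detector1", "code": 1202,
             "summary": "Low disk space"}
    for t in (0, 10, 20, 3700):
        print(t, alert.try_send(event, t))
```

The third send at t=20 is suppressed by the cap and the one at t=3700 goes out again, which is the mailbox-flooding protection the Max Per Hour step describes; leaving max_per_hour as None reproduces the unlimited behaviour the page warns about.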
Diagnostic Tools
Use diagnostics tools available on dashboard pages of the Enforce Server administration console and from log files.
Symantec Data Loss Prevention provides diagnostic tools that can be used to monitor system health and troubleshoot
problems with the underlying system.
The following tools are included:
• Diagnostic system information is displayed on-screen in the dashboard pages of the Enforce Server administration
console.
System Information Review
• Diagnostic information about the Symantec Data Loss Prevention is displayed on-screen in the dashboard pages of
the Enforce Server administration console.
• A utility for bundling system log files is installed with Symantec Data Loss Prevention.
Log Collection Utility
System > Servers and Detectors > Overview: Displays a list of the system servers as well as recent error-level and warning-level system events. The overview provides functionality for adding servers, upgrading, and accessing the Server/Detector Detail pages.
System > Servers and Detectors > Overview > Server/Detector Detail: Displays the detailed information about the server, provides functionality to stop, start, and recycle services, configure the server, and access the Server/Detector Settings page.
System > Servers and Detectors > Overview > Server/Detector Detail > Server Settings: Enables the system administrators to modify Advanced Server settings.
System > Servers and Detectors > Events: Provides a system events report.
System > Servers and Detectors > Events > Server/Detector Event Detail: Provides the additional details for the individual events that are listed in the system events report.
System > Servers and Detectors > Alerts: Enables the system administrators to enable alerts for system events.
Working with the DLP database
This section includes the following topics:
Working with Symantec Data Loss Prevention database diagnostic tools
Viewing Tablespaces and Data File Allocations
Adjusting warning thresholds for tablespace usage in large databases
Generating a Database Report
Viewing Table Details
Recovering from Symantec Data Loss Prevention database connectivity issues
3. Save the changes to the Manager.properties file and close it.
4. Restart the Symantec DLP Manager service to apply your changes.
Tab and description Field and description
% Full: The percentage of the table currently in use.
Other Tables: This tab lists all other tables in the schema.
  Table Name: The name of the table.
  In Tablespace: The name of the tablespace that contains the table.
  Size (MB): The size of the table, in megabytes.
  % Full: The percentage of the table currently in use.
Indices: This table lists all of the indexes in the schema.
  Index Name: The name of the index.
  Table Name: The name of the table that contains the index.
  In Tablespace: The name of the tablespace that contains the table.
  Size (MB): The size of the table, in megabytes.
  % Full: The percentage of the table currently in use.
LOB Segments: This table lists all of the large object (LOB) tables in the schema.
  Table Name: The name of the table.
  Column Name: The name of the table column containing the LOB data.
  In Tablespace: The name of the tablespace that contains the table.
  LOB Segment Size (MB): The size of the LOB segment, in megabytes.
  LOB Index Size: The size of the LOB index, in megabytes.
  % Full: The percentage of the table currently in use.
NOTE
The percentage used value for each table displays the percentage of the table currently in use as reported by
the Oracle database in dark blue. It also includes an additional estimated percentage used range in light blue.
Symantec Data Loss Prevention calculates this range based on tablespace utilization.
This section includes the following topics:
About Backup and Recovery on Windows
About periodic system backups on Windows
About partial backups on Windows
Preparing the backup location on Windows
Performing a cold backup of the Oracle database on Windows
Backing up the server configuration files on Windows
Backing up files stored on the file system on Windows
Oracle hot backups on Windows platforms
About Windows System Recovery
About scheduling a system backup on Windows
Related Links
About periodic system backups on Windows on page 483
Step Action Description
1 Determine the size of the backup sections. Determining the Size of the Backup on Windows
2 Calculate the total size of the backup. Calculating the total size of the backup on Windows
1. Log on to the computer that hosts the database as a user with administrative privileges.
2. Navigate to Windows > Start > All Programs > Oracle - OraDb<ver>_home1 > Application Development > SQL
Plus to open Oracle SQL*Plus.
4. Click OK.
5. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba
8. To exit Oracle SQL*Plus, enter:
exit
1. On the computer that hosts the server on which customizations were added or changes were made, select the \Program Files\Symantec\DataLossPrevention\<server>\16.0.10000 directory.
Where <server> represents either EnforceServer or DetectionServer.
2. Right-click the directory. Select Properties.
3. On the General tab, note the Size.
4. Repeat steps 1–3 for the \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs directory.
5. Repeat steps 1–4 for any other computers that host Symantec Data Loss Prevention server applications.
6. Calculate the total size of the directories and record this number.
Calculating the total size of the backup on Windows
Determine the Size of the Server Configuration Files
1. On the computer that hosts the server on which configuration changes were made, select the \Program Files\Symantec\DataLossPrevention\<server>\16.0.10000\Protect\config directory.
Where <server> represents either EnforceServer or DetectionServer.
2. Right-click the directory and select Properties.
3. On the General tab, note the Size.
4. Repeat steps 1–3 for any other computers that host Symantec Data Loss Prevention server applications.
5. Calculate the total size of the configuration directories on all servers and record this number.
Calculating the total size of the backup on Windows
Calculating the total size of the backup on Windows
Use the sizes from the individual procedures to sum the total size of the backup.
1. Enter the size of the database here: _______
2. Enter the size of the file system files here: _______
3. Enter the size of the server configuration files here: _______
4. Add the size of the database to the size of the configuration files and file system files for a total size here: _______
To identify a backup location
1. Make sure that the backup location is accessible from the computers that host the servers and databases that need to
be backed up.
2. Verify that the amount of available disk space in a potential backup location is greater than the size of the backup.
To determine the amount of space available on the hard disk, on the General tab, check the capacity.
Make sure that this number is greater than the size of the database.
Determining the Size of the Backup on Windows
3. After you identify a computer with enough disk space, note down its fully qualified domain name. Enter this information
on the Recovery Information Worksheet.
To determine the name of a computer, navigate to My Computer > Properties > Computer Name.
Recovery Information Worksheet for Windows
Preparing the backup location on Windows
Remember that this directory should be created on a computer other than the one that hosts the database, the Enforce
Server, or the detection servers.
2. Create the following subdirectories in which to store the backup files:
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Server_Configuration_Files
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid
\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Services
3. Complete the Recovery Information Worksheet with the Drive you used in the previous step.
Recovery Information Worksheet for Windows
Preparing the backup location on Windows
Oracle hot backups on Windows platforms
With this command you are generating a copy of the backup control file and outputting this file to the \Program Files
\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid directory that you created previously.
Creating Backup Directories on Windows
NOTE
The normal destination of a trace file is the user_dump directory. Assuming you followed the installation
steps in the Symantec Data Loss Prevention Oracle Installation and Upgrade Guide, this directory is
\oracle\diag\rdbms\protect\trace. If you installed Oracle differently, issue the SQL*Plus command
show parameter user_dump_dest; to display the user_dump directory.
4. Issue the following command to back up the init.ora file.
create pfile='C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid\init.ora' from spfile;
Exit Sql*Plus:
exit;
2. Enter the following SQL commands to create lists of files that must be backed up:
SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v$controlfile
UNION
SELECT member FROM v$logfile;
3. Save the list of files returned by the query to use in the following procedures: C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Recovery_Aid\oracle_datafile_directories.txt.
4. Exit SQL*Plus:
exit;
Creating Recovery Aid Files on Windows
1. In Oracle SQL*Plus, at the SQL> command prompt, enter:
create pfile='C:\Temp\inittemp.ora' from spfile;
3. Navigate to the C:\Temp directory and verify that the inittemp.ora file was created.
4. In Windows, copy the inittemp.ora file from the C:\Temp directory to the \Recovery_Aid subdirectory that you
created earlier on the backup computer.
Creating Backup Directories on Windows
3. On the computer that hosts the database, stop the OracleService databasename, where databasename is the Global
Database Name and SERVICE_NAME selected during installation.
See Installing an Enforce Server.
Related Links
Performing a cold backup of the Oracle database on Windows on page 487
recorded in the Recovery Information Worksheet for reference. Otherwise, create a backup location on a
computer that is accessible from the Oracle host.
Recovery Information Worksheet for Windows
4. On the computer that hosts the database, select the %ORACLE_HOME%\database\PWDprotect.ora file and copy
it into the C:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\Database
directory of the computer that hosts the backup files.
1. On the computer that hosts the database, navigate to Start > All Programs > Administrative Tools > Services to
open the Windows Services menu.
2. From the Services menu, start all of the Oracle services:
• OracleServiceDATABASENAME
where DATABASENAME is the Global Database Name and SERVICE_NAME selected during installation.
See Installing an Enforce Server.
3. On the computer that hosts the Enforce Server, start the SymantecDLPNotifierService service before starting other
Symantec Data Loss Prevention services.
4. Start the remaining Symantec Data Loss Prevention services, which might include the following:
• SymantecDLPManagerService (on the computer that also hosts the Enforce Server)
• SymantecDLPIncidentPersisterService (on the computer that also hosts the Enforce Server)
• SymantecDLPDetectionServerControllerService (on the computer that also hosts the Enforce Server)
• SymantecDLPDetectionServerService (on the computers that also host a detection server)
This renamed directory is especially important for multi-tier installations, where configuration directories reside on
multiple servers.
Performing a cold backup of the Oracle database on Windows
Backing up files stored on the file system on Windows
1. Copy the \keystore directory from the Enforce Server and the detection servers.
NOTE
The \keystore folder is located at both the Program Files and ProgramData locations depending
on the features and products running in your environment. Copy the contents at both locations to create a
complete backup.
Locate the \keystore directory at the following paths:
• Enforce Server:
– \ProgramData\DataLossPrevention\EnforceServer\16.0.10000\keystore
– \Program Files\DataLossPrevention\EnforceServer\16.0.10000\Protect\keystore
• Detection servers:
– \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\keystore
– \Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\keystore
2. Copy these directories to the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files\File_System directory on the computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Related Links
Backing up files stored on the file system on Windows on page 492
About Windows System Recovery on page 494
The incremental scan index keeps track of which items have already been scanned. This index is automatically created
and updated during incremental scans.
The incremental scan index is in the directory C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\scan\incremental_index.
1. Pause or stop any incremental scans that are in progress or scheduled to run.
2. Stop the SymantecDLPDetectionServerControllerService service.
3. Copy the incremental scan index directory to a backup location.
4. If you need to restore the incremental scan index, copy the files back into this directory.
Make sure all the Network Discover targets have the same target identifiers as when the incremental scan index was
backed up.
About Windows System Recovery
1. Print this page containing the Recovery Information Worksheet.
2. In the first row of the "Customer names and locations" column, write in the computer name of the host where you have
set up the backup directory.
3. In the subsequent rows in the "Customer names and locations" column, in the space provided preceding the backup
directory, write in the volume drive letter where the backup directory is located.
For example, if the drive is "D" you would enter:
_D_:\Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files
4. Store this worksheet in a secure location because it contains sensitive data.
Backup file information Example names and locations Customer names and locations
About Windows System Recovery
The following table describes the steps necessary to recover Windows.
Based on the type of database failure you experienced, choose the appropriate database recovery procedure:
• If the previous database can no longer be used, create a new database.
• If the database malfunctioned due to a system failure or user error, restore the previously existing database. For
example, if an important file was accidentally deleted, you can restore the database to a point in time when the
important file still existed.
Restoring an Existing Database on Windows
Creating a New Database on Windows
About recovering your system on Windows platforms
4. On the computer that hosts the database, stop all of the Oracle services.
5. Copy the contents of the \Program Files\Symantec\DataLossPrevention\SymantecDLP_Backup_Files
\Database directory to the %ORACLE_BASE%\oradata\protect directory (for example, C:\oracle\oradata
\protect) on the computer that hosts the new database. The information about the computers and directories is
located on the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
6. To open Oracle SQL*Plus, navigate to Windows > Start > All Programs > Oracle - OraDb<ver>_home1 >
Application Development > SQL Plus. This navigation assumes the default locations from the Oracle installation
process.
7. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba
Related Links
About recovering your system on Windows platforms on page 495
Create a new database then copy the contents of the backup database to the new database.
About recovering the database on Windows
1. If you have not co-located the database and the database server, make sure that each is in a healthy state.
2. See #unique_217/unique_217_Connect_42_v120001064 to install an Oracle database.
This step assumes that the drive structure of the new database is the same as the drive structure of the old database.
Perform the following tasks in the order presented:
• Copy the contents of the \SymantecDLP_Backup_Files\Database directory to the \oracle\product\19.3.0.0\oradata\protect directory on the computer that hosts the new database. The information about the computers and directories is located on the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
• To open Oracle SQL*Plus, navigate to Windows > Start > All Programs > Oracle - OraDb<ver>_home1 >
Application Development > SQL Plus. This navigation assumes the default locations from the Oracle installation
process.
• At the SQL> command prompt, to connect as the sysdba user, enter
connect sys/password@protect as sysdba
Where password is the password created for single- and two-tier installations.
• At the SQL> prompt, enter
startup
3. If the drive structure of the new database is different from the drive of the old database, perform the following tasks in
the order presented:
• Edit the inittemp.ora file in the \SymantecDLP_Backup_Files\Recovery_Aid directory to reflect the drive
structure of the new database. The information about this computer is in the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
The following parameters might need to be modified to accommodate differences in directory structure:
*.background_dump_dest
*.control_files
*.core_dump_dest
*.user_dump_dest
• Rename the edited inittemp.ora file to initprotect.ora.
• Copy the initprotect.ora file to the %ORACLE_HOME%\database directory on the computer that hosts the new
database.
• Copy the contents of the \SymantecDLP_Backup_Files\Database directory to the \oracle\product\19.3.0.0\oradata\protect directory on the computer that hosts the new database. The information about this computer is in the Recovery Information Worksheet.
Recovery Information Worksheet for Windows
• On the computer that hosts the new database, open Oracle SQL*Plus. Navigate to Windows > Start > All
Programs > Oracle - OraDb19g_home1 > Application Development > SQL Plus.
This navigation assumes that the default locations were accepted during the Oracle installation process. See
#unique_217/unique_217_Connect_42_v120001064 for additional details.
• At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password@protect as sysdba
Where password is the password created for single- and two-tier installations.
• At the SQL> prompt, enter:
create spfile from pfile='%ORACLE_HOME%\database\initprotect.ora';
• To shut down, enter:
shutdown
• To start, enter:
startup
1. Make sure that the Enforce Server application and the computer hosting it are in a healthy state.
2. Make sure that the Oracle database is intact and running correctly.
About recovering the database on Windows
3. Reinstall the Enforce Server.
See Installing an Enforce Server.
4. When you get to the Final Confirmation window in the installation procedure, make sure that the Initialize Enforce
Data box is not checked.
5. Continue with the installation procedure as described in Installing an Enforce Server on Windows.
6. Restore the server files listed in the following table.
Related Links
Recovery Information Worksheet for Windows on page 494
Use the recovery information worksheet to record important information about your system.
About recovering your system on Windows platforms on page 495
Recovering a detection server on Windows
1. Make sure the server to host the recovered detection server application and the computer that hosts the server are in
a healthy state.
2. Follow the instructions in Installing a detection server on Windows to create a detection server.
3. Restore the server files.
About backup and recovery on Linux
Perform system backups in case the Symantec Data Loss Prevention system crashes and needs to be restored. The
system that should be backed up includes the Enforce Server, the detection servers, the database, and the incident
attachment external storage directory, if present. These backup procedures can be used for single-tier, two-tier, and three-
tier installations.
The cold backup procedures for the Oracle database are for non-database administrators who have no standard backup
methods for databases.
Symantec recommends that administrators perform backups of their entire system. Administrators should follow all of the
backup instructions that are in this section in the order in which they are presented.
Administrators who would prefer to back up only part of their system must determine which subsets of the system backup
instructions to follow.
Symantec recommends that your storage system administrator perform all backups of your incident attachment external
storage directories.
About periodic system backups on Linux
About partial backups on Linux
Such times may be on weekends when users are unlikely to use the system and when incidents are less likely to be
generated.
• The backup methods that are described in this section do not accommodate point-in-time recovery. If the last system
backup was two days ago and the system crashes, the information from those two days is lost. The system cannot be
restored to times other than the time of the last backup.
• Before performing a backup, use regular company or system notifications to let users know that the system is offline
and unavailable during the system backup.
Related Links
About periodic system backups on Linux on page 501
1. Determine the size of the backup sections. See Determining the Size of the Backup on Linux.
2. Calculate the total size of the backup. See Calculating the total size of the backup on Linux.
3. Identify the backup location. See Identifying a backup location on Linux.
4. Create the backup directories. See Creating backup directories on Linux.
However, file system and server configuration files do not need to be backed up as often as the database. The size of the
backup varies depending on what is backed up. Only follow the sizing procedures in this section that are relevant to the
backup being performed.
Preparing the backup location on Linux
Determine the Size of the Database
1. Log on to the computer that hosts the Oracle database as the oracle user.
2. To open Oracle SQL*Plus, enter:
sqlplus /nolog
SELECT ROUND(SUM(bytes)/1024/1024/1024, 4) GB
FROM (
SELECT SUM(bytes) bytes
FROM dba_data_files
UNION ALL
SELECT SUM(bytes) bytes
FROM dba_temp_files
UNION ALL
SELECT SUM(bytes) bytes
FROM v$log
);
1. On the computer that hosts the server on which customizations were added or changes were made, log on as root.
2. Change to the /opt/Symantec/DataLossPrevention/ContentExtractionService/16.0.10000/Plugins/Protect/plugins directory.
3. Use the disk usage command to determine the sizes of the directory trees and their contents. The output is displayed
in kilobytes, megabytes, and gigabytes.
du -h
4. Note the size.
5. Repeat steps 2 through 4 for the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/ directory.
6. Repeat steps 1 through 5 for any other computers that host Symantec Data Loss Prevention servers.
7. Calculate the total size of the directories and record this number.
Calculating the total size of the backup on Linux
Determine the Size of the Server Configuration Files
1. On the computer that hosts the server on which configuration changes were made, log on as root.
2. Change to the /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/config directory.
3. Use the disk usage command to determine the sizes of the directory trees and their contents:
du -h
Use the sizes from the individual procedures to sum the total size of the backup.
1. Enter the size of the database here: _______
2. Enter the size of the file system files here: _______
3. Enter the size of the server configuration files here: _______
4. Add the size of the database to the size of the configuration files and file system files for a total size here: _______
Make sure that this number is greater than the size of the database.
Determining the Size of the Backup on Linux
3. After you identify a computer that has enough disk space, note down its fully qualified domain name. Enter this
information on the Recovery Information Worksheet.
Recovery Information Worksheet for Linux
4. To determine the name of a computer, enter:
hostname -f
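The sizing and free-space check from the Linux procedures above, as an added example rather than a Symantec-supplied tool: it sums the measured directories with du, reads the free space at the candidate backup location with df, and reports whether the backup fits. The directory arguments are assumptions to be replaced with the paths for your tier.

```shell
#!/bin/sh
# Added example (not Symantec's own tooling): total the directories that the
# backup sizing procedures ask you to measure, then verify that a candidate
# backup location has more free space than that total before you commit to it.

# dir_size_kb DIR: size of DIR in kilobytes (du -sk); 0 when DIR is absent,
# which matters on a tier that does not carry every directory.
dir_size_kb() {
    if [ -d "$1" ]; then
        du -sk "$1" | awk '{print $1}'
    else
        echo 0
    fi
}

# total_size_kb DIR...: sum of dir_size_kb over every argument (the
# "add the sizes for a total" step of the worksheet).
total_size_kb() {
    total=0
    for d in "$@"; do
        total=$(( total + $(dir_size_kb "$d") ))
    done
    echo "$total"
}

# free_space_kb DIR: free kilobytes on the filesystem that holds DIR.
# df -P forces one line per filesystem so column 4 is always "Available".
free_space_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# backup_fits BACKUP_DIR DIR...: succeed only when the free space at
# BACKUP_DIR is strictly greater than the combined size of DIR...
backup_fits() {
    dest=$1
    shift
    need=$(total_size_kb "$@")
    have=$(free_space_kb "$dest")
    echo "backup needs ${need} KB, ${dest} has ${have} KB free"
    [ "$have" -gt "$need" ]
}

# Example invocation with the Enforce Server directories the procedure names
# (assumed paths; adjust for a detection server or a different version):
# backup_fits /opt/Symantec/DataLossPrevention_Backup_Files \
#     /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config \
#     /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000
```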
This directory is usually under /opt if the backup computer has a Linux operating system. It can be created in any
directory.
Remember that this directory should be created on a computer other than the one that hosts the database, the Enforce
Server, or the detection servers.
2. Create the following subdirectories in which to store the backup files:
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/File_System
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Server_Configuration_Files
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Database
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid
mkdir /opt/Symantec/DataLossPrevention_Backup_Files/Recovery_Aid/Services
Table 218: Steps to perform a cold backup of the Oracle database
6. If you have not already done so, create the recovery aid directory on the computer that hosts the Oracle database:
/opt/oracle/Recovery_Aid
7. To find the directory in which the trace file was created, in the next line, enter:
show parameter user_dump;
9. To exit Oracle SQL*Plus, enter:
exit
10. Change to the directory from step 5. Copy the trace file from the Recovery_Aid subdirectory on the computer that
hosts the Oracle database to the /Recovery_Aid subdirectory on the backup computer that you created earlier.
Other trace files are located in the user_dump directory. Be sure to copy the file with the most recent date and
timestamp.
To check the date and the timestamps of the files in the directory, enter:
ls -l *controlfile.trc
11. Rename the file so that it can be easily identified, for example:
controlfilebackupMMDDYY.trc.
Related Links
Collecting a list of files to be backed up on page 507
Performing a Cold Backup of the Oracle Database on Linux on page 505
2. Enter the following SQL commands to create lists of files that must be backed up:
SELECT file_name FROM dba_data_files
UNION
SELECT file_name FROM dba_temp_files
UNION
SELECT name FROM v$controlfile
UNION
SELECT member FROM v$logfile;
4. After receiving the Connected message, at the SQL> command prompt, enter:
create pfile='/tmp/inittemp.ora' from spfile;
6. Change to the /tmp directory and verify that the inittemp.ora file was created.
7. Copy the inittemp.ora file to the /Recovery_Aid subdirectory on the backup computer that you created earlier.
Creating backup directories on Linux
Services can be stopped by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName stop
4. On the computer that hosts the database, log on as the oracle user.
5. To open Oracle SQL*Plus, enter:
sqlplus /nolog
Copying the Database Files to the Backup Location on Linux
Back up database files in the /Recovery_Aid directory and the database password file.
4. On the computer that hosts the database, copy the $ORACLE_HOME/dbs/orapwprotect file into the /opt/DataLossPrevention_Backup_Files/Database directory of the computer or storage device that hosts the backup files.
The file path and the name of the computer or storage device that hosts the backup files should have been recorded in
the Recovery Information Worksheet for reference.
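Copying the files named in the saved oracle_datafile_directories.txt list (from the SELECT ... UNION query earlier in this section) into the Database backup directory, as an added example and not a Symantec-supplied script. It keeps each file's full path under the destination so the original layout can be reconstructed, and it verifies every copy byte for byte; the list and destination paths are arguments so it can be tried on scratch files. Run it only while the database is shut down, as the cold backup procedure requires.

```shell
#!/bin/sh
# Added example (not Symantec's own tooling): copy every Oracle file listed in
# the saved query output (one absolute path per line) to the backup Database
# directory and confirm that each copy is identical to the source.

# copy_listed_files LIST DEST: copy each file named in LIST to DEST, keeping
# the source path under DEST (DEST/opt/oracle/.../system01.dbf). Returns 1 if
# any listed file is missing, unreadable, or differs from its copy, so that a
# partial backup is never mistaken for a complete one.
copy_listed_files() {
    list=$1
    dest=$2
    status=0
    mkdir -p "$dest" || return 1
    while IFS= read -r path || [ -n "$path" ]; do
        # Skip blank lines and the SQL*Plus column header, separator and
        # row-count footer that end up in a saved query result.
        case "$path" in
            ""|FILE_NAME*|---*|*"rows selected"*) continue ;;
        esac
        if [ ! -r "$path" ]; then
            echo "missing or unreadable: $path" >&2
            status=1
            continue
        fi
        target="$dest$path"
        mkdir -p "$(dirname "$target")" || { status=1; continue; }
        # cp -p keeps timestamps and mode; cmp -s proves the copy is intact.
        if cp -p "$path" "$target" && cmp -s "$path" "$target"; then
            echo "backed up $path -> $target"
        else
            echo "copy failed or differs: $path" >&2
            status=1
        fi
    done < "$list"
    return $status
}

# count_backed_up DEST: number of regular files now stored under DEST.
count_backed_up() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Example invocation with the paths the procedure names (assumed locations):
# copy_listed_files \
#     /opt/oracle/Recovery_Aid/oracle_datafile_directories.txt \
#     /opt/DataLossPrevention_Backup_Files/Database
```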
5. On the computer that hosts the Enforce Server, log on as root.
6. Change directory to /opt/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/Protect/bin.
7. Before starting other Symantec Data Loss Prevention services, start the SymantecDLPNotifierService service.
./SymantecDLPNotifierService.sh start
8. Start the remaining Symantec Data Loss Prevention services in the following order:
• ./SymantecDLPManagerService.sh start (on the computers that also host the Enforce Server)
• ./SymantecDLPIncidentPersisterService.sh start (on the computers that also host the Enforce Server)
• ./SymantecDLPDetectionServerControllerService.sh start (on the computers that also host the Enforce
Server)
• ./SymantecDLPDetectionServerService.sh start (on the computers that also host a detection server)
Services can be started by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName start
Services can be stopped by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName stop
This renamed directory is especially important for multi-tier installations, where configuration directories reside on
multiple servers.
Backing up system logs on Linux
• Keystore files
Backing up keystore files on Linux
• Services
Backing up services on Linux
This renamed directory is especially important for multi-tier installations with log directories on multiple servers.
Backing up Keystore Files on Linux
If the administrators in your organization generate their own Tomcat server certificate, back up the keystore file containing
the certificate.
1. Copy the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/.keystore file from the computer that hosts the Enforce Server for which the certificate was generated.
2. Copy this file to the /opt/DataLossPrevention_Backup_Files/File_System directory on the computer that
hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Recovery Information Worksheet for Linux
1. Copy the /keystore directory from the Enforce Server and the detection servers.
NOTE
The /keystore folder is located at both the /var/ and /opt/ locations depending on the features and
products running in your environment. Copy the contents at both locations to create a complete backup.
The /keystore directory is at the following paths:
• Enforce Server:
– /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/keystore
– /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/keystore
• Detection servers:
– /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/keystore
– /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/keystore
2. Copy these directories to the /opt/DataLossPrevention_Backup_Files/File_System directory on the
computer that hosts the backup files.
The file path and the name of the computer that hosts the backup files were recorded in the Recovery Information
Worksheet for reference.
Recovery Information Worksheet for Linux
The incremental scan index is in the directory /var/Symantec/DataLossPrevention/DetectionServer/16.0.10000/scan/incremental_index.
1. Pause or stop any incremental scans that are in progress or scheduled to run.
2. Stop the SymantecDLPDetectionServerControllerService service.
3. Copy the incremental scan index directory to a backup location.
4. If you need to restore the incremental scan index, copy the files back into this directory.
Make sure all the Network Discover targets have the same target identifiers as when the incremental scan index was
backed up.
who created the recovery files may use another directory. Store this worksheet in a secure location because it contains
sensitive data.
Performing a Cold Backup of the Oracle Database on Linux
Backup File Information Example Names and Locations Customer Names and Locations
Restoring an Existing Database on Linux
Use the following steps to restore a database backup to a Linux server.
1. Make sure that the database environment is healthy. Check the existing database, the database server that hosts the
existing database, and the computer that hosts the database server.
2. On the computer that hosts the Enforce Server, log on as root.
3. Change directory to /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin.
4. Stop all running Symantec Data Loss Prevention services in the following order:
• ./SymantecDLPDetectionServerService.sh stop (on the computers that also host a detection server)
• ./SymantecDLPDetectionServerControllerService.sh stop (on the computers that also host the Enforce
Server)
• ./SymantecDLPIncidentPersisterService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPManagerService.sh stop (on the computers that also host the Enforce Server)
• ./SymantecDLPNotifierService.sh stop (on the computers that also host the Enforce Server)
Services can be stopped by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName stop
Services can be started by changing to the /etc directory and running the following command:
./init.d/SymantecDLPServiceName start
5. On the computer that hosts the database, log on as the oracle user.
To open Oracle SQL*Plus, enter:
sqlplus /nolog
where password is the password created for single-tier and two-tier installations.
6. After receiving the "Connected" message, at the SQL> command prompt, stop all of the Oracle services by entering:
shutdown immediate
10. At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password as sysdba
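The service ordering that the Linux start procedure (Notifier first, then Manager, Incident Persister, Detection Server Controller, Detection Server) and the stop procedure above (the same list reversed) prescribe, as an added example and not a Symantec-supplied script. INIT_DIR defaulting to /etc/init.d is an assumption drawn from the ./init.d/SymantecDLPServiceName commands shown in the procedures; override it to try the script against scratch scripts.

```shell
#!/bin/sh
# Added example (not Symantec's own tooling): apply start or stop to the
# Symantec Data Loss Prevention services in the order the procedures require.
# SymantecDLPNotifierService must be started first and stopped last; the
# detection server service is at the other end of the list.

# Assumed location of the init scripts ("change to the etc directory and run
# ./init.d/SymantecDLPServiceName start" in the procedure).
INIT_DIR=${INIT_DIR:-/etc/init.d}

# Start order from the procedure; the stop order is this list reversed.
START_ORDER="SymantecDLPNotifierService SymantecDLPManagerService SymantecDLPIncidentPersisterService SymantecDLPDetectionServerControllerService SymantecDLPDetectionServerService"

# service_order start|stop: print the service names, one per line, in the
# order the given action must be applied.
service_order() {
    case "$1" in
        start) for s in $START_ORDER; do echo "$s"; done ;;
        # The sed program reverses the lines (portable equivalent of tac).
        stop)  for s in $START_ORDER; do echo "$s"; done | sed '1!G;h;$!d' ;;
        *) echo "usage: service_order start|stop" >&2; return 2 ;;
    esac
}

# apply_services start|stop: run each init script that exists on this host in
# the required order. Services not installed on this tier (a detection server
# has no Manager, for instance) are skipped; the first failure stops the run so
# a later service is never started ahead of one it depends on.
apply_services() {
    action=$1
    for svc in $(service_order "$action"); do
        script="$INIT_DIR/$svc"
        if [ -x "$script" ]; then
            echo "$action $svc"
            "$script" "$action" || { echo "$svc failed to $action" >&2; return 1; }
        else
            echo "skip $svc (not installed on this host)"
        fi
    done
}

# Example: before a cold backup, stop everything; afterwards, start everything.
# apply_services stop
# apply_services start
```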
Recovering Your System on Linux
The following step assumes that the drive structure of the new database is different from the drive structure of the old
database.
4. Perform the following tasks in the order presented:
• Edit the inittemp.ora file in the /DataLossPrevention_Backup_Files/Recovery_Aid directory to
reflect the drive structure of the new database. The information about this computer is in the Recovery Information
Worksheet.
Recovery Information Worksheet for Linux
The following parameters might need to be modified to accommodate differences in directory structure:
*.background_dump_dest
*.control_files
*.core_dump_dest
*.user_dump_dest
• Rename the edited inittemp.ora file to initprotect.ora.
• Copy the edited initprotect.ora file to the $ORACLE_HOME/dbs directory on the computer that hosts the new
database.
• Copy the contents of the /DataLossPrevention_Backup_Files/Database directory to the /opt/oracle/oradata/protect directory on the computer that hosts the new database. The information about this computer is in the Recovery Information Worksheet.
Recovery Information Worksheet for Linux
• To open Oracle SQL*Plus, enter:
sqlplus /nolog
• At the SQL> command prompt, to connect as the sysdba user, enter:
connect sys/password@protect as sysdba
Where password is the password created for single- and two-tier installations.
• At the SQL> prompt, enter:
create spfile from pfile='$ORACLE_HOME/dbs/initprotect.ora';
• To shut down, enter:
shutdown
• To start, enter:
startup
Related Links
Recovery Information Worksheet for Linux on page 513
Use the recovery information worksheet to record important information about your system.
Recovering Your System on Linux on page 513
Recovering a Detection Server on Linux
Recover a detection server by confirming that the server host is healthy and installing a new detection server
instance.
1. Make sure the server to host the recovered detection server application and the computer that hosts the server are in
a healthy state.
2. Reinstall the detection server.
See Installing a detection server on Linux.
3. Restore the server files listed in the following table.
Related Links
Recovery Information Worksheet for Linux on page 513
Use the recovery information worksheet to record important information about your system.
Recovering Your System on Linux on page 513
Log files
Symantec Data Loss Prevention provides a number of different log files that record information about the behavior of the
software. Log files fall into these categories:
• Operational log files record detailed information about the tasks the software performs and any errors that occur while
the software performs those tasks. You can use the contents of operational log files to verify that the software functions
as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with
other components of your system.
For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a
specific MTA on your network.
Operational Log Files
• Debug log files record fine-grained technical details about the individual processes or software components that
comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing
system configuration errors or in verifying expected software functionality. You do not need to examine debug log files
to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to
provide debug log files for further analysis when you report a problem. Some debug log files are not created by default.
Symantec Support can explain how to configure the software to create the file if necessary.
Debug Log Files
• Installation log files record information about the Symantec Data Loss Prevention installation tasks that are performed
on a particular computer. You can use these log files to verify an installation or troubleshoot installation errors.
Installation log files reside in the following locations:
– installdir\SymantecDLP\.install4j\installation.log stores the installation log for Symantec Data
Loss Prevention.
– installdir\oracle_home\admin\protect\ stores the installation log for Oracle.
Operational Log Files
The Enforce Server and the detection servers store operational log files in the c:\ProgramData\Symantec\DataLossPrevention\<EnforceServer or DetectionServer>\logs\ directory on Windows installations and
in the /var/log/Symantec/DataLossPrevention/<EnforceServer or DetectionServer>/16.0.10000/
directory on Linux installations. A number at the end of the log file name indicates the count (shown as 0 in Operational
log files).
The Operational log files table lists and describes the Symantec Data Loss Prevention operational log files.
Network Prevent for Web operational log files and event codes
Network Prevent for Web access log files and fields
Network Prevent for Email log levels
Network Prevent for Email operational log codes
Network Prevent for Email originated responses and codes
Table 222: Debug log files

Log file name: Indexer0.log
Server: Enforce Server (or the computer where the external indexer is running)
Description: This log file contains information when an EDM profile or IDM profile is indexed. It also includes the
information that is collected when the external indexer is used. If indexing fails, then this log should be consulted.

Log file name: jdbc.log
Server: Enforce Server
Description: This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off.

Log file name: machinelearning_native_filereader.log
Server: Detection Server
Description: This log file records the runtime category classification (positive and negative) and associated
confidence levels for each message that is detected by a VML profile. The default logging level is "info", which is
configurable using \log4cxx_config_filereader.xml in a location based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

Log file name: machinelearning_training_0_0.log
Server: Enforce Server
Description: This log file records the design-time base accuracy percentages for the k-fold evaluations for all VML
profiles.

Log file name: machinelearning_training_native_manager.log
Server: Enforce Server
Description: This log file records the total number of features that are modeled at design-time for each VML profile
training run. The default logging level is "info", which is configurable using log4cxx_config_manager.xml in a location
based on your platform:
• Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.10000\logs
• Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/16.0.10000/logs

Log file name: MonitorController0.log
Server: Enforce Server
Description: This log file is a detailed log of the connections between the Enforce Server and the detection servers. It
gives details around the information that is exchanged between these servers, including whether policies have been
pushed to the detection servers or not.

Log file name: PacketCapture.log
Server: Network Monitor
Description: This log file pertains to the packet capture process that reassembles packets into messages and writes to
the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected.
PacketCapture is not a Java process, so
it does not follow the same logging rules as the other
Symantec Data Loss Prevention system processes.
PacketCapture0.log This log file describes issues with PacketCapture Network Monitor
communications.
523
Log file name Description Server
RequestProcessor0.log This log file pertains to SMTP Prevent only. SMTP Prevent
The log file is primarily for use in cases where detection servers
SmtpPrevent_operational0.log is not
sufficient.
ScanDetail-target-0.log Where target is the name of the scan target. All white Discover detection
spaces in the target's name are replaced with hyphens. servers
This log file pertains to Discover server scanning. It is
a file by file record of what happened in the scan. If the
scan of the file is successful, it reads success, and then
the path, size, time, owner, and ACL information of the
file scanned. If it failed, a warning appears followed by
the file name.
tomcat\localhost.date.log These Tomcat log files contain information for any Enforce Server
action that involves the user interface. The logs include
the user interface errors from red error message box,
password failures when logging on, and Oracle errors
(ORA –#).
SymantecDLPIncidentPersister.log This log file contains minimal information: stdout and Enforce Server
stderr only (fatal events).
SymantecDLPManager.log This log file contains minimal information: stdout and Enforce Server
stderr only (fatal events).
SymantecDLPMonitor.log This log file contains minimal information: stdout and All detection servers
stderr only (fatal events).
SymantecDLPMonitorController.log This log file contains minimal information: stdout and Enforce Server
stderr only (fatal events).
SymantecDLPNotifier.log This log file pertains to the Notifier service and its Enforce Server
communications with the Enforce Server and the
MonitorController service. Look at this file to
see if the MonitorController service registered
a policy change.
SymantecDLPUpdate.log This log file is populated when you update Symantec Enforce Server
Data Loss Prevention.
524
Configuring Server Logging Behavior
Use the Configuration tab of the System > Servers and Detectors > Logs screen to change logging configuration
parameters for any server in the Symantec Data Loss Prevention deployment. The Select a Diagnostic Log Setting
menu provides preconfigured settings for Enforce Server and detection server logging parameters. You can select an
available preconfigured setting to define common log levels or to enable logging for common server features. The Select
a Diagnostic Log Setting menu also provides a default setting that returns logging configuration parameters to the
default settings used at installation time.
Preconfigured log settings for the Enforce Server describes the preconfigured log settings available for the Enforce
Server.
Optionally, you can upload a custom log configuration file that you have created or modified using a text editor. (Use the
Collection tab to download a log configuration file that you want to customize.) You can upload only those configuration
files that modify logging properties (file names that end with Logging.properties). When you upload a new log
configuration file to a server, the server first backs up the existing configuration file of the same name. The new file is then
copied into the configuration file directory and its properties are applied immediately.
You do not need to restart the server process for the changes to take effect, unless you are directed to do so.
As of the current software release, only changes to the PacketCaptureNativeLogging.properties and
DiscoverNativeLogging.properties files require you to restart the server process.
Make sure that the configuration file that you upload contains valid property definitions that are applicable to the type
of server you want to configure. If you make a mistake when uploading a log configuration file, use the preconfigured
Restore Defaults setting to revert the log configuration to its original installed state.
The Enforce Server administration console performs only minimal validation of the log configuration files that you upload.
It ensures that:
• Configuration file names correspond to actual logging configuration file names.
• Root level logging is enabled in the configuration file. This configuration ensures that some basic logging functionality
is always available for a server.
• Properties in the file that define logging levels contain only valid values (such as INFO, FINE, or WARNING).
If the server detects a problem with any of these items, it displays an error message and cancels the file upload.
If the Enforce Server successfully uploads a log configuration file change to a detection server, the administration console
reports that the configuration change was submitted. If the detection server then encounters any problems when it tries to
apply the configuration change, it logs a system event warning to indicate the problem.
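The following Python script is an added illustration, not code from the help center or the product. It applies the same three checks described above to a logging configuration file before it is uploaded, so a malformed file is caught on the administrator's workstation rather than rejected by the console. It assumes the files use java.util.logging syntax, where the root logger level is the ".level" key and per-logger levels are "<logger>.level" keys, and it treats a missing or OFF root level as "not enabled"; the full level-name set and the sample file contents are constructed assumptions.

```python
import re

# Level names accepted for *.level properties. The page names INFO, FINE and WARNING;
# the remaining java.util.logging level names are added here as an assumption.
VALID_LEVELS = {"OFF", "SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL"}

# Constructed sample files (not real product configuration files).
GOOD_CONFIG = """\
# constructed FileReaderLogging.properties fragment
.level = INFO
com.vontu.mta.rp.level = FINE
com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
com.vontu.icap.log.IcapOperationalLogHandler.count = 5
"""

BAD_CONFIG = """\
# constructed: no root level, and an invalid level name
com.vontu.mta.rp.level = VERBOSE
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def validate_logging_config(file_name, text):
    """Return the list of problems the console would reject the upload for (empty = OK)."""
    problems = []
    # Check 1: only logging configuration files are accepted.
    if not file_name.endswith("Logging.properties"):
        problems.append(f"{file_name}: name does not end with Logging.properties")
    props = parse_properties(text)
    # Check 2: root level logging must be enabled ('.level' is the java.util.logging
    # root logger key; treating a missing key or OFF as 'not enabled' is an assumption).
    root = props.get(".level")
    if root is None or root.upper() == "OFF":
        problems.append("root level logging is not enabled ('.level' missing or OFF)")
    # Check 3: every *.level property must carry a valid level name.
    for key, value in props.items():
        if key.endswith(".level") and value.upper() not in VALID_LEVELS:
            problems.append(f"{key}: invalid level value {value!r}")
    return problems


if __name__ == "__main__":
    print(validate_logging_config("FileReaderLogging.properties", GOOD_CONFIG))  # []
    # "NotALoggingFile.properties" is a constructed name that fails check 1.
    for p in validate_logging_config("NotALoggingFile.properties", BAD_CONFIG):
        print("reject:", p)
```

Run it against a file downloaded from the Collection tab before editing it by hand; the checks are deliberately no stricter than the three the console itself performs, so a file that passes here may still be rejected for reasons the page does not document.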
Select a Diagnostic Log Setting value / Description

Restore Defaults
Restores log file parameters to their default values.

Custom Attribute Lookup Logging
Logs diagnostic information each time the Enforce Server uses a lookup plug-in to populate custom attributes for an incident. Lookup plug-ins populate custom attribute data using LDAP, CSV files, or other data repositories. The diagnostic information is recorded in the IncidentPersister_0.log file and Tomcat log file. The Tomcat log file is located at the following locations:
• Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\tomcat\localhost.date.log
• Linux: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs/tomcat/localhost.date.log
Table 224: Preconfigured log settings for detection servers
Select a Diagnostic Log Setting value / Detection server uses / Description

Restore Defaults
Detection server uses: All detection servers
Restores log file parameters to their default values.

Discover Trace Logging
Detection server uses: Network Discover Servers
Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.

Detection Trace Logging
Detection server uses: All detection servers
Logs information about each message that the detection server processes. This includes information such as:
• The policies that were applied to the message
• The policy rules that were matched in the message
• The number of incidents that the message generated.
When you enable Detection Trace Logging, the resulting messages are stored in the detection_operational_trace_0.log file.
Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging only when you need to debug a specific problem.

Packet Capture Debug Logging
Detection server uses: Network Monitor Servers
Enables basic debug logging for packet capture with Network Monitor. This setting logs information in the PacketCapture.log file.
While this type of logging can produce a large amount of data, the Packet Capture Debug Logging setting limits the log file size to 50 MB and the maximum number of log files to 10.
If you apply this log configuration setting to a server, you must restart the server process to enable the change.

Email Prevent Logging
Detection server uses: Network Prevent for Email servers
Enables full message logging for Network Prevent for Email servers. This setting logs the complete message content and includes execution and error tracing information. Logged information is stored in the RequestProcessor0.log file.
Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging only when you need to debug a specific problem.
Network Prevent for Email operational log codes
Network Prevent for Email originated responses and codes

ICAP Prevent Message Processing Logging
Detection server uses: Network Prevent for Web servers
Enables operational and access logging for Network Prevent for Web. This setting logs information in the FileReader0.log file.
Network Prevent for Web operational log files and event codes
Network Prevent for Web access log files and fields
Table 225: Preconfigured log settings for the Network Discover Cluster
Detection Trace Logging
Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.
When you select Detection Trace Logging, the zip file containing the debug logs for the detection service is copied to the data node and all the worker nodes at the following location:
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<product_version>\LoggingConfigurationOverwrite
The following properties are used to enable trace logging:
• com.symantec.dlp.clouddetectionserver.logging.Uni in UDSDetectorLogging.properties.
• UDSEnforceConnectorLogging.properties for the enforce connector process in the data node.
Change the Log Configuration for a Symantec Data Loss Prevention Server
Follow this procedure to change the log configuration for a Symantec Data Loss Prevention server.
1. Click the Configuration tab if it is not already selected.
2. If you want to configure logging properties for a detection server, select the server name from the Select a Detection
Server menu.
3. If you want to apply preconfigured log settings to a server, select the configuration name from the Select a Diagnostic
Configuration menu next to the server you want to configure.
See Preconfigured log settings for the Enforce Server and Preconfigured log settings for detection servers for a
description of the diagnostic configurations.
4. To customize log configuration, do one of the following:
• If you instead want to use a customized log configuration file, click Choose File next to the server you want to
configure. Then select the logging configuration file to use from the File Upload dialog, and click Open. You upload
only logging configuration files, and not configuration files that affect other server features.
• For the Network Discover Cluster, you can customize the following files and upload them by clicking Choose File in the Log Configuration File section. The customized files are then downloaded to the data node and worker nodes, and the logs for the data node and worker nodes are collected according to that customization:
– UDSDetectorLogging.properties
– UDSEnforceConnectorLogging.properties
NOTE
For the customization of the UDSEnforceConnectorLogging.properties file to take effect, restart the Enforce Connector Service.
NOTE
If the Choose File button is unavailable because of a previous menu selection, click Clear Form.
5. Click Configure Logs to apply the preconfigured setting or custom log configuration file to the selected server.
6. Check for any system event warnings that indicate a problem in applying configuration changes on a server.
Location/Targets / Description

All Detection Servers, except Network Discover Cluster
The Enforce Server administration console stores all log and configuration files that you collect in a single ZIP file on the Enforce Server computer. If you retrieve files from multiple Symantec Data Loss Prevention servers, each server's files are stored in a separate subdirectory of the ZIP file.

Network Discover Cluster
For Network Discover Cluster log collection, when you select the Operational Logs, Debug and Trace Logs, or Configuration Files checkbox, the File Path and Credentials fields are displayed. Enter the file share path and credentials for a file share folder where you want to upload the cluster log files. You must have read and write permissions for this file share folder. The cluster logs are uploaded to this file share and they are not stored on the Enforce Server. The data node and all the worker nodes in the cluster upload their logs to this file share.
Checkboxes on the Collection tab enable you to collect different types of files from the selected servers. File types for
collection describes each type of file.
Table 227: File types for collection

Operational Logs
Operational log files record detailed information about the tasks the software performs and any errors that occur while the software performs those tasks. You can use the contents of operational log files to verify that the software functions as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with other components of your system.
For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a specific MTA on your network.

Debug and Trace Logs
Debug log files record fine-grained technical details about the individual processes or software components that comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing system configuration errors or in verifying expected software functionality. You do not need to examine debug log files to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to provide debug log files for further analysis when you report a problem. Some debug log files are not created by default. Symantec Support can explain how to configure the software to create the file if necessary.

Configuration Files
Use the Configuration Files option to retrieve both logging configuration files and server feature configuration files.
Logging configuration files define the overall level of logging detail that is recorded in server log files. Logging configuration files also determine whether specific features or subsystem events are recorded to log files.
You can modify many common logging configuration properties by using the presets that are available on the Configuration tab.
If you want to update a logging configuration file by hand, use the Configuration Files checkbox to download the configuration files for a server. You can modify individual logging properties using a text editor and then use the Configuration tab to upload the modified file to the server.
Configuring server logging behavior
The Configuration Files option retrieves the active logging configuration files and also any backup log configuration files that were created when you used the Configuration tab. This option also retrieves server feature configuration files. Server feature configuration files affect many different aspects of server behavior, such as the location of a syslog server or the communication settings of the server. You can collect these configuration files to help diagnose problems or verify server settings. However, you cannot use the Configuration tab to change server feature configuration files. You can only use the tab to change logging configuration files.

Agent Logs
Use the Agent Logs option to collect DLP agent service and operational log files from an Endpoint Prevent detection server. This option is available only for Endpoint Prevent servers. To collect the DLP Agent logs, you must have already pulled the log files from individual agents to the Endpoint Prevent detection server using a Pull Logs action. Use the Agent List screen to select individual agents and pull selected log files to the Endpoint Prevent detection server. Then use the Agent Logs option on this page to collect the log files.
When the logs are pulled from the endpoint, they are stored on the Endpoint Server in an unencrypted format. After you collect the logs from the Endpoint Server, the logs are deleted from the Endpoint Server and are stored only on the Enforce Server. You can only collect logs from one endpoint at a time.
Operational, debug, trace log files are stored in the server_identifier/logs subdirectory of the ZIP file.
server_identifier identifies the server that generated the log files, and it corresponds to one of the following values:
• If you collect log files from the Enforce Server, Symantec Data Loss Prevention replaces server_identifier with the
string Enforce. Note that Symantec Data Loss Prevention does not use the localized name of the Enforce Server.
• If a detection server’s name includes only ASCII characters, Symantec Data Loss Prevention uses the detection server
name for the server_identifier value.
• If a detection server’s name contains non-ASCII characters, Symantec Data Loss Prevention uses the string
DetectionServer-ID-id_number for the server_identifier value. id_number is a unique identification number for
the detection server.
If you collect agent service log files or operational log files from an Endpoint Prevent server, the files are placed in the
server_identifier/agentlogs subdirectory. Each agent log file uses the individual agent name as the log file prefix.
Follow this procedure to collect log files and log configuration files from Symantec Data Loss Prevention servers.
To collect log files from one or more servers
1. Click the Collection tab if it is not already selected.
2. Use the Date Range menu to select a range of dates for the files you want to collect. Note that the collection process
does not truncate downloaded log files in any way. The date range limits collected files to those files that were last
updated in the specified range.
3. To collect log files from the Enforce Server, select one or more of the checkboxes next to the Enforce Server entry to
indicate the type of files you want to collect.
4. To collect log files from one or all detection servers, use the Select a Detection Server menu to select either the
name of a detection server or the Collect Logs from All Detection Servers option. Then select one or more of the
checkboxes next to the menu to indicate the type of files you want to collect.
5. Click Collect Logs to begin the log collection process.
• For the Enforce Server log collection, the administration console adds a new entry for the log collection process in
the Previous Log Collections list at the bottom of the screen. If you are retrieving many log files, you may need to
refresh the screen periodically to determine when the log collection process has completed.
• For Network Discover Cluster log collection, when the logs are successfully collected, a success message is added to the Previous Log Collections list at the bottom of the screen. Navigate to the file share folder where the cluster logs were uploaded. The file share folder has a subfolder for each data node (DN) and worker node (WN) that contains the logs for that node.
A system event is generated in case there is a failure for Network Discover Cluster log collection.
The default timeout interval for the log collection command is 30 minutes.
NOTE
You can run only one log collection process at a time.
6. To cancel an active log collection process, click Cancel next to the log collection entry. You may need to cancel log
collection if one or more servers are offline and the collection process cannot complete.
When you cancel the Enforce Server log collection, the ZIP file contains only those files that were successfully
collected.
7. To download the Enforce Server collected logs to your local computer, click Download next to the log collection entry.
The Download option is not available for Network Discover Cluster log collection.
8. For the Enforce Server collected logs, to remove ZIP files stored on the Enforce Server, click Delete next to a log
collection entry.
The Delete option is not available for Network Discover Cluster log collection.
About log event codes
Operational log file messages are formatted to closely match industry standards for the various protocols involved.
These log messages contain event codes that describe the specific task that the software was trying to perform when the
message was recorded. Log messages are generally formatted as:
Timestamp [Log Level] (Event Code) Event description [event parameters]
• Network Prevent for Web operational log files and event codes
• Network Prevent for Email operational log codes
• Network Prevent for Email originated responses and codes
Network Prevent for Web Operational Log Files and Event Codes
Network Prevent for Web log file names use the format of WebPrevent_OperationalX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. This file is in the c:\Program Files\Symantec\DataLossPrevention
\DetectionServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/
DetectionServer/16.0.10000/Protect/config (Linux) directory. By default, the values are:
• com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
• com.vontu.icap.log.IcapOperationalLogHandler.count = 5
Status codes for Network Prevent for Web operational logs lists the Network Prevent for Web-defined operational logging
codes by category. The italicized part of the text contains event parameters.
Table 228: Status codes for Network Prevent for Web operational logs
Operational Events
1100 Starting Network Prevent for Web
Connectivity Events
1200 Listening for incoming connections at icap_bind_address:icap_bind_port
Where:
• icap_bind_address is the Network Prevent for Web bind address to which the server listens. This address is specified
with the Icap.BindAddress Advanced Setting.
• icap_bind_port is the port at which the server listens. This port is set in the Server > Configure page.
1201 Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port)
Where:
• conn_id is the connection ID that is allocated to this connection. This ID can be helpful in doing correlations between
multiple logs.
• icap_client_ip and icap_client_port are the proxy's IP address and port from which the connect operation to Network
Prevent for Web was performed.
1202 Connection (id=conn_id) closed (close_reason)
Where:
• conn_id is the connection ID that is allocated to the connect operation.
• close_reason provides the reason for closing the connection.
Network Prevent for Web access log fields lists the fields. The values of fields that are enclosed in quotes in this example are quoted in an actual message. If field values cannot be determined, the message displays - or "" as a default value.
Field Explanation
referrer Header value from the request that contains the URI from which this request came.
user_agent User agent that is associated with the request.
processing_time (milliseconds) Request processing time in milliseconds. This value is the total of the receiving, content
inspection, and sending times.
conn_id Connection ID associated with the request.
client_ip IP of the ICAP client (proxy).
client_port Port of the ICAP client (proxy).
action_code An integer representing the action that Network Prevent for Web takes. Where the action code is
one of the following:
• 0 = UNKNOWN
• 1 = ALLOW
• 2 = BLOCK
• 3 = REDACT
• 4 = ERROR
• 5 = ALLOW_WITHOUT_INSPECTION
• 6 = OPTIONS_RESPONSE
• 7 = REDIRECT
icap_method_code An integer representing the ICAP method that is associated with this request. Where the ICAP
method code is one of the following:
• -1 = ILLEGAL
• 0 = OPTIONS
• 1 = REQMOD
• 2 = RESPMOD
• 3 = LOG
traffic_source_code An integer that represents the source of the network traffic. Where the traffic source code is one
of the following:
• 1 = WEB
• 2 = UNKNOWN
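The following Python example is added here and is not code from the help center or the product. It parses operational log lines in the general shape given in "About log event codes" (Timestamp [Log Level] (Event Code) Event description), correlates the 1201 and 1202 connectivity events by conn_id as the event table suggests, and decodes the integer action_code, icap_method_code and traffic_source_code fields of the access log into the names listed above. The timestamp layout and the sample lines are constructed, not taken from a real WebPrevent_Operational log.

```python
import re
from collections import OrderedDict

# General message shape from the page:
#   Timestamp [Log Level] (Event Code) Event description [event parameters]
# The timestamp layout is not specified on the page; the regex takes everything
# before the first " [LEVEL]" as the timestamp (assumption).
LINE_RE = re.compile(r"^(?P<ts>.+?)\s+\[(?P<level>[A-Z]+)\]\s+\((?P<code>-?\d+)\)\s+(?P<desc>.*)$")
CONN_ID_RE = re.compile(r"\(id=(?P<id>\d+)\)")

# Integer code fields of the access log, with the names listed on the page.
ACTION_CODES = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
                5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
ICAP_METHOD_CODES = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
TRAFFIC_SOURCE_CODES = {1: "WEB", 2: "UNKNOWN"}

# Constructed sample lines using event codes 1100, 1200, 1201 and 1202 from the table;
# addresses, ports, connection ids and close reasons are made up.
SAMPLE_LINES = [
    "2024-01-15 10:02:03 [INFO] (1100) Starting Network Prevent for Web",
    "2024-01-15 10:02:04 [INFO] (1200) Listening for incoming connections at 10.0.0.5:1344",
    "2024-01-15 10:03:11 [INFO] (1201) Connection (id=17) opened from host(10.0.0.9:51234)",
    "2024-01-15 10:03:12 [INFO] (1201) Connection (id=18) opened from host(10.0.0.9:51240)",
    "2024-01-15 10:03:15 [INFO] (1202) Connection (id=17) closed (client closed)",
    "garbage line that does not match the format",
]


def parse_line(line):
    """Split one operational log line into timestamp, level, event code and description."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "level": m.group("level"),
            "code": int(m.group("code")), "desc": m.group("desc")}


def connection_sessions(lines):
    """Correlate 1201 (connection opened) and 1202 (connection closed) events by conn_id."""
    sessions = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["code"] not in (1201, 1202):
            continue
        m = CONN_ID_RE.search(ev["desc"])
        if not m:
            continue
        s = sessions.setdefault(int(m.group("id")),
                                {"client": None, "opened": None, "closed": None, "close_reason": None})
        if ev["code"] == 1201:
            host = re.search(r"host\(([^)]+)\)", ev["desc"])
            s["opened"] = ev["ts"]
            s["client"] = host.group(1) if host else None
        else:
            reason = re.search(r"closed \((.*)\)$", ev["desc"])
            s["closed"] = ev["ts"]
            s["close_reason"] = reason.group(1) if reason else None
    return sessions


def unclosed_connections(lines):
    """conn_ids that were opened but have no matching 1202 event in the lines seen."""
    return [cid for cid, s in connection_sessions(lines).items() if s["opened"] and not s["closed"]]


def decode_access_codes(action_code, icap_method_code, traffic_source_code):
    """Translate the three integer access log fields into their names ('INVALID' if unknown)."""
    return (ACTION_CODES.get(action_code, "INVALID"),
            ICAP_METHOD_CODES.get(icap_method_code, "INVALID"),
            TRAFFIC_SOURCE_CODES.get(traffic_source_code, "INVALID"))


if __name__ == "__main__":
    for cid, s in connection_sessions(SAMPLE_LINES).items():
        print(cid, s)
    print("still open:", unclosed_connections(SAMPLE_LINES))
    print(decode_access_codes(2, 1, 1))
```

Connections that appear in the open list at the end of a log window are worth checking against the proxy side: a proxy that opens ICAP connections without closing them is a common reason for the lower-than-expected traffic the PacketCapture entries above describe.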
Network Prevent for Email Log Levels
Network Prevent for Email log file names use the format of EmailPrevent_OperationalX.log (where X is a
number). The number of files that are stored and their sizes can be specified by changing the values in the
FileReaderLogging.properties file. By default, the values are:
• com.vontu.mta.log.SmtpOperationalLogHandler.limit = 5000000
• com.vontu.mta.log.SmtpOperationalLogHandler.count = 5
At various log levels, components in the com.vontu.mta.rp package output varying levels of detail. The
com.vontu.mta.rp.level setting specifies log levels in the RequestProcessorLogging.properties file
which is stored in the FileReaderLogging.properties file. This file is in the c:\Program Files\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/
DataLossPrevention/DetectionServer/16.0.10000/Protect/config (Linux) directory. For example,
com.vontu.mta.rp.level = FINE specifies the FINE level of detail.
Network Prevent for Email log levels describes the Network Prevent for Email log levels.
Level Guidelines
INFO General events: connect and disconnect notices, information on the messages that are processed per connection.
FINE Some additional execution tracing information.
FINER Envelope command streams, message headers, detection results.
FINEST Complete message content, deepest execution tracing, and error tracing.
Table 231: Status codes for Network Prevent for Email operational log
Code Description
Core Events
1100 Starting Network Prevent for Email
Connectivity Errors
5200 Connection is rejected from the unauthorized host (tid=id local=hostname:port remote=hostname:port)
Message Events
1300 Message complete (cid=N message_id=3 dlp_id=message_identifier size=number sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N
Where:
• Recipient_count is the total number of addressees in the To, CC, and BCC fields.
• Response is the Network Prevent for Email response which can be one of: PASS, BLOCK, BLOCK_AND_REDIRECT, REDIRECT, MODIFY, or ERROR.
• The estatus is an Enhanced Status code. See Network Prevent for Email originated responses and codes.
• The rtime is the time in seconds for Network Prevent for Email to fully receive the message from the sending MTA.
• The dtime is the time in seconds for Network Prevent for Email to perform detection on the message.
• The mtime is the total time in seconds for Network Prevent for Email to process the message.
Message Errors
5300 Error while processing message (cid=N message_id=header_ID
dlp_id=message_identifier size=0 sender=email_address
recipient_count=N disposition=response estatus=statuscode
rtime=N dtime=N mtime=N reason=Explanation
Where header_ID is an RFC 822 Message-Id header if one exists.
5301 Sender rejected during re-submit
Table 232: Network Prevent for Email originated responses
Code / Enhanced Status / Text / Description

250 2.0.0 "Ok: Carry on."
Success code that Network Prevent for Email uses.

221 2.0.0 "Service closing."
The normal connection termination code that Network Prevent for Email generates if a QUIT request is received when no forward MTA connection is active.

451 4.3.0 "Error: Processing error."
This "general, transient" error response is issued when a (potentially) recoverable error condition arises. This error response is issued when a more specific error response is not available. Forward connections are sometimes closed, and their unexpected termination is occasionally a cause of a code 451, status 4.3.0. However, sending connections should remain open when such a condition arises unless the sending MTA chooses to terminate.

421 4.3.0 "Fatal: Processing error. Closing connection."
This "general, terminal" error response is issued when a fatal, unrecoverable error condition arises. This error results in the immediate termination of any sender or receiver connections.

421 4.4.1 "Fatal: Forwarding agent unavailable."
An attempt to connect the forward MTA was refused or otherwise failed to establish properly.

421 4.4.2 "Fatal: Connection lost to forwarding agent."
Closing connection. The forwarded MTA connection is lost in a state where further conversation with the sending MTA is not possible. The loss usually occurs in the middle of message header or body buffering. The connection is terminated immediately.

451 4.4.2 "Error: Connection lost to forwarding agent."
The forward MTA connection was lost in a state that may be recoverable if the connection can be re-established. The sending MTA connection is maintained unless it chooses to terminate.

421 4.4.7 "Error: Request timeout exceeded."
The last command issued did not receive a response within the time window that is defined in the RequestProcessor.DefaultCommandTimeout. (The time window may be from RequestProcessor.DotCommandTimeout if the command issued was the ".".) The connection is closed immediately.

421 4.4.7 "Error: Connection timeout exceeded."
The connection was idle (no commands actively awaiting response) in excess of the time window that is defined in RequestProcessor.DefaultCommandTimeout.

501 5.5.2 "Fatal: Invalid transmission request."
A fatal violation of the SMTP protocol (or the constraints that are placed on it) occurred. The violation is not expected to change on a resubmitted message attempt. This message is only issued in response to a single command or data line that exceeds the boundaries that are defined in RequestProcess.MaxLineSize.

502 5.5.1 "Error: Unrecognized command."
Defined but not currently used.

550 5.7.1 "User Supplied."
This combination of code and status indicates that a Blocking response rule has been engaged. The text that is returned is supplied as part of the response rule definition.
Note that a 4xx code and a 4.x.x enhanced status indicate a temporary error. In such cases the MTA can resubmit the
message to the Network Prevent for Email Server. A 5xx code and a 5.x.x enhanced status indicate a permanent error. In
such cases the MTA should treat the message as undeliverable.
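The following Python example is added here and is not code from the help center or the product. It parses the 1300 (Message complete) and 5300 (Error while processing message) events described in the operational log code table, classifies the estatus value by its first digit according to the note above (2.x.x success, 4.x.x temporary, 5.x.x permanent), and summarizes dispositions, slow detection times and processing errors, which is the kind of check a SOC would run over an EmailPrevent_Operational log. The sample lines, their timestamp layout, the closing parenthesis after mtime, the dlp_id values and the single-token reason are constructed.

```python
import re
from collections import Counter

# Message shape from the page: Timestamp [Log Level] (Event Code) Event description
# Timestamp layout is an assumption (anything before the first " [LEVEL]").
EVENT_RE = re.compile(r"^(?P<ts>.+?)\s+\[(?P<level>[A-Z]+)\]\s+\((?P<code>\d+)\)\s+(?P<desc>.*)$")
# key=value event parameters as listed for codes 1300 and 5300.
PARAM_RE = re.compile(r"(?P<key>[A-Za-z_]+)=(?P<value>[^\s)]+)")
INT_FIELDS = {"cid", "size", "recipient_count", "rtime", "dtime", "mtime"}

# Constructed sample lines (addresses, ids, sizes and timings are made up).
SAMPLE_LINES = [
    "2024-01-15 10:05:01 [INFO] (1100) Starting Network Prevent for Email",
    "2024-01-15 10:05:03 [INFO] (1300) Message complete (cid=4 message_id=<a1@example.com> "
    "dlp_id=m-001 size=20480 sender=alice@example.com recipient_count=3 disposition=PASS "
    "estatus=2.0.0 rtime=1 dtime=2 mtime=3)",
    "2024-01-15 10:05:09 [INFO] (1300) Message complete (cid=5 message_id=<a2@example.com> "
    "dlp_id=m-002 size=1048576 sender=bob@example.com recipient_count=12 disposition=BLOCK "
    "estatus=5.7.1 rtime=2 dtime=9 mtime=11)",
    "2024-01-15 10:05:20 [WARNING] (5300) Error while processing message (cid=6 "
    "message_id=<a3@example.com> dlp_id=m-003 size=0 sender=carol@example.com recipient_count=1 "
    "disposition=ERROR estatus=4.4.2 rtime=1 dtime=0 mtime=1 reason=connection_lost_to_forwarding_agent)",
]


def parse_message_event(line):
    """Return the parameters of a 1300 or 5300 event as a dict, or None for other lines."""
    m = EVENT_RE.match(line.strip())
    if not m or int(m.group("code")) not in (1300, 5300):
        return None
    params = {}
    for p in PARAM_RE.finditer(m.group("desc")):
        key, value = p.group("key"), p.group("value")
        params[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    params["code"] = int(m.group("code"))
    params["ts"] = m.group("ts")
    return params


def classify_estatus(estatus):
    """2.x.x success; 4.x.x temporary (MTA may resubmit); 5.x.x permanent (undeliverable)."""
    if not re.match(r"^[245]\.\d+\.\d+$", estatus):
        return "unknown"
    return {"2": "success", "4": "transient", "5": "permanent"}[estatus[0]]


def summarize(lines, slow_dtime=5):
    """Disposition counts, dlp_ids whose detection took longer than slow_dtime seconds, and errors."""
    dispositions = Counter()
    slow, errors = [], []
    for line in lines:
        ev = parse_message_event(line)
        if ev is None:
            continue
        dispositions[ev.get("disposition", "UNKNOWN")] += 1
        if ev.get("dtime", 0) > slow_dtime:
            slow.append(ev.get("dlp_id"))
        if ev["code"] == 5300:
            errors.append((ev.get("dlp_id"), ev.get("reason")))
    return {"dispositions": dict(dispositions), "slow": slow, "errors": errors}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        ev = parse_message_event(line)
        if ev:
            print(ev["dlp_id"], ev["disposition"], ev["estatus"], classify_estatus(ev["estatus"]))
```

A 5300 event whose estatus classifies as transient (4.4.2 in the sample) is the case the note above covers: the sending MTA is expected to resubmit, so a burst of such events with the same reason points at the forward MTA link rather than at the message content.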
About log files
Uninstalling a server
You can uninstall Symantec Data Loss Prevention components (Enforce Server or detection server) from servers.
Uninstalling removes all Symantec Data Loss Prevention data, including the following:
• Incremental scan index that is used with Network Discover. If you want to preserve the incremental scan index,
back it up before you uninstall Symantec Data Loss Prevention. See the Symantec Data Loss Prevention System
Maintenance Guide for information about backing up the incremental scan index.
• Enforce Schema and keystore files encrypted in the CryptoMasterKey.properties file. Symantec recommends
that you create a backup of this data before you uninstall a Symantec Data Loss Prevention server component. You
can use the backup for disaster recovery and to reinstall Symantec Data Loss Prevention.
Run the Reinstallation Resources Utility to create a backup.
Creating the Enforce Reinstallation Resources file
• Keystore files that are used for encrypting communication to DLP Agents. These keystore files are not backed
up by the Reinstallation Resources Utility. Symantec recommends that you create a backup of this data before
you uninstall a Symantec Data Loss Prevention server component. You back up these keystore files for disaster
recovery for connecting DLP Agents to a recovered system.
Backing up keystore files on Windows
Backing up Keystore Files on Linux
See the Symantec Data Loss Prevention System Maintenance Guide for details on backing up your system and
uninstalling servers.
Creating the Enforce Reinstallation Resources file
Before you uninstall Symantec Data Loss Prevention, create an EnforceReinstallationResources.zip file
using the Reinstallation Resources Utility. This file includes files such as the CryptoMasterKey.properties file and
keystore files, which are required to connect Symantec Data Loss Prevention to an existing DLP database.
Each Symantec Data Loss Prevention installation encrypts its database using a unique
CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec
Data Loss Prevention database. If the CryptoMasterKey.properties file becomes lost or corrupted and you do not
have a backup, contact Symantec Technical Support to recover the file.
Complete the following procedure to create the EnforceReinstallationResources.zip file required by the
Symantec Data Loss Prevention 16.0.1 installer.
If you choose to run the EnforceServer.msi file to complete the installation, on the Initialize Database panel
select Preserve Database Data and specify the EnforceReinstallationResources.zip file.
3. Identify this new EnforceReinstallationResources.zip when reinstalling Symantec Data Loss Prevention from
your backup version.
Include the following parameters (in addition to other required parameters):
reinstallationResourceFile="/opt/EnforceReinstallationResources.zip"
• Ensure that you have backed up all keystore files.
See Backing up keystore files on Windows.
• Run the Reinstallation Resources Utility to create a backup of the CryptoMasterKey.properties file and Enforce
Server keystore files.
See Creating the Enforce Reinstallation Resources file.
• Shut down services to ensure that all Symantec Data Loss Prevention components are removed.
See Starting and Stopping Services on Windows.
NOTE
If you are uninstalling Network Discover clusters, uninstall worker nodes before uninstalling data nodes.
Uninstalling Silently
You can also use the following commands to uninstall Symantec Data Loss Prevention in Silent Mode:
• Run the following command to uninstall the Enforce Server:
C:\> msiexec /x EnforceServer.msi /qn /L*v c:\uninstall.log
• Run the following command to uninstall a detection server or node:
C:\> msiexec /x DetectionServer.msi /qn /L*v c:\uninstall.log
Running this command leaves dependencies on the server. You can remove symantec-dlp-
keyview-12-5-12.5.0.0-19012.x86_64 if you are running version 16.0; version 16.0 uses a
different KeyView version. KeyView 12.5 is required for version 15.8, so leave this dependency if you are running a
15.8 system on the server.
Do not remove the following required dependencies if you are running a version of Symantec Data Loss
Prevention on the server:
• symantec-dlp-enforce-server-system-dependencies-1.0.0-1.el7.x86_64
• symantec-dlp-enforce-server-services-1.0.0-1.el7.x86_64
• Run the following uninstallation command to remove all servers, nodes, and components for all versions that exist
on the server:
rpm -e $(rpm -qa "symantec-dlp-*")
Removing DLP Agents from Windows Endpoints Using System Management Software
Follow this procedure if you hid the Symantec Data Loss Prevention service from the Add or Remove Programs list (ARP)
during installation.
Because the Symantec DLP Agent does not appear in the ARP, you cannot use the ARP list for the uninstallation process.
You must use the MSI command to remove the Symantec DLP Agent. Only use the MSI command uninstallation if you
have hidden the Symantec DLP Agent from the ARP during installation.
To remove the agent with the MSI command
1. Open the command prompt window.
2. Enter the string:
msiexec /x AgentInstall_16_0_1.msi
7. Click OK.
You can add options to the uninstall command such as SilentMode or Logname. SilentMode allows the Symantec
DLP Agent to uninstall without displaying a user interface on the desktop. The uninstallation takes place in the
background of the workstation and is not visible to the user. Logname lets you set any log file you want. However, this
option is only available if you have the original installer present. If you do not have the original installer, you must use
the product code.
The code for a silent install is:
/QN:silentmode
msiexec.exe has several other options. For further options, see your MSI guide.
Removing DLP Agents from Mac endpoints Using System Management Software
Use the following steps to remove DLP Agents from Mac endpoints using your system management software (SMS).
1. Locate the uninstall_agent command and copy it to a temporary location on the endpoint.
This tool is located in the Symantec_DLP_16.0.1_Agent_Mac-IN.zip file.
2. Add the uninstall command to your SMS.
sudo /tmp/uninstall_agent -prompt=n
rm -f /tmp/uninstall_agent
Replace /tmp with the location where the uninstall_agent command is located.
3. Identify agents to be uninstalled and run the uninstallation.
$ sudo ./uninstall_agent
NOTE
You can review uninstall logs on the Terminal application by running this command: sudo ./uninstall_agent
-prompt=no -log=console. By default, logs are saved to the uninstall_agent.log file.
The command removes files and folders that are associated with the agent.
4. Review uninstallation logs at /var/log/AgentUninstall.log.
About High Availability and Disaster Recovery for Symantec Data Loss Prevention
Use this content to optimize the high availability (HA) and disaster recovery (DR) plan and policies for your Symantec
Data Loss Prevention implementation.
These high availability and disaster recovery considerations and recommended best practices for Symantec Data Loss
Prevention (DLP) components are provided so that your organization can assess successful implementations. Your
assessment can help you to tune and optimize your DLP implementation for HA and DR.
NOTE
This document does not provide a comprehensive high availability and disaster recovery plan.
Every DLP deployment is unique to the security and compliance needs of an organization. These recommendations may
not exactly match the HA and DR requirements of your organization. The HA/DR plan that you use for DLP should fit
with the IT plan your organization uses.
Testing and Qualification Disclaimer
Not all products and configurations that are mentioned in this document have been tested or fully qualified by Symantec.
The document also references third-party tools, products, and configurations that are not tested or officially certified
by Symantec. Before you implement an HA and DR plan, see DLP System Requirements.
Governance Considerations
Organizations strive to meet multiple regulations in the current regulatory environment. When considering a high
availability (HA) and disaster recovery (DR) solution for Symantec Data Loss Prevention, consider the following items:
• What type of data is captured
• Where is data stored
• How long is data retained at each point along the communication path
First, an understanding of the architecture and data communication flow can help you to decide on the most effective
approach.
Second, it is important to consider HA/DR solutions from an information and data governance and response perspective.
Answer the following questions to form a basis for how your organization determines the need for HA and DR for
Symantec Data Loss Prevention:
• What is the acceptable period of time between a data event and the notification? The acceptable period may be based
on the data governance standards of your organization (for example, breach and investigations and policies and
processes).
• How much time can be allowed to pass between incident creation to notification within the Enforce Server
administration console?
Related Links
General Considerations for DLP Data Flow and Incident Data Storage on page 544
Familiarize yourself with the DLP data flow and incident storage and how each relates to different DLP components.
Best-Practice Considerations for Optimizing Symantec Data Loss Prevention for High Availability and Disaster
Recovery on page 545
Meet governance and regulatory requirements by configuring your DLP environment to meet your business needs while
balancing server resources.
Regulatory Requirements Affecting High Availability and Disaster Recovery on page 545
Cybersecurity Control Frameworks on page 545
Review cybersecurity control framework requirements for disaster recovery, contingencies, continuity, planning, alternate
storage, and processing capabilities.
Control Categories on page 546
Review the cybersecurity control frameworks that may be implicated in regulatory requirements and cybersecurity control
frameworks.
General Considerations for DLP Data Flow and Incident Data Storage
Familiarize yourself with the DLP data flow and incident storage and how each relates to different DLP components.
For DLP Agents, the Symantec Data Loss Prevention data flow stores incident data on the endpoint where
the DLP Agent is installed. The data is saved until the agent connects to the Endpoint Server. You can configure the
agents to store incidents for a predetermined period or based on the available disk space.
All detection servers store the incident and log data locally until they connect to the Enforce Server. You can configure the
detection servers to store incidents for a predetermined period or based on the available disk space.
If your organization has a Recovery Time Objective (RTO) for the Enforce Server and the Oracle database of up to
8 hours, then you must configure your agents and servers to accommodate incident data up to 24 hours. This period
provides substantial flexibility for the RTO. This approach ensures that you do not lose any incident data and alleviates
the need for advanced HA/DR programs, software, and hardware expenditures. However, you may not have access to
incident data until the Enforce Server and Oracle server connections are reestablished. Symantec recommends that you
review these scenarios with your risk, legal, and compliance teams to determine an appropriate recovery objective for
Symantec Data Loss Prevention.
Best-Practice Considerations for Optimizing Symantec Data Loss Prevention for High
Availability and Disaster Recovery
Meet governance and regulatory requirements by configuring your DLP environment to meet your business needs while
balancing server resources.
When apportioning server size and resources, consider the size of the local disk. If the Enforce Server or database goes
down, each server and DLP Agent stores all incidents locally until the Enforce Server and DLP services come back online.
Control Categories
Review the cybersecurity control frameworks that may be implicated in regulatory requirements and cybersecurity control
frameworks.
Review the following list of control categories:
• Contingency Planning
– Alternate Processing Site
• Alternate Information Processing Site
• Alternate Information Processing Site Agreements
• Technology Services Continuity Recovery Site Identification
– Alternate Storage Site
• Alternate Information Storage Site
• Alternate Information Storage Site Agreements
• Business Continuity Plan Offsite Documentation Storage
• Continuity Plan Off-Site Storage
• Technology Continuity Off-Site Materials Backup Storage Selection
• Technology Recovery Hardware Location
• Contingency Plan
• Contingency Plan Testing and Exercises
• Contingency Planning Policy and Procedures
• Contingency Training
• Information System Recovery and Reconstitution
– Data Restoration Procedures
– Data Restoration Testing
– IT Resource Recovery Prioritization
– Standby System Component Role Assumption
– System Restoration Asset Protection
– System Restoration Procedures
– System Transaction Recovery Mechanisms
Architectural Considerations
Review the following HA/DR considerations as they relate to your system architecture.
Enterprise customers most commonly deploy Symantec Data Loss Prevention to a three-tier environment. A three-tiered
environment is represented by components that are listed in the following table.
Table 234: Three-tier environment components
Component | Description | See
Oracle database | Symantec Data Loss Prevention supports Enterprise Edition. Symantec recommends that customers use this edition if they have a strong Oracle presence. In general, Enterprise Edition provides options that are more robust for HA and DR. Symantec Data Loss Prevention also supports Standard Edition. Symantec recommends that customers use this edition if they rely on Oracle less frequently. This edition is common if the database has been licensed directly from Symantec as part of the overall DLP license acquisition. | See Oracle Architectural Considerations.
Enforce Server administration console | The Enforce Server serves as the primary user interface for Symantec Data Loss Prevention and is the method for writing and deploying policy, as well as aggregating and storing incidents in the database. Only one Enforce Server administration console can be active in a deployed Symantec Data Loss Prevention instance, which is the most important consideration for HA and DR purposes. | See Enforce Server Architectural Considerations.
Detection servers | Most detection servers are responsible for analyzing content and generating incidents. This type of detection server includes Network Monitor, Network Prevent for Web, Network Prevent for Email, Network Discover, and Network Discover clusters. The Endpoint Prevent server, which provides server support for Endpoint Prevent and Endpoint Discover, typically acts as a relay, sending policies down to DLP Agents and retrieving incidents generated from agents. You can use cloud servers to replace on-premises detection servers. Symantec offers several services for cloud-based detection and integrations. | See Detection Server Architectural Considerations. See Cloud Architectural Considerations.
Each tier represents different functionality as part of the whole Symantec Data Loss Prevention system. Because of the
multiple tiers, HA and DR considerations should be evaluated independently for each tier rather than treating the entire
system as a homogenous whole.
NOTE
Incident detection, and blocking by response rules that the detection server applies, should continue on
detection servers and agents.
Loss of the Oracle database is significant for the system, but does not stop DLP from running. Detection servers and
agents use the cached version of the last used policy set to trigger incidents (and execute block rules, if configured).
Lack of access to the Enforce Server administration console is typically the biggest impact from an Oracle outage.
Configuring HA and DR for the Oracle database generally depends on the edition of Oracle that you use:
• Enterprise Edition
Multiple options exist for near real-time high availability (for example, Oracle RAC) and site recovery (for example,
Data Guard). These options can typically be highly automated to achieve mostly transparent fail over with minimal user
intervention.
• Standard Edition
The options for backup and recovery are manual and can often be automated through custom scripting. Cold or warm
backups using Oracle Recovery Manager (RMAN) provide the pathway to availability and recovery.
period, there is a potential for new incidents to not be recorded. New incidents are not recorded if the detection server or
endpoint does not have sufficient disk space available.
The Enforce Server presents a unique challenge among the tiered components; only one Enforce Server can be active
in a Symantec Data Loss Prevention deployment. You can create a secondary Enforce Server; however, ensure that the
DLP Services on secondary or standby Enforce Server are stopped. Because of this limitation, most strategies regarding
Enforce Server availability and disaster recovery are centered on creation of an active-passive architecture where a
second Enforce Server is located in an alternate site (or same site, if availability is a chief concern) with services stopped.
While most configuration data is kept in the Oracle database, a key set of files must be automatically or manually synced
to the secondary/recovery Enforce Server to ensure operational continuity. See Configure the Enforce Server for High
Availability and Disaster Recovery for additional information on what files are necessary. Failover to the secondary server
does not have to be manual. You can use custom scripts that are triggered by monitoring software to automate the failover
process.
Backup and recovery options for an Enforce Server are not limited to physical hardware. Many excellent solutions exist for
server virtualization (for example, VMware VMotion) which provides protection against host failure and for server mirroring
or replication (either using snapshots or automated replication). When considering these solutions, keep in mind the
requirement that only one Enforce Server can be active.
Question | Details
How long can an outage be tolerated? | Identifying enterprise availability and recovery tiers for the Enforce Server helps drive the architectural requirements or operational strategies that are required to restore the service. Smaller tolerances require more automated solutions and dedicated standby recovery target hardware. Larger tolerances allow systems to be rebuilt and restored in a more manual fashion, sacrificing recovery speed for lower infrastructure costs.
Is the Enforce Server virtualized? | Virtualization presents many advantages over physical hardware for HA and DR of the Enforce Server.
Is there a possibility to invest in alternate site standby hardware? | Many customers have a passive standby Enforce Server in an alternate site, but an agile organization may be able to quickly install the Enforce Server software on a new server and copy necessary configuration files to the new server. This method trades infrastructure costs for a delay in the recovery time. Understanding your organization's Recovery Point Objective (RPO) is important to determine the need for dedicated recovery targets.
Table 236: Detection server outage summary
Detection server | Outage impact
Network Monitor, Network Prevent for Web, Network Prevent for Email | Detection and incident logging stops.
Network Discover | Active or scheduled scans stop and no incidents are logged.
Endpoint Prevent/Endpoint Discover | Detection on agents continues as usual (including blocking and popup notifications). Incidents are stored locally on the endpoint until the Endpoint Server is available. If the Endpoint Server is down for an extended period, new incidents may not be recorded. New incidents are not recorded if the endpoint does not have sufficient disk space available. These incidents are not visible in the Enforce Server until the Endpoint Servers are restored.
Loss of detection servers has a significant impact on the Symantec Data Loss Prevention solution. Depending on the
type of detection server, traffic inspection can fail. Fortunately, most detection servers are horizontally scalable. Strong
availability is achieved by using load-balancing solutions that are coupled with N+1 or N+2 server deployments. As loss
of each type of detection server has different impacts on operations, different considerations can be given to each for HA/
DR.
Companies often use Network Prevent for Email and Network Prevent for Web detection servers as a primary line of
defense for data loss prevention, especially due to their ability to block content. For high availability purposes, deploying
these servers in an N+1 or N+2 allotment provides an excellent guard against single-server failure when accompanied by
load-balancing technologies.
The critical nature of these two detection server types means that customers often have active or warm standby
infrastructure at an alternate site for disaster recovery purposes.
Endpoint Servers do not directly inspect most traffic and merely serve as a relay for policies and incidents
to DLP Agents. These servers relay data, so the loss of a single or multiple Endpoint Servers temporarily is acceptable.
NOTE
However, Endpoint Servers detect data when two-tier detection is used with EDM and IDM profiles.
Consider implementing one of the following architectural scenarios for Endpoint Prevent and Endpoint Discover servers:
• Load-balance Endpoint Servers in an N+1 configuration. This configuration improves availability for agents because
one URL/virtual IP address can be used to represent all Endpoint Servers
• Locate Endpoint Servers in a DMZ or public-facing private cloud instance. This configuration provides availability to
agents even when they are not connected to the corporate network
• Change the endpoint keystore password on the Enforce Server.
• Apply the same password on the backup Enforce Server.
• Restart Endpoint Servers to ensure that the keystore password is applied.
• Create an agent installation package using the new endpoint keystore password. The backup Enforce Server can then
communicate to agents using certificates that use the same keystore password.
NOTE
The above failover plan has not been tested with third-party certificates.
Network Monitor
Network Monitor uses a SPAN or TAP connection, and therefore needs special consideration for high availability and
disaster recovery.
Consider implementing the following architectural scenarios for Network Monitor servers:
• If you virtualize servers, dedicate a host to the virtual machine so that it can take full advantage of the physical network
cards in the host.
• If you use physical hardware, deploy in an N+1 configuration where “load balancing” is performed by way of traffic
steering on advanced edge network appliances. Customers typically have a standby/active infrastructure that is
deployed in an alternate site location. The infrastructure is not merely for failover purposes. It also monitors traffic in
the alternate site.
Network Discover
Owing to the nature of planned, scheduled scans, Network Discover is often the lowest priority in a high availability
and disaster recovery plan. Most customers rebuild a new Network Discover server upon failure of an existing server,
rather than keeping dedicated failover hardware. Incidents from Network Discover scans are often not generated in
real time, but over the course of days, weeks, months, or even years. The recovery point objective is usually measured
in a longer time frame, which allows for a more casual plan to rebuild the servers.
Related Links
Performing a cold backup of the Oracle database on Windows on page 487
Performing a Cold Backup of the Oracle Database on Linux on page 505
Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery on page 561
Best Practices
Go to the following sections to learn how to optimize these components in your Symantec Data Loss Prevention
environment for high availability and disaster recovery:
• Configure Oracle 19c Enterprise Edition for High Availability and Disaster Recovery
• Configure Oracle 19c Standard Edition for High Availability and Disaster Recovery
• Configure the Enforce Server for High Availability and Disaster Recovery
• Configure Detection Servers for High Availability and Disaster Recovery
• Configure Information Centric Analytics for High Availability and Disaster Recovery
Configure Oracle 19c Enterprise Edition for High Availability and Disaster Recovery
Apply the recommendations and best practices to optimize the Oracle Enterprise Edition database for high availability and
disaster recovery.
Best practice | Description
Use Oracle Real Application Clusters (RAC). | RAC enables you to run a single Oracle Database across multiple servers. This maximizes availability and enables horizontal scalability, while accessing shared storage. If one node of the cluster fails, other nodes enable continued function of the database.
Use Oracle Data Guard. | Oracle Data Guard can replicate each database record and save them to a secondary database or cluster. If a catastrophic database or database server failure occurs, Data Guard minimizes data loss. See the Oracle Data Guard documentation for details on the Data Guard architecture and implementation: https://docs.oracle.com/en/database/oracle/oracle-database/19/sbydb/index.html
Use ARCHIVELOG mode for backups. | To use Data Guard, you must run the database in ARCHIVELOG mode. This setting enables the use of a flashback database. A flashback database allows for reverting the database to a moment in time before failure occurred. The flashback database feature can take a large amount of disk space. See the following Oracle resources for backup scenarios:
• Use flashback for RMAN backups. https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/rman-performing-flashback-dbpitr.html
• Use RMAN for hot and incremental backups. https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/index.html
Verify the failover, backup, and restore procedure. | Symantec recommends that you verify the failover, backup, and restore procedure at least once a year. Testing failover at this frequency ensures that you can resolve problems before failover issues occur.
Create and maintain a testing environment. | Create a testing environment that is a full copy of the production environment. You use this environment to test all major Enforce Server changes without impacting the production environment. The complete DR processes should be documented and tested quarterly at most, and yearly at a minimum. Make sure that each member of the team can perform the entire process.
Synchronize the Oracle wallet certificates. | Update the connection wallet and connection strings in the jdbc.properties and tnsnames.ora files as needed. Synchronizing ensures that communication between the primary and secondary nodes remains operational.
Architecture for Oracle 19c Enterprise Edition HA/DR
The following diagram provides an example of an Oracle 19c Enterprise Edition implementation that is optimized for HA/DR.
Figure 7: Oracle HA/DR Configuration
Configure Oracle 19c Standard Edition for High Availability and Disaster Recovery
Apply the recommendations listed in the following table to optimize the Oracle Standard Edition database for high
availability and disaster recovery.
Best practice | Description
Use Oracle Fail Safe (for Windows servers). | Oracle Fail Safe provides failover services. See Oracle documentation for feature and setup information: https://docs.oracle.com/cd/E27731_01/doc.41/e24699/intro.htm#OFSCN109
Use RMAN for backups. | You can use RMAN for hot and incremental backups. See the Oracle documentation for feature and setup information: https://docs.oracle.com/en/database/oracle/oracle-database/19/bradv/index.html
Verify the failover, backup, and restore procedure. | Symantec recommends that you verify the failover, backup, and restore procedure at least once per year. Testing failover at this frequency ensures that you can resolve problems before failover issues occur.
Create and maintain a testing environment. | Review the following recommendations before creating the testing environment:
• Create a testing environment that is a full copy of the production environment. You use this environment to test all major Enforce Server changes without impacting the production environment.
• Document the complete DR processes. Test quarterly at most and yearly at a minimum. Make sure that each member of the team can perform the entire process.
• If the Enforce Server is connected to a cloud service, ensure that the production environment UUID is different from the backup environment UUID. Using different IDs ensures that DLP Cloud points to the production environment. See Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery.
• Ensure that the Enforce Server in the test environment does not attempt to connect to the production detection servers. You can do this by changing the IP addresses or host names of the connected detection servers so that the test Enforce Server cannot reach the production detection servers.
Synchronize the Oracle wallet certificates. | Synchronize the Oracle wallet for use with the TLS wrapper for the JDBC connection. Synchronizing ensures that communication between the primary and secondary nodes remains operational.
Configure the Enforce Server for High Availability and Disaster Recovery
Apply the recommendations listed in the following table to optimize the Symantec Data Loss Prevention Enforce Server
for high availability and disaster recovery.
See the following best practices for configuring the Enforce Server for HA/DR:
• Prevent Database Corruption During Failover Events
• Use a DNS Alias for the Enforce Server
• Use an Active/Passive Strategy
• Use Server Virtualization for the Enforce Server
• Create a Password Update Plan
• Back up Licenses
• Back up Configuration Files
• Back up the Tomcat Certificates
• Back up the AD Integration
• Back up Plug-ins
• Back up Indexed Content
• Back up the Derby DB
• Back up LOB Externalization
• Test Failover and Validation
• Run the Update Readiness Tool
• Back up the CA Root Certificate
• Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery
During failover, you can switch the database connection from the primary Enforce Server to the secondary Enforce Server.
NOTE
Do not run Enforce Server instances simultaneously. Connecting both Enforce Server instances to the
database can corrupt the database.
Prevent database corruption by completing the following procedure:
1. Stop all DLP services on the primary Enforce Server.
NOTE
Set the startup type to Disabled to ensure that the services on the primary Enforce Server cannot start.
2. On the secondary Enforce Server, update the jdbc.properties file to point to the Oracle database previously used
by the primary Enforce Server.
3. Start all DLP services on the secondary Enforce Server.
NOTE
You can set the startup type to Automatic to start the services automatically if the Enforce Server is
rebooted.
Use a DNS alias for the Enforce Server name. Using an alias speeds recovery because you are not required to change
the Enforce Server DNS name. You only change the alias pointer.
When designing an HA configuration, the biggest problem is downtime. You can minimize downtime by having a warm
standby/passive server ready for action. If a disaster or a failover event occurs, a warm standby/passive server minimizes
the downtime.
You can clone the Enforce Server (with all services stopped and disabled) for use in the warm standby/passive instance.
Keep the services stopped and disabled until the server activates.
You can use virtual machines for primary and secondary instances of the Enforce Server with a full clone of the primary.
Whether you use dedicated or non-dedicated resources for the Enforce Server and detection server depends on several
factors. Consider the following items when choosing resource allocation:
• Number of CPUs
• Amount of dedicated RAM
• Resource reservations for CPU cycles and RAM
The virtualization overhead and guest operating system overhead can lead to a performance degradation in throughput
for large datasets compared to a system running on physical hardware. Use your own test results as a basis for sizing
deployments to virtual machines. For HA purposes, choose a server virtualization environment that is configured to
prevent over-subscription on host machines. Over-subscription is detrimental to DLP performance.
You can clone DLP using virtualization tools. DLP install files are synced hourly with rsync (or a similar application)
between the primary and secondary. You must clone the secondary Enforce Server when the primary DLP services are not
running.
Create a Password Update Plan
Set up a sync that matches the cadence of the password rotation. Create scheduled tasks that create the
EnforceReinstallationResources.zip file and all the Java keystore (*.jks) files in the JRE and Tomcat paths, and the
custom command and control certificates.
You can confirm the cryptographic key rotation by reviewing log entries. For example, the log
manager_operational_X.log may contain the following entries:
(MANAGER.2) The Manager is now running
26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days
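As an added example (not part of the Help Center content and not a Symantec tool), the following Python script parses operational log entries in the format quoted above, confirms that the MANAGER.806 and MANAGER.807 rotation messages were logged, and computes when the next rotation is due. The entry layout "timestamp [LEVEL] (CODE) message" is assumed from the quoted lines, and the sample entries in the script are constructed.

```python
"""Confirm keystore rotation from Enforce Server operational log entries.

Added example (not a Symantec utility). It assumes the entry layout seen in the
quoted log: "dd/Mon/yy:HH:MM:SS:mmm-zzzz [LEVEL] (CODE) message"; the sample
lines below are constructed, not taken from a real server."""
import re
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Za-z]{3}/\d{2}:\d{2}:\d{2}:\d{2}:\d{3}[+-]\d{4})\s+"
    r"\[(?P<level>[A-Z]+)\]\s+\((?P<code>[A-Z]+\.\d+)\)\s+(?P<msg>.*)$"
)
NEXT_ROTATION_RE = re.compile(r"Next rotation will occur in (\d+) days")

# Message codes quoted in the text for the rotation check and the two keystores.
CHECK_CODE = "MANAGER.805"
ROTATION_CODES = {"MANAGER.806": "system", "MANAGER.807": "external"}


def parse_entry(line):
    """Return (timestamp, level, code, message), or None for a non-entry line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    # %f accepts the 3-digit millisecond field; %z accepts the "-0400" offset.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%y:%H:%M:%S:%f%z")
    return ts, m.group("level"), m.group("code"), m.group("msg")


def check_key_rotation(lines):
    """Summarise rotation evidence from operational log lines.

    Result: {"check_seen": bool, "system": {...}, "external": {...}}; each keystore
    entry records when it was rotated and when the next rotation is due (rotation
    time plus the "Next rotation will occur in N days" value). A later rotation
    entry for the same keystore overwrites an earlier one."""
    result = {"check_seen": False}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, _level, code, msg = entry
        if code == CHECK_CODE:
            result["check_seen"] = True
        elif code in ROTATION_CODES:
            m = NEXT_ROTATION_RE.search(msg)
            days = int(m.group(1)) if m else None
            result[ROTATION_CODES[code]] = {
                "rotated_at": ts,
                "next_rotation": ts + timedelta(days=days) if days is not None else None,
            }
    return result


def rotation_overdue(summary, keystore, now):
    """True when no rotation was logged for the keystore, or its due date has passed."""
    info = summary.get(keystore)
    if info is None or info["next_rotation"] is None:
        return True
    return now > info["next_rotation"]


# Constructed sample entries (timestamps and codes follow the quoted format).
SAMPLE_LOG = [
    "26/Apr/21:16:05:14:200-0400 [INFO] (MANAGER.2) The Manager is now running",
    "26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation",
    "26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. "
    "Next rotation will occur in 30 days",
    "26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. "
    "Next rotation will occur in 30 days",
    "not a log entry at all",
]

if __name__ == "__main__":
    summary = check_key_rotation(SAMPLE_LOG)
    for name in ("system", "external"):
        info = summary[name]
        print(f"{name}: rotated {info['rotated_at'].isoformat()}, next due {info['next_rotation'].date()}")
```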
Consider the scenarios listed in the following table when managing DLP passwords:
If: You change the Endpoint and Network Discover communications password. A new .jks file is created (for example,
certificate_authority_v#.jks, where # signifies the number of times the password is changed).
Do: Sync the Endpoint and Network Discover communications password and all other keystore files at the following
location (depending on your platform):
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\vv.u\keystore\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/vv.u/keystore/
If: You update the database password (when you run the DBPasswordChanger.exe utility). The
DatabasePassword.properties file is updated.
Do: Sync the DatabasePassword.properties file that is located in the config folder based on the server and platform:
• Windows:
– Enforce Server: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\vv.u\Protect\config\
– Detection server: C:\Program Files\Symantec\DataLossPrevention\DetectionServer\vv.u\Protect\config\
• Linux:
– Enforce Server: /opt/Symantec/DataLossPrevention/EnforceServer/vv.u/Protect/config/
– Detection server: /opt/Symantec/DataLossPrevention/DetectionServer/vv.u/Protect/config/
If: Your organization uses an internal Certificate Authority.
Do: Sync the cacerts file from the ServerJRE, or reinstall the root CA certificate for your organization. The file is at one
of the following locations, depending on your platform and JRE type:
• Windows:
– OpenJRE: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\lib\<version>
– Symantec-provided: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\lib\security
• Linux:
– OpenJRE: /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security/
– Symantec-provided JRE: /opt/Symantec/DataLossPrevention/ServerJRE/<version>/lib/security/
Back up Licenses
Back up each of the license files (*.slf). The file is at one of the following locations, depending on your platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\license\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/license/
Back up all configuration files to the secondary server to ensure that any edits are also active. Configuration files include
settings for OCR servers, DB connections, and all other Enforce Server-specific configurations that may have been
adjusted in your environment.
Configuration files are at one of the following locations, depending on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\config\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/config/
Back up the Tomcat certificate. The certificate is located at one of the following locations, depending on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\Tomcat\conf\server.xml
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/Tomcat/conf/server.xml
If you do not back up the files, you can reinstall the Tomcat certificate for the Enforce Server. The following table lists the
file locations.
Table 240: Tomcat certificate locations on the Enforce Server
Back up the AD files (used for AD Realms and AD login to the Enforce Server) at the following locations, depending on
your platform:
• Windows:
– C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\Tomcat\webapps\ProtectManager\WEB-INF\SpringSecurityContext.xml
– C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\config\krb5.ini
• Linux:
– /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/Tomcat/webapps/ProtectManager/WEB-INF/SpringSecurityContext.xml
– /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/config/krb5.conf
Back up Plug-ins
Back up any plug-ins that have been updated or added since the installation.
NOTE
Also back up LDAP Lookup plug-ins and scripts wherever the scripts are located.
Back up all the files at the following locations, depending on your platform:
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\plugins\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Protect/plugins/
Back up or re-index all indexed content (*.rdx). This content is at one of the following locations, depending on your
platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<DLP Version>\index\
• Linux: /var/Symantec/DataLossPrevention/ServerPlatformCommon/<DLP Version>/index/
Derby databases save incremental scan data that is generated after Discover scanning. Back up these databases to
prevent duplicate incidents from being logged in the event that the database is corrupted.
Shut down the Symantec DLP Manager service before backing up the Derby databases.
NOTE
If you do not shut down the service, you risk corrupting the database, which renders it useless.
The database is at one of the following locations, depending on your platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\scan\catalog\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/scan/catalog
If you use LOB externalization, consider backing it up. Ensure that both primary and secondary write to the same external
storage. If writing to the same external storage is not possible, disable LOB externalization.
NOTE
If you disable LOB externalization, the Oracle database is used for storage.
Keep in mind that this process is time-consuming and difficult, especially if your environment has a large data
set. Symantec recommends that you implement an incremental backup strategy to cut down on overhead. Consider
using RAID 5, 6, or 10 to store the backup.
Several strategies exist for keeping a secondary LOB externalization backup. For example, use a high availability NAS
with built-in redundancy, run a scheduled rsync, maintain a Windows file system HA, use block-level mirrored storage
replication, and so on.
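As an added example (not Symantec code and not part of the Help Center content), the following Python script turns the Enforce Server backup locations listed above into a manifest for either platform and refuses to copy the Derby scan catalog while the Symantec DLP Manager service is running, which is the corruption risk the note above describes. The version value 16.0 and the destination directory are sample assumptions.

```python
"""Build the Enforce Server backup manifest listed above and plan a safe copy.

Added example, not a Symantec utility. The paths are those given in the text
with <DLP Version> substituted (the "16.0" used below is a sample value); the
Derby scan catalog is flagged so it is never copied while the Symantec DLP
Manager service is running."""
import shutil
from pathlib import Path, PurePosixPath, PureWindowsPath

# Program and data roots from the text, plus the platform-specific Kerberos file name.
ROOTS = {
    "windows": {"prog": r"C:\Program Files\Symantec\DataLossPrevention",
                "data": r"C:\ProgramData\Symantec\DataLossPrevention",
                "krb5": "krb5.ini"},
    "linux": {"prog": "/opt/Symantec/DataLossPrevention",
              "data": "/var/Symantec/DataLossPrevention",
              "krb5": "krb5.conf"},
}


def enforce_backup_manifest(platform, version):
    """Return the backup items as dicts: item, path, requires_manager_stopped."""
    r = ROOTS[platform]
    P = PureWindowsPath if platform == "windows" else PurePosixPath
    prog = P(r["prog"]) / "EnforceServer" / version / "Protect"
    data = P(r["data"]) / "EnforceServer" / version
    common = P(r["data"]) / "ServerPlatformCommon" / version
    # The Derby catalog sits under Protect\scan on Windows but directly under
    # the version directory on Linux, as listed in the text.
    derby = data / "Protect" / "scan" / "catalog" if platform == "windows" else data / "scan" / "catalog"
    entries = [
        ("keystore (*.jks)", data / "keystore", False),
        ("licenses (*.slf)", data / "Protect" / "license", False),
        ("configuration", prog / "config", False),
        ("Tomcat certificate (server.xml)", prog / "Tomcat" / "conf" / "server.xml", False),
        ("AD realm config", prog / "Tomcat" / "webapps" / "ProtectManager" / "WEB-INF" / "SpringSecurityContext.xml", False),
        ("Kerberos config", prog / "config" / r["krb5"], False),
        ("plug-ins", prog / "plugins", False),
        ("indexed content (*.rdx)", common / "index", False),
        ("Derby scan catalog", derby, True),
    ]
    return [{"item": i, "path": p, "requires_manager_stopped": s} for i, p, s in entries]


def plan_backup(manifest, manager_running):
    """Map each path to "copy" or a SKIP reason, given the Manager service state."""
    plan = {}
    for m in manifest:
        if m["requires_manager_stopped"] and manager_running:
            plan[str(m["path"])] = "SKIP: stop the Symantec DLP Manager service first"
        else:
            plan[str(m["path"])] = "copy"
    return plan


def run_backup(manifest, dest, manager_running):
    """Copy permitted, existing items into dest; return (copied, skipped, missing)."""
    plan = plan_backup(manifest, manager_running)
    copied, skipped, missing = [], [], []
    for n, m in enumerate(manifest):
        src = Path(str(m["path"]))
        if plan[str(m["path"])] != "copy":
            skipped.append(str(src))
            continue
        if not src.exists():
            missing.append(str(src))
            continue
        # Prefix with the manifest position so two items with the same base name cannot collide.
        target = Path(dest) / f"{n:02d}_{src.name}"
        target.parent.mkdir(parents=True, exist_ok=True)
        if src.is_dir():
            shutil.copytree(src, target, dirs_exist_ok=True)
        else:
            shutil.copy2(src, target)
        copied.append(str(src))
    return copied, skipped, missing


if __name__ == "__main__":
    manifest = enforce_backup_manifest("linux", "16.0")
    for path, action in plan_backup(manifest, manager_running=True).items():
        print(f"{action:50s} {path}")
```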
Document the entire failover process and ensure that it can be followed by any member of your infrastructure team.
Complete the items listed in the following table when testing failover and validation.
Table 241: Failover and validation checklist
Action: Change the JDBC.properties file to point to the new Enforce Server DB.
Details: Point to the new Enforce Server, which means adjusting the host, port, and service_name to point to the new
database instance.
Note: You also adjust the host, port, and service_name values on the server.
Note: For Windows, update the registry key: HKEY_LOCAL_MACHINE > Software > Symantec > Data Loss Prevention >
Enforce Server > vv.u > Installation.
Note: For Linux, update values at /etc/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/Installation/
Action: Disable DLP services on the primary server. Errors occur if services start up during the failover test.
Details: Prior to performing the failover test, note the oldest and newest incidents. After failover, confirm that the oldest
and newest incidents are present.
Action: Disable LOB externalization in the Protect.properties file to test new incidents coming in.
Details: Confirm that you can see all tabs and that no data is garbled. Also confirm that the highlighted data is present.
Once you have validated the incident highlights, you can trigger the LOB Migration, which moves the incident LOB details
to the External Storage location.
During the upgrade preparation period, you can run the Update Readiness Tool (URT) to analyze data and table structure
in the database. The process lists the potential database issues that you must address before migrating.
The URT identifies data that is no longer compatible with the new schema. Analyzing data helps identify potential
problems before the migration process is started. If you find problems with the database, you can fix them while keeping
the previous version of the Enforce Server up and running.
Issues that are related to LOB data (for example, scan failures or deprecated features that remain in LOB data)
cause the migration to fail. While the migration runs, the Enforce Server is not up and running.
Related Links
Checking the database update readiness on page 354
If your company uses an internal Certificate Authority (for example, you use your own CA server and your own
certificates), Symantec recommends that you back up the CA root certificate as part of your disaster recovery plan.
Complete the following steps to back up the CA root certificate:
1. Open a command prompt.
2. Change the directory to where the CA root certificate file is located.
3. Run the following command to export the certificate in .crt format:
keytool -exportcert -keystore CARoot.jks -alias [exampledomain].com -file CA.crt
4. Import the .crt file into the cacerts file by completing the following steps:
a. Run one of the following commands based on your server platform:
– Windows:
cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
keytool -importcert -alias [exampledomain].com -keystore cacerts -file \path\to\CA.crt
– Linux:
cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/
keytool -importcert -alias [exampledomain].com -keystore cacerts -file /path/to/CA.crt
b. Enter the cacerts password: changeit.
5. Locate the Intermediate.crt file, root CA, and SSL cert files.
6. Import the certificates into the cacerts file by completing the following steps:
a. Run one of the following commands based on your server platform:
– Windows:
keytool -importcert -alias SSL -keystore cacerts -file \path\to\SSL.crt
– Linux:
keytool -importcert -alias SSL -keystore cacerts -file /path/to/SSL.crt
b. Enter the password for cacerts: changeit.
7. Restart the SymantecDLPManagerService.
Configure the Symantec Data Loss Prevention Cloud Service for Disaster Recovery
The following table lists recommendations for configuring the Symantec Data Loss Prevention cloud service for high
availability and disaster recovery.
Table 242: Best practices for configuring Symantec Data Loss Prevention cloud service
Recommendation: Clone the Enforce Server.
More information: See Use Server Virtualization for the Enforce Server.
Recommendation: Record the Enforce Server UUID (also identified as the EnforceID and UUID).
More information: The UUID is the randomly generated GUID. You restore the UUID from the previous system to restore a
new system. If the UUID does not match, then you must re-enroll each of the CDS bundles that you have. See article
258252 for additional information.
Recommendation: Synchronize and back up the cryptography certificates in enforce_keystore.jks.
More information: The file is located at one of the following locations, depending on your platform:
• Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\keystore\
• Linux: /var/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/keystore/
This file contains one or more cloud certificates for communication with one or more Cloud Detection Services (CDS). If
you do not have the .jks file, then you can obtain another enrollment bundle from the Cloud Management Portal (CMP).
Use the bundle to connect back up to the CDS. If you have more than one CDS, they are all reconnected after you apply
the first bundle.
• Configure Detection Servers
• Use Server Virtualization for Detection Servers
• Configure Network Prevent for Email
• Configure Detection Servers
• Use Server Virtualization for Detection Servers
Backing up Network Discover servers is not necessary. Reinstall the servers using the same DNS alias/name as the
previous server to re-use the Derby DB (used for scan tracking). Upon reinstallation, the Enforce Server pushes the Derby
DB to new servers.
As a best practice, configure the server virtualization to prevent over-subscription. If over-subscription occurs on host
machines, DLP performance is degraded.
Whether you use dedicated or non-dedicated resources for the detection servers depends on several factors. Consider
the following items when choosing resource allocation:
• Number of CPUs
• Amount of dedicated RAM
• Resource reservations for CPU cycles and RAM
The following table lists recommendations and best practices for configuring a virtualized detection server environment:
Table 243: Recommendations for configuring server virtualization for detection servers
Recommendation: Clone virtual machines with DLP up and running.
More information: Use the virtualization tools that are provided by your virtualization hosting solution.
Recommendation: Clone the secondary detection server when the primary DLP services are not running.
More information: To restore detection servers, you are not required to use a cloned version. You can install fresh
detection servers without losing data.
Recommendation: Use active and passive groups.
More information: The number of groups depends on the organizational priority. The priority is based on how many
passive servers the environment requires.
The following table lists recommendations for configuring Network Prevent for Email for high availability and
disaster recovery.
Table 244: Recommendations for configuring Network Prevent for Email
Recommendation: Use DNS MX records for the mail flow.
More information: Mail flow high availability should be configured with DNS MX records. If the detection servers are
down, this setting ensures that mail is delivered by going to the next hop in the MX record.
Recommendation: Use a load balancer.
More information: In email flow, a load balancer can be configured with a many-to-many configuration. The number of
upstream MTA connections, detection server connections, and downstream MTA connections must be the same in each
location. If they do not match, mail queuing or performance issues may occur. The load balancer can be inline between
the upstream MTA and the detection servers. You can also use load balancers between the detection servers and
downstream MTAs.
Recommendation: Run Network Prevent for Email in the cloud.
More information: Running Network Prevent for Email in the cloud can provide a more reliable platform. The cloud can
also provide an improved email flow for Network Prevent for Email monitoring. Use the DLP Cloud Detection Service.
Recommendation: Validate the TLS certificates.
More information: Rotate the certificates at least once per year, if not more often. TLS issues are a common problem
with the email flow.
Recommendation: Deploy for spike traffic.
More information: Calculate the mail flow at 1.2x the normal flow so that spikes can be absorbed in the current
deployment.
Recommendation: Account for Symantec Mail Gateway files and synchronizations.
More information: Confirm the files that are in use for quarantine. If you have a non-CA issued certificate, then you sync
the Protect\plugins\EmailQuarantineConnect\keystore.jks file to all Network Prevent for Email servers.
Figure 8: Network Prevent for Email with a load balancer
In the web flow, there can be a many-to-many configuration between the proxy and the detection server. See Architecture
for Network Prevent for Web with a Load Balancer.
The load balancer can be configured to distribute the outbound HTTP requests to the configured proxy and detection server.
Figure 9: Network Prevent for Web with a load balancer
The following table lists recommendations for configuring Endpoint Servers for high availability and disaster recovery.
Recommendation: Use DNS aliases for each endpoint server.
More information: You can easily build a new Endpoint Server by using the same DNS alias. The process to recreate all
the packages with new DNS names takes much longer.
Recommendation: Use a load balancer.
More information: Endpoint servers can be placed behind a load balancer for agent communication. The load balancer
apportions communication between DLP Agents and endpoint servers equally. In general, apply the following capabilities
and settings to ensure that load balancers work best with Symantec Data Loss Prevention:
• 1 Gbps throughput
• Source IP persistence. Set the persistence time to be greater than the agent polling period.
• 24-hour SSL session timeout period
See Architecture for Endpoint Servers with a Load Balancer.
Recommendation: Use DNS aliases for each endpoint server.
More information: New agent packages are generated with the load balancer DNS name in the Endpoint Server Host
field. The agents contact the load balancer, which passes the connection request to the Endpoint Server to perform the
SSL handshake for the agent. Once connected, the load balancer continues the normal communication protocol.
Recommendation: Back up the Endpoint Server certificates.
More information: The certificates are at C:\Program Files\Symantec\DataLossPrevention\DetectionServer\<DLP
version>\Protect\keystore.
Recommendation: Deploy an Endpoint Server in the DMZ.
More information: For organizations that need agent awareness without the need for users to log in through a VPN,
deploy an Endpoint Server in the DMZ. This configuration allows agents to check in when they are connected to the
Internet. See Architecture for Endpoint Servers in the DMZ.
Figure 10: Endpoint Load Balancer setup
Figure 11: Endpoint Servers in the DMZ Setup
Configure Network Discover Clusters for High Availability and Disaster Recovery
Prepare your Network Discover clusters for disaster recovery scenarios and for high availability by backing up the data
node after the initial installation and performing a periodic backup of the data node.
Use the initial backup to define the detector ID. You use the detector ID to connect a new Network Discover Cluster.
Create a Backup of the Data Node After Installation
Create a backup of the data node after installation to ensure transient information is available in the event you must install
a new Network Discover Cluster.
Target the following locations for backup, based on the platform:
Platform Location
Create a periodic backup of the following storage locations on the data node. You use this backup in case you must
recover a cluster.
Target the following locations for backup, based on the platform:
Platform: Windows
Location:
• C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\IgniteStorage
• C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\IgniteWork
Platform: Linux
Location:
• /var/data/Symantec/DataLossPrevention/DetectionServer/IgniteStorage
• /var/data/Symantec/DataLossPrevention/DetectionServer/IgniteWork
If a data node is irrecoverable or has been hit by a disaster, it is considered a catastrophic failure for any on-going scans.
In this case, the scan information that is maintained in the local database is not accessible and the cluster health displays
as Critical on the Discover Cluster Details screen.
If the server goes down, complete the following reinstallation steps:
1. Install a new Network Discover cluster. Ensure that the cluster uses the following configurations:
– The same IP/Network and hardware configuration that was used for the previous cluster.
– The authentication package located on the Enforce Server.
See Network Discover Clusters.
2. Reinstate the default storage directory by completing the following steps:
a. Stop the Symantec DLP Enforce Connector Service and Symantec DLP Detector Server Service on the data node.
See Stopping a Detection Server on Windows or Stopping a Detection Server on Linux.
b. Overwrite the default storage directory with the data node backup.
See "Backup the Data Node" above.
c. Start the Symantec DLP Enforce Connector Service and the Symantec DLP Detector Server Service on the data
node.
See Starting a Detection Server on Windows or Starting a Detection Server on Linux
3. Replace the detector ID in the new cluster with the previous one. Use the detector ID from the backup that you created
in "Create a Backup of the Data Node After Installation."
4. Review the Network Discover cluster on the System > Servers and Detectors > Overview screen. If scans are
running, stop then restart them.
NOTE
Statistical inaccuracies may exist between the previously running scans and the scans that were started after
the recovery. Symantec recommends that the DLP Administrator starts fresh scans on the newly installed
Network Discover cluster.
Configure Information Centric Analytics for High Availability and Disaster Recovery
The following table lists architecture details and recommendations for configuring Information Centric Analytics (ICA) to
optimize for high availability and disaster recovery.
Table 248: List of architecture details and best practices for configuring ICA
ICA is typically deployed in a two- or three-server environment. The main components of a deployment include a
Web Server (Microsoft IIS), Database Server (SQL Enterprise), and an Analysis Server (SQL Analysis Services).
Because ICA is implemented with industry standard technologies, setting up HA/DR is straightforward.
Figure 12: Endpoint Load Balancer Setup
On the web server component, an IIS website hosts two applications, all built into a single directory folder. Two
approaches can be taken for resiliency on the web tier: simple load balancing or a Windows Failover Cluster (WFC). See
the following table for more details.
Approach: Load balancing
Details: Load balancing ensures cut-over if there is a failure, but users may lose session data. However, losing session
data is generally acceptable in ICA. If you deploy load balancing, replicate the file system and IIS configuration to an
extra server and configure the Network Load Balancing (NLB) feature. You can find documentation at the following
location: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831698(v=ws.11)
Approach: WFC
Details: Follow the standard documentation that is provided by Microsoft. The application files are shared between the
failover cluster servers. See the following information on configuring failover clusters and IIS:
• Failover Cluster Deployment Guide: https://docs.microsoft.com/en-us/windows-server/failover-clustering/create-failover-cluster
• Configuring IIS in a Windows Server failover cluster: https://docs.microsoft.com/en-us/troubleshoot/iis/configure-w3svc-wsfc
Configuring the ICA Database for High Availability (tier 2)
The database tier has two main components: the SQL Data Warehouse and the ICA Database Utilities. There may also
be other data warehouses present if you are using API-based integrations like CloudSOC, EDR, Email Security.Cloud, or
Vulnerability Scanners. For those cases, configure HA/DR, and at minimum create standard database backups.
For the main Data Warehouse, you can use SQL Server Always On Availability Groups. The configuration is built on top of
the WFC configuration that is mentioned in the Web Server section.
See the documentation at https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/getting-
started-with-always-on-availability-groups-sql-server?view=sql-server-ver15.
Deploy the database utilities to a clustered file server. This configuration provides access to the integration binaries
if SQL fails over.
See the documentation at https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-two-node-clustered-
file-server.
For the MS SQL Analysis Services (MSSAS) component, you synchronize a single 'cube' with the ICA data warehouse. The
MSSAS component may be combined with the SQL Server, or it may be a standalone server for scalability.
Managing the synchronization can be done in a few different ways depending on your objective. Either an NLB can be
used to manage the failover of redundant MSSAS instances or WSFC can be used, or both. With ICA, there is only a
single server of MSSAS used.
See the Microsoft documentation at https://docs.microsoft.com/en-us/analysis-services/instances/high-availability-and-
scalability-in-analysis-services?view=asallproducts-allversions.
ICA is fully dependent on external integrations. If those controls or applications go down, ICA is no longer up to date. With
many of the database-to-database integrations, you can place a network load balancer (NLB) between integrations if HA/
DR is configured correctly.
Alternatively, you can configure ICA to integrate with both instances of another application. If ICA goes down, you can
manually turn off the old integration and turn on the new integration. Usually ICA back loads data from another data
source after it comes back up. ICA back loads data because it tracks a watermark on each integration. As long as the
data source is not purged, ICA catches up automatically, though there may be a one-time spike in the length of processing
time.
The following diagram provides an example of an ICA high availability and disaster recovery implementation that is
optimized for HA/DR.
Figure 13: ICA high availability and disaster recovery
Managing the Enforce Server
Use the Enforce Server administration console.
Managing Enforce Server services and settings
Managing roles and users
Connecting to group directories
Credential Store
Managing System Events and Messages
Managing the Symantec Data Loss Prevention database
Adding a new product module
Applying a server Maintenance Pack
Service Name: Symantec DLP Manager
Description: Provides the centralized reporting and management services for Symantec Data Loss Prevention.
Service Name: Symantec DLP Detection Server Controller
Description: Controls the detection servers.
Service Name: Symantec DLP Notifier
Description: Manages communications between other DLP services and prevents transactional conflicts between the
services and the database.
Service Name: Symantec DLP Incident Persister
Description: Writes the incidents to the database.
Service Name: Symantec DLP Enforce Connector
Description: This service is hosted and runs on the data node of a Network Discover Cluster. The data node
communicates with the Monitor Controller through the Enforce Connector Service. See Network Discover Cluster.
Service Name: Symantec DLP Detection Server
Description: This service is hosted and runs on the data node and worker nodes of a Network Discover Cluster. The data
node communicates with worker nodes through the Detector Connector Service. This service also helps with the entire
scanning activity. When this service is hosted on the data node, you must ensure that it is never shut down abruptly by
aborting its process.
1. On the computer that hosts the Enforce Server, navigate to Start > All Programs > Administrative Tools > Services
to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService
NOTE
Start the SymantecDLPNotifierService service first before starting other services.
Related Links
Stopping an Enforce Server on Windows on page 459
Related Links
Starting an Enforce Server on Windows on page 459
Starting Services on Single-tier Windows Installations
Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Windows.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, navigate to Start > All Programs
> Administrative Tools > Services to open the Windows Services menu.
2. Start the Symantec Data Loss Prevention services in the following order:
• SymantecDLPNotifierService
• SymantecDLPManagerService
• SymantecDLPIncidentPersisterService
• SymantecDLPDetectionServerControllerService
• SymantecDLPDetectionServerService
NOTE
Start the SymantecDLPNotifierService service before starting other services.
Related Links
Stopping Services on Single-tier Windows Installations on page 461
Related Links
Starting Services on Single-tier Windows Installations on page 460
Starting an Enforce Server on Linux
Use the following procedure to start the Symantec Data Loss Prevention services on a Linux Enforce Server.
1. On the computer that hosts the Enforce Server, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start
3. Start the remaining Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start
Related Links
Stopping an Enforce Server on Linux on page 462
Related Links
Starting an Enforce Server on Linux on page 461
Related Links
Stopping a Detection Server on Linux on page 462
Related Links
Starting a Detection Server on Linux on page 462
Starting services on single-tier Linux installations
Use the following procedure to start the Symantec Data Loss Prevention services on a single-tier installation on Linux.
1. On the computer that hosts the Symantec Data Loss Prevention server applications, log on as root.
2. Start the Symantec DLP Notifier service by running the following command:
service SymantecDLPNotifierService start
3. Start the remaining Symantec Data Loss Prevention services by running the following commands:
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPDetectionServerControllerService start
service SymantecDLPDetectionServerService start
Related Links
Stopping Services on Single-tier Linux Installations on page 463
Related Links
Starting services on single-tier Linux installations on page 463
Setting: Configure Reports and Alerts & SMTP settings.
More information: Configuring the Enforce Server to send email alerts
Setting: Identify the SMTP Server to use for sending out alerts and reports.
More information: Configuring the Enforce Server to send email alerts
Setting: Install a new License file.
More information: Installing a new license file
Setting: View Process Control status.
More information: Enabling Advanced Process Control
Setting: Configure the Agent Connection Status.
More information: Configuring the agent connection status
Table 252: Traffic report screen columns
Column Description
Server The name of the server that is associated with the statistics.
For Network Monitor Servers and Network Prevent Servers, click the server name to see a Traffic
Detail screen that shows traffic by protocol.
Cumulative Statistics A breakdown of data statistics for the selected time period. Data fields vary depending on detection
server type. The possible fields are:
• Data—The quantity of data that is processed during the selected time period.
• Files—The number of files that a Discover Server scanned.
• Messages—The number of message components (email message components, Web post
components, and so on) that were processed.
• Incidents—The number of incidents Symantec Data Loss Prevention has captured.
• Encrypted Attachments—The number of encrypted attachments. Symantec Data Loss
Prevention cannot analyze encrypted attachments.
• Unprocessable Files or Unprocessable Components—An item is reported as Unprocessable
if the file cannot be opened for unknown reasons. Files that do not contain text or that cannot
be opened for a known reason (such as graphics or password-protected files) are not labeled
Unprocessable.
The following events can cause Unprocessable files and components:
– A corrupted network stream
– A long timeout or short timeout occurs when Symantec Data Loss Prevention waits to receive
extracted content (ContentExtraction.LongTimeout or ContentExtraction.ShortTimeout)
– An extraction size that is larger than the limit that is specified in FileReader.MaxFileSize
– A file that is larger than the size limit that is set in ContentExtraction.MaxContentSize (30MB
default).
Note: “Components” include the individual items that comprise an archive, or compressed file.
• Discarded Packets—The number of packets Symantec Data Loss Prevention copied (for
analysis) but then discarded before they were analyzed.
Messages or Files/Incidents Over Time A graph representing the data processed. Graphs show the following types of information:
• Messages—The number of messages (files, email message components, Web post components, and so on) that were processed.
• Incidents—The number of incidents Symantec Data Loss Prevention has captured.
• Data—The amount of data processed (in gigabytes).
• Discards—The number of packets Symantec Data Loss Prevention copied (for analysis) but then discarded before they were analyzed.
copies. Symantec Data Loss Prevention is sometimes forced to discard packet copies before it can analyze them. For
example, packets may be discarded when there is a large spike in traffic.
If you see a spike in discarded packets, go to the View drop-down list (near top right). Then select the shortest time period
in which the spike is still visible. For example, if a spike in discarded packets occurred today, set the View time period to
Today.
If a spike in discarded packets corresponds with a spike in protocol traffic, it may indicate that the server cannot process
all of the traffic at once. Try to use IP filters to filter out some of the traffic over the relevant protocol(s). To set up IP filters,
select System > Servers > Protocols and view the associated online Help. You can also use a traffic sniffer to capture
and analyze traffic to determine what to filter out.
Symantec Data Loss Prevention may also discard packets when there is not enough memory in the system to store them
until they can be reconstructed. Such discards may result from bad network conditions or malfunctioning servers that
leave many connections open over a period of time.
Traffic screen (Traffic report)
Protocols screen
The Protocols screen displays the list of protocols that you can monitor with Symantec Data Loss Prevention. Each
protocol lists the following information:
Column Description
Click anywhere in a protocol’s row to view or edit its settings. Add, edit, or delete a protocol using the controls:
Control Action
Click this icon next to a protocol to delete that protocol from the Symantec Data Loss Prevention system. A dialog box confirms the deletion.
Configure a protocol
Configure Server - Edit Protocol Filtering
Configure a protocol
Use this screen to configure a new protocol or to modify the options for a system-configured protocol. Symantec Data
Loss Prevention handles protocols differently, depending on whether they are system-configured (preconfigured in
the Symantec Data Loss Prevention system) or user-configured. Symantec Data Loss Prevention recognizes system-
configured protocols (such as SMTP and HTTP) based on protocol signature. It recognizes user-configured TCP protocols
(such as Telnet) based on the port over which the traffic travels.
Many application protocols are supported under both IPv4 and IPv6 including:
• SMTP
• HTTP
• FTP
• Telnet
• VLAN
• Custom
The following protocols are supported under IPv4, but not supported under IPv6:
• NNTP
• GRE
• IM:MSN
• IM:Yahoo
• IM:AOL
Entering IPv6 addresses in fully-normalized formats is a best practice when you specify an IPv6 address in the Symantec
Data Loss Prevention user interface, unless otherwise noted. In a fully-normalized IPv6 address, leading zeros are
trimmed and sequences of zeros are compressed with colons. When you enter a normalized address, it is generally
displayed in that format.
The preferred input format for IPv6 addresses is either fully compressed or trimmed, in most cases. The following
examples are accepted as input for IPv6 addresses in Symantec Data Loss Prevention, depending on the usage:
• Long - 128 bits commonly portrayed as eight 4-digit hexadecimal fields, for example:
1000:0200:0003:0000:0000:0000:0000:abcd
• Fully compressed (also called "double colon") - internal zero fields are replaced with a double colon, for example:
1000:200:3::abcd
• Trimmed - leading zeros are removed, for example:
1000:200:3:0:0:0:0:abcd
When IPv6 addresses appear in URLs or email addresses, the addresses are presented as the HTTP client (usually a
web browser) transmits them. An IPv6 address appearing in a URL is not a common case, as URLs and email addresses
usually use hostnames rather than explicit IP addresses. This behavior is also true for IPv4 addresses.
You can enter a mixture of IPv4 and IPv6 addresses separated by semicolons on the Configure Protocol screen.
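The following is an added example (not Symantec's code) that produces the three IPv6 notations listed above from any valid input, parses the semicolon-separated mixed IPv4/IPv6 list the Configure Protocol screen accepts, and applies the CIDR bitmask rule given under the IP field (a mask the size of the address means an exact-address match). It uses only the Python standard library; the function names are this example's own.

```python
"""Normalize IPv6 entries the way the Configure Protocol screen describes.

Added example, not Symantec's code. It assumes only the three notations the
page lists (long, fully compressed, trimmed) and the semicolon-separated
mixed IPv4/IPv6 list; the function names are this example's own.
"""
import ipaddress


def ipv6_forms(text):
    """Return the long, fully compressed, and trimmed notations of one IPv6 address."""
    addr = ipaddress.IPv6Address(text)
    long_form = addr.exploded                      # eight 4-digit hexadecimal fields
    trimmed = ":".join(field.lstrip("0") or "0"    # leading zeros removed, no "::"
                       for field in long_form.split(":"))
    return {"long": long_form, "compressed": addr.compressed, "trimmed": trimmed}


def parse_address_list(field_value):
    """Parse a semicolon-separated mixture of IPv4 and IPv6 addresses.

    Returns a list of (version, normalized text) tuples; a malformed token raises
    ValueError so a bad entry is caught before it is saved.
    """
    entries = []
    for token in field_value.split(";"):
        token = token.strip()
        if not token:
            continue
        addr = ipaddress.ip_address(token)
        entries.append((addr.version, addr.compressed))
    return entries


def cidr_is_exact_host(cidr):
    """True when the bitmask equals the address size (32 for IPv4, 128 for IPv6),
    which the IP filter field treats as an exact-address match."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == net.max_prefixlen


if __name__ == "__main__":
    # Constructed sample input: the address the page uses for its three notations.
    print(ipv6_forms("1000:0200:0003:0000:0000:0000:0000:abcd"))
    print(parse_address_list("10.1.2.3; 1000:200:3::abcd"))
    print(cidr_is_exact_host("10.1.2.3/32"), cidr_is_exact_host("1000:200:3::/48"))
```

Feeding the long, compressed, or trimmed form of the same address into `ipv6_forms` yields identical output, which is the property that makes the normalized form safe to store and compare.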
Click the right arrow to view the options for each section. Enter or modify information about the protocol in the available
fields.
Field Description
Name Enter or modify the protocol name. You can use up to 256 characters. The
protocol name appears in a number of places in the system, so be sure to
provide a user-friendly name.
This value is required.
Ports This field appears only for user-configured TCP protocols. Enter one or
more port numbers that are associated with the protocol. Separate port
numbers with commas or hyphens. For example: 18, 23, 25-29, 82. If you
configure a Telnet protocol, enter 23 as the port number.
Low Ports Monitored This field appears only for system-configured protocols, such as HTTP and
SMTP. Enter port numbers lower than 1024 that you want Symantec Data
Loss Prevention to monitor. Cumulatively, ports you specify for any protocols
serve as a positive filter. The ports tell Symantec Data Loss Prevention
to monitor traffic of all protocol types on each of the specified ports. For
example, if you specify port 25 for the SMTP entry, that port is monitored
for traffic of all listed protocol types. Note that ports lower than 1024 are not
monitored if you do not specify them for at least one protocol. By default,
Symantec Data Loss Prevention monitors traffic on ports equal to or greater
than 1024.
IP Enter any IP-based filters you want to use. If you leave this field blank,
Symantec Data Loss Prevention matches and stores all streams. You can
enter a mixture of IPv4 and IPv6 addresses separated by semicolons on the
Configure Protocol screen.
When configuring protocol filters with IPv6 addresses, note that:
• Filters are specified with CIDR (classless inter-domain routing) blocks.
Subnet bitmasks the size of the address indicate that the entry must
match the exact network address. The bitmask limit is 32 bits for IPv4
addresses and 128 bits for IPv6 addresses.
• IPv4 and IPv6 filters are completely independent.
• All valid formats are supported.
• As with IPv4 filters, IPv6 filters can be overridden per detection server.
• Limit of the protocol IP filter list in the user interface is 2800 bytes.
The format of the IP protocol filters (found in the protocol definitions and
protocol filter definitions) is:
Filtering (may override at server level) The Filtering fields enable you to specify details about the traffic you want to
ignore to reduce the load and improve system performance. This section is
also included in the Protocol Filter menu for individual Servers.
IP Filter Filters out unwanted traffic in the protocol; uses the same IP Protocol Filter
format as for IP.
L7 Sender Filter Specify any of the following items to evaluate:
• The sender email (for SMTP/MSN IM)
• IP addresses (for UTCP)
• Proxy-authenticated user names (for proxied HTTP/FTP)
• User names (for AIM/Yahoo IM)
When configuring L7 filters with IPv6 addresses, note that:
• Filters are specified with wildcards
• Only long-format IPv6 addresses are acceptable; do not use normalized
(fully compressed or trimmed) IPv6 addresses. For example, the
following IPv6 address is valid:
fdda:*:*:*:*:*:*:*
Only long-format IPv4 and IPv6 addresses are valid.
For IPv4, four fields separated by dots is a long format valid address; for
example:
1.2.*.*
For IPv6, eight fields separated by colons is a long-format valid address; for
example:
1:2:3:4:*:*:*:*
For both IPv4 and IPv6, filters are specified with wildcards and filtering only
applies to custom protocols.
See the L7 Recipient Filter description for more information about the
format of filter entries.
L7 Recipient Filter Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP),
user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated.
When using IPv6 addresses with Sender/Recipient rules, note that:
• Filters are specified with wildcards.
• Only long-format IPv6 addresses are acceptable, do not use normalized
addresses.
• Inline and reusable patterns are supported.
You can use filters to include (inspect) or exclude (ignore) messages from
specific senders or to specific recipients. You must precede each entry with
a plus sign (+) or minus sign (-) to include or exclude matching results. For
example:
• Any email address mask that starts with a plus sign (+) keeps matching
messages for inspection. If you add the sender filter +*@abc.com,
all messages that are sent from anyone in the abc.com domain are
inspected.
• Any email address mask that starts with a minus sign (-) excludes
matching messages from inspection. If you add the recipient filter
-*@xyz.com, all messages that are sent to anyone in the xyz.com
domain are not inspected.
If you add an asterisk (*) to the end of the filter expression, any message not
explicitly matching any of the filter masks is ignored. For example, if you add
the sender filter +*@abc.com,*, all messages from anyone in the abc.com
domain are inspected, but all other messages are ignored.
You can also include asterisk wildcards elsewhere in the address strings.
The specific filter syntax depends on the protocol. For example, for email
addresses you can use wildcards anywhere in the filter string as follows:
• +*@symantec.com inspects all email to/from symantec.com.
• +*.symantec.com inspects all email to/from any subdomains of
symantec.com.
• -*symantec.com excludes all email to/from any email address ending in
symantec.com.
• -phil@fakedomain.com excludes all email to/from
phil@fakedomain.com.
The order in which filters are evaluated is from left to right. For example, if
you add the recipient filter
-ceo@xyz.com, +*@xyz.com,*,
all messages that are sent to ceo@xyz.com are ignored, and all messages
that are sent to anyone in the xyz.com domain are inspected. The last
asterisk tells the filter to ignore all other messages.
If the sender and recipient filters conflict, the resulting message is ignored.
For example, this situation can happen if the sender filter for a particular
message evaluates as “inspect” and the recipient filter evaluates as “ignore.”
If a recipient filter has multiple exclusion masks, recipients can match
any of the exclusion masks and the message is excluded. For example, if
the recipient filter is -*@xyz.com, -*@abc.com, all the messages that are
sent to xyz.com and abc.com domains are ignored. Also, the messages
that are sent to either xyz.com or abc.com (but not both) are ignored. If
messages have any additional recipients in other domains, the messages
are inspected.
You can monitor messages sent from the xyz.com domain but ignore
message sent to that domain by adding the following filters:
Sampling (Processed/10000) The number out of each 10,000 messages you want to monitor as a
representative sampling. For example, enter 10000 to have Symantec Data
Loss Prevention search every message in this protocol. If you enter 200, it
searches 200 out of every 10,000 messages. The value must be positive
and less than or equal to 17280.
This value is required.
Content Processing Use the Content Processing section to specify how to handle the messages
in this protocol.
Select one of the following options:
• Generic String Extraction—Evaluate the entire message against all
applicable policies.
• Don’t Process Content—Do not evaluate the content at all; count every
message as an incident.
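The L7 Sender Filter and L7 Recipient Filter descriptions above give the evaluation rules in prose; the following added example (not Symantec's code) implements them so the outcome for a given message can be checked before a filter is saved: plus/minus prefixes, asterisk wildcards, left-to-right evaluation where the first matching mask decides, a trailing bare asterisk that ignores every unmatched message, sender/recipient conflicts resolving to ignore, and a multi-recipient message that stays inspected while any recipient is not excluded. The exact matching engine inside the product is not published on this page, so this evaluator and its function names are assumptions.

```python
"""Evaluate L7 sender/recipient filter lists the way the page describes them.

Added example, not Symantec's code. The rules are taken from the field
descriptions on this page; the engine's real behaviour and the function
names here are assumptions.
"""
import fnmatch


def parse_filter(spec):
    """Turn '-ceo@xyz.com, +*@xyz.com,*' into a list of (include, mask) pairs."""
    entries = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        if token == "*":                     # trailing bare '*': ignore all other messages
            entries.append((False, "*"))
        elif token[0] in "+-":
            entries.append((token[0] == "+", token[1:].strip()))
        else:
            raise ValueError(f"filter entry must start with + or -: {token!r}")
    return entries


def address_is_inspected(entries, address):
    """First mask to match (left to right) decides; with no match the message is inspected."""
    for include, mask in entries:
        if fnmatch.fnmatchcase(address.lower(), mask.lower()):
            return include
    return True


def message_is_inspected(sender_filter, recipient_filter, sender, recipients):
    """Combine the sender verdict and the recipient verdict for one message."""
    sender_ok = address_is_inspected(parse_filter(sender_filter), sender) if sender_filter else True
    if recipient_filter and recipients:
        rcpt_entries = parse_filter(recipient_filter)
        # A message is excluded only if every recipient is excluded; any recipient
        # not caught by an exclusion mask keeps the message for inspection.
        recipients_ok = any(address_is_inspected(rcpt_entries, r) for r in recipients)
    else:
        recipients_ok = True
    # Conflicting verdicts (one says inspect, the other ignore) resolve to ignore.
    return sender_ok and recipients_ok


if __name__ == "__main__":
    # Constructed sample messages checked against the page's own example filter.
    recipient_filter = "-ceo@xyz.com, +*@xyz.com,*"
    for rcpt in ("ceo@xyz.com", "bob@xyz.com", "alice@other.com"):
        print(rcpt, message_is_inspected("", recipient_filter, "x@corp.com", [rcpt]))
```

Run it to see the three verdicts the page describes for that filter (ignored, inspected, ignored). Because the first matching mask wins, reordering `-ceo@xyz.com` after `+*@xyz.com` would silently start inspecting the CEO's mail; a quick check like this catches that before the monitors are restarted.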
Protocols screen
About protocol filtering
Protocol configuration examples
You configure protocols to indicate which network traffic the system captures, processes, and presents to you. Protocols
are divided into two categories:
• System protocols are the protocols that Symantec Data Loss Prevention fully supports.
• Custom protocols let you define and monitor network communication that Symantec Data Loss Prevention does not
fully support. Symantec Data Loss Prevention also provides a number of well known protocols as custom protocols.
The following examples show common protocol configurations:
• Filtering HTTP for browser-generated traffic
• Monitoring only outbound email
• Monitoring for the existence of prohibited traffic
• Monitoring for high port incidents
For information about protocol support:
Configure a protocol
Filtering HTTP for browser-generated traffic
HTTP has a wide variety of encapsulated content. HTTP header values often define the type of content in the stream. The
header values are name-value pairs. For example, the program that launched an HTTP request is often described after the
header name User-agent.
This example filters HTTP headers based on the User-agent to capture data from browsers. These browsers contain
User-agent values of Mozilla or Opera.
To filter HTTP headers based on the User-agent
1. Select System > Settings > Protocols from the navigation bar.
2. Select the HTTP protocol.
3. In the Filtering (may override at server level) section of the page, enter the following in the Content field:
I,user-agent:,mozilla,opera
If you use a custom configuration, you must make the same change in every server’s HTTP configuration.
Monitoring only outbound email
Symantec Data Loss Prevention can capture inbound email and outbound email at an organization. Outbound email is
often identified as the most important email to monitor. In most organizations, the email servers are located in a set of
subnets.
To set up SMTP to monitor only a certain set of subnets
1. Select System > Settings > Protocols from the navigation bar.
2. Select the SMTP protocol.
3. In the Filtering (may override at server level) section of the page, enter the following in the Content field:
+,*,10.1.0/16;-,*,*
This example assumes that the source net where your Servers are located is 10.1.0.0 with a subnet mask of
255.255.0.0. The rule filters out any SMTP traffic not coming from the 10.1 subnet.
4. Click Save, and then restart the monitors.
Monitoring for the existence of prohibited traffic
In some cases, it is helpful to know if traffic occurs for a certain protocol or destination. For instance, traffic to address
10.1.2.3 on ports 5000 through 5010 may indicate the existence of an online service that is prohibited in any organization.
The traffic may be encrypted or otherwise unreadable and may create many incidents, so you might want to record its
existence only.
To record only the existence of traffic
1. Select System > Settings > Protocols from the navigation bar.
2. Click Add Protocol.
3. Enter a name for the protocol in the Name field.
4. In the Recognition section of the page, enter the following information:
Ports 5000-5010
IP +,10.1.2.3/32 ,*;-,*,*
5. Click Save.
The new protocol appears at the end of the protocol list. You can use the new protocol in policies and report filters.
Monitoring for high port incidents
In some organizations, firewalls allow connections between high port applications like p2p. This traffic can occur over
any port and may be interspersed with a great deal of random data. To identify potential areas of investigation without
overwhelming the Server with traffic, you can create a sampling protocol.
To create a sampling protocol
1. Select System > Settings > Protocols from the navigation bar.
2. Click Add Protocol.
3. Enter a name for the protocol in the Name field.
4. In the Recognition section of the page, enter the following into the Ports field:
1025-36355
This entry instructs the protocol to match any high port traffic.
5. In the Filtering section of the page, enter the following into the Sampling field:
100
This value reduces the number of streams created that Symantec Data Loss Prevention inspects. Adjust this number
based on the server’s ability to process the new traffic in a timely fashion.
6. Click Save.
7. Look for the new protocol at the end of the protocol list. If the protocol is not at the bottom of the list, move it there.
Moving it ensures that more well-defined traffic is not mistakenly defined as this generic traffic.
Table 254: Enforce Server screen load test platforms and configurations
Platform Configuration
Related Links
About Enforce Server screen load performance on page 592
About screen load performance testing on page 592
Test platform and configurations on page 592
Enforce Server screen load test results on page 593
Incidents > All Reports > [saved incident report name here] N 15 seconds to display 232 incident links, 50 dashboard reports, 108 saved incident reports, and 74 default reports
Incidents > Network > Incidents - New Y 1 second with 531,410 incidents
Incidents > Network > Incidents - All 2 seconds for 888,000 incidents
Incidents > Endpoint > Incidents - New Y 1 second with 569,496 incidents
Incidents > Endpoint > Incidents - All 6 seconds for 569,000 incidents
Incidents > Discover > Incidents - New Y 1 second with 7,449,321 incidents
Incidents > Discover > Incidents - All 13 seconds for 7,400,000 incidents
Scans
Manage > Data Profiles > Indexed Documents N 2 minutes with 972 Indexed Document profiles
Manage > Data Profiles > Exact Data N 7 seconds with 504 Exact Data Profiles
Manage > Data Profiles > Vector Machine Learning N 1 second with 25 Vector Machine Learning Profiles
Manage > Policies > Policy List N 1 minute for 2,635 policies
Manage > Policies > Response Rules N 4 seconds for 503 response rules
Manage > Policies > Data Identifiers N 1 second for 295 system data identifiers and 50 custom data identifiers
Table 257: System screen load test results
System > Servers and Detectors > Overview N 3 seconds for 300 monitors
System > Login Management > DLP Users N 1 second for 505 users
System > Login Management > Roles Y 1 second for 51 roles
System > Servers and Detectors > Policy Groups N 1 second for 200 policy groups
System > System Reports N 27 seconds for 101 saved system reports
System > Incident Data > Attributes, Custom Attributes tab N 1 second for 50 custom incident attributes
System > Servers and Detectors > Alerts N 1 second for 100 alerts
System > Agents > Agent Groups Y 1 second for 116 agent groups
System > Agents > Global Application Monitoring Y 2 seconds for 375 applications
System > Agents > Endpoint Devices N 2 seconds for 50 endpoint devices
System > Settings > Credentials Y 1 second with 150 credentials
System > Settings > Protocols Y 1 second with 24 protocols
System > Servers and Detectors > Traffic N 11 seconds with 300 servers
System > Database > Table Details N 8 seconds with 585 tables
Related Links
About Enforce Server screen load performance on page 592
Test platform and configurations on page 592
About screen load performance testing on page 592
Working with General Settings
Configuring user authentication and role assignment using Active Directory
You use manually managed roles for users that you create manually.
About configuring roles and users
Users who are assigned to multiple roles must specify the desired role at log on. Consider an example where you assign
the user named "User01" to two roles, "Report" and "System Admin." If "User01" wanted to log on to the system to
administer the system, the user would log on with the following syntax: Login: System Admin\User01
Logging On and Off the Enforce Server Administration Console
The Administrator user (created during installation) has access to every part of the system and therefore is not a member
of any access-control role.
About the administrator account
Authentication mechanism Sign-on mechanism Description
SAML authentication (Single sign-on)
With SAML authentication, the Enforce Server administration console authenticates each user by validating the supplied email, user name, or other user attributes that map to attributes the identity provider uses.
When SAML is enabled, users access the Enforce Server Admin console URL and are redirected to the identity provider logon page, where they enter their credentials. After they are authenticated with the identity provider, their user attributes are sent to the Enforce Server. The Enforce Server attempts to find a user with matching attributes. If the user is found, they are logged on to the Enforce Server administration console.
Configuration template file used: springSecurityContext-SAML.xml
About SAML authentication
Password authentication (Forms-based sign-on)
With password authentication, the Enforce Server administration console authenticates each user. It determines if the supplied user name and password combination matches an active user account in the Enforce Server configuration. An active user account is authenticated if it has been assigned a valid role.
Users enter their credentials into the Enforce Server administration console's logon page and submit them over an HTTPS connection to the Tomcat container that hosts the administration console.
With password authentication, you must configure the user name and password of each user account directly in the Enforce Server administration console. You must also ensure that each user account has at least one assigned role.
Configuration template file used: springSecurityContext-Form.xml
Manage and add users
Active Directory authentication (Forms-based sign-on)
With Microsoft Active Directory authentication, the Enforce Server administration console first evaluates a supplied user name to determine if the name exists in a configured Active Directory server. If the user name exists in Active Directory, the supplied password for the user is evaluated against the Active Directory password. Any password that is configured in the Enforce Server configuration is ignored.
With Active Directory authentication, you must configure a user account for each new Active Directory user in the Enforce Server administration console. When you upgrade to Symantec Data Loss Prevention 15, your existing users do not have to be set up again.
You do not have to enter a password for an Active Directory user account. You can switch to Active Directory authentication after you have already created user accounts in the system. However, only those existing user names that match Active Directory user names remain valid after the switch.
Configuration template file used: springSecurityContext-Kerberos.xml
Verifying the Active Directory connection
Certificate authentication (Single sign-on from Public Key Infrastructure (PKI))
Certificate authentication enables a user to automatically log on to the Enforce Server administration console using an X.509 client certificate. This certificate is generated by your public key infrastructure (PKI). To use certificate-based single sign-on, you must first enable certificate authentication as described in this section.
Configuring certificate authentication for the Enforce Server administration console
The client certificate must be delivered to the Enforce Server when a client's browser performs the SSL handshake with the Enforce Server administration console. For example, you might use a smart card reader and middleware with your browser to automatically present a certificate to the Enforce Server. Or, you might obtain an X.509 certificate from a certificate authority. Then you would upload the certificate to a browser that is configured to send the certificate to the Enforce Server.
When a user accesses the Enforce Server administration console, the PKI automatically delivers the user's certificate to the Tomcat container that hosts the administration console. The Tomcat container validates the client certificate using the certificate authorities that you have configured in the Tomcat trust store.
Configuration template file used: springSecurityContext-Certificate.xml
Adding certificate authority (CA) certificates to the Tomcat trust store
The Enforce Server administration console uses the validated certificate to determine whether the certificate has been revoked.
About certificate revocation checks
If the certificate is valid and has not been revoked, then the Enforce Server uses the common name (CN) in the certificate to determine if that CN is mapped to an active user account with a role in the Enforce Server configuration. For each user that accesses the Enforce Server administration console using certificate-based single sign-on, you must create a user account in the Enforce Server that defines the corresponding user's CN value. You must also assign one or more valid roles to the user account.
Here are some important things to note when you set up SAML authentication.
• You must restart the manager when you change the way you authenticate users in SAML. Changing this mapping criteria in the springSecurityContext file for SAML without restarting the manager results in users that are out of sync, as the system continues to use the previous version of the file. For example, if you change the mapping criteria from user name to email address, you must restart the manager.
• You must remap each user when you change the way you map users in SAML. Changing mapping criteria invalidates the existing user's mapping.
• You must validate the XML syntax before you restart the manager. Some characters such as "&" that can be part of a user attribute make the XML invalid. You need to replace these characters with their XML escape string. For example, instead of "&" use "&amp;".
• Do not delete any XML nodes in the XML files.
• Attribute names in XML must exactly match (including case) attribute names in the identity provider.
• When switching from forms-based to SAML authentication, you must go through each user and disable password access for non-Web Services users.
• When switching from Certificate authentication to SAML authentication, make sure that the ClientAuth value in server.xml is set to false.
Configuring user authentication and role assignment using Active Directory
Setting up authentication
Authentication configuration steps shows a summary of the tasks for the setup with links to more information on each
step.
Table 259: Authentication configuration steps
Step 1 Edit the Spring context file for the authentication method. See: Set up and configure the authentication method
Step 2 Set up the authentication configuration. See: for SAML, Set up the SAML authentication configuration; for Active Directory/Kerberos, Configuring Active Directory authentication; for Forms-based, Configuring forms-based authentication; for Certificate, Configuring certificate authentication
Step 3 Restart the Enforce Server. See: About Symantec Data Loss Prevention services
Step 4 For SAML, generate and download the service provider SAML metadata. The Enforce Server administration console is the service provider. See: Generate or download Enforce (service providers) SAML metadata
Step 5 For SAML, configure Enforce as a SAML service provider with the identity provider. See: Configure the Enforce Server as a SAML service provider with the IdP (Create an application in your identity provider)
Step 6 For SAML, download the identity provider metadata. See: Export the IdP metadata to DLP
Step 7 Complete the process by restarting the Enforce Server. See: About Symantec Data Loss Prevention services
Step 8 Log on to the Enforce Server administration console using the Administrator Bypass URL. See: Administrator Bypass URL
NOTE
The Enforce Server administration console (the service provider in SAML) and the IdP exchange messages
using the settings in the configuration. Ensure that your settings match with your IdP's configuration and
capabilities. Unmatched settings break the system.
You must restart the Enforce Server twice: once after you set up the authentication configuration in the
springSecurityContext.xml file, and once after you download the IdP metadata file and replace the
contents of idp-metadata.xml in the Enforce install directory with the IdP metadata.
Administrator Bypass URL
NOTE
The files that you must modify are commented with details to help you through the update process.
To set up the authentication method
1. Delete (or rename) the springSecurityContext.xml file in the [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/ folder.
2. Go to the [your install directory]/Protect/tomcat/webapps/ProtectManager/security/template folder and select the appropriate configuration template file for your authentication method:
• SpringSecurityContext-SAML.xml for SAML authentication configurations
• SpringSecurityContext-Form.xml for forms and client certificate-based authentication configurations
• SpringSecurityContext-Certificate.xml for client certificate-based authentication only
• springSecurityContext-Kerberos.xml for Active Directory/Kerberos authentication configurations
3. Copy the file you selected into the [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/ folder.
4. Rename the file to springSecurityContext.xml.
5. Configure the springSecurityContext.xml file:
6. Final steps:
• SAML: For instructions on how to set up the SAML authentication configuration, see Set up the SAML
authentication configuration.
• Forms Based: If the template file that you copied is for forms-based authentication, there are no additional
settings to configure. The DLP User Authentication section of the General Settings now indicates that your user
authentication method is Forms Based.
• Client certificate: To enable client certificate authentication, set clientAuth to want or true in
<InstallDirectory>/Protect/tomcat/config/server.xml. The DLP User Authentication section of
the General Settings now indicates that your user authentication method is Certificate.
• Active Directory: To enable Active Directory authentication, replace the value for krbConfLocation in [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml with the path to your krb5.ini file.
The DLP User Authentication section of the General Settings now indicates that your user authentication method is Active Directory. You can configure the list of domains in this DLP User Authentication section of the General Settings page.
NOTE
You can no longer perform the initial setup of Active Directory through the Enforce Server administration
console.
Configuring the Enforce Server for Active Directory authentication
NOTE
Unless you only want to access the Enforce Server administration console from the host machine, don't use
localhost as the host name.
Set the property value of "nameID" by editing the property name ="nameID" value in the Spring file to a name identifier
such as emailAddress, WindowsDomainQualifiedName, or another nameID that your IdP supports. Here's an example
for email address:
<property name="nameID" value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
You may want to use a combination of user attributes returned from the IdP to identify a Data Loss Prevention user. In this
case you can set the userAttributes property. For example:
<property name="authnContexts">
<list>
<!-- User name and password -->
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value>
<!-- Password Protected Transport -->
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
<!-- Integrated Windows Authentication -->
<value>urn:federation:authentication:windows</value>
<!-- One time token or two factor authentication -->
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
<!-- Any authentication method that your IDP supports -->
<value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
</list>
</property>
1. Restart the Enforce Server.
2. Log on as Administrator using the Bypass URL. This Bypass URL is accessed directly; you don't need to log on to the
Enforce Server administration console to access this URL.
3. Go to System > Settings > General and navigate to the DLP User Authentication section.
4. Click the link to the right of The SAML config file for your IdP is at to download the metadata.
Configure the Enforce Server as a SAML service provider with the IdP (Create an application in your identity provider)
These steps vary depending on the IdP that you use. Here is a broad overview of the steps if you use Symantec VIP
Access Manager as your IdP:
To configure the Enforce Server as a SAML service provider with the IdP, create an application
1. Log on to the VIP Access Manager administration console as administrator.
2. Click generic template.
3. Name the connector.
4. Select the access policy as SSO (single sign-on).
5. Configure your portal by selecting an icon for your site (this icon appears on the identity provider's dashboard).
6. Upload the Enforce Server metadata.
Protect/config/krb5.conf on Linux
-->
<property name="krbConfLocation" value="C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Protect\config\krb5.ini"/>
</bean>
Set up and configure the authentication method
Configuring forms-based authentication
Integrating Active Directory for user authentication
Most businesses and organizations find the following roles fundamental when they implement the Symantec Data
Loss Prevention system:
• System Administrator
This role provides access to the System module and associated menu options in the Enforce Server administration
console. Users in this role can monitor and manage the Enforce Server and detection server(s). Users in this role
can also deploy detection servers and run Discover scans. However, users in this role cannot view detailed incident
information or author policies. All solution packs create a "Sys Admin" role that has system administrator privileges.
• User Administrator
This role grants users the right to manage users and roles. Typically this role grants no other access or privileges.
Because of the potential for misuse, it is recommended that no more than two people in the organization be assigned
this role (primary and backup).
• Policy Administrator
This role grants users the right to manage policies and response rules. Typically this role grants no other access or
privileges. Because of the potential for misuse, it is recommended that no more than two people in the organization be
assigned this role (primary and backup).
• Policy Author
This role provides access to the Policies module and associated menu options in the Enforce Server administration
console. This role is suited for information security managers who track incidents and respond to risk trends. An
information security manager can author new policies or modify existing policies to prevent data loss. All solution
packs create an "InfoSec Manager" (ISM) role that has policy authoring privileges.
• Incident Responder
This role provides access to the Incidents module and associated menu options in the Enforce Server
administration console. Users in this role can track and remediate incidents. Businesses often have at least two
incident responder roles that provide two levels of privileges for viewing and responding to incidents.
A first-level responder may view generic incident information, but cannot access incident details (such as sender or
recipient identity). In addition, a first-level responder may also perform some incident remediation, such as escalating
an incident or informing the violator of corporate security policies. A second-level responder might be an escalation
responder who has the ability to view incident details and edit custom attributes. A third-level responder might be an
investigation responder who can create response rules, author policies, and create policy groups.
All solution packs create an "InfoSec Responder" (ISR) role. This role serves as a first-level responder. You can use
the ISM (InfoSec Manager) role to provide second-level responder access.
Your business probably requires variations on these roles, as well as other roles. For more ideas about these and other
possible roles, see the descriptions of the roles that are imported with solution packs.
Roles included with solution packs
Table 260: Financial Services Solution Pack roles
Configuring Roles
Each Symantec Data Loss Prevention user is assigned to one or more roles that define the privileges and rights that
user has within the system. A user's role determines system administration privileges, policy authoring rights, incident
access, access to masked data, and more. If a user is a member of multiple roles, the user must specify the role when
logging on, for example: Login: Sys Admin/sysadmin01.
About role-based access control
About configuring roles and users
1. Navigate to the System > Login Management > Roles screen.
2. Click Add Role.
The Configure Role screen appears, displaying the following tabs: General, Incident Access, Policy Management,
and Users & Groups.
3. In the General tab:
• Enter a unique Name for the role. The name field is case-sensitive and is limited to 30 characters. The name that
you enter should be short and self-describing. Use the Description field to annotate the role name and explain its
purpose in more details. The role name and description appear in the Role List screen.
• Use the User Privileges section to grant user privileges for the role.
System privileges include the following options:
User Administration (Superuser): Select the User Administration option to enable users to create more roles and users in the
Enforce Server.
Server Administration: Select the Server Administration option to enable users to perform the following functions:
• Configure detection servers.
• Create and manage Data Profiles for Exact Data Matching (EDM), Form Recognition, Indexed Document Matching (IDM), and
Vector Machine Learning (VML).
• Configure and assign incident attributes.
• Configure system settings.
• Configure response rules.
• Create policy groups.
• Configure recognition protocols.
• View system event and traffic reports.
• Import policies.
Note: Selecting Server Administration also provides Agent Management privileges.
Agent Management: Select the Agent Management option to enable users to perform the following functions:
• Review agent status
• Review agent events
• Manage agents and perform troubleshooting tasks
• Delete, restart, and shut down agents
• Change the Endpoint Server to which agents connect
• Pull agent logs
• Access agent summary reports
• View agent group conflicts
• Review server logs
• Manage server logs, including canceling log collection, configuring logs, and downloading and deleting logs
End User Remediation Administration: Select the End User Remediation Administration option to enable users to manage the
following functions:
• End User Remediation - Incident Configurations
• End User Remediation - Remediation Configurations and Execution
User Reporting (Risk Summary, User Snapshot): Select the User Reporting option to enable users to view the user risk
summary.
Note: The Incident > View privilege is automatically enabled for all incident types for users with the User Reporting
privilege.
Incidents privileges allow you to grant users in this role the following incident privileges. These settings apply to
all incident reports in the system, including the Executive Summary, Incident Summary, Incident List, and Incident
Snapshots.
View: Select the View option to enable users in this role to view policy violation incidents.
You can customize incident viewing access by selecting various Actions and Display Attribute
options as follows:
• By default the View option is enabled (selected) for all types of incidents: Network Incidents,
Discover Incidents, and Endpoint Incidents.
• To restrict viewing access to only certain incident types, select (highlight) the type of incident you
want to authorize this role to view. (Hold down the Ctrl key to make multiple selections.) If a role
does not allow a user to view part of an incident report, the option is replaced with "Not Authorized"
or the option is left blank.
Note: If you revoke an incident-viewing privilege for a role, the system deletes any saved reports for
that role that rely on the revoked privilege. For example, if you revoke (deselect) the privilege to view
network incidents, the system deletes any saved network incident reports associated with the role.
Actions: Select among the following Actions to customize the actions that a user can perform when an incident occurs:
• Remediate Incidents
This privilege lets users change the status or severity of an incident. You can set a data owner, add
a comment to the incident history, set the Do Not Hide and Allow Hiding options, and execute
response rule actions. In addition, if you are using the Incident Reporting and Update API, select
this privilege to remediate the location and status attributes.
• Smart Response Rules to execute
You specify which Smart Response Rules can be executed on a per-role basis. Configured
Smart Response Rules are listed in the "Available" column on the left. To expose a Smart
Response Rule for execution by a user of this role, select it and click the arrow to add it to the
right-side column. Use the CTRL key to select multiple rules.
• Perform attribute lookup
Lets a user look up incident attributes from external sources and populate their values for incident
remediation.
• Delete incidents
Lets users delete an incident.
• Hide incidents
Lets a user hide an incident.
• Unhide incidents
Lets a user restore previously hidden incidents.
• Export Web archive
Lets a user export a report that the system compiles from a web archive of incidents.
• Export XML
Lets a user export a report of incidents in XML format.
• Email incident report as CSV attachment
Lets a user email as an attachment a report containing a comma-separated listing of incident
details.
Incident Reporting and Update API: Select user privileges to enable access for Web Services clients that use the Incident
Reporting and Update API:
• Incident Reporting
Enables Web Services clients to retrieve incident details.
• Incident Update
Enables Web Services clients to update the incident details.
Note: The Incident Reporting and Update APIs are deprecated. Use the REST-based Incident API
instead. You do not need to set privileges for using the REST Incident API.
Display Attributes: Select among the following Display Attributes to customize what attributes appear in the Incidents
view for the policy violations that users of the role can view.
Shared attributes are common to all types of incidents:
• History
The incident history.
• Body
The body of the message.
• Attachments
The names of any attachments or files.
• Matches
The highlighted text of the message that violated the policy appears on the Matches tab of the
Incident Snapshot screen. You can set masking for matches according to roles. See Setting Up
Masking for Roles.
• Sender
The message sender.
• Recipients
The message recipients.
• Subject
The subject of the message.
• Original Message
Controls whether the original message that caused the policy violation incident is viewable.
Note: To view an attachment properly, both the "Attachment" and the "Original Message" options must
be checked.
Endpoint attributes are specific to Endpoint incidents:
• Username
The name of the Endpoint user.
• Machine name
The name of the computer where the Endpoint Agent is installed.
Discover attributes are specific to Discover incidents:
• File Owner
The name of the owner of the file being scanned.
• Location
The location of the file being scanned.
Custom Attributes: The Custom Attributes list includes all the custom attributes configured by your system administrator,
if any.
• Select View All if you want users to be able to view all custom attribute values.
• Select Edit All if you want users to edit all custom attribute values.
• To restrict the users to certain custom attributes, clear the View All and Edit All check boxes, then individually
select the View or Edit check box for each custom attribute you want viewable or editable.
Note: If you select Edit for any custom attribute, the View check box is automatically selected
(indicated by being grayed out). If you want the users in this role to be able to view all custom attribute
values, select View All.
Discover allows you to grant users in this role the following privileges:
Folder Risk Reporting: This privilege lets users view Folder Risk Reports. For more information, see Using Data Insight.
Note: The Data Insight page in the Enforce Server administration console is now accessible to
all Network Discover customers without a license file.
Content Root Enumeration: This privilege lets users configure and run Content Root Enumeration scans. For more information
about Content Root Enumeration scans,
4. In the Incident Access tab, configure any conditions (filters) on the types of incidents that users in this role can view.
NOTE
You must select the View option on the General tab for settings on the Incident Access tab to have any
effect.
• Click Add Condition.
• Select the type of condition and its parameters from left to right, as if writing a sentence. The first drop-down list in
a condition contains the alphabetized system-provided conditions that are associated with any custom attributes.
For example, select Policy Group from the first drop-down list, select Is Any Of from the second list, and then
select Default Policy Group from the final listbox. These settings would limit users to viewing only those incidents
that the default policy group detected.
5. In the Policy Management tab, select one of the following policy privileges for the role:
• Import Policies
This privilege lets users import policy files that have been exported from an Enforce Server.
To enable this privilege, the role must also have the Server Administration, Author Policies, Author Response
Rules, and All Policy Groups privileges.
• Author Policies
This privilege lets users add, edit, and delete policies within the policy groups that are selected.
Users can also modify system data identifiers, and create custom data identifiers.
It also lets users create and modify User Groups.
This privilege does not let users create or manage Data Profiles. This activity requires Enforce Server administrator
privileges.
• Discover Scan Control
Lets the users in this role create Discover targets, run scans, and view Discover Servers.
• Credential Management
Lets users create and modify the credentials that the system requires to access target systems and perform
Discover scans.
• Policy Groups
Select All Policy Groups only if users in this role need access to all existing policy groups and any that will be
created in the future.
Otherwise you can select individual policy groups or the Default Policy Group.
NOTE
These options do not grant the right to create, modify, or delete policy groups. Only the users whose role
includes the Server Administration privilege can work with policy groups.
• Author Response Rules
Enables users in this role to create, edit, and delete response rules.
NOTE
Users cannot edit or author response rules for policy remediation unless you select the Author
Response Rules option.
Preventing users from authoring response rules does not prevent them from executing response rules. For example, a
user with no response-rule authoring privileges can still execute smart response rules from an incident list or incident
snapshot.
6. In the Users & Groups tab, select one of the following items:
• Select Users and select any users to which to assign this role. If you have not yet configured any users, you can
assign users to roles after you create the users.
• Select User Groups and select a user group to which to assign this role.
7. Click Save to save your newly created role to the Enforce Server database.
4. Configure the Authentication section of the Configure User page. Only options that are enabled are available on this
page.
Use Single Sign On Mapping: If SAML authentication has been enabled, the user can sign on using Single Sign On Mapping on
the Configure User page.
Use Password access: Select this option to use password authentication and allow the user to sign on using the Enforce
Server administration console log on page. This option is required if the user account will be used for a Reporting API
Web Service client.
If you select this option, also enter the user password in the Password and the Re-enter Password fields. The
password must be at least eight characters long and is case-sensitive. For security purposes, the password is
obfuscated and each character appears as an asterisk.
If you configure advanced password settings, the user must specify a strong password. In addition, the password
may expire at a certain date and the user has to define a new one periodically.
Configuring password enforcement settings
You can choose password authentication even if you also use certificate authentication. If you use certificate
authentication, you can optionally disable sign on from the Enforce Server administration console log on page.
Disabling password authentication and forms-based logon
Symantec Data Loss Prevention authenticates all Reporting API clients using password authentication. If you
configure Symantec Data Loss Prevention to use certificate authentication, any user account that is used to
access the Reporting API Web Service must have a valid password. See the Symantec Data Loss Prevention
Reporting API Developers Guide.
Note: If you configure Active Directory integration with the Enforce Server, users authenticate using their Active
Directory passwords. In this case the password field does not appear on the Users screen.
Note: Integrating Active Directory for user authentication
Use Certificate authentication: Select this option to use certificate authentication and allow the user to automatically
single sign-on with a certificate that is generated by a separate Private Key Infrastructure (PKI). This option is
available only if you have manually configured support for certificate authentication.
About authenticating users
About certificate authentication configuration
If you select this option, you must specify the common name (CN) value for the user in the Common Name (CN)
field. The CN value appears in the Subject field of the user's certificate, which is generated by the PKI. Common
names generally use the format, first_name last_name identification_number.
The Enforce Server uses the CN value to map the certificate to this user account. If an authenticated certificate
contains the specified CN value, all other attributes of this user account, such as the default role and reporting
preferences, are applied when the user logs on.
Note: You cannot specify the same Common Name (CN) value in multiple Enforce Server user accounts.
Account Disabled: Select this option to lock the user out of the Enforce Server administration console. This option
disables access for the user account regardless of which authentication mechanism you use.
For security, after a certain number of consecutive failed logon attempts, the system automatically disables the
account and locks out the user. In this case the Account Disabled option is checked. To reinstate the user
account and allow the user to log on to the system, clear this option by unchecking it.
5. Optionally enter an Email Address and select a Language for the user in the General section of the page. The
Language selection depends on the language pack(s) you have installed.
6. In the Report Preferences section of the Users screen you specify the preferences for how this user is to receive
incident reports, including Text File Encoding and CSV Delimiter.
If the role grants the privilege for XML Export, you can select to include incident violations and incident history in the
XML export.
7. In the Roles section, select the roles that are available to this user to assign data and incident access privileges.
You must assign the user at least one role to access the Enforce Server administration console.
Configuring roles
8. Select the Default Role to assign to this user at log on.
The default role is applied if no specific role is requested when the user logs on.
For example, the Enforce Server administration console uses the default role if the user uses single sign-on with
certificate authentication or uses the logon page.
NOTE
Individual users can change their default role by clicking Profile and selecting a different option from the
Default Role menu. The new default role is applied at the next logon.
About authenticating users
9. Click Save to save the user configuration.
NOTE
Once you have saved a new user, you cannot edit the user name.
10. Manage users and roles as necessary.
Manage and add roles
Manage and add users
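The CN-to-account mapping, the one-CN-per-account rule, and the Account Disabled check from step 4 above, modelled in an added example (constructed accounts, not Symantec's code; it assumes the TLS layer has already verified the client certificate):

```python
"""Model of the certificate-to-account mapping described under Use Certificate
authentication. Added example with constructed accounts; not Symantec's code.

Assumed to run after Tomcat has already verified the client certificate chain:
this is only the step that turns the Subject CN into an Enforce user and role.
"""
from dataclasses import dataclass


@dataclass
class UserAccount:
    user_name: str
    common_name: str        # CN expected in the certificate Subject (first_name last_name id_number)
    roles: tuple
    default_role: str
    account_disabled: bool = False


def parse_subject_dn(dn):
    """Split an RFC 4514 DN string into (type, value) pairs, honouring backslash escapes."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    pairs = []
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def subject_cn(dn):
    """Return the CN attribute value of a Subject DN, or None if absent."""
    for attr, value in parse_subject_dn(dn):
        if attr == "CN":
            return value
    return None


class CertificateUserMap:
    """Maps certificate CNs to accounts; a CN may belong to only one account."""

    def __init__(self, accounts):
        self.by_cn = {}
        for acct in accounts:
            if acct.common_name in self.by_cn:
                raise ValueError(f"CN '{acct.common_name}' is already mapped to "
                                 f"user '{self.by_cn[acct.common_name].user_name}'")
            self.by_cn[acct.common_name] = acct

    def logon(self, subject_dn, requested_role=None):
        """Return (user_name, role) for a verified certificate, or raise PermissionError."""
        cn = subject_cn(subject_dn)
        if cn is None:
            raise PermissionError("certificate Subject has no CN")
        acct = self.by_cn.get(cn)
        if acct is None:
            raise PermissionError(f"no Enforce user account is mapped to CN '{cn}'")
        if acct.account_disabled:  # Account Disabled wins regardless of auth mechanism
            raise PermissionError(f"account '{acct.user_name}' is disabled")
        role = requested_role or acct.default_role  # default role applies to single sign-on
        if role not in acct.roles:
            raise PermissionError(f"user '{acct.user_name}' is not a member of role '{role}'")
        return acct.user_name, role


# Constructed accounts (hypothetical users and roles).
ACCOUNTS = [
    UserAccount("jdoe", "Jane Doe 10234", ("Sys Admin", "InfoSec Responder"), "InfoSec Responder"),
    UserAccount("jsmith", "John Smith 20987", ("InfoSec Responder",), "InfoSec Responder",
                account_disabled=True),
]
CERT_MAP = CertificateUserMap(ACCOUNTS)
```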
Steps to use AD to provide user access to the Enforce Server administration console
The following table lists the process to use AD to provide user access to the Enforce Server.
Table 261: Steps to use AD to provide user access to the Enforce Server administration console
Step Action
7. Save your changes.
Create an AD-managed role
Configuring roles
Import the AD users using a sync job
Create an AD-managed role
Adding an AD login source
After you create an AD-managed role, you import the AD users using a sync job. When you create the sync job, you name
the job and include a custom filter on the Add AD Login User Source dialog.
Related Links
Create an AD-managed role on page 614
Configuring user authentication and role assignment using Active Directory on page 612
1. Go to the System > Login Management > DLP Users screen and review the users.
2. Click a user name to go to the Roles area to confirm that the correct role is applied.
NOTE
The AD role (under the Roles area) cannot be changed, but you can apply other roles that you create.
To reset the Administrator password for forms-based logon
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
2. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/bin (Linux) or
c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\bin (Windows) directory. If you
installed Symantec Data Loss Prevention into a different directory, substitute the correct path.
3. Execute the AdminPasswordReset utility using the following syntax:
AdminPasswordReset -dbpass oracle_password -newpass new_administrator_password
Replace oracle_password with the password to the Enforce Server database, and replace
new_administrator_password with the password you want to set.
• User Name – The name the user enters to log on to the Enforce Server
• Email – The email address of the user
• Access – The role(s) in which the user is a member
Assuming that you have the appropriate privileges, you can add, edit, or delete user accounts as follows:
• Add a new user account, or modify an existing one.
Click Add to begin adding a new user to the system.
Click anywhere in a row or the pencil icon (far right) to view and edit that user account.
Configuring user accounts
• Click the red X icon (far right) to delete the user account; a dialog box confirms the deletion.
NOTE
The Administrator account is created on install and cannot be removed from the system.
NOTE
When you delete a user account, you also delete all private saved reports that are associated with that user.
Manage and add roles
5. Configure Symantec Data Loss Prevention to use Active Directory authentication.
Configuring the Enforce Server for Active Directory authentication
The [libdefaults] section identifies the default domain. (Note that Kerberos realms correspond to Active Directory
domains.) The [realms] section defines an Active Directory server for each domain. In the previous example, the Active
Directory server for ENG.COMPANY.COM is engAD.eng.company.com.
To create the krb5.ini or krb5.conf file
1. Go to SymantecDLP\Protect\config and locate the sample krb5.ini file. For example, locate the file in
\Program Files\Symantec\DataLossPrevention\EnforceServer\Protect\config (on Windows) or
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (on Linux).
2. Copy the sample krb5.ini file to the c:\windows directory (on Windows) or the /etc directory (on Linux). If you
are running Symantec Data Loss Prevention on Linux, plan to verify the Active Directory connection using the kinit
command-line tool. Rename the file as krb5.conf.
Verifying the Active Directory connection
3. Open the krb5.ini or krb5.conf file in a text editor.
4. Replace the sample default_realm value with the fully qualified name of your default domain. (The value for
default_realm must be all capital letters.) For example, modify the value to look like the following:
default_realm = MYDOMAIN.LAB
5. Replace the other sample domain names with the names of your actual domains. (Domain names must be all capital
letters.) For example, replace ENG.COMPANY.COM with ADOMAIN.COMPANY.COM.
6. Replace the sample kdc values with the host names or IP addresses of your Active Directory servers. (Be sure to
follow the specified format, in which opening brackets are followed immediately by line breaks.) For example, replace
engAD.eng.company.com with ADserver.eng.company.com, and so on.
7. Remove any unused kdc entries from the configuration file. For example, if you have only two domains besides the
default domain, delete the unused kdc entry.
8. Save the file.
The first time you contact Active Directory you may receive an error that it cannot find the krb5.ini or krb5.conf
file in the expected location. On Windows, the error looks similar to the following:
krb_error 0 Could not load configuration file c:\winnt\krb5.ini
(The system cannot find the file specified) No error.
In this case, copy the krb5.ini or krb5.conf file to the expected location and then rerun the kinit command shown
previously.
3. Depending on how the Active Directory server responds to the command, take one of the following actions:
• If the Active Directory server indicates it has successfully created a Kerberos ticket, continue configuring Symantec
Data Loss Prevention.
• If you receive an error message, consult with your Active Directory administrator.
Integrating Active Directory for user authentication
To configure the Enforce Server to use Active Directory for authentication:
1. Make sure all users other than the Administrator are logged out of the system.
2. In the Enforce Server administration console, go to System > Settings > General and click Configure (at top left).
3. At the Edit General Settings screen that appears, locate the Active Directory Authentication section near the bottom
and select (check) Perform Active Directory Authentication.
The system then displays several fields to fill out.
4.
Creating the configuration file for Active Directory integration
5. If your environment has more than one Active Directory domain, click Configure and enter the domain names
(separated by commas) in the Active Directory Domain List field.
The system displays Active Directory domains in a drop-down list on the user logon page. Users then select the
appropriate domain at logon. Do not list the default domain, as it already appears in the drop-down list by default.
6. Click Save.
7. Go to the operating system services tool and restart the Symantec Data Loss Prevention Manager service.
Table 262: Steps to configure certificate authentication
Step 1: Enable certificate authentication on the Enforce Server computer. You can configure an existing Enforce Server to
enable authentication. Enforce Servers have form-based authentication by default.
Configuring certificate authentication for the Enforce Server administration console
Step 2: Add certificate authority (CA) certificates to establish the trust chain. You can add CA certificates to the Tomcat
trust store with the Java keytool utility to manually add certificates to an existing Enforce Server.
Adding certificate authority (CA) certificates to the Tomcat trust store
Step 3: (Optional) Change the Tomcat trust store password. The Symantec Data Loss Prevention installer configures each new
Enforce Server installation with a default Tomcat trust store password. Follow these instructions to configure a secure
password.
Changing the Tomcat trust store password
Step 4: Map certificate common name (CN) values to Enforce Server user accounts.
Mapping Common Name (CN) values to Symantec Data Loss Prevention user accounts
Step 5: Configure the Enforce Server to check for certificate revocation.
About certificate revocation checks
Step 6: Verify Enforce Server access using certificate-based single sign-on.
Troubleshooting certificate authentication
Step 7: (Optional) Disable forms-based logon. If you want to use certificate-based single sign-on for all access to the
Enforce Server, disable forms-based logon.
Disabling password authentication and forms-based logon
Protect/tomcat/conf/server.xml (Linux) and change the certificateVerification value from none to
optional. Change the revocationEnabled value from true to false. Save the file.
4. Restart the Enforce Server. This change to the server.xml file that you edited in the previous step enables the Use
Certificate authentication check box in the Enforce Server administration console user interface.
5. Log on to the Enforce Server administration console and go to System > Login Management > DLP Users.
6. Check Use Certificate authentication and indicate the corresponding CN mapping.
7. Add the CA certificates to the Tomcat trust store using the Java keytool utility.
Adding certificate authority (CA) certificates to the Tomcat trust store
Ensure that you have installed all necessary certificates and that users can log on with certificate authentication.
Now the end user has both form-based authentication and certificate authentication.
About certificate revocation checks
Follow this procedure to enable certificate authentication on Symantec Data Loss Prevention.
To enable certificate authentication for users of the Enforce Server administration console
8. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
9. Copy the corresponding springSecurityContext.xml file into the Tomcat WEB-INF directory.
10. Edit C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\server.xml (Windows) or
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml (Linux) and change the
certificateVerification value from false to optional. Save the file.
11. Restart the Enforce Server. This change to the server.xml file that you edited in the previous step enables the Use
Certificate authentication check box in the Enforce Server administration console user interface.
12. Logon to the Enforce Server administration console and go to System > Login Management > DLP Users.
13. Check Use Certificate authentication and indicate the corresponding Common Name (CN) mapping.
14. Add the CA certificates to the Tomcat trust store using the Java keytool utility.
Adding certificate authority (CA) certificates to the Tomcat trust store
Ensure that you have installed all necessary certificates and that users can log on with certificate authentication.
15. For certificate authentication only, copy the springSecurityContext-Certificate.xml file from C:
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat
\webapps\ProtectManager\security\template (Windows) or opt/Symantec/DataLossPrevention/
EnforceServer//Protect/tomcat/webapps/ProtectManager/WEB-INF (Linux) and rename it to
springSecurityContext.xml.
16. Edit the C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect
\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/
EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml file and change the
certificateVerification value from optional to required.
Adding certificate authority (CA) certificates to the Tomcat trust store
Changing the Tomcat Trust Store Password
When you install Symantec Data Loss Prevention, the Tomcat trust store uses protect as the default password. Follow
this procedure to assign a secure password to the Tomcat trust store when you use certificate authentication.
1. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
2. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/jre/bin/ (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\ (Windows) directory. If you installed Symantec Data Loss Prevention to a different directory, substitute the correct path.
3. Use the keytool utility that is installed with Symantec Data Loss Prevention to change the Tomcat trust store password. For Windows systems, enter:
c:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_162\bin\keytool -storepasswd -new new_password -keystore ./truststore.jks
For Linux systems, enter:
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/jre/bin/keytool -storepasswd -new new_password -keystore ./truststore.jks
Replace new_password with a secure password.
4. Enter the current password to the keystore when the keytool utility prompts you to do so. The default password is protect.
Replace protect with the new password that you defined in the keytool command.
8. Save your changes and exit the text editor.
9. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config (Windows) directory. If you installed Symantec Data Loss Prevention into a different directory, substitute the correct path.
10. Open the Manager.properties file with a text editor.
Add the following line in the file to specify the new password:
com.vontu.manager.tomcat.truststore.password = password
Replace password with the new password. Do not enclose the password in quotation marks.
11. Save your changes and exit the text editor.
12. Open the Protect.properties file with a text editor.
13. Edit (or if not present, add) the following line in the file to specify the new password:
com.vontu.manager.tomcat.truststore.password = password
Replace password with the new password. Do not enclose the password in quotation marks.
14. Save your changes and exit the text editor.
15. Stop and then restart the Symantec DLP Manager service to apply your changes.
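Steps 10 through 14 are the same operation on two files: set one property line, whether it is missing, present, or still commented out. The following Python script is an added example for this page, not Symantec's own tooling. It assumes the property files are plain "key = value" text as shown above and that keytool is at the path you pass in; the sample properties text inside the block is constructed.

```python
"""Added example, not Symantec's own tooling: apply the trust store password
change from the procedure above to a .properties file.

set_property() replaces an existing (or commented-out) line for the key and
appends the line when the key is absent, so it serves both "add the line"
(Manager.properties) and "edit or, if not present, add" (Protect.properties).
The value is written verbatim, with no quotation marks, as the page requires.
"""
import re
import subprocess
from pathlib import Path

TRUSTSTORE_KEY = "com.vontu.manager.tomcat.truststore.password"


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with exactly one `key = value` line.

    Lines whose key matches, whether active or commented out with '#', are
    replaced (duplicates collapse into one); if none matches, the line is
    appended. Other lines are passed through untouched.
    """
    key_line = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s*=")
    out, done = [], False
    for line in text.splitlines():
        if key_line.match(line):
            if not done:
                out.append(f"{key} = {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def update_properties_file(path: Path, key: str, value: str) -> None:
    """Rewrite the file through a temporary file and an atomic rename, so a
    crash mid-write never leaves a truncated Manager.properties behind."""
    new_text = set_property(path.read_text(encoding="utf-8"), key, value)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(new_text, encoding="utf-8")
    tmp.replace(path)


def keytool_storepasswd_command(keytool: str, truststore: str, new_password: str) -> list:
    """Argument vector for the keytool call in step 3. Running it without a
    shell avoids quoting problems on either platform; keytool prompts for the
    current password (default: protect) because -storepass is deliberately
    not supplied on the command line."""
    return [keytool, "-storepasswd", "-new", new_password, "-keystore", truststore]


def change_truststore_password(keytool: str, truststore: str, new_password: str) -> None:
    """Run keytool interactively; it asks for the current trust store password."""
    subprocess.run(keytool_storepasswd_command(keytool, truststore, new_password), check=True)


if __name__ == "__main__":
    # Constructed sample: a Manager.properties fragment with the default
    # password still in place and an old commented-out copy of the key.
    sample = (
        "#com.vontu.manager.tomcat.truststore.password = protect\n"
        "com.vontu.manager.tomcat.truststore.password = protect\n"
        "some.other.setting = 1\n"
    )
    print(set_property(sample, TRUSTSTORE_KEY, "new_password"), end="")
```

Note that the new password is still visible in the process list for as long as keytool runs, exactly as it is when the command is typed by hand, so run this from the installation account the procedure names and not from a shared session.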
Mapping Common Name (CN) values to Symantec Data Loss Prevention user accounts
Each user that accesses the Enforce Server administration console using certificate-based single sign-on must have an
active user account in the Enforce Server configuration. The user account associates the common name (CN) value from
the user's client certificate to one or more roles in the Enforce Server administration console. You can map a CN value to
only one Enforce Server user account.
The user account that you create does not require a separate Enforce Server administration console password. You can
optionally configure a password if you want to allow the user to also log on from the Enforce Server administration console
log-on page. If you enable password authentication and the user does not provide a certificate when the browser asks for
one, then the Enforce Server displays the log-on page. A log-on failure is displayed if password authentication is disabled
and the user does not provide a certificate.
An active user account must identify a user's CN value and have a valid role assigned in the Enforce Server to log on
using single sign-on with certificate authentication. You can disable or delete the associated Enforce Server user account
to prevent a user from accessing the Enforce Server administration console without revoking their client certificate.
Configuring user accounts
Distribution Point Name:
Full Name: URL=http://my_crldp
NOTE
Symantec Data Loss Prevention does not support specifying the CRLDP using an LDAP URL.
If the CRL distribution point is defined in each certificate and the Enforce Server can directly access the server, then no
additional configuration is required to perform revocation checks. If the CRL distribution point is accessible only by a proxy
server, then you must configure the proxy server settings in the Symantec Data Loss Prevention configuration.
Accessing the CRLDP with a proxy
Regardless of which revocation checking method you use, you must enable certificate revocation checks on the Enforce
Server computer. Certificate revocation checks are enabled by default if you select certificate installation during the
Enforce Server installation. If you upgraded an existing Symantec Data Loss Prevention installation, certificate revocation
is not enabled by default.
Configuring certificate revocation checks
When you enable certificate revocation checks, Symantec Data Loss Prevention uses a CRLDP to determine the
revocation status.
Follow this procedure to enable certificate revocation checks.
1. Ensure that the CRLDP is defined in the CRL distribution point field of each client certificate.
2. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
3. Open the c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/tomcat/conf/server.xml (Linux) file and update the revocationEnabled value from false to true.
4. To enable revocation checking using a CRLDP, add or uncomment the following line in the file:
wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true
This option is enabled by default for new Symantec Data Loss Prevention installations.
5. If you use CRLDP revocation checks, optionally configure the cache lifetime using the property:
wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
This parameter specifies the length of time, in seconds, to cache the revocation lists that are obtained from a CRL
distribution point. After this time is reached, a lookup is performed to refresh the cache the next time there is an
authentication request. The default cache lifetime is 30 seconds. Specify 0 to disable the cache, or -1 to store cache
results indefinitely.
6. Stop and then restart the Symantec DLP Manager service to apply your changes.
Accessing the CRLDP with a Proxy
Symantec recommends that you allow direct access from the Enforce Server computer to all CRLDP servers that are
required to perform certificate revocation checks. If the CRLDP servers are accessible only through a proxy, then you
must configure the proxy settings on the Enforce Server computer.
When you configure a proxy, the Enforce Server uses your proxy configuration for all HTTP connections, such as those
connections that are created to connect to a CRLDP server to fetch certificate revocation lists. Check with your proxy
administrator before you configure these proxy settings, and consider allowing direct access to CRLDP servers if at all
possible.
To configure proxy settings for a CRLDP server
1. Ensure that the CRLDP is defined in the CRL distribution point field of each client certificate.
2. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention
installation.
NOTE
Do not change permissions or ownership on any configuration file from another root or Administrator
account.
3. Change directory to the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/config (Linux) or c:\Program Files\Symantec\DataLossPrevention\EnforceServer
\16.0.10000\Protect\config (Windows) directory. If you installed Symantec Data Loss Prevention into a
different directory, substitute the correct path.
4. Open the SymantecDLPManager.conf file with a text editor.
5. Add or edit the following configuration properties to identify the proxy:
wrapper.java.additional.22=-Dhttp.proxyHost=myproxy.mydomain.com
wrapper.java.additional.23=-Dhttp.proxyPort=8080
wrapper.java.additional.24=-Dhttp.nonProxyHosts=hosts
Replace myproxy.mydomain.com and 8080 with the host name and port of your proxy server. You can include server
host names, fully qualified domain names, or IP addresses separated with a pipe character. For example:
wrapper.java.additional.24=-Dhttp.nonProxyHosts=crldp-server|
127.0.0.1|DataInsight_Server_Host
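The CRLDP, cache-lifetime and proxy settings above are all wrapper.java.additional.<index> lines in SymantecDLPManager.conf, and as quoted they reuse index 22 three times, which is the kind of slip that leaves a revocation or proxy setting silently unapplied. The following Python linter is an added example, not part of the product. It assumes the Java Service Wrapper keys each line by its index, so that two active lines with the same index cannot both reach the JVM; the sample configuration inside the block is constructed from the lines quoted in this section.

```python
"""Added example, not part of Symantec Data Loss Prevention: lint the
wrapper.java.additional.<index> lines that the revocation and proxy
procedures add to SymantecDLPManager.conf.

Assumption: the wrapper keys each -D setting by its index, so lines that
share an index cannot all take effect. The script reports duplicate
indices, lists every -D property the file tries to set, and renumbers the
extra values onto free indices.
"""
import re
from collections import defaultdict

ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
DPROP_RE = re.compile(r"^-D([^=]+)=(.*)$")

# Constructed sample built from the lines quoted in this section, with the
# certpath debug line left commented out.
SAMPLE_CONF = """\
wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true
wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
wrapper.java.additional.22=-Dhttp.proxyHost=myproxy.mydomain.com
wrapper.java.additional.23=-Dhttp.proxyPort=8080
wrapper.java.additional.24=-Dhttp.nonProxyHosts=crldp-server|127.0.0.1
#wrapper.java.additional.90=-Djava.security.debug=certpath
"""


def parse_additional(conf_text):
    """Return {index: [value, ...]} for every active wrapper.java.additional line."""
    by_index = defaultdict(list)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented out: the wrapper ignores it
        m = ADDITIONAL_RE.match(line)
        if m:
            by_index[int(m.group(1))].append(m.group(2))
    return dict(by_index)


def duplicate_indices(by_index):
    """Indices defined more than once; at most one of their values takes effect."""
    return {i: vals for i, vals in by_index.items() if len(vals) > 1}


def system_properties(by_index):
    """Every -Dname=value the file tries to set, keyed by property name
    (a name given twice keeps the value seen last; use duplicate_indices()
    to find out whether the file is ambiguous in the first place)."""
    props = {}
    for i in sorted(by_index):
        for value in by_index[i]:
            m = DPROP_RE.match(value)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def next_free_index(by_index, start=1):
    """Smallest index >= start that no active line uses yet."""
    i = start
    while i in by_index:
        i += 1
    return i


def renumbered_lines(by_index):
    """One wrapper.java.additional line per value with unique indices: the
    first value keeps its index, extra values move to the next free index."""
    used = dict(by_index)
    lines = []
    for i in sorted(by_index):
        first, *extra = by_index[i]
        lines.append(f"wrapper.java.additional.{i}={first}")
        for value in extra:
            j = next_free_index(used, i)
            used[j] = [value]
            lines.append(f"wrapper.java.additional.{j}={value}")
    return lines


if __name__ == "__main__":
    parsed = parse_additional(SAMPLE_CONF)
    for i, vals in sorted(duplicate_indices(parsed).items()):
        print(f"index {i} is defined {len(vals)} times: {vals}")
    print("\n".join(renumbered_lines(parsed)))
```

Run it against a copy of the real file before restarting the Symantec DLP Manager service; the renumbered lines are a proposal to paste back, not an in-place edit, so you can check that the free indices it picks are not used by other wrapper.java.additional.* sub-keys elsewhere in your configuration.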
wrapper.java.additional.90=-Djava.security.debug=certpath
NOTE
If you use a directory server that contains a self-signed authentication certificate, you must add the certificate to the Enforce Server or the Discover Server. If your directory server uses a pre-authorized certificate, it is automatically added to the Enforce Server or Discover Server.
Importing SSL certificates to Enforce or Discover servers
To create a group directory connection
1. Navigate to the System > Settings > Directory Connections screen.
2. Click Add Connection.
3. Configure the directory connection.
Configuring directory server connections
1. Navigate to the Directory Connections page (if not already there). This page is available at System > Settings > Directory Connections.
2. Click Create New Connection. This action takes you to the Configure Directory Connection page.
3. Enter a Name for the directory server connection. The Connection Name is the user-defined name for the connection. It appears at the Directory Connections home page once the connection is configured.
4. Specify the Network Parameters for the directory server connection. Directory connection network parameters provides details on these parameters. Enter or specify the following parameters:
• The Hostname of the computer where the directory server is installed.
• The Port on the directory server that supports connections.
• The Base DN (distinguished name) of the directory server.
• The Encryption Method for the connection, either None or Secure.
5. Specify the Authentication mode for connecting to the directory server. Directory connection authentication parameters provides details on configuring the authentication parameters.
6. Click Test Connection to verify the connection. If there is anything wrong with the connection, the system displays an error message describing the problem.
7. Click Save to save the directory connection configuration. The system automatically indexes the directory server after you successfully create, test, and save the directory server connection.
8. Select the Index and Replication Status tab. Verify that the directory server was indexed. After some time (depending on the size of the directory server query), you should see that the Replication Status is "Completed <date> <time>". If you do not see that the status is completed, verify that you have configured and tested the directory connection properly. Contact your directory server administrator for assistance.
9. Select the Index Settings tab. You can adjust the directory server indexing schedule as necessary at the Index Settings tab.
Scheduling directory server indexing
Authentication: Select the Authentication option to connect to the directory server using authentication mode. Check Connect with Credentials to add your username and password to authenticate to the directory server.
Username: To authenticate with Active Directory, use one of the following methods:
• Domain and user name, for example: Domain\username
• User name and domain, for example: username@domain.com
• Fully distinguished user name and domain (without spaces), for example: cn=username,cn=Users,dc=domain,dc=com
To authenticate with another type of directory server, a different syntax may be required, for example: uid=username,ou=people,o=company
Password: Enter the password for the user name that was specified in the preceding field. The password is obfuscated when you enter it.
Each directory server connection automatically indexes the configured User Groups that are hosted in the directory server
once at 12:00 AM. The indexing starts the day after you create the initial connection.
After you create, test, and save the directory server connection, the system automatically indexes all User Groups that are
hosted in the directory whose connection you have established. You can modify this setting, and schedule indexing to run:
• by the minute
• by the hour
• daily
• weekly
• monthly
1. Select an existing group directory server connection from the System > Settings > Directory Connections screen.
Or, create a connection.
Configuring directory server connections
2. Adjust the Index Settings to the desired schedule.
Schedule group directory server indexing and view status
Table 266: Schedule group directory server indexing and view status
Index the directory server once: The Once setting is selected by default and automatically indexes the directory server at 12:00 AM the day after you create the initial connection. You can use the On and At settings to select a specific date and time.
Use the following index settings to modify the default Once indexing schedule to specify when and how often the index is rebuilt.
Index the directory server daily: Select the Daily option to schedule the index daily. Specify the At time. Optionally, specify the Until duration for this schedule.
Index the directory server weekly: Select the Weekly option to schedule the index to occur once a week. Specify the day of the week to index. Specify the time to index. Optionally, specify the Until duration for this schedule.
Index the directory server monthly: Specify the day of the month to index the directory and the time. Optionally, specify the Until duration for this schedule.
Set up a custom indexing schedule: Specify a custom frequency, in hours and minutes, to index the directory. You can schedule the index to run from every one to 59 minutes. You can also schedule the index to run from every 1 hour to every 23 hours. Optionally, specify the Until duration for this schedule. Overlapping indexing jobs for the same directory connection or profile are not allowed to run concurrently. Queued jobs consume memory. To reduce memory consumption, do not overlap indexing jobs.
View the indexing and replication status: Select the Index and Replication Status tab to view the status of the indexing process.
• Indexing Status: Displays the next scheduled index, date, and time.
• Detection Server Name: Displays the detection server where the User Group profile is deployed.
• Replication Status: Displays the date and time of the most recent synchronization with the directory group server.
Credential Store
The credential store simplifies management of user name and password changes.
An authentication credential can be stored as a named credential in a central credential store. It can be defined once, and
then referenced by any number of servers or endpoints. Passwords are encrypted before they are stored.
You can add, delete, or edit stored credentials.
Adding new credentials to the credential store
Managing credentials in the credential store
The Credential Management screen is accessible to users with the "Credential Management" privilege.
Stored credentials can be used when you edit or create a Discover target.
3. Click Save.
4. You can later edit or delete credentials from the credential store.
1. Go to: System > Settings > General.
2. Click Configure.
3. Under the Credential Management section, ensure that the Allow Saved Credentials on Endpoint Agent checkbox
is selected.
4. Click Save.
5. Go to: System > Settings > Credentials.
6. Click Add Credential.
7. Under the General section, enter the details of the credential you want to add.
8. Under Usage Permission, select Servers and Endpoint agents.
9. Click Save.
Re-enter Access Password Re-enter the password.
3. Click Save.
You can use Audit Logs to view the activities that are performed by users on Enforce. The Audit Logs page includes
information about events and event details. You can also download Audit Log reports from the Audit Logs page. These
reports are exported in CSV format.
Some of the Audit Logs columns can be resorted using the arrows next to the item name. Sortable columns include:
• Time
• IP Address
• User Name
• Role
• Entity
• Action
User ID, User Status, and Detail columns are not sortable.
The default Audit Logs page is set to:
• Time - last 30 days
• Items per page - 50
• Sort order - descending, with latest items first
Use the drop-downs in the Filter By area on the left of the page to change these filter conditions:
• Date - Select from All Dates, Today, Yesterday, Last 7 Days, Last 30 Days, Last Quarter, Last Year, or Custom.
• IP Address - Start typing to select from the list of available IP addresses or scroll down and select an IP address.
• User Name - Start typing to select from the list of available User Names or scroll down and select User Names.
Multiple names are allowed.
• Role - Start typing to select from the list of available Roles or scroll down and select Roles. Multiple roles are allowed.
• Entity - Start typing to select from the list of available entities or scroll down and select entities. Multiple entities are
allowed.
• Action - Start typing to select from a list of available Actions or scroll down and select an action. The Action options
are related to Entities. Each Entity has at least one action. Multiple entities are allowed.
• Click Clear All to clear all filters. The filters are reset to the default condition, Last 30 Days only.
• Click Apply to view the filtered data. When you click Apply, the table order does not change. The page resets to the
first page. The number of Items per page won't change.
• Click Export To CSV at the top right of the page to download the filtered CSV Audit Logs data from the page that is
displayed.
The Action filter is updated when you select any entity filter options. If no Entity is selected, you can see all of the options
of the Action filter.
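The filters and defaults listed above can be reproduced offline against an exported CSV, which helps when a review has to be repeated or scripted. The Python below is an added example and not from the product: its column headers follow the column list above, but the exact header text and the timestamp format of the real export are assumptions to adjust for your file, and the sample rows are constructed.

```python
"""Added example, not from the product: apply the Audit Logs page's default
view (last 30 days, newest first, 50 per page) and its filters to an
exported CSV so that reviews can be scripted.

Column names follow the columns listed on the page; the exact header text
and the timestamp format of the real export are assumptions (TIME_FMT and
the header row below), so adjust them to match your file.
"""
import csv
import io
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed export format

# Constructed sample export (not real audit data).
SAMPLE_CSV = """\
Time,IP Address,User Name,User ID,User Status,Role,Entity,Action,Detail
2024-05-01 09:12:00,10.0.0.5,alice,1,Active,Administrator,Policy,Edit,Policy PCI updated
2024-05-02 22:40:00,10.0.0.9,bob,2,Active,Incident Responder,Incident,Export,Exported 300 incidents
2024-04-05 08:00:00,10.0.0.5,alice,1,Active,Administrator,User,Create,Created user carol
2024-05-03 03:15:00,10.0.0.9,bob,2,Active,Incident Responder,Credential,Delete,Deleted credential share-svc
"""


def parse_time(text):
    """Parse a Time cell (or a 'now' value) using the assumed export format."""
    return datetime.strptime(text, TIME_FMT)


def load_rows(text):
    """Parse the export and attach a datetime for sorting and date filtering."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_time"] = parse_time(row["Time"])
    return rows


def filter_rows(rows, *, now, days=30, users=None, roles=None, entities=None,
                actions=None, ip=None):
    """Keep rows from the last `days` days (page default: 30) that satisfy every
    supplied filter; a filter given several values matches any of them, which
    mirrors the multi-select User Name, Role, Entity and Action filters."""
    cutoff = now - timedelta(days=days)

    def keep(row):
        return (row["_time"] >= cutoff
                and (users is None or row["User Name"] in users)
                and (roles is None or row["Role"] in roles)
                and (entities is None or row["Entity"] in entities)
                and (actions is None or row["Action"] in actions)
                and (ip is None or row["IP Address"] == ip))

    # Default sort order: descending by time, latest items first.
    return sorted((r for r in rows if keep(r)), key=lambda r: r["_time"], reverse=True)


def page_of(rows, number, per_page=50):
    """Slice a result list the way the page does (50 items per page by default)."""
    start = (number - 1) * per_page
    return rows[start:start + per_page]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    now = parse_time("2024-05-10 00:00:00")  # constructed "today" for the sample
    for r in filter_rows(rows, now=now, entities={"Credential", "User"}):
        print(r["Time"], r["User Name"], r["Role"], r["Entity"], r["Action"], r["Detail"])
```

Because the page's own export only contains what the current filter shows, export once with Clear All applied and run the narrower filters here; that way one file serves every question a review raises.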
System Events
Review system events to
System events related to your Symantec Data Loss Prevention installation are monitored, reported, and logged. System
events include notifications from Cloud Operations for cloud services.
System event reports are viewed from the Enforce Server administration console:
• The five most recent system events of severity Warning or Severe are listed on the Overview screen (System >
Servers and Detectors > Overview).
About the Overview screen
See About the Overview screen for information on the Servers Overview screen.
• Reports on all system events of any severity can be viewed by going to System > Servers and Detectors > Events.
System Events Reports
• Recent system events for a particular detection server or cloud service are listed on the Server/Detector Detail screen
for that server or detector.
Server/Detector Detail screen
See Server/Detector Detail screen for information on the Server Detail screen.
• Click on any event in an event list to go to the Event Details screen for that event. The Event Details screen provides
additional information about the event.
Server and Detectors Event Detail
There are three ways that system events can be brought to your attention:
• System event reports displayed on the administration console
• System alert email messages
System Alerts
• Syslog functionality
Enabling a Syslog Server
Some system events require a response.
About System Event Responses
To narrow the focus of system event management you can:
• Use the filters in the various system event notification methods.
System Events Reports
• Configure the system event thresholds for individual servers.
Configuring Event Thresholds and Triggers
Type: The type (severity) of the event. Type may be any one of those listed in the "System event types" table.
Time: The date and time of the event.
Server: The name of the server on which the event occurred.
Host: The IP address or host name of the server on which the event occurred.
Code: A number that identifies the kind of event. See System event codes and messages for information on event code numbers.
Summary: A brief description of the event. Click on the summary for more detail about the event.
Table 268: System event types
Event Description
System information
Warning
Severe
6. (Optional) Specify additional advanced filters if needed.
7. When you have finished specifying a filter or set of filters, click Apply.
Click the red X to delete an advanced filter.
The Applied Filters bar lists the filters that are used to produce the list of events that is displayed. Note that multiple
filters are cumulative. For an event to appear on the list it must pass all the applied filters.
The following advanced filters are available:
Event Code: Filter events by the code numbers that identify each kind of event. You can filter by a single code number or multiple code numbers separated by commas (2121, 1202, 1204). Filtering by code number ranges, or greater than, or less than operators is not supported.
Event type: Filter events by event severity type (Info, Warning, or Severe).
Server: Filter events by the server on which the event occurred.
NOTE
A small subset of the parameters that trigger system events have thresholds that can be configured. These
parameters should only be adjusted with advice from Symantec Support. Before changing these settings, you
should have a thorough understanding of the implications that are involved. The default values are appropriate
for most installations.
Configuring event thresholds and triggers
Related Links
on page 469
Delivery Schedule Options for Incident and System Reports
• Delete the report. Click the red X to the right of the report name to delete the report.
1. Go to one of the following screens:
• System Events (System > Events)
• Agents Overview (System > Agents > Overview)
• Agents Events (System > Agents > Events)
About the Enforce Server administration console
2. Select the filters and summaries for your custom report.
About custom reports and dashboards
3. Select Report > Save As.
4. Enter the saved report information.
Saving custom incident reports
5. Click Save.
Item Description
About system events
System events reports
About system alerts
BoxMonitor.DiskUsageError (event: Low disk space)
Indicates the amount of filled disk space (as a percentage) that triggers a Severe system event. For example, a Severe event occurs if a detection server is installed on the C drive and the disk space error value is 90. The detection server creates a Severe system event when the C drive usage is 90% or greater. The default is 90.
BoxMonitor.DiskUsageWarning (event: Low disk space)
Indicates the amount of filled disk space (as a percentage) that triggers a Warning system event. For example, a Warning event occurs if the detection server is installed on the C drive and the disk space warning value is 80. Then the detection server generates a Warning system event when the C drive usage is 80% or greater. The default is 80.
BoxMonitor.MaxRestartCount (event: Process name restarts excessively)
Indicates the number of times that a system process can be restarted in one hour before a Severe system event is generated. The default is 3.
IncidentDetection.MessageWaitSevere (event: Long message wait time)
Indicates the number of minutes messages need to wait to be processed before a Severe system event is sent about message wait times. The default is 240.
IncidentDetection.MessageWaitWarning (event: Long message wait time)
Indicates the number of minutes messages need to wait to be processed before sending a Severe system event about message wait times. The default is 60.
Related Links
System Events on page 466
System event or category: Appropriate response
Low disk space: If this event is reported on a detection server, recycle the Symantec Data Loss Prevention services on the detection server. The detection server may have lost its connection to the Enforce Server. The detection server then queues its incidents locally, and fills up the disk.
If this event is reported on an Enforce Server, check the status of the Oracle and the Symantec DLP Incident Persister services. Low disk space may result if incidents do not transfer properly from the file system to the database. This event may also indicate a need to add additional disk space.
Tablespace is almost full: Add additional data files to the database. When the hard disk is at 80% of capacity, obtain a bigger disk instead of adding additional data files.
Licensing and versioning: Contact Symantec Support.
Monitor not responding: Restart the Symantec DLP Detection Server service. If the event persists, check the network connections. Make sure the computer that hosts the detection server is turned on by connecting to it. You can connect with terminal services or another remote desktop connection method. If necessary, contact Symantec Support.
Symantec Data Loss Prevention Services
Alert or scheduled report sending failed: Go to System > Settings > General and ensure that the settings in the Reports and Alerts and SMTP sections are configured correctly. Check network connectivity between the Enforce Server and the SMTP server. Contact Symantec Support.
Auto key ignition failed: Contact Symantec Support.
Cryptographic keys are inconsistent: Contact Symantec Support.
Long message wait time: Increase detection server capacity by adding more CPUs or replacing the computer with a more powerful one.
Decrease the load on the detection server. You can decrease the load by applying the traffic filters that have been configured to detect fewer incidents. You can also re-route portions of the traffic to other detection servers.
Increase the threshold wait times if all of the following items are true:
• This message is issued during peak hours.
• The message wait time drops down to zero before the next peak.
• The business is willing to have such delays in message processing.
process_name restarts excessively: Check the process by going to System > Servers > Overview. To see individual processes on this screen, Process Control must be enabled by going to System > Settings > General > Configure.
N incidents in queue: Investigate the reason for the incidents filling up the queue. The most likely reasons are as follows:
• Connection problems. Response: Make sure the communication link between the Endpoint Server and the detection server is stable.
• Insufficient connection bandwidth for the number of generated incidents (typical for WAN connections). Response: Consider changing policies (by configuring the filters) so that they generate fewer incidents.
Syslog functionality is an on or off option. If syslog is turned on, all Severe events are sent to the syslog server.
1. Go to the \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect
\config directory on Windows or the /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/
Protect/config directory on Linux.
2. Open the Manager.properties file.
3. Uncomment the #systemevent.syslog.protocol = line by removing the # symbol from the beginning of the line, and
enter [ udp | tcp | tls ] to secure communications sent from the Enforce Server to the syslog server.
4. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line, and enter
the hostname or IP address of the syslog server.
5. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line. Enter the
port number that should accept connections from the Enforce Server. The default is 514.
NOTE
If you are using TCP or TLS communication, ensure that the port you enter correctly corresponds to the port
that is configured on the syslog server.
6. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the
beginning of the line. Then define the system event message format to be sent to the syslog server:
If the line is uncommented without any changes, the notification messages are sent in the format: [server name]
summary - details. The format variables are:
• {0} - the name of the server on which the event occurred
• {1} - the event summary
• {2} - the event detail
For example, the following configuration specifies that Severe system event notifications are sent to a syslog host
named server1 which uses port 600.
systemevent.syslog.protocol = TCP
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
Using this example, a low disk space event notification from an Enforce Server on a host named server1 would look like:
server1 Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
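A collector that receives these messages has to split them back into the three format variables before it can alert on the server or on the reported percentage. The following Python parser is an added example, not Symantec's code. It assumes the body format [{0}] {1} - {2} shown above (and also accepts the bracket-less rendering of the example output, where the server name is the first word), assumes the syslog priority and header have already been removed by the collector, and its sample messages are constructed from the page's example text.

```python
"""Added example, not Symantec's code: parse the message body that the
syslog settings above produce with the format [{0}] {1} - {2}, so a SIEM
or collector can key on the server, the summary, and details such as the
disk usage percentage.

Assumptions: the collector has already stripped any syslog priority and
header, and the body is either "[server] summary - detail" (the documented
format) or "server summary - detail" (the rendering in the example output).
"""
import re

# {0} server, {1} summary, {2} detail. The summary ends at the FIRST " - "
# so that a detail text containing " - " is not split in the wrong place.
BODY_RE = re.compile(
    r"^(?:\[(?P<server>[^\]]+)\]|(?P<bare_server>\S+))\s+"
    r"(?P<summary>.+?)\s+-\s+(?P<detail>.*)$"
)
DISK_RE = re.compile(r"Disk usage is over (\d+)%")

# Constructed sample bodies; the first two carry the page's own example text.
SAMPLE_BODIES = [
    "[server1] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.",
    "server1 Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.",
    "[detector-2] Monitor not responding - Detection server detector-2 - no heartbeat for 5 minutes",
    "not an enforce event",
]


def parse_event(body):
    """Return {'server', 'summary', 'detail'} or None when the body does not
    follow the [{0}] {1} - {2} format."""
    m = BODY_RE.match(body.strip())
    if not m:
        return None
    return {
        "server": m.group("server") or m.group("bare_server"),
        "summary": m.group("summary"),
        "detail": m.group("detail"),
    }


def disk_usage_percent(event):
    """Extract the percentage from a Low disk space detail, else None."""
    if not event:
        return None
    m = DISK_RE.search(event["detail"])
    return int(m.group(1)) if m else None


def low_disk_events(bodies, threshold=80):
    """(server, percent) for Low disk space events at or above threshold."""
    hits = []
    for body in bodies:
        ev = parse_event(body)
        pct = disk_usage_percent(ev)
        if ev and ev["summary"] == "Low disk space" and pct is not None and pct >= threshold:
            hits.append((ev["server"], pct))
    return hits


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(parse_event(body))
    print(low_disk_events(SAMPLE_BODIES))
```

Only Severe events reach syslog, so a body that parses but carries an unexpected summary is still worth forwarding; the None result is the case to count and alert on, because it usually means the format line was changed on one side only.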
System Events
System Alerts
Configure system alerts to notify Symantec Data Loss Prevention administrators about a wide variety of system
conditions.
System alerts are email messages that are sent to designated addresses when a particular system event occurs. You
define what alerts (if any) that you want to use for your installation. Alerts are specified and edited on the Configure Alert
screen, which is reached by System > Servers and Detectors > Alerts > Add Alert.
Alerts can be specified based on event severity, server name, or event code, or a combination of those factors. Alerts can
be sent for any system event.
The email that is generated by the alert has a subject line that begins with Symantec Data Loss Prevention System
Alert followed by a short event summary. The body of the email contains the same information that is displayed by the
Event Detail screen to provide complete information about the event.
Configuring the Enforce Server to send email alerts
Configuring system alerts
Server and Detectors event detail
5. In the SMTP section, identify the SMTP server to use for sending out alerts and reports.
Enter the relevant information in the fields as described in the following table:
6. Click Save.
• Is any of.
• Is none of.
For each kind of condition, you can specify appropriate parameters:
• Event type. You can select one, or a combination of, Information, Warning, Severe. Click on an event type to specify
it. To specify multiple types, hold down the Control key while clicking on event types. You can specify one, two, or all
three types.
• Server. You can select one or more servers from the list of available servers. Click on the name of the server to specify
it. To specify multiple servers, hold down the Control key while clicking on server names. You can specify as many
different servers as necessary.
• Event code. Enter the code number. To enter multiple code numbers, separate them with commas or use the Return
key to enter each code on a separate line.
System event codes and messages
By combining multiple conditions, you can define alerts that cover a wide variety of system conditions.
NOTE
If you define more than one condition, the conditions are treated as if they were connected by the Boolean
"AND" operator. This means that the Enforce Server only sends the alert if all conditions are met. For example,
if you define an event type condition and a server condition, the Enforce Server only sends the alert if the
specified event occurs on the designated server.
1. Go to the Alerts screen (System > Servers and Detectors > Alerts).
2. Click the Add Alert tab to create a new alert, or click on the name of an alert to modify it.
The Configure Alert screen is displayed.
3. Fill in (or modify) the name of the alert. The alert name is displayed in the subject line of the email alert message.
4. Fill in (or modify) a description of the alert.
5. Click Add Condition to specify a condition that will trigger the alert.
Each time you click Add Condition you can add another condition. If you specify multiple conditions, every one of the
conditions must be met to trigger the alert.
Click on the red X next to a condition to remove it from an existing alert.
6. Enter the email address that the alert is to be sent to. Separate multiple addresses by commas.
7. Limit the maximum number of times this alert can be sent in one hour by entering a number in the Max Per Hour box.
If no number is entered in this box, there is no limit on the number of times this alert can be sent out. The
recommended practice is to limit alerts to one or two per hour, and to substitute a larger number later if necessary. If
you specify a large number, or no number at all, recipient mailboxes may be overloaded with continual alerts.
8. Click Save to finish.
The Alerts list is displayed.
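The condition and throttling rules from the steps above, modelled as an added Python example that is not part of the product: conditions are ANDed, each condition supports "Is any of" or "Is none of", event codes are accepted as typed in the Event code box, and Max Per Hour is enforced over a sliding one-hour window. Event records, their severities and the recipient address are constructed for the demonstration.

```python
from collections import deque
from datetime import datetime, timedelta

FIELDS = ("event_type", "server", "event_code")


class Condition:
    """One alert condition: a field, an operator ('any' = Is any of,
    'none' = Is none of) and the selected values."""

    def __init__(self, field, operator, values):
        if field not in FIELDS:
            raise ValueError("unknown condition field: " + field)
        if operator not in ("any", "none"):
            raise ValueError("operator must be 'any' or 'none'")
        self.field, self.operator = field, operator
        self.values = frozenset(values)

    def matches(self, event):
        hit = event[self.field] in self.values
        return hit if self.operator == "any" else not hit


class Alert:
    """All conditions must match (Boolean AND); max_per_hour=None means no cap."""

    def __init__(self, name, conditions, recipients, max_per_hour=None):
        self.name = name
        self.conditions = list(conditions)
        self.recipients = list(recipients)
        self.max_per_hour = max_per_hour
        self._sent = deque()  # delivery timestamps within the last hour

    def matches(self, event):
        return all(c.matches(event) for c in self.conditions)

    def should_send(self, event, now):
        """True if the event matches and the hourly cap is not exhausted."""
        if not self.matches(event):
            return False
        if self.max_per_hour is not None:
            cutoff = now - timedelta(hours=1)
            while self._sent and self._sent[0] <= cutoff:
                self._sent.popleft()  # forget deliveries older than an hour
            if len(self._sent) >= self.max_per_hour:
                return False  # throttled: recipients are protected from floods
        self._sent.append(now)
        return True


def parse_code_list(text):
    """Event codes as typed in the Event code box: comma- or newline-separated."""
    return {int(tok) for tok in text.replace(",", "\n").split()}


def demo():
    """Constructed scenario: Severe disk/tablespace events on server1, max 2/hour."""
    alert = Alert(
        "Enforce disk",
        [Condition("event_type", "any", {"Severe"}),
         Condition("server", "any", {"server1"}),
         Condition("event_code", "any", parse_code_list("1815, 2300\n2301"))],
        ["dlp-admins@example.com"],  # constructed recipient
        max_per_hour=2,
    )
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [  # severities are constructed, not taken from the product
        {"event_type": "Severe", "server": "server1", "event_code": 2300},  # sent
        {"event_type": "Severe", "server": "server2", "event_code": 2300},  # other server
        {"event_type": "Warning", "server": "server1", "event_code": 2300},  # wrong type
        {"event_type": "Severe", "server": "server1", "event_code": 1815},  # sent (2nd)
        {"event_type": "Severe", "server": "server1", "event_code": 2301},  # throttled
    ]
    results = [alert.should_send(e, t0 + timedelta(minutes=i))
               for i, e in enumerate(events)]
    # An hour after the first delivery the window has slid and one slot is free.
    later = alert.should_send(events[0], t0 + timedelta(hours=1, minutes=1))
    return results, later
```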
About log files
See Log files for additional information about working with logs.
Table 276: Detection configuration events
Code | Summary | Description
1200 | Loaded policy "{0}" | Policy "{0}" v{1} ({2}) has been successfully loaded.
1201 | Loaded policies {0} | None
1202 | No policies loaded | No relevant policies are found. No incidents will be detected.
1203 | Unloaded policy "{0}" | Policy "{0}" has been unloaded.
1204 | Updated policy "{0}" | Policy "{0}" has been successfully updated. The current policy version is {1}. Active channels: {2}.
1205 | Incident limit reached for Policy "{0}" | The policy "{0}" has found incidents in more than {1} messages within the last {2} hours. The policy will not be enforced until the policy is changed, or the reset period of {2} hours is reached.
1206 | Long message wait time | Message wait time was {0}:{1}:{2}:{3}.
1207 | Failed to load Vector Machine Learning profile | Failed to load [{0}] Vector Machine Learning profile. See server logs for more details.
1208 | Failed to unload Vector Machine Learning profile | Failed to unload [{0}] Vector Machine Learning profile. See server logs for more details.
1209 | Loaded Vector Machine Learning profile | Loaded [{0}] Vector Machine Learning profile.
1210 | Unloaded Vector Machine Learning profile | Unloaded [{0}] Vector Machine Learning profile.
1211 | Vector Machine Learning training successful | Training succeeded for [{0}] Vector Machine Learning profile.
1212 | Vector Machine Learning training failed | Training failed for [{0}] Vector Machine Learning profile.
1213 | {0} messages timed out in Detection recently | {0} messages timed out in Detection in the last {1} minutes. Enable Detection execution trace logs for details.
1214 | Detected regular expression rules with invalid patterns | Policy set contains regular expression rule(s) with invalid patterns. See FileReader.log for details.
1216 | The Execution Matrix has reached the memory limit of 200 MBs, or the Endpoint Server did not have sufficient memory for the Execution Matrix. | The Execution Matrix has reached the memory limit of 200 MBs, or the Endpoint Server did not have sufficient memory for the Execution Matrix. Legacy agents do not receive new policies until they are upgraded to the latest agent version or if the policy set is simplified.
Code | Summary | Description
1500 | Invalid license | The SMTP Prevent channel is not licensed or the license has expired. No incidents will be detected or prevented by the SMTP Prevent channel.
1501 | Bind address error | Unable to bind {0}. Please check the configured address or the RequestProcessor log for more information.
1502 | MTA restriction error | Unable to resolve host {0}.
1503 | All MTAs restricted | Client MTAs are restricted, but no hosts were resolved. Please check the RequestProcessor log for more information and correct the RequestProcessor.AllowHosts setting for this Prevent server.
1504 | Downstream TLS Handshake failed | TLS handshake with downstream MTA {0} failed. Please check SmtpPrevent and RequestProcessor logs for more information.
1505 | Downstream TLS Handshake successful | TLS handshake with downstream MTA {0} was successfully completed.
1600 | Override folder invalid | Monitor channel {0} has invalid source folder: {1} Using folder: {2}.
1601 | Source folder invalid | Monitor channel {0} has invalid source folder: {1} The channel is disabled.
Table 281: File scan events
Code | Summary | Description
1700 | Scan start failed | Discover target with ID {0} does not exist.
1701 | Scan terminated | {0}
1702 | Scan completed | Scan completed. Discover Target Name - "{0}"
1703 | Scan start failed | {0}
1704 | Share list had errors | {0}
1705 | Scheduled scan failed | Failed to start a scheduled scan of Discover target {0}. {1}
1706 | Scan suspend failed | {0}
1707 | Scan resume failed | {0}
1708 | Scheduled scan suspension failed | Scheduled suspension failed for scan of Discover target {0}. {1}
1709 | Scheduled scan resume failed | Scheduled suspension failed for scan of Discover target {0}. {1}
1710 | Maximum Scan Duration Timeout Occurred | Discover target "{0}" timed out because of Maximum Scan Duration.
1711 | Maximum Scan Duration Timeout Failed | Maximum scan time duration timed out for scan: {0}. However, an error occurred while trying to abort the scan.
1712 | Scan Idle Timeout Occurred | Discover target "{0}" timed out because of Scan Idle Timeout.
1713 | Scan Idle Timeout Failed | Maximum idle time duration timed out for scan: {0}. However, an error occurred while trying to abort the scan.
1714 | Scan terminated - Invalid Server State | Scan of discover target "{0}" has been terminated from the state of "{1}" because the associated discover server {2} entered an unexpected state of "{3}".
1715 | Scan terminated - Server Removed | Scan of discover target "{0}" has been terminated because the associated discover server {1} is no longer available.
1716 | Scan terminated - Server Reassigned | Scan of discover target "{0}" has been terminated because the associated discover server {1} is already scanning discover target(s) "{2}".
1717 | Scan terminated - Transition Failed | Failed to handle the state change of discover server {1} while scanning discover target "{0}". See log files for details.
1718 | Scan start failed | Scan of discover target "{0}" has failed to start. See log files for detailed error description.
1719 | Scan start failed due to unsupported target type | Scan of discover target "{0}" has failed, as its target type is no longer supported.
1720 | Scan started | Scan started. Discover Target Name - "{0}"
1721 | Scan paused | Scan paused. Discover Target Name - "{0}"
1722 | Scan stopped | Scan stopped. Discover Target Name - "{0}"
1723 | Scan queued | Scan queued. Discover Target Name - "{0}"
1724 | Scan failed | Scan failed. Discover Target Name - "{0}"
Table 282: Incident attachment external storage events
Code | Summary | Description
1750 | Incident attachment migration started | Migration of incident attachments from database to external storage directory has started.
1751 | Incident attachment migration completed | Completed migrating incident attachments from database to external storage directory.
1752 | Incident attachment migration failed | One or more incident attachments could not be migrated from database to external storage directory. Check the incident persister log for more details. Once the error is resolved, restart the SymantecDLPIncidentPersisterService service to resume the migration.
1753 | Incident attachment migration error. | One or more incident attachments migration from database to external storage directory has encountered error. Check the incident persister log for more details. Migration will continue and will retry erred attachment later.
1754 | Failed to update incident attachment deletion schedule | Failed to update the schedule to delete incident attachments in the external directory. Check the incident persister log for more details.
1755 | Incident attachment deletion started | Deletion of obsolete incident attachments from the external storage directory has started.
1756 | Incident attachment deletion completed | Deletion of obsolete incident attachments from the external storage directory has completed.
1757 | Incident attachment deletion failed | One or more incident attachments could not be deleted from the external storage directory. Check the incident persister log for more details.
1758 | Incident attachment external storage directory is not accessible | Incident attachment external storage directory is not accessible. Check the incident persister log for more details.
 | Incident attachment external storage directory is accessible | Incident attachment external storage directory is accessible.
1800 | Incident Persister is unable to process incident | Persister ran out of memory processing incident {0}.
1801 | Incident Persister failed to process incident | Incident {0}
1802 | Corrupted incident received | A corrupted incident was received, and renamed to {0}.
1803 | Policy misconfigured | Policy "{0}" has no associated severity.
1804 | Incident Persister is unable to start | Incident Persister cannot start because it failed to access the incident folder {0}. Check folder permissions.
1805 | Incident Persister is unable to access Incidents folder | The Incident Persister is unable to access the incident folder {0}. Check folder permissions.
1806 | Response rule processing failed to start | Response rule processing failed to start: {0}.
1807 | Response rule processing execution failed | Response rule command runtime execution failed from error: {0}.
1808 | Unable to write incident | Failed to delete old temporary file {0}.
1809 | Unable to write incident | Failed to rename temporary incident file {0}.
1810 | Unable to list incidents | Failed to list incident files in folder {0}. Check folder permissions.
1811 | Error sending incident | Unexpected error occurred while sending an incident. {0} Look in the incident writer log for more information.
1812 | Incident writer stopped | Failed to delete incident file {0} after it was sent. Delete the file manually, correct the problem and restart the incident writer.
1813 | Failed to list incidents | Failed to list incident files in folder {0}. Check folder permissions.
1814 | Incident queue backlogged | There are {0} incidents in this server's queue.
1815 | Low disk space on incident server | Hard disk space for the incident data storage server is low. Disk usage is over {0}%.
1816 | Failed to update policy statistics | Failed to update policy statistics for policy {0}.
1817 | Daily incident maximum exceeded | The daily incident maximum for policy {0} has been exceeded.\n No further incidents will be generated.
1818 | Incident is oversized, has been persisted with a limited number of components and/or violations | Incident is oversized, has been partially persisted with messageID {0}, Incident File Name {1}.
1821 | Failure to process an incident received from the cloud gateway | Unexpected error occurred while sending an incident {0}
1900 | Failed to load update package | Database connection error occurred while loading the software update package {0}.
1901 | Software update failed | Failed to apply software update from package {0}. Check the update service log.
2000 | Key ignition error | Failed to ignite keys with the new ignition password. Detection against Exact Data Profiles will be disabled.
2001 | Unable to update key ignition password. | The key ignition password won't be updated, because the cryptographic keys aren't ignited. Exact Data Matching will be disabled.
2099 | Administrator password reset | The Administrator password has been reset by the password reset tool.
Table 287: Manager administrator and policy events
Code | Summary | Description
2130 | Directory Connection source removed | The directory connection source with ID {0} was removed by {1}.
2131 | Directory Connection source saved | The {0} directory connection source was saved by {1}.
2132 | Agent Troubleshooting Task | Agent Troubleshooting task of type {0} created by user {1}.
2133 | Certificate authority file generated. | Certificate authority file {0} generated.
2134 | Certificate authority file is corrupt. | Certificate authority file {0} is corrupt.
2135 | Password changed for certificate authority file. | Password changed for certificate authority file {0}. New certificate authority file is {1}.
2136 | Server keystore generated. | Server keystore {0} generated for endpoint server {1}.
2137 | Server keystore is missing or corrupt. | Server keystore {0} for endpoint server {1} is missing or corrupt.
2138 | Server truststore generated. | Server truststore {0} generated for endpoint server {1}.
2139 | Server truststore is missing or corrupt. | Server truststore {0} for endpoint server {1} is missing or corrupt.
2140 | Client certificates and key generated. | Client certificates and key generated.
2141 | Agent installer package generated. | Agent installer package generated for platforms {0}.
2200 | End User License Agreement accepted | The Symantec Data Loss Prevention End User License Agreement was accepted by {0}, {1}, {2}.
2201 | License is invalid | None
2202 | License has expired | One or more of your product licenses has expired. Some system feature may be disabled. Check the status of your licenses on the system settings page.
2203 | License about to expire | One or more of your product licenses will expire soon. Check the status of your licenses on the system settings page.
2204 | No license | The license does not exist, is expired or invalid. No incidents will be detected.
2205 | Keys ignited | The cryptographic keys were ignited by administrator logon.
2206 | Key ignition failed | Failed to ignite the cryptographic keys manually. Please look in the Enforce Server logs for more information. It will be impossible to create new exact data profiles.
2207 | Auto key ignition | The cryptographic keys were automatically ignited.
2208 | Manual key ignition required | The automatic ignition of the cryptographic keys is not configured. Administrator logon is required to ignite the cryptographic keys. No new exact data profiles can be created until the administrator logs on.
2300 | Low disk space | Hard disk space is low. Symantec Data Loss Prevention Enforce Server disk usage is over {0}%.
2301 | Tablespace is almost full | Oracle tablespace {0} is over {1}% full.
2302 | {0} not responding | Detection Server {0} did not update its heartbeat for at least 20 minutes.
2303 | Monitor configuration changed | The {0} monitor configuration was changed by {1}.
2304 | System update uploaded | A system update was uploaded that affected the following components: {0}.
2305 | SMTP server is not reachable. | SMTP server is not reachable. Cannot send out alerts or schedule reports.
2306 | Enforce Server started | The Enforce Server was started.
2307 | Enforce Server stopped | The Enforce Server was stopped.
2308 | Monitor status updater exception | The monitor status updater encountered a general exception. Please look at the Enforce Server logs for more information.
2309 | System statistics update failed | Unable to update the Enforce Server disk usage and database usage statistics. Please look at the Enforce Server logs for more information.
2310 | Statistics aggregation failure | The statistics summarization task encountered a general exception. Refer to the Enforce Server logs for more information.
2311 | Version mismatch | Enforce version is {0}, but this monitor's version is {1}.
2312 | Incident deletion failed | Incident Deletion failed.
2313 | Incident deletion completed | Incident deletion ran for {0} and deleted {1} incident(s).
2314 | Endpoint data deletion failed | Endpoint data deletion failed.
2315 | Incident deletion started | Incident deletion process started.
2316 | Over {0} incidents currently contained in the database | Persisting over {0} incidents can decrease database performance.
2318 | Incident deletion flagging process started. | Incident deletion flagging process started.
2319 | Incident deletion flagging process ended. | Incident deletion flagging process ended.
2320 | Version obsolete | Detection server is not supported when two major versions older than Enforce server version. Enforce version is {0}, and this detection server's version is {1}. This detection server must be upgraded.
2321 | Version older than Enforce version | Enforce will not have visibility for this detection server and will not be able to send updates to it. Detection server incidents will be received and processed normally. Enforce version is {0}, and this detection server's version is {1}.
2322 | Version older than Enforce version | Functionality introduced with recent versions of Enforce relevant to this type of detection server will not be supported by this detection server. Enforce version is {0}, and this detection server's version is {1}.
2323 | Minor version older than Enforce minor version | Functionality introduced with recent versions of Enforce relevant to this type of detection server will not be supported by this detection server and might be incompatible with this detection server. Enforce version is {0}, and this detection server's version is {1}. This detection server should be upgraded.
2324 | Version newer than Enforce version | Detection server is not supported when its version is newer than the Enforce server version. Enforce version is {0}, and this detection server's version is {1}. Enforce must be upgraded or detection server must be downgraded.
2400 | Export web archive finished | Archive "{0}" for user {1} was created successfully.
2401 | Export web archive canceled | Archive "{0}" for user {1} was canceled.
2402 | Export web archive failed | Failed to create archive "{0}" for user {1}. The report specified had over {2} incidents.
2403 | Export web archive failed | Failed to create archive "{0}" for user {1}. Failure occurred at incident {2}.
2404 | Unable to run scheduled report | The scheduled report job {0} was invalid and has been removed.
2405 | Unable to run scheduled report | The scheduled report {0} owned by {1} encountered an error: {2}.
2406 | Report scheduling is disabled | The scheduled report {0} owned by {1} cannot be run because report scheduling is disabled.
2407 | Report scheduling is disabled | The scheduled report cannot be run because report scheduling is disabled.
2408 | Unable to run scheduled report | Unable to connect to mail server when delivery scheduled report {0} {1}.
2409 | Unable to run scheduled report | User {0} is no longer in role {1} which scheduled report {2} belongs to. The schedule has been deleted.
2410 | Unable to run scheduled report | Unable to run scheduled report {0} for user {1} because the account is currently locked.
2411 | Scheduled report sent | The schedule report {0} owned by {1} was successfully sent.
2412 | Export XML report failed | XML Export of report by user [{0}] failed.
2420 | Unable to run scheduled data owner report distribution | Unable to distribute report {0} (id={1}) by data owner because sending of report data has been disabled.
2421 | Report distribution by data owner failed | Report distribution by data owner for report {0} (id={1}) failed.
2422 | Report distribution by data owner finished | Report distribution by data owner for report {0} (id={1}) finished with {2} incidents for {3} data owners. {4} incidents for {5} data owners failed to be exported.
2423 | Report distribution to data owner truncated | The report distribution {1} (id={2}) for the data owner "{0}" exceeded the maximum allowed size. Only the first {3} incidents were sent to "{0}".
Table 292: Messaging events
Code | Summary | Description
2500 | Unexpected Error Processing Message | {0} encountered an unexpected error processing a message. See the log file for details.
2501 | Memory Throttler disabled | {0} x {1} bytes need to be available for memory throttling. Only {2} bytes were available. Memory Throttler has been disabled.
2600 | Communication error | Unexpected error occurred while sending {1} updates to {0}. {2} Please look at the monitor controller logs for more information.
2650 | Communication error(VML) | Unexpected error occurred while sending profile updates config set {0} to {1} {2}. Please look at the monitor controller logs for more information.
Table 295: Packet capture events
Code | Summary | Description
2800 | Bad spool directory configured for Packet Capture | Packet Capture has been configured with a spool directory: {0}. This directory does not have write privileges. Please check the directory permissions and monitor configuration file. Then restart the monitor.
2801 | Failed to send list of NICs. {0} | {0}.
Code | Summary | Description
2922 | Couldn't find registered content | Registered content with ID {0} wasn't found in database during indexing.
2923 | Database error | Database error occurred during indexing. {0}
2924 | Process shutdown during indexing | The process has been shutdown during indexing. Some registered content may have failed to create.
2925 | Policy is inaccurate | Policy "{0}" has one or more rules with unsatisfactory detection accuracy against {1}.{2}
2926 | Created exact data profile | Created {0} from file "{1}".\nRows processed: {2}\nInvalid rows: {3}\nThe exact data profile will now be replicated to all Symantec Data Loss Prevention Servers.
2927 | User Group "{0}" synchronization failed | The following User Group directories have been removed/renamed in the Directory Server and could not be synchronized: {1}.Please update the "{2}" User Group page to reflect such changes.
2928 | One or more EDM profiles are out of date and must be reindexed | Check the "Manage > Data Profiles > Exact Data" page for more details. The following EDM profiles are out of date: {0}.
Code | Summary | Description
3017 | Created document profile | Created "{0}" from "{1}". There are {2} accessible files in the content root. {3} The profile contains index for {4} document(s). {5} The document profile will now be replicated to all Symantec Data Loss Prevention Servers.
3018 | Document profile | {0} has reached maximum size. Only {1} out of {2} documents are indexed.
3019 | Nothing to index | Document source "{0}" found no files to index.
3020 | Created document profile | Created "{0}" from "{1}". There are {2} accessible files in the content root. {3} The profile contains index for {4} document(s). Comparing to last indexing run: {5} new document(s) were added, {6} document(s) were updated, {7} documents were unchanged, and {8} documents were removed. The document profile will now be replicated to all Symantec Data Loss Prevention servers.
3021 | Nothing to index | The new remote IDM profile for source "{0}" was identical to the previous imported version.
3022 | Profile conversion | IDM profile {0} has been converted to {1} on the endpoint.
3023 | Endpoint IDM profiles memory usage | IDM profile {0} size plus already deployed profiles size are too large to fit on the endpoint, only exact matching will be available.
3100 | Invalid Attributes detected with Script Lookup Plugin | Invalid or unsafe Attributes passed from Standard In were removed during script execution. Please check the logs for more details.
3101 | Invalid Attributes detected with Script Lookup Plugin | Invalid or unsafe Attributes passed to Standard Out were removed during script execution. Please check the logs for more details.
Table 300: Packet capture events
Code | Summary | Description
3400 | Couldn't add files to zip | The files requested for collection could not be written to an archive file.
3401 | Couldn't send log collection | The files requested for collection could not be sent.
3402 | Couldn't read logging properties | A properties file could not be read. Logging configuration changes were not applied.
3403 | Couldn't unzip log configuration package | The zip file containing logging configuration changes could not be unpacked. Configuration changes will not be applied.
3404 | Couldn't find files to collect | There were no files found for the last log collection request sent to server.
3405 | File creation failed | Could not create file to collect endpoint logs.
3406 | Disk usage exceeded | File creation failed due to insufficient disk space.
3407 | Max open file limit exceeded | File creation failed as max allowed number of files are already open.
Table 302: Enforce SPC events
Code | Summary | Description
3500 | SPC Server successfully registered. | SPC Server successfully registered. Product Instance Id [{0}].
3501 | SPC Server successfully unregistered. | SPC Server successfully unregistered. Product Instance Id [{0}].
3502 | A self-signed certificate was generated. | A self-signed certificate was generated. Certificate alias [{0}].
3600 | User import completed successfully. | User import from source {0} completed successfully.
3601 | User import failed. | User import from data source {0} has failed.
3602 | Updated user data linked to incidents. | Updated user data linked to {0} existing incident events.
3700 | Unable to write catalog item | Failed to delete old temporary file {0}.
3701 | Unable to rename catalog item | Failed to rename temporary catalog item file {0}.
3702 | Unable to list catalog items | Failed to list catalog item files in folder {0}.Check folder permissions.
3703 | Error sending catalog items | Unexpected error occurred while sending an catalog item.{0}Look in the file reader log for more information.
3704 | File Reader failed to delete files. | Failed to delete catalog file {0} after it was sent.\nDelete the file manually, correct the problem and restart the File Reader.
3705 | Failed to list catalog item files | Failed to list catalog item files in folder {0}.Check folder permissions.
3706 | The configuration is not valid. | The property {0} was configured with invalid value {1}. Please make sure that this has correct value provided.
3707 | Scan failed: Remediation detection catalog could not be updated | Remediation detection catalog update timed out after {0} seconds for target {1}.
Table 306: Endpoint communication layer events
Code | Summary | Description
3900 | Internal communications error. | Internal communications error. Please see {0} for errors. Search for the string {1}.
3901 | System events have been suppressed. | System event throttle limit exceeded. {0} events have been suppressed. Internal error code = {1}.
4000 | Agent Handshaker error | Agent Handshaker error. Please see {0} for errors. Search for the string {1}.
Table 308: Monitor controller replication communication layer application error events
Code | Summary | Description
4050 | Agent data batch persist error | Unexpected error occurred while agent data being persisted : {0}. Please look at the monitor controller logs for more information.
4051 | Agent status attribute batch persist error | Status attribute data for {0} agent(s) could not be persisted. Please look at the monitor controller logs for more information.
4052 | Agent event batch persist | Event data for {0} agent(s) could not be persisted. Please look at the monitor controller logs for more information.
4101 | Response Rule Execution Service Database failure on request fetch | Request fetch failed even after {0} retries. Database connection still down. The service will be stopped.
4200 | Cloud Service enrollment: successfully received client certificate from Symantec Managed PKI Service | Cloud Service enrollment: successfully received client certificate from Symantec Managed PKI Service.
4201 | Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service | ERROR {0}.
4205 | Symantec Managed PKI certificate expires in {0} days | Symantec Managed PKI certificate expires in {0} days.
4206 | Symantec Managed PKI Service certificate has expired | Symantec Managed PKI Service certificate has expired.
4210 | Cloud Service enrollment bundle error | Invalid enrollment file content.
4211 | Cloud Service enrollment bundle error | Enrollment file missing from ZIP bundle.
4212 | Invalid Cloud Detector enrollment bundle | Detector info doesn't match the existing configuration.
4300 | Cloud Detector created in Enforce | Cloud detector {0} created in Enforce.
4400 | One or more User Group profiles are out of date and must be reindexed. | Check the System > Users > User Groups page for more details. The following User Group profiles are out of date: {0}.
4701 | Cloud operations events or notifications | Cloud operations issued an event or notification about the cloud service.
4800 | OCR service is busy | Request not processed. OCR server's request queue is full.
4801 | Request failed to connect to OCR server | Please verify OCR server's address, port, and that it is reachable. Check logs for more detail.
4802 | OCR server had an internal server error | Please check OCR server logs for details about what went wrong.
4803 | OCR request was not successful | {0}
4804 | Failed to initialize OCR Client | {0}
4805 | An Unknown error encountered | {0}
4807 | The client and/or OCR server are not authorized with each other | Unable to verify client and server with each other as authorized endpoints. Please verify that the client and server keystores are configured correctly. Check logs on detection server and OCR server for more details.
2705 | Configuration file {0} delivery complete | Transferred configuration file {0} to detection server.
2726 | Connected to detection server | Connected to detection server.
2727 | Detection server connection disconnected | Error [FAILURE_TO_CONNECT]. Check your network settings.
Code | Summary | Description
6110 | Detector process recycle requested | The Detector process will be restarted as per the recycle request.
6111 | Discover cluster node {cluster node Id} recycle requested | The Discover cluster node {cluster node Id} will restart based on a recycle request.
Field | Description
Extendable To (MB) | The size to which the tablespace can be extended. This value is based on the Autoextend settings of the files within the tablespace.
Status | The current status of the tablespace according to the percentage of the tablespace currently in use, depending on the warning thresholds. If you are using the default warning threshold settings, the status is:
• OK: The tablespace is under 80% full, or the tablespace can be automatically extended.
• Warning: The tablespace is between 80% and 90% full. If you see a warning on a tablespace, you may consider enabling Autoextend on the data files in the tablespace or extending the maximum value for data file auto-extensibility.
• Severe: The tablespace is more than 90% full. If you see a severe warning on a tablespace, you should enable Autoextend on the data files in the tablespace, extend the maximum value for data file auto-extensibility, or determine whether you can purge some of the data in the tablespace.
com.vontu.manager.tablespaceThreshold.severe=95
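An added Python example, not Symantec's code, that applies the status rules above to a set of tablespaces and reads the severe threshold from the com.vontu.manager.tablespaceThreshold.severe property. Only the severe key appears on the page; that a warning key follows the same naming is an assumption, and the tablespace rows are constructed.

```python
DEFAULT_THRESHOLDS = {"warning": 80, "severe": 90}  # defaults stated on the page
PREFIX = "com.vontu.manager.tablespaceThreshold."


def load_thresholds(properties_text, defaults=DEFAULT_THRESHOLDS):
    """Parse a properties-file snippet for threshold overrides.
    Only '.severe' is documented on the page; '.warning' is assumed to follow
    the same naming. Other keys, comments and blank lines are ignored."""
    thresholds = dict(defaults)
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX) and key[len(PREFIX):] in thresholds:
            thresholds[key[len(PREFIX):]] = int(value)
    return thresholds


def tablespace_status(used_mb, size_mb, extendable_to_mb, thresholds):
    """Return (status, percent_full) following the page's rules: OK below the
    warning threshold or while autoextend still has headroom, Warning between
    the two thresholds, Severe above the severe threshold."""
    pct_full = 100.0 * used_mb / size_mb
    if extendable_to_mb > size_mb:  # the tablespace can still be auto-extended
        return "OK", pct_full
    if pct_full < thresholds["warning"]:
        return "OK", pct_full
    if pct_full <= thresholds["severe"]:
        return "Warning", pct_full
    return "Severe", pct_full


# Constructed sample rows: (name, used MB, size MB, extendable-to MB).
SAMPLE_TABLESPACES = [
    ("USERS",     850, 1000, 1000),  # 85% full, no autoextend headroom
    ("LOB_DATA",  920, 1000, 1000),  # 92% full, no autoextend headroom
    ("INCIDENTS", 950, 1000, 4000),  # 95% full, but autoextend has room
    ("INDEX",     300, 1000, 1000),  # 30% full
]


def status_report(rows, thresholds):
    """Map each tablespace name to its status so a monitor can page on Severe."""
    return {name: tablespace_status(used, size, ext, thresholds)[0]
            for name, used, size, ext in rows}
```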
Tab and description | Field and description
 | % Full: The percentage of the table currently in use.
Other Tables: This tab lists all other tables in the schema. | Table Name: The name of the table.
 | In Tablespace: The name of the tablespace that contains the table.
 | Size (MB): The size of the table, in megabytes.
 | % Full: The percentage of the table currently in use.
Indices: This table lists all of the indexes in the schema. | Index Name: The name of the index.
 | Table Name: The name of the table that contains the index.
 | In Tablespace: The name of the tablespace that contains the table.
 | Size (MB): The size of the table, in megabytes.
 | % Full: The percentage of the table currently in use.
LOB Segments: This table lists all of the large object (LOB) tables in the schema. | Table Name: The name of the table.
 | Column Name: The name of the table column containing the LOB data.
 | In Tablespace: The name of the tablespace that contains the table.
 | LOB Segment Size (MB): The size of the LOB segment, in megabytes.
 | LOB Index Size: The size of the LOB index, in megabytes.
 | % Full: The percentage of the table currently in use.
NOTE
The percentage used value for each table displays the percentage of the table currently in use as reported by
the Oracle database in dark blue. It also includes an additional estimated percentage used range in light blue.
Symantec Data Loss Prevention calculates this range based on tablespace utilization.
The public certificates and keys are securely stored in the Enforce Server database. The DLP Agent initiates connections
to one of the Endpoint Prevent Servers or load balancer servers and authenticates the server certificate.
When you deploy an Endpoint Prevent Server, the system generates the server public-private key pair that is signed by
the DLP root CA certificate. These files are versioned. When you generate the agent package, the system generates the
agent public-private key pair and the agent certificate, also signed by the DLP root CA.
You can view which CA version is in use at the System > Settings > General screen. The password for the DLP root CA
is randomly generated and used by the system. Changing the root CA password is reserved for internal use.
Table 318: Configuring Endpoint Prevent Servers to Use Custom Certificates
Step 1: Upload a keystore that contains the custom certificate for identifying the Endpoint Prevent Server. Make sure that the custom certificate specifies 'Server Authentication' as the intended purpose. See Adding and Modifying Custom Keystores for Endpoint Prevent Servers.
Step 2: Upload a truststore with the CA public certificate that agents can use to validate the custom Endpoint Prevent Server certificate. See Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers.
Step 3: Generate an agent installation package that contains the custom truststore. See Generating agent installation packages.
Step 4: Do one of the following actions:
• If you have not yet deployed any DLP Agents, follow the installation instructions. See Installing the DLP Agent on Windows, Installing the DLP Agent for macOS, and Installing the DLP Agent on Linux.
• If you have already deployed DLP Agents, use the agent_communication_updater tool to update the truststore in the agent database. See Using the agent_communication_updater utility.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
Table 319: Configuring DLP Agents to Use Custom Certificates
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.
4. In the dialog box, enter or modify the following values:
Setting Description
NAME The unique name of the custom keystore.
DESCRIPTION The description of the custom keystore.
UPLOAD FILE Click Browse and then specify the location of the keystore file
(.jks) that you want to upload.
PASSWORD The password for the uploaded .jks file.
Make sure that the storepass and keypass are the same.
5. Click Save.
If you modified an existing custom keystore, recycle all the Endpoint Prevent Servers that use the updated custom
keystore.
Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers
On the Certificate Management page of the Enforce Server administration console, you can add and modify custom
truststores.
Symantec Data Loss Prevention supports custom truststores in the Java TrustStore (JKS) file format.
To add or modify custom truststores, do the following steps:
1. In the Enforce Server administration console, navigate to System > Settings > Certificate Management.
2. On the Certificate Management page, click the TrustStore tab.
3. On the TrustStore tab, do one of the following steps:
• To add a custom truststore, click the Add button. The Add TrustStore File dialog box appears.
• To modify an existing truststore, click the ellipsis button (three vertical dots) on the far-right side of the truststore
that you want to modify and then click Edit. The Edit TrustStore File dialog box appears.
4. In the dialog box, enter or modify the following values:
Setting Description
NAME The unique name of the custom truststore.
DESCRIPTION The description of the custom truststore.
UPLOAD FILE Click Browse and then specify the location of the truststore file
(.jks) that you want to upload.
PASSWORD The password for the uploaded .jks file.
NOTE
If you upload a new .jks file, make sure that endpoints use the corresponding custom certificate that the
Endpoint Prevent Server can recognize.
5. Make sure that Include DLP Root CA is checked.
6. Click Save.
If you modified an existing custom truststore, recycle all the Endpoint Prevent Servers that use the updated custom
truststore.
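The keystore uploaded in Adding and Modifying Custom Keystores for Endpoint Prevent Servers and the truststore uploaded in the procedure above can be built and checked from the command line with keytool. The script below is an added example, not Symantec tooling: it creates a throwaway test CA, issues a server certificate with the 'Server Authentication' (serverAuth) extended key usage, builds the JKS keystore with storepass equal to keypass, builds the JKS truststore holding only the CA certificate, and then verifies those properties before you upload the files. The host name dlp-endpoint.example.com, the sample passwords and the output directory are assumptions; in production send server.csr to your real CA instead of signing it locally.

```shell
#!/bin/sh
# Build the JKS keystore (Endpoint Prevent Server identity) and JKS truststore
# (CA certificate for agents and servers) that the procedures above upload,
# then verify the two things the console requires: storepass == keypass, and
# EKU serverAuth ("Server Authentication") on the server certificate.
# Added example, not Symantec tooling. The CA is a throwaway test CA; in
# production send server.csr to your real CA instead of signing it here.
set -eu

# Sample values (assumptions); override them in a real deployment.
: "${STORE_PASS:=Sample-Store-Pass-1}"     # keystore storepass AND keypass
: "${TRUST_PASS:=Sample-Trust-Pass-1}"     # truststore password
: "${CA_PASS:=Sample-CA-Pass-1}"           # throwaway CA key password
: "${SERVER_FQDN:=dlp-endpoint.example.com}"
export STORE_PASS TRUST_PASS CA_PASS

# keytool's ":env VAR" form keeps passwords out of the process list.
build_dlp_stores() {
  dir=$1
  mkdir -p "$dir"
  rm -f "$dir"/ca.jks "$dir"/ca.pem "$dir"/server.csr "$dir"/server.cer \
        "$dir"/endpoint_server.jks "$dir"/endpoint_truststore.jks
  kt="keytool -storetype JKS"
  # Throwaway CA with the extensions a CA certificate needs.
  $kt -genkeypair -alias dlp-ca -keyalg RSA -keysize 3072 -validity 3650 \
      -dname "CN=Example DLP Custom CA" \
      -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign \
      -keystore "$dir/ca.jks" -storepass:env CA_PASS -keypass:env CA_PASS
  $kt -exportcert -alias dlp-ca -rfc -file "$dir/ca.pem" \
      -keystore "$dir/ca.jks" -storepass:env CA_PASS
  # Server key pair: keypass is deliberately the same variable as storepass.
  $kt -genkeypair -alias endpoint-server -keyalg RSA -keysize 3072 -validity 825 \
      -dname "CN=$SERVER_FQDN" -ext "san=dns:$SERVER_FQDN" \
      -keystore "$dir/endpoint_server.jks" \
      -storepass:env STORE_PASS -keypass:env STORE_PASS
  $kt -certreq -alias endpoint-server -file "$dir/server.csr" \
      -keystore "$dir/endpoint_server.jks" \
      -storepass:env STORE_PASS -keypass:env STORE_PASS
  # Sign with the serverAuth extended key usage the page requires.
  $kt -gencert -alias dlp-ca -infile "$dir/server.csr" -outfile "$dir/server.cer" \
      -rfc -validity 825 -ext eku:c=serverAuth -ext "san=dns:$SERVER_FQDN" \
      -keystore "$dir/ca.jks" -storepass:env CA_PASS -keypass:env CA_PASS
  # Import the CA first so the reply chain validates, then the signed cert.
  $kt -importcert -noprompt -alias dlp-ca -file "$dir/ca.pem" \
      -keystore "$dir/endpoint_server.jks" -storepass:env STORE_PASS
  $kt -importcert -noprompt -alias endpoint-server -file "$dir/server.cer" \
      -keystore "$dir/endpoint_server.jks" \
      -storepass:env STORE_PASS -keypass:env STORE_PASS
  # Truststore: only the CA certificate that agents use to validate the server.
  $kt -importcert -noprompt -alias custom-ca -file "$dir/ca.pem" \
      -keystore "$dir/endpoint_truststore.jks" -storepass:env TRUST_PASS
}

# Checks to run before uploading the files on the Certificate Management page.
verify_dlp_stores() {
  dir=$1
  # storepass must also unlock the private key (storepass == keypass).
  keytool -certreq -alias endpoint-server -file "$dir/.probe.csr" \
      -keystore "$dir/endpoint_server.jks" \
      -storepass:env STORE_PASS -keypass:env STORE_PASS >/dev/null 2>&1 \
      || { echo "FAIL: keypass differs from storepass"; return 1; }
  rm -f "$dir/.probe.csr"
  # The server certificate must carry EKU serverAuth.
  keytool -list -v -alias endpoint-server -keystore "$dir/endpoint_server.jks" \
      -storepass:env STORE_PASS 2>/dev/null | grep -q serverAuth \
      || { echo "FAIL: certificate lacks the serverAuth extended key usage"; return 1; }
  # The truststore must hold the CA as a trusted entry.
  keytool -list -alias custom-ca -keystore "$dir/endpoint_truststore.jks" \
      -storepass:env TRUST_PASS 2>/dev/null | grep -q trustedCertEntry \
      || { echo "FAIL: CA certificate missing from truststore"; return 1; }
  echo "OK: $dir/endpoint_server.jks and $dir/endpoint_truststore.jks verified"
}

if command -v keytool >/dev/null 2>&1; then
  OUT=${OUT_DIR:-./dlp-custom-certs}
  build_dlp_stores "$OUT" && verify_dlp_stores "$OUT"
else
  echo "keytool not found; install a JDK/JRE to build the stores" >&2
fi
```

Upload endpoint_server.jks on the KeyStore tab with STORE_PASS, and endpoint_truststore.jks on the TrustStore tab with TRUST_PASS, leaving Include DLP Root CA checked as the procedure says. The ca.pem file is the same CA certificate that ends up in the agent package's endpoint_truststore.pem; keep the CA private key (ca.jks) off the Enforce Server.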
Deleting Custom Keystores and Truststores
On the Certificate Management page of the Enforce Server administration console, you can delete custom keystores
and truststores that are used by endpoints and Endpoint Servers.
Before you delete a custom keystore or truststore, make sure that it is not in use.
1. In the Enforce Server administration console, navigate to System > Settings > Certificate Management.
2. On the Certificate Management page, do one of the following steps:
• To delete a custom keystore, click the KeyStore tab.
• To delete a custom truststore, click the TrustStore tab.
Depending on your choice, the list of custom keystores or the list of custom truststores is displayed.
3. Select the custom keystore or truststore that you want to delete. Click an item once to select it; click the item again to
deselect it. You can select only one item for deletion at a time.
4. After you select the custom keystore or truststore that you want to delete, click Delete.
5. In the confirmation dialog box, click OK.
Command parameter and description:
• -p: The agent tools password that you specified when you generated the agent package.
• -truststore: The file path of the agent truststore (endpoint_truststore.pem file) that you extracted from the agent package. For example: -truststore=/User/temp/endpoint_truststore.pem
EndpointCommunications.AllowLegacyAgentToConnect (default: 0)
Specifies whether DLP Agents earlier than version 16.0 are allowed to connect to Endpoint Prevent Servers that use a custom truststore.
• 0 - Not allowed (default)
• 1 - Allowed
EndpointCommunications.CertificateRevocationCheckProtocol (default: CRL)
The protocol used to verify the revocation status of custom endpoint certificates. Accepted values are:
• None
• CRL (default)
• OCSP
• OCSP+CRL
EndpointCommunications.ClientAuthSessionTimeoutInSeconds (default: 86400)
The time in seconds during which custom endpoint certificates are exempted from revocation checks. During this interval, the DLP Agent does not send the endpoint certificate to the Endpoint Prevent Server.
Revocation Checks For Custom Certificates
DLP supports revocation checks for endpoint certificates over the Online Certificate Status Protocol (OCSP) or through
a Certificate Revocation List (CRL). DLP does not support revocation checks for custom Endpoint Prevent Server
certificates.
If the CRL Distribution Point includes both HTTP and LDAP URLs, do the following actions to prioritize HTTP revocation
checks:
• Place the HTTP URLs before the LDAP URLs.
• Configure an LDAP connection timeout of 1 second in the jndi.properties file. This property minimizes the delay
in performing revocation checks over HTTP if the LDAP connections fail.
Certificate Management
The Certificate Management page of the Enforce Server administration console enables you to manage custom
certificates that are used to authenticate and secure communications between DLP Agents and Endpoint Servers. You
can add, modify, and delete keystores and truststores that contain the custom certificates and keys that you want to use.
For more information about using custom certificates, see:
• Secure Communications Between DLP Agents and Endpoint Servers
• Configuring Endpoint Prevent Servers to Use Custom Certificates
• Configuring DLP Agents to Use Custom Certificates
• Adding and Modifying Custom Keystores for Endpoint Prevent Servers
• Adding and Modifying Custom Truststores for Endpoints and Endpoint Prevent Servers
• Deleting Custom Keystores and Truststores
• Limitations of DLP support for custom certificates
The following table describes the settings on the Certificate Management page of the Enforce Server administration
console.
Setting and description:
• KeyStore tab: Click the KeyStore tab to view the list of custom keystores.
• TrustStore tab: Click the TrustStore tab to view the list of custom truststores.
• Add: Click Add to add a new keystore or truststore, depending on which tab is open.
• Delete: Click Delete to delete the selected keystore or truststore. The Delete button appears only after you select an item for deletion.
• Ellipsis button (three vertical dots): Click the ellipsis button on the far right side of a keystore or truststore to access the following menu options:
• Edit: Click Edit to modify the keystore or truststore.
• Delete: Click Delete to delete the keystore or truststore.
Deploy Symantec Data Loss Prevention servers on Amazon Web Services
System Readiness and Appliances Update
Working with Microsoft Information Protection
Configuring the connection between the Enforce Server and Data Insight
The Current License list displays the following information for each product license:
• Product – The individual Symantec Data Loss Prevention product name
• Count – The number of users licensed to use the product
• Status – The current state of the product
• Expiration – The expiration date of license for the product
A month before the license expires, warning messages appear on the System > Servers > Overview screen. When you see a message about the expiration of your license, contact Symantec to purchase a new license key before the current license expires.
• You have knowledge and experience with Symantec Data Loss Prevention. See Introducing Symantec Data Loss
Prevention.
• You have an existing AWS account. To create an AWS account, go to http://www.aws.amazon.com.
• You have knowledge and experience with AWS and its key features EC2, VPCs, and Security Groups. To access the
AWS documentation, go to http://www.aws.amazon.com/documentation.
Symantec Data Loss Prevention two- and three-tier deployments are supported on Amazon Web Services Virtual Private
Cloud (VPC). That enables you to use a cloud infrastructure for one or more of your Data Loss Prevention servers. You
can also use a hybrid architecture for your AWS cloud deployment. With hybrid architectures, you deploy an Enforce
Server and Oracle database on premises and deploy detection servers on the AWS infrastructure. You can deploy the
Enforce Server, the Oracle database (or Oracle RDS), and detection servers on AWS. You can use Transport Layer
Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the database server or Oracle RDS.
See About securing communications between the Enforce Server and Amazon RDS for Oracle.
Some examples of AWS deployments include:
• A Network Discover detection server on AWS. This server discovers sensitive data residing on Microsoft SharePoint,
Microsoft Exchange, and CIFS-compliant file share servers residing in the cloud.
• A Network Prevent for Email detection server on AWS. This server controls the transmission of sensitive email from a
Microsoft Exchange mail server residing in the cloud.
• An Enforce Server with the Oracle database and the Cloud Prevent for Email Server in the AWS cloud. This server
prevents data loss from Microsoft 365 email traffic.
See Supported Data Loss Prevention servers on AWS.
The Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated region of the AWS cloud in a virtual
network that you define.
To deploy Data Loss Prevention on AWS, you must use a VPC. Symantec only supports connecting an on-premises
Enforce Server to a detection server that is deployed to an EC2 instance with a VPC.
If you created an AWS account after December 2013, when you provision an EC2 instance you either use the default VPC
or one you define.
If you created an AWS account before December 2013, note the following. When you provision an EC2 instance, you are given the option of creating an EC2 "Classic" instance. An EC2-Classic instance runs outside a VPC. If this situation applies to you, you must make sure that you provision the EC2 instance with a VPC.
Symantec Data Loss Prevention supports the deployment of the following servers on the AWS infrastructure:
• Two-tier deployment of Enforce Server and the Oracle database on the same server
• Three-tier deployment with the Oracle database or the Oracle RDS
• Enforce Server with Oracle database on the same computer
• Cloud Prevent for Email
• Network Prevent for Web
• Endpoint Prevent
• Network Discover
• Network Prevent for Email
If you want to deploy the Enforce Server on the AWS infrastructure, Symantec supports two- and three-tier deployments
of Symantec Data Loss Prevention on AWS. Two-tier deployments are where the Oracle database and the Enforce Server
are deployed on a single system. In three-tier deployments, the Oracle database is deployed on a separate system from
the Enforce Server system.
Symantec Data Loss Prevention supports the scanning of the following Network Discover targets in the AWS cloud:
• Microsoft Exchange Server
• Microsoft SharePoint Server
• File share server (CIFS)
See Network Discover compatibility for the supported versions of these targets.
Amazon Elastic Compute Cloud (EC2) is a web service that provides virtual servers in the cloud. You deploy supported Data Loss Prevention detection servers to EC2 instances.
EC2 instances can be provisioned in three different ways: on demand, reserved, and spot. On demand and reserved EC2
instances guarantee performance corresponding with the specifications of the Amazon machine image (AMI) provided
by the instance. EC2 spot instances, on the other hand, allow users to bid on unused EC2 capacity at a lower price. Spot
instances are only appropriate for the tasks that can withstand frequent or intermittent interruption. Your detection servers
must run without foreseeable interruption. As such, Symantec Data Loss Prevention does not support the use of EC2 spot
instances for your Data Loss Prevention on AWS deployments.
Figure 14: No support for EC2 Spot Instances shows the EC2 instance details.
Figure 14: No support for EC2 Spot Instances
AWS provides various types of EC2 instances. For example, there are t2.* instance types, m3.* instance types, c3*
instance types, and more. In addition, for each EC2 instance type there are various sizes (micro, small, medium, and
large). Be aware that t2.* instance types, including micro, small, and medium, are Burstable Performance Instances (http://aws.amazon.com/ec2/faqs/). Because the baseline CPU performance of a t2.* burstable performance instance is only a small percentage of a single CPU core, Symantec Data Loss Prevention does not recommend the use of t2.* instances for detection server deployments on AWS. You may use a t2.* instance type for deploying a data source host, such as a Discover scan target or server, but you should not use t2.micro. You may use t2.small or t2.medium to host a data source.
To summarize, the following EC2 instance types are not supported or recommended:
• EC2 spot instances are not supported for any Data Loss Prevention on an AWS deployment.
• t2.micro instances are not supported for the Data Loss Prevention detection server on AWS deployments.
• t2.small and t2.medium instances are not recommended, but may be used to host Data Loss Prevention data sources,
such as Discover scan targets.
Figure 15: EC2 instance types shows some of the various EC2 instance types. Symantec Data Loss Prevention does not
recommend the use of t2.* instances types for deploying detection servers on AWS.
Figure 15: EC2 instance types
When you provision an EC2 instance, you choose the type of Amazon machine image (AMI) to use. AWS provides
several AMIs, and you can go to the AWS Marketplace for third-party provided AMIs. At a minimum, each AMI provides
a host operating system. Some AMIs also provide storage, database, directory, and other services. The components of
the AMI you choose depend on your business requirements.
See Operating system requirements for servers for a complete list of supported operating systems for Data Loss
Prevention.
See Required Linux dependencies for a list of dependencies required for Linux servers. Confirm the file dependencies for
RPM files when you install a detection server.
NOTE
The RHEL 7.x AWS AMI distributions require an additional package. See About configuring the Red Hat
Enterprise Linux version 7.x AMI.
See Minimum System Requirements for Symantec Data Loss Prevention Servers for a list of the minimum hardware
requirements for detection servers.
AWS terminology refers to a CPU as a vCPU. Each vCPU is single-core, so 4 vCPUs are equivalent to two 2-core CPUs. Keep in mind, however, that these are the minimum size requirements. Your sizing requirements may vary depending on the types of detection conditions you deploy to Data Loss Prevention servers.
• About securing your EC2 instances in the AWS cloud
• About Endpoint Prevent and the AWS Elastic Load Balancer
• About securing your Data Loss Prevention servers in the AWS cloud
• About configuring AWS security groups
• About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers
• About configuring the Red Hat Enterprise Linux version 7.x AMI
• About installing supported server software on an AMI
• About registering a detection server deployed on AWS with an Enforce Server
• About Network Prevent for Email and AWS Simple Email Service
When you deploy an EC2 instance in the AWS cloud, initially it is open to the entire Internet. Such a configuration is not
recommended because it is not secure. To secure the EC2 instance and protect the integrity of the system, you need to
configure an AWS Security Group.
Related Links
About configuring AWS security groups on page 683
Symantec Data Loss Prevention Endpoint Prevent on AWS Elastic Load Balancer (ELB) does not support SSL session
affinity. SSL session affinity (also known as a "sticky session") is only for HTTP/HTTPS load balancer listeners. For more
information, refer to the AWS document at: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/
US_StickySessions.html
NOTE
"Instance" is the AWS term for virtual machine.
ELB is used to balance the Endpoint client connections to the Endpoint Server. When configuring a new ELB instance,
follow the AWS instructions and use the following settings:
• Configure the Endpoint clients to connect to the IP or the host name of ELB computer (not to the Endpoint Servers).
• Listeners tab: Set Load Balancer Protocol to TCP and set Load Balancer Port to any port number (for example,
443).
• Instance Protocol tab: Configure Instance Protocol to TCP.
• Instance Port: For Linux Endpoint detection servers, the value of the TCP Instance Port cannot be under 1024.
• Health Check tab: Set Ping Protocol to TCP and set Ping Port to the port that the Endpoint Servers listen on for agent connections.
About securing your Data Loss Prevention servers in the AWS cloud
Symantec Data Loss Prevention servers communicate securely using SSL. When you deploy a detection server, the
Enforce Server generates a default SSL certificate for secure server communications. While the default server certificate
is suitable for pure on-premises deployments, the default certificate is not secure for hosted or cloud deployments.
Someone familiar with Data Loss Prevention can use the default certificate to compromise the detection server you have
deployed to AWS. This system might be vulnerable to man-in-the-middle attacks and other security threats.
You must generate a unique custom SSL certificate for your Data Loss Prevention servers to secure your Data Loss
Prevention on AWS deployment.
About generating a unique, self-signed SSL certificate for Data Loss Prevention servers
About configuring AWS security groups
An AWS Security Group is a virtual firewall that controls inbound and outbound traffic for one or more EC2 instances.
When you launch an EC2 instance, you associate one or more security groups with the instance. You add inbound and
outbound rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a
security group at any time. The new rules are automatically applied to all instances that are associated with the security
group. AWS checks the security group rules before it allows traffic to or from the EC2 instance.
Symantec recommends that you harden each AWS Security Group to which the detection server belongs. This hardening
results in minimal open ports. We also recommend that you safe list the source IP to at least the third octet, for example:
x.x.x.0/24.
Figure 16: Example AWS Security Group configuration for a detection server: Inbound Rules shows an example AWS
Security Group with inbound rules. Notice that only the necessary ports are opened, and the IP addresses are limited to
the third octet.
Figure 16: Example AWS Security Group configuration for a detection server: Inbound Rules
About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers
The default Enforce Server certificate that is generated when you install a detection server is not secure for cloud
deployments.
You need to generate a custom server certificate using the SSL certificate generation tool that is provided with the Data
Loss Prevention installation. Then, you deploy this custom certificate to both the on-premises Enforce Server and each
detection server in the AWS cloud.
A custom SSL certificate secures communication between your Data Loss Prevention servers. To generate a custom SSL
certificate, see Configuring certificates for secure server communications.
Related Links
About installing supported server software on an AMI on page 684
About configuring the Red Hat Enterprise Linux version 7.x AMI
To install a Data Loss Prevention detection server on Red Hat Enterprise Linux version 7.x, see Installing a detection
server on Linux.
• Verify that the following x86_64 packages are installed. If these packages are not installed, you must install them:
• compat-openldap-1:2.3.43-5.el7
• compat-db47-4.7.25-28.el7
• openssl098e
• apr
• expat
• libpng12
• compat-libtiff3
• libjpeg
For the AMI version of Red Hat Enterprise Linux 7.x, you must verify that the apr-util.x86_64 package is installed. This package must be installed on the EC2 instance for the detection server FileReader process to start.
When you install Symantec Data Loss Prevention on the RHEL 7.x AMI image in AWS, make sure the libjpeg package is installed. If the package is not installed, you may get this error:
java.lang.UnsatisfiedLinkError: /opt/SymantecDLP/Protect/lib/native/libImageUtilitiesJNI.so: libjpeg.so.62: cannot open shared object file: No such file or directory
To install the additional 7.x package that is required for EC2 instances:
1. Configure Red Hat Enterprise Linux to connect to a valid distribution repository.
2. Issue the following command: yum install apr-util.x86_64.
3. Verify that FileReader starts.
NOTE
You must also verify that the firewalld package is installed on RHEL 7.x before you install Data Loss
Prevention. The standard RHEL 7.x AMI does not contain the firewalld package. The Data Loss Prevention
installer does not install it automatically.
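A pre-flight script run on the EC2 instance before the Data Loss Prevention installer catches the dependency problems this section describes (missing packages, the libjpeg.so.62 link error, and the firewalld package the standard AMI lacks) in one pass. The script below is an added example, not part of the Symantec installer; it queries rpm by name, so it checks the package names from the list above rather than the exact versions, and the RPM_QUERY override exists only so the logic can be exercised on a machine without rpm.

```shell
#!/bin/sh
# Pre-flight check for a DLP detection server on a RHEL 7.x AMI: reports which
# of the packages listed above are missing, whether libjpeg.so.62 resolves, and
# installs apr-util on request. Added example, not Symantec's installer.

# Package names from the list above plus apr-util (FileReader) and firewalld
# (absent from the standard RHEL 7.x AMI and not installed by the DLP installer).
DLP_RHEL7_PACKAGES="compat-openldap compat-db47 openssl098e apr apr-util expat libpng12 compat-libtiff3 libjpeg firewalld"

# Command that exits 0 when its argument is installed. --whatprovides also
# resolves virtual names such as libjpeg. Overridable for offline testing.
: "${RPM_QUERY:=rpm -q --whatprovides}"

# Prints the missing package names, space-separated; returns 1 if any.
missing_packages() {
  missing=""
  for pkg in $DLP_RHEL7_PACKAGES; do
    $RPM_QUERY "$pkg" >/dev/null 2>&1 || missing="$missing $pkg"
  done
  missing=${missing# }
  [ -n "$missing" ] && echo "$missing"
  [ -z "$missing" ]
}

# libImageUtilitiesJNI.so fails to load unless libjpeg.so.62 is on the loader path.
has_libjpeg62() {
  ldconfig -p 2>/dev/null | grep -q 'libjpeg\.so\.62'
}

# The yum step from the page; run it once the instance can reach a repository.
install_apr_util() {
  yum install -y apr-util.x86_64
}

# Full report; returns 1 if anything needs fixing before running the installer.
preflight() {
  rc=0
  if m=$(missing_packages); then
    echo "packages: all present"
  else
    echo "packages missing: $m"; rc=1
  fi
  if has_libjpeg62; then
    echo "libjpeg.so.62: found"
  else
    echo "libjpeg.so.62: NOT found (FileReader image extraction will fail)"; rc=1
  fi
  return $rc
}

preflight || echo "pre-flight found problems; fix them before running the DLP installer" >&2
```

Run it as root on the instance after step 1 of the procedure above (repository configured) and before the installer; if apr-util is the only missing item, install_apr_util is the fix the page prescribes, after which FileReader should start.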
About installing supported server software on an AMI
When you install a server on an AWS EC2 instance, you must be sure to select the Hosted Network Prevent option.
Ignore the description in the installer screen indicating that this option only applies to Network Prevent. This option applies
to any detection server you deploy in the cloud.
Selecting this option prevents the system from generating a default SSL certificate for connecting between the detection
server and the Enforce Server. If you select this option, you cannot connect the detection server to the Enforce Server
until you generate a custom SSL server certificate.
Related Links
About Generating a Unique, Self-signed SSL Certificate for Data Loss Prevention Servers on page 683
When you register a detection server with the Enforce Server, you provide the connection TCP port. The Enforce Server
administration console only accepts registered port numbers in the range of 1024 through 49151. Well-known ports (0
through 1023) and private ports (49152 to 65535) are not supported. You must open the port you enter on the detection
server. You can open a port by creating an inbound rule for a Security Group and apply that Security Group to the EC2
instance.
Related Links
About configuring AWS security groups on page 683
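The two constraints above, a security group safe-listed to at least the third octet with only the necessary ports open (About configuring AWS security groups) and a detection-server port inside the registered range 1024 through 49151 (the registration rule just described), are easy to check mechanically before you launch. The script below is an added example with constructed rule data, not AWS or Symantec tooling; the server port 8100, the admin ports 3389 and 22, and the sample CIDRs are assumptions for illustration.

```shell
#!/bin/sh
# Lint the inbound rules of the security group in front of a DLP detection
# server: every source CIDR safe-listed to at least the third octet (/24 or
# narrower), only the Enforce-to-detection-server port plus an admin port
# open, and that server port inside the registered range 1024-49151 that the
# Enforce console accepts. Added example with constructed data, not AWS tooling.

# Port the detection server is registered with in the Enforce console
# (8100 is an assumed sample value) and the admin ports you allow (RDP, SSH).
: "${DLP_SERVER_PORT:=8100}"
: "${ADMIN_PORTS:=3389 22}"

# Constructed sample rules, one per line: "<protocol> <port> <source-cidr>".
SAMPLE_RULES='tcp 8100 10.20.30.0/24
tcp 3389 10.20.31.0/24
tcp 8100 0.0.0.0/0
tcp 80 203.0.113.0/16
tcp 500 10.20.30.0/24'

# Registered ports only: well-known (0-1023) and private (49152-65535) are rejected.
is_registered_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 49151 ]
}

# Source limited to at least the third octet: a /24 or narrower prefix.
is_narrow_source() {
  case $1 in */*) ;; *) return 1 ;; esac
  prefix=${1##*/}
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 24 ] && [ "$prefix" -le 32 ]
}

is_admin_port() {
  for p in $ADMIN_PORTS; do [ "$1" = "$p" ] && return 0; done
  return 1
}

# Reads rules on stdin, prints one finding per problem, returns 1 if any.
lint_sg_rules() {
  bad=0
  while read -r proto port src; do
    [ -z "$proto" ] && continue
    if ! is_narrow_source "$src"; then
      echo "WIDE-SOURCE: $proto/$port from $src (safe-list at most a /24)"; bad=1
    fi
    if [ "$port" = "$DLP_SERVER_PORT" ]; then
      is_registered_port "$port" || { echo "BAD-PORT: $port is outside 1024-49151"; bad=1; }
    elif ! is_admin_port "$port"; then
      echo "UNEXPECTED-PORT: $proto/$port is neither the server port nor an admin port"; bad=1
    fi
  done
  return $bad
}

# Applies one vetted rule with the AWS CLI; define here, call after the lint passes.
authorize_rule() {
  aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol "$2" --port "$3" --cidr "$4"
}

# Number of findings for a rule set given as one string.
count_findings() {
  printf '%s\n' "$1" | lint_sg_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | lint_sg_rules || echo "security group needs tightening" >&2
```

Against the constructed rules the lint reports four findings: the 0.0.0.0/0 and /16 sources, port 80, and port 500. Only the first two rules (the server port and RDP, each from a /24) match the example in Figure 16.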
About Network Prevent for Email and AWS Simple Email Service
Network Prevent for Email on AWS does not support AWS Simple Email Service (SES) as a downstream Mail Transfer Agent (MTA). It does not work because SES requires a user name and password credential, while Data Loss Prevention SMTP Prevent relies on an anonymous connection.
The next hop (downstream) MTA can be configured either in reflect mode or forward mode. With forward mode, a next
hop MTA such as sendmail can be used to forward SMTP traffic.
This section provides the workflow for deploying a supported Data Loss Prevention detection server on the AWS
infrastructure. The purpose of this section is to provide you with an example test deployment on which you can base
other deployments for production purposes.
These instructions are specific to the Windows Server 2012 operating system and the Network Discover detection server.
However, the general workflow for deploying a supported Data Loss Prevention detection server on AWS is the same.
After you have gone through the basic workflow, you can extrapolate these steps to other supported detection servers and
operating systems. For example, similar steps work for deploying a Network Prevent for Email detection server on Red
Hat Enterprise Linux 7.x.
Related Links
Deploying a supported Data Loss Prevention server on AWS on page 685
About configuring the Red Hat Enterprise Linux version 7.x AMI on page 683
Implementing Network Prevent for Email on page 1795
This section provides instructions for deploying a supported Data Loss Prevention server (Oracle database, Enforce Server, or detection server) on an AWS EC2 instance. It also details how to connect a detection server to an on-premises Enforce Server. These instructions assume that you have deployed an on-premises Enforce Server and that this server is available.
See About the deployment workflow.
The deployment workflow includes AWS-specific tasks and tasks specific to Symantec Data Loss Prevention.
Table 321: Deploying a supported Data Loss Prevention detection server on AWS
Step, action, and description:
Step 1: Choose an AMI. Log on to the AWS Console and select an AMI that provides an operating system that Data Loss Prevention supports. See Supported Data Loss Prevention servers on AWS. For example: Microsoft Windows Server 2012 Base - ami-3b83c20b
Step 2: Choose an instance type. Select an EC2 instance type that is suitable for your business requirements. See Supported AWS EC2 instance types. For example:
• Family: General purpose
• Type: m3.large
• vCPUs: 2
• Memory (GB): 7.5
• Instance Storage: 1 x 32 (SSD)
• Network Performance: Moderate
Note: Symantec Data Loss Prevention does not recommend the use of t2.* instance types. See Estimated sizing guidelines for EC2 instances.
Step 3: Configure instance details. Do not select Request Spot Instances. Spot instances are not supported. Verify that the Network is VPC. EC2 Classic (non-VPC) instances are not supported. See Supported AWS EC2 instance types.
Step 4: Add storage. Skip this step. You do not need external storage for a Data Loss Prevention detection server.
Step 5: Tag the instance. Optionally, add metadata tags to help you or other administrators organize and locate your EC2 instances.
Step 6: Configure the security group. Specify and configure your own security group. Initially the EC2 instance is open to the Internet and is not secure. You secure the instance by allowing only the TCP port that the Enforce Server connects to. You also need to open the port that you use to connect with RDP. See About configuring AWS security groups.
Step 7: Review and launch. Review the EC2 instance details and click Launch when you are ready. Back at the console, the instance displays Initializing.
Step 8: Create and download the private key, or use an existing one that you previously generated. Select Create a new key pair. This key pair lets you decrypt the Windows password that you use to log on to the system. Download the key pair. You use the key to log on to the system the first time. If you already generated a key pair, you can use it to log on to the EC2 instance.
Step 9: Use the private key to decrypt the Windows password. Right-click the instance and select Get Windows Password. Select the *.pem file you downloaded. Click Decrypt Password. Write down the decrypted password. You need it to log on to the EC2 instance.
Step 10: RDP to the EC2 instance. RDP to the EC2 instance and log on using the password you decrypted. Note: You may have to disable the operating system firewall to be able to connect using RDP.
Step 11: Change the host password. Alternatively, to avoid having to use the decrypted password each time, change the password.
Step 12: Copy the Data Loss Prevention installer to the EC2 instance. You must copy the Data Loss Prevention installation software to the EC2 instance. You can get the software at Symantec FileConnect using a web browser running on the EC2 instance. Alternatively, you can place the software in a cloud or FTP storage site and download it to the EC2 instance.
Step 13: Install the Data Loss Prevention software. Make sure that you select the Hosted Network Prevent option. See About installing supported server software on an AMI.
Step 14: Register the detection server. Go to the Enforce Server administration console and register the detection server with the Enforce Server by specifying the port. The port must be a registered TCP port in the range of 1024 to 49151. The Enforce Server does not accept well-known ports (0 through 1023) or private ports (49152 through 65535). You must have added this port to an inbound rule for the Security Group. See About registering a detection server deployed on AWS with an Enforce Server.
Step 15: Generate custom server certificates. The default Data Loss Prevention server certificate is not secure. With the Hosted Network Prevent option selected as recommended (step 13), you do not have a server certificate at all. Either way, you must generate a unique, self-signed server certificate to ensure secure communications between the on-premises Enforce Server and the detection server on AWS.
Step 16: Verify your Data Loss Prevention on AWS deployment. Once you deploy the custom certificate, the Enforce Server should be able to connect to the detection server.
Deploying the Oracle database and Enforce Server in a two- or three-tier environment
Symantec Data Loss Prevention supports two- and three-tier deployments on AWS IaaS. See "Oracle database requirements" in the Symantec Data Loss Prevention Help Center for a list of supported Oracle Database software versions.
You estimate sizing requirements to best fit your implementation. See Estimated sizing guidelines for EC2 instances.
Install the Oracle database before you install the Enforce Server.
See Implementing the Database.
See Installing DLP.
Table 322: Steps to deploy the Oracle database and Enforce Server in a two- or three-tier environment
1 Configure the Oracle RDS instance. Confirm that the Oracle RDS instance meets the following configuration requirements:
• DB Edition: Standard or Enterprise
• DB Engine version: See "Oracle database requirements" in the Symantec Data Loss Prevention Help Center for a list of supported Oracle Database software versions
• DB Instance Class: db.m4.2xlarge or higher
• Storage Type: Provisioned IOPS (SSD) 100 GiB or more
• Master User: “protect” with a complex password of at least 8 characters
• Public Accessibility: “Yes”, if the Enforce Server is deployed outside of the RDS VPC
• Database name: “protect”
• Database port: “1521”
• Character set name: “AL32UTF8”
2 Create the database user and tablespaces for the Symantec Data Loss Prevention installation. Complete the following steps:
1. Connect to Oracle RDS using SQL*Plus with the following syntax:
sqlplus master_user/password@fqdn_oracle_rds:db_port/db_name
For example, the following command uses protect for the master_user, 1521 for the database port, and protect for the database name:
sqlplus protect/password@fqdn_oracle_rds:1521/protect
2. Run the following commands to grant the Master User protect the required privileges:
GRANT create session, alter session, create synonym, create view, create table, create sequence TO protect;
GRANT create table, create cluster, create sequence, create trigger, create procedure, create type, create indextype, create operator TO protect;
GRANT create materialized view TO protect;
3. (Optional) Run the SQL script to create a user to manage the database. The user can access the database without using the Oracle RDS Master user.
sqlplus master_user/password@fqdn_oracle_rds:db_port/db_name
SQL> @oracle_create_user_oracle_rds.sql
4. Create the required tablespace and its datafiles by running the following commands:
create smallfile tablespace LOB_TABLESPACE datafile size 32767M autoextend on next 100M maxsize 32767M;
alter tablespace LOB_TABLESPACE add datafile size 1024M autoextend on next 100M maxsize 32767M;
alter tablespace LOB_TABLESPACE add datafile size 1024M autoextend on next 100M maxsize 32767M;
Setting up a CIFS file share scan target on AWS
Symantec Data Loss Prevention supports the deployment of Network Discover Servers in the AWS cloud. It also supports
the scanning of targets that are deployed in the AWS cloud, including Exchange and SharePoint servers and CIFS file
shares.
As with any Data Loss Prevention deployment, you should test it to ensure that it is production ready. You must create
some detection rules that are typical for your organization and generate some incidents. In addition, you should test the
performance of your EC2 instance under some representative load.
Configuring certificates for securing communications between the Enforce Server and Amazon RDS for Oracle
You can use SSL/Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and
the Oracle database hosted with Amazon RDS in a three-tier environment.
These steps assume that you have already set up an AWS account that you can use to manage the Oracle database. See Deploy Symantec Data Loss Prevention servers on Amazon Web Services.
The following table describes the process to secure communications between the Enforce Server and the database.
Table 323: Steps to secure communications between the Enforce Server and the Oracle database hosted with Amazon RDS
1 Configure the AWS Oracle RDS SSL connector. See Configuring Oracle RDS Option Group with SSL.
2 Configure the server certificate on the Enforce Server. See Configuring the Server Certificate on the Enforce Server.
3 Configure the AWS Oracle RDS for Secure Sockets Layer (SSL) connection over JDBC. See Setting up an SSL connection over JDBC.
4 Verify the AWS Oracle RDS certificate usage. See Verifying the Enforce Server-Oracle RDS database certificate usage.
You enable SSL encryption for an Oracle RDS database instance by adding the Oracle SSL option to the option group
associated with an Oracle DB instance. You specify the port you want to communicate over using SSL.
See Oracle Secure Sockets Layer in the AWS Oracle RDS documentation for steps to complete this process.
After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the server certificate. You import the AWS Oracle RDS certificate into the Enforce Server Java keystore. Last, you configure the JDBC driver to use the Oracle RDS SSL/TLS connection and port.
NOTE
The following process assumes that the SSL Option is configured with TCP port 2484.
1. Locate the Jdbc.properties file at the following location (based on your platform):
• Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
2. Modify the following communication port and connection information:
• Update the jdbc.dbalias.oracle-thin line to use TCPS.
• Change the port number to 2484.
The updated communication port and connection information should display as follows:
jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])(protocol=tcps)(port=2484))(connect_data=(service_name=protect))(SSL_SERVER_CERT_DN="CN=oracleserver"))
The following is an example of what the completed communication port and connection information might look
like. The information you use differs based on your system. Using the following information as-is may cause the
configuration to fail.
NOTE
The example uses "protect" for the database SID and "2484" for the TLS port.
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)(port=2484))(connect_data=(service_name=protect)(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=oracle-rds-dns-name")))
The certificate details provided above are valid for rds-ca-2015-root and rds-ca-2019-root certificates, but you
replace the port number with the number used for the SSL port in the option group.
3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps. Replace <version> with the OpenJRE version running on your system.
a) Copy the Oracle RDS certificate (rds-ca-2015-root.der or rds-ca-2019-root.der) file to the following location (based on your platform):
• Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
b) Change the directory by running the following command (based on your platform):
• Windows: cd C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
• Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
c) Insert the certificate into the cacerts file by running the following command as an administrator (on Windows) or as the root user (on Linux):
keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
or
keytool -import -alias oracleservercert2019 -keystore cacerts -file rds-ca-2019-root.der
To set up an SSL connection over JDBC you download the Amazon RDS root CA certificate, convert the certificate format
to .der, then import the certificate into the keystore.
Refer to Setting up an SSL connection over JDBC in the AWS Oracle RDS documentation for steps to complete this
process.
To confirm that certificates are configured correctly and the Enforce Server is communicating with the Oracle RDS database, log on to the Enforce Server administration console. If you can log on, the Enforce Server and database are communicating over a secure connection.
If you cannot log on, verify the SSL Java application connection in Jdbc.properties. To confirm the SSL Java application connection, check the listener status on the Oracle RDS instance. In the listener status, the TCPS protocol and port 2484 should be in use. If the listener status does not display these connection details, repeat the process to enable the Oracle RDS option group with SSL.
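As an added example (not Symantec's code), the following Python script checks the value of jdbc.dbalias.oracle-thin the way you would before retrying the console logon: it confirms that the connect descriptor is well formed, uses protocol tcps on the SSL option-group port, and pins SSL_SERVER_CERT_DN with a CN that matches the RDS host. The two sample descriptors, the host name oracle-rds-dns-name and port 2484 are constructed from the values in this procedure.

```python
# Added example, not Symantec's code: verify that the connect descriptor in
# jdbc.dbalias.oracle-thin enforces TLS to Amazon RDS (protocol=tcps, the
# SSL option-group port, and a pinned SSL_SERVER_CERT_DN whose CN matches
# the RDS host), which is what the procedure above configures.
import re

# One leaf of an Oracle connect descriptor: (key=value) or (key="quoted value").
LEAF = re.compile(r'\(\s*([A-Za-z_]+)\s*=\s*("[^"]*"|[^()"]+)\)')


def check_balanced(descriptor):
    """Raise ValueError if parentheses outside quotes do not balance (a
    truncated hand edit of Jdbc.properties is the usual cause)."""
    depth, in_quotes = 0, False
    for ch in descriptor:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "(" and not in_quotes:
            depth += 1
        elif ch == ")" and not in_quotes:
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected ')' in descriptor")
    if depth or in_quotes:
        raise ValueError("unbalanced parentheses or quotes in descriptor")


def leaf_pairs(descriptor):
    """All (key, value) leaves with lower-cased keys and quotes stripped.
    Nesting depth is ignored on purpose: the documented examples place
    SSL_SERVER_CERT_DN at different levels of the descriptor."""
    check_balanced(descriptor)
    return [(k.lower(), v.strip().strip('"')) for k, v in LEAF.findall(descriptor)]


def is_well_formed(descriptor):
    """True when the descriptor parses cleanly."""
    try:
        leaf_pairs(descriptor)
        return True
    except ValueError:
        return False


def values(pairs, key):
    """Every value stored under `key`."""
    return [v for k, v in pairs if k == key]


def dn_attribute(dn, attr):
    """First value of `attr` (e.g. CN) in a comma-separated DN; escaped
    commas are not handled (the RDS CA subject has none)."""
    for part in dn.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == attr.upper():
            return value.strip()
    return None


def check_tls_alias(alias, expected_host, expected_port=2484):
    """Findings for the value of jdbc.dbalias.oracle-thin; an empty list means
    TLS-only with the server DN pinned. `expected_port` is the SSL
    option-group port (2484 in this procedure)."""
    findings = []
    pairs = leaf_pairs(alias.lstrip("@"))
    protocols = [p.lower() for p in values(pairs, "protocol")]
    if protocols != ["tcps"]:
        findings.append("protocol is %r, expected ['tcps']" % protocols)
    ports = values(pairs, "port")
    if ports != [str(expected_port)]:
        findings.append("port is %r, expected %d" % (ports, expected_port))
    dns = values(pairs, "ssl_server_cert_dn")
    if not dns:
        findings.append("SSL_SERVER_CERT_DN missing: server identity not pinned")
    elif dn_attribute(dns[0], "CN") != expected_host:
        findings.append("SSL_SERVER_CERT_DN CN %r does not match host %r"
                        % (dn_attribute(dns[0], "CN"), expected_host))
    if not values(pairs, "service_name"):
        findings.append("connect_data has no service_name")
    return findings


# Constructed samples modelled on this procedure, not copied from a real host.
# Before step 2: plain TCP on the default listener port and no pinned DN.
PLAINTEXT_ALIAS = ("@(description=(address=(host=oracle-rds-dns-name)"
                   "(protocol=tcp)(port=1521))(connect_data=(service_name=protect)))")
# After step 2: TCPS on the SSL option-group port with the RDS CA subject pinned.
TLS_ALIAS = ('@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)'
             '(port=2484))(connect_data=(service_name=protect)'
             '(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,'
             'OU=RDS,CN=oracle-rds-dns-name")))')

if __name__ == "__main__":
    for label, alias in (("before", PLAINTEXT_ALIAS), ("after", TLS_ALIAS)):
        problems = check_tls_alias(alias, "oracle-rds-dns-name")
        print(label, "OK" if not problems else "; ".join(problems))
```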
For full details on how to configure SSL/TLS communication between Oracle RDS and the Enforce Server, see the documentation for the AWS Oracle RDS Option Group, available from the Amazon Relational Database Service User Guide:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html
To upgrade the Enforce Server in Amazon RDS for Oracle you must first confirm that the Oracle Amazon RDS is ready for
upgrade. Then you can upgrade to the latest version of the Enforce Server.
Steps to upgrade the Enforce Server in Amazon RDS for Oracle
Table 324: Upgrading the Enforce Server in Amazon RDS for Oracle
1 Prepare the Amazon RDS for Oracle for a Symantec Data Loss Prevention upgrade. See Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention upgrade.
2 Upgrade the Enforce Server. See the Symantec Data Loss Prevention Upgrade Guide available in the Related Documents section of the Symantec Data Loss Prevention Help Center.
Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention Upgrade
The following Amazon RDS for Oracle-related preparations must be made before you upgrade the Symantec Data Loss
Prevention database schema.
NOTE
The Enforce Server upgrade process does not support a TLS connection to Amazon RDS. Symantec recommends that you run the Update Readiness Tool and complete the Enforce Server upgrade using Amazon RDS on a non-TLS listener port. The TLS connection between the previous version of the Enforce Server and RDS is not migrated during the upgrade. After you complete the upgrade process, re-establish TLS communication with RDS.
Symantec recommends that you prepare for the upgrade, including running the Update Readiness Tool, a few weeks
before you plan to complete the upgrade. Preparing helps ensure that any issues that arise can be resolved before the
scheduled upgrade.
Table 325: Preparing the Amazon RDS for Oracle for a Symantec Data Loss Prevention upgrade
1 Back up the Amazon RDS for Oracle database before you start the upgrade. You cannot recover from an unsuccessful upgrade without a backup of your Amazon RDS for Oracle database. See Backing up and restoring an Amazon RDS DB instance in the Amazon Relational Database Service User Guide.
2 Set Oracle variables. See Setting variables in the Amazon RDS for Oracle database.
3 Prepare to run the Update Readiness Tool. See Preparing to run the Update Readiness Tool for Amazon RDS for Oracle.
4 Create the Update Readiness Tool database account. See Creating the Update Readiness Tool database account for Amazon RDS for Oracle.
5 Run the Update Readiness Tool for Amazon RDS for Oracle. See Running the Update Readiness Tool for Amazon RDS for Oracle.
6 Review update readiness results. See Reviewing Update Readiness Results.
Setting variables in the Amazon RDS for Oracle database
You set the ORACLE_HOME, ORACLE_SID, and java CLASSPATH: ORACLE_HOME variables before you begin the
upgrade process. If you do not set these variables, you cannot complete the migration process during the Enforce Server
upgrade process.
1. Log on as a domain user.
2. In the command prompt, run the following command to set the ORACLE_HOME variable. Confirm your Oracle version
and installation path before setting this variable. For example:
set ORACLE_HOME=c:\oracle\product\19.3.0.0\db_1
3. Run the following command to set the java CLASSPATH: ORACLE_HOME variable:
• For Windows (JAVA_HOME must be expanded with percent signs, otherwise the literal text JAVA_HOME\lib is added to the class path):
set CLASSPATH=%CLASSPATH%;%JAVA_HOME%\lib;.;
echo %CLASSPATH%
• For Linux:
export CLASSPATH=${CLASSPATH}:.
echo $CLASSPATH
Preparing to run the Update Readiness Tool for Amazon RDS for Oracle
Preparing the Update Readiness Tool includes downloading the tool and moving it to the Enforce Server.
1. Obtain the current version of the tool (for both major or minor release versions of Symantec Data Loss Prevention)
from Product Downloads at the Broadcom Support Portal.
The current version of the Update Readiness Tool includes important fixes and improvements, and should be the
version that you use before attempting any upgrade.
Symantec recommends that you download the tool to the DLPDownloadHome\DLP\16.0 (for Windows) or
DLPDownloadHome/DLP/16.0.1 (for Linux) directory on the Enforce Server.
2. Unzip the tool, then copy the contents of the unzipped folder to the following location on the Enforce Server.
NOTE
Do not unzip the tool as a folder. The contents of the folder must reside directly in the URT folder.
• Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\Migrator\URT\
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/Migrator/URT
3. Copy oracle_create_user_aws_oracle_rds.sql to the following location on the Enforce Server:
• Windows: ..URT\script
• Linux: ../URT/script
This SQL script creates a schema with the necessary privileges on the Amazon RDS for Oracle.
Creating the Update Readiness Tool database account for Amazon RDS for Oracle
You can run the Update Readiness Tool from the command prompt on the Enforce Server host computer.
3. Run the following script to grant full access to the DATA_PUMP_DIR to the "protect" user:
SQL> GRANT read,write on DIRECTORY DATA_PUMP_DIR to protect;
4. Run the following command to log on to the Amazon RDS for Oracle:
sqlplus Oracle RDS username/password@endpoint_name.rds.amazonaws.com:1521/RDS Servicename
Replace Oracle RDS username, password, and RDS Servicename with information specific to your implementation.
5. Run the following script to create the Update Readiness Tool database account:
SQL> @oracle_create_user_aws_oracle_rds.sql
Status Description
Pass Items that display under this section are confirmed and ready for update.
Warning If not fixed, items that display under this section may prevent the database from upgrading properly.
Error These items prevent the upgrade from completing and must be fixed.
Related Links
Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter" on page 363
Resolving the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter"
When running the Update Readiness Tool before an upgrade from Symantec Data Loss Prevention 14.6 to the current
version, the tool returns results in its log file with the error below.
Start: Data Foreign Key Constraint Validation - [date and time] Data violations are detected on your schema,
please use the below query(s) to retrieve the invalid data.
SELECT DISTINCT protocolFilterId AS "PROTOCOLFILTERID" FROM ENDPOINTPROTOCOLFILTER
WHERE protocolFilterId IS NULL OR protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
End : Data Foreign Key Constraint Validation - elapsed 0s - FAILED (1 violation)
Complete the following steps to resolve the error "Data Foreign Key Constraint Validation for EndPointProtocolFilter":
1. Run the following command to create a data backup:
create table EndpointProtocolFilter_nomatch as
select * from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId FROM
AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
2. Run the following command to confirm the record count:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId
FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
3. Note the record count.
4. Run the following command to delete data that causes the upgrade to fail:
DELETE FROM EndpointProtocolFilter WHERE protocolFilterId NOT IN (SELECT acv.protocolFilterId FROM
AgentConfigurationVersion acv WHERE acv.protocolFilterId IS NOT NULL);
5. Confirm that the number of records deleted matches the record count. See step 3. If the record counts do not match,
contact Symantec Support.
6. Run the following command to complete the delete operation:
commit;
7. Run the following command to confirm that no records remain that violate the constraint:
select count(*) from EndpointProtocolFilter where protocolFilterId not in (select acv.protocolFilterId
FROM AgentConfigurationVersion acv where acv.protocolFilterId IS NOT NULL);
Related Links
Reviewing Update Readiness Results on page 363
Table 327: Upgrading the Enforce Server on Windows
1 Install the Java Runtime Environment. See Install the Java Runtime Environment on the Enforce Server on Windows.
2 Install the Enforce Server. See Install an Enforce Server on Windows.
3 Run the Migration Utility. See Migrate Data on the Enforce Server on Windows.

1 Install the Java Runtime Environment. See Install the Java Runtime Environment on the Enforce Server on Linux.
2 Install the Enforce Server. See Install an Enforce Server on Linux.
3 Run the Migration Utility. See Migrate Data on the Enforce Server on Linux.
You and the users in your organization can continue to secure information using Azure RMS in the way that you’re
accustomed; with the Symantec integration with MIP for DLP deployed, your InfoSec team can gain visibility to sensitive
information in RMS-encrypted files and email messages, including messages sent using Microsoft Exchange on-premises
and Exchange Online.
This solution works on both Linux and Windows detection servers, in the Cloud, and on DLP Agents. It is supported on
any platform on which you can install a Data Loss Prevention detection server and on Windows and macOS endpoints.
Features of the Symantec integration with MIP for DLP include:
• DLP Storage support for inspecting files and emails encrypted by MIP. Network Discover supports the inspection of
encrypted documents and emails for file shares, Microsoft SharePoint repositories, and Microsoft Exchange Server
only.
• Ability to import MIP labels to the Enforce Server administration console
• Support for authoring an MIP classification-based Data Loss Prevention policy condition that reads existing MIP
labels for the Endpoint, Network, and Storage
• DLP Agent inspection of files that are encrypted by MIP
• Ability to configure DLP Agents to allow or block files that are encrypted by MIP
• Support for the DLP Agent to use a network proxy to connect to the MIP portal
• Support for the DLP Agent to recommend labels or automatically apply labels for Microsoft Office documents that contain confidential information.
• Support for the DLP Agent to recommend labels or automatically apply labels for emails that contain confidential information and are sent using Microsoft Outlook. Labels are applied to the email body only.
NOTE
MIP classification for Microsoft Outlook is available only on Windows endpoints. If an email already has a
label that enforces MIP encryption, DLP does not inspect the email again for classification.
• Support for the Enforce Server and detection server to use a network proxy to connect to the MIP portal
For details about supported server platforms, see Operating system requirements for servers .
The Symantec integration with MIP for DLP is available for use on Data Loss Prevention 15.8 and later versions.
Previous versions, named AIP Insight for DLP Cloud and Symantec AIP Insight for Data Loss Prevention, have been
available for use with Data Loss Prevention 15.1, 15.5, and 15.7x.
Implementing MIP capabilities for DLP Agents and on-premises detection servers
The high-level steps for implementing MIP capabilities for endpoints and on-premises detection servers are provided
in the following table.
Table 329: Overview of implementing MIP capabilities for DLP Agents and on-premises detection servers
1 On the Azure portal, authorize DLP to connect to the MIP service and generate the credentials that Data Loss Prevention uses to connect to the MIP service. See Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal.
2 In the Enforce Server administration console, configure the MIP credentials that you generated using the Azure portal. These credentials are used by the Enforce Server, on-premises detection servers, and DLP Agents to connect to the MIP service. See Managing MIP credential profiles for agents and on-premises detection servers.
3 In the Enforce Server administration console, synchronize the labels that have been defined in MIP. The labels can then be used by DLP Agents to classify documents and outgoing emails. MIP classification for Microsoft Outlook is available only on Windows endpoints. If an email already has a label that enforces MIP encryption, DLP does not inspect the email again for classification. See Integrating MIP classification labels in the Enforce Server administration console.
4 Using the Classification tab in agent configurations, enable DLP Agents to use MIP classification to label confidential documents and outgoing emails in supported applications. See Classification settings.
5 Using the Microsoft Information Protection section of the Settings tab in agent configurations, configure DLP Agents to decrypt and inspect documents that have been encrypted by MIP. See Microsoft Information Protection settings.
6 Using the PostProcessor.AIP_DEFAULT_ACTION.int advanced setting in agent configurations, configure DLP Agents to either block or allow user actions when users attempt to copy or transfer files that are encrypted by MIP. Optionally, you can also configure the following agent advanced settings:
• MIP.HTTP_OPERATION_TIMEOUT.int
• MIP.MIP_AUTHENTICATION.int
• PostProcessor.MIP_APPLY_LABEL_MAX_RETRY_COUNT.int
See Advanced agent settings.
7 Configure a policy to inspect documents and emails. See Creating a policy from a template.
8 Configure the Endpoint: MIP Classification response action to enable DLP Agents to either suggest or automatically apply labels for documents that contain sensitive information. You can also configure the Endpoint: MIP Classification response action to either suggest or automatically apply labels for emails that are sent using Microsoft Outlook on Windows endpoints. See Configuring the Endpoint: MIP Classification action.
9 Customize or translate endpoint notifications for prompting users to authenticate with MIP using their Azure AD credentials when DLP Agents need to use MIP capabilities. See About Endpoint Notifications.
10 Configure a policy that looks for MIP labels on documents and emails using the Content Matches MIP Tag rule. See Using the Content Matches MIP Tag rule.
11 (Optional) Create an MDM configuration profile to ensure that DLP Agent notifications about label suggestions and label enforcement are always displayed on macOS endpoints. See Enable MIP classification notifications on macOS endpoints.
12 (Optional) Using the Proxy section of the Settings tab in agent configurations, configure DLP Agents to use a network proxy to connect to the MIP service. Make sure that you add the required Microsoft URLs to the list of allowed URLs. See Agent proxy settings.
13 (Optional) In the General settings of the Enforce Server administration console, configure the Enforce Server and on-premises detection servers to use a network proxy to connect to the MIP service. Make sure that you add the required Microsoft URLs to the list of allowed URLs. See Configuring proxy server details for AIP Insight Deployment.
14 (Optional) In the General settings of the Enforce Server administration console, configure the Enforce Server and cloud services to use a network proxy to connect to the MIP service. Make sure that you add the required Microsoft URLs to the list of allowed URLs. See Configuring the Enforce Server to use a proxy to connect to cloud services.
Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal
You must register an application on the Microsoft Azure portal before you can connect Symantec Data Loss Prevention to
the MIP service.
1. Log on to http://portal.azure.com/ with administrator privileges.
2. Navigate to Azure Active Directory > App Registrations > New Registration.
3. Provide a display name for the new application.
4. Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory -
Multitenant).
5. Leave the Redirect URI field empty.
6. Click Register.
7. After the application is registered, go to the applications page and select Authentication in the navigation pane.
8. Click Add a platform, and add Windows and macOS as supported platforms.
a) In the Bundle ID field for iOS/macOS, enter com.microsoft.DLPMacApp. The Azure portal then uses this information to generate a Redirect URI.
b) In the Redirect URI field for Mobile and desktop applications (for Windows), enter https://login.microsoftonline.com/common/oauth2/nativeclient.
9. In the navigation pane, select API permissions and click Add a permission.
10. Select Azure Rights Management Services from the Microsoft APIs tab.
11. Choose the Delegated Permissions scope.
12. Select the user_impersonation permission and click Add a permission.
13. On the API permissions page, click Add a permission.
14. Select Microsoft Information Protection Sync Service from the APIs my organization uses tab.
15. Choose the Application Permissions scope.
16. Select the UnifiedPolicy.Tenant.Read permission and click the Add permissions button.
17. On the API permissions page, click Add a permission.
18. Select Microsoft Information Protection Sync Service from the APIs my organization uses tab.
19. Choose the Delegated Permissions scope.
20. Select the UnifiedPolicy.User.Read permission and click the Add permissions button.
21. Click Grant Admin Consent and then click Yes.
22. In the navigation pane, select Certificates & secrets.
23. Under Client secrets, click New client secret.
24. Add a description.
25. Choose a validity period and click Add.
26. Save a copy of the client secret immediately as it is not visible later. You use this client secret later to configure MIP
credential profiles that Symantec Data Loss Prevention uses to authenticate with the MIP service.
27. In the navigation pane, select Overview, and copy the Application (client) ID and Directory (tenant) ID values. You
use these details later to configure MIP credential profiles that Symantec Data Loss Prevention uses to authenticate
with the MIP service.
If you have a proxy server in your environment, follow these steps to make AIP Insight work with your proxy. Symantec supports both transparent and explicit proxy types for AIP decryption.
• Proxies can be configured either to tunnel, or to use TLS termination of the AIP Insight traffic.
• Proxy authentication is not supported. If a proxy is configured with authentication, you must add a bypass rule to
exclude AIP Insight traffic from proxy authentication. See "Configure proxy authentication bypass (for authenticated
proxies)" below.
Provide the proxy hostname/IP and port number on the detection server (for explicit proxies only):
1. Open the plugin_settings.txt file.
For Linux, it is located in /opt/Symantec/DataLossPrevention/ContentExtractionService/<DLP version>/Plugins/Protect/plugins/contentextraction/MicrosoftInformationProtectionPlugin/.
For Windows, it is located in C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\<DLPversion>\Plugins\Protect\plugins\contentextraction\MicrosoftInformationProtectionPlugin.
2. Enter the following lines:
proxy=http://<Proxy IP or DNS name>
proxyPort=<proxy port>
NOTE
The "http://" in the previous syntax is the protocol used to connect to the proxy before a TLS connection is established between the client and the origin server. For more information, see the curl article about proxies at https://ec.haxx.se/libcurl/libcurl-proxies. This protocol scheme is optional, so the following syntax should also work: proxy=<Proxy IP or DNS name>:<proxy port>.
Changes in this file are picked up automatically and the plugin will be re-initialized. There is no need to restart the
detection server.
Configure a TLS terminating proxy
NOTE
Since the proxy is terminating TLS connections, the DLP detection server needs to trust the proxy and the proxy needs to trust the origin server (the Azure service). The following example is for illustration purposes only, and is based on the assumption that the proxy's certificate is self-signed.
Import the proxy certificates to the detection server trust store
1. Obtain the ProxySG certificate in .pem format.
2. Add the certificate to the trust store:
– On Linux, add the .pem file to the directory /usr/local/share/ca-certificates (RHEL 6.x) or /etc/pki/ca-trust/source/anchors (RHEL 7.x).
– Run the # /bin/update-ca-trust command to update the certificate authority file.
3. Type # trust list | more to validate that the certificate was added.
s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011
i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
4. Follow the steps in the documentation for the proxy to import the Microsoft Secure Server CA 2011 certificate to the proxy.
Configure the TLS non-terminating proxy (Tunneling Mode)
1. Use the URL list from https://docs.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud
to exclude the Azure destination hosts from TLS termination on the proxy.
2. Add the following items to the list:
api.aadrm.com
13.107.6.181
13.107.9.181
Managing MIP credential profiles for agents and on-premises detection servers
Symantec Data Loss Prevention uses MIP credential profiles to authenticate with the MIP service. On the System >
Settings > MIP Credential Profiles page of the Enforce Server administration console, you can configure two types of
MIP credential profiles for agents and on-premises detection servers:
• An MIP classification credential profile – Used by the Enforce Server and DLP Agents to synchronize classification
labels with the MIP service. You can configure only one MIP classification credential profile at a time.
• MIP decryption credential profiles – Used by detection servers to inspect documents and emails that have been
encrypted by MIP. You can configure multiple MIP decryption credential profiles.
NOTE
Before you can configure an MIP credential profile, you must first authorize Symantec Data Loss Prevention to access the MIP service on the Azure portal. The application that you register on the Azure portal
must possess the necessary permissions for enabling the functionality that you want to use, such as labeling
confidential documents or inspecting MIP-encrypted files.
For more information, see Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal.
After you register an application, you gain access to the information that must be included in an MIP credential
profile.
When you view the MIP Credential Profiles page, you can see the Tenant ID that was authorized for use by MIP Insight for
Symantec Data Loss Prevention. You can also see when a particular credential profile was last modified.
For more information about managing MIP credential profiles, refer to the following topics:
Creating an MIP credential profile for agents and on-premises detection servers
Editing an MIP credential profile for agents and on-premises detection servers
Deleting MIP credential profiles for agents and on-premises detection servers
For your MIP integration to work, you need to configure your detection servers with MIP access credentials in the Enforce Server administration console. You set up the credentials in Enabling MIP on the Azure Portal. You can add only one tenant to a Classification Credential Profile. You can add multiple tenants to Decryption Credential Profiles. The example below shows how to add a Decryption Credential Profile; the process is the same for both types.
To configure detection servers with MIP access credentials
1. Go to System > Settings > MIP Credential Profile.
2. Click Add Profile in the Microsoft Information Protection Decryption Credential Profile section.
3. Add a Profile Name (maximum of 100 characters).
4. Add a Tenant ID (maximum of 36 characters).
5. Add an Application ID from Microsoft Azure AD.
6. Add an Application Secret. You created this secret in Enabling MIP on the Azure portal.
7. Click Save.
Creating an MIP credential profile for agents and on-premises detection servers
Depending on your selection, either the Add Classification Credential Profile dialog box or the Add Decryption
Credential Profile dialog box is displayed.
3. In the dialog box, type a name for the profile in the Profile Name field.
4. Fill the Tenant ID, Application ID, and Application Secret (client secret) fields using the information that you copied
when you registered an application on the Azure portal.
For more information, see Authorizing Symantec Data Loss Prevention on the Microsoft Azure portal.
5. Click Save.
Editing an MIP credential profile for agents and on-premises detection servers
5. Click Next.
6. Enter a Rule Name in the General section.
7. Select a severity level under Severity. To add more severity levels, click Add Severity.
8. Under Conditions, in the Content Matches MIP Classification section, click Content is classified, Content is not
classified, Content matches, or Content does not match.
9. Choose a Label in the Select Label menu. You can choose multiple labels using the OR operator.
10. Choose a Sub-Label in the Select Sub-Label menu.
11. Select what to match on: Envelope or Attachment. You may choose more than one.
12. Click OK on the Configure Policy page to save the rule.
Table 330: Expected Behaviors for Emails and Attachments with the Symantec integration with MIP for DLP
Scenario: Outlook Email / Network Monitor for Email / SMTP Prevent with no MIP classification and with no attachment
  Content matches on: Incident is not generated.
  Content not classified: Incident is generated.
  Content classified: Incident is not generated.
Scenario: Outlook Email / Network Monitor for Email / SMTP Prevent with MIP classification for this tenant (attachments, if present, follow the same rules as files)
  Content matches on: Incident is generated if there is a match for both the Site ID and the Label GUID in the email header.
  Content not classified: Incident is not generated.
  Content classified: Incident is generated if a label matching the site ID is found in the email header.
Scenario: Outlook Email / Network Monitor for Email / SMTP Prevent with MIP classification for this tenant and RMS protection (attachments are inside the rpmsg envelope, so they won't trigger incidents until the email body can be decrypted)
  Content matches on: Incident is generated if a match for both the Site ID and the Label GUID is found in the email header.
  Content not classified: Incident is not generated.
  Content classified: Incident is generated if a label matching the site ID is found in the email header.
Scenario: Outlook Email / Network Monitor for Email / SMTP Prevent with MIP classification for a second tenant (that is, no classification from the target tenant); attachments, if present, follow the same rules as files
  Content matches on: Incident is not generated.
  Content not classified: Incident is generated.
  Content classified: Incident is not generated.
Scenario: Unsupported email client
  Content matches on, Content not classified, Content classified: Incident is not generated (pass through).
Scenario: Content extraction fails to extract metadata due to an error (for example, files with corrupted metadata, files not supported by a third-party library, or a content extraction timeout)
  Content matches on, Content not classified, Content classified: Incident is not generated (pass through).
Configuring response rules using MIP Classification labels in the Enforce Server
administration console
To configure Response rules using MIP Classification labels in the Enforce Server administration console
1. Go to the Manage > Policies > Response Rule page.
2. Click Add Response Rule and click Automated Response Rule.
3. Click Next.
4. Provide a Rule Name and Description.
5. Go to the Action section and scroll to Endpoint > MIP Classification.
6. Click Add Action.
7. Use the dropdown lists to select the classification labels and select sub-labels under Endpoint Notification Content.
8. Click Save.
For detailed information about configuring the Endpoint: MIP Classification response rule, see Configuring the Endpoint:
MIP Classification action.
The Response Rule is saved.
Table 331: MIP Incident matches behaviors
Columns: Behavior Rule; Files encountered; Incident behavior and what displays
1. Match on labels A or B
   Files encountered: File has labels A and C.
   Incident behavior: Incident is created. Highlights the label name of A (label, parent, and GUID).
2. Match on labels A or B (for example, two rules: one matches on the parent and another matches the child)
   Files encountered: File has labels A and B.
   Incident behavior: Incident is created. Highlights the label name of A (label, parent, and GUID), but shows 2 matches: for A and B.
3. Does not match on label A
   Files encountered: File has labels A and B.
   Incident behavior: No incident is created.
4. Keyword "confidential" AND Does not contain label "Confidential"
   Files encountered: File has the keyword "confidential" but does not have the Confidential label applied.
   Incident behavior: 1 keyword match and 1 match for the classification rule. Reports a hard-coded, localized string: "Did not find expected label(s)."
5. Does not match on labels A or B
   Files encountered: File has label C.
   Incident behavior: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."
6. Does not match on labels A or B
   Files encountered: File has label C (from a different tenancy).
   Incident behavior: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."
7. Does not match on labels A or B
   Files encountered: File has labels C, D, E, and F.
   Incident behavior: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."
8. Does not match on labels A or B
   Files encountered: File has no label.
   Incident behavior: Generates an incident: 1 match. Reports a hard-coded, localized string: "Did not find expected label(s)."
9. Match when not AIP classified
   Files encountered: File has no label.
   Incident behavior: Generates an incident: 1 match. Reports a hard-coded, localized string: "No labels were found."
10. Match when not AIP classified
   Files encountered: File contains label A from the taxonomy and label B not belonging to the taxonomy.
   Incident behavior: No incident is generated.
11. Match when not AIP classified
   Files encountered: File contains labels A and B, neither of which is in the taxonomy.
   Incident behavior: 1 match (since no labels are to be displayed).
12. Match on any label (in tenancy)
   Files encountered: File has a label from said tenancy.
   Incident behavior: 1 match. Reports <Parent-Label-Name> \ <Child-Label-Name> \ <GUID>.
13. Match on any label
   Files encountered: File has multiple labels from the taxonomy.
   Incident behavior: Multiple matches: one for each label found belonging to the taxonomy.
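The rows of Table 330 (email headers, site ID plus label GUID) and Table 331 (files, match / does not match / not classified / any label) follow one set of rules, which the following added example encodes so that the outcomes can be checked row by row. This is example code written for this page, not Symantec's implementation: the Label and Taxonomy records, the rule tuples, the tenant and label GUIDs, and the msip_labels header layout (assumed here to carry MSIP_Label_<GUID>_SiteId and MSIP_Label_<GUID>_Enabled properties) are all assumptions of the example.

```python
"""
Constructed walk-through of the label-matching outcomes in Tables 330 and 331.
Example code added for this page, not Symantec's implementation: the Label and
Taxonomy records, the rule tuples, the identifiers below, and the msip_labels
header layout are assumptions.
"""
import re
from dataclasses import dataclass

# Strings reported for the "does not match" and "not classified" outcomes (Table 331).
NOT_FOUND = "Did not find expected label(s)."
NO_LABELS = "No labels were found."

# Constructed identifiers: one tenant (site ID), a foreign tenant, and label GUIDs.
TENANT_SITE = "aaaaaaaa-0000-0000-0000-000000000001"
OTHER_SITE = "bbbbbbbb-0000-0000-0000-000000000002"
LABEL_A = "11111111-1111-1111-1111-111111111111"
LABEL_B = "22222222-2222-2222-2222-222222222222"
LABEL_C = "33333333-3333-3333-3333-333333333333"


@dataclass(frozen=True)
class Label:
    guid: str
    site_id: str


@dataclass(frozen=True)
class Taxonomy:
    """Labels synchronized from one tenant through the classification credential profile."""
    site_id: str
    names: dict  # guid -> "Parent \\ Child"

    def contains(self, label):
        # A label belongs to the taxonomy only if both the site ID and the GUID match.
        return label.site_id == self.site_id and label.guid in self.names

    def display(self, label):
        return f"{self.names[label.guid]} \\ {label.guid}"


# Assumed header layout: MSIP_Label_<guid>_<Property>=<value>; ...
HEADER_RE = re.compile(r"MSIP_Label_([0-9a-f-]{36})_(\w+)=([^;]*)", re.I)


def parse_msip_labels(header):
    """Collect the labels carried in an msip_labels email header (assumed layout)."""
    props = {}
    for guid, key, value in HEADER_RE.findall(header):
        props.setdefault(guid.lower(), {})[key.lower()] = value.strip()
    return [Label(guid, p.get("siteid", "")) for guid, p in props.items()
            if p.get("enabled", "true").lower() == "true"]


def evaluate(condition, labels, taxonomy, text=""):
    """Return (match_count, displayed_strings) for one rule condition."""
    kind = condition[0]
    in_tax = [lab for lab in labels if taxonomy.contains(lab)]
    if kind == "match":            # Content matches: one match per listed label found
        hits = [lab for lab in in_tax if lab.guid in condition[1]]
        return len(hits), [taxonomy.display(lab) for lab in hits]
    if kind == "not_match":        # Content does not match: none of the listed labels present
        if any(lab.guid in condition[1] for lab in in_tax):
            return 0, []
        return 1, [NOT_FOUND]
    if kind == "not_classified":   # Content is not classified by this tenant (rows 9 to 11)
        if in_tax:
            return 0, []
        return 1, ([NO_LABELS] if not labels else [])
    if kind == "any_label":        # Content is classified: one match per taxonomy label
        return len(in_tax), [taxonomy.display(lab) for lab in in_tax]
    if kind == "keyword":          # Plain keyword condition, used to show AND composition (row 4)
        n = len(re.findall(re.escape(condition[1]), text, re.I))
        return n, [condition[1]] * n
    raise ValueError(f"unknown condition {kind!r}")


def evaluate_rule(conditions, labels, taxonomy, text=""):
    """AND all conditions of one rule: a zero-match condition suppresses the incident,
    otherwise match counts and displayed strings accumulate across conditions."""
    total, shown = 0, []
    for cond in conditions:
        count, strings = evaluate(cond, labels, taxonomy, text)
        if count == 0:
            return 0, []
        total += count
        shown += strings
    return total, shown


TAXONOMY = Taxonomy(TENANT_SITE, {LABEL_A: "Confidential \\ All Employees",
                                  LABEL_B: "Confidential \\ Recipients Only"})

if __name__ == "__main__":
    # Table 331 row 1: file labelled A and C, rule "match on labels A or B".
    print(evaluate_rule([("match", {LABEL_A, LABEL_B})],
                        [Label(LABEL_A, TENANT_SITE), Label(LABEL_C, TENANT_SITE)], TAXONOMY))
    # Table 330 "second tenant" row: a label whose site ID is another tenant's is ignored.
    hdr = f"MSIP_Label_{LABEL_A}_Enabled=true; MSIP_Label_{LABEL_A}_SiteId={OTHER_SITE}"
    print(evaluate_rule([("not_classified",)], parse_msip_labels(hdr), TAXONOMY))
```

The site-ID check in Taxonomy.contains is what separates rows 5 and 6 of Table 331 (label C, same or different tenancy) from row 10, and it is the same check that makes the "second tenant" row of Table 330 fire the not-classified condition rather than the match condition.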
Troubleshooting the Symantec integration with MIP for DLP
For troubleshooting issues with the Symantec integration with MIP for DLP, you can enable verbose-level logging for the content
extraction service (ContentExtractionHost_FileReader.log) and for the MIP SDK by performing the
following steps.
1. Open <installation_dir>/Symantec/DataLossPrevention/DetectionServer/<version>/Protect/config/log4cxx_config_filereader.xml.
2. Change the default value from info to trace in the following XML section in the file:
<category name="cehost">
<priority value ="info"/>
<appender-ref ref="cehostAppender"/>
</category>
3. Open <installation_dir>/Symantec/DataLossPrevention/ContentExtractionService/<version>/Plugins/Protect/plugins/contentextraction/MicrosoftInformationProtectionPlugin/plugin_settings.txt.
4. Set the value of mip_log_level to Trace.
NOTE
On Windows, the MIP SDK log file is created under
C:\Users\<dlp user>\AppData\Local\Temp\DetectionServerContentExtractionTemporary<temp id>\mip\logs.
On Linux, the MIP SDK log file is created under
/tmp/DetectionServer/ContentExtractionTemporary<temp id>/mip/logs.
Share the steps to reproduce the issue and the verbose logs with Symantec Enterprise Security Support. If possible,
share the original, unprotected email or file with Support.
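Steps 2 and 4 above are two small edits to two configuration files, and a hand edit of log4cxx_config_filereader.xml can easily change the wrong category's priority. The following added example (written for this page, not Symantec code) changes only the priority inside the cehost category, fails loudly if that category is absent, and sets a key in plugin_settings.txt; it assumes that plugin_settings.txt is a key=value file, which the page does not document, and the two sample file contents are constructed.

```python
"""
Constructed helper for the two log-level changes in the troubleshooting steps.
Added example, not Symantec code. It edits only the <category name="cehost">
block of log4cxx_config_filereader.xml and leaves every other byte of the file
untouched; the key=value layout assumed for plugin_settings.txt is an assumption.
"""
import re

# Constructed, abbreviated stand-in for log4cxx_config_filereader.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="cehostAppender"/>
  <category name="other">
    <priority value="warn"/>
  </category>
  <category name="cehost">
    <priority value ="info"/>
    <appender-ref ref="cehostAppender"/>
  </category>
</log4j:configuration>
"""

# Constructed stand-in for plugin_settings.txt (key=value layout is assumed).
SAMPLE_SETTINGS = "# constructed sample\nmip_log_level=Info\nother_setting=1\n"


def _category_pattern(name):
    # Group 1: from <category name="..."> up to the opening quote of the priority value.
    # The tempered (?:(?!</category>).)*? cannot run past the category's closing tag, so a
    # category without a <priority> never steals the next category's element.
    return re.compile(
        r'(<category\s+name="' + re.escape(name) + r'"[^>]*>'
        r'(?:(?!</category>).)*?<priority\s+value\s*=\s*")([^"]*)(")', re.S)


def get_category_priority(xml_text, name="cehost"):
    """Return the current priority value of one log4cxx category, or None if absent."""
    m = _category_pattern(name).search(xml_text)
    return m.group(2) if m else None


def set_category_priority(xml_text, level, name="cehost"):
    """Return xml_text with the named category's priority set to level.
    Raises LookupError when the category is missing, so a typo never silently
    leaves logging unchanged."""
    new_text, n = _category_pattern(name).subn(
        lambda m: m.group(1) + level + m.group(3), xml_text, count=1)
    if n != 1:
        raise LookupError(f'no <category name="{name}"> with a <priority> element')
    return new_text


def get_setting(text, key):
    """Read key from a key=value settings file; comment lines start with #."""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#") or "=" not in s:
            continue
        k, v = s.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def set_setting(text, key, value):
    """Set key=value, preserving all other lines and comments; appends the key if absent."""
    out, found = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s.startswith("#") and "=" in s and s.split("=", 1)[0].strip() == key:
            line, found = f"{key}={value}", True
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Step 2: info -> trace for the cehost category only.
    verbose = set_category_priority(SAMPLE_XML, "trace")
    print(get_category_priority(verbose), get_category_priority(verbose, "other"))
    # Step 4: mip_log_level -> Trace.
    print(get_setting(set_setting(SAMPLE_SETTINGS, "mip_log_level", "Trace"), "mip_log_level"))
    # Once the logs have been collected, the same calls restore the defaults.
    print(set_category_priority(verbose, "info") == SAMPLE_XML)
```

Because only the priority value itself is replaced, applying set_category_priority with "info" again returns the file byte-for-byte as it was, which makes restoring the default after the logs have been collected a verifiable step rather than a second hand edit.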
Configuring the connection between the Enforce Server and Data Insight
Before you can use the information from Veritas Data Insight, you need to configure the connection to the Veritas Data
Insight Management Server.
You can also optionally configure the risk score and other options for the report of folders at risk. The risk score is based
on relevant information from the Symantec Data Loss Prevention incidents plus the information from the Veritas Data
Insight Management Server.
1. Click System > Settings > Data Insight from the Enforce Server administration console.
The Data Insight page in the Enforce Server administration console is now accessible to all Network Discover
customers without a license file. After adding a Network Discover license, you will be able to configure the Data Insight
connection and lookup plugins. For this, you should restart the Symantec DLP Manager and Symantec Incident
Persister services.
2. Click Configure.
3. Enter the Host Name of the Veritas Data Insight Management Server. The Host Name may need to match the host
name in the certificate.
4. Enter the Port number of the Veritas Data Insight Management Server. The default is 443.
5. Click Retrieve Certificate.
This retrieval sends a request to the specified Veritas Data Insight Management Server to obtain its SSL certificate.
6. Click Yes to trust the certificate.
Verify that the certificate is returned from the Veritas Data Insight Management Server and that it is the correct
certificate.
7. Enter the logon information for the Veritas Data Insight Management Server.
• Select Use Saved Credentials to use a credential that is saved in the credential store.
Then enter the name of the saved credential.
• Select Use These Credentials to enter the credentials here.
• Enter the Username and Password, and Re-enter Password.
8. Click Test Connection to verify the connection to the Veritas Data Insight Management Server.
This tests the connection to the Veritas Data Insight Management Server using the specified credentials. This Test
Connection operation is available only after the server certificate is verified. If the test is successful, the system
displays the message: "The test connection succeeded." If the test is not successful, verify the connection parameters
and credentials.
9. Optionally, you can configure the risk score and timeframes for the report of folders at risk. Generally, the defaults are
acceptable.
Configuring the risk score and timeframes for the report of folders at risk
10. Optionally, you can also configure the data refresh schedule to retrieve the information from the Data Insight
Management Server.
Changing Data Insight refresh intervals
Viewing Local Telemetry Reports
Local telemetry reports are saved as CSV files that you can download.
To download and view a local telemetry report, follow these steps:
1. In the Enforce Server administration console, navigate to System > Telemetry Report.
2. In the Generated Reports pane of the Telemetry Reporting page, click the download button next to the report that
you want to view.
3. When prompted, save the CSV file to the desired location.
4. Open the downloaded file to view the collected telemetry data.
For information about the metrics that are included in local telemetry reports, see Telemetry Reporting.
Related Links
Generating Local Telemetry Reports on page 709
The Telemetry Report page of the Enforce Server administration console enables you to generate granular reports about
various aspects of your DLP environment. The collected data is stored locally and is not shared with Broadcom.
Telemetry Reporting
The Telemetry Reporting page of the Enforce Server administration console enables you to generate granular reports
about various aspects of your DLP environment. The collected data is stored locally and is not shared with Broadcom.
Local telemetry reports are saved as CSV files that you can download.
For information about generating and viewing local telemetry reports, see:
• Generating Local Telemetry Reports
• Viewing Local Telemetry Reports
The following table describes the reporting options on the Telemetry Reporting page.
Setting: Description
Enforce Reporting toggle button: Enables and disables telemetry for the Enforce Server.
Enforce Reporting section: Expand the Enforce Reporting section to view the list of Enforce Server-related metrics that you can include in the local telemetry report.
Data Profile Metrics toggle button: Adds the following metrics to the local telemetry report:
• Total number of EDM profiles
• Total number of EMDI profiles
• Total number of IDM profiles
• Total number of VML profiles
• Total number of form recognition profiles
Detection Rule Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of active policies by detection condition type
Detection Server Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of active policies by detection server
• Number of detection servers by server type
• Number of policy groups by detection server
• Number of active policies by detection server
• Total number of detection servers
Enforce Server Metrics toggle button: Adds the following metrics to the local telemetry report:
• Enforce server ID
• Enforce server version
• OS version
• Total number of CPUs
• Total amount of RAM (GB)
Group Rule Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of active policies by group rule type
Incident Metrics toggle button: Adds the following metrics to the local telemetry report:
• Is Data Access Governance being used?
• Is Data Insight being used?
• Total number of custom attributes
• Total number of incidents
• Total number of incidents in database
• Total number of incidents in external storage
• Total number of lookup plugins
Policy Group Metrics toggle button: Adds the following metrics to the local telemetry report:
• Total number of policy groups
• Number of policies per policy group
Policy Metrics toggle button: Adds the following metrics to the local telemetry report:
• Is OCR enabled?
• Number of active policies
• Number of keywords per keyword condition
• Number of patterns per sender/recipient pattern condition
• Total number of policies
• Total number of policy exceptions
• Total number of policy rules
• Total number of recipient patterns
• Total number of sender patterns
Response Rule Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of automated response rules
• Number of smart response rules
• Total number of response rules
User/Role Metrics toggle button: Adds the following metrics to the local telemetry report:
• Number of user logins
• Total number of roles
• Total number of users
NOTE
Using ICA with Network Discover and Endpoint Discover detection is not supported.
Complete the following steps to implement user risk with Symantec Data Loss Prevention:
1. Create an API user in ICA to enable the connection between ICA and DLP. See Create an API user in ICA.
2. Connect Symantec Data Loss Prevention to ICA. See Adding ICA User Source Data.
3. Create a policy that detects on user risk.
You can use the following policy features to detect on user risk:
• Add a User Risk Score context match condition to a policy. See Adding a Rule to a Policy.
• Add a User Risk response rule condition. See Configuring the User Risk Response Condition.
4. Review incidents. See Reviewing the User Risk in Incidents.
Where <username> and <password> are values you define. After you create the user name and password, you can
add ICA user source data to Symantec Data Loss Prevention.
See Adding ICA User Source Data.
Managing Detection Servers
Manage your detection servers.
Installing and managing detection servers and cloud detectors
Managing Log Files
Using Symantec Data Loss Prevention utilities
Increasing the inspection content size
About managing Symantec Data Loss Prevention servers
Symantec Data Loss Prevention servers and cloud detectors are managed from the System > Servers and Detectors >
Overview screen. This screen provides an overview of your system, including server status and recent system events. It
displays summary information about all Symantec Data Loss Prevention servers, a list of recent error and warning events,
and information about your license. From this screen you can add or remove detection servers.
• Click on the name of a server to display its Server/Detector Detail screen, from which you can control and configure
that server.
Installing a new license file
About the Enforce Server administration console
About the Overview screen
Server/Detector Detail screen
Adding a detection server
Adding a cloud detector
Removing a server
Server controls
Server configuration—basic
MIP Encryption Insight: The MIP Encryption Insight solution supports Azure RMS file and email monitoring on both Windows and Linux detection servers.
Complete the prerequisite tasks and install the AIP Insight plugin on the detection server.
See About the Symantec integration with MIP for DLP for more details on deployment.
Azure RMS: The Azure RMS solution supports file monitoring on Windows detection servers only.
Install the RMS client, version 2.1, on the detection server.
See Enabling Microsoft Rights Management file monitoring for more details on deployment.
AD RMS: The AD RMS solution supports file monitoring on Windows detection servers only.
• Install the RMS client, version 2.1, on the detection server using a domain service user that is added to the
AD RMS Super Users group. Only file monitoring is available with this client.
• Provide both the AD RMS Service User and the DLP Service User with Read and Execute permissions to
access ServerCertification.asmx. Refer to the Microsoft Developer Network for additional details:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms?redirectedfrom=MSDN.
• Add the detection server to the AD RMS server domain.
• Run the detection server services using a domain user that is a member of the AD RMS Super Users group.
See Enabling Microsoft Rights Management file monitoring for more details on deployment.
Enabling Microsoft Rights Management file monitoring
Symantec Data Loss Prevention can detect files that are encrypted using Microsoft Rights Management (RMS)
administered by Azure or Active Directory (AD).
Before you enable Microsoft Rights Management file monitoring, confirm that prerequisites for the RMS environment and
the detection server have been completed.
Enabling RMS detection for Azure-managed RMS
For Azure RMS, complete the following on each detection server to enable RMS file monitoring:
1. Locate Enable-Plugin.ps1 on the detection server at the following path:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction
2. Run the following command and answer its prompts:
C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\ConfigurationCreator.exe
Do you want to configure ADAL authentication [y/n]: n
Do you want to configure symmetric key authentication [y/n]: y
Enter your symmetric key (base-64): [user's Azure RMS symmetric key]
Enter your app principal ID: [user's Azure RMS app principal ID]
Enter your BPOS tenant ID: [user's Azure RMS BPOS tenant ID]
After running this script, the following files are created in the MicrosoftRightsManagementPlugin folder at \Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction:
• rightsManagementConfiguration
• rightsManagementConfigurationProtection
4. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
Enabling RMS detection for AD-managed RMS
For AD RMS, complete the following on each detection server to enable RMS file monitoring:
1. Run the plugin, Enable-Plugin.ps1, which is located at \Program Files\Symantec\DataLossPrevention\Protect\bin on the Enforce Server.
powershell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Symantec\DataLossPrevention\ContentExtractionService\16.0.10000\Plugins\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin\Enable-Plugin.ps1"
2. Restart each detection server to complete the process.
NOTE
You can confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing
the ContentExtractionHost_FileReader.log file (located at \ProgramData\Symantec
\DataLossPrevention\DetectionServer\16.0.10000\logs\debug). Error messages that display
for the MicrosoftRightsManagementPlugin.cpp item indicate that the plugin is not monitoring RMS
content.
Table 333: Advanced processes describes the individual processes and the servers on which they run once advanced
process control is enabled.
Table 333: Advanced processes (Process: Description. Control)
Monitor Controller: The Monitor Controller process controls detection servers. The MonitorController Status is available for the Enforce Server.
File Reader: The File Reader process detects incidents. The FileReader Status is available for all detection servers.
Incident Writer: The Incident Writer process sends incidents to the Enforce Server. The IncidentWriter Status is available for all detection servers, unless they are part of a single-tier installation, in which case there is only one Incident Writer process.
Packet Capture: The Packet Capture process captures network streams. The PacketCapture Status is available for Network Monitor.
Request Processor: The Request Processor processes SMTP requests. The RequestProcessor Status is available for Network Prevent for Email.
Endpoint Server: The Endpoint Server process interacts with Symantec DLP Agents. The EndpointServer Status is available for Endpoint Prevent.
Detection Server Database: The Detection Server Database process is used for automated incident remediation tracking. The DetectionServerDatabase Status is available for Network Discover.
Server configuration—basic
Server controls
Servers and their processes are controlled from the Server/Detector Detail screen.
• To reach the Server/Detector Detail screen for a particular server, go to the System > Servers and Detectors >
Overview screen and click a server name, detector name, or appliance name in the list.
Server/Detector Detail screen
The status of the server and its processes appears in the General section of the Server/Detector Detail screen. The
Start, Recycle and Stop buttons control server and process operations.
Current status of the server is displayed in the General section of the Server/Detector Detail screen. The possible values
are:
Status (each status is shown with an icon):
• Running Selected: Some processes on the server are stopped or have errors. To see the statuses of individual
processes, you must first enable Advanced Process Control on the System Settings screen.
• Stopping: In the process of stopping.
• To update the status, click the refresh icon in the upper-right portion of the screen, as needed.
About Symantec Data Loss Prevention administration
About the Overview screen
Server/Detector Detail screen
Server configuration—basic
System events reports
Server and Detectors event detail
Server configuration—basic
Enforce Servers are configured from the System > Settings > General menu.
Working with General Settings
Detection servers and detectors are configured from each server's individual Configure Server screen.
To configure a server
1. Go to the System > Servers and Detectors > Overview screen.
2. Click on the name of the server in the list.
That server's Server/Detector Detail screen is displayed. The following buttons are in the upper-left portion of a
Server/Detector Detail:
• Done. Click Done to return to the previous screen.
• Configure. Click Configure to specify a basic configuration for this server.
• Server Settings. Click Server Settings to specify advanced configuration parameters for this server. Use caution
when modifying advanced server settings. It is recommended that you check with Symantec Support before
changing any of the advanced settings.
Server and detector configuration—advanced
For a Network Discover Cluster, the Discover Cluster Details screen is displayed. See View Information on the Discover Cluster
Details Screen.
3. Click Configure or Server Settings to display a configuration screen for that type of server.
4. Specify or change settings on the screen as needed, and then click Save.
Click Cancel to return to the previous screen without changing any settings.
NOTE
A server must be recycled before new settings take effect.
Server controls
The Configure Server screen contains a General section for all detection servers that contains the following parameters:
• Name. The name you choose to give the server. This name appears in the Enforce Server administration console
(System > Servers and Detectors > Overview). The name is limited to 255 characters.
For Network Discover Cluster, enter the name of the cluster in Discover Cluster Name.
• Host. The host name or IP address of the system hosting the server. Host names must be fully qualified. If the host
has more than one IP address, specify the address on which the detection server listens for connections to the Enforce
Server.
For Network Discover Cluster, enter the host name or IP address of the data node in Data Node Host.
NOTE
You can update the cluster name and IP address of the data node in the Discover Cluster Name and Data
Node Host fields only when there are no scans running.
• Port. The port number used by the detection server to communicate with the Enforce Server. The default is 8100.
For Single Tier Monitors, the Host field on the Configure Server page is pre-populated with the local IP address
127.0.0.1. You cannot change this value.
The next portions of a Configure Server screen vary according to the type of server, except for the OCR Engine and
Detection tabs, which are common to all servers.
Click the OCR Engine tab to set up a connection to an OCR server.
About content detection with OCR Sensitive Image Recognition
Click the Detection tab to customize the Inspection Content Size.
Network Discover Server and Network Protect—basic configuration
Endpoint Server—basic configuration
Single Tier Monitor — basic configuration
Server/Detector Detail screen
Field: Description
Source Folder Override: The source folder is the directory that the server uses to buffer network streams before it
processes them. The recommended setting is to leave the Source Folder Override field blank to accept the default.
If you want to specify a custom buffer directory, type the full path to the directory.
Network Interfaces: Select the network interface card to use for monitoring. To monitor a NIC, Npcap software must be
installed on the Network Monitor Server.
To override the inherited filtering settings for a protocol, click the name of the protocol. The following custom settings are
available (some settings may not be available for some protocols):
• IP filter
• L7 sender filter
• L7 recipient filter
• Content filter
• Search Depth (packets)
• Sampling rate
• Maximum wait until written
• Maximum wait until dropped
• Maximum stream packets
• Minimum stream size
• Maximum stream size
• Segment Interval
• No traffic notification timeout (The maximum value for this setting is 360000 seconds.)
Use the SMTP Copy Rule to modify the source folder where this server retrieves SMTP message files. You can modify
the Source Folder by entering the full path to a folder.
In addition to the settings available through the Configure Server screen, you can specify advanced settings for this
server. To specify advanced configuration parameters, click Server Settings on the Server/Detector Detail screen.
Use caution when modifying advanced server settings. Check with Symantec Support before you change any advanced
setting.
For instructions on setting up the Secure ICAP client configuration with ProxySG, see the ProxySG documentation at
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3.html
• The Request Filtering section configures traffic filtering criteria:
Ignore Requests Smaller Than: Specify the minimum body size of HTTP requests to inspect on this server. The default value is 4096 bytes. HTTP requests with bodies smaller than this number are not inspected.
Ignore Requests from Hosts or Domains: Enter the host names or domains whose requests should be filtered out (ignored). Enter one host or domain name per line.
Ignore Requests from User Agents: Enter the names of user agents whose requests should be filtered out (ignored). Enter one agent per line.
• The Response Filtering section configures the filtering criteria to manage HTTP responses:
Ignore Responses Smaller Than: Enter the minimum body size of HTTP responses to inspect on this server. The default value is 4096 bytes. HTTP responses with bodies smaller than this number are not inspected.
Inspect Content Type MIME types: Specify the MIME content types that you want this server to monitor. By default, this field contains content type values for standard Microsoft Office, PDF, and plain-text formats. You can add other MIME content type values. Enter separate content types on separate lines. For example, to inspect Excel files enter application/vnd.ms-excel.
Ignore Responses from Hosts or Domains: Enter the host names or domains whose responses are to be ignored. Enter one host or domain name per line.
Ignore Responses to User Agents: Enter the names of user agents whose responses are to be ignored. Enter one user agent per line.
• Click the OCR Engine tab to add an OCR Engine Configuration profile. Scroll to select a configuration.
• Click the Detection tab to change the Inspection Content Size.
• The Connection section configures settings for the ICAP connection between an HTTP proxy server and the Network
Prevent for Web Server:
TCP Port: Specify the TCP port number that this server is to use to listen to ICAP requests. The same value must be configured on the HTTP proxy sending ICAP requests to this server. The recommended value is 1344.
Maximum Number of Requests: Enter the maximum number of simultaneous ICAP request connections. The default is 25.
Maximum Number of Responses: Enter the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies that are allowed. The default is 25.
Connection Backlog: Enter the maximum number of waiting connections allowed. Each waiting connection means that a user waits at their browser. The minimum value is 1.
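The Request Filtering, Response Filtering and Connection settings above decide which ICAP traffic ever reaches detection, so it is worth being able to test a planned configuration against sample traffic before relying on it. The following added example (written for this page, not Symantec code) models those settings and their defaults as plain data and shows how the criteria compose; two points the page does not spell out are assumptions of the example: a "Hosts or Domains" entry is taken to cover the host itself and every host beneath that domain, a "User Agents" entry is matched case-insensitively against the start of the User-Agent string, and the default MIME type list is a constructed subset.

```python
"""
Constructed model of the Request Filtering, Response Filtering and Connection
settings of a Network Prevent for Web Server. Added example, not Symantec code.
Assumptions: domain entries cover subdomains, user-agent entries are matched as
case-insensitive prefixes, and MIME types are compared on the media type only.
"""
from dataclasses import dataclass, field

# Constructed subset of the default "Inspect Content Type MIME types" list.
DEFAULT_MIME_TYPES = {"application/pdf", "text/plain",
                      "application/msword", "application/vnd.ms-excel"}


@dataclass
class RequestFilter:
    ignore_smaller_than: int = 4096                        # bytes, page default
    ignore_hosts: set = field(default_factory=set)         # Ignore Requests from Hosts or Domains
    ignore_user_agents: set = field(default_factory=set)   # Ignore Requests from User Agents


@dataclass
class ResponseFilter:
    ignore_smaller_than: int = 4096                        # bytes, page default
    inspect_mime_types: set = field(default_factory=lambda: set(DEFAULT_MIME_TYPES))
    ignore_hosts: set = field(default_factory=set)         # Ignore Responses from Hosts or Domains
    ignore_user_agents: set = field(default_factory=set)   # Ignore Responses to User Agents


@dataclass
class ConnectionSettings:
    tcp_port: int = 1344        # recommended value on the page
    max_requests: int = 25      # page default
    max_responses: int = 25     # page default
    backlog: int = 1            # page minimum

    def problems(self):
        """List the settings that fall outside the limits stated on the page."""
        out = []
        if not 1 <= self.tcp_port <= 65535:
            out.append("TCP Port must be between 1 and 65535")
        if self.max_requests < 1 or self.max_responses < 1:
            out.append("Maximum Number of Requests/Responses must be at least 1")
        if self.backlog < 1:
            out.append("Connection Backlog must be at least 1")
        return out


def host_matches(host, entries):
    """True if host equals an entry or lies under an entry's domain (assumed semantics)."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def user_agent_matches(user_agent, entries):
    """Case-insensitive prefix comparison of the User-Agent string (assumed semantics)."""
    ua = user_agent.lower()
    return any(ua.startswith(entry.lower()) for entry in entries)


def media_type(content_type):
    """'application/pdf; charset=binary' -> 'application/pdf'."""
    return content_type.split(";", 1)[0].strip().lower()


def inspect_request(f, body_size, host, user_agent):
    """Decide whether an HTTP request body is handed to detection."""
    if body_size < f.ignore_smaller_than:
        return False
    if host_matches(host, f.ignore_hosts) or user_agent_matches(user_agent, f.ignore_user_agents):
        return False
    return True


def inspect_response(f, body_size, content_type, host, user_agent):
    """Decide whether an HTTP response body is handed to detection."""
    if body_size < f.ignore_smaller_than:
        return False
    if media_type(content_type) not in f.inspect_mime_types:
        return False
    if host_matches(host, f.ignore_hosts) or user_agent_matches(user_agent, f.ignore_user_agents):
        return False
    return True


if __name__ == "__main__":
    rf = RequestFilter(ignore_hosts={"example.com"}, ignore_user_agents={"BackupAgent/"})
    # A small body is skipped; a large body from a subdomain of an ignored domain is skipped too.
    print(inspect_request(rf, 100, "upload.partner.test", "Mozilla/5.0"))
    print(inspect_request(rf, 5000, "intranet.example.com", "Mozilla/5.0"))
    # Content-Type parameters do not defeat the MIME type list.
    print(inspect_response(ResponseFilter(), 8192, "application/pdf; charset=binary",
                           "files.partner.test", "Mozilla/5.0"))
    print(ConnectionSettings(backlog=0).problems())
```

Note that "notexample.com" is not under "example.com" with this suffix rule, because the comparison requires the dot boundary; that is exactly the kind of edge a plain endswith check would get wrong.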
Use caution when modifying Advanced Server settings. Check with Symantec Support before you change any advanced
setting.
A Network Discover Server's Configure Server screen is divided into the following sections:
• General section. This section is for specifying the server's name, host, and port.
Server configuration—basic
• Discover tab. This tab is for modifying the number of parallel scans that run on this Discover Server.
The maximum count can be increased at any time. After it is increased, any queued scans that are eligible to run on
the Network Discover Server are started. The count can be decreased only if the Network Discover Server has no
running scans. Before you reduce the count, pause or stop all scans running on the server.
To view the scans running on Network Discover Servers, go to Manage > Discover Scanning > Discover Targets.
In addition to the settings available through the Configure Server screen, you can also specify advanced settings for
this server. To specify advanced configuration parameters, click Server Settings on the Server/Detector Detail screen.
Use caution when modifying advanced server settings. It is recommended that you check with Symantec Support before
changing any of the advanced settings.
• Agent Listener section. Use this section to configure the Endpoint Prevent Server to listen for connections
from Symantec DLP Agents.
• Certificate Configuration section. Use this section to specify which certificate is used to authenticate and secure
communications with DLP Agents.
Agent Listener section
Bind address: Enter the IP address on which the Endpoint Prevent Server listens for communications from the Symantec
DLP Agents. The default IP address is 0.0.0.0, which allows the Endpoint Prevent Server to listen on all host IP
addresses.
Port: Enter the port over which the Endpoint Prevent Server listens for communications from the Symantec DLP Agents.
Note: Many Linux systems restrict ports below 1024 to root access. The Endpoint Prevent Server cannot be configured
to listen for connections from Symantec DLP Agents on these restricted ports on Linux systems.
Certificate Configuration section
KeyStore: Select the keystore that contains the certificate and key that identify the Endpoint Prevent Server. You can
select either the DLP Default KeyStore, which contains the self-signed certificate and key, or a custom keystore that
you added.
TrustStore: Select the truststore that contains the certificate and key that the Endpoint Prevent Server uses to validate
endpoint certificates. You can select either the DLP Default TrustStore, which contains the self-signed certificate and
key, or a custom truststore that you added.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom
certificates.
NOTE
If you are using FIPS 140-2 mode for communication between the Endpoint Prevent Server and DLP Agents,
do not use Diffie-Hellman (DH) cipher suites. Mixing cipher suites prevents the agent and Endpoint
Prevent Server from communicating. You can confirm the current cipher suite setting by referring to the
EndpointCommunications.SSLCipherSuites setting on the Server Settings page.
Editing a detector
You can change the name of your detector on the Server/Detector Detail screen.
Editing the name of a detector
1. Go to System > Servers and Detectors > Overview and click on the name of the detector.
The Server/Detector Detail screen appears.
2. Click Edit.
The Edit Detector page appears.
3. Enter a new name for the detector in the Detector Name field.
4. Click Save.
You can add the following types of servers:
• Network Monitor Server, which monitors network traffic.
• Network Discover Server, which inspects stored data for policy violations.
• Network Prevent for Email Server, which prevents SMTP violations.
• Cloud Prevent for Email Server, which prevents Microsoft Office 365 Exchange traffic violations.
• Network Prevent for Web Server, which prevents violations in the traffic that an ICAP proxy server forwards to it, such
as FTP, HTTP, and HTTPS.
• Endpoint Prevent Server, which controls Symantec DLP Agents that monitor and scan endpoints.
• Network Discover Cluster Server, which inspects stored data for policy violations.
• Single-Tier Server: By selecting the Single-Tier Server option, the detection servers that you have licensed are
installed on the same host as the Enforce Server. The single-tier server performs detection for the following products
(you must have a license for each): Network Monitor, Network Discover, Network Prevent for Email, Network Prevent
for Web, and Endpoint Prevent.
NOTE
Symantec recommends that you apply the same hardware and software configuration to all of the detection
servers that you intend to use for grid scans. Symantec Data Loss Prevention supports grid scans that have up
to 11 participating detection servers.
To add a detection server
1. Go to the System Overview screen (System > Servers and Detectors > Overview).
2. Click Add Server.
The Software Server screen appears.
3. Select the type of server you want to install and click Next.
The Configure Server screen for that detection server appears.
4. To perform the basic server configuration, use the Configure Server screen, then click Save when you are finished.
See Network Monitor Server—basic configuration
See Network Prevent for Email Server—basic configuration
See Symantec Data Loss Prevention Cloud Prevent for Microsoft 365 Implementation Guide for more details.
See Network Prevent for Web Server—basic configuration
See Network Discover Server and Network Protect—basic configuration
See Endpoint Prevent Server—basic configuration
5. In addition to the configuration steps specific to each server, you can configure the OCR Engine or Detection server
Inspection Content Size from tabs on this screen.
See Creating an OCR Configuration
See Increasing the inspection content size
6. To return to the System Overview screen, click Done.
Your new server is displayed in the Servers and Detectors list with a status of Unknown.
7. Click on the server to display its Server/Detector Detail screen.
See Server/Detector Detail screen
See View Information on the Discover Cluster Details Screen
8. Click [Recycle] to restart the server.
9. Click Done to return to the System Overview screen.
When the server is finished restarting, its status displays Running.
10. If necessary, click Server Settings on the Server/Detector Detail screen to perform Advanced Server configuration.
See the documentation for your cloud detector for more detailed information about the enrollment process.
After you have saved the enrollment bundle, register your cloud detector to enable communication between it and your
on-premises Enforce Server.
To register a cloud detector
1. Log on to the Enforce Server as Administrator.
2. Navigate to System > Servers and Detectors > Overview.
The Overview page appears.
3. Click Add Cloud Detector.
The Add Cloud Detector page appears.
4. Click Browse in the Enrollment Bundle File field.
5. Locate your saved enrollment bundle file, then enter a name in the Detector Name field.
6. Click Enroll Detector.
The Server/Detector Detail screen appears.
7. If necessary, click Detector Settings on the Server/Detector Detail screen to perform advanced detector
configuration.
8. Click Done.
It may take several minutes for the Enforce Server administration console to show that the cloud detector is running. To
verify that the detector was added, check the System > Servers and Detectors > Overview page. The detector should
appear in the Servers and Detectors list with the Connected status.
Adding an appliance
After you have set up the appliance, you can register your detection appliance at the Enforce Server administration
console.
To add a detection appliance
1. Log on to the Enforce Server administration console as administrator.
2. Go to System > Servers and Detectors.
3. Click Add Server...Appliance.
The Add an Appliance screen appears.
4. Choose a detection appliance type to add, then click Next.
Configuring an appliance
After you add an appliance and choose a detection appliance type, you can configure the appliance detection type.
Some of the configuration steps vary, depending on the server license you have purchased.
To configure the appliance identity, network information, and administrator credentials
1. Add a name for this appliance in the Appliance Name field.
2. Enter the 10-digit serial number that you received from Symantec in the Serial Number field.
3. Enter the host name or the IP address in the Hostname or IP Address field.
4. Enter admin in the User Name field.
5. Enter your administration password in the Password field.
6. Re-enter your password in the Re-enter Password field.
NOTE
This password is your console logon password that you configured previously. It is not your enable
password.
After you have set up the identity, network information, and administrator credentials, you can move on to enter
information specific to your detection appliance type.
Configuring the API Detection for Developer Apps Appliance
After you add the API Detection for Developer Apps Appliance, follow these configuration steps:
1. In the Enforce Server administration console, navigate to System > Servers and Detectors > Overview > Configure
Appliance
2. Add a name for this appliance in the Appliance Name field.
3. Enter the 10-digit serial number that you received from Symantec in the Serial Number field.
4. Enter the host name or the IP address in the Hostname or IP Address field.
5. Enter the port number in the Port field.
6. Enter admin in the User Name field.
7. Enter your administration password in the Password field.
8. Re-enter your password in the Re-enter Password field.
NOTE
This password is your console logon password that you configured previously. It is not your enable
password.
9. In the Upload keystore for SSL certificate field, click Browse to select your PKCS12 keystore file.
10. Enter the keystore password in the Keystore password field.
11. To enable TLS client authentication, check the Enable TLS client authentication box. Leave this box unchecked to
disable TLS client authentication.
12. Optional: If you enabled TLS client authentication, click Browse in the Upload truststore to validate client
certificate field to select your PKCS12 truststore file.
13. If you enabled TLS client authentication, enter the truststore password in the Truststore password field.
14. Click Save.
Removing a server
An Enforce Server administration console lists the detection servers registered with it on the System > Servers and
Detectors > Overview screen. If Symantec Data Loss Prevention is uninstalled from a detection server, or that server is
stopped or disconnected from the network, its status is shown as Unknown on the console.
NOTE
See Uninstalling a server for information about uninstalling Symantec Data Loss Prevention from a server.
A detection server can be removed (de-registered) from an Enforce Server administration console. When a detection
server is removed from an Enforce Server, its Symantec Data Loss Prevention services continue to operate. This means
that even though a detection server is de-registered from Enforce, it continues to function unless some action is taken
to halt it. In other words, even though it is removed from an Enforce Server administration console, a detection server
continues to operate. Incidents it detects are stored on the detection server. If a detection server is re-registered with an
Enforce Server, incidents detected and stored are then forwarded to Enforce.
1. Go to System > Servers and Detectors > Overview.
2. In the Servers and Detectors section of the screen, click the red X on a server's status line to remove it from this
Enforce Server administration console.
3. Click OK to confirm.
The server's status line is removed from the System Overview list.
Step 1: Copy the certificate file you want to import to the Enforce Server or Discover Server computer.
Step 2: Change the directory to where the JRE is located on the Enforce Server or Discover Server computer. Locate the
path based on the JRE type and the platform where your system is running:
• ServerJRE:
– Windows: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\lib\security
– Linux: /opt/Symantec/DataLossPrevention/ServerJRE/<version>/bin/java
• OpenJRE:
– Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre
– Linux: /opt/AdoptOpenJRE/jdk8u<version>-jre
Where <version> represents the installed JRE version.
Step 3: Execute the keytool utility with the -importcert option to import the public key certificate to the Enforce Server or
Discover Server keystore:
keytool -importcert -alias new_endpointgroup_alias -keystore ..\lib\security\cacerts -file my-domaincontroller.crt
In this example command, new_endpointgroup_alias is a new alias to assign to the imported certificate and
my-domaincontroller.crt is the path to your certificate. The relative path ..\lib\security\cacerts resolves only when
keytool is run from the JRE's bin directory; adjust it to match the directory you changed to in step 2. Before importing,
inspect the file (for example with keytool -printcert -file my-domaincontroller.crt) and confirm that its fingerprint
matches the certificate you expect: cacerts is the JRE's default truststore, so anything imported into it is trusted by
every Java process that uses it.
Step 4: When you are prompted, enter the password for the keystore. By default, the password is changeit. If you want,
you can change the password when prompted. To change the keystore password, use: keytool -storepasswd -keystore
..\lib\security\cacerts
Step 5: Answer Yes when you are asked if you trust this certificate.
Step 6: Restart the Enforce Server or Discover Server.
• The Cloud Detector button is used to register a cloud detector. When this screen is first viewed after installation, only
the Enforce Server is listed. You must register your cloud detectors with the Cloud Detector button. After you register
cloud detectors, they are listed in the Servers and Detectors section of the screen.
• The Appliance button is used to register an appliance. When this screen is first viewed after installation, only the
Enforce Server is listed. You must register your appliances with the Appliance button. After you register your
appliances, they are listed in the Servers and Detectors section of the screen.
• The System Readiness and Appliances Update button is used to access the System Readiness and Appliances
Update screen, where you can run tests to confirm database update readiness and update appliances.
• The Servers and Detectors section of the screen displays summary information about the status of each server,
detector, appliance, or Network Discover Cluster. It can also be used to remove (de-register) a server, detector,
appliance, or Network Discover Cluster.
• The Recent Error and Warning Events section shows the last five events of error or warning severity for any of the
servers listed in the Servers and Detectors section.
• The License section of the screen lists the Symantec Data Loss Prevention individual products that you are licensed
to use.
NOTE
For information about making sure that your network proxy is configured correctly for Microsoft Information
Protection, refer to the Microsoft documentation.
https://docs.microsoft.com/en-us/information-protection/develop/faqs-known-issues#error-proxyautherror-exception
https://docs.microsoft.com/en-us/azure/information-protection/requirements#firewalls-and-network-infrastructure
You can add local hosts to the Cloud Proxy safelist using the com.vontu.enforce.nonproxy.hosts property in the
Manager.properties file.
1. Open the Manager.properties file in a text editor.
2. Add a safelist entry to the file using the com.vontu.enforce.nonproxy.hosts property.
For example, to safelist the hosts 20.20.20.20 and 30.30.30.30, include this entry in your Manager.properties:
com.vontu.enforce.nonproxy.hosts=20.20.20.20|30.30.30.30
This setting does not perform DNS resolution or reverse IP lookup. If you have configured hostnames, you must
explicitly define both the hostname and IP address in your safelist. For example, if you have a host that is named
forty.com at the IP address 40.40.40.40, the safelist entry would be as follows:
com.vontu.enforce.nonproxy.hosts=40.40.40.40|forty.com
You can safelist Enforce Server direct connections to bypass the Cloud Proxy. Safelisting is defined in the property setting
nonproxy.hosts in the Enforce Server Protect.properties file.
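As an added illustration (example code, not from the Symantec DLP documentation or product), the following Python reads the com.vontu.enforce.nonproxy.hosts property out of Manager.properties text and applies the literal, no-DNS matching the text above describes. The sample properties content, the function names and the hostname-to-IP mapping passed to missing_counterparts are constructed for this example.

```python
"""Parse the Cloud Proxy safelist property and check destinations against it.

Added example, not part of the Symantec DLP documentation or product code.
The '|'-separated value format and the rule that no DNS or reverse lookup is
performed come from the documentation text; everything else is assumed.
"""
from __future__ import annotations

PROPERTY = "com.vontu.enforce.nonproxy.hosts"

# Constructed sample of the relevant lines of a Manager.properties file.
SAMPLE_PROPERTIES = """\
# Enforce Server direct connections that bypass the Cloud Proxy
com.vontu.enforce.nonproxy.hosts=40.40.40.40|forty.com
some.unrelated.property=value
"""


def parse_nonproxy_hosts(properties_text: str) -> set[str]:
    """Return the safelisted entries, as literal strings, from properties text.

    Only the simple 'key=value' form of a Java properties file is handled;
    '#' and '!' comment lines are skipped. Entries are lower-cased because
    hostnames are case-insensitive; IP addresses are unaffected.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return {h.strip().lower() for h in value.split("|") if h.strip()}
    return set()


def bypasses_proxy(destination: str, safelist: set[str]) -> bool:
    """True only if the destination, exactly as the Enforce Server names it,
    appears in the safelist. Like the product, this resolves nothing: a host
    listed only by IP address is not matched when addressed by hostname."""
    return destination.strip().lower() in safelist


def missing_counterparts(safelist: set[str], hosts: dict[str, str]) -> list[str]:
    """Report hosts that are listed in only one of their two forms.

    hosts maps hostname -> IP address and is supplied by the administrator
    (constructed input here; nothing is resolved). Because the safelist does
    no DNS resolution, a host must appear under both forms to bypass the
    proxy regardless of how a connection names it.
    """
    gaps = []
    for name, ip in hosts.items():
        has_name = name.lower() in safelist
        has_ip = ip in safelist
        if has_name and not has_ip:
            gaps.append(ip)
        elif has_ip and not has_name:
            gaps.append(name)
    return gaps
```

Run it against the real Manager.properties by passing the file's contents to parse_nonproxy_hosts; the entries that missing_counterparts returns are the ones to append, separated by "|", to the property value.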
Table 337: Server and detector statuses
Running Selected: Some Symantec Data Loss Prevention processes on the server are stopped or have errors. To see the
statuses of individual processes, you must first enable Advanced Process Control on the System Settings screen (see
Enabling Advanced Process Control).
Connected: The Network Discover Cluster is connected; the data node is able to establish the connection with the Monitor
Controller.
Stopping: The server is in the process of stopping Symantec Data Loss Prevention services (see Symantec Data Loss
Prevention Services).
Stopped: All Symantec Data Loss Prevention processes are stopped.
For each server and cluster, the following additional information appears. You can also click any server name to display
the Server/Detector Detail screen for that server, or any cluster name to display the Network Discover Cluster Details
screen for that cluster.
Messages (Last 10 sec): The number of messages processed in the last 10 seconds.
Messages (Today): The number of messages processed since 12:00 AM today.
Incidents (Today): The number of incidents processed since 12:00 AM today. For Endpoint Servers, the Messages and
Incidents counts are not aligned, because messages are processed at the endpoint and not at the Endpoint Server. The
incident count still increases.
Incident Queue: For the Enforce Server, this is the number of incidents that are in the database but do not yet have an
assigned status. This number is updated whenever this screen is generated. For the other types of servers, this is the
number of incidents that have not yet been written to the Enforce Server. This number is updated approximately every 30
seconds. If the server is shut down, this number is the last number updated by the server; the incidents are presumably
still in the incidents folder.
Message Wait Time: The amount of time it takes to process a message after it enters the system. This data applies to the
last message processed. If the server that processed the last message is disconnected, this is N/A.
2. Click the red X for that server or cluster, and then confirm your decision.
NOTE
Removing (de-registering) a server only disconnects it from this Enforce Server, it does not stop the detection
server from operating.
Type: The yellow triangle indicates a warning; the red octagon indicates an error.
Time: The date and time when the event occurred.
Server: The name of the server on which the event occurred.
Host: The IP address or name of the machine where the server resides. The server and host names may be the same.
Code: The system event code. The Message column provides the code text. Event lists can be filtered by code number.
Message: A summary of the error or warning message that is associated with this event code.
• To display a list of all error and warning events, click Show all.
• To display the Event Detail screen for additional information about a particular event, click that event.
Table 340: Server Detail screen display information
General: The General section identifies the server, displays system status and statistics, and provides controls for
starting and stopping the server and its processes (see Server controls).
Configuration: The Configuration section displays the Channels, Policy Groups, Agent Configuration, User Device, and
Configuration Status for the detection server.
All Agents: The All Agents section displays a summary of all agents that are assigned to an Endpoint Server. Click the
number next to an agent status to view agent details on the System > Agents > Overview > Summary Reports screen.
Note: The system displays this agent summary section only for an Endpoint Server.
Recent Error and Warning Events: The Recent Error and Warning Events section displays the five most recent Warning or
Severe events that have occurred on this server. Click an event to show event details. Click show all to display all
error and warning events (see About system events).
All Recent Events: The All Recent Events section displays all events of all severities that have occurred on this server
during the past 24 hours. Click an event to show event details. Click show all to display all detection server events.
Deployed Exact Data Profiles: The Deployed Exact Data Profiles section lists any Exact Data or Document Profiles you
have deployed to the detection server. The system displays the version of the index in the profile.
Click Server Settings on the System > Servers and Detectors > Overview > Server/Detector Detail screen to modify
the settings on that server.
Use caution when modifying these settings on a server. Contact Broadcom Support before changing any of the settings on
this screen. Changes to these settings normally do not take effect until after the server has been restarted.
You cannot change settings for the Enforce Server from the Server/Detector Detail screen. The Server/Detector Detail -
Advanced Settings screen only displays for detection servers and detectors.
NOTE
If you change advanced server settings to Endpoint Prevent Servers in a load-balanced environment, you must
apply the same changes to all Endpoint Prevent Servers in the load-balanced environment.
Setting / Default / Description
DiscoverCluster.ContentFetcherTimeoutInSeconds
Default: 1800
The time interval (in seconds) to fetch the content of an item. If the item cannot be downloaded within the specified
time and the allowed number of retry attempts to download the item is exceeded, it is reported as failed.
DiscoverCluster.ContainerFetcherTimeoutInSeconds
Default: 10800
The time interval (in seconds) to download the content of a PST item. If the item cannot be downloaded within the
specified time and the allowed number of retry attempts to download the item is exceeded, it is reported as failed.
EndpointCommunications.AllowLegacyAgentToConnect
Default: 0
Specifies whether DLP Agents earlier than version 16.0 are allowed to connect to Endpoint Prevent Servers that use a
custom truststore:
• 0 - Not allowed (Default)
• 1 - Allowed
EndpointCommunications.CertificateRevocationCheckProtocol
Default: CRL
The protocol used to verify the revocation status of custom endpoint certificates. Accepted values:
• None
• CRL (Default)
• OCSP
• OCSP+CRL
EndpointCommunications.ClientAuthSessionTimeoutInSeconds
Default: 86400
The time in seconds during which custom endpoint certificates are not subjected to revocation checks. During this
interval, the DLP Agent does not send the endpoint certificate to the Endpoint Prevent Server. Consequently, a
certificate revoked during this interval continues to be accepted until the interval expires and the next check runs;
shorten the interval if faster revocation is more important to you than the extra OCSP or CRL traffic.
EDM.HighlightAllMatchesInProximity
Default: false
If false (default), the system highlights the minimum number of matches, starting from the leftmost. For example, if
the EDM policy is configured to match 3 out of 8 column fields in the index, only the first 3 matches are highlighted
in the incident snapshot. If true, the system highlights all matches occurring in the proximity window, including
duplicates. For example, if the policy is configured to match 3 of 8 and there are 7 matches occurring within the
proximity window, the system highlights all 7 matches in the incident snapshot.
EDM.MatchCountVariant
Default: 3
Specifies how matches are counted.
• 1 - Counts the total number of token sets matched.
• 2 - Counts the number of unique token sets matched.
• 3 - Counts the number of unique super sets of token sets. (default)
Setting Default Description
UDS.DataNode.Detector.Debug
Default: Xrunjdwp:transport=dt_socket,address=5010,server=y,suspend=n
Specifies the debugger settings of the Detector Server Service on the data node. With this value the service, when the
debugger is enabled, listens for JDWP connections on TCP port 5010. JDWP is unauthenticated and allows arbitrary code
execution inside the JVM, so enable it only while troubleshooting and keep the port unreachable from untrusted networks.
UDS.DataNode.Detector.InitMemory
Default: 1024
Specifies the initial memory size of the Detector Server Service on the data node.
UDS.DataNode.Detector.MaxMemory
Default: 10240
Specifies the maximum memory size of the Detector Server Service on the data node.
UDS.DataNode.EnforceConnector.Debug
Default: Xrunjdwp:transport=dt_socket,address=5010,server=y,suspend=n
Specifies the debugger settings of the Enforce Connector Service on the data node. The same JDWP caution as for
UDS.DataNode.Detector.Debug applies.
UDS.DataNode.EnforceConnector.InitMemory
Default: 1200
Specifies the initial memory size of the Enforce Connector Service on the data node.
UDS.DataNode.EnforceConnector.MaxMemory
Default: 6144
Specifies the maximum memory size of the Enforce Connector Service on the data node.
UDS.Detector.LargeFile.InitMemory
Default: 0
Specifies the additional initial memory size that is required by the worker node for scanning large files. If the file
size is greater than 30 MB, this setting provides the extra initial memory that is required.
UDS.Detector.LargeFile.MaxMemory
Default: 0
Specifies the additional maximum memory size that is required by the worker node for scanning large files.
UDS.WorkerNode.Detector.Debug
Default: Xrunjdwp:transport=dt_socket,address=5010,server=y,suspend=n
Specifies the debugger settings of the Detector Server Service on the worker node. The same JDWP caution as for
UDS.DataNode.Detector.Debug applies.
UDS.WorkerNode.Detector.InitMemory
Default: 1200
Specifies the initial memory size of the Detector Server Service on the worker node.
UDS.WorkerNode.Detector.MaxMemory
Default: 8192
Specifies the maximum memory size of the Detector Server Service on the worker node.
UnicodeNormalizer.AsianCharRanges
Default: default
Can be used to override the default definition of characters that are considered Asian by the detection engine. Must be
either default, or a comma-separated list of ranges, for example: 11A80-11F9,3200-321E
UnicodeNormalizer.Enabled
Default: on
Can be used to disable Unicode normalization. Enter off to disable.
UnicodeNormalizer.NewlineEliminationEnabled
Default: on
Can be used to disable newline elimination for Asian languages. Enter off to disable.
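The UnicodeNormalizer.AsianCharRanges value format above ("default", or a comma-separated list of hexadecimal code point ranges such as 3200-321E) is easy to get subtly wrong in the Server Settings screen. The following Python is an added example, not from the Symantec DLP documentation or product, that parses a value in that format, rejects malformed or reversed ranges, and tests characters against the result. The function names and the sample ranges in the usage are this example's own and do not reproduce the detection engine's built-in default.

```python
"""Parse the UnicodeNormalizer.AsianCharRanges value format and test characters against it.

Added example, not part of the Symantec DLP documentation or product code.
Only the value format ("default" or HEX-HEX ranges separated by commas) is
taken from the setting's description; names and sample data are assumed.
"""
from __future__ import annotations

import re
from typing import Optional

_RANGE_RE = re.compile(r"^([0-9A-Fa-f]{1,6})-([0-9A-Fa-f]{1,6})$")


def parse_asian_char_ranges(value: str) -> Optional[list[tuple[int, int]]]:
    """Return None for "default", otherwise a sorted list of (low, high) code points.

    Raises ValueError for anything else, so that a typo in the advanced setting
    is caught before it silently changes what the engine treats as Asian text.
    """
    text = value.strip()
    if text.lower() == "default":
        return None
    ranges: list[tuple[int, int]] = []
    for part in text.split(","):
        part = part.strip()
        match = _RANGE_RE.match(part)
        if match is None:
            raise ValueError(f"malformed range {part!r}: expected HEX-HEX, e.g. 3200-321E")
        low, high = int(match.group(1), 16), int(match.group(2), 16)
        if low > high:
            raise ValueError(f"range {part!r} runs backwards")
        if high > 0x10FFFF:
            raise ValueError(f"range {part!r} lies beyond U+10FFFF")
        ranges.append((low, high))
    return sorted(ranges)


def is_asian_char(char: str, ranges: list[tuple[int, int]]) -> bool:
    """True if the single character lies inside any of the parsed ranges."""
    if len(char) != 1:
        raise ValueError("expected exactly one character")
    code_point = ord(char)
    return any(low <= code_point <= high for low, high in ranges)


def classify_text(text: str, ranges: list[tuple[int, int]]) -> dict[str, int]:
    """Count how many characters of text fall inside and outside the ranges."""
    inside = sum(1 for ch in text if is_asian_char(ch, ranges))
    return {"asian": inside, "other": len(text) - inside}


if __name__ == "__main__":
    # Constructed sample: Enclosed CJK Letters (part) and Hangul Syllables.
    sample = parse_asian_char_ranges("AC00-D7A3, 3200-321E")
    print(sample, classify_text("ab\uac00\uac01", sample))
```

Paste the exact string you intend to enter in the Server Settings screen into parse_asian_char_ranges before saving it; a ValueError tells you the engine would not receive the ranges you expect.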
flushed, a new SSL session is negotiated. Negotiating a new SSL session may cause the agent to connect to a different
monitor more frequently which may interfere with agent status updates on the Enforce Server.
Review the agent connection settings if the load balancer idle connection setting is not set to its default. Depending on
the load balancer brand, the idle connection setting may also be called the connection timeout interval, clean idle
connection, and so on.
You can assess your Symantec Data Loss Prevention and load balancer settings by considering the following two
scenarios:
• Default DLP settings. Default Symantec Data Loss Prevention settings scenario
• Non-default DLP settings. Non-default Symantec Data Loss Prevention settings scenario
NOTE
Contact Symantec Support before changing default advanced agent and advanced server settings.
Default Symantec Data Loss Prevention settings scenario
Description: Symantec Data Loss Prevention uses non-persistent connections by default. Using non-persistent
connections means that Endpoint Servers close connections to agents after agents are idle for 30 seconds.
Resolution: Consider how the agent idle timeout coincides with the load balancer close idle connection setting. If the
load balancer is configured to close idle connections after less than 30 seconds, agents are prematurely disconnected
from Endpoint Servers. To resolve the issue, complete one of the following:
• Change the agent idle timeout setting (EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int) to less than the
close idle connection setting on the load balancer.
• Change the agent heartbeat setting (EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int) to less
than the load balancer close idle connections setting. You must also increase the no traffic timeout setting
(CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int) to a value greater than the agent heartbeat setting.
Non-default Symantec Data Loss Prevention settings scenario
Description: Consider how changes to default Symantec Data Loss Prevention settings affect how the load balancer
handles idle and persistent agent connections. For example, if you change the idle timeout setting to 0 to create a
persistent connection and you leave the default agent heartbeat setting (270 seconds), you must consider the idle
connection setting on the load balancer. If the idle connection setting on the load balancer is less than 270 seconds,
then agents are prematurely disconnected from Endpoint Servers.
Resolution: To resolve the issue:
• Change the agent heartbeat (EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int) and no traffic
timeout (CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int) settings to less than the load balancer idle connection
setting.
• Verify that the no traffic timeout setting is greater than the heartbeat setting.
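The two scenarios above reduce to a handful of inequalities between the agent timers and the load balancer's idle-close timer. The following Python is an added example, not from the Symantec DLP documentation or product, that encodes those inequalities so a planned combination can be checked before it is applied. The defaults (30 second idle timeout, 270 second heartbeat, 0 meaning a persistent connection) come from the text above; the class and function names, and the decision that a missing no-traffic timeout is simply not checked, are this example's own assumptions.

```python
"""Check agent connection timers against a load balancer's idle-close timeout.

Added example, not part of the Symantec DLP documentation or product code.
The figures and the pass/fail rules follow the two scenarios described in the
documentation; the names below are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

DEFAULT_IDLE_TIMEOUT_S = 30   # EndpointCommunications.IDLE_TIMEOUT_IN_SECONDS.int (documented default)
DEFAULT_HEARTBEAT_S = 270     # EndpointCommunications.HEARTBEAT_INTERVAL_IN_SECONDS.int (documented default)


@dataclass(frozen=True)
class AgentCommSettings:
    """The advanced settings that interact with a load balancer's idle timer."""
    idle_timeout_s: int = DEFAULT_IDLE_TIMEOUT_S      # 0 means a persistent connection
    heartbeat_s: int = DEFAULT_HEARTBEAT_S
    no_traffic_timeout_s: Optional[int] = None        # CommLayer.NO_TRAFFIC_TIMEOUT_IN_SECONDS.int; None = not checked


def check_load_balancer_compat(settings: AgentCommSettings, lb_idle_close_s: int) -> list[str]:
    """Return the problems found; an empty list means the combination is safe.

    Non-persistent connections (idle_timeout_s > 0): safe if the Endpoint Server
    closes the idle connection before the load balancer would, or else if the
    heartbeat arrives before the load balancer's idle close and the no-traffic
    timeout outlasts the heartbeat.
    Persistent connections (idle_timeout_s == 0): only heartbeats keep the link
    alive, so heartbeat and no-traffic timeout must both be below the load
    balancer's idle close, and the no-traffic timeout must exceed the heartbeat.
    """
    problems: list[str] = []
    hb, ntt = settings.heartbeat_s, settings.no_traffic_timeout_s

    if settings.idle_timeout_s > 0:
        if settings.idle_timeout_s < lb_idle_close_s:
            return problems  # the Endpoint Server hangs up first; nothing is cut off mid-session
        if hb >= lb_idle_close_s:
            problems.append(
                f"agent idle timeout {settings.idle_timeout_s}s is not below the load balancer "
                f"idle close of {lb_idle_close_s}s, and the {hb}s heartbeat does not arrive before it"
            )
        if ntt is not None and ntt <= hb:
            problems.append(f"no-traffic timeout {ntt}s must exceed the {hb}s heartbeat")
        return problems

    if hb >= lb_idle_close_s:
        problems.append(f"heartbeat {hb}s must be below the load balancer idle close of {lb_idle_close_s}s")
    if ntt is not None:
        if ntt >= lb_idle_close_s:
            problems.append(f"no-traffic timeout {ntt}s must be below the load balancer idle close of {lb_idle_close_s}s")
        if ntt <= hb:
            problems.append(f"no-traffic timeout {ntt}s must exceed the {hb}s heartbeat")
    return problems


if __name__ == "__main__":
    # Default DLP settings behind a load balancer that closes idle connections after 20 s.
    for problem in check_load_balancer_compat(AgentCommSettings(), 20):
        print("problem:", problem)
```

Feed it the values you intend to set, together with the load balancer's idle-close figure (whatever that vendor calls it), and apply nothing until the list comes back empty.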
Endpoint Prevent Server Support For Deploying An NGINX Server As A Reverse
Proxy
Endpoint Prevent Servers support configuring an NGINX server as a reverse proxy to manage network traffic and perform
load balancing.
Endpoint Prevent Servers support only reverse proxies that are running in transparent mode. As a result, SSL and TLS
connections cannot be terminated on the reverse proxy.
Broadcom recommends that you implement measures to protect the NGINX reverse proxy server from DDoS attacks. For
more information, refer to the official NGINX documentation at
https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/.
Log files
Symantec Data Loss Prevention provides a number of different log files that record information about the behavior of the
software. Log files fall into these categories:
• Operational log files record detailed information about the tasks the software performs and any errors that occur while
the software performs those tasks. You can use the contents of operational log files to verify that the software functions
as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with
other components of your system.
For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a
specific MTA on your network.
Operational Log Files
• Debug log files record fine-grained technical details about the individual processes or software components that
comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing
system configuration errors or in verifying expected software functionality. You do not need to examine debug log files
to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to
provide debug log files for further analysis when you report a problem. Some debug log files are not created by default.
Symantec Support can explain how to configure the software to create the file if necessary.
Debug Log Files
• Installation log files record information about the Symantec Data Loss Prevention installation tasks that are performed
on a particular computer. You can use these log files to verify an installation or troubleshoot installation errors.
Installation log files reside in the following locations:
– installdir\SymantecDLP\.install4j\installation.log stores the installation log for Symantec Data Loss Prevention.
– installdir\oracle_home\admin\protect\ stores the installation log for Oracle.
The following list describes the Symantec Data Loss Prevention operational log files and the servers that write them.

detection_operational_trace_0.log (all detection servers)
    The detection trace log file provides details about each message that the detection server processes. The log file includes information such as:
    • The policies that were applied to the message
    • The policy rules that were matched in the message
    • The number of incidents the message generated.
machinelearning_training_operational_0.log (Enforce Server)
    This log records information about the tasks, logs, and configuration files called on startup of the VML training process.
manager_operational_0.log (Enforce Server)
    Logs information about the Symantec Data Loss Prevention manager process, which implements the Enforce Server administration console user interface.
monitorcontroller_operational_0.log (Enforce Server)
    Records a detailed log of the connections between the Enforce Server and all detection servers. It provides details about the information that is exchanged between these servers, including whether policies have been pushed to the detection servers or not.
SmtpPrevent_operational0.log (SMTP Prevent detection servers)
    This operational log file pertains to SMTP Prevent only. It is the primary log for tracking the health and activity of a Network Prevent for Email system. Examine this file for information about the communication between the MTAs and the detection server.
WebPrevent_Access0.log (Network Prevent for Web detection servers)
    This access log file contains information about the requests that are processed by Network Prevent for Web detection servers. It is similar to the web access logs of a proxy server.
WebPrevent_Operational0.log (Network Prevent for Web detection servers)
    This operational log file reports on the operating condition of Network Prevent for Web, such as whether the system is up or down and connection management.
Network Prevent for Web operational log files and event codes
Network Prevent for Web access log files and fields
Network Prevent for Email log levels
Network Prevent for Email operational log codes
Network Prevent for Email originated responses and codes
Debug Log Files
The Enforce Server and the detection servers store debug log files in the c:\ProgramData\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\16.0.10000\logs\ directory on Windows installations and in the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/16.0.10000/ directory on Linux installations. The number at the end of a log file name is the rotation index; the tables show the current file, 0.
The following table lists and describes the Symantec Data Loss Prevention debug log files.
MonitorController0.log (Enforce Server)
    This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives details about the information that is exchanged between these servers, including whether policies have been pushed to the detection servers or not.
PacketCapture.log (Network Monitor)
    This log file pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system processes.
PacketCapture0.log (Network Monitor)
    This log file describes issues with PacketCapture communications.
RequestProcessor0.log (SMTP Prevent detection servers)
    This log file pertains to SMTP Prevent only. It is primarily for use in cases where SmtpPrevent_operational0.log is not sufficient.
ScanDetail-target-0.log (Discover detection servers)
    target is the name of the scan target; all white space in the target's name is replaced with hyphens. This log file pertains to Discover server scanning. It is a file-by-file record of what happened in the scan. If the scan of a file is successful, the entry reads success, followed by the path, size, time, owner, and ACL information of the file scanned. If it failed, a warning appears followed by the file name.
tomcat\localhost.date.log (Enforce Server)
    These Tomcat log files contain information for any action that involves the user interface. The logs include the user interface errors from the red error message box, password failures when logging on, and Oracle errors (ORA-#).
SymantecDLPIncidentPersister.log (Enforce Server)
    This log file contains minimal information: stdout and stderr only (fatal events).
SymantecDLPManager.log (Enforce Server)
    This log file contains minimal information: stdout and stderr only (fatal events).
SymantecDLPMonitor.log (all detection servers)
    This log file contains minimal information: stdout and stderr only (fatal events).
SymantecDLPMonitorController.log (Enforce Server)
    This log file contains minimal information: stdout and stderr only (fatal events).
SymantecDLPNotifier.log (Enforce Server)
    This log file pertains to the Notifier service and its communications with the Enforce Server and the MonitorController service. Look at this file to see if the MonitorController service registered a policy change.
SymantecDLPUpdate.log (Enforce Server)
    This log file is populated when you update Symantec Data Loss Prevention.
Log collection and configuration screen
Use the System > Servers and Detectors > Logs screen to collect log files or to configure logging behavior for any
Symantec Data Loss Prevention server. The Logs screen contains two tabs that provide the following features:
• Collection—Use this tab to collect log files and configuration files from one or more Symantec Data Loss Prevention
servers.
Collecting server logs and configuration files
• Configuration—Use this tab to configure basic logging behavior for a Symantec Data Loss Prevention server, or to
apply a custom log configuration file to a server.
Configuring server logging behavior
About log files
Table 347: Preconfigured log settings for the Enforce Server

Select a Diagnostic Log Setting value, then its description:

Restore Defaults
    Restores log file parameters to their default values.
Custom Attribute Lookup Logging
    Logs diagnostic information each time the Enforce Server uses a lookup plug-in to populate custom attributes for an incident. Lookup plug-ins populate custom attribute data using LDAP, CSV files, or other data repositories. The diagnostic information is recorded in the IncidentPersister_0.log file and the Tomcat log file. The Tomcat log file is located at the following locations:
    • Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\tomcat\localhost.date.log
    • Linux: /var/log/Symantec/DataLossPrevention/EnforceServer/16.0.10000/logs/tomcat/localhost.date.log
Table 348: Preconfigured log settings for detection servers

Select a Diagnostic Log Setting value (the detection servers that use it), then its description:

Restore Defaults (all detection servers)
    Restores log file parameters to their default values.
Discover Trace Logging (Network Discover Servers)
    Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.
Detection Trace Logging (all detection servers)
    Logs information about each message that the detection server processes. This includes information such as:
    • The policies that were applied to the message
    • The policy rules that were matched in the message
    • The number of incidents that the message generated.
    When you enable Detection Trace Logging, the resulting messages are stored in the detection_operational_trace_0.log file.
    Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging only when you need to debug a specific problem.
Packet Capture Debug Logging (Network Monitor Servers)
    Enables basic debug logging for packet capture with Network Monitor. This setting logs information in the PacketCapture.log file.
    While this type of logging can produce a large amount of data, the Packet Capture Debug Logging setting limits the log file size to 50 MB and the maximum number of log files to 10.
    If you apply this log configuration setting to a server, you must restart the server process to enable the change.
Email Prevent Logging (Network Prevent for Email servers)
    Enables full message logging for Network Prevent for Email servers. This setting logs the complete message content and includes execution and error tracing information. Logged information is stored in the RequestProcessor0.log file.
    Note: Trace logging can produce a large amount of data, and the data is stored in clear text format. Use trace logging only when you need to debug a specific problem.
    Network Prevent for Email operational log codes
    Network Prevent for Email originated responses and codes
ICAP Prevent Message Processing Logging (Network Prevent for Web servers)
    Enables operational and access logging for Network Prevent for Web. This setting logs information in the FileReader0.log file.
    Network Prevent for Web operational log files and event codes
    Network Prevent for Web access log files and fields
Table 349: Preconfigured log settings for the Network Discover Cluster

Detection Trace Logging
    Enables informational logging for Network Discover scans. These log messages are stored in FileReader0.log.
    When you select Detection Trace Logging, the zip file containing the debug logs for the detection service is copied to the data node and all the worker nodes at the following location:
    C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\<product_version>\LoggingConfigurationOverwrite
    The following properties are used to enable trace logging:
    • com.symantec.dlp.clouddetectionserver.logging.Uni in UDSDetectorLogging.properties
    • UDSEnforceConnectorLogging.properties for the enforce connector process in the data node
Change the Log Configuration for a Symantec Data Loss Prevention Server
Follow this procedure to change the log configuration for a Symantec Data Loss Prevention server.
1. Click the Configuration tab if it is not already selected.
2. If you want to configure logging properties for a detection server, select the server name from the Select a Detection
Server menu.
3. If you want to apply preconfigured log settings to a server, select the configuration name from the Select a Diagnostic
Configuration menu next to the server you want to configure.
See Preconfigured log settings for the Enforce Server and Preconfigured log settings for detection servers for a
description of the diagnostic configurations.
4. To customize log configuration, do one of the following:
• If you instead want to use a customized log configuration file, click Choose File next to the server you want to configure. Then select the logging configuration file to use from the File Upload dialog, and click Open. You can upload only logging configuration files, not configuration files that affect other server features.
• For the Network Discover Cluster, you can customize the following files and upload them by clicking Choose File in the Log Configuration File section. The customized files are then downloaded to the data node and worker nodes, and logs are collected for the data node and worker nodes according to that customization:
– UDSDetectorLogging.properties
– UDSEnforceConnectorLogging.properties
NOTE
For the customization of the UDSEnforceConnectorLogging.properties file to take
effect, restart the Enforce Connector Service.
NOTE
If the Choose File button is unavailable because of a previous menu selection, click Clear Form.
5. Click Configure Logs to apply the preconfigured setting or custom log configuration file to the selected server.
6. Check for any system event warnings that indicate a problem in applying configuration changes on a server.
Location/Targets, then where the collected files are stored:

All Detection Servers, except Network Discover Cluster
    The Enforce Server administration console stores all log and configuration files that you collect in a single ZIP file on the Enforce Server computer. If you retrieve files from multiple Symantec Data Loss Prevention servers, each server's files are stored in a separate subdirectory of the ZIP file.
Network Discover Cluster
    For Network Discover Cluster log collection, when you select the Operational Logs, Debug and Trace Logs, or Configuration Files checkbox, the File Path and Credentials fields are displayed. Enter the file share path and credentials for a file share folder where you want to upload the cluster log files. You must have read and write permissions for this file share folder. The cluster logs are uploaded to this file share and are not stored on the Enforce Server. The data node and all the worker nodes in the cluster upload their logs to this file share. Because trace logs are written in clear text, limit access to this share to the accounts that need it.
Checkboxes on the Collection tab enable you to collect different types of files from the selected servers. The following list describes each type of file.

Operational Logs
    Operational log files record detailed information about the tasks the software performs and any errors that occur while the software performs those tasks. You can use the contents of operational log files to verify that the software functions as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with other components of your system.
    For example, you can use operational log files to verify that a Network Prevent for Email Server communicates with a specific MTA on your network.
Debug and Trace Logs
    Debug log files record fine-grained technical details about the individual processes or software components that comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing system configuration errors or in verifying expected software functionality. You do not need to examine debug log files to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to provide debug log files for further analysis when you report a problem. Some debug log files are not created by default. Symantec Support can explain how to configure the software to create the file if necessary.
Configuration Files
    Use the Configuration Files option to retrieve both logging configuration files and server feature configuration files.
    Logging configuration files define the overall level of logging detail that is recorded in server log files. Logging configuration files also determine whether specific features or subsystem events are recorded to log files.
    You can modify many common logging configuration properties by using the presets that are available on the Configuration tab.
    If you want to update a logging configuration file by hand, use the Configuration Files checkbox to download the configuration files for a server. You can modify individual logging properties using a text editor and then use the Configuration tab to upload the modified file to the server.
    Configuring server logging behavior
    The Configuration Files option retrieves the active logging configuration files and also any backup log configuration files that were created when you used the Configuration tab. This option also retrieves server feature configuration files. Server feature configuration files affect many different aspects of server behavior, such as the location of a syslog server or the communication settings of the server. You can collect these configuration files to help diagnose problems or verify server settings. However, you cannot use the Configuration tab to change server feature configuration files. You can only use the tab to change logging configuration files.
Agent Logs
    Use the Agent Logs option to collect DLP agent service and operational log files from an Endpoint Prevent detection server. This option is available only for Endpoint Prevent servers. To collect the DLP Agent logs, you must have already pulled the log files from individual agents to the Endpoint Prevent detection server using a Pull Logs action. Use the Agent List screen to select individual agents and pull selected log files to the Endpoint Prevent detection server. Then use the Agent Logs option on this page to collect the log files.
    When the logs are pulled from the endpoint, they are stored on the Endpoint Server in an unencrypted format. After you collect the logs from the Endpoint Server, the logs are deleted from the Endpoint Server and are stored only on the Enforce Server. You can only collect logs from one endpoint at a time.
Operational, debug, and trace log files are stored in the server_identifier/logs subdirectory of the ZIP file.
server_identifier identifies the server that generated the log files, and it corresponds to one of the following values:
• If you collect log files from the Enforce Server, Symantec Data Loss Prevention replaces server_identifier with the
string Enforce. Note that Symantec Data Loss Prevention does not use the localized name of the Enforce Server.
• If a detection server’s name includes only ASCII characters, Symantec Data Loss Prevention uses the detection server
name for the server_identifier value.
• If a detection server’s name contains non-ASCII characters, Symantec Data Loss Prevention uses the string
DetectionServer-ID-id_number for the server_identifier value. id_number is a unique identification number for
the detection server.
If you collect agent service log files or operational log files from an Endpoint Prevent server, the files are placed in the
server_identifier/agentlogs subdirectory. Each agent log file uses the individual agent name as the log file prefix.
Follow this procedure to collect log files and log configuration files from Symantec Data Loss Prevention servers.
To collect log files from one or more servers
1. Click the Collection tab if it is not already selected.
2. Use the Date Range menu to select a range of dates for the files you want to collect. Note that the collection process
does not truncate downloaded log files in any way. The date range limits collected files to those files that were last
updated in the specified range.
3. To collect log files from the Enforce Server, select one or more of the checkboxes next to the Enforce Server entry to
indicate the type of files you want to collect.
4. To collect log files from one or all detection servers, use the Select a Detection Server menu to select either the
name of a detection server or the Collect Logs from All Detection Servers option. Then select one or more of the
checkboxes next to the menu to indicate the type of files you want to collect.
5. Click Collect Logs to begin the log collection process.
• For the Enforce Server log collection, the administration console adds a new entry for the log collection process in
the Previous Log Collections list at the bottom of the screen. If you are retrieving many log files, you may need to
refresh the screen periodically to determine when the log collection process has completed.
• For Network Discover Cluster log collection, when the logs are successfully collected, the success message is
added in the Previous Log Collections list at the bottom of the screen. Navigate to the file share folder where the
cluster logs were uploaded. The file share folder has subfolders for each data node (DN) and worker node (WN),
that contain the logs for each of these nodes.
A system event is generated in case there is a failure for Network Discover Cluster log collection.
The default timeout interval for the log collection command is 30 minutes.
NOTE
You can run only one log collection process at a time.
6. To cancel an active log collection process, click Cancel next to the log collection entry. You may need to cancel log
collection if one or more servers are offline and the collection process cannot complete.
When you cancel the Enforce Server log collection, the ZIP file contains only those files that were successfully
collected.
7. To download the Enforce Server collected logs to your local computer, click Download next to the log collection entry.
The Download option is not available for Network Discover Cluster log collection.
8. For the Enforce Server collected logs, to remove ZIP files stored on the Enforce Server, click Delete next to a log
collection entry.
The Delete option is not available for Network Discover Cluster log collection.
• Network Prevent for Web operational log files and event codes
• Network Prevent for Email operational log codes
• Network Prevent for Email originated responses and codes
Network Prevent for Web Operational Log Files and Event Codes
Network Prevent for Web log file names use the format WebPrevent_OperationalX.log (where X is a number). The number of files that are stored and their sizes can be specified by changing the values in the FileReaderLogging.properties file. This file is in the c:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config (Linux) directory. By default, the values are:
• com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
• com.vontu.icap.log.IcapOperationalLogHandler.count = 5
That is, limit is the maximum size of one log file in bytes and count is the number of rotated files kept, so the defaults retain about 25 MB of operational history in total.
Status codes for Network Prevent for Web operational logs lists the Network Prevent for Web-defined operational logging codes by category. The parameters in the event text (italicized in the original table) vary per event.
Table 352: Status codes for Network Prevent for Web operational logs

Code    Text and Description
Operational Events
1100    Starting Network Prevent for Web
Connectivity Events

client_port action_code icap_method_code traffic_source_code
Network Prevent for Web access log fields lists the fields. The values of fields that are enclosed in quotes in this example are quoted in an actual message. If field values cannot be determined, the message displays - or "" as a default value.

Field   Explanation
Network Prevent for Web protocol debug log files
To enable ICAP trace logging, set the Icap.EnableTrace advanced setting to true and use the Icap.TraceFolder advanced setting to specify a directory to receive the traces. The Symantec Data Loss Prevention service must be restarted for this change to take effect.
Trace files that are placed in the specified directory have file names in the format timestamp-conn_id. The first line of a trace file gives the connecting host IP and port along with a timestamp. Data that is read from the socket is shown in the format <<timestamp number_of_bytes_read, and data that is written to the socket in the format >>timestamp number_of_bytes_written. The last line should note that the connection has been closed.
NOTE
Trace logging produces a large amount of data and therefore requires a large amount of free disk storage space. Trace logging should be used only for debugging an issue because the data that is written in the file is in clear text: it is the inspected ICAP traffic itself, so restrict access to the trace directory and delete the trace files once the investigation is complete.
About log files
Network Prevent for Email log levels

Level    Guidelines
INFO     General events: connect and disconnect notices, information on the messages that are processed per connection.
FINE     Some additional execution tracing information.
FINER    Envelope command streams, message headers, detection results.
FINEST   Complete message content, deepest execution tracing, and error tracing.
Table 355: Status codes for Network Prevent for Email operational log

Code    Description
Core Events
1100    Starting Network Prevent for Email
Connectivity Errors
5200    Connection is rejected from the unauthorized host (tid=id local=hostname:port remote=hostname:port)
Message Events
1300    Message complete (cid=N message_id=3 dlp_id=message_identifier size=number sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N)
        Where:
        • recipient_count is the total number of addressees in the To, CC, and BCC fields.
        • response is the Network Prevent for Email response, which can be one of: PASS, BLOCK, BLOCK_AND_REDIRECT, REDIRECT, MODIFY, or ERROR.
        • statuscode is an Enhanced Status code (see Network Prevent for Email originated responses and codes).
        • rtime is the time in seconds for Network Prevent for Email to fully receive the message from the sending MTA.
        • dtime is the time in seconds for Network Prevent for Email to perform detection on the message.
        • mtime is the total time in seconds for Network Prevent for Email to process the message.
Message Errors
Network Prevent for Email originated responses and codes

Each response is listed as SMTP code (enhanced status) "text", followed by its description.

250 (2.0.0) "Ok: Carry on."
    Success code that Network Prevent for Email uses.
221 (2.0.0) "Service closing."
    The normal connection termination code that Network Prevent for Email generates if a QUIT request is received when no forward MTA connection is active.
451 (4.3.0) "Error: Processing error."
    This "general, transient" error response is issued when a (potentially) recoverable error condition arises and a more specific error response is not available. Forward connections are sometimes closed, and their unexpected termination is occasionally a cause of a code 451, status 4.3.0. However, sending connections should remain open when such a condition arises unless the sending MTA chooses to terminate.
421 (4.3.0) "Fatal: Processing error. Closing connection."
    This "general, terminal" error response is issued when a fatal, unrecoverable error condition arises. This error results in the immediate termination of any sender or receiver connections.
421 (4.4.1) "Fatal: Forwarding agent unavailable."
    An attempt to connect to the forward MTA was refused or otherwise failed to establish properly.
421 (4.4.2) "Fatal: Connection lost to forwarding agent."
    Closing connection. The forward MTA connection is lost in a state where further conversation with the sending MTA is not possible. The loss usually occurs in the middle of message header or body buffering. The connection is terminated immediately.
451 (4.4.2) "Error: Connection lost to forwarding agent."
    The forward MTA connection was lost in a state that may be recoverable if the connection can be re-established. The sending MTA connection is maintained unless it chooses to terminate.
421 (4.4.7) "Error: Request timeout exceeded."
    The last command issued did not receive a response within the time window that is defined in RequestProcessor.DefaultCommandTimeout. (The time window may come from RequestProcessor.DotCommandTimeout if the command issued was the ".".) The connection is closed immediately.
421 (4.4.7) "Error: Connection timeout exceeded."
    The connection was idle (no commands actively awaiting response) in excess of the time window that is defined in RequestProcessor.DefaultCommandTimeout.
501 (5.5.2) "Fatal: Invalid transmission request."
    A fatal violation of the SMTP protocol (or the constraints that are placed on it) occurred. The violation is not expected to change on a resubmitted message attempt. This message is only issued in response to a single command or data line that exceeds the boundaries that are defined in RequestProcessor.MaxLineSize.
502 (5.5.1) "Error: Unrecognized command."
    Defined but not currently used.
550 (5.7.1) User supplied.
    This combination of code and status indicates that a Blocking response rule has been engaged. The text that is returned is supplied as part of the response rule definition.

Note that a 4xx code and a 4.x.x enhanced status indicate a temporary error. In such cases the MTA can resubmit the message to the Network Prevent for Email Server. A 5xx code and a 5.x.x enhanced status indicate a permanent error. In such cases the MTA should treat the message as undeliverable.
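As an added example (not part of the Symantec documentation or product), the following Python script parses the 1300 and 5200 events described in Table 355 and applies the 4.x.x versus 5.x.x rule from the note above to each message's estatus, so that blocked mail, transient failures, slow detections and rejected MTA connections can be counted from an SmtpPrevent_operational0.log. The event codes, their text and the key=value fields are taken from the tables; the timestamp and level prefix on each line, the 30-second slow-detection threshold and every value in SAMPLE_LINES are constructed assumptions.

```python
"""Summarise Network Prevent for Email operational log events.

Added example, not Symantec code. Event codes, texts and key=value fields
follow Table 355 and the enhanced-status note; the "date time LEVEL" prefix
and all sample values are constructed.
"""
import json
import re
from collections import Counter

# A four-digit event code, its text, and an optional "(key=value ...)" list.
_EVENT = re.compile(
    r"\b(?P<code>\d{4})\s+(?P<text>[^(]*?)(?:\s*\((?P<fields>[^)]*)\))?\s*$"
)
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines; the prefix layout is an assumption.
SAMPLE_LINES = [
    "2024-03-03 10:15:02 INFO 1100 Starting Network Prevent for Email",
    "2024-03-03 10:15:40 INFO 1300 Message complete (cid=12 message_id=3 "
    "dlp_id=a1f3 size=48213 sender=alice@example.com recipient_count=2 "
    "disposition=PASS estatus=2.0.0 rtime=0 dtime=1 mtime=1)",
    "2024-03-03 10:16:05 INFO 1300 Message complete (cid=13 message_id=3 "
    "dlp_id=b7c0 size=9120388 sender=bob@example.com recipient_count=40 "
    "disposition=BLOCK estatus=5.7.1 rtime=3 dtime=45 mtime=48)",
    "2024-03-03 10:16:09 INFO 1300 Message complete (cid=14 message_id=3 "
    "dlp_id=c2d9 size=2231 sender=carol@example.com recipient_count=1 "
    "disposition=ERROR estatus=4.3.0 rtime=0 dtime=0 mtime=2)",
    "2024-03-03 10:17:30 WARNING 5200 Connection is rejected from the "
    "unauthorized host (tid=7 local=10.0.0.5:10025 remote=203.0.113.9:51234)",
]


def parse_event(line):
    """Return {"code", "text", "fields"} for an operational event line,
    or None when the line carries no four-digit event code."""
    m = _EVENT.search(line)
    if m is None:
        return None
    return {
        "code": int(m.group("code")),
        "text": m.group("text").strip(),
        "fields": dict(_KV.findall(m.group("fields") or "")),
    }


def classify_status(estatus):
    """Apply the 4.x.x / 5.x.x rule: what the sending MTA is expected to do."""
    if estatus.startswith("2."):
        return "success"
    if estatus.startswith("4."):
        return "transient"   # the MTA can resubmit the message
    if estatus.startswith("5."):
        return "permanent"   # the MTA should treat the message as undeliverable
    return "unknown"


def summarize(lines, slow_detection_seconds=30):
    """Aggregate 1300 and 5200 events into counters and findings."""
    dispositions, status_classes = Counter(), Counter()
    slow, unauthorized = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = ev["fields"]
        if ev["code"] == 1300:
            dispositions[f.get("disposition", "?")] += 1
            status_classes[classify_status(f.get("estatus", ""))] += 1
            if int(f.get("dtime", "0")) > slow_detection_seconds:
                slow.append(f.get("dlp_id"))        # detection took too long
        elif ev["code"] == 5200:
            unauthorized.append(f.get("remote"))  # host not authorized to connect
    return {
        "dispositions": dict(dispositions),
        "status_classes": dict(status_classes),
        "slow": slow,
        "unauthorized": unauthorized,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Feed the script the lines of a real SmtpPrevent_operational0.log to get the same summary; the 5200 entries are the ones to review first, since each is an MTA the detection server refused to talk to.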
About log files
Table 357: Symantec Data Loss Prevention utilities describes how and when to use each utility.

DBPasswordChanger
    Changes the encrypted password that the Enforce Server uses to connect to the Oracle database.
sslkeytool
    Generates custom authentication keys to improve the security of the data that is transmitted between the Enforce Server and detection servers. The custom authentication keys must be copied to each Symantec Data Loss Prevention server.
    See About the sslkeytool utility and server certificates.
SQL Preindexer
    Indexes an SQL database or runs an SQL query on specific data tables within the database. This utility is designed to pipe its output directly to the Remote EDM Indexer utility.
Remote EDM Indexer
    Converts a comma-separated or tab-delimited data file into an exact data matching index. The utility can be run on a remote machine to provide the same indexing functionality that is available locally on the Enforce Server.
    This utility is often used with the SQL Preindexer. The SQL Preindexer can run an SQL query and pass the resulting data directly to the Remote EDM Indexer to create an EDM index.
Service_Shutdown.exe
    This utility enables an administrator to turn off both the agent and the watchdog services on an endpoint. (As a tamper-proofing measure, it is not possible for a user to stop either the agent or the watchdog service.)
Vontu_sqlite3.exe
    This utility provides an SQL interface that enables you to view or modify the encrypted database files that the Symantec DLP Agent uses. Use this tool when you want to investigate or make changes to the Symantec Data Loss Prevention files.
Logdump.exe
    This tool lets you view the Symantec DLP Agent extended log files, which are hidden for security reasons.
Start_agent
    This utility enables an administrator to start agents running on Mac endpoints that have been shut down using the shutdown task.
DBPasswordChanger
Symantec Data Loss Prevention stores encrypted passwords to the Oracle database in a file that is called
DatabasePassword.properties.
Locate DatabasePassword.properties in C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (Linux).
Because the contents of the file are encrypted, you cannot directly modify the file. Use the DBPasswordChanger utility to
change the stored Oracle database passwords that the Enforce Server uses.
Complete the following before you use DBPasswordChanger to change the password to the Oracle database:
• Shut down the Enforce Server.
• Change the Oracle database password using Oracle utilities.
Related Links
Example of using DBPasswordChanger on page 787
DBPasswordChanger Syntax
The DBPasswordChanger utility uses the following syntax:
DBPasswordChanger password_file new_oracle_password
All command-line parameters are required. The following table describes each command-line parameter.

password_file
    Specifies the file that contains the encrypted password. By default, this file is named DatabasePassword.properties and is stored in C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config (Linux).
new_oracle_password
    Specifies the new Oracle password to encrypt and store.

Because new_oracle_password is passed as a command-line argument, it is recorded in the shell history and is visible in process listings while the utility runs. Run the utility from a session that does not keep history, or remove the entry afterwards.
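The following Python wrapper is an added example, not the DBPasswordChanger utility itself or any Symantec code. It assumes only the syntax documented above; it takes a backup of DatabasePassword.properties with owner-only permissions before the change, reads the new password without echo instead of having it typed on the shell command line, and confirms afterwards that the stored file actually changed. The path of the utility on your server, the confirmation prompt, the placeholder file content and the stand-in used by demo() are assumptions; stopping the Enforce Server and changing the password in Oracle first remain manual steps.

```python
"""Run DBPasswordChanger with the safeguards an operator wants around it.

Added example, not Symantec code. Only the documented syntax
(DBPasswordChanger password_file new_oracle_password) is assumed; the
utility's location and the stand-in in demo() are placeholders.
"""
import getpass
import os
import shutil
import subprocess
import sys
import tempfile
import time


def backup_password_file(password_file):
    """Copy the encrypted password file beside itself with a timestamped
    .bak suffix and owner-only permissions; return the backup path."""
    if not os.path.isfile(password_file):
        raise FileNotFoundError(password_file)
    backup = "%s.%s.bak" % (password_file, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(password_file, backup)
    os.chmod(backup, 0o600)
    return backup


def change_db_password(tool, password_file, new_password, run=subprocess.run):
    """Back up the file, invoke the utility, and report whether the stored
    (encrypted) password actually changed. `run` is injectable so the flow
    can be exercised without the real utility."""
    if not new_password:
        raise ValueError("new_oracle_password is required")
    backup = backup_password_file(password_file)
    with open(password_file, "rb") as fh:
        before = fh.read()
    # The utility requires the password as an argv element; this wrapper
    # never writes it anywhere else.
    completed = run([tool, password_file, new_password],
                    capture_output=True, text=True)
    with open(password_file, "rb") as fh:
        after = fh.read()
    return {
        "backup": backup,
        "returncode": completed.returncode,
        "file_changed": before != after,
        "stderr": (completed.stderr or "").strip(),
    }


def demo():
    """Exercise the flow on a constructed file with a stand-in for the
    utility that merely rewrites the file; no Enforce Server or Oracle."""
    def stand_in(argv, **kwargs):
        _tool, path, new_pw = argv
        with open(path, "w") as fh:
            fh.write("password=STANDIN(%d chars)\n" % len(new_pw))  # not encryption
        return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")

    with tempfile.TemporaryDirectory() as work:
        pf = os.path.join(work, "DatabasePassword.properties")
        with open(pf, "w") as fh:
            fh.write("password=ENCRYPTED_PLACEHOLDER\n")   # constructed content
        result = change_db_password("DBPasswordChanger", pf, "n3w-Pa55w0rd",
                                    run=stand_in)
        result["backup_exists"] = os.path.isfile(result["backup"])
        return result


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: %s /path/to/DBPasswordChanger "
              "/path/to/DatabasePassword.properties" % sys.argv[0])
        sys.exit(2)
    prompt = "Enforce Server stopped and Oracle password already changed? [y/N] "
    if input(prompt).strip().lower() != "y":
        sys.exit(1)
    outcome = change_db_password(sys.argv[1], sys.argv[2],
                                 getpass.getpass("New Oracle password: "))
    print(outcome)
```

If file_changed comes back False with a zero return code, inspect stderr and the backup before starting the Enforce Server again; the backup is the only copy of the previous encrypted value.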
DBPasswordChanger syntax
• The content inspection value indicates the maximum allowed size of the original file or message that is to be inspected.
• The largest content inspection size is 2 GB. This limitation applies to container type files (for example, zip, docx, and
so on).
However, the largest text extraction size for the files (and sub-files from a container) can only be 1 GB. For example,
we can still take a 2 GB zip file for extraction, but within that zip file if there are text files that are greater than 1 GB,
these files are not extracted.
• The largest non-container file (or sub-file) for text extraction is 1 GB.
• Each slider position sets the ContentExtraction.MaxContentSize setting. This setting indicates the buffer
needed to hold all the extracted data, including sub-files and their extracted text.
• If the extracted data buffer exceeds 2 GB, no further data is extracted. Detection is then performed only on the content already in the buffer; content beyond that point is not inspected.
• The maximum value for the ContentExtraction.MaxContentSize setting is 2 GB, which is same as the
maximum file size.
• The extracted data buffer stores extracted text in UTF-16 regardless of what the source document was stored in.
There are different content inspection file size limits for different channels. Channel-specific content inspection file size
limits lists the different channels that Symantec has tested and the corresponding supported file size limits.
Increasing the maximum inspection size limit for files means that larger files are inspected. Inspection of larger files takes
longer and requires more memory for the inspection to complete. Also, timeout limits increase, so the detection engine
takes longer to timeout in the case of detection failures.
Depending on the content inspection size you choose, certain advanced settings are automatically adjusted. The
Inspection Content Size feature only shows the inspection size options that you can enable based on your existing system
memory.
NOTE
To complete the update, you must restart the service after you have increased the maximum inspection size limit
using the slider or edited any properties files.
Whether you can increase the maximum inspection size limit, and the default state of the slider, depend on several factors:
• For a new detection server, the slider is disabled by default and the box is not checked.
• For a new Agent, the slider is enabled at 30 MB by default and the box is checked.
• Memory limits on the server are different from memory limits on the agent.
• You cannot use the slider to increase the maximum inspection size limit if the detection server is not connected to an Enforce Server.
NOTE
The maximum inspection size limit for the DLP cloud services is not customer-configurable. These limits are
enumerated in the Service Description for the DLP cloud services. This feature is only available for detection
servers, appliances, and the DLP Agent.
To customize the inspection content size
1. Go to System > Servers and Detectors > Configure a Server for detection servers or System > Agents > Agent
Configuration > Settings for DLP Agents.
2. Click the Detection tab for detection servers or go to the Setting section for DLP Agents.
3. Click Customize settings, under Inspection Content Size.
Move the slider to the size you want. The values that follow are examples only; you see only the options that can be
enabled based on your system memory.
• 30 MB, 50 MB, 100 MB, or 150 MB for DLP Agents
• 30 MB, 100 MB, 150 MB, 500 MB, or 2 GB for detection servers and appliances
When you select a new size, Symantec Data Loss Prevention automatically updates Advanced Server or Advanced
Agent settings to implement your selection. If your settings are different from the preferred and recommended settings,
a link to Preview updated settings appears.
4. Click Preview updated settings to see the Advanced Setting Name, Current Value, and Preferred Value.
5. For the detection servers only, if you need to change properties file settings, a Tuning Guidelines link appears. You
can click the link and review the tuning guidelines per your requirements. See Related Documents. You do not need to
edit properties files for the DLP Agent.
6. Restart the service. To complete the update, you must restart the service after you have adjusted the maximum
inspection size limit using the slider or edited any properties files.
Table 361: System Events for changes in Advanced Settings for larger files.
System event code Description/Message Server or Agent
If you choose a setting of 500 MB or greater on the detection server, Symantec recommends that you enable external
storage for incident attachments (blob externalization). To enable external storage for incident attachments during
installation or upgrade, see "External storage for incident attachments,” in the Symantec Data Loss Prevention Installation
Guide and Symantec Data Loss Prevention Upgrade Guide.
To enable external storage for incident attachments after installation or upgrade, see "About the incident attachment
external storage directory" in the Symantec Data Loss Prevention System Maintenance Guide.
Related Documents
Table 362: Minimum System Memory Required for File Sizes and Corresponding Number of Chains
30 MB 6 GB 7 GB 8 GB 16 GB
100 MB 16 GB 20 GB 24 GB 44 GB
150 MB 24 GB 30 GB 36 GB 72 GB
500 MB 54 GB 64 GB 74 GB 148 GB
2 GB 130 GB 178 GB 226 GB 452 GB
As the table indicates, the amount of extra system memory that is required for every two extra message chains varies
according to the file size:
• 1-GB RAM for a 30-MB file
• 4-GB RAM for a 100-MB file
• 6-GB RAM for a 150-MB file
• 10-GB RAM for a 500-MB file
• 48-GB RAM for a 2-GB file
NOTE
The guidelines in Minimum system memory required for file sizes and corresponding number of chains may not
work for detection servers with profiles or indexes.
See The Effect of Scale on System Requirements.
Refer to General performance tuning recommendations for detection servers for more information on how to configure the
appropriate number of message chains.
Table 363: General Performance Tuning Recommendations for Detection Servers
About Data Loss Prevention Policy Authoring
Use Symantec Data Loss Prevention policy authoring features to detect and prevent data loss. DLP provides seven key
features that enable you to create policies that protect your organization from data loss.
You implement policies to detect and prevent data loss. A Symantec Data Loss Prevention policy combines detection
rules and response actions. If a policy rule is violated, the system generates an incident that you can report and act
on. The policy rules that you implement are based on your information security objectives. The actions that you take in
response to policy violations are based on your compliance requirements. The Enforce Server administration console
provides an intuitive, centralized, web-based interface for authoring policies.
Workflow for implementing policies
Policy authoring features describes the policy authoring features that are provided by Symantec Data Loss Prevention.
Feature                               Description
Intuitive policy building             The policy builder interface supports Boolean logic for the detection configuration.
                                      You can combine different detection methods and technologies in a single policy.
                                      Detecting data loss
                                      Best practices for authoring policies
Decoupled response rules              The system stores response rules and policies as separate entities.
                                      You can manage and update response rules without having to change policies; you can reuse response rules across policies.
Fine-grained policy reporting         The system provides severity levels for policy violations.
                                      You can report the overall severity of a policy violation by the highest severity.
                                      Policy severity
Centralized data and group profiling  The system stores data and group profiles separate from policies.
                                      This separation enables you to manage and update profiles without changing policies.
                                      Data Profiles
                                      User Groups
Template-based policy detection       The system provides 65 pre-built policy templates.
                                      You can use these templates to quickly configure and deploy policies.
                                      Policy templates
Policy sharing                        The system supports policy template import and export.
                                      You can share policy templates across environments and systems.
                                      Policy template import and export
Role-based access control             The system provides role-based access control for various user and administrative functions.
                                      You can create roles for policy authoring, policy administration, and response rule authoring.
                                      Policy authoring privileges
Using the Update Readiness Tool
When you upgrade from DLP 16.0 to 16.0.1 using the Update Readiness Tool (URT), policies and data identifiers (DIs)
that contain non-BMP characters are logged verbosely and the update fails. Use the upgrade logs to identify which
policies and data identifiers contain non-BMP characters.
Remove the characters and then rerun the URT. Consult the following topics to learn more about non-BMP characters
and the update process.
Finding Non-BMP Unicode Characters in Policies
Running the Update Readiness Tool at the Command Line
Detection Resiliency
During detection, Symantec DLP now handles non-BMP characters in several ways.
• Non-BMP characters in the content that DLP scans are replaced by the Unicode Replacement Character (U+FFFD) before
scanning.
• Condition matches are detected with a consistent and correct offset or span across all platforms.
• For Conditions that allow partial string matching, you can match strings containing non-BMP Unicode points. For
example, the regular expression "sensitive.*" matches "sensitive#file" and the highlight is shown as "sensitive��file".
Policy Authoring
The Enforce user interface restricts you from entering non-BMP Unicode characters into relevant fields that are used for
message scanning for detection. Non-BMP characters are flagged when you try to Save. An error message identifies
fields containing non-BMP Unicode characters, so that you can remove them.
Incident Snapshots
In Incident Snapshots, non-BMP characters in the extracted content of a file are shown as Unicode replacement
characters (U+FFFD, displayed as ��).
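The replacement and matching behaviour described above, reproduced as an added Python example that is not part of Symantec's documentation or product. It treats text the way an engine holding UTF-16 does: the page's highlight "sensitive��file" shows two replacement characters for one non-BMP character, which is what replacing each UTF-16 code unit of a surrogate pair produces, and the example takes that as the rule. The function names, the sample messages and the sample policy fields are constructed here; the page's example puts some non-BMP character between "sensitive" and "file", and U+1F512 LOCK plays that role below.

```python
"""Non-BMP characters in scanned text, as an engine holding UTF-16 sees them.

Added example (not from the Symantec documentation). Function names, the
sample messages and the sample policy fields are constructed here.
"""
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

REPLACEMENT = "\ufffd"  # U+FFFD REPLACEMENT CHARACTER

# (code point offset, UTF-16 code unit offset, character, Unicode name)
NonBmpHit = Tuple[int, int, str, str]


def is_non_bmp(ch: str) -> bool:
    """True for code points outside the Basic Multilingual Plane (above
    U+FFFF). These occupy two UTF-16 code units (a surrogate pair)."""
    return ord(ch) > 0xFFFF


def find_non_bmp(text: str) -> List[NonBmpHit]:
    """Locate every non-BMP character in text.

    Returns both the code point offset (what Python reports) and the UTF-16
    code unit offset (what a Java-based engine reports). They diverge by one
    for every non-BMP character already passed, which is why a span computed
    on one representation is wrong when applied to the other.
    """
    hits: List[NonBmpHit] = []
    utf16 = 0
    for i, ch in enumerate(text):
        if is_non_bmp(ch):
            hits.append((i, utf16, ch, unicodedata.name(ch, "<unnamed>")))
        utf16 += 2 if is_non_bmp(ch) else 1
    return hits


def replace_non_bmp_utf16(text: str) -> str:
    """Replace each non-BMP character with two U+FFFD characters, one per
    UTF-16 code unit. After this step the Python index of any character equals
    its UTF-16 offset in the original text, so spans line up."""
    return "".join(REPLACEMENT * 2 if is_non_bmp(ch) else ch for ch in text)


def scan(pattern: str, message: str) -> Tuple[bool, str, Optional[int]]:
    """Apply a regular-expression condition after the replacement step.

    Returns (matched, highlight, start), where start is the UTF-16 offset of
    the match in the original message (see replace_non_bmp_utf16)."""
    m = re.search(pattern, replace_non_bmp_utf16(message))
    if m is None:
        return (False, "", None)
    return (True, m.group(0), m.start())


def check_policy_fields(fields: Dict[str, str]) -> Dict[str, List[NonBmpHit]]:
    """Pre-save check for policy fields: return only the fields that contain
    non-BMP characters, with positions, so the author can remove them before
    the Enforce console rejects the policy on Save."""
    bad: Dict[str, List[NonBmpHit]] = {}
    for name, value in fields.items():
        hits = find_non_bmp(value)
        if hits:
            bad[name] = hits
    return bad


if __name__ == "__main__":
    message = "sensitive\U0001F512file"  # constructed sample message
    print(find_non_bmp(message))
    print(scan("sensitive.*", message))   # partial match still succeeds
    print(scan("sensitivefile", message)) # an exact literal no longer does
    print(check_policy_fields({          # constructed sample policy fields
        "Keyword list": "confidential, sensitive",
        "Policy name": "Test \U0001F512",
    }))
```

Two points the run makes visible: a partial match such as "sensitive.*" still fires on the sanitized text while an exact literal spanning the replaced character does not, so a non-BMP character dropped into the middle of a keyword is a cheap way to defeat a literal keyword; and the UTF-16 offsets returned by find_non_bmp are the ones to compare against spans that the engine reports.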
Policy components
A valid policy has at least one detection or group rule with at least one match condition. Response rules are optional
policy components.
Policy components describes Data Loss Prevention policy components.
Table 365: Policy components
Policy templates
Symantec Data Loss Prevention provides policy templates to help you quickly deploy detection policies in your enterprise.
You can share policies across systems and environments by importing and exporting policy rules and exceptions as
templates.
Using policy templates saves you time and helps you avoid errors and information gaps in your policies because the
detection methods are predefined. You can edit a template to create a policy that precisely suits your needs. You can also
export and import your own policy templates.
Some policy templates are based on well-known sets of regulations, such as the Payment Card Industry Security
Standard, Gramm-Leach-Bliley, California SB1386, and HIPAA. Other policy templates are more generic, such as
Customer Data Protection, Employee Data Protection, and Encrypted Data. Although the regulation-based templates can
help address the requirements of the relevant regulations, consult with your legal counsel to verify compliance.
Creating a policy from a template
System-defined policy templates describes the system-defined policy templates provided by Symantec Data Loss
Prevention.
Table 366: System-defined policy Templates
Solution packs
Symantec Data Loss Prevention provides solution packs for several industry verticals. A solution pack contains configured
policies, response rules, user roles, reports, protocols, and the incident statuses that support a particular industry or
organization. For a list of available solution packs and instructions, see Importing a solution pack. You can import only
one solution pack to an Enforce Server.
Once you have imported the solution pack, start by reviewing its policies. By default the solution pack activates the
policies it provides.
Manage and add policies
Policy groups
You deploy policies to detection servers using policy groups. Policy groups limit the policies, incidents, and detection
mechanisms that are accessible to specific users.
Each policy belongs to one policy group. When you configure a policy, you assign it to a policy group. You can change the
policy group assignment, but you cannot assign a policy to more than one policy group. You deploy policy groups to one
or more detection servers.
The Enforce Server is configured with a single policy group called the Default Policy Group. The system deploys the
default policy group to all detection servers. If you define a new policy, the system assigns the policy to the default policy
group, unless you create and specify a different policy group. You can change the name of the default policy group. A
solution pack creates several policy groups and assigns policies to them.
After you create a policy group, you can link policies, Discover targets, and roles to the policy group. When you create a
Discover target, you must associate it with a single policy group. When you associate a role with particular policy groups,
you can restrict users in that role. Policies in that policy group detect incidents and report them to users in the role that is
assigned to that policy group.
The relationship between policy groups and detection servers depends on the server type. You can deploy a policy group
to one or more Network Monitor, Network Prevent, or Endpoint Servers. Policy groups that you deploy to an Endpoint
Server apply to any DLP Agent that is registered with that server. The Enforce Server automatically associates all policy
groups with all Network Discover Servers.
For Network Monitor and Network Prevent, each policy group is assigned to one or more Network Monitor Servers,
Network Prevent for Email Servers, or Network Prevent for Web Servers. For Network Discover, policy groups are
assigned to individual Discover targets. A single detection server may handle as many policy groups as necessary to
scan its targets. For Endpoint Monitor, policy groups are assigned to the Endpoint Server and apply to all registered DLP
Agents.
Manage and add policy groups
Creating and modifying policy groups
Policy deployment
You can use policy groups to organize and deploy your policies in different ways. For example, consider a situation in
which your detection servers are set up across a system that spans several countries. You can use policy groups to
ensure that a detection server runs only the policies that are valid for a specific location.
You can dedicate some of your detection servers to monitor internal network traffic and dedicate others to monitor network
exit points. You can use policy groups to deploy less restrictive policies to servers that monitor internal traffic. At the same
time, you can deploy stricter policies to servers that monitor traffic leaving your network.
You can use policy groups to organize policies and incidents by business units, departments, geographic regions, or
any other organizational unit. For example, policy groups for specific departments may be appropriate where security
responsibilities are distributed among various groups. In such cases, policy groups provide for role-based access control
over the viewing and editing of incidents. You deploy policy groups according to the required division of access rights
within your organization (for example, by business unit).
You can use policy groups for detection-server allocation, which may be more common where security departments are
centralized. In these cases, you would carefully choose the detection server allocation for each role and reflect the server
name in the policy group name. For example, you might name the groups Inbound and Outbound, United States and
International, or Testing and Production.
In more complex environments, you might consider some combination of the following policy groups for
deploying policies:
• Sales and Marketing - US
• Sales and Marketing - Europe
• Sales and Marketing - Asia
• Sales and Marketing - Australia, New Zealand
• Human Resources - US
• Human Resources - International
• Research and Development
• Customer service
Lastly, you can use policy groups to test policies before deploying them in production, to manage legacy policies, and to
import and export policy templates.
Policy groups
Policy severity
When you configure a detection rule, you can select a policy severity level. You can then use response rules to take action
based on a severity level.
About response rule conditions
The default severity level is set to "High," unless you change it. The default severity level applies to any condition that the
detection rule matches. For example, if the default severity level is set to "High," every detection rule violation is labeled
with this severity level. If you do not want to tag every violation with a specific severity, you can define the criteria by which
a severity level is established. In this case the default behavior is overridden. For example, you can define the "High"
severity level to be applied only after a specified number of condition matches have occurred.
Defining rule severity
In addition, you can define multiple severity levels to layer severity reporting. For example, you can set the "High" severity
level after 100 matches, and the medium severity level to apply after 50 matches.
Data Profiles
Data Profiles are user-defined configurations that you create to implement Exact Match Data Identifier (EMDI), Exact
Data Matching (EDM), Indexed Document Matching (IDM), Form Recognition, and Vector Machine Learning (VML) policy
conditions.
Data Loss Prevention policy detection technologies
Types of Data Profiles describes the types of Data Profiles that the system supports.
Table 369: Types of Data Profiles
Profile type                         Description
Exact Match Data Identifier Profile  An Exact Match Data Identifier Profile is used for Exact Match Data Identifier (EMDI) policies. The Exact Match Data Identifier Profile contains data that has been indexed from a structured data source, such as a CSV file. An important concept for EMDI is the "key column." When using EMDI, you must specify two or more columns with at least one "key column" that has highly unique and discriminatory values that match a distinctive pattern (one that is expressible with a data identifier).
                                     About using EMDI to protect content
                                     About EMDI and key columns
                                     Configuring Exact Match Data Identifier profiles
Exact Data Profile                   An Exact Data Profile is used for Exact Data Matching (EDM) policies. The Exact Data Profile contains data that has been indexed from a structured data source, such as a database, directory server, or CSV file. The Exact Data Profile runs on the detection server. If an EDM policy is deployed to an endpoint, the DLP Agent sends the message to the detection server for evaluation (two-tier detection).
                                     About the Exact Data Profile and index
                                     Introducing profiled Directory Group Matching (DGM)
                                     About two-tier detection for EDM on the endpoint
Indexed Document Profile             An Indexed Document Profile is used for Indexed Document Matching (IDM) policies. The Indexed Document Profile contains data that has been indexed from a collection of confidential documents. The Indexed Document Profile runs on the detection server. If an IDM policy is deployed to an endpoint, the DLP Agent sends the message to the detection server for evaluation (two-tier detection).
                                     About the Indexed Document Profile
Vector Machine Learning Profile      A Vector Machine Learning Profile is used for Vector Machine Learning (VML) policies. The Vector Machine Learning Profile contains a statistical model of the features (keywords) extracted from content that you want to protect. The VML profile is loaded into memory by the detection server and DLP Agent. VML does not require two-tier detection.
                                     About the Vector Machine Learning Profile
Form Recognition Profile             A Form Recognition Profile is used for Form Recognition policies. The Form Recognition Profile contains blank images of forms you want to detect. When you configure a profile, you specify a numeric value to represent the Fill Threshold. This number is a value from 1-10: 1 represents a form that has been filled out minimally and 10 a form that is completely filled in. If the Fill Threshold is met or exceeded, an incident is opened.
                                     Managing Form Recognition profiles
User Groups
You define User Groups on the Enforce Server. User Groups contain user identity information that you populate by
synchronizing the Enforce Server with a group directory server (Microsoft Active Directory).
You must have server administrator privileges to define User Groups. You must define the User Groups before you
synchronize users.
Once you define a User Group, you populate it with users, groups, and business units from your directory server. After
the user group is populated, you associate it with the User/Sender and Recipient detection rules or exceptions. The policy
only applies to members of that User Group.
Introducing synchronized Directory Group Matching (DGM)
Policy template import and export
You can export and import policy templates to and from the Enforce Server. This feature lets you share policy templates
across environments, version existing policies, and archive legacy policies.
Consider a scenario where you author and refine a policy on a test system and then export the policy as a template. You
then import this policy template to a production system for deployment to one or more detection servers. Or, if you want to
retire a policy, you export it as a template for archiving, then remove it from the system.
Importing policy templates
Exporting policy detection as a template
A policy template is an XML file. The template contains the policy metadata, and the detection and the group rules and
exceptions. If a policy template contains more than one condition that requires a Data Profile, the system imports only one
of these conditions. A policy template does not include policy response rules, or modified or custom data identifiers.
Components included in policy templates describes policy template components.
Component                                                                  Description                                                                                                                                                      Exported
Policy metadata (name, description, label)                                 The name of the template has to be less than 60 characters or it does not appear in the Imported Templates list.                                                 YES
Described Content Matching (DCM) rules and exceptions                      If the template contains only DCM methods, it imports as exported without changes.                                                                              YES
Exact Data Matching (EDM) and Indexed Document Matching (IDM) conditions   If the template contains multiple EDM or IDM match conditions, only one is exported. If the template contains an EDM and an IDM condition, the system drops the IDM.   YES
User Group                                                                 User group methods are maintained on import only if the user groups exist on the target before import.                                                          NO
Policy Group                                                               Policy groups do not export. On import you can select a local policy group; otherwise the system assigns the policy to the Default Policy group.                NO
Response Rules                                                             You must define and add response rules to policies from the local Enforce Server instance.                                                                      NO
Data Profiles                                                              On import you must reference a locally defined Data Profile; otherwise the system drops any methods that require a Data Profile.                                 NO
Custom data identifiers                                                    Modified and custom data identifiers do not export.                                                                                                              NO
Custom protocols                                                           Custom protocols do not export.                                                                                                                                  NO
Policy state                                                               Policy state (Active/Suspended) does not export.                                                                                                                 NO
Table 371: Policy implementation process
Action                                                                                                          Description
Familiarize yourself with the different types of detection technologies and methods that Symantec Data Loss
Prevention provides, and considerations for authoring data loss prevention policies.
                                                                                                                Detecting data loss
                                                                                                                Data Loss Prevention policy detection technologies
                                                                                                                Policy matching conditions
                                                                                                                Best practices for authoring policies
Develop a policy detection strategy that defines the type of data you want to protect from data loss.
                                                                                                                Develop a policy strategy that supports your data security objectives
Review the policy templates that ship with Symantec Data Loss Prevention, and any templates that you import
manually or by solution pack.
                                                                                                                Policy templates
                                                                                                                Solution packs
Create policy groups to control how your policies are accessed, edited, and deployed.
                                                                                                                Policy groups
                                                                                                                Policy deployment
To detect exact data or content or similar unstructured data, create one or more Data Profiles.
                                                                                                                Data Profiles
To detect exact identities from a synchronized directory server (Active Directory), configure one or more
User Groups.
                                                                                                                User Groups
Configure conditions for detection and group rules and exceptions.
                                                                                                                Creating a policy from a template
Test and tune your policies.
                                                                                                                Test and tune policies to improve match accuracy
Add response rules to the policy to take action when the policy is violated.
Manage the policies in your enterprise.
                                                                                                                Manage and add policies
View and print details for a single policy.
                                                                                                                Viewing and printing policy details
Download details for all policies.
                                                                                                                Downloading policy details
data within your enterprise. You define and manage your detection policies from the centralized, Web-based Enforce
Server administration console.
Content that can be detected
Files that can be detected
Protocols that can be monitored
Endpoint events that can be detected
Identities that can be detected
Languages that can be detected
For example, the DLP Agent (installed on each endpoint computer) can detect the copying of a confidential file to a USB
device. Or, the DLP Agent can allow the copying of files only to a specific class of USB device that meets corporate
encryption requirements.
Endpoint matching conditions
Technology                           Description
Exact Data Matching (EDM)            Use EDM to detect personally identifiable information.
                                     Introducing Exact Data Matching (EDM)
Exact Match Data Identifiers (EMDI)  Use EMDI to detect structured data, especially personally identifiable information. EMDI provides better matching performance and greater memory efficiency than EDM.
                                     Introducing Exact Match Data Identifiers (EMDI)
Indexed Document Matching (IDM)      Use IDM to detect exact files and file contents, and derivative content.
                                     Introducing Indexed Document Matching (IDM)
Vector Machine Learning (VML)        Use VML to detect similar document content.
                                     Introducing Vector Machine Learning (VML)
Form Recognition                     Use Form Recognition to detect images of forms that belong to a gallery associated with a Form Recognition policy.
                                     About Form Recognition detection
Directory Group Matching (DGM)       Use DGM to detect exact identities synchronized from a directory server or profiled from a database.
                                     Introducing synchronized Directory Group Matching (DGM)
                                     Introducing profiled Directory Group Matching (DGM)
Described Content Matching (DCM)     Use DCM to detect message content and context, including:
                                     • Data Identifiers to match content using precise patterns and data validators.
                                       Introducing data identifiers
                                     • Keywords to detect content using key words, key phrases, and keyword dictionaries.
                                       Introducing keyword matching
                                     • Regular Expressions to detect characters, patterns, and strings.
                                       Introducing regular expression matching
                                     • File properties to detect files by type, name, size, and custom type.
                                       Introducing file property detection
                                     • User, sender, and recipient patterns to detect described identities.
                                       Introducing described identity matching
                                     • Protocol signatures to detect network traffic.
                                       Introducing protocol monitoring for network
                                     • Destinations, devices, and protocols to detect endpoint events.
                                       Introducing endpoint event detection
User Risk-based Detection            Use User Risk-based detection to trigger policies based on the risk score for a particular user.
                                     See Introducing User Risk Based Detection.
Custom policy detection methods      Data Loss Prevention provides methods for customizing and extending detection, including:
                                     • Custom Data Identifiers
                                       Implement your own data identifier patterns and system-defined validators.
                                       Introducing data identifiers
                                     • Custom script validators for Data Identifiers
                                       Use the Symantec Data Loss Prevention Scripting Language to validate custom data types.
                                       Workflow for creating custom data identifiers
                                     • Custom file type identification
                                       Use the Symantec Data Loss Prevention Scripting Language to detect custom file types.
                                       About custom file type identification
                                     • Custom endpoint device detection
                                       Detect or allow any endpoint device using regular expressions.
                                       About endpoint device detection
                                     • Custom network protocol detection
                                       Define custom TCP ports to tap.
                                       Introducing protocol monitoring for network
                                     • Custom content extraction
                                       Use a plug-in to identify custom file formats and extract file contents for analysis by the detection server.
                                       Overview of detection file format support
The new high-performance and memory-efficient policy evaluation engine enables you to:
• Create complex policies with up to 400 compound exceptions
• Create policies with component matching in the Enforce Server administration console for the Endpoint.
When you specify a component that a condition should match, you now get more accurate results.
Consult the following topics for more details:
Changes in the 16.0 Policy Evaluation Engine
Handling Large Policies for Legacy (pre-DLP 16.0) Agents
Detection Messages and Message Components
Two-Tier Detection for DLP Agents
One policy with many compound exceptions creates high memory requirements. The Endpoint Server and the legacy
(pre-DLP 16.0) agents might not be able to handle the high memory requirements of the policy.
To solve this issue, alter the policy size value.
Go to the System > Settings > General > Legacy Agents Policy Set Size Limit setting. Alter the value.
This new value applies to all Endpoint Servers. An Endpoint Server processes the policy set only if its size is less than
a predetermined threshold. The threshold is computed based on the estimated agent memory consumption. The legacy
execution engine data is shipped to the legacy agents. The new execution engine data is shipped to the DLP 16.0 agents.
Compound Exceptions and Policy Set Upgrades
If you have an environment with legacy and DLP 16.0 agents and define policies with many compound exceptions, only
the DLP 16.0 agents receive a policy set upgrade. The legacy agents do not receive a policy set upgrade. They keep
using the latest policy set that fits the memory threshold. Other entities, such as indexes and data identifiers, are still
received. Two-tier detection (TTD) requests from those endpoints are also dropped on the Endpoint Server because the
policy sets may be incompatible.
A system event informs you that a policy set was not shipped to legacy agents. The event also informs you that you
should take the appropriate action. You must either update the legacy agents or separate the legacy agents from the 16.0
agents using policy targeting.
The system posts a warning if:
• The Enforce database contains legacy agents, and
• Legacy agents are configured to connect to Enforce when you save a policy that generates a legacy execution engine,
and
• The legacy execution engine is estimated as larger than the defined threshold.
Content matching conditions
Symantec Data Loss Prevention provides several conditions to match message content. Certain content conditions
require an associated Data Profile and index. For content detection, you can match on individual message components,
including header, body, attachments, and subject for some conditions.
Detection Messages and Message Components
Content that can be detected
Content matching conditions lists the content matching conditions that you can use without a Data Profile and index.
Index-based content matching conditions lists the content matching conditions that require a Data Profile and index.
Data Profiles
Two-tier detection for DLP Agents
Condition                                                                  Description
Content Matches Exact Data From an Exact Data Profile (EDM)                Match exact data profiled from a structured data source such as a database or CSV file.
                                                                           Introducing Exact Data Matching (EDM)
                                                                           Configuring the Content Matches Exact Data policy condition for EDM
                                                                           Note: This condition requires two-tier detection on the endpoint. About two-tier detection for EDM on the endpoint
Content Matches Document Signature From an Indexed Document Profile (IDM)  Match files and file contents exactly or partially using fingerprinting.
                                                                           Introducing Indexed Document Matching (IDM)
                                                                           Configuring the Content Matches Document Signature policy condition
                                                                           Note: This condition requires two-tier detection on the endpoint. About the Indexed Document Profile
Detect using Vector Machine Learning profile (VML)                         Match file contents with features similar to example content you have trained.
                                                                           Introducing Vector Machine Learning (VML)
                                                                           Configuring the Detect using Vector Machine Learning Profile condition
807
File property matching conditions
Symantec Data Loss Prevention provides several conditions to match file properties, including file type, file size, and file
name.
Files that can be detected
Message Attachment or File Type Match
    Match specific file formats and document attachments.
    About file type matching
    Configuring the Message Attachment or File Type Match condition
Message Attachment or File Size Match
    Match files or attachments over or under a specified size.
    About file size matching
    Configuring the Message Attachment or File Size Match condition
Message Attachment or File Name Match
    Match files or attachments that have a specific name or match wildcards.
    About file name matching
    Configuring the Message Attachment or File Name Match condition
Message/Email Properties and Attributes
    Classify Microsoft Exchange email messages based on specific message attributes (MAPI attributes).
Custom File Type Signature
    Match custom file types based on their binary signature using scripting.
    About custom file type identification
    Enabling the Custom File Type Signature condition in the policy console
Protocol Monitoring
    Match incidents on the network transmitted using a specified protocol, including SMTP, FTP, HTTP/S, IM, and NNTP.
    Introducing protocol monitoring for network
    Configuring the Protocol Monitoring condition for network detection
Table 379: Endpoint matching conditions
Condition and description:
Protocol or Endpoint Monitoring
    Match endpoint messages transmitted using a specified transport protocol or when data is moved or copied to a particular destination.
    Introducing endpoint event detection
    Configuring the Endpoint Monitoring condition
Endpoint Device Class or ID
    Match endpoint events occurring on specified hardware devices.
    Introducing endpoint event detection
    Configuring the Endpoint Device Class or ID condition
Endpoint Location
    Match endpoint events depending on whether the DLP Agent is on or off the corporate network.
    Introducing endpoint event detection
    Configuring the Endpoint Location condition
Group rule conditions:
Sender/User Matches Pattern
    Match message senders and users by email address, user ID, IM screen name, and IP address.
    Introducing described identity matching
    Configuring the Sender/User Matches Pattern condition
Recipient Matches Pattern
    Match message recipients by email or IP address, or Web domain.
    Introducing described identity matching
    Configuring the Recipient Matches Pattern condition
Sender/User based on a Directory Server Group
    Match message senders and users from a synchronized directory server.
    Introducing synchronized Directory Group Matching (DGM)
    Configuring the Sender/User based on a Directory Server Group condition
Sender/User based on a Directory from: an Exact Data Profile
    Match message senders and users from a profiled directory server.
    Introducing profiled Directory Group Matching (DGM)
    Configuring the Sender/User based on a Profiled Directory condition
    Note: This condition requires two-tier detection on the endpoint. About two-tier detection for profiled DGM
Recipient based on a Directory Server Group
    Match message recipients from a synchronized directory server.
    Introducing synchronized Directory Group Matching (DGM)
    Configuring the Recipient based on a Directory Server Group condition
    Note: This condition requires two-tier detection on the endpoint. About two-tier detection for synchronized DGM
Recipient based on a Directory from: an Exact Data Profile
    Match message recipients from a profiled directory server.
    Configuring Exact Data profiles for DGM
    Configuring the Recipient based on a Profiled Directory condition
    Note: This condition requires two-tier detection on the endpoint. About two-tier detection for profiled DGM
NOTE
Definitions:
• “File” on the endpoint applies to file operations (for example, copy to USB) and to EDAR (Endpoint Data at Rest) scans.
• The Endpoint does not have a subject component, so the subject component is mapped to the envelope.
• A “Generic” component is a virtual endpoint component that matches on Subject, Body, Attachment, or File.
Enforcing component matching on the endpoint can significantly alter the functional behavior of policies that are not set to match on all components.
Rules
Policies whose rules are set to match on a subset of the components generate fewer incidents, because a rule evaluates to true only when it matches in the specified components.
Exceptions
Policies whose exceptions are set to match on a subset of the components generate more incidents, because only the exceptions that match in the specified components exclude either the matched component or the entire message (when the exception is defined as matched component only (MCO) or Entire Message, respectively).
Enabling component matching on the Endpoint gives more consistent policy enforcement across the Server, Cloud, and Endpoint. However, because the subject on the Server is mapped to the envelope on the Endpoint, you can still see slightly different incident results.
Two-Tier Detection (TTD) on the DLP Agent
Unlike the previous DLP 15.8 execution engine, the DLP 16.0 execution engine evaluates all TTD policies on the server.
The DLP 16.0 execution engine does not perform a partial policy evaluation on the Agent.
With the new engine, TTD no longer produces duplicate incidents, and the Agent itself does not generate incidents for a policy that requires TTD.
When the New DLP 16.0 Execution engine is Enabled on the DLP 16.0 Endpoint Server
A DLP 16.0 Endpoint server receives the same information from both the DLP 15.8 and DLP 16.0 agents. If the Agent
is DLP 16.0, the DLP 16.0 Endpoint server evaluates the TTD request using the DLP 16.0 execution engine logic. If the
Agent is pre-DLP 16.0, the DLP 16.0 Endpoint server evaluates the TTD request using the pre-DLP 16.0 execution logic.
When the New Execution Engine is Disabled on the DLP 16.0 Endpoint Server
The DLP 16.0 Endpoint server receives the same information from both types of agents and evaluates the TTD request
using the pre-DLP 16.0 execution logic.
NOTE
Future major versions of Symantec Data Loss Prevention will not support the pre-DLP 16.0 execution engine.
Selecting Components to Match On
Message Components to Match On summarizes the component matching that is supported by each match condition type.
Exception Conditions
Symantec Data Loss Prevention provides policy exceptions to exclude messages and message components from matching. You can use multiple exception conditions to refine the scope of your detection and group rules. The policy engine in DLP 16.0 allows you to create many compound exceptions without large memory usage, both on the server and on the agent.
The system evaluates an inbound message or message component in this order:
1. First, the message, or message component, is evaluated against rules.
2. Second, the entire message is evaluated against "entire message" exceptions, if present.
3. Third, only the matched components are evaluated against "matched components only" exceptions, if present.
If the exception supports cross-component matching (content-based exceptions), it can be configured to match on individual message components ("matched component only" exceptions). Otherwise, the exception matches on the entire message.
If an exception is met, the system ejects the entire message or the message component containing the content that triggered the exception. The ejected message or message component is no longer available for evaluation against policy rules. The system discards the entire message or message component that contained the excepted item, not only the matched content or data item.
NOTE
Symantec Data Loss Prevention does not support match-level exceptions, only component or message-level
exceptions.
For example, consider a policy that has a detection rule with one condition and an exception with one condition. The rule matches messages containing Microsoft Word attachments and generates an incident for each match. The exception excludes messages from ceo@company.com from matching. An email from ceo@company.com that contains a Word attachment is excepted from matching and does not trigger an incident. The detection exception condition excluding ceo@company.com messages takes precedence over the detection rule match condition that would otherwise match on the message. If the content is from the same category, VML can be used as an exception.
Use a limited number of exceptions to narrow detection scope
Policy detection execution
Adding an Exception to a Policy
CAN-SPAM Act policy template
Safe Listing File Contents to Exclude from Partial Matching
Compound rules
A valid policy must declare at least one rule that defines at least one match condition. The condition matches input data
to detect data loss. A rule with a single condition is a simple rule. Optionally, you can declare multiple conditions within a
single detection or group rule. A rule with multiple conditions is a compound rule.
For compound rules, each condition in the rule must match to trigger a violation. Thus, for a single policy that declares
one rule with two conditions, if one condition matches but the other does not, detection does not report a match. If both
conditions match, detection reports a match, assuming that the rule is set to count all matches. In programmatic terms,
two or more conditions in the same rule are ANDed together.
As with rules, you can declare multiple conditions within a single exception. In this case, all conditions in the exception
must match for the exception to apply.
Policy detection execution
Use compound rules to improve match accuracy
Exception conditions
Policy configuration, logic, and description:
Compound rules (Logic: AND)
    If a single rule or exception in a policy contains two or more match conditions, all conditions must match.
Rules or exceptions of the same type (Logic: OR)
    If there are two detection rules in a single policy, or two group rules in a single policy, or two exceptions of the same type (detection or group), the rules or exceptions are independent of each other.
Rules of a different type (Logic: AND)
    If one or more detection rules are combined with one or more group rules in a single policy, the rules are dependent.
Exceptions of a different type (Logic: OR)
    If one or more detection exceptions are combined with one or more group exceptions in a single policy, the exceptions are independent.
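The rule, exception, and evaluation-order logic described in this section, modelled as an added Python example (not Symantec code or the product's engine); the rule names, senders, keywords, and messages are constructed for illustration, and the ceo@company.com case is the one the text walks through:

```python
"""Rule and exception logic of a DLP policy as the tables above describe it.

Added illustration, not Symantec code: conditions inside a rule are ANDed,
rules of the same type are ORed, detection and group rules are dependent,
and exceptions run after the rules, ejecting either the entire message or
only the matched component. Senders, keywords and messages are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Predicate = Callable[[str], bool]   # one match condition, tested on a component's text


@dataclass
class Rule:
    name: str
    kind: str                        # "detection" or "group"
    conditions: List[Predicate]      # two or more conditions make a compound rule
    components: List[str]            # "envelope", "subject", "body", "attachment"


@dataclass
class PolicyException:
    name: str
    conditions: List[Predicate]
    components: List[str]
    scope: str                       # "entire" (Entire Message) or "mco" (matched component only)


def matching_components(conditions: List[Predicate], components: List[str],
                        msg: Dict[str, str]) -> Set[str]:
    """Components in which every condition holds (conditions are ANDed)."""
    return {c for c in components if all(p(msg.get(c, "")) for p in conditions)}


def evaluate(rules: List[Rule], exceptions: List[PolicyException],
             msg: Dict[str, str]) -> List[str]:
    """Names of the rules that still match after exceptions; [] means no incident."""
    # 1. The message components are evaluated against the rules.
    hits = {r.name: matching_components(r.conditions, r.components, msg) for r in rules}
    # 2. "Entire message" exceptions eject the whole message.
    for exc in exceptions:
        if exc.scope == "entire" and matching_components(exc.conditions, exc.components, msg):
            return []
    # 3. "Matched components only" exceptions eject just the components they hit;
    #    the rest of the message stays available to the rules.
    ejected: Set[str] = set()
    for exc in exceptions:
        if exc.scope == "mco":
            ejected |= matching_components(exc.conditions, exc.components, msg)
    surviving = {name: comps - ejected for name, comps in hits.items()}
    # Detection rules and group rules are dependent (ANDed across types);
    # rules of the same type are independent (ORed), so one hit of each type suffices.
    for kind in ("detection", "group"):
        of_kind = [r for r in rules if r.kind == kind]
        if of_kind and not any(surviving[r.name] for r in of_kind):
            return []
    return sorted(name for name, comps in surviving.items() if comps)


def has(word: str) -> Predicate:
    """Case-insensitive substring condition (stands in for a keyword condition)."""
    return lambda text: word.lower() in text.lower()


WORD_ATTACHMENT = Rule("Word attachment", "detection", [has(".docx")], ["attachment"])
FROM_CEO = PolicyException("From the CEO", [has("ceo@company.com")], ["envelope"], "entire")


def demo_ceo_exception():
    """The text's example: the CEO's Word attachment raises no incident, a colleague's does."""
    staff = {"envelope": "from: alice@company.com", "body": "see attached",
             "attachment": "roadmap.docx"}
    ceo = dict(staff, envelope="from: ceo@company.com")
    return (evaluate([WORD_ATTACHMENT], [FROM_CEO], staff),
            evaluate([WORD_ATTACHMENT], [FROM_CEO], ceo))


def demo_compound_and_group():
    """Compound rule: both conditions must hold in the same component; a group rule
    combined with a detection rule must match as well."""
    compound = Rule("Secret Word file", "detection", [has("secret"), has(".docx")], ["attachment"])
    contractors = Rule("Contractor sender", "group", [has("@contractor.example")], ["envelope"])
    msg = {"envelope": "from: bob@contractor.example", "body": "", "attachment": "secret-plan.docx"}
    return (evaluate([compound], [], msg),
            evaluate([compound], [], dict(msg, attachment="secret-plan.txt")),
            evaluate([compound, contractors], [], msg),
            evaluate([compound, contractors], [], dict(msg, envelope="from: alice@company.com")))


def demo_mco_exception():
    """A matched-component-only exception ejects only the body it matched; the
    attachment can still raise the incident, and without it nothing is left."""
    secret = Rule("Secret keyword", "detection", [has("secret")], ["body", "attachment"])
    boilerplate = PolicyException("Signature boilerplate", [has("confidentiality notice")],
                                  ["body", "attachment"], "mco")
    msg = {"envelope": "from: alice@company.com",
           "body": "secret draft attached. Confidentiality notice: internal use only.",
           "attachment": "secret figures"}
    return (evaluate([secret], [boilerplate], msg),
            evaluate([secret], [boilerplate], dict(msg, attachment="quarterly figures")))
```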
Detection technology, match condition, and description:
Exact Data Matching (EDM)
    Match condition: Content Matches Exact Data from an Exact Data Profile
    Introducing Exact Data Matching (EDM)
    About two-tier detection for EDM on the endpoint
Profiled Directory Group Matching (DGM)
    Match conditions: Sender/User based on a Directory from an Exact Data Profile; Recipient based on a Directory from an Exact Data Profile
    Introducing profiled Directory Group Matching (DGM)
    About two-tier detection for profiled DGM
Synchronized Directory Group Matching (DGM)
    Match condition: Recipient based on a Directory Server Group
    Introducing synchronized Directory Group Matching (DGM)
    About two-tier detection for synchronized DGM
Indexed Document Matching (IDM)
    Match condition: Content Matches Document Signature from an Indexed Document Profile
    Introducing Indexed Document Matching (IDM)
    Two-tier IDM detection
    Note: Two-tier detection for IDM only applies if it is enabled on the Endpoint Server (two_tier_idm = on). If Endpoint IDM is enabled (two_tier_idm = off), two-tier detection is not used.
Action and description:
Edit the policy name or description (optional).
    If you intend to modify a system-defined template, you may want to change the name so you can distinguish it from the original.
    Configuring policies
    Note: If you want to export the policy as a template, the policy name must be less than 60 characters. If it is more, the template does not appear in the Imported Templates section of the Template List screen.
Select a policy group (if necessary).
    If you have defined a policy group, select it from the Policy Group list.
    Creating and modifying policy groups
    If you have not defined a policy group, the system deploys the policy to the Default Policy Group.
Edit the policy rules or exceptions (if necessary).
    The Configure Policy screen displays the rules and exceptions (if any) provided by the policy. You can modify, add, and remove policy rules and exceptions to meet your requirements.
    Configuring Policy Rules
    Configuring policy exceptions
Save the policy and export it (optional).
    Click Save to save the policy.
    You can export policy detection as a template for sharing or archiving.
    Exporting policy detection as a template
    For example, if you changed the configuration of a system-defined policy template, you may want to export it for sharing across environments.
Test and tune the policy (recommended).
    Test and tune the policy using data the policy should and should not detect. Review the incidents that the policy generates. Refine the policy rules and exceptions as necessary to reduce false positives and false negatives.
Add response rules (optional).
    Add response rules to the policy to report and remediate violations.
    Implementing response rules
    Note: Response rules are not included in policy templates.
Policy templates
Policy template import and export
Policy template and description:
California Consumer Privacy Act
    Deals with the handling and protection of sensitive personal information that individuals provide in the course of everyday transactions.
    California Consumer Privacy Act Policy Template
CAN-SPAM Act
    Establishes requirements for sending commercial email.
    CAN-SPAM Act policy template
Defense Message System (DMS) GENSER Classification
    Detects information classified as confidential.
    Defense Message System (DMS) GENSER Classification policy template
Export Administration Regulations (EAR)
    Enforces the U.S. Department of Commerce Export Administration Regulations (EAR).
    Export Administration Regulations (EAR) policy template
FACTA 2003 (Red Flag Rules)
    Enforces sections 114 and 315 (or Red Flag Rules) of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
    FACTA 2003 (Red Flag Rules) policy template
Gramm-Leach-Bliley
    This policy limits sharing of consumer information by financial institutions.
    Gramm-Leach-Bliley policy template
HIPAA and HITECH (including PHI)
    This policy enforces the US Health Insurance Portability and Accountability Act (HIPAA).
    HIPAA and HITECH (including PHI) policy template
International Traffic in Arms Regulations (ITAR)
    This policy enforces the US Department of State ITAR provisions.
    International Traffic in Arms Regulations (ITAR) policy template
Medicare and Medicaid (including PHI)
    This policy detects protected health information (PHI) associated with the United States Medicare and Medicaid programs.
    Medicare and Medicaid (including PHI)
NASD Rule 2711 and NYSE Rules 351 and 472
    This policy protects the name(s) of any companies that are involved in an upcoming stock offering.
    NASD Rule 2711 and NYSE Rules 351 and 472 policy template
NASD Rule 3010 and NYSE Rule 342
    This policy monitors broker-dealer communications.
    NASD Rule 3010 and NYSE Rule 342 policy template
NERC Security Guidelines for Electric Utilities
    This policy detects the information that is outlined in the North American Electric Reliability Council (NERC) security guidelines for the electricity sector.
    NERC Security Guidelines for Electric Utilities policy template
Office of Foreign Assets Control (OFAC)
    This template detects communications involving targeted OFAC groups.
    Office of Foreign Assets Control (OFAC) policy template
OMB Memo 06-16 and FIPS 199 Regulations
    This template detects information that is classified as confidential.
    OMB Memo 06-16 and FIPS 199 Regulations policy template
Payment Card Industry Data Security Standard
    This template detects credit card number data.
    Payment Card Industry (PCI) Data Security Standard policy template
Sarbanes-Oxley
    This template detects sensitive financial data.
    Sarbanes-Oxley policy template
SEC Fair Disclosure Regulation
    This template detects data disclosure of material financial information.
    SEC Fair Disclosure Regulation policy template
State Data Privacy
    This template detects breaches of state-mandated confidentiality.
    State Data Privacy policy template
US States Drivers License Number
    This template detects the Driving License Numbers for US States.
US Intelligence Control Markings (CAPCO) and DCID 1/7
    This template detects authorized terms to identify classified information in the US Federal Intelligence community.
    US Intelligence Control Markings (CAPCO) and DCID 1/7 policy template
Virginia Consumer Data Protection Act
    This template establishes a framework for controlling and processing personal data in the US State of Virginia.
    Virginia Consumer Data Protection Act Policy Template
primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory
environment for international business by unifying the regulation within the EU. The GDPR replaces the EU Data
Protection Directives as of 25 May 2018.
Symantec Data Loss Prevention provides several policy templates for General Data Protection Regulation (GDPR) compliance.
Table 386:
General Data Protection Regulations (Banking and Finance)
    This policy protects personal identifiable information related to banking and finance.
    General Data Protection Regulation (Banking and Finance)
General Data Protection Regulation (Digital Identity)
    This policy protects personal identifiable information related to digital identity.
    General Data Protection Regulation (Digital Identity)
General Data Protection Regulation (Government Identification)
    This policy protects personal identifiable information related to government identification.
    General Data Protection Regulation (Government Identification)
General Data Protection Regulation (Healthcare and Insurance)
    This policy protects personal identifiable information related to healthcare and insurance.
    General Data Protection Regulation (Healthcare and Insurance)
General Data Protection Regulation (Personal Profile)
    This policy protects personal identifiable information related to personal profile data.
    General Data Protection Regulation (Personal Profile)
General Data Protection Regulation (Travel)
    This policy protects personal identifiable information related to travel.
    General Data Protection Regulation (Travel)
Human Rights Act 1998
    This policy enforces Article 8 of the act for UK citizens.
    Human Rights Act 1998 policy template
Policy template and description:
Canadian Social Insurance Numbers
    This policy detects patterns indicating Canadian social insurance numbers.
    Canadian Social Insurance Numbers policy template
Credit Card Numbers
    This policy detects patterns indicating credit card numbers.
    Credit Card Numbers policy template
Customer Data Protection
    This policy detects customer data.
    Customer Data Protection policy template
Employee Data Protection
    This policy detects employee data.
    Employee Data Protection policy template
Enhanced Credit Card Numbers with Individual Issuers
    This policy detects enhanced patterns indicating credit card numbers at risk of exposure.
    Enhanced Credit Card Numbers with Individual Users PolicyProfile Template
Individual Taxpayer Identification Numbers (ITIN)
    This policy detects IRS-issued tax processing numbers.
    Individual Taxpayer Identification Numbers (ITIN) policy template
SWIFT Codes
    This policy detects codes banks use to transfer money across international borders.
    SWIFT Codes policy template
UK Drivers License Numbers
    This policy detects UK Drivers License Numbers.
    UK Drivers License Numbers policy template
UK Electoral Roll Numbers
    This policy detects UK Electoral Roll Numbers.
    UK Electoral Roll Numbers policy template
UK National Insurance Numbers
    This policy detects UK National Insurance Numbers.
    UK National Insurance Numbers policy template
UK National Health Service Number
    This policy detects personal identification numbers issued by the NHS.
    UK National Health Service (NHS) Number policy template
UK Passport Numbers
    This policy detects valid UK passports.
    UK Passport Numbers policy template
UK Tax ID Numbers
    This policy detects UK Tax ID Numbers.
    UK Tax ID Numbers policy template
US Social Security Numbers
    This policy detects patterns indicating social security numbers.
    US Social Security Numbers policy template
Table 389: Confidential or Classified Data Protection policy Templates
Common Spyware Upload Sites
    This policy detects access to common spyware upload Web sites.
    Common Spyware Upload Sites policy template
Network Diagrams
    This policy detects computer network diagrams.
    Network Diagrams policy template
Network Security
    This policy detects evidence of hacking tools and attack planning.
    Network Security policy template
Password Files
    This policy detects password file formats.
    Password Files policy template
Creating a policy from a template
Table 392: Colombia Personal Data Regulatory Enforcement Policy Template
Colombian Personal Data Protection Law 1581
    This policy detects violations of the Colombian Personal Data Protection Law 1581.
    Colombian Personal Data Protection Law 1581 Policy Template
NOTE
When the system prompts you to select an Exact Data Profile, the display lists the data columns to include in the profile to provide the highest level of accuracy. If data fields in your Exact Data Profile are not represented in the selected policy template, the system displays those fields for content matching when you define the detection rule.
Table 393: Policy templates that implement Exact Data Matching (EDM)
Policy template and description:
General Data Protection Regulations (Government Identification)
    General Data Protection Regulation (Government Identification)
General Data Protection Regulations (Healthcare and Insurance)
    General Data Protection Regulation (Healthcare and Insurance)
General Data Protection Regulations (Personal Profile)
    General Data Protection Regulation (Personal Profile)
General Data Protection Regulations (Travel)
    General Data Protection Regulation (Travel)
Gramm-Leach-Bliley
    Gramm-Leach-Bliley policy template
HIPAA and HITECH (including PHI)
    HIPAA and HITECH (including PHI) policy template
Human Rights Act 1998
    Human Rights Act 1998 policy template
International Traffic in Arms Regulations (ITAR)
    International Traffic in Arms Regulations (ITAR) policy template
Payment Card Industry Data Security Standard
    Payment Card Industry (PCI) Data Security Standard policy template
PIPEDA
    PIPEDA policy template
Price Information
    Price Information policy template
Resumes
    Resumes policy template
State Data Privacy
    SEC Fair Disclosure Regulation policy template
If you do not have a Document Profile, you can cancel policy creation and define the Document Profile. Or, you can
choose to not use a Document Profile. In this case the system disables any IDM rules or exceptions for the policy
instance. If the policy template contains DCM rules or exceptions, you may use them.
About the Indexed Document Profile
Table 394: Policy templates that implement Indexed Document Matching (IDM)
Configuring policies
The Manage > Policies > Policy List > Configure Policy screen is the home page for configuring policies.
Configuring policies describes the workflow for configuring policies.
Table 395: Configuring policies
Action and description:
Define a new policy, or edit an existing policy.
    Add a new blank policy.
    Adding a new policy or policy template
    Create a policy from a template.
    Creating a policy from a template
    Select an existing policy at the Manage > Policies > Policy List screen to edit it.
    Manage and add policies
Enter a policy Name and Description.
    The policy name must be unique in the policy group you deploy the policy to.
    Input character limits for policy configuration.
Select the Policy Group from the list where the policy is to be deployed.
    The Default Policy Group is selected if there is no policy group configured.
    Creating and modifying policy groups
Set the Status for the policy.
    You can enable (default setting) or disable a policy. A disabled policy is deployed but is not loaded into memory to detect incidents.
    Manage and add policies
Add a rule to the policy, or edit an existing rule.
    Click Add Rule to add a rule.
    Adding a Rule to a Policy
    Select an existing rule to edit it.
Configure the rule with one or more conditions.
    For a valid policy, you must configure at least one rule that declares at least one condition. Compound rules and exceptions are optional.
    Configuring Policy Rules
Optionally, add one or more policy exceptions, or edit an existing exception.
    Click Add Exception to add it.
    Adding an Exception to a Policy
    Select an existing exception to edit it.
Configure any exception(s).
    Configuring policy exceptions
Save the policy configuration.
    Click Save to save the policy configuration to the Enforce Server database.
    Policy components
Export the policy as a template.
    Optionally, you can export the policy rules and exceptions as a template.
    Exporting policy detection as a template
Add one or more response rules to the policy.
    You configure response rules independent of policies.
    Adding an automated response rule to a policy
Adding an Exception to a Policy
1. Go to Manage > Policies > Policy List > Configure Policy – Add Rule.
2. Choose the type of rule (detection or group) to add to the policy.
• To add a detection rule, select the Detection tab and click Add Rule.
• To add a group (identity) rule, select the Groups tab and click Add Rule.
Policy matching conditions
3. Select the detection or the group rule that you want to implement from the list of rules.
Adding policy rules
4. Select the prerequisite component, if necessary.
If the policy rule requires a Data Profile, Data Identifier, or User Group select it from the list.
5. Click Next to configure the policy rule.
Configuring Policy Rules
You can add the following types of rules:
Rule, prerequisite, and where to find more information:
Custom File Type Signature Rule
    Prerequisite: Custom script enabled
    About custom file type identification
    Enabling the Custom File Type Signature condition in the policy console
Protocol and Endpoint match conditions
Protocol Monitoring
    Prerequisite: Custom protocols (if any)
    Introducing protocol monitoring for network
Endpoint Monitoring
    About endpoint protocol monitoring
Endpoint Device Class or ID
    Prerequisite: Custom devices
    About endpoint device detection
Endpoint Location
    About endpoint location detection
Form Recognition
Detect using Form Recognition Profile
    Prerequisite: Form Recognition Profile
    About Form Recognition detection
    Configuring the Form Recognition detection rule
Groups (Identities) match conditions
Sender/User Matches Pattern
    Introducing described identity matching
Recipient Matches Pattern
    Introducing described identity matching
Sender/User based on a Directory Server Group
Recipient based on a Directory Server Group
    Prerequisite: User Group
    Introducing synchronized Directory Group Matching (DGM)
    Configuring User Groups
Sender/User based on a Directory from:
Recipient based on a Directory from:
    Prerequisite: Exact Data Profile
    Introducing profiled Directory Group Matching (DGM)
    Configuring Exact Data profiles for DGM
Step 6: Select components to match on (if available).
    If the rule is content-based, select one or more available content rules to match on.
    Selecting components to match on
Step 7: Add and configure one or more additional match conditions (optional).
    To define a compound rule, add another match condition from the Also Match list. Configure the additional condition according to its type (Step 4).
    Configuring compound rules
    Note: All conditions in a single rule must match to trigger an incident.
    Policy detection execution
Step 8: Save the policy configuration.
    When you are done configuring the rule, click OK. This action returns you to the Configure Policy screen where you can Save the policy.
    Manage and add policies
The following table lists each of the available match conditions and provides links to topics for configuring each condition.
Table 398: Configuring match counting parameters and conditions
Check for existence
    Simple rule: Reports a match count of 1 if there are one or more matches; it does not count multiple matches.
    Compound rule: Reports a match count of 1 if there are one or more matches; it does not count multiple matches.
Count all matches
    Simple rule: Reports a match count of the exact number of matches detected by the condition. For example, one incident with 10 matches.
    Compound rule: Reports a match count of the sum of all condition matches in the rule. The default is one incident per policy. The default applies if any condition is set to count all matches. The configuration counts all the matches for all the conditions and reports them in one incident. Exception matches are never reported.
    For example, a rule has two conditions: one is set to count all matches and detects four matches, and the other is set to check for existence. As a result, the reported match count is five: four matches for the first condition that counts all matches, and one match for the second condition that checks for existence.
Only report incidents with at least _ matches
    You can change the default of at least one match by specifying the minimum number of matches required to report an incident.
    For example, in a rule with two conditions, you should get an incident with five matches: four for the first condition that counts all matches, and one for the second condition that checks for existence. You must select this option for each condition in the rule or exception to achieve this behavior.
    Note: The count all matches setting applies to each message component you match on. For example, consider a policy where you specify a match count of three. You configure a keyword rule that matches on all four message components (default setting for this condition). If a message is received with two instances of the keyword in the body and one instance of the keyword in the envelope, the system does not report this as a match. However, if three instances of the keyword appear in an attachment (or any other single message component), the system reports it as a match.
Count all unique matches
    Only count unique matches: Unique match counting is available for Data Identifiers, keyword matching, and regular expression matching.
    About unique match counting
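The match counting options in the table above, modelled as an added Python example that is not Symantec code; the keywords, patterns, message, and component names are constructed, and one point the table leaves open is marked as an assumption in the code:

```python
"""Match counting as Table 398 describes it.

Added illustration, not Symantec code: "check for existence", "count all
matches", the per-component minimum-match threshold, and unique match
counting for keyword- and regular-expression-style conditions.
The message, patterns and component names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALL_COMPONENTS = ("envelope", "subject", "body", "attachment")


@dataclass
class Condition:
    pattern: str                          # keyword or regular expression
    mode: str = "count_all"               # "count_all" or "existence"
    unique: bool = False                  # count each distinct match once
    components: Tuple[str, ...] = ALL_COMPONENTS


def matches_in(text: str, pattern: str, unique: bool) -> int:
    """Number of (optionally unique) case-insensitive hits in one component."""
    hits = re.findall(pattern, text, flags=re.IGNORECASE)
    return len({h.lower() for h in hits}) if unique else len(hits)


def per_component(cond: Condition, msg: Dict[str, str]) -> Dict[str, int]:
    """Match count of the condition in each component it is set to match on."""
    counts = {}
    for comp in cond.components:
        n = matches_in(msg.get(comp, ""), cond.pattern, cond.unique)
        # "Check for existence" reports 1 for a component with one or more matches.
        counts[comp] = min(n, 1) if cond.mode == "existence" else n
    return counts


def evaluate_rule(conditions: List[Condition], msg: Dict[str, str],
                  min_matches: int = 1) -> Tuple[bool, int]:
    """Return (incident reported?, reported match count).

    Every condition must match (conditions in a rule are ANDed). The
    "at least _ matches" threshold applies per message component, as the
    table's note says: 2 hits in the body plus 1 in the envelope do not
    reach a threshold of 3, but 3 hits in one attachment do. The reported
    count is the sum of every condition's matches, so a count-all condition
    with 4 hits plus an existence condition reports 5.
    Assumption (not stated on the page): once a condition has matched, hits
    in its other components are also included in the reported count.
    """
    total = 0
    for cond in conditions:
        counts = per_component(cond, msg)
        if max(counts.values(), default=0) < min_matches:
            return False, 0
        total += sum(counts.values())
    return True, total


def demo_compound_sum():
    """The table's own example: 4 count-all matches + 1 existence match = 5."""
    msg = {"envelope": "from: alice@example.test", "subject": "draft",
           "body": "Project Secret notes. secret!",          # 2 hits
           "attachment": "secret secret budget.xlsx"}        # 2 hits, plus the file name
    return evaluate_rule([Condition("secret"),
                          Condition("xlsx", mode="existence", components=("attachment",))],
                         msg)


def demo_threshold():
    """A threshold of 3 is per component: split hits do not count, 3 in one do."""
    split = {"envelope": "subject: secret", "body": "secret ... secret", "attachment": ""}
    single = {"envelope": "", "body": "", "attachment": "secret secret secret"}
    keyword = Condition("secret")
    return (evaluate_rule([keyword], split, min_matches=3),
            evaluate_rule([keyword], single, min_matches=3))


def demo_unique():
    """Unique counting reports a repeated 16-digit number once."""
    msg = {"body": "4111111111111111 twice: 4111111111111111, then 5500000000000004"}
    pan = r"\b\d{16}\b"
    return (evaluate_rule([Condition(pan, components=("body",))], msg)[1],
            evaluate_rule([Condition(pan, unique=True, components=("body",))], msg)[1])
```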
Selecting components to match on
The availability of one or more message components to match on depends on the type of rule or exception condition you
implement.
Detection Messages and Message Components
Component and description:
Envelope
    If the condition supports matching on the Envelope component, select it to match on the message metadata. The envelope contains the header, transport information, and the subject if the message is an SMTP email.
    If the condition does not support matching on the Envelope component, this option is grayed out.
    If the condition matches on the entire message, the Envelope is selected and cannot be deselected, and the other components cannot be selected. This occurs because certain conditions, such as sender and recipient, are locked to match on the envelope.
Subject
    Certain detection conditions match on the Subject component for some types of messages. The subject is mapped on the header for the endpoint agent.
    Detection Messages and Message Components
    For the detection conditions that support subject component matching, you can match on the Subject for the following types of messages:
    • SMTP (email) messages from Network Monitor or Network Prevent for Email.
    • NNTP messages from Network Monitor.
    To match on the Subject component, you must select (check) the Subject component and uncheck (deselect) the Envelope component for the policy rule. If you select both components, the system matches the subject twice because the message subject is included in the envelope as part of the header.
Body
    If the condition matches on the Body message component, select it to match on the text or content of the message.
Attachment(s)
    If the condition matches on the Attachment(s) message component, select it to detect content in files sent by, downloaded with, or attached to the message. The attachment applies to single files as well as Discover scans (server), EDAR (agent), and file operations (agent).
3. Select the exception conditions to implement.
The Add Detection Exception screen lists all available detection exceptions that you can add to a policy.
The Add Group Exception screen lists all available group exceptions that you can add to a policy.
Selecting a policy exception
4. If necessary, choose the profile, data identifier, or user group.
5. Click Next to configure the exception.
You can add the following types of exception conditions:
Exception | Prerequisite | For more information
Content
Content Matches Regular Expression | (none) | Introducing regular expression matching
Content Matches Keyword | (none) | Introducing keyword matching
Content Matches Document Signature | Indexed Document Profile | Choosing an Indexed Document Profile
Content Matches Data Identifier | Data Identifier | Introducing data identifiers; Selecting a data identifier breadth
Detect using Vector Machine Learning profile | VML Profile | Configuring VML policy exceptions; Configuring VML profiles and policy conditions
Context
Contextual Attributes (Cloud Applications and API Detection Appliance only) | Cloud Detection Service or API Detection Appliance | Introducing contextual attributes for cloud applications
User Risk Score | ICA as a user data source | Introducing Contextual Attributes for User Risk Scores
File Properties
Message Attachment or File Type Match | (none) | About file type matching
Message Attachment or File Size Match | (none) | About file size matching
Message Attachment or File Name Match | (none) | About file name matching
Custom File Type Signature | Condition enabled; Custom script added | About custom file type identification
Protocol and Endpoint
Network Protocol | (none) | Introducing protocol monitoring for network
Endpoint Protocol, Destination, Application | (none) | About endpoint protocol monitoring
Endpoint Device Class or ID | (none) | About endpoint device detection
Endpoint Location | (none) | About endpoint location detection
Form Recognition
Detect using Form Recognition Profile | Form Recognition Profile | About Form Recognition detection; Configuring the Form Recognition exception rule
Group (identity)
Sender/User Matches Pattern; Recipient Matches Pattern | (none) | Introducing described identity matching
Sender/User based on a Directory Server Group; Recipient based on a Directory Server Group | User Group | Introducing synchronized Directory Group Matching (DGM); Configuring User Groups. Note: Network Prevent for Web does not support this type of exception. Use profiled DGM instead.
Sender/User based on a Directory from:; Recipient based on a Directory from: | Exact Data Profile | Introducing profiled Directory Group Matching (DGM); Configuring Exact Data profiles for DGM
Step 3 | Select the components to apply the exception to (if available). | If the exception is content-based, you can match on the entire message or on individual message components.
Detection Messages and Message Components
Select one of the Apply Exception to options:
• Entire Message: This option applies the exception to the entire message.
• Matched Components Only: This option applies the exception to each matching message component that you select from the Match On options in the Conditions section of the exception.
Step 4 | Configure the exception condition. | In the Conditions section of the Configure Policy - Edit Exception screen, define the condition for the policy exception. The configuration of a condition depends on the exception type.
Policy exception conditions available for configuration
Step 5 | Add one or more conditions to the exception (optional). | You can add conditions until the exception is structured as desired.
Configuring compound rules
To add another condition to an exception, select the condition from the Also Match list.
Click Add and configure the condition.
Step 6 | Save and manage the policy. | Click OK to complete the exception definition process.
Click Save to save the policy.
Manage and add policies
Policy exception conditions available for configuration lists the exception conditions that you can configure, with links to
configuration details.
Exception Description
Content
Content Matches Regular Expression: Configuring the Content Matches Regular Expression condition
Content Matches Keyword: Configuring the Content Matches Keyword condition
Content Matches Document Signature: Configuring the Content Matches Document Signature policy condition
Content Matches Data Identifier: Configuring the Content Matches data identifier condition
Detect using Vector Machine Learning Profile: Configuring VML policy exceptions
Context
Contextual Attributes (Cloud Applications and API Detection Appliance only): Introducing contextual attributes for cloud applications
File Properties
Message Attachment or File Type Match: Configuring the Message Attachment or File Type Match condition
Message Attachment or File Size Match: Configuring the Message Attachment or File Size Match condition
Message Attachment or File Name Match: Configuring the Message Attachment or File Name Match condition
Custom File Type Signature: Configuring the Custom File Type Signature condition
Protocol and Endpoint
Network Protocol: Configuring the Protocol Monitoring condition for network detection
Endpoint Protocol or Destination: Configuring the Endpoint Monitoring condition
Endpoint Device Class or ID: Configuring the Endpoint Device Class or ID condition
Endpoint Location: Configuring the Endpoint Location condition
Form Recognition
Detect using Form Recognition profile: Configuring the Form Recognition exception rule
Group (identity)
Sender/User Matches Pattern: Configuring the Sender/User Matches Pattern condition
Recipient Matches Pattern: Configuring the Recipient Matches Pattern condition
Sender/User based on a Directory Server Group: Configuring the Sender/User based on a Directory Server Group condition
Recipient based on a Directory Server Group: Configuring the Recipient based on a Directory Server Group condition
Sender/User based on a Directory from an EDM Profile: Configuring the Sender/User based on a Profiled Directory condition
Recipient based on a Directory from an EDM Profile: Configuring the Recipient based on a Profiled Directory condition
Step 1 | Modify or configure an existing policy rule or exception. | You can add one or more additional match conditions to a rule or exception at the Configure Policy – Edit Rule or Configure Policy – Edit Exception screen.
Step 2 | Select an additional match condition. | Select the additional match condition from the Also Match list. This list appears at the bottom of the Conditions section for an existing rule or exception.
Step 3 | Review the available conditions. | The system lists all available additional conditions you can add to a policy rule or exception.
Adding a Rule to a Policy
Adding an Exception to a Policy
Step 4 | Add the additional condition. | Click Add to add the additional match condition to the policy rule or exception. Once added, you can collapse and expand each condition in a rule or exception.
Step 5 | Configure the additional condition. | Configuring Policy Rules
Configuring policy exceptions
Step 6 | Select the same or any component to match. | If the condition supports component matching, specify where the data must match to generate or except an incident.
Same Component: The matched data must exist in the same component as the other condition(s) that also support component matching to trigger a match.
Any Component: The matched data can exist in any component that you have selected.
About cross-component matching
Step 6 | Repeat this process to add additional match conditions to the rule or exception. | You can add as many conditions to a rule or exception as you need. All conditions in a single rule or exception must match to trigger an incident, or to trigger the exception.
Step 7 | Save the policy. | Click OK to close the rule or exception configuration screen. Click Save to save the policy configuration.
Use compound conditions to improve match accuracy
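The per-component counting described in the Note above (a match count is met only inside a single message component, the subject is counted twice when both Subject and Envelope are selected, and unique counting counts each keyword once) and the Same Component versus Any Component choice for compound conditions can be modelled in a few lines. This is an added illustration, not Symantec code; the Message class, keyword lists and sample messages are constructed, and the product's real message parsing is not shown in the help text.

```python
"""Model of Symantec DLP keyword match counting per message component.

Added illustration, not Symantec code: the Message class, the keyword lists
and the messages below are constructed.
"""
import re
from dataclasses import dataclass, field

ALL_COMPONENTS = ("envelope", "subject", "body", "attachments")


@dataclass
class Message:
    """Constructed SMTP-style message. The envelope is the header block, so
    the subject line appears in both the envelope and the subject component,
    which is why selecting both in Match On counts a subject hit twice."""
    subject: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""
    attachments: list = field(default_factory=list)

    def envelope(self) -> str:
        lines = [f"{k}: {v}" for k, v in self.headers.items()]
        lines.append(f"Subject: {self.subject}")
        return "\n".join(lines)


def keyword_hits(text: str, keywords, unique: bool = False) -> int:
    """Count keyword hits in one piece of text.
    unique=False: 'count all matches', every occurrence counts.
    unique=True:  'only count unique matches', each distinct keyword counts
    once however often it appears."""
    total = 0
    for kw in keywords:
        n = len(re.findall(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE))
        total += min(n, 1) if unique else n
    return total


def component_counts(msg: Message, keywords, match_on=ALL_COMPONENTS,
                     unique: bool = False) -> dict:
    """Hit count for each component selected in Match On. Each attachment is
    its own component; counts are never pooled across components."""
    counts = {}
    if "envelope" in match_on:
        counts["envelope"] = keyword_hits(msg.envelope(), keywords, unique)
    if "subject" in match_on:
        counts["subject"] = keyword_hits(msg.subject, keywords, unique)
    if "body" in match_on:
        counts["body"] = keyword_hits(msg.body, keywords, unique)
    if "attachments" in match_on:
        for i, content in enumerate(msg.attachments):
            counts[f"attachment[{i}]"] = keyword_hits(content, keywords, unique)
    return counts


def rule_matches(msg: Message, keywords, match_count: int,
                 match_on=ALL_COMPONENTS, unique: bool = False) -> bool:
    """A single keyword condition with match count N fires only when one
    selected component on its own holds at least N hits."""
    counts = component_counts(msg, keywords, match_on, unique)
    return any(n >= match_count for n in counts.values())


def compound_matches(msg: Message, conditions, same_component: bool,
                     match_on=ALL_COMPONENTS) -> bool:
    """Several keyword conditions joined with Also Match; all must be met.
    conditions: non-empty list of (keywords, match_count, unique) tuples.
    same_component=True  -> Same Component: one component satisfies every
                            condition.
    same_component=False -> Any Component: each condition may be satisfied
                            in a different selected component."""
    satisfied = []
    for keywords, match_count, unique in conditions:
        counts = component_counts(msg, keywords, match_on, unique)
        satisfied.append({c: n >= match_count for c, n in counts.items()})
    if same_component:
        return any(all(s[c] for s in satisfied) for c in satisfied[0])
    return all(any(s.values()) for s in satisfied)


if __name__ == "__main__":
    kw = ["project falcon"]  # constructed keyword
    # The help text's case: two hits in the body, one in the envelope,
    # match count 3. No single component reaches 3, so no incident.
    m = Message(headers={"X-Tag": "project falcon"},
                body="project falcon draft ... project falcon")
    print(component_counts(m, kw))  # {'envelope': 1, 'subject': 0, 'body': 2}
    print(rule_matches(m, kw, 3))   # False
    # Three hits inside one attachment: incident.
    m2 = Message(attachments=["project falcon " * 3])
    print(rule_matches(m2, kw, 3))  # True
```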
Action Description
Sort policies: Click any column header to sort the policy list.
Filter policies: You can filter your policy list by Status, Name, Description, or Policy Group. To filter your policy list, click Filter in the policy list toolbar, then select or enter your filter criteria in the appropriate column or columns. To remove filters from your policy list, click Clear in the policy list toolbar.
Remove a policy: Select the policy or policies you want to remove, then click Delete in the policy list toolbar. You can also click the red X icon at the end of the policy row to delete an individual policy. Note: You cannot remove a policy that has active incidents.
Removing policies and policy groups
Import and export policies: You can import and export policies using the Import and Export buttons in the policy list toolbar.
Importing policies
Exporting policies
Export and import policy templates: You can export and import policy templates for reuse when authoring new policies.
Importing policy templates
Exporting policy detection as a template
Download policy details: Click Download Details in the policy list toolbar to download details for the selected policies in the Policy List. Symantec Data Loss Prevention exports the policy details as HTML files in a ZIP archive. Open the archive to view and print policy details.
Downloading policy details
View and print policy details: To view policy details for a single policy, click the printer icon at the end of the policy row. To print the policy details, use the print feature of your web browser.
Viewing and printing policy details
Clone a policy: Select the policy or policies you want to clone, then click Clone in the policy list toolbar.
Cloning policies
Assign policies to a policy group: You can assign individual or multiple policies to a policy group from the policy list page. Select the policy or policies you want to assign to a policy group, then click Assign Group in the policy list toolbar. Select the policy group from the drop-down list.
Policy groups
Policy List screen display fields lists and describes the display fields at the Policy List screen.
Column Description
Status: The status column displays one of three states for the policy:
• Misconfigured Policy: The policy icon is a yellow caution sign.
Policy components
• Active Policy: The policy icon is green. An active policy can detect incidents.
• Suspended Policy: The policy icon is red. A suspended policy is deployed but does not detect incidents.
Name: View and sort by the name of the policy.
About Data Loss Prevention policies
Description: View the description of the policy.
Policy templates
Policy Group: View and sort by the policy group to which the policy is deployed.
Policy groups
Last Modified: View and sort by the date the policy was last updated.
Policy authoring privileges
Manage and add policy groups
The System > Servers and Detectors > Policy Groups screen lists the configured policy groups in the system.
From the Policy Groups screen you manage existing policy groups and add new ones.
3. Enter a Description of the policy group, or modify the existing description of an existing policy group.
4. Select one or more Servers and Detectors to assign the policy group to.
The system displays a check box for each detection server currently configured and registered with the Enforce
Server.
• Select the All Servers or Detectors option to assign the policy group to all detection servers and cloud detectors
in your system. If you leave this checkbox unselected, you can assign the policy group to individual servers.
The All Discover Servers entry is not configurable because the system automatically assigns all policy groups to
all Network Discover Servers. This feature lets you assign policy groups to individual Discover targets.
• Deselect the All Servers or Detectors option to assign the policy group to individual detection servers.
The system displays a check box for each server currently configured and registered with the Enforce Server.
Select each individual detection server to assign the policy group.
5. Click Save to save the policy group configuration.
NOTE
The Policies in this Group section of the Policy Groups screen lists all the policies in the policy group. You
cannot edit these entries. When you create a new policy group, this section is blank. After you deploy one or
more policies to a policy group (during policy configuration), the Policies in this Group section displays each
policy in the policy group.
Configuring policies
Policy deployment
Importing policies
You can export policies from an Enforce Server and import them to another Enforce Server. This feature makes it easier
to move policies from one environment to another. For example, you can export policies from your test environment and
import them into your production environment.
the imported policy will be assigned to a newly created policy group on the target system, and will not overwrite the
existing policy.
• When you import a policy, you can choose whether or not to import its response rules if those rules conflict with
existing response rules on the target system.
• The Policy Import Preview page will display warnings about any policy elements that will be created or overwritten
when you import the policy.
• You can only import one policy at a time.
To import a policy
1. Navigate to Manage > Policies > Policy List.
2. Click Import.
The Import Policy page appears.
3. Click Browse to select the exported policy file you want to import.
4. Click Import Policy.
The Policy import preview page appears. This page will warn you of any policy elements that may be overwritten
when you import this policy. If the policy you are importing includes any response rules among the elements that may
be overwritten, you can exclude those response rules from import on this page.
5. Click Proceed with import.
The policy is imported. If the policy has any unresolved references, the Policy References Check page appears.
You can resolve any unresolved policy references on this page.
About policy references
Unresolved Policy Reference: Resolution
Policy group where no detection server is specified: Select detection servers for the policy group.
Directory connection with missing credentials: Provide the credentials for the directory connection.
EDM profile with missing source file and index: Specify the correct data source file.
IDM profile with missing import path and file name: Specify the correct data source.
Remote IDM profile with missing credentials: Provide the credentials for the remote IDM profile.
VML profile with trained profile and related data missing: Provide the trained profile and its related data, train and accept the VML profile.
Form Recognition profile with missing gallery ZIP archive: Provide the gallery ZIP archive.
Endpoint quarantine response rule with missing saved credentials: Provide the credentials for the endpoint quarantine response rule.
Exporting policies
You can export your policy data to an XML file to easily share policies between Enforce Servers.
Cloning policies
You can clone policies from the Policy List page.
Cloned policies are exact copies of the original policy. They include the following items:
• Modified policy name, description, and policy group. Cloned policies appear in the Policy List as Copy N of original policy name.
• Policy rules, including Form Recognition, EDM, IDM, and VML definitions
• Endpoint locations and devices
• Sender and recipient patterns
• Response rules
• Data identifiers
• Custom protocols
NOTE
You must have policy authoring privileges to clone policies.
For information about importing and exporting policies and policy templates, see these topics:
Exporting policies
Importing policies
Exporting policy detection as a template
Importing policy templates
1. Log on to the Enforce Server administration console with administrator privileges.
2. Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to export.
3. At the bottom of the Configure Policy screen, click the Export this policy as a template link.
4. Save the policy to a local or network destination of your choice.
For example, the system exports a policy named Webmail to the policy template file Webmail.xml which you can
save to your local drive.
NOTE
Smart response rules are executed manually and are not deployed with policies.
To add an automated response rule to a policy
1. Log on to the Enforce Server administration console with policy authoring privileges.
Policy authoring privileges
2. Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to add a
response rule to.
3. Select the response rule you want to add from those available in the drop-down menu.
Policies and response rules are configured separately. To add a response rule to a policy, the response rule must first
be defined and saved independently.
4. Click Add Response Rule to add the response rule to the policy.
5. Repeat the process to add additional response rules to the policy.
6. Save the policy when you are done adding response rules.
7. Verify that the policy status is green after adding the response rule to the policy.
Manage and add policies
NOTE
If the policy status is a yellow caution sign, the policy is misconfigured. The system does not support certain
pairings of detection rules and automated response rule actions.
Table 410: Guidelines for removing policies and policy groups
Remove a policy | If you attempt to delete a policy that has associated incidents, the system does not let you remove the policy. | If you want to delete a policy, you must first delete all incidents that are associated with that policy from the Enforce Server.
Manage and add policies
An alternative is to create an undeployed policy group (one that is not assigned to any detection servers). This method is useful to maintain legacy policies and incidents for review without keeping these policies in a deployed policy group.
Policy template import and export
Remove a policy group | If you attempt to delete a policy group that contains one or more policies, the system displays an error message, and the policy group is not deleted. | Before you delete a policy group, remove any policies from that group by either deleting them or assigning them to different policy groups.
Manage and add policy groups
If you want to remove a policy group, create a maintenance policy group and move the policies you want to remove to the maintenance group.
Creating and modifying policy groups
1. Navigate to Manage > Policies > Policy List, select the policy or policies you want, then click Download Details.
2. In the Open File dialog box, select Save File, then click OK.
3. To view details for a policy, extract the files from the ZIP archive, then open the file you want to view. Use the index file
to search through the downloaded policies by policy name, description, status, policy group, or last modified date.
The Policy Snapshot screen appears.
4. To print the policy details, use the Print command in your web browser from the Policy Snapshot screen.
Troubleshooting policies
Log files for troubleshooting policies lists log files to consult for troubleshooting policies.
SymantecDLPDetectionServer.log: Logs when policies and profiles are sent from the Enforce Server to detection servers and endpoint servers. Displays JRE errors.
detection_operational.log, detection_operational_trace.log: Log the loading of policies and detection execution.
FileReader.log: Logs when an index file is loaded into memory. For EDM, look for the line "loaded database profile." For IDM, look for the line "loaded document profile."
Indexer.log: Logs the operations of the Indexer process to generate EDM and IDM indexes.
Table 412: Reindexing requirements for EDM and IDM data profiles
Exact Data Matching (EDM) (Multi-token matching; Proportional proximity range) | If you have existing Exact Data profiles supporting EDM policies and you want to use new EDM features, before upgrading the detection server(s) you must:
• Reindex each structured data source using the latest EDM indexer, and
• Load each index into a newly-generated Exact Data profile.
Updating EDM indexes to the latest version
Indexed Document Matching (IDM) (Exact match IDM on the endpoint (Agent IDM)) | If you have existing Indexed Document profiles supporting IDM policies and you want to use Agent IDM, after upgrading you must:
• Disable two-tier detection on the Endpoint Server, and
• Reindex each document data source so that the endpoint index is generated and deployed to the Endpoint Server for download by the DLP Agent.
Table 413: Policy templates updated in Data Loss Prevention version 12.5
Updated template | Updated component(s) | Policy description
General Data Protection Regulations (Banking and Finance) | Data identifiers; Keyword lists | This policy protects personal identifiable information related to banking and finance.
General Data Protection Regulation (Banking and Finance)
General Data Protection Regulation (Digital Identity) | Data identifiers; Keyword lists | This policy protects personal identifiable information related to digital identity.
General Data Protection Regulation (Digital Identity)
General Data Protection Regulation (Government Identification) | Data identifiers; Keyword lists | This policy protects personal identifiable information related to government identification.
General Data Protection Regulation (Government Identification)
General Data Protection Regulation (Healthcare and Insurance) | Data identifiers; Keyword lists | This policy protects personal identifiable information related to healthcare and insurance.
General Data Protection Regulation (Healthcare and Insurance)
General Data Protection Regulation (Personal Profile) | Data identifiers; Keyword lists | This policy protects personal identifiable information related to personal profile data.
General Data Protection Regulation (Personal Profile)
General Data Protection Regulation (Travel) | Data identifiers; Keyword lists | This policy protects personal identifiable information related to travel.
General Data Protection Regulation (Travel)
Using the graphical user interface method to install does not generate log information. To generate log information, run the
installation using the following command:
C:\msiexec /i Indexers.msi /L*v c:\indexers_install.log
You can complete the installation silently from the command line. Enter values with information specific to your installation
for the following:
The following is an example of what the completed command might look like:
msiexec /i Indexers.msi /qn /norestart /L*v Indexers.log
FIPS_OPTION=Disabled
INSTALLATION_DIRECTORY="C:\Program Files\Symantec\DataLossPrevention"
DATA_DIRECTORY="C:\ProgramData\Symantec\DataLossPrevention\Indexer\"
7. In the JRE Directory panel, accept the default JRE location (or click Browse to locate it), and click Next.
8. In the FIPS Cryptography Mode panel, select whether to disable or enable FIPS encryption.
9. Click Next.
10. Click Install.
6. Run the following command to install all RPM files in the folder:
rpm -ivh *.rpm
The following is an example of what the completed command might look like:
./IndexersConfigurationUtility -silent
-jreDirectory=/opt/Symantec/DataLossPrevention/Server\ JRE/1.8.0_202/
-fipsOption=Disabled
Best practice (each is described in the topic of the same name):
Develop a policy strategy that supports your data security objectives.
Use a limited number of policies to get started.
Use policy templates but modify them to meet your requirements.
Use policy groups to manage the policy lifecycle. (Topic: Use policy groups to manage policy lifecycle)
Use the appropriate match condition for your data loss prevention objectives.
Test and tune policies to improve match accuracy.
Start with high match thresholds to reduce false positives.
Use a limited number of exceptions to narrow detection scope.
Use compound rules to improve match accuracy. (Topic: Use compound conditions to improve match accuracy)
Author policies to limit the potential effect of two-tier detection.
Follow detection-specific best practices.
Approach Description
Information-driven: With this approach you start by identifying specific data items and data combinations you want to protect. Examples of such data may include fields profiled from a database, a list of keywords, a set of users, or a combination of these elements. You then group similar data items together and create policies to identify and protect them. This approach works best when you have limited access to the data or no particular concerns about a given regulation.
Regulation-driven: With this approach you begin with a policy template based on the regulations with which you must comply. Examples of such templates may include HIPAA or FACTA. Also, begin with a large set of data (such as customer or employee data). Use the high-level requirements stipulated by the regulations as the basis for this approach. Then, decide what sensitive data items and documents in your enterprise meet these requirements. These data items become the conditions for the detection rules and exceptions in your policies.
You should use the system-provided policy templates as starting points for your policies. Doing so will save time and
help you avoid errors and information gaps in your policies since the detection methods are predefined. However, for
most situations you will want to modify the policy template and tailor it for your specific environment. Deploying a policy
template out-of-the-box without configuring it for your environment is not recommended.
Creating a policy from a template
Use the appropriate match condition for your data loss prevention
objectives
To prevent data loss, it is necessary to accurately detect all types of confidential data wherever that data is stored, copied,
or transmitted. To meet your data security objectives, you need to implement the appropriate detection methods for the
type of data you want to protect. The recommendation is to determine the detection methods that work best for you, and
tune the policies as necessary based on the results of your detection testing.
Match conditions compared describes the primary use case for each type of policy match condition provided by Data Loss
Prevention.
Personally Identifiable Information (PII), such as SSNs, CCNs, and Driver's License numbers: EDM (Exact profiled data); Data Identifiers (Described, validated data patterns)
Confidential documents, such as Microsoft Word, PowerPoint, PDF, etc.: IDM (Exact file contents; Partial file contents (derivative)); VML (Similar file contents)
Confidential files and images, such as CAD drawings: IDM (Exact file); File Properties (File context: type, name, size)
Words and phrases, such as "Confidential" or "Proprietary": Keywords (Exact words, phrases, proximity)
Characters, strings, text: Regular Expressions (Described text)
Network and endpoint communications: Protocol and Endpoint (Protocols, destinations, monitoring)
Determined by the identity of the user, sender, recipient: Synchronized DGM (Exact identity from LDAP server); Profiled DGM (Exact profiled identity); Sender/user, recipient (Described identity patterns)
Describes a document, such as author, title, date, etc.: Content-based conditions (File type metadata)
make the detection rule(s) more specific by fine-tuning the existing match conditions, adding additional match conditions,
and creating policy exceptions. If the policy does not detect some incidents, make the detection condition(s) less specific.
As your policies mature, it is important to continuously test and tune them to ensure ongoing accuracy.
Follow detection-specific best practices
False positives | Policy rules too general or broad | False positives create high costs in time and resources that are required to investigate and resolve apparent incidents that are not actual incidents. Since many organizations do not have the capacity to manage excess false positives, it is important that your policies define contextual rules to improve accuracy.
For example, a policy is designed to protect customer names and generates an incident for anything that contains a first and last name. Since most messages contain a name, in many cases both first and last names, this policy is too broad and general. Although it may catch all instances of customer names being sent outside the network, this policy will return too many false positives by detecting email messages that do not divulge protected information. First and last names require a much greater understanding of context to determine if the data is confidential.
False negatives | Policy rules too tight or narrow | False negatives obscure gaps in security by allowing data loss, the potential for financial losses, legal exposure, and damage to the reputation of an organization. False negatives are especially dangerous because you do not know you have lost sensitive data.
For example, a policy that contains a keyword match on the word "confidential" but also contains a condition that excludes all Microsoft Word documents would be too narrow and be subject to false negatives because it would likely miss detecting many actual incidents contained in such documents.
exception. There is no support for match-level exceptions. Once the message or message component is discarded by
meeting an exception, the data is no longer available for policy evaluation.
Exception conditions
Use compound rules to improve match accuracy
Exact Data Matching (EDM)
For EDM policies, consider including Data Identifier rules OR'd with EDM rules. For example, for a policy that uses an EDM condition to match social security numbers, you could add a second rule that uses the SSN Data Identifier condition. The Data Identifier does not require two-tier detection and is evaluated locally by the DLP Agent. If the DLP Agent is not connected to the Endpoint Server when the DLP Agent receives the data, the DLP Agent can still perform SSN pattern matching based on the Data Identifier condition.
Combine Data Identifiers with EDM rules to limit the impact of two-tier detection
For example policy configurations, see the policy templates: each template that provides EDM conditions also provides corresponding Data Identifier conditions.
Choosing an Exact Data Profile

Indexed Document Matching (IDM)
For IDM policies that match file contents, consider using VML rules OR'd with IDM rules. VML rules do not require two-tier detection and are executed locally by the DLP Agent. If you do not need to match file contents exactly, you may want to use VML instead of IDM.
Use the appropriate match condition for your data loss prevention objectives
If you are only concerned with file matching, not file contents, consider using compound file property rules instead of IDM. File property rules do not require two-tier detection.
Use compound file property rules to protect design and multimedia files

Directory Group Matching (DGM)
For the synchronized DGM Recipient condition, consider including a Recipient Matches Pattern condition OR'd with the DGM condition. The pattern condition does not require two-tier detection and is evaluated locally by the DLP Agent.
About two-tier detection for synchronized DGM
Structured Data Identifiers are a powerful and convenient method of detecting private or proprietary personally identifiable
information (PII), and other identity information, in tabular documents. Data structured in the form of tables that is
embedded in an otherwise unstructured document can be detected. With this new feature, you don't have to go through
the iterative process of tuning your policies to catch PII, financial information, and healthcare data. Structured data
matching also reduces false positives for such data.
Using Structured Data Identifiers helps you to meet compliance regulations for protecting personally identifiable
information, healthcare data, and sensitive financial information. SDI detection helps you to comply with standards such
as GDPR, HIPAA, PCI, and so on.
You can create detection rules using Structured Data Identifiers. You can also specify a combination of structured
identifiers and other conditions to create rules. You can specify a narrow, wide, or medium breadth for each structured
identifier in the rule.
Incidents that are created with the SDI rules are listed in incident reports. Columns with data matches are highlighted.
• Structured Data Identifiers Requirements and Options
• Creating a Content Matches Structured Data Identifier Rule
• Advanced Configuration Settings for Structured Data Matching
Structured Data Identifiers Requirements and Options
Use Symantec Data Loss Prevention Structured Data Identifiers (SDIs) to detect personally identifiable information (PII),
healthcare information, and financial information.
NOTE
Some terms that are used with SDIs are specific to Structured Data Matching (SDM) detection. For example, the
breadth setting in an SDI rule is a threshold for detection. The SDI breadth determines how much of the table
must contain matching data to generate an incident. Matches in an SDI incident represent the number of rows in
a table that contain data that matches the SDI.
Symantec Data Loss Prevention provides four structured data identifiers for detecting personally identifiable and other
information. You can select Structured Data Identifiers to detect the following information.
Document Types Supported for SDI Detection
SDI supports popular document types and structured data (in a tabular format) in text formatted email bodies. Limited
support is available for email bodies. Currently, we support email bodies in text format.
NOTE
SDI is not supported on the endpoint channel.
Document types include:
• Excel (.xlsx)
• Comma-Separated Values (.csv)
• PDF (.pdf)
Other document types such as legacy Office (.doc and .xls) are not fully supported because of the way that they handle
tables.
Table Layouts Supported for SDI Detection
The following figures show two examples of supported table layouts. An example of another layout that is partially
supported is included.
Figure 17: Supported: Multiple tables laid out one after another in the same document
Multiple tables with symmetric rows are also supported.
Figure 18: Supported: Tables with interspersed text
Viewing SDI Matches in Incident Reports
In SDI incident reports, all columns that contain an SDI match are highlighted. In the following figure, you can see that the
columns containing SDI matches are highlighted. One column to the right and one column to the left of the highlighted
matching columns are provided for context.
The match count that is displayed is the number of total rows present in the table where SDI matches are found. Unlike in
other rules, match count is not the total number of keyword matches or data identifier matches detected on the table.
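The row-based match count described above is easy to get wrong when comparing SDI incidents with keyword or data identifier incidents. The following Python is an added illustration, not code from the Help Center or from Symantec: it scans a constructed table, highlights every column in which some cell matches a detector, reports the number of matching rows (the SDI count) next to the number of matching cells (what a per-match rule would count), and adds the one-column-either-side context the report shows. The detector patterns, the sample table and the breadth thresholds (0.25, 0.50 and 0.75 of rows) are assumptions for this example; the product's actual thresholds are not stated on this page.

```python
import re
from typing import Callable, Dict, List

# Illustrative breadth thresholds (an assumption for this example, not the
# product's values): the fraction of table rows that must contain a match.
BREADTH_THRESHOLDS = {"wide": 0.25, "medium": 0.50, "narrow": 0.75}


def _regex(pattern: str) -> Callable[[str], bool]:
    compiled = re.compile(pattern)
    return lambda value: compiled.fullmatch(value) is not None


# Column-value detectors (assumed simple patterns; the product's identifiers are richer).
DETECTORS: Dict[str, Callable[[str], bool]] = {
    "us_ssn": _regex(r"(?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}"),
    "phone": _regex(r"\d{3}-\d{4}"),
}

# Constructed sample table (not from the page): header row first.
SAMPLE_TABLE = [
    ["Name", "SSN", "Phone", "Dept"],
    ["Ann Lee", "123-45-6789", "555-0100", "Finance"],
    ["Bob Ray", "456-78-9012", "555-0101", "Legal"],
    ["Cy Ode", "n/a", "555-0102", "Ops"],
    ["Di Fox", "111-22-3333", "n/a", "HR"],
    ["Ed Gum", "n/a", "n/a", "IT"],
]


def analyze_table(rows: List[List[str]], detectors=DETECTORS) -> dict:
    """Count SDI-style: highlighted columns and matching rows, plus the cell
    count a keyword or data identifier rule would report, for contrast."""
    header, body = rows[0], rows[1:]
    matched_cols, cell_hits, matching_rows = set(), 0, 0
    for row in body:
        row_hit = False
        for col, cell in enumerate(row):
            if any(det(cell.strip()) for det in detectors.values()):
                matched_cols.add(col)
                cell_hits += 1
                row_hit = True
        matching_rows += row_hit
    # One column either side of a highlighted column is shown for context.
    context_cols = {c + d for c in matched_cols for d in (-1, 1)} - matched_cols
    return {
        "highlighted_columns": [header[c] for c in sorted(matched_cols)],
        "context_columns": [header[c] for c in sorted(context_cols) if 0 <= c < len(header)],
        "sdi_match_count": matching_rows,   # rows, as an SDI incident reports it
        "cell_match_count": cell_hits,      # what a per-match rule would report
        "row_fraction": matching_rows / len(body) if body else 0.0,
    }


def breadth_fires(result: dict, breadth: str) -> bool:
    """Would an SDI rule with the given breadth generate an incident?"""
    return result["row_fraction"] >= BREADTH_THRESHOLDS[breadth]


if __name__ == "__main__":
    report = analyze_table(SAMPLE_TABLE)
    print(report)
    for breadth in BREADTH_THRESHOLDS:
        print(breadth, "->", breadth_fires(report, breadth))
```

On the sample, four of the five data rows contain a match while six cells do, which is the gap between an SDI incident's match count and a keyword rule's match count on the same table.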
Figure 20: Viewing SDI Matches in the Enforce Server administration console
Creating a Content Matches Structured Data Identifier Rule
Adding a Content Matches Structured Data Identifier detection rule in the Enforce Server administration console.
You can add a detection rule that automatically detects structured data at the Manage > Policies > Policy List >
Configure Policy page. Click the radio button for the new Content Matches Structured Data Identifier rule.
NOTE
The Content Matches Structured Data Identifier detection rule can currently only be used on DLP servers. SDM
rules are not supported on Endpoints.
Follow this step-by-step procedure for creating an SDI rule for an existing policy on the Add Detection Rule page.
1. Go to Manage > Policies > Policy List.
2. Choose a policy. The Configure Policy screen appears.
3. Scroll down to the Detection tab.
4. Click Add Rule.
5. Select Content Matches Structured Data Identifier in the Rule Type - Content area.
6. Go to the Choose Structured Data Identifier dropdown menu.
7. Choose one of the following options:
– Healthcare Information
– Financial Information
– PII
– Likely PII
– US Social Security Number
– Japan PII
8. Click Next.
9. Add a Rule Name.
10. Set the Severity (High, Medium, Low).
11. Set Conditions.
– Choose a Match Threshold Breadth:
a. Wide
b. Medium
c. Narrow
– Choose what to Match On. SDIs only match on tabular data, so you can only choose Body or Attachments.
Envelopes and Subject do not contain tabular data.
12. Click OK.
See Advanced Configuration Settings for Structured Data Matching.
Setting Name: StructuredDataIdentifier.MaxViolations
Default Value: 10
Type of Setting: Advanced setting
Purpose: Sets the maximum number of violations for an SDI in a component.
Introducing Exact Match Data Identifiers (EMDI)
Exact Match Data Identifier (EMDI) detection is a powerful exact matching detection technology that enables you to detect
structured data, especially personally-identifiable information (PII), with a high degree of accuracy. You can use EMDI to
exactly match indexed records across all Data Loss Prevention channels. Fast performing and secure, EMDI can help
you reduce false positives when compared to data identifiers and regular expressions. EMDI provides better matching
performance and greater memory efficiency than Exact Data Matching (EDM).
Before you proceed with EMDI, it's important for you to have a good understanding of data identifiers and how they are
used in Symantec Data Loss Prevention.
About using EMDI to protect content
before and after the data identifier match. A proximity window of 50 tokens before and 50 tokens after the data identifier
match is the default value and maximum value. This value is configurable; you can change it from 1 to 50.
Policy matching requirements and features of EMDI include the following:
• You must specify one required column that can be matched by a highly discriminating data identifier. This column is
referred to as the "key column."
• The key column must be highly variable (with few repeating values).
• A minimum of two columns is required for a match: a required "key" column and an optional column.
• For highly variable data (with few repeated values in the index) the EMDI algorithm generates fewer than one false
positive per 1000 data identifier matches. Common repeated values in key or non-key columns may result in higher
rates of false positives.
• The number of rows per index is limited to 4 million.
• The system provides match highlighting at the incident snapshot screen. Tokens from matching rows are highlighted,
not only the matching data identifier value.
• EMDI supports single-token and multi-token cell indexing and matching. A multi-token is a cell that contains two or
more words. Since a single CJK (Chinese, Japanese, Korean) character is regarded as a token, two or more CJK
characters are treated as a multi-token.
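The proximity window, the key-column lookup and the multi-token cell rule above can be shown with a small simulation. The Python below is an added example, not Symantec's matching engine: it indexes a constructed three-column data source keyed on SSN, runs a flexible SSN data identifier over a constructed message, looks the normalized value up in the index, and then checks whether optional column values (including the two-token city name) occur within N tokens before or after the match. A data identifier hit whose value is not in the index produces no EMDI match, which is where the false-positive reduction comes from. The tokenizer, the SSN pattern, the index rows and the message are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed EMDI-style index (an assumption, not a real profile): "SSN" is the
# required key column; "LastName" and "City" are optional columns.
INDEX_ROWS = [
    {"SSN": "123-45-6789", "LastName": "Okafor", "City": "San Jose"},
    {"SSN": "456-78-9012", "LastName": "Lindqvist", "City": "New York"},
    {"SSN": "111-22-3333", "LastName": "Okafor", "City": "Austin"},
]
KEY_COLUMN = "SSN"
OPTIONAL_COLUMNS = ("LastName", "City")
MAX_PROXIMITY = 50  # tokens before and after the match: the default and the maximum

# Flexible SSN data identifier (assumed pattern): accepts the nonstandard
# separators mentioned on the page (123*45*6789, 123/45/6789, 123_45_6789) or none.
SSN_DI = re.compile(r"(?<![\w-])(\d{3})[-*/_ ]?(\d{2})[-*/_ ]?(\d{4})(?![\w-])")
TOKEN = re.compile(r"[A-Za-z0-9]+")

# Constructed inbound message with the SSN written using a nonstandard separator.
SAMPLE_MESSAGE = ("Re: onboarding. Please process Okafor, SSN 123*45*6789, "
                  "relocating from San Jose to Denver next month.")


def tokens(text: str) -> List[str]:
    """Lower-cased word tokens; a multi-word cell such as 'San Jose' becomes 2 tokens."""
    return [t.lower() for t in TOKEN.findall(text)]


def build_index(rows: List[dict]) -> Dict[str, List[dict]]:
    """Key the rows by the digits of the key column (separators are not indexed)."""
    index: Dict[str, List[dict]] = {}
    for row in rows:
        index.setdefault(re.sub(r"\D", "", row[KEY_COLUMN]), []).append(row)
    return index


def _contains_sequence(window: List[str], seq: List[str]) -> bool:
    """True if seq occurs contiguously inside window (multi-token cell match)."""
    n = len(seq)
    return n > 0 and any(window[i:i + n] == seq for i in range(len(window) - n + 1))


def emdi_matches(text: str, index: Dict[str, List[dict]],
                 proximity: int = MAX_PROXIMITY, min_optional: int = 1) -> List[dict]:
    """Return one hit per indexed row whose optional columns confirm the DI match."""
    proximity = max(1, min(proximity, MAX_PROXIMITY))   # configurable from 1 to 50
    spans = [(m.start(), m.end(), m.group(0).lower()) for m in TOKEN.finditer(text)]
    hits = []
    for m in SSN_DI.finditer(text):
        key = "".join(m.groups())
        if key not in index:
            continue   # the DI pattern fired but the value is not indexed: no EMDI hit
        before = [t for s, e, t in spans if e <= m.start()][-proximity:]
        after = [t for s, e, t in spans if s >= m.end()][:proximity]
        window = before + after
        for row in index[key]:
            matched = [c for c in OPTIONAL_COLUMNS
                       if _contains_sequence(window, tokens(row[c]))]
            if len(matched) >= min_optional:
                hits.append({"key": key, "row": row, "optional_matched": matched})
    return hits


if __name__ == "__main__":
    for hit in emdi_matches(SAMPLE_MESSAGE, build_index(INDEX_ROWS)):
        print(hit["key"], "confirmed by", hit["optional_matched"])
```

Shrinking the proximity to two tokens on a message where the surname sits four tokens before the SSN drops the match, which is the trade-off the slider in the policy condition exposes: a narrower window cuts coincidental context at the cost of records whose fields are spread across a document.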
EMDI compared to EDM

EMDI: EMDI can support EDM detection scenarios that involve matching against two or more columns of a data source when at least one of those columns matches a data identifier. EMDI supports both system and custom data identifiers.
EDM: There is no requirement that EDM must match against a column that can be represented by a data identifier.

EMDI: EMDI scans an entire data source, within the stated limits.
EDM: By default, EDM scans only the first 30,000 tokens for inspected content, though this limit can be increased.

EMDI: EMDI performs matching locally on the DLP Agent, so there is no need to implement two-tier detection.
EDM: EDM is only available on the DLP Agent in two-tier detection mode.

EMDI: Available on all channels, including detection servers, appliances, the cloud, and DLP Agents (including disconnected DLP Agents).
EDM: EDM is available on detection servers, appliances, and the cloud. EDM is only available on the endpoint in two-tier detection mode.

EMDI: Supports blocking, user notification, and encryption on the DLP Agent.
EDM: EDM is only available on the DLP Agent in two-tier detection mode. When operating in two-tier detection mode, the DLP Agent does not support synchronous response actions such as blocking, user notification, or encryption.

EMDI: The memory footprint for EMDI is 1/5 of the memory footprint for EDM for the same indexed data source.
EDM: The EDM memory footprint is about 5 times the memory footprint for EMDI.

EMDI: EMDI supports up to 4 million rows x 32 columns per index, up to 128 million cells per index.
EDM: EDM supports hundreds of millions of rows x 32 columns, up to 6 billion cells per index.

EMDI: EMDI has a stringent security model that makes it suitable for profile deployment on the DLP Agent.
EDM: EDM profiles are never deployed on the DLP Agent.

EMDI: There is no natural language processing for Chinese, Japanese, and Korean for EMDI matching.
EDM: EDM supports natural language processing for Chinese, Japanese, and Korean.
You can use either EMDI or EDM for some exact matching cases that have at least two source columns and where one
column has values that can be expressed with a data identifier. The following recommendations detail when it is better to
use EMDI rather than EDM, and vice versa.
Use EMDI instead of EDM if:
• You already use data identifiers and you want to improve detection accuracy with exact matching.
• You need exact matching and detection-time enforcement on your DLP Agents, such as blocking, user notification, or
encryption.
• You have a need to be more flexible with the identifier detection. For example, you need to detect identifiers with
nonstandard separator characters (for example, match 123*456 or 123/456 or 123_456).
• You need to use exact matching in an exception.
Use EDM instead of EMDI if:
• You need to exclude specific combinations of columns from a match. For example, you need to match three of the
following four columns: Identification Number, Last Name, City, and Postal Code; but you need to exclude the Last
Name, City, and Postal Code combination.
• You need to use more discriminating policy features, such as data owner exception and the where clause.
• You need to protect against indexes with a large number of rows (greater than 4 million).
About the Exact Match Data Identifier profile and index
in the index folder on the Enforce Server are deployed to the index folder on the new detection server. You cannot
manually deploy index files to detection servers.
About the Exact Match Data Identifier source file
Non-configurable limits for EMDI: The same value can appear no more than five times in a key column in a given EMDI index. This is a separate limit from EMDI.MaxDuplicateCellsPercentage, which bounds the total amount of duplicate cells across the whole index rather than the repeats of any one key value.
Best practices for using EMDI
NOTE
The format for the data source file should be a text-based format using commas, semicolons, pipes, or tabs as delimiters. Avoid using a spreadsheet format for the data source file (such as XLS or XLSX), because spreadsheet programs may render long numbers (such as account numbers) in scientific notation, which alters the values you index.
About cleansing the Exact Match Data Identifier source file
Workflow for cleansing the data source file provides the steps you must take to cleanse the data source file for indexing.
1. Prepare the data source file for indexing.
Preparing the Exact Match Data Identifier source for indexing
2. Ensure that you have specified a key column that can be matched by a highly variable data identifier.
About EMDI and key columns
3. Ensure that the key column contains reasonably unique data.
4. Remove incomplete and duplicate records. Do not fill empty cells with fake data.
5. Remove improper characters.
Remove ambiguous character types from the EMDI data source file
6. Verify that the data source file is below the error threshold. The error threshold is the maximum percentage of rows that contain errors before indexing stops.
Preparing the Exact Match Data Identifier source for indexing
services, and agents. If you know that the data changes frequently, you need to generate a new data source file regularly
to keep up with the changes to the database. In this case, you can use index scheduling to automate the indexing of
the data source file so you do not have to return to the Enforce Server administration console and reindex the updated
data source. Your only task is to provide an updated and cleansed data source file to the Enforce Server for scheduled
indexing.
Configuring Exact Match Data Identifier profiles
1. Create the data source file. Export the source data from the database (or other data repository) to a tabular text file with delimited fields.
About the Exact Match Data Identifier source file
Creating the Exact Match Data Identifier source file
2. Prepare the data source file for indexing. Cleanse the data source file.
Cleanse the EMDI data source file of blank columns and duplicate rows
3. Upload the data source file to the Enforce Server. You can copy or upload the data source file to the Enforce Server, or access it remotely.
Uploading the Exact Match Data Identifier source files to the Enforce Server
4. Edit an existing data identifier or create a new custom data identifier to add EMDI as a validator.
Adding an EMDI check to a built-in or custom data identifier condition in a policy
5. Create an Exact Match Data Identifier profile. An Exact Match Data Identifier profile is required to use Exact Match Data Identifier matching. The Exact Match Data Identifier profile specifies the data source, data field types, and the indexing schedule.
Adding Exact Match Data Identifier Profiles
Creating and modifying the Exact Match Data Identifier profiles
6. Mark each column in the data source as Ignore, Optional, or Required. Use the slider to mark each index column (data source field) as Ignore, Optional, or Required. Each index must contain at least one required ("key") column that is mapped to a system data identifier or custom data identifier. It must also contain at least one optional column.
Adding Exact Match Data Identifier Profiles
Creating and modifying the Exact Match Data Identifier profiles
7. Enable the policy as an Exact Match Data Identifier check. After the policy is created, it must be enabled as an Exact Match Data Identifier Check for data identifier validation.
Adding an EMDI check to a built-in or custom data identifier condition in a policy
8. Index the data source, or schedule indexing. Schedule the indexing to keep the index in sync with the data source.
About EMDI index scheduling
Scheduling EMDI profile indexing
Creating the Exact Match Data Identifier source file
The first step in the EMDI indexing process is to create the data source. A data source is a tabular file containing data in a
standard delimited format, with data delimited by commas, semicolons, pipes, or tabs.
See Create the exact match data identifier source file for instructions.
Table 428: Create the exact match data identifier source file
Step Description
1 Export the data you want to protect from a database or other tabular data format, such as an Excel spreadsheet, to a
tabular text file. The data source file you create must be a tabular text file that contains rows of data from the original
source. Each row from the original source is included as a row in the data source file. Delimit columns using a tab,
a comma, a semi-colon, or a pipe. Pipe is preferred. Comma should not be used if your data source fields contain
numbers.
About the exact data source file
The data source file cannot exceed 32 columns or 4 million rows. If you plan to upload the data source file to the
Enforce Server, browser capacity limits the data source size to 2 GB. For file sizes larger than this size you can copy
the file to the Enforce Server using FTP/S, SCP, SFTP, CIFS, or NFS.
2 For all EMDI implementations, make sure that the data source contains at least one column of unique data
values (Required column) and one Optional column. Three or more columns (including one Required column) are
recommended.
3 Prepare the exact match data identifier source file for indexing.
Preparing the Exact Match Data Identifier source for indexing
See Preparing the Exact Match Data Identifier source for indexing for instructions.
Table 429: Examples of unique data for EMDI policies
The following data fields are often unique:
• Account number
• Bank Card number
• Phone number
• Social security number
• Tax ID number
• Drivers license number
• Employee number
• Insurance number
The following data fields are not unique:
• First name
• Last name
• City
• State
• ZIP Code
• Password
• PIN
When you index an EMDI profile, the Enforce Server keeps track of empty cells and any misplaced data which count as
errors. For example, an error may be a name that appears in a column for phone numbers. Errors can constitute a certain
percentage of the data in the profile (five percent, by default). If this default error threshold is met, Symantec Data Loss
Prevention stops indexing. It then displays an error to warn you that your data may be unorganized or corrupted.
To prepare the exact match data identifier source for EMDI indexing
1. Make sure that the data source file is formatted as follows:
• The data source must have at least two columns and at least one column that can be mapped to a data identifier.
One of the columns should contain unique values. For example, credit card numbers, driver’s license numbers, or
account numbers (as opposed to first and last names, which are generic).
Ensure data source has at least one column of unique data (EDM)
• Verify that you have delimited the data source using commas, pipes ( | ), tabs, or semicolons. If the data source file
uses commas as delimiters, remove any commas that do not serve as delimiters.
Do not use the comma delimiter if the data source has number fields (EDM)
• Verify that data values are not enclosed in quotes.
• Remove single-character and abbreviated data values from the data source. For example, remove the column
name and all values for a column in which the possible values are Y and N. You should also remove values such
as "CA" for California, or other abbreviations for states.
• Remove columns with frequently repeating values.
• Optionally, remove any columns that contain numeric values with fewer than five digits, as these can cause false
positives in production deployments.
Remove ambiguous character types from the data source file (EDM)
• A field delimiter should not appear in a field value.
• Eliminate duplicate records.
Cleanse the data source file of blank columns and duplicate rows (EDM)
2. Once you have prepared the exact match data identifier source file, proceed with the next step in the EMDI process:
upload the exact data source file to the Enforce Server for profiling the data you want to protect.
Uploading the Exact Match Data Identifier source files to the Enforce Server
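The preparation checklist above, the error-threshold rule (an empty cell, a wrongly typed cell or an extra cell makes a row an error, and indexing stops once errors pass 5% of rows) and the non-configurable limit of five repeats per key value can all be checked before the file ever reaches the Enforce Server. The Python below is an added example, not a Symantec tool: it parses a constructed pipe-delimited export, rejects quoted values and unsupported delimiters, enforces the 32-column and 4-million-row limits, classifies each row as the indexer would, drops exact duplicates, flags low-value columns (Y/N flags, short numerics, one dominant value), reports key values that repeat more than five times, and writes the cleansed file. The SSN validator and the sample rows are assumptions for this example.

```python
import re
from collections import Counter
from typing import Callable, Dict, List

MAX_COLUMNS = 32                # limits stated on the page
MAX_ROWS = 4_000_000
MAX_KEY_DUPLICATES = 5          # a key value may repeat at most 5 times per index
DEFAULT_ERROR_THRESHOLD = 0.05  # indexing stops once more than 5% of rows have errors
DELIMITERS = {"|", ",", ";", "\t"}

# Constructed sample export (not from the page), pipe-delimited, header first.
# Row 3 has a name in the SSN column, row 4 an empty cell, row 5 an extra field
# (a stray delimiter inside a value), row 6 duplicates row 2, and "Active" is the
# kind of Y/N column the checklist says to remove.
SAMPLE_SOURCE = """\
SSN|LastName|City|Active
123-45-6789|Okafor|San Jose|Y
456-78-9012|Lindqvist|New York|N
Okafor|Smith|Austin|Y
111-22-3333||Austin|N
222-33-4444|Ng|Denver|Y|extra
456-78-9012|Lindqvist|New York|N
333-44-5555|Diaz|Boston|Y
"""

# Per-column type validators (an assumption for this example): the key column
# must look like an SSN; other columns only need to be non-empty.
VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "SSN": lambda v: re.fullmatch(r"\d{3}-\d{2}-\d{4}", v) is not None,
}


class SourceFileError(Exception):
    """The file cannot be indexed at all (a format problem, not a row error)."""


def parse_rows(text: str, delimiter: str = "|") -> List[List[str]]:
    if delimiter not in DELIMITERS:
        raise SourceFileError("delimiter must be a pipe, comma, semicolon or tab")
    rows = [line.split(delimiter) for line in text.splitlines() if line.strip()]
    if not rows:
        raise SourceFileError("empty data source file")
    if any(c.startswith('"') and c.endswith('"') and len(c) > 1 for r in rows for c in r):
        raise SourceFileError("data values must not be enclosed in quotes")
    if len(rows[0]) > MAX_COLUMNS or len(rows) - 1 > MAX_ROWS:
        raise SourceFileError("source exceeds 32 columns or 4 million rows")
    return rows


def prepare_source(text: str, key_column: str, delimiter: str = "|",
                   threshold: float = DEFAULT_ERROR_THRESHOLD) -> dict:
    """Classify rows the way the indexer does and report what to fix before upload."""
    rows = parse_rows(text, delimiter)
    header, body = rows[0], rows[1:]
    if key_column not in header:
        raise SourceFileError(f"key column {key_column!r} not in header {header}")
    width, errors, seen, clean = len(header), 0, set(), []
    for row in body:
        cells = [c.strip() for c in row]
        # Error row: wrong cell count (extra delimiter), empty cell, or wrong data type.
        ok = len(cells) == width and all(cells) and all(
            VALIDATORS.get(name, lambda _: True)(val) for name, val in zip(header, cells))
        if not ok:
            errors += 1
        elif tuple(cells) not in seen:          # drop exact duplicate records
            seen.add(tuple(cells))
            clean.append(cells)
    error_rate = errors / len(body) if body else 0.0
    warnings = []
    for i, name in enumerate(header):
        values = [r[i] for r in clean]
        if not values:
            continue
        if all(len(v) <= 2 for v in values):
            warnings.append(f"{name}: single-character or abbreviated values; remove column")
        elif all(v.isdigit() and len(v) < 5 for v in values):
            warnings.append(f"{name}: numeric values shorter than 5 digits; consider removing")
        elif Counter(values).most_common(1)[0][1] > len(values) // 2:
            warnings.append(f"{name}: one value fills most of the column; consider removing")
    key_counts = Counter(r[header.index(key_column)] for r in clean)
    return {
        "header": header, "rows": len(body), "error_rows": errors,
        "error_rate": error_rate, "stops_indexing": error_rate > threshold,
        "clean_rows": clean, "warnings": warnings,
        "key_over_duplicate_limit": [k for k, n in key_counts.items() if n > MAX_KEY_DUPLICATES],
    }


def cleansed_text(report: dict, delimiter: str = "|", drop=()) -> str:
    """Emit the cleansed source with low-value columns removed, ready to upload."""
    keep = [i for i, n in enumerate(report["header"]) if n not in drop]
    lines = [delimiter.join(report["header"][i] for i in keep)]
    lines += [delimiter.join(r[i] for i in keep) for r in report["clean_rows"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rep = prepare_source(SAMPLE_SOURCE, key_column="SSN")
    print(f"{rep['error_rows']}/{rep['rows']} error rows; indexing stops: {rep['stops_indexing']}")
    print(*rep["warnings"], cleansed_text(rep, drop=("Active",)), sep="\n")
```

On the sample, three of seven rows are errors, so the default 5% threshold stops indexing; raising the threshold would let the file through, but the page's advice to cleanse rather than relax the threshold is the right call, since the errors here are symptoms of a bad export (a name in the key column, a delimiter inside a value) rather than noise.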
Uploading the Exact Match Data Identifier Source Files to the Enforce Server
After you have prepared the data source file for indexing, load it to the Enforce Server so the data source can be indexed.
Creating and modifying the Exact Match Data Identifier profiles
Listed here are the options you have for making the data source file available to the Enforce Server. Consult with your
database administrator to determine the best method for your needs.
Table 430: Uploading the exact match data identifier source file to the Enforce Server for indexing

Upload option: Upload Data Source to Server Now
Use case: Data source file is less than 50 MB.
Description: If you have a smaller data source file (less than 50 MB), upload the data source file to the Enforce Server using the Enforce Server administration console. When creating the Exact Match Data Identifier Profile, you can specify the file path or browse to the directory and upload the data source file.
Note: Due to browser capacity limits, the maximum file size that you can upload is 2 GB. However, uploading any file over 50 MB is not recommended, since files over this size can take a long time to upload. If your data source file is over 50 MB, consider copying the data source file to the datafiles directory using the next option.

Upload option: Reference Data Source on Manager Host
Use case: Data source file is over 50 MB.
Description: If you have a large data source file (over 50 MB), copy it to the datafiles directory on the host where the Enforce Server is installed.
On Windows this directory is located at C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles.
On Linux this directory is located at /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles.
This option is convenient because it makes the data file available through a drop-down list during configuration of the Exact Match Data Identifier Profile. If it is a large file, use a third-party solution (such as Secure FTP) to transfer the data source file to the Enforce Server.
Note: Ensure that the Enforce Server user (usually called "protect") has modify permissions (on Windows) or rw permissions (on Linux) for all files in the datafiles directory.

Upload option: Use This File Name
Use case: Data source file is not yet created.
Description: You may want to create an EMDI profile before you have created the exact match data identifier source file. In this case you can create a profile template and specify the name of the data source file you plan to create. This option lets you define EMDI policies using the EMDI profile template before you index the data source. The policies do not operate until the data source is indexed.
When you have created the data source file, place it in the \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles directory on Windows or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles on Linux, and index the data source immediately on save or schedule indexing.
Creating and modifying the Exact Match Data Identifier profiles

Upload option: Use This File Name and Load Externally Generated Index
Use case: Data source is to be indexed remotely and copied to the Enforce Server.
Description: In some environments it may not be secure or feasible to copy or upload the data source file to the Enforce Server. In this situation you can index the data source remotely using the Remote EMDI Indexer.
This utility lets you index an exact match data identifier source on a computer other than the Enforce Server host. This feature is useful when you do not want to copy the data source file to the same computer as the Enforce Server. As an example, consider a situation where the originating department wants to avoid the security risk of copying the data to an extra-departmental host. In this case you can use the Remote EMDI Indexer.
First you create an EMDI profile template where you choose the Use this File Name and the Number of Columns options. You must specify the name of the exact match data identifier source file and the number of columns it contains.
You then use the Remote EMDI Indexer to remotely index the data source, copy the index files to the Enforce Server host, and load the externally generated index. The Load Externally Generated Index option is only available after you have defined and saved the profile. Remote indexes are loaded on Windows from \ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\index and on Linux from /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index on the Enforce Server host.
Uploading the Exact Match Data Identifier source files to the Enforce Server
If you modify an existing Exact Match Data Identifier profile you can change the profile name.
6. Select one of the following Data Source options to make the data source file available to the Enforce Server:
• Upload Data Source to Server Now
If you want to create a new profile, click Browse and select the data source file, or enter the full path to the data
source file.
If you want to modify an existing profile, select Upload Now.
Uploading the Exact Match Data Identifier source files to the Enforce Server
• Reference Data Source on Manager Host
If you copied the data source file to the datafiles directory on the Enforce Server, it appears in the drop-down
list for selection.
Uploading the Exact Match Data Identifier source files to the Enforce Server
• Use This File Name
Select this option if you have not yet created the data source file but want to configure EMDI policies using a
placeholder EMDI profile. Enter the file name of the data source you plan to create, including the Number of
Columns it is to have. When you do create the data source, you must copy it to the datafiles directory.
NOTE
Use this option with caution. Be sure to remember to create the data source file and copy it to the
datafiles directory. Name the data source file exactly the same as the name you enter here and
include the exact number of columns you specify here.
• Load Externally Generated Index
Select this option if you have created an index on a remote computer using the Remote EMDI Indexer. This
option is only available after you have defined and saved the profile. Profiles are loaded on Windows from the
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\index directory
and on Linux from the /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/index
directory on the Enforce Server host.
7. If the first row of your data source contains Column Names, select Read first row as column names.
8. Specify the Error Threshold, which is the maximum percentage of rows that contain errors before indexing stops.
A data source error is either an empty cell, a cell with the wrong type of data, or extra cells in the data source. For
example, a name in a column for phone numbers is an error. If errors exceed a certain percentage of the overall data
source (by default, 5%), the system quits indexing and displays an indexing error message. The index is not created if
the data source has more invalid records than the error threshold value allows. Although you can change the threshold
value, more than a small percentage of errors in the data source can indicate that the data source is corrupt, is in an
incorrect format, or cannot be read. If you have a significant percentage of errors (10% or more), stop indexing and
cleanse the data source.
Preparing the Exact Match Data Identifier source for indexing
9. Select the Column Separator Char (delimiter) that you have used to separate the values in the data source file. The
delimiters you can use are tabs, commas, semicolons, or pipes.
10. Select one of the following encoding values for the content to analyze, which must match the encoding of your data
source:
• ISO-8859-1 (Latin-1) (default value)
Standard 8-bit encoding for Western European languages using the Latin alphabet.
• UTF-8
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
• UTF-16
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
NOTE
Make sure that you select the correct encoding. The system does not prevent you from creating an EMDI
profile using the wrong encoding. The system only reports an error at run-time when the EMDI policy
attempts to match inbound data. To make sure that you select the correct encoding, after you click Next,
verify that the column names appear correctly. If the column names do not look correct, you chose the wrong
encoding.
11. Click Next to go to the second Add Exact Match Data Identifier Profile screen.
Table 431: Scheduling indexing for Exact Match Data Identifier Profiles
Parameter Description
Submit Indexing Job Select this option to index the Exact Match Data Identifier profile.
on Save
Submit Indexing Job Select this option to schedule an indexing job. The default option is No Regular Schedule. If you want to index
on Schedule according to a schedule, select a desired schedule period, as described.
Index Once On – Enter the date to index the document profile in the format MM/DD/YY. You can also click the date widget
and select a date.
At – Select the hour to start indexing.
By Minute Every– Select the minute frequency to start indexing.
Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can
also click the date widget and select a date.
Adding an EMDI check to a built-in or custom data identifier condition in a policy
You can add an EMDI validation check to an existing data identifier, or you can create a custom data identifier that
includes an EMDI validation check.
1. Go to Manage > Policies > Policy List.
2. Check the box to choose an existing policy.
3. Double-click the policy to begin editing.
4. Rename the policy to indicate that it uses EMDI as a validator.
5. Verify the Wide, Medium, or Narrow breadth.
6. Click Optional Validators.
7. Click Exact Match Data Identifier Check.
8. Select a Profile. When you scroll to view profiles, you only see profiles where the key column matches the data
identifier in use.
9. Select at least one Required column that must be matched.
10. Choose how many other optional columns to match. You must have at least one optional column.
11. Select the desired Proximity using the slider. The maximum proximity for EMDI is 50 tokens before or after the data
identifier or pattern match. You can select a lower level.
12. Verify a Match Counting value. Your options are:
– Check for existence (don't count multiple matches)
– Count all matches
– Count all unique matches
13. Select a value for Only report incidents with at least [n] matches.
14. Click what to match on:
– Envelope
– Subject
– Body
– Attachments
15. Click OK.
16. Click Save.
You can also create a custom data identifier that includes an EMDI validation check. To review the steps to create a
custom data identifier, see Creating custom data identifiers. Then follow the steps to add an EMDI validator.
Related Links
Configuring policies on page 824
Creating an incremental index for EMDI
EMDI indexes are automatically optimized when you reindex.
The tool compares the last modified date of the file. If the file has been modified after the file that was preindexed, the tool updates the preindex with the changes that were made to the file. If the date the file was modified is the same, the pre-index is not updated. If you change any include, exclude, or size filters in your existing preindex file, those filters are applied to any previously indexed files. For example, for a remote data source with ten .docx files and ten .pptx files, if your first remote indexing job has no filters, all files are indexed. If you add an exclude filter for .docx files (-exclude_filter=*.docx) and run the indexing job again, the .docx files are removed from the index and only the .pptx files remain.
When you use an EMDI profile file (.emdi) that meets one of the following conditions, a valid incremental index (.inc) file is created:
• The EMDI profile file is downloaded after the latest index is created on Enforce.
• The same EMDI profile file is reused from a previous creation of a remote index.
Configuring parameters for EMDI
You can configure various parameters for EMDI in the Indexer.properties file. Use caution when modifying these
settings. Changes to these settings do not take effect until after the server or endpoint is restarted.
Table 432:
A maximum of 5 values in the key column can have the same value. This differs from EMDI.MaxDuplicateCellsPercentage, which instead limits the total number of duplicates in the index. This is a non-configurable limit for EMDI.
Table 433: Workflow for determining memory requirements for EMDI indexes
1. Determine the memory that is required to index the data source. More information: Determining requirements for both local indexers and remote indexers for EMDI
2. Determine the memory that is required to load the index on the detection server or the endpoint. More information: Detection server memory requirements for EMDI
3. Increase the detection server or endpoint memory according to your calculations. More information: Increasing the memory for the detection server (File Reader) for EMDI; Properties file settings for EMDI
4. Repeat for each EMDI index you want to deploy.
Overview of configuring memory and indexing the data source for EMDI
Memory requirements for indexing the data source for EMDI provides the steps for determining how much memory is
needed to index the data source.
Table 434: Memory requirements for indexing the data source for EMDI
1. Estimate the memory requirements for the indexer. More information: Determining requirements for both local indexers and remote indexers for EMDI
2. Increase the indexer memory. The next step is to increase the memory allocated to the indexer. The procedure for increasing the indexer memory differs depending on whether you use the EMDI indexer local to the Enforce Server or the Remote EMDI Indexer.
3. Restart the Symantec DLP Manager service. You must restart this service after you have changed the memory allocation.
4. Index the data source. The last step is to index the data source. You need to index before you calculate remaining memory requirements.
Configuring Exact Data profiles for EDM
Determining requirements for both local indexers and remote indexers for EMDI
This topic provides an overview of memory requirements for both the EMDI indexer that is local to the Symantec Data
Loss Prevention Enforce Server and for the Remote EMDI indexer.
You do not need to change the EMDI indexer default value of 2048 MB. Make sure that the system has enough free
additional memory in case of parallel indexing. The additional memory that is required depends on the number of required
and optional columns as well as the number of cells. In the following examples:
R – Number of required columns
P – Number of optional columns
B – Bytes per cell
The general formula is: B = 4 * R * P / (P + 1)
Example 1
For an index with 5 million cells (1 million rows x 5 columns), 1 required column, and 4 optional columns:
The formula is: B = 4 * 1 * 4 / 5 = 3.2 bytes per cell
The total memory that is required for this index = 5 million * 3.2 = 16 MB
Example 2
For an index with 40 million cells (4 million rows x 10 columns), 1 required column, and 9 optional columns:
The formula is: B = 4 * 1 * 9 / 10 = 3.6 bytes per cell
The total memory that is required for this index = 40 million * 3.6 = 144 MB
Example 3
For an index with 128 million cells (4 million rows x 32 columns), 1 required column, and 31 optional columns:
The formula is: B = 4 * 1 * 31 / 32 = 3.875 bytes per cell
The total memory that is required for this index = 128 million * 3.875 = 496 MB
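The following Python is an added example, not Symantec's code: it implements the bytes-per-cell formula above, reproduces Examples 1 to 3, and compares the total against the documented 100 MB default of EMDI.MaxEndpointProfileMemoryInMB (treating the computed total as the index size is an assumption of this example).

```python
"""EMDI index memory estimator (added example; not Symantec's code).

Implements the documented formula for the additional indexer memory,
B = 4 * R * P / (P + 1) bytes per cell, and the total used in Examples 1-3.
MB here means 1,000,000 bytes, which is what those examples use
(5 million cells * 3.2 bytes = 16 MB).
"""

BYTES_PER_MB = 1_000_000
# Documented default of EMDI.MaxEndpointProfileMemoryInMB (per profile).
DEFAULT_ENDPOINT_LIMIT_MB = 100


def bytes_per_cell(required_columns, optional_columns):
    """B = 4 * R * P / (P + 1); EMDI needs at least one column of each type."""
    if required_columns < 1 or optional_columns < 1:
        raise ValueError("need at least one required and one optional column")
    return 4.0 * required_columns * optional_columns / (optional_columns + 1)


def index_memory_mb(cells, required_columns, optional_columns):
    """Total memory in MB for an index of `cells` cells (rows x columns)."""
    return cells * bytes_per_cell(required_columns, optional_columns) / BYTES_PER_MB


def estimate(rows, required_columns, optional_columns,
             endpoint_limit_mb=DEFAULT_ENDPOINT_LIMIT_MB):
    """Work through the documented steps for a data source of rows x (R + P) columns.

    Returns the cell count, bytes per cell, total MB, and whether the index is
    small enough to be sent to the DLP Agent under the per-profile limit.
    Assumption: the computed total is used as the index size that the
    troubleshooting topic compares against EMDI.MaxEndpointProfileMemoryInMB.
    """
    cells = rows * (required_columns + optional_columns)
    total_mb = index_memory_mb(cells, required_columns, optional_columns)
    return {
        "cells": cells,
        "bytes_per_cell": bytes_per_cell(required_columns, optional_columns),
        "total_mb": total_mb,
        "fits_endpoint_limit": total_mb <= endpoint_limit_mb,
    }


if __name__ == "__main__":
    # The three documented examples as (rows, R, P).
    for rows, r, p in [(1_000_000, 1, 4), (4_000_000, 1, 9), (4_000_000, 1, 31)]:
        e = estimate(rows, r, p)
        print(f"{e['cells']:>11,} cells, R={r}, P={p}: "
              f"{e['bytes_per_cell']:.3f} bytes/cell, {e['total_mb']:.0f} MB, "
              f"within endpoint limit: {e['fits_endpoint_limit']}")
```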
Detection server memory requirements for EMDI
The Java heap memory settings for a detection server are set in the Enforce Server administration console at the Server Detail - Advanced Server Settings page, using the BoxMonitor.FileReaderMemory property. The format is -Xrs -Xms1200M -Xmx4G. You don't need to change the system memory setting, but make sure that the detection server has enough free memory available.
NOTE
When you update this setting, only change the -Xmx value in this property. For example, only change "4G." to a
new value, and leave all other values the same.
The examples in EMDI detection server Java heap memory settings and additional system memory examples show the
settings for five different situations.
Table 435: EMDI detection server Java heap memory settings and additional system memory examples
Increasing the memory for the detection server (File Reader) for EMDI
This topic provides instructions for increasing the File Reader memory allocation for a detection server. These instructions
assume that you have performed the necessary calculations.
Determining requirements for both local indexers and remote indexers for EMDI
To increase the memory for detection server processing
1. In the Enforce Server administration console, navigate to the Server Detail - Advanced Server Settings screen for
the detection server where the EMDI index is deployed or to be deployed.
2. Locate the following setting: BoxMonitor.FileReaderMemory.
3. Change the -Xmx4G value in the following string to match the calculations you have made.
-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M
For example: -Xrs -Xms1200M -Xmx11G -XX:PermSize=128M -XX:MaxPermSize=256M
4. Save the configuration and restart the detection server.
Profile size limitations on the DLP Agent for EMDI
By default, no profiles larger than 100 MB are sent to the DLP Agent. To change this default, edit the EMDI.MaxEndpointProfileMemoryInMB value in the Protect.properties file.
Overview of configuring memory and indexing the data source for EMDI
EMDI parameter and file location | Default | Description
Protect.properties
On the Enforce Server:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Protect.properties (Windows)
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Protect.properties (Linux)
On the detection server:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\Protect.properties (Windows)
/opt/Symantec/DataLossPrevention/DetectionServer/16.0.10000/Protect/config/Protect.properties (Linux)
• EMDI.EnabledOnAgents = false
EMDI is disabled by default on DLP Agents. To enable EMDI on DLP Agents, set this property to true.
• EMDI.MaxEndpointProfileMemoryInMB = 100
Endpoint EMDI per profile maximum memory usage in megabytes. This limit is per profile, not for all profiles combined.
Indexer.properties
On the Enforce Server:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Indexer.properties (Windows)
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/Indexer.properties (Linux)
• emdi_indexer_log_max_files = 100
The maximum number of log files for the EMDI indexer.
• EMDI.MaxDuplicateCellsPercentage = 1
The maximum integer percentage of duplicate cells in an index as a function of the number of rows.
• EMDI.MaxNonMatchingDIPercentage = 1
The maximum integer percentage of key column values that don't match a profile data identifier as a function of the number of rows.
ProfileIndexConfiguration.properties
On the Enforce Server:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\ProfileIndexConfiguration.properties (Windows)
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/ProfileIndexConfiguration.properties (Linux)
On the detection server:
C:\Program Files\Symantec\DataLossPrevention\DetectionServer\16.0.10000\Protect\config\ProfileIndexConfiguration.properties (Windows)
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/Protect/config/ProfileIndexConfiguration.properties (Linux)
• emdi_matcher_log_max_files = 100
The maximum number of log files for the EMDI matcher.
Best Practice | More information
• Never use any personally identifiable information (PII) as an optional column. More information: Never use a personal identifier as an optional column in EMDI
• Use three or more columns in a match. More information: Use three or more columns in a match for EMDI
• Don’t use EMDI validators as both optional and required for a given data identifier in a policy. More information: Don’t use EMDI validators as both optional and required for a given data identifier in a policy
• Use additional validators with EMDI where possible. More information: Use additional validators with EMDI where possible
• Limit the required number of columns to no more than two or three. More information: Limit the required number of columns to two or three for EMDI
• When matching with only a single optional column, avoid adding low-variability values as optional columns. More information: When matching with only a single optional column, avoid adding low-variability values as optional columns with EMDI
• Use full disk encryption on endpoint deployments. More information: Use full disk encryption on EMDI endpoint deployments
• Eliminate duplicate rows and blank columns before indexing. More information: Cleanse the EMDI data source file of blank columns and duplicate rows
• To reduce false positives, avoid single characters, quotes, abbreviations, numeric fields with fewer than 5 digits, and dates. More information: Remove ambiguous character types from the EMDI data source file
• Clean up your data source for multi-token cell matching. More information: Clean up your EMDI data source for multi-token matching
• Use the pipe (|) character to delimit columns in your data source. More information: Do not use the comma delimiter if the EMDI data source has number fields
• Ensure that the EMDI data source is clean for indexing. More information: Ensure that the EMDI data source is clean for indexing
• Include the column headers as the first row of the data source file. More information: Include column headers as the first row of the EMDI data source file
• Check the system alerts to tune Exact Match Data Identifier profiles. More information: Check the EMDI system alerts to tune profile accuracy
• Automate profile updates with scheduled indexing. More information: Use scheduled indexing to automate EMDI profile updates
Don’t use EMDI validators as both optional and required for a given data identifier in a policy
Do not use an EMDI validator in-line in a policy for a data identifier condition when the data identifier has already been
configured to use an EMDI validator.
When matching with only a single optional column, avoid adding low-variability values as optional columns with EMDI
When matching with a single optional column, avoid adding very low-variability values such as States or 5-digit ZIP Codes
as optional columns. Low variability values increase the likelihood of false positives.
Cleanse the EMDI data source file of blank columns and duplicate rows
The data source file should be as clean as possible before you create the EMDI index, otherwise the resulting profile may
create false positives.
When you create the data source file, avoid including empty cells or blank columns. Blank columns or fields count as
errors when you generate the EMDI profile. A data source error is either an empty cell or a cell with the wrong type of
data (a name appearing in a phone number column). The error threshold is the maximum percentage of rows that contain
errors before indexing stops. If the errors exceed the error threshold percentage for the profile (by default, 5%), the
system stops indexing and displays an indexing error message.
The best practice is to remove blank columns and empty cells from the data source file, rather than increasing the error
threshold. Keep in mind that if you have many empty cells, it may require a 100% error threshold for the system to create
the profile. If you specify 100% as the error threshold, the system indexes the data source without checking for errors.
In addition, do not fill empty cells or blank fields with fake data so that the error threshold is met. Adding fake or "null" data
to the data source file reduces the accuracy of the EMDI profile and is discouraged. Content you want to monitor should
be legitimate and not null.
Do not use the comma delimiter if the EMDI data source has number fields
Remove ambiguous character types from the EMDI data source file
You cannot have extraneous spaces, punctuation, and inconsistently populated fields in the data source file. You can
use tools such as Stream Editor (sed) and AWK to remove these items from your data source file or files before indexing
them.
Characters to avoid in the EMDI data source file lists the characters to avoid in the data source file.
Characters to avoid | Explanation
• Single characters: Single character fields should be eliminated from the data source file. These are more likely to cause false positives, since a single character appears frequently in normal communications.
• Abbreviations: Abbreviated fields should be eliminated from the data source file for the same reason as single characters.
• Quotes: Text fields should not be enclosed in quotes.
• Small numbers: Indexing numeric fields that contain fewer than 5 digits is not recommended because it likely yields many false positives.
• Dates: Date fields are also not recommended. Dates are treated like a string, so if you index a date, such as 12/6/2007, the string has to match exactly. The indexer only matches 12/6/2007, and not any other date formats, such as Dec 6, 2007, 12-6-2007, or 6 Dec 2007. It must be an exact match.
Do not use the comma delimiter if the EMDI data source has number fields
Of the four types of column delimiters that you can choose from for separating the fields in the data source file (pipe, tab,
semicolon, or comma), the pipe, semicolon, or tab (default) are recommended. The comma delimiter is ambiguous and
should not be used, especially if one or more fields in your data source contain numbers. If you use a comma-delimited
data source file, make sure there are no commas in the data set other than those used as column delimiters.
NOTE
The system also treats the pound sign, equals sign, plus sign, and colon characters as separators, but you
should not use these because like the comma their meaning is ambiguous.
• It contains at least one Required (key) column and one Optional column.
• It is not a single-column data source; it has two or more columns.
• Empty cells and rows and blank columns are removed.
• Incomplete and duplicate records are removed.
• The number of faulty cells is below the default error rate (5%) for indexing.
• Fake data is not used to fill in blank cells or rows.
• Improper and ambiguous characters are removed.
• Multi-tokens comply with space and memory requirements.
• Column fields are validated against the system-defined patterns that are available.
• Mappings are validated against policy templates where applicable.
Include column headers as the first row of the EMDI data source file
When you extract the source data to the data source file, you should include the column headers as the first row in the
data source file. Including the column headers makes it easier for you to identify the data you want to use in your policies.
The column names reflect the column mappings that were created when the exact data profile was added. If there is an
unmapped column, it is called Col X, where X is the column number (starting with 1) in the original data profile.
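The cleansing rules above (blank columns, empty cells and the 5% error threshold, duplicate rows, the characters to avoid, and the ambiguous separator characters), applied by an added Python script that is not Symantec's code. It assumes a pipe-delimited data source with a header row, works on constructed sample rows, and only reports ambiguous values for review rather than rewriting them; type validation against system fields is left to the Exact Data Profile.

```python
"""EMDI data source pre-indexing check (added example; not Symantec's code).

Applies the documented best practices to a pipe-delimited data source with a
header row: drops blank columns, removes rows with empty cells (data-source
errors) and duplicate rows, reports the error rate against the 5% default
threshold, and flags the documented 'characters to avoid'. Type validation
(a name in a phone-number column) is left to the system field mappings.
"""
import re

ERROR_THRESHOLD_PERCENT = 5.0    # documented default error threshold
# Comma plus the characters the documentation says the system also treats as separators.
AMBIGUOUS_CHARS = set(",#=+:")
DATE_RE = re.compile(r"^\d{1,4}[/-]\d{1,2}[/-]\d{1,4}$")

# Constructed sample data source: "Notes" is a blank column, row 2 repeats row 1,
# row 3 has an empty SSN, and row 4 carries several ambiguous field types.
SAMPLE_DATA_SOURCE = """First Name|Last Name|SSN|Account Number|Start Date|Notes
Bob|Smith|123-45-6789|987654321|05/26/1999|
Bob|Smith|123-45-6789|987654321|05/26/1999|
Betty|Jones||123456789|01/02/2001|
A|"Lee"|555-66-7777|42|12/6/2007|
"""


def parse(text, delimiter="|"):
    """Split a delimited data source into a header list and a list of row lists."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(delimiter)
    rows = [ln.split(delimiter) for ln in lines[1:]]
    return header, rows


def cell_warnings(value):
    """Return the documented 'characters to avoid' that a cell value triggers."""
    found = []
    stripped = value.strip()
    if value != stripped:
        found.append("extraneous whitespace")
    if len(stripped) == 1:
        found.append("single character")
    if len(stripped) >= 2 and stripped[0] == '"' and stripped[-1] == '"':
        found.append("quoted text")
    if stripped.isdigit() and len(stripped) < 5:
        found.append("number with fewer than 5 digits")
    if DATE_RE.match(stripped):
        found.append("date (matches only this exact string)")
    if any(ch in AMBIGUOUS_CHARS for ch in stripped):
        found.append("ambiguous separator character")
    return found


def error_percent(rows, width):
    """Percentage of rows that are short or contain an empty cell (a data-source error)."""
    if not rows:
        return 0.0
    bad = sum(1 for r in rows if len(r) != width or any(not c.strip() for c in r))
    return 100.0 * bad / len(rows)


def cleanse(text, delimiter="|", threshold_percent=ERROR_THRESHOLD_PERCENT):
    """Run the cleansing steps and return a report dict with the cleaned rows."""
    header, rows = parse(text, delimiter)
    width = len(header)
    raw_error = error_percent(rows, width)

    # Step 1: drop columns that are empty in every row (they count as errors otherwise).
    keep = [i for i in range(width)
            if any(i < len(r) and r[i].strip() for r in rows)]
    blank_columns = [header[i] for i in range(width) if i not in keep]
    header = [header[i] for i in keep]
    rows = [[r[i] for i in keep if i < len(r)] for r in rows]
    width = len(header)

    # Step 2: measure the error rate the indexer would now see, then drop the error
    # rows instead of raising the threshold or filling the gaps with fake data.
    after_blank = error_percent(rows, width)
    complete = [r for r in rows if len(r) == width and all(c.strip() for c in r)]

    # Step 3: remove exact duplicate records, preserving order.
    seen, unique = set(), []
    for r in complete:
        key = tuple(r)
        if key not in seen:
            seen.add(key)
            unique.append(r)

    # Step 4: flag ambiguous cell contents for manual review.
    warnings = [(header[i], cell, w)
                for r in unique for i, cell in enumerate(r) for w in cell_warnings(cell)]

    return {
        "header": header,
        "rows": unique,
        "blank_columns_dropped": blank_columns,
        "raw_error_percent": raw_error,
        "error_percent_after_blank_columns": after_blank,
        "under_threshold": after_blank <= threshold_percent,
        "error_rows_removed": len(rows) - len(complete),
        "duplicates_removed": len(complete) - len(unique),
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = cleanse(SAMPLE_DATA_SOURCE)
    print(f"Blank columns dropped: {report['blank_columns_dropped']}")
    print(f"Error rate before/after blank-column removal: "
          f"{report['raw_error_percent']:.1f}% / {report['error_percent_after_blank_columns']:.1f}%")
    for column, value, warning in report["warnings"]:
        print(f"  review {column}={value!r}: {warning}")
```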
Use three or more columns in a match for EMDI
Use three or more columns in a match to minimize false positives.
• If you update your data sources occasionally (for example, less than once a month), generally there is no need to
create a schedule. Index the data each time you update the data source.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large data sources can take time to index.
• Index a data source as soon as you add or modify the corresponding exact data profile, and re-index the data source
whenever you update it. For example, consider a scenario whereby every Wednesday at 2:00 P.M. you generate an
updated data source file. In this case you could schedule indexing every Wednesday at 3:00 P.M. This would give you
enough time to cleanse the data source file and copy it to the Enforce Server.
• Do not index data sources daily. Daily indexing can degrade performance.
• Monitor results and modify your indexing schedule accordingly. For example, if performance is good and you want more timely updates, schedule more frequent data updates and indexing.
EMDI Troubleshooting
Scan the following problems and solutions before you call Symantec support. Also, follow EMDI Best Practices to avoid
problems in your EMDI deployment.
Best practices for using EMDI
The EMDI index doesn’t get published to the Endpoint Agent and the EnabledOnAgents setting is true
Solution: Verify that the EMDI.MaxEndpointProfileMemoryInMB parameter in the Protect.properties file on each
endpoint server is set to a value larger than the index size.
Introducing Exact Data Matching (EDM)
Exact Data Matching (EDM) is designed to protect your most sensitive content. You can use EDM to detect structured,
tabular data, including personally identifiable information (PII). EDM is designed to find records that are part of an indexed
data source in either structured or unstructured targets. Some examples are social security numbers, bank account
numbers, and credit card numbers. You can also detect confidential customer and employee records, price list entries,
parts from a parts list, and other confidential data stored in a structured data source, such as a database, directory server,
or a structured data file such as CSV or spreadsheet.
To implement EDM policies, you identify and prepare the data you want to protect. You create an Exact Data Profile and
index the structured data source using the Enforce Server administration console, or remotely using the Remote EDM
Indexer. During the indexing process, the system indexes the data by accessing and extracting the text-based content,
normalizing it, and securing it using a nonreversible hash. You can schedule indexing on a regular basis after you have
pulled current data from the data source to ensure that the EDM index reflects the current data.
Once you have profiled the data, you configure the Content Matches Exact Data condition to match individual pieces
of the indexed data. For increased accuracy you can configure the condition to match combinations of data fields from a
particular record. The EDM policy condition matches on data coming from the same row or record of data. For example,
you can configure the EDM policy condition to look for any three of First Name, Last Name, SSN, Account Number, or
Phone Number occurring together in a message and corresponding to a record from your customer database.
Once the policy is deployed to one or more detection servers, cloud detection services, or appliances, the system can
detect the data fields (or records) that you have profiled in either structured or unstructured format. For example, you
could deploy the EDM policy to a Network Discover Server and scan data repositories for confidential data matching
data records in the index. You could also deploy the EDM policy to a Network Prevent for Email Server to detect records
in email communications and attachments, such as Microsoft Word files. If the attachment is a spreadsheet, such as
Microsoft Excel, the EDM policy can detect the presence of confidential records there as well.
About the Exact Data Profile and index
You create an Exact Data Profile and index the data source file. When you configure the profile, you map the data field
columns to system-defined patterns and validate the data. You then configure the EDM policy condition that references
the Exact Data Profile. In this example, the condition matches if a message contains all five data fields.
The detection server reports a match if it detects the following in any inbound message:
Bob Smith 123-45-6789 05/26/99 $42500
But, a message containing the following does not match because that record is not in the index:
Betty Smith 000-00-0000 05/26/99 $42500
If you limited the condition to matching only the Last Name, SSN, and Salary column fields, the following message is a
match because it meets the criteria:
Robert, Smith, 123-45-6789, 05/29/99, $42500
Finally, the following message contents do not match because the value for the SSN is not present in the profile:
Bob, Smith, 415-789-0000, 05/26/99, $42500
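The row-based matching described in this section, modelled by an added Python example that is not Symantec's code or algorithm: cells are normalized and stored only as non-reversible hashes, and a message matches when the required number of indexed columns are all found and all come from the same record. The normalization, the SHA-256 hash, the tokenizer and the second sample record are assumptions of this example; the product's own index format is not documented here.

```python
"""Toy model of EDM record matching (added example; not Symantec's code).

Index time: every cell is normalized and hashed, so the index holds no
plaintext. Detection time: message tokens are hashed the same way and looked
up; a record matches only when at least `minimum` of the selected columns are
found for that same row. Normalization and SHA-256 are assumptions.
"""
import hashlib
import re
from collections import defaultdict

COLUMNS = ["First Name", "Last Name", "SSN", "Start Date", "Salary"]

# Constructed sample data source: the documentation's example record plus one more.
RECORDS = [
    ["Bob", "Smith", "123-45-6789", "05/26/99", "$42500"],
    ["Alice", "Nguyen", "987-65-4321", "11/02/01", "$61000"],
]


def normalize(value):
    """Assumed normalization: trim, collapse whitespace, case-fold."""
    return re.sub(r"\s+", " ", value.strip()).lower()


def cell_hash(value):
    """Non-reversible hash of a normalized cell (assumption: SHA-256)."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def build_index(records):
    """Map hashed cell -> set of (row_id, column); the index never stores plaintext."""
    index = defaultdict(set)
    for row_id, record in enumerate(records):
        for column, value in zip(COLUMNS, record):
            index[cell_hash(value)].add((row_id, column))
    return index


def tokenize(message):
    """Split a message into candidate cell values on whitespace and commas."""
    return [t for t in re.split(r"[\s,]+", message) if t]


def match(index, message, columns, minimum):
    """Row ids for which at least `minimum` distinct `columns` occur in the message.

    Hits are counted per row, so three fields from three different records
    never add up to a match: the condition matches data from the same record.
    """
    wanted = set(columns)
    hits = defaultdict(set)  # row_id -> columns matched for that row
    for token in tokenize(message):
        for row_id, column in index.get(cell_hash(token), ()):
            if column in wanted:
                hits[row_id].add(column)
    return sorted(r for r, cols in hits.items() if len(cols) >= minimum)


if __name__ == "__main__":
    idx = build_index(RECORDS)
    three_of = ["Last Name", "SSN", "Salary"]
    print(match(idx, "Bob Smith 123-45-6789 05/26/99 $42500", COLUMNS, 5))       # [0]
    print(match(idx, "Betty Smith 000-00-0000 05/26/99 $42500", COLUMNS, 5))     # []
    print(match(idx, "Robert, Smith, 123-45-6789, 05/29/99, $42500", three_of, 3))  # [0]
    print(match(idx, "Bob, Smith, 415-789-0000, 05/26/99, $42500", three_of, 3))    # []
```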
Configuring Exact Data profiles for EDM
Data Protection Act 1998 policy template
• Employee Data Protection
Employee Data Protection policy template
• EU Data Protection Directives
Data Protection Directives (EU) policy template
• Export Administration Regulations (EAR)
Export Administration Regulations (EAR) policy template
• FACTA 2003 (Red Flag Rules)
• General Data Protection Regulation (GDPR) Banking and Finance
General Data Protection Regulation (Banking and Finance)
• General Data Protection Regulation (GDPR) Digital Identity
General Data Protection Regulation (Banking and Finance)
• General Data Protection Regulation (GDPR) Government Identification
General Data Protection Regulation (Government Identification)
• General Data Protection Regulation (GDPR) Healthcare and Insurance
General Data Protection Regulation (Healthcare and Insurance)
• General Data Protection Regulation (GDPR) Personal Profile
General Data Protection Regulation (Personal Profile)
• General Data Protection Regulation (GDPR) Travel
General Data Protection Regulation (Travel)
• Gramm-Leach-Bliley
Gramm-Leach-Bliley policy template
• HIPAA and HITECH (including PHI)
HIPAA and HITECH (including PHI) policy template
• Human Rights Act 1998
Human Rights Act 1998 policy template
• International Traffic in Arms Regulations (ITAR)
International Traffic in Arms Regulations (ITAR) policy template
• Payment Card Industry Data Security Standard
Payment Card Industry (PCI) Data Security Standard policy template
• PIPEDA
PIPEDA policy template
• Price Information
Price Information policy template
• Resumes
Resumes policy template
• State Data Privacy
SEC Fair Disclosure Regulation policy template
Creating and modifying Exact Data Profiles for EDM
Leverage EDM policy templates when possible
The index that is generated consists of 19 binary DataSource.rdx files, each with space to fit into random access memory (RAM) on the detection server(s). By default, Symantec Data Loss Prevention stores index files in C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\index (on Windows) or in /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/Protect/index (on Linux) on the Enforce Server.
Symantec Data Loss Prevention automatically deploys all EDM indexes (*.rdx files) to the index directory on all
detection servers. When an active policy that references an EDM profile is deployed to a detection server, the detection
server loads the corresponding EDM index into RAM. If a new detection server is added after an index has been created,
the *.rdx files in the index folder on the Enforce Server are deployed to the index folder on the new detection server.
You cannot manually deploy index files to detection servers.
At run-time during detection, the system converts extracted content into hashed data values using the same algorithm it
employs for indexes. It then compares data values from input content to those in the appropriate index file(s), identifying
matches.
Creating and modifying Exact Data Profiles for EDM
Memory requirements for EDM
Table 441: EDM data source file size limitations
• Columns: 32. The data source file cannot have more than 32 columns. If it does, the system does not index it.
• Cells: 6 billion. The data source file cannot have more than 6 billion data cells. If it does, the system does not index it.
• Rows: 4,294,967,294. The maximum number of rows supported is 4,294,967,294.
Table 442: Workflow for cleansing the data source file for EDM
1. Prepare the data source file for indexing. More information: Preparing the exact data source file for indexing for EDM
2. Ensure that the data source has at least one column that is unique data. More information: Ensure data source has at least one column of unique data (EDM)
3. Remove incomplete and duplicate records. Do not fill empty cells with bogus data. More information: Cleanse the data source file of blank columns and duplicate rows (EDM)
4. Remove improper characters. More information: Remove ambiguous character types from the data source file (EDM)
5. Verify that the data source file is below the error threshold. The error threshold is the maximum percentage of rows that contain errors before indexing stops. More information: Preparing the exact data source file for indexing for EDM
(Credit Card Number, Issuing Bank Name, CVV, Card Expiration Date)
• Detect both of
(Part Number, Part Description)
About EMDI policy features
About using System Fields for data source validation with EDM
Column headings in your data source are useful for visual reference. However, they do not tell Symantec Data Loss
Prevention what kind of data the columns contain. To do this, you use the Field Mappings section of the Exact Data
Profile to specify mappings between fields in your data source. You can also use field mappings to specify fields that
the system recognizes in the system-provided policy templates. The Field Mappings section also gives you advanced
options for specifying custom fields and validating the data in those fields.
Mapping Exact Data Profile fields for EDM
Consider the following example use of field mappings. Your company wants to protect employee data, including employee
social security numbers. You create a Data Loss Prevention policy based on the Employee Data Protection template. The
policy requires an exact data index with fields for social security numbers and other employee data. You prepare your
data source and then create the Exact Data Profile. To validate the data in the social security number field, you map this
column field in your index to the "Social Security Number" system field pattern. The system then validates all data in that
field using the Social Security Number validator to ensure that each data item is a social security number.
Using the system-defined field patterns to validate your data is critical to the accuracy of your EDM policies. If there is no
system-defined field pattern that corresponds to one or more data fields in your index, you can define custom fields and
choose the appropriate validator to validate the data.
Map data source column to system fields to leverage validation (EDM)
The typical use case is as follows. You extract data from a database to a file and cleanse it to create your data source
file. Using the Enforce Server administration console you define an Exact Data Profile and index the data source file. The
system generates the *.rdx index files and deploys them to one or more detection servers. However, if you know that
the data changes frequently, you need to generate a new data source file weekly or monthly to keep up with the changes
to the database. In this case, you can use index scheduling to automate the indexing of the data source file so you do not
have to return to the Enforce Server administration console and reindex the updated data source. Your only task is to drop
an updated and cleansed data source file to the Enforce Server for scheduled indexing.
NOTE
You must reindex after upgrading to the latest version of Symantec Data Loss Prevention.
Configuring Exact Data profiles for EDM
Scheduling Exact Data Profile indexing for EDM
Use scheduled indexing to automate profile updates (EDM)
About the Content Matches Exact Data From condition for EDM
The Content Matches Exact Data From an Exact Data Profile condition is the detection component you use to
implement EDM policy conditions. When you define this condition, you select the EDM profile on which the condition is
based. You also select the columns you want to use in your condition, as well as any WHERE clause limitations.
NOTE
You cannot use the Content Matches Exact Data From an Exact Data Profile condition as a policy exception.
Symantec Data Loss Prevention does not support the use of the EDM condition as a policy exception.
Configuring the Content Matches Exact Data policy condition for EDM
Creating the exact data source file for profiled DGM for EDM
Include an email address field in the Exact Data Profile for profiled DGM (EDM)
Use profiled DGM for Network Prevent for Web identity detection (EDM)
Table 443: Implementing Exact Data Matching with EDM
1 Create the data source file.
  Export the source data from the database (or other data repository) to a tabular text file with delimited fields.
  If you want to except data owners from matching, you need to include specific data items in the data source file.
  About the exact data source file
  If you want to match identities for profiled Directory Group Matching (DGM), you need to include specific data items in the data source files.
  Creating the exact data source file for EDM
  Creating the exact data source file for profiled DGM for EDM
2 Prepare the data source file for indexing.
  Cleanse the data source file.
  Preparing the exact data source file for indexing for EDM
3 Upload the data source file to the Enforce Server.
  You can copy or upload the data source file to the Enforce Server, or access it remotely.
  Uploading exact data source files for EDM to the Enforce Server
4 Create an Exact Data Profile.
  An Exact Data Profile is required to implement Exact Data Matching (EDM) policies. The Exact Data Profile specifies the data source, data field types, and the indexing schedule.
  Creating and modifying Exact Data Profiles for EDM
5 Map and validate the data fields.
  You map the source data fields to system or custom data types that the system validates. For example, a social security number data field needs to be nine digits.
  About using System Fields for data source validation with EDM
  Mapping Exact Data Profile fields for EDM
6 Index the data source, or schedule indexing.
  Schedule the indexing to keep the index in sync with the data source.
  About index scheduling for EDM
  Scheduling Exact Data Profile indexing for EDM
7 Configure and tune one or more Content Matches Exact Data policy conditions.
  Configuring the Content Matches Exact Data policy condition for EDM
Table 444: Create the exact data source file
Step Description
1 Export the data you want to protect from a database or other tabular data format, such as an Excel spreadsheet, to a
tabular text file. The data source file you create must be a tabular text file that contains rows of data from the original
source. Each row from the original source is included as a row in the data source file. Delimit columns using a tab, a
comma, or a pipe. Pipe is preferred. Comma should not be used if your data source fields contain numbers.
About the exact data source file
You must maintain all the structured data that you exported from the source database table or table-like format in one
data source file. You cannot split the data source across multiple files.
The data source file cannot exceed 32 columns, 4,294,967,294 rows, or 6 billion cells. If you plan to upload the data
source file to the Enforce Server, browser capacity limits the data source size to 2 GB. For file sizes larger than this
size you can copy the file to the Enforce Server using FTP/S, SCP, SFTP, CIFS, or NFS.
2 Include required data fields for specific EDM implementations:
• Unique data
For all EDM implementations, make sure that the data source contains at least one column of unique data.
Ensure data source has at least one column of unique data (EDM)
• Data Owner Exception
Make sure that the data source contains the email address field or domain field, if you plan to use data owner
exceptions.
Creating the exact data source file for Data Owner Exception for EDM
• Directory Group Matching
Make sure that the data source includes one or more sender/recipient identifying fields.
Creating the exact data source file for profiled DGM for EDM
3 Prepare the data source file for indexing.
Preparing the exact data source file for indexing for EDM
Creating the exact data source file for Data Owner Exception for EDM
To implement Data Owner Exception and ignore data owners from detection, you must explicitly include each user's
email address or domain address in the Exact Data Profile. Each expected domain (for example, symantec.com) must
be explicitly added to the Exact Data Profile. The system does not automatically match on subdomains (for example,
support.symantec.com). Each subdomain must be explicitly added to the Exact Data Profile.
To implement the data owner exception feature, you must include either or both of the following fields in your
data source file:
• Email address, such as john_smith@symantec.com
• Domain address, such as symantec.com
About Data Owner Exception for EDM
Configuring Data Owner Exception for EDM policy conditions
• IP address
• email address
• user name
• business unit
• department
• managers
• title
• employment status
• consent to be monitored
• access to sensitive information
To implement profiled DGM, you must include at least one required data field in your data source.
About the Exact Data Profile and index
Profiled DGM data source fields for EDM lists the required fields for profiled DGM. The data source file must contain at
least one of these fields.
Field / Description
Email address: If you use an email address column field in the data source file, the email address appears in the Directory EDM drop-down list at the incident snapshot screen.
IP address: For example: 172.24.56.33
Windows user name: If you use a Windows user name field in your data source, the data must be in the following format: domain\user; for example: ACME\john_smith.
AOL IM name: IM screen name
Skype name: For example: myscreenname123
Microsoft Office Communicator name
Preparing the exact data source file for indexing for EDM
Once you create the exact data source file, you must prepare it so that you can efficiently index the data you want to
protect.
When you index an exact data profile, the Enforce Server keeps track of empty cells and any misplaced data which count
as errors. For example, an error may be a name that appears in a column for phone numbers. Errors can constitute a
certain percentage of the data in the profile (five percent, by default). If this default error threshold is met, Symantec Data
Loss Prevention stops indexing. It then displays an error to warn you that your data may be unorganized or corrupt.
To prepare the exact data source for EDM indexing
1. Make sure that the data source file is formatted as follows:
• If the data source has more than 200,000 rows, verify that it has at least two columns of data. One of the columns
should contain unique values. For example, credit card numbers, driver’s license numbers, or account numbers (as
opposed to first and last names, which are generic).
Ensure data source has at least one column of unique data (EDM)
• Verify that you have delimited the data source using pipes ( | ) or tabs. If the data source file uses commas as
delimiters, remove any commas that do not serve as delimiters.
Do not use the comma delimiter if the data source has number fields (EDM)
• Verify that data values are not enclosed in quotes.
• Remove single-character and abbreviated data values from the data source. For example, remove the column
name and all values for a column in which the possible values are Y and N.
• Optionally, remove any columns that contain numeric values with fewer than five digits, as these can cause false
positives in production.
Remove ambiguous character types from the data source file (EDM)
• Verify that numbers, such as credit card or social security, are delimited internally by dashes, or spaces, or none
at all. Make sure that you do not use a data-field delimiter such as a comma as an internal delimiter in any such
numbers. For example: 123-45-6789, or 123 45 6789, or 123456789 are valid, but not 123,45,6789.
Do not use the comma delimiter if the data source has number fields (EDM)
• Eliminate duplicate records, which can cause duplicate incidents in production.
Cleanse the data source file of blank columns and duplicate rows (EDM)
• Do not index common values. EDM works best with values that are unique. Think about the data you want to
index (and thus protect). Is this data truly valuable? If the value is something common, it is not useful as an EDM
value. For example, suppose that you want to look for "US states." Since there are only 50 states, if your exact
data profile has 300,000 rows, the result is a lot of duplicates of common values. Symantec Data Loss Prevention
indexes all values in the exact data profile, regardless of if the data is used in a policy or not. It is good practice to
use values that are less common and preferably unique to get the best results with EDM.
Ensure data source has at least one column of unique data (EDM)
2. Once you have prepared the exact data source file, proceed with the next step in the EDM process: upload the exact
data source file to the Enforce Server for profiling the data you want to protect.
Uploading exact data source files for EDM to the Enforce Server
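The checks in this procedure, as an added Python example (not Symantec code) run over a constructed pipe-delimited sample; the column names, sample values and the 200,000-row cut-off handling are assumptions made for the example:

```python
"""Pre-indexing checks for an EDM data source file, following the preparation
steps above. Added example, not Symantec code; the sample file is constructed."""
import csv
from io import StringIO

# Constructed pipe-delimited sample carrying the defects the procedure tells you to remove:
# a quoted value, a duplicate row, a Y/N column, a blank column, a comma inside a number
# and an account column with values under five digits.
SAMPLE = """\
FIRST_NAME|LAST_NAME|SSN|ACCOUNT|ACTIVE|NOTES
John|Smith|123-45-6789|"483920"|Y|
Jane|Doe|987-65-4321|55123|N|
John|Smith|123-45-6789|483920|Y|
Jane|Lee|111-22-3333|9001|Y|
John|Doe|222-33-4444|77,123|N|
"""

def load_rows(text, delimiter="|"):
    """Split the file on the delimiter and strip surrounding quotes (values must not be quoted)."""
    reader = csv.reader(StringIO(text), delimiter=delimiter, quoting=csv.QUOTE_NONE)
    rows = [[cell.strip().strip('"') for cell in row] for row in reader if row]
    return rows[0], rows[1:]

def _digits(value):
    return value.replace("-", "").replace(" ", "").replace(",", "")

def column_kind(values):
    """Classify a column: 'blank', 'single-char', 'short-number' or 'ok'."""
    nonblank = [v for v in values if v]
    if not nonblank:
        return "blank"
    if all(len(v) == 1 for v in nonblank):
        return "single-char"
    if all(_digits(v).isdigit() for v in nonblank) and any(len(_digits(v)) < 5 for v in nonblank):
        return "short-number"
    return "ok"

def cleanse(header, rows, large_source=200_000):
    """Return (header, rows, report, unique_columns) after applying the checks above.
    Blank and single-character columns are dropped; short-number columns are only
    flagged because that step is optional; duplicate rows are removed."""
    report, keep = [], []
    for i, name in enumerate(header):
        kind = column_kind([r[i] if i < len(r) else "" for r in rows])
        if kind in ("blank", "single-char"):
            report.append(f"dropped column {name}: {kind}")
            continue
        if kind == "short-number":
            report.append(f"flagged column {name}: numeric values with fewer than five digits")
        keep.append(i)
    new_header = [header[i] for i in keep]
    seen, new_rows, dupes = set(), [], 0
    for r in rows:
        row = tuple(r[i] if i < len(r) else "" for i in keep)
        # 123,45,6789 is not a valid internal delimiter for a number; only dashes, spaces or nothing.
        for name, v in zip(new_header, row):
            if "," in v and _digits(v).isdigit():
                report.append(f"comma inside a number in column {name}: {v}")
        if row in seen:
            dupes += 1
            continue
        seen.add(row)
        new_rows.append(list(row))
    if dupes:
        report.append(f"removed {dupes} duplicate row(s)")
    # At least one column must hold unique values; a source over 200,000 rows also needs
    # at least two columns.
    unique_cols = [name for j, name in enumerate(new_header)
                   if len({r[j] for r in new_rows}) == len(new_rows)]
    if not unique_cols:
        report.append("no column of unique data found")
    if len(new_rows) > large_source and len(new_header) < 2:
        report.append("a data source with more than 200,000 rows needs at least two columns")
    return new_header, new_rows, report, unique_cols

if __name__ == "__main__":
    hdr, data, notes, uniq = cleanse(*load_rows(SAMPLE))
    print("|".join(hdr), f"({len(data)} rows; unique columns: {uniq})")
    for line in notes:
        print(" -", line)
```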
Uploading Exact Data Source Files for EDM to the Enforce Server
After you have prepared the data source file for indexing, load it to the Enforce Server so the data source can be indexed.
Creating and modifying Exact Data Profiles for EDM
Listed here are the options you have for making the data source file available to the Enforce Server. Consult with your
database administrator to determine the best method for your needs.
Table 446: Uploading the data source file for EDM to the Enforce Server for indexing
Upload option(s) / Use case / Description

Upload Data Source to Server Now
Use case: Data source file is less than 50 MB.
If you have a smaller data source file (less than 50 MB), upload the data source file to the Enforce Server using the Enforce Server administration console (web interface). When creating the Exact Data Profile, you can specify the file path or browse to the directory and upload the data source file.
Note: Due to browser capacity limits, the maximum file size that you can upload is 2 GB. However, uploading any file over 50 MB is not recommended since files over this size can take a long time to upload. If your data source file is over 50 MB, consider copying the data source file to the datafiles directory using the next option.

Reference Data Source on Manager Host
Use case: Data source file is over 50 MB.
If you have a large data source file (over 50 MB), copy it to the datafiles directory on the host where Enforce is installed.
• On Windows this directory is located at C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles.
• On Linux this directory is located at /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/datafiles.
This option is convenient because it makes the data file available through a drop-down list during configuration of the Exact Data Profile. If it is a large file, use a third-party solution (such as Secure FTP) to transfer the data source file to the Enforce Server.
Note: Ensure that the Enforce user (usually called "protect") has modify permissions (on Windows) or rw permissions (on Linux) for all files in the datafiles directory.

Use This File Name
Use case: Data source file is not yet created.
You may want to create an EDM profile before you have created the data source file. In this case you can create a profile template and specify the name of the data source file you plan to create. This option lets you define EDM policies using the EDM profile template before you index the data source. The policies do not operate until the data source is indexed. When you have created the data source file you place it in the \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\datafiles directory (Windows) or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/Protect/datafiles (Linux) and index the data source immediately on save or schedule indexing.
Creating and modifying Exact Data Profiles for EDM

Use This File Name and Load Externally Generated Index
Use case: Data source is to be indexed remotely and copied to the Enforce Server.
In some environments it may not be secure or feasible to copy or upload the data source file to the Enforce Server. In this situation you can index the data source remotely using Remote EDM Indexer.
Remote EDM indexing
This utility lets you index an exact data source on a computer other than the Enforce Server host. This feature is useful when you do not want to copy the data source file to the same computer as the Enforce Server. As an example, consider a situation where the originating department wants to avoid the security risk of copying the data to an extra-departmental host. In this case you can use the Remote EDM Indexer.
First you create an EDM profile template where you choose the Use this File Name and the Number of Columns options. You must specify the name of the data source file and the number of columns it contains.
Creating an EDM profile template for remote indexing
You then use the Remote EDM Indexer to remotely index the data source and copy the index files to the Enforce Server host and load the externally generated index. The Load Externally Generated Index option is only available after you have defined and saved the profile. Remote indexes are loaded from the \Program Files\Symantec\DataLossPrevention\16.0.10000\EnforceServer\Protect\index directory on the Enforce Server host.
Copying and loading remote EDM index files to the Enforce Server
If you modify an existing Exact Data Profile you can change the profile name.
7. Select one of the following Data Source options to make the data source file available to the Enforce Server:
• Upload Data Source to Server Now
If you are creating a new profile, click Browse and select the data source file, or enter the full path to the data
source file.
If you are modifying an existing profile, select Upload Now.
Uploading exact data source files for EDM to the Enforce Server
• Reference Data Source on Manager Host
If you copied the data source file to the datafiles directory on the Enforce Server, it appears in the drop-down
list for selection.
Uploading exact data source files for EDM to the Enforce Server
• Use This File Name
Select this option if you have not yet created the data source file but want to configure EDM policies using a
placeholder EDM profile. Enter the file name of the data source you plan to create, including the Number of
Columns it is to have. When you do create the data source, you must copy it to the datafiles directory.
Uploading exact data source files for EDM to the Enforce Server
NOTE
Use this option with caution. Be sure to remember to create the data source file and copy it to the
datafiles directory. Name the data source file exactly the same as the name you enter here and
include the exact number of columns you specify here.
• Load Externally Generated Index
Select this option if you have created an index on a remote computer using the Remote EDM Indexer. This option
is only available after you have defined and saved the profile. Profiles are loaded from the
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index directory (Windows) or
the /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index directory (Linux) on the
Enforce Server host.
Uploading exact data source files for EDM to the Enforce Server
8. If the first row of your data source contains Column Names, select Read first row as column names.
9. Specify the Error Threshold, which is the maximum percentage of rows that contain errors before indexing stops.
A data source error is either an empty cell, a cell with the wrong type of data, or extra cells in the data source. For
example, a name in a column for phone numbers is an error. If errors exceed a certain percentage of the overall data
source (by default, 5%), the system quits indexing and displays an indexing error message. The index is not created if
the data source has more invalid records than the error threshold value allows. Although you can change the threshold
value, more than a small percentage of errors in the data source can indicate that the data source is corrupt, is in an
incorrect format, or cannot be read. If you have a significant percentage of errors (10% or more), stop indexing and
cleanse the data source.
Preparing the exact data source file for indexing for EDM
10. Select the Column Separator Char (delimiter) that you have used to separate the values in the data source file. The
delimiters you can use are tabs, commas, or pipes.
11. Select one of the following encoding values for the content to analyze, which must match the encoding of your data
source:
• ISO-8859-1 (Latin-1) (default value)
Standard 8-bit encoding for Western European languages using the Latin alphabet.
• UTF-8
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
• UTF-16
Use this encoding for all languages that use the Unicode 4.0 standard (all single- and double-byte characters),
including those in East Asian languages.
NOTE
Make sure that you select the correct encoding. The system does not prevent you from creating an EDM
profile using the wrong encoding. The system only reports an error at run-time when the EDM policy
attempts to match inbound data. To make sure that you select the correct encoding, after you click Next,
verify that the column names appear correctly. If the column names do not look correct, you chose the wrong
encoding.
12. Click Next to go to the second Add Exact Data Profile screen.
13. The Field Mappings section displays the columns in the data source and the field to which each column is mapped in
the Exact Data Profile. Field mappings in existing Exact Data Profiles are fixed and, therefore, are not editable.
About using System Fields for data source validation with EDM
Mapping Exact Data Profile fields for EDM
Confirm that the column names in your data source are accurately represented in the Data Source Field column. If
you selected the Column Names option, the Data Source Field column lists the names in the first row of your data
source. If you did not select the Column Names option, the column lists Col 1, Col 2, and so on.
14. In the System Field column, select a field from the drop-down list for each data source field. This step is required if
you use a policy template, or if you want to check for errors in the data source.
For example, for a data source field that is called SOCIAL_SECURITY_NUMBER, select Social Security Number
from the corresponding drop-down list. The values in the System Field drop-down lists include all suggested fields for
all policy templates.
15. Optionally, specify and name any custom fields (that is, the fields that are not pre-populated in the System Field drop-
down lists). To do so, perform these steps in the following order:
• Click Advanced View to the right of the Field Mappings heading. This screen displays two additional columns
(Custom Name and Type).
• To add a custom system field name, go to the appropriate System Field drop-down list. Select Custom, and type
the name in the corresponding Custom Name text field.
• To specify a pattern type (for purposes of error checking), go to the appropriate Type drop-down list and select the
wanted pattern. To see descriptions of all available pattern types, click Description at the top of the column.
16. Check your field mappings against the suggested fields for the policy template you plan to use. To do so, go to the
Check Mappings Against drop-down list, select a template, and click Check now on the right.
The system displays a list of all template fields that you have not mapped. You can go back and map these fields now.
Alternatively, you may want to expand your data source to include as many expected fields as possible, and then re-
create the exact data profile. Symantec recommends that you include as many expected data fields as possible.
17. In the Indexing section of the screen, select one of the following options:
• Submit Indexing Job on Save
Select this option to begin indexing the data source when you save the exact data profile.
• Submit Indexing Job on Schedule
Select this option to index the data source according to a specific schedule. Make a selection from the Schedule
drop-down list and specify days, dates, and times as required.
About index scheduling for EDM
Scheduling Exact Data Profile indexing for EDM
18. Click Finish.
After Symantec Data Loss Prevention finishes indexing, it deletes the original data source from the Enforce Server.
After you index a data source, you cannot change its schema. If you change column mappings for a data source after
you index it, you must create a new exact data profile.
After the indexing process is complete you can create new Content Matches Exact Data conditions that can be added
to a rule that references the Exact Data Profile you have created.
Configuring the Content Matches Exact Data policy condition for EDM
Field / Description
Data Source Field: If you selected the Column Names option at the Add Exact Data Profile screen, this column lists the values that are found in the first row from the data source. If you did not select this option, this column lists the columns by generic names (such as Col 1, Col 2, and so on).
  Note: If you implement a data owner exception, you must map either or both the email address and domain fields.
  Configuring the Content Matches Exact Data policy condition for EDM
System Field: Select the system field for each column.
  A system field value (except None Selected) cannot be mapped to more than one column.
  Some system fields have system patterns associated with them (such as social security number) and some do not (such as last name).
  Using system-provided pattern validators for EDM profiles
Check mappings against policy template: Select a policy template from the drop-down list to compare the field mappings against and then click Check now.
  All policy templates that implement EDM appear in the drop-down menu, including any you have imported.
  Choosing an Exact Data Profile
  If you plan to use more than one policy template, select one and check it, and then select another and check it, and so on.
  If there are any fields in the policy template for which no data exists in the data source, a message appears listing the missing fields. You can save the profile anyway or use a different Exact Data Profile.
Advanced View: If you want to customize the schema for the exact data profile, click Advanced View to display the advanced field mapping options.
  Advanced View options for EDM lists and describes the additional columns you can specify in the Advanced View screen.
Indexing: Select one of the indexing options.
  Scheduling Exact Data Profile indexing for EDM
Finish: Click Finish when you are done configuring the Exact Data Profile.
From the Advanced View you map the system and data source fields to system patterns. System patterns map the
specified structure to the data in the Exact Data Profile and enable efficient error checking and hints for the indexer.
Field Description
Custom Name If you select Custom Name for a System Field, enter a unique name for it and then select a value for Type.
The name is limited to 60 characters.
Type If you select a value other than Custom for a System Field, some data types automatically select a value
for Type. For example, if you select Birth Date for the System Field, Date is automatically selected as the
Type. You can accept it or change it.
Some data types do not automatically select a value for Type. For example, if you select Account Number
for the System Field, the Type remains unselected. You can specify the data type of your particular account
numbers.
Using system-provided pattern validators for EDM profiles
Description Click the link (description) beside the Type column header to display a pop-up window containing the
available system data types.
Using system-provided pattern validators for EDM profiles
Simple View Click Simple View to return to the Simple View (with the Custom Name and Type columns hidden).
Type / Description
Credit Card Number: The Credit Card pattern is built around knowledge about various international credit cards, their registered prefixes, and the number of digits in account numbers. The following types of credit card patterns are validated: MasterCard, Visa, American Express, Diners Club, Discover, Enroute, and JCB.
  Optional spaces in designated areas within credit card numbers are recognized. Note that only spaces in generally accepted locations (for example, after every 4th digit in MC/Visa) are recognized, and that the possible location of spaces differs for different card types. Credit card numbers are validated using a checksum algorithm. If a number looks like a credit card number (that is, it has the correct number of digits and the correct prefix) but does not pass the checksum algorithm, it is not considered a credit card, but just a number.
Email: Email is a sequence of characters that looks like the following: string@string.tld, where string may contain letters, digits, underscore, dash, and dot, and 'tld' is one of the approved DNS top-level generic domains, or any two letters (for country domains).
IP Address: IP Address is a collection of 4 sequences of between 1 and 3 digits, separated by dots.
Number: Number is either a float or an integer, either by itself or in round brackets (parentheses).
Percent: Percent is a number immediately followed by the percent sign ("%"). No space is allowed between the number and the percent sign.
Phone: Only US and Canadian telephone numbers are recognized. The phone number must start with any digit but 1, with the exception of numbers that include a country code.
  A phone number can be in one of the following formats:
  • 7 digits (no spaces or dashes)
  • Same as above, preceded by 3 digits, or by 3 digits in round brackets, followed by spaces or dashes
  • 3 digits, followed by optional spaces or dashes, followed by 4 digits
  • Same as above, preceded by the number 1, followed by spaces or dashes
  All of these cases can be optionally followed by an extension number, preceded by spaces or dashes. The extension number is 2 to 5 digits preceded by any of the following (case insensitive): 'x' 'ex' 'ext' 'exten' 'extens' 'extensions', optionally followed by a dot and spaces.
  Note: The system does not recognize the pattern XXX-XXX-XXXX as a valid phone number format because this format is frequently used in other forms of identification. If your data source contains a column of phone numbers in that format, select None Selected to avoid confusion between phone numbers and other data.
Postal Code: Only US ZIP codes and Canadian Postal Codes are recognized. The US ZIP code is a sequence of 5 digits, optionally followed by a dash and another 4 digits. The Canadian Postal Code is a sequence like K2B 8C8, that is, "letter-digit-letter-space-digit-letter-digit", where the space(s) in the middle are optional.
Social Security Number: Only US Social Security Numbers are recognized. The SOCIAL SECURITY NUMBER is 3 digits, optionally followed by spaces or dashes, followed by 2 digits, optionally followed by spaces or dashes, followed by 4 digits.
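The pattern types in the table above, together with the Error Threshold rule from the profile procedure (an empty cell, a cell of the wrong type, or extra cells counts as a row error, and indexing stops once the percentage of error rows exceeds the threshold), as an added Python example that is not Symantec's implementation. The card prefix/length table is a subset (Visa, MasterCard, American Express) assumed for the example, the Phone pattern is omitted, and all sample rows are constructed:

```python
"""Validators for the system pattern types described above, plus the error-threshold
rule applied at indexing time. Added example, not Symantec's implementation; the card
prefix/length table is a subset (Visa, MasterCard, American Express) assumed here, and
the Phone pattern is omitted. All sample rows are constructed."""
import re

SSN_RE = re.compile(r"^\d{3}[ -]*\d{2}[ -]*\d{4}$")        # 3 digits, 2 digits, 4 digits
US_ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")                # 5 digits, optional -4 digits
CA_POSTAL_RE = re.compile(r"^[A-Za-z]\d[A-Za-z] *\d[A-Za-z]\d$")  # K2B 8C8, space optional
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")            # four 1-3 digit groups, dotted
EMAIL_RE = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.(?:com|net|org|edu|gov|mil|int|[A-Za-z]{2})$")
PERCENT_RE = re.compile(r"^-?\d+(\.\d+)?%$")               # no space before the % sign
# Spaces are accepted only at the generally accepted positions for each card type.
CARD_RES = [
    ("Visa", re.compile(r"^(4\d{3} ?\d{4} ?\d{4} ?\d{4}|4\d{12})$")),
    ("MasterCard", re.compile(r"^5[1-5]\d{2} ?\d{4} ?\d{4} ?\d{4}$")),
    ("American Express", re.compile(r"^3[47]\d{2} ?\d{6} ?\d{5}$")),
]

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_credit_card(value):
    """Prefix and digit count must match a known card and the checksum must pass;
    otherwise the value is 'just a number', as the table says."""
    if not any(p.match(value) for _, p in CARD_RES):
        return False
    return luhn_ok(value.replace(" ", ""))

VALIDATORS = {
    "Social Security Number": lambda v: bool(SSN_RE.match(v)),
    "Credit Card Number": is_credit_card,
    "Postal Code": lambda v: bool(US_ZIP_RE.match(v) or CA_POSTAL_RE.match(v)),
    "IP Address": lambda v: bool(IP_RE.match(v)),
    "Email": lambda v: bool(EMAIL_RE.match(v)),
    "Percent": lambda v: bool(PERCENT_RE.match(v)),
    "None Selected": lambda v: True,  # no pattern: only empty cells count as errors
}

def count_index_errors(header, rows, types, error_threshold=5.0):
    """A row is an error if it has an empty cell, a cell that fails its mapped pattern,
    or a different number of cells than the header. Returns (error_rows, error_pct,
    indexing_stops); indexing stops when the error percentage exceeds the threshold."""
    error_rows = 0
    for row in rows:
        bad = len(row) != len(header)
        for name, cell in zip(header, row):
            if cell == "" or not VALIDATORS[types[name]](cell):
                bad = True
        error_rows += bad
    pct = 100.0 * error_rows / len(rows) if rows else 0.0
    return error_rows, pct, pct > error_threshold

# Constructed sample: three clean rows, then a bad SSN with a failed card checksum,
# an empty cell with a bad ZIP, and a row with an extra cell.
HEADER = ["SSN", "CARD", "EMAIL", "ZIP"]
TYPES = {"SSN": "Social Security Number", "CARD": "Credit Card Number",
         "EMAIL": "Email", "ZIP": "Postal Code"}
ROWS = [
    ["123-45-6789", "4111 1111 1111 1111", "john_smith@example.com", "90210"],
    ["987 65 4321", "5500000000000004", "jane.doe@example.org", "K2B 8C8"],
    ["111223333", "378282246310005", "a-b@example.co", "12345-6789"],
    ["12-345-6789", "4111111111111112", "bob@example.com", "90210"],
    ["", "4111111111111111", "ann@example.com", "ABCDE"],
    ["222-33-4444", "4111111111111111", "eve@example.com", "10001", "extra"],
]

if __name__ == "__main__":
    print(count_index_errors(HEADER, ROWS, TYPES))  # (3, 50.0, True)
```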
Table 450: Scheduling indexing for Exact Data Profiles for EDM
Parameter / Description
Submit Indexing Job on Save: Select this option to index the Exact Data Profile when you click Save.
Submit Indexing Job on Schedule: Select this option to schedule an indexing job. The default option is No Regular Schedule. If you want to index according to a schedule, select a desired schedule period, as described.
Index Once:
  On – Enter the date to index the document profile in the format MM/DD/YY. You can also click the date widget and select a date.
  At – Select the hour to start indexing.
By Minute:
  Every – Select the minute frequency to start indexing.
  Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.
Hourly:
  Every – Select the hour to start indexing.
  Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.
Index Weekly:
  Day of the week – Select the day(s) to index the document profile.
  At – Select the hour to start indexing.
  Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.
Index Monthly:
  Day – Enter the number of the day of each month you want the indexing to occur. The number must be 1 through 28.
  At – Select the hour to start indexing.
  Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.
Action / Description
Add EDM profile: Click Add Exact Data Profile to define a new Exact Data Profile.
  Configuring Exact Data profiles for EDM
Edit EDM profile: To modify an existing Exact Data Profile, click the name of the profile, or click the pencil icon at the far right of the profile row.
  Creating and modifying Exact Data Profiles for EDM
Remove EDM profile: Click the red X icon at the far right of the profile row to delete the Exact Data Profile from the system. A dialog box confirms the deletion.
  Note: You cannot edit or remove a profile if another user currently modifies that profile, or if a policy exists that depends on that profile.
Download EDM profile: Click the download profile link to download and save the Exact Data Profile.
  This is useful for archiving and sharing profiles across environments. The file is in the binary *.edm format.
Refresh EDM profile status: Click the refresh arrow icon at the upper right of the Exact Data screen to fetch the latest status of the indexing process.
  If you are in the process of indexing, the system displays the message "Indexing is starting." The system does not automatically refresh the screen when the indexing process completes.
Configuring the Content Matches Exact Data policy condition for EDM
Once you have defined the Exact Data Profile and indexed the data source, you configure one or more Content Matches
Exact Data conditions in policy rules.
About the Content Matches Exact Data From condition for EDM
Table 453: Configure the Content Matches Exact Data policy condition for EDM
Step – Action – Description
1. Configure an EDM policy detection rule. – Create a new EDM detection rule in a policy, or modify an existing EDM rule.
    Configuring policies
    Configuring Policy Rules
    Match Data Rows when All of these match
2. Select the fields to match. – When you configure the EDM condition, first select each data field that you want the condition to match. You can select all or deselect all fields at once. The system displays all the fields or columns that were included in the index. You do not have to select all the fields; you should select at least 2 or 3 fields. One of the fields must be unique, such as social security number, credit card number, and so forth.
    Best practices for using EDM
3. Choose the number of selected fields to match. – Choose the number of the selected fields to match from the dropdown menu. This number represents the number of selected fields that must be present in a message to trigger a match. You must check at least as many fields as the number of fields you choose to match. For example, if you choose 2 of the selected fields from the menu, you must have checked at least two fields present in a message for detection.
    Ensure data source has at least one column of unique data (EDM)
4. Select the WHERE clause to enter specific field values to match (optional). – The WHERE clause option matches on the specified field value. You specify a WHERE clause value by selecting an exact data field from the menu and by entering a value for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
    Use a WHERE clause to detect records that meet specific criteria (EDM)
    For example, consider an Exact Data Profile for "Employees" with a "State" field containing state abbreviations. In this example, to implement the WHERE clause, you select (check) WHERE, choose "State" from the drop-down list, and enter CA,NV in the text box. This WHERE clause then limits the detection server to matching messages that contain either CA or NV as the value for the State field.
    Note: You cannot specify a field for WHERE that is the same as one of the selected matched fields.
7. Select an incident minimum. – Enter or modify the minimum number of matches required for the condition to report an incident.
    For example, consider a scenario where you specify 1 of the selected fields for a social security number field and an incident minimum of 5. In this situation, the engine must detect at least five matching social security numbers in a single message to trigger an incident.
    Match count variant examples (EDM)
8. Select components to match on. – Select one or more message components to match on:
    • Envelope – The header of the message.
    • Subject – (Not available for EDM.)
    • Body – The content of the message.
    • Attachments – The content of any files that are attached to the message or transported by the message.
    Selecting components to match on
9. Select one or more conditions to also match. – Select this option to create a compound rule. All conditions must match for the rule to trigger an incident. You can add any available condition from the list.
    Configuring compound rules
10. Test and troubleshoot the policy. – Test and tune policies to improve match accuracy
    Troubleshooting policies
NOTE
When you configure DOE for the EDM condition, you cannot select a value for Ignore Sender/Recipient that is the same as one of the matched fields.
About Data Owner Exception for EDM
Configuring the Sender/User based on a Directory from an EDM Profile condition describes the parameters for configuring the Sender/User based on a Directory from an EDM Profile condition.
Table 454: Configuring the Sender/User based on a Directory from an EDM Profile condition
Parameter – Description
Where – Select this option to have the system match on the specified field values. Specify the values by selecting a field from the drop-down list and typing the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
    For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing,Sales in the text box. If the condition is implemented as a rule, in this example a match occurs only if the sender or user works in Marketing or Sales (as long as the other input content meets all other detection criteria). If the condition is implemented as an exception, in this example the system excludes from matching any message from a sender or user who works in Marketing or Sales.
Is Any Of – Enter or modify the information you want to match. For example, if you want to match any sender in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.
Configuring the Recipient based on a Profiled Directory policy condition for EDM
The Recipient based on a Directory from condition lets you create detection methods based on the identity of the
recipient. This method requires an Exact Data Profile.
Creating the exact data source file for profiled DGM for EDM
After you select the Exact Data Profile, when you configure the rule, the directory you selected and the recipient
identifier(s) appear at the top of the page.
Configuring the Recipient based on a Directory from an EDM profile condition describes the parameters for configuring
Recipient based on a Directory from an EDM profile condition.
Table 455: Configuring the Recipient based on a Directory from an EDM profile condition
Parameter – Description
Where – Select this option to have the system match on the specified field values. Specify the values by selecting a field from the drop-down list and typing the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas.
    For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing, Sales in the text box. For a detection rule, this example causes the system to capture an incident only if at least one recipient works in Marketing or Sales (as long as the input content meets all other detection criteria). For an exception, this example prevents the system from capturing an incident if at least one recipient works in Marketing or Sales.
Is Any Of – Enter or modify the information you want to match. For example, if you want to match any recipient in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.
Introducing EDM token matching
Symantec Data Loss Prevention detection servers support natural language processing for Chinese, Japanese, and
Korean (CJK) in policies that use Exact Data Matching (EDM) detection. When natural language processing for CJK
languages is enabled, the detection server validates CJK tokens before reporting a match, which improves matching
accuracy.
Enable keyword token verification for CJK describes how to enable and use token verification for CJK keywords.
Enable EDM token verification for CJK
1. Log on to the Enforce Server as an administrative user.
2. Navigate to the System > Servers and Detectors > Overview > Server/Detector Detail - Advanced Settings
screen for the detection server you want to configure.
Advanced Server Settings
3. Locate the parameter EDM.TokenVerifierEnabled.
4. Change the value to true from false (default).
Setting the server parameter EDM.TokenVerifierEnabled = true enables token validation for CJK token detection.
5. Save the detection server configuration.
6. Recycle the detection server.
EDM parameter – Default – Description
EDM.SimpleTextProximityRadius – 35 – Provides the baseline range for proximity checking a matched token. This value is multiplied by the number of required matches to equal the complete proximity check range.
    To keep the same "required match density," the proximity check range behaves like a moving window in a text page. D is defined as the proportionality factor for the window and is set in the policy condition by choosing how many fields to match on for the EDM condition. N is the SimpleTextProximityRadius value. A number of tokens are in the proximity range if the first token is within N x D words from the last token. The proximity check range is directly proportional to the number of matches by a factor of D.
    Proximity matching example for EDM
    Note: Increasing the radius value higher than the default can negatively affect system performance and is not recommended.
Lexer.IncludePunctuationInWords – true – If true, during detection punctuation characters are considered as part of a token. If false, during detection punctuation within a token or multi-token is treated as white space.
    Multi-token with punctuation (EDM)
    Note: This setting applies to detection content, not to indexed content.
Lexer.MaximumNumberOfTokens – 30000 – Maximum number of tokens extracted from each message component for detection. Applicable to all detection technologies where tokenization is required (EDM, profiled DGM, and the system patterns supported by those technologies). Increasing the default value may cause the detection server to run out of memory and restart.
Lexer.Validate – true – If true, performs system pattern-specific validation during indexing. Setting this to false is not recommended.
    Using system-provided pattern validators for EDM profiles
MessageChain.NumChains – Varies – This number varies depending on detection server type. It is either 4 or 8. The number of messages, in parallel, that the filereader processes. Setting this number higher than 8 (with the other default settings) is not recommended. A higher setting does not substantially increase performance and there is a much greater risk of running out of memory. Setting this to less than 8 (in some cases 1) helps when processing big files, but it may slow down the system considerably.
NOTE
Maximum tokens per multi-token and stopwords are calculated and evaluated respectively during indexing. The Lexer.MaxTokensPerMultiToken and Lexer Stopword Languages Advanced Server settings are no longer necessary. The stopword language on the Enforce Server is specified in the indexer.properties file at C:\Program Files\Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\config\Indexer.properties. In English, the property is stopword_languages = en.
Memory requirements for EDM
Characteristic – Description
• The number of tokens in a single cell is limited to 200 tokens. The number of characters is not limited. In the case of a CJK token, each character is treated as a single token and the number of CJK characters is limited to 200 characters.
• Whitespace in Latin multi-token cells is considered, but multiple whitespaces are normalized to 1. – Multi-token with spaces (EDM)
• Punctuation immediately preceding and following a token or sub-token is always ignored. – Multi-token with punctuation (EDM); Additional examples for multi-token cells with punctuation (EDM)
• You can configure how punctuation within a token or multi-token is treated during detection. For most cases the default setting ("true") is appropriate. If set to "false," punctuation is treated as whitespace. – Lexer.IncludePunctuationInWords = true; Configuring Advanced Settings for EDM policies
• For proximity range checking the sub-token parts of a multi-token are counted as single tokens. – Proximity matching example for EDM
• The system does not consider stopwords when matching multi-tokens. In other words, stopwords are not excluded. – Multi-token with stopwords (EDM)
• Multi-tokens are more computationally expensive than single tokens and require additional memory for indexing, loading, and processing. – Memory requirements for EDM
Description – Indexed content – Detected content – Explanation
• Cell contains space – Bank of America – Bank of America – Cell with spaces is multi-token. Multi-token must match exactly.
• Cell contains multiple spaces – Bank of America – Bank of America – Multiple spaces are normalized to one.
• Cell contains space between CJK characters – 傠傫 傠傫 – 傠傫 傠傫; 傠傫傠傫 – White spaces between CJK characters are ignored.
• Cell contains space between Latin and CJK characters – EDM 傠傫 – EDM 傠傫; EDM傠傫 – White spaces between Latin and CJK characters are ignored.
\16.0.10000\config\stopwords), as well as single letters. However, when creating multi-tokens, stopwords and single letters are not ignored. Instead, they are part of the multi-token.
Cell contains stopwords or single letter or single digit (EDM) shows multi-token matches with stopwords, single letters, and single digits.
Table 461: Cell contains stopwords or single letter or single digit (EDM)
Description – Indexed content – Detected content – Explanation
• Cell contains stopword. – throw other ball – throw other ball – Common word ("other") is filtered out during indexing but not when it is part of a multi-token.
• Cell contains single letter. – throw a ball – throw a ball – Single letter ("a") is filtered out, but not when it is part of a multi-token.
• Cell contains single digit. – throw 1 ball – throw 1 ball – Unlike single-letter words that are stopwords, single digits are never ignored.
Table 462: Multi-token cell with Latin and CJK characters examples (EDM)
Description – Indexed content – Detected content – Explanation
• Cell includes Latin and CJK characters with no spaces. – ABC傠傫; 傠傫ABC – ABC傠傫; 傠傫ABC. Also matches with: ABC 傠傫; 傠傥 ABC – Mixed Latin-CJK cell is multi-token. Whitespace between Latin and CJK characters is ignored. EDM ignores whitespace between the Latin characters and the CJK token.
• Cell includes Latin and CJK with one or more spaces. – ABC 傠傫; 傠傥 ABC – ABC 傠傫; 傠傥 ABC. Also matches with: ABC傠傫; 傠傫ABC – Multiple spaces are ignored.
• Cell contains Latin or CJK with numbers. – 什仁 仂仃 仄仅 仇仈仉 147(什仂仅 51-1) – 什仁 仂仃 仄仅 仇仈仉 147(什仂仅 51-1) – Single-token cell.
NOTE
For convenience purposes the Lexer.IncludePunctuationInWords parameter is referred to by the three-letter
acronym "WIP" throughout this section.
The WIP setting operates at detection-time to alter how matches are reported. For most EDM policies you should not
change the WIP setting. For a few limited situations, such as account numbers or addresses, you may need to set
IncludePunctuationInWords = false depending on your detection requirements.
Indexed content – Detected content – WIP setting – Match – Explanation
• a.b – a.b – TRUE – Yes – The indexed content and the detected content are exactly the same.
• a.b – a.b – FALSE – No – The detected content is treated as "a b" and is therefore not a match.
• a.b – ab – TRUE – No – The indexed content and the detected content are different.
• a.b – ab – FALSE – No – The indexed content and the detected content are different.
• ab – a.b – TRUE – No – The indexed content and the detected content are different.
• ab – a.b – FALSE – Yes – The detected content is treated as "a b" and is therefore a match.
• ab – ab – TRUE – Yes – The indexed content and the detected content are exactly the same.
• ab – ab – FALSE – Yes – The indexed content and the detected content are exactly the same.
Table 464: Additional use cases for multi-token cells with punctuation (EDM)
Description – Indexed content – Detected content – Explanation
• Cell contains a physical address with punctuation. – 346 Guerrero St., Apt. #2 – 346 Guerrero St., Apt. #2; 346 Guerrero St Apt 2 – The indexed content is a multi-token cell. Both match because the punctuation comes at the beginning or end of the sub-token parts and is therefore ignored.
• Cell contains internal punctuation with no space before or after. – O'NEAL ST. – O'NEAL ST – The indexed content is a multi-token cell. Internal punctuation is included (assuming WIP is true), and leading or trailing punctuation is ignored (assuming there is a space delimiter after the punctuation).
• Cell contains Asian language characters (CJK) with indexed internal punctuation. – 傠傫##傠傫 – 傠傫##傠傫 (if WIP true) – The indexed content is a single token cell. During detection, Asian language characters (CJK) with internal punctuation are affected by the WIP setting. Thus, in this example 傠傫##傠傫 matches only if the WIP setting is true. If the WIP setting is false, 傠傫##傠傫 is considered a multi-token because the internal punctuation is treated as whitespace. Thus, no content can match.
• Cell contains Asian language characters (CJK) without indexed internal punctuation. – 傠傫 傠傫 – 傠傫 傠傫; 傠傫##傠傫 (if WIP false) – The indexed content is a multi-token cell. The detected content matches as indexed. If the WIP setting is false, the detected content matches 傠傫##傠傫 because internal punctuation is ignored.
• Cell contains mix of Latin and CJK characters with punctuation separating the Latin and Asian characters. – EDM##傠傫 – EDM 傠傫 – The indexed content is a multi-token cell. A cell with alternate Latin and CJK characters is always a multi-token and punctuation between Latin and Asian characters is always treated as a single white space regardless of the WIP setting.
• Cell contains mix of Latin and CJK characters with internal punctuation. – DLP##EDM 傠傫##傠傥 – DLP##EDM##傠傫##傠傥 (if WIP true); DLP##EDM 傠傫##傠傥 (if WIP true) – The indexed content is a multi-token cell. During detection, punctuation between the Latin and Asian characters is treated as a single whitespace and leading and trailing punctuation is ignored. If the WIP setting is true the punctuation internal to the Latin characters and internal to the Asian characters is retained. If the WIP setting is false, no content can match because internal punctuation is ignored.
• Cell contains mix of Latin and CJK characters with internal punctuation. – DLP EDM 傠傫 傠傥 – DLP EDM 傠傫 傠傥; DLP#EDM 傠傫#傠傥 (if WIP false); DLP#EDM##傠傫#傠傥 (if WIP false) – The indexed content is a multi-token cell. During detection, punctuation between the Latin and Asian characters is treated as a single whitespace and leading and trailing punctuation is ignored. Thus, it matches as indexed. If the WIP setting is false, it matches DLP;EDM##傠傫#傠傥 because internal punctuation is ignored.
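The following Python model is an added example, not code from the Symantec documentation or product: it applies the Latin-script normalization rules stated for multi-token cells (whitespace runs collapse to one, leading and trailing punctuation on a sub-token is dropped, internal punctuation is kept at index time and either kept or turned into whitespace at detection time depending on WIP) and compares an indexed cell with detected content. The function names are my own, and the CJK rules from the tables (whitespace between CJK characters ignored, punctuation between Latin and CJK treated as one space) are deliberately not modelled.

```python
import string

PUNCTUATION = set(string.punctuation)


def index_cell(cell: str) -> tuple[str, ...]:
    """Normalize a data-source cell the way the page describes indexing:
    runs of whitespace collapse to one (a cell with spaces is a multi-token),
    punctuation at the start or end of a sub-token is dropped, and punctuation
    inside a sub-token is kept. The WIP setting does not apply at index time."""
    parts = []
    for part in cell.split():
        stripped = part.strip(string.punctuation)
        if stripped:
            parts.append(stripped)
    return tuple(parts)


def detect_tokens(content: str, wip: bool) -> tuple[str, ...]:
    """Normalize detected content. With wip=True the rules match indexing.
    With wip=False punctuation inside a token is treated as whitespace first,
    so "a.b" becomes the two tokens "a" and "b"."""
    if not wip:
        content = "".join(" " if ch in PUNCTUATION else ch for ch in content)
    return index_cell(content)


def matches(indexed: str, detected: str, wip: bool) -> bool:
    """A multi-token must match exactly: the normalized detected content has to
    equal the indexed multi-token sub-token for sub-token."""
    return index_cell(indexed) == detect_tokens(detected, wip)


def wip_matrix(indexed: str, detected: str) -> dict[str, bool]:
    """Outcome under both WIP settings, for checking a cell before deployment."""
    return {"wip_true": matches(indexed, detected, True),
            "wip_false": matches(indexed, detected, False)}


if __name__ == "__main__":
    # Cells taken from the tables above; the model reproduces their Latin rows.
    for indexed, detected in [("a.b", "a.b"), ("a.b", "ab"), ("ab", "ab"),
                              ("346 Guerrero St., Apt. #2", "346 Guerrero St Apt 2"),
                              ("O'NEAL ST.", "O'NEAL ST")]:
        print(f"{indexed!r:30} {detected!r:30} {wip_matrix(indexed, detected)}")
```

One row of the WIP table, "ab" indexed against "a.b" detected with WIP false, is reported there as a match; this simple whitespace model does not produce it, because after splitting neither "a" nor "b" equals "ab". That row is a good reason to follow the CAUTION below and verify the cells that matter to you against a real detection server before settling on a WIP value.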
cell contents conforms to one of the system-recognized patterns, the punctuation rules for that pattern apply and the WIP
setting does not.
Do not use the comma delimiter if the data source has number fields (EDM)
Some special use cases for system-recognized data patterns (EDM) lists and describes examples for detecting system-
recognized data patterns.
CAUTION
This list is not exhaustive. It is provided for informational purposes only to ensure that you are aware that data
that matches system-defined patterns takes precedence and the WIP setting is ignored. Before deploying your
EDM policies into production, you must test detection accuracy and adjust the index accordingly to ensure that
the data that you have indexed matches as expected during detection.
Table 465: Some special use cases for system-recognized data patterns (EDM)
Punctuation name – Character representation
Apostrophe – '
Tilde – ~
Exclamation point – !
Ampersand – &
Dash – -
Single quotation mark – '
Double quotation mark – "
Period (dot) – .
Question mark – ?
At sign – @
Dollar sign – $
Percent sign – %
Asterisk – *
Caret symbol – ^
Open parenthesis – (
Close parenthesis – )
Open bracket – [
Close bracket – ]
Open brace – {
Close brace – }
Forward slash – /
Back slash – \
Pound sign – #
Equal sign – =
Plus sign – +
Inbound message contents – Match count variant – Number of matches – Explanation
• Kathy Stevens 123-45-6789
    Variant 1 – 3 – Records matched in the profile: first name, last name, and SSN.
    Variant 2 – 1 – Number of unique token sets matched.
    Variant 3 – 1 – Number of unique supersets of token sets.
• Kathy Stevens 123-45-6789 1111-1111-1111-1111 Kathy Stevens 123-45-6789
    Variant 1 – 3
    Variant 2 – 1 if EDM.HighlightAllMatchesInProximity = false (default); 2 if EDM.HighlightAllMatchesInProximity = true
    Variant 3 – 1
    If EDM.HighlightAllMatchesInProximity = false, EDM matches the left-most tokens for each profile data row. The token set for each row is as follows:
    Row # 1: Kathy Stevens 123-45-6789
    Row # 2: Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789
    If EDM.HighlightAllMatchesInProximity = true, EDM matches all tokens within the proximity window. The token set for each row is as follows:
    Row # 1: Kathy Stevens 123-45-6789 1111-1111-1111-1111 Kathy Stevens 123-45-6789
    Row # 2: Kathy Stevens 123-45-6789 Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789 Kathy Stevens 123-45-6789
• 1111-1111-1111-1111 Kathy Stevens 123-45-6789
    Variant 1 – 3
    Variant 2 – 2
    Variant 3 – 2 if EDM.HighlightAllMatchesInProximity = false (default); 1 if EDM.HighlightAllMatchesInProximity = true
    If EDM.HighlightAllMatchesInProximity = false, EDM matches the left-most tokens for each profile data row. The token set for each row is as follows:
    Row # 1: 1111-1111-1111-1111 Kathy Stevens
    Row # 2: Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789
    If EDM.HighlightAllMatchesInProximity = true, EDM matches all tokens within the proximity window. The token set for each row is as follows:
    Row # 1: 1111-1111-1111-1111 Kathy Stevens 123-45-6789
    Row # 2: Kathy Stevens 123-45-6789
    Row # 3: Kathy Stevens 123-45-6789
For example, assuming the default radius of 35 and a policy set to match 3 out of 4 column fields, the proximity range is 105 tokens (3 x 35). If the policy matches 2 out of 3, the proximity range is 70 tokens (35 x 2).
WARNING
While you can decrease the value of the proximity radius, Symantec does not recommend increasing this value beyond the default (35). Doing so may cause performance issues.
Configuring Advanced Settings for EDM policies
Proximity example for EDM shows a proximity matching example that is based on the default proximity radius setting. In this example, the detected content produces one unique token set match, described as follows:
• The proximity range window is 105 tokens (35 x 3).
• The proximity range window starts at the leftmost match ("Stevens") and ends at the rightmost match ("123-45-6789").
• The total number of tokens from "Stevens" to the SSN (including both) is 105 tokens.
• The stopwords "other" and "a" are counted for proximity range purposes.
• "Bank of America" is a multi-token. Each sub-token part of a multi-token is counted as a single token for proximity purposes.
Profile data (Last_Name | Employer | SSN): Stevens | Bank of America | 123-45-6789
Condition: Match 3 of 3
Radius: 35 tokens (default)
Detected content:
Zendrerit inceptors Kathy Stevens lorem ipsum pharetra convallis leo suscipit ipsum sodales rhoncus, vitae dui nisi volutpat augue maecenas in, luctus id risus magna arcu maecenas leo quisque. Rutrum convallis tortor urna morbi elementum hac curabitur morbi, nunc dictum primis elit senectus faucibus convallis surfrent. Aptentnour gravida adipiscing iaculis himenaeos, himenaeos a porta etiam viverra. Class torquent uni other tristique cubilia in Bank of America. Dictumst lorem eget ipsum. Hendrerit inceptos other sagittis quisque. Leo mollis per nisl per felis, nullam cras mattis augue turpis integer pharetra convallis suscipit hendrerit? Lubilia en mictumst horem eget ipsum. Inceptos urna sagittis quisque dictum odio hendrerit convallis suscipit ipsum wrdsrf 123-45-6789.
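To make the N x D rule from the EDM.SimpleTextProximityRadius description and the proximity example above concrete, here is an added Python example (not code from the Symantec documentation or product). It tokenizes the detected content of the example, locates the profile row's cells (treating "Bank of America" as an exact multi-token whose sub-tokens each count as one token) and checks whether a set of D matched cells fits inside a window of N x D tokens. The tokenizer assumes whitespace splitting with leading and trailing punctuation dropped and stopwords kept, as the bullets above state; the function names are my own.

```python
import itertools
import string
from typing import Optional

DEFAULT_RADIUS = 35  # EDM.SimpleTextProximityRadius default (from the page)


def tokenize(text: str) -> list[str]:
    """Whitespace tokenization with punctuation dropped from the start and end
    of each token: "America." becomes "America" while "123-45-6789." keeps its
    internal dashes. Stopwords such as "other" and "a" are kept because the
    page says they count for proximity range purposes."""
    tokens = []
    for word in text.split():
        stripped = word.strip(string.punctuation)
        if stripped:
            tokens.append(stripped)
    return tokens


def proximity_range(required_matches: int, radius: int = DEFAULT_RADIUS) -> int:
    """N x D: the radius N multiplied by the number of fields D that must match."""
    return radius * required_matches


def find_cell(tokens: list[str], cell: str) -> Optional[tuple[int, int]]:
    """Locate one profile cell in the token stream. A cell with spaces is a
    multi-token and must match as an exact token sequence; each sub-token
    counts as one token. Returns (first_index, last_index) or None."""
    parts = tokenize(cell)
    width = len(parts)
    for i in range(len(tokens) - width + 1):
        if tokens[i:i + width] == parts:
            return i, i + width - 1
    return None


def matched_token_sets(tokens: list[str], cells: list[str], required_matches: int,
                       radius: int = DEFAULT_RADIUS) -> list[tuple[tuple[str, ...], int]]:
    """Every combination of `required_matches` cells whose occurrences fit in one
    proximity window, returned as (cells, span) pairs. The span is the token
    count from the leftmost matched token to the rightmost one, inclusive."""
    hits = {cell: find_cell(tokens, cell) for cell in cells}
    found = [cell for cell in cells if hits[cell] is not None]
    window = proximity_range(required_matches, radius)
    result = []
    for combo in itertools.combinations(found, required_matches):
        first = min(hits[cell][0] for cell in combo)
        last = max(hits[cell][1] for cell in combo)
        span = last - first + 1
        if span <= window:
            result.append((combo, span))
    return result


def within_proximity(tokens: list[str], cells: list[str], required_matches: int,
                     radius: int = DEFAULT_RADIUS) -> bool:
    """True when at least one token set satisfies the proximity check."""
    return bool(matched_token_sets(tokens, cells, required_matches, radius))


# Profile row and detected content taken from the page's proximity example.
PROFILE_ROW = ["Stevens", "Bank of America", "123-45-6789"]
DETECTED_CONTENT = (
    "Zendrerit inceptors Kathy Stevens lorem ipsum pharetra "
    "convallis leo suscipit ipsum sodales rhoncus, vitae dui nisi "
    "volutpat augue maecenas in, luctus id risus magna arcu "
    "maecenas leo quisque. Rutrum convallis tortor urna morbi "
    "elementum hac curabitur morbi, nunc dictum primis elit "
    "senectus faucibus convallis surfrent. Aptentnour gravida "
    "adipiscing iaculis himenaeos, himenaeos a porta etiam "
    "viverra. Class torquent uni other tristique cubilia in Bank of "
    "America. Dictumst lorem eget ipsum. Hendrerit inceptos "
    "other sagittis quisque. Leo mollis per nisl per felis, nullam "
    "cras mattis augue turpis integer pharetra convallis suscipit "
    "hendrerit? Lubilia en mictumst horem eget ipsum. Inceptos "
    "urna sagittis quisque dictum odio hendrerit convallis suscipit "
    "ipsum wrdsrf 123-45-6789."
)

if __name__ == "__main__":
    tokens = tokenize(DETECTED_CONTENT)
    print(proximity_range(3))                            # 105
    print(matched_token_sets(tokens, PROFILE_ROW, 3))    # one token set spanning 105 tokens
    print(within_proximity(tokens, PROFILE_ROW, 3, 34))  # False: window 102 < 105
```

Lowering the radius to 34 shrinks the window to 102 tokens and the example stops matching, which is the behaviour to expect when tuning the radius downward; matching 2 of 3 fields still succeeds because "Stevens" and "Bank of America" sit 62 tokens apart, inside the 70-token window.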
Update process using the Remote EDM Indexer
• You already have a data source file that is current and cleansed that you can copy to the upgraded Enforce Server for indexing.
Update process using the Enforce Server for EDM
Step – Action – Description
7. Update the EDM profile by loading the latest version of the index. – Copy the *.pdx and *.rdx files from the remote host to the latest Enforce Server host file system. Load the index into the EDM profile you created in Step 2.
    Copying and loading remote EDM index files to the Enforce Server
8. Upgrade one or more EDM detection servers to the latest version. – Once you have created the latest-version compliant EDM profiles and upgraded the Enforce Server, you can then upgrade the detection servers. See Upgrading to a new release. Make sure that you have calculated and verified the memory requirements for loading and processing multi-token indexes on the detection server.
    Memory requirements for EDM
9. Test and verify the updated index. – To test the upgraded system and updated index, you can create a new policy that references the updated index.
10. Remove out-of-date EDM indexes. – Once you have verified the new EDM index and policy, you can retire the legacy EDM index and policy.
Step – Action – Description
5. Calculate the memory that is required to load and process the index at run-time. Adjust the memory settings for each EDM detection server host. – You need to calculate how much RAM the detection server requires to load and process the index at run-time. These calculations are required for each EDM index you want to deploy and the memory adjustments are cumulative.
    Memory requirements for EDM
6. Upgrade the EDM detection servers to the latest version. – See Upgrading DLP. Once you have created the latest-version-compliant EDM profile you can then upgrade the detection servers. Make sure that you have calculated and verified the memory requirements for loading and processing multi-token indexes on the detection server.
    Memory requirements for EDM
7. Test and verify the updated index. – To test the upgraded system and updated index, you can create a new policy that references the updated index.
8. Remove out-of-date EDM indexes. – Once you have verified the new EDM index and policy, you can retire the legacy EDM index and policy.
Remote EDM indexing
Enforce Server error event – 2928 – One or more profiles are out of date and must be reindexed.
    Updating EDM indexes to the latest version
    Memory requirements for EDM
Enforce Server error event detail – 2928 – Check the Manage > Data Profiles > Exact Data page for more details. The following EDM profiles are out of date: Profile X, Profile XY, and so on.
System Event error – 2928 – One or more profiles are out of date and must be reindexed.
Exact Data Profile error – N/A – This profile is out of date, and must be reindexed.
About memory requirements for EDM
The memory requirements for EDM are related to several factors, including:
• Number of indexes you are building
• Total size of the indexes
• Number of cells in each index
• Number of message chains
These size limitations apply to EDM indexes:
• The maximum number of rows supported is 4,294,967,294.
• The maximum number of supported cells is 6 billion.
Workflow for determining memory requirements for EDM indexes gives an overview of the steps that you can follow to
determine and set memory requirements for EDM.
Table 472: Workflow for determining memory requirements for EDM indexes
1. Determine the memory that is required to index the data source. – Overview of configuring memory and indexing the data source for EDM
2. Increase the indexer memory according to your calculations. – Determining requirements for both local and remote indexers for EDM
3. Determine the memory that is required to load the index on the detection server. – Detection server memory requirements for EDM
4. Increase the detection server memory according to your calculations. – Increasing the memory for the detection server (File Reader) for EDM
5. Repeat for each EDM index you want to deploy.
Determining requirements for both local and remote indexers for EDM
This topic provides an overview of memory requirements for both the EDM indexer that is local to the Symantec Data Loss Prevention Enforce Server and for the Remote EDM Indexer.
With the default settings, both EDM indexers can index any data source with 500 million cells or less. For any data source with more than 500 million cells, an additional 3 bytes per cell is needed to index the data source.
You can schedule indexing for multiple indexes serially (at different times) or in parallel (at the same time). When indexing serially, you need to allocate memory to accommodate the indexing of the biggest index. When indexing in parallel, you need to allocate memory to accommodate the indexing of all indexes that you are creating at that time.
Serial indexing
If you create the indexes serially (no two are created in parallel), the memory requirement for the biggest index is:
(2 billion cells – 0.5 billion default) x 3 bytes = 4.5 GB, rounded to 5 GB additional memory.
This memory requirement includes the 2 GB (2048 MB) default memory for the Enforce Server and the 5 GB additional system memory.
Examples for indexer memory requirements-serial indexing for EDM provides examples for how the data source size affects indexer memory requirements for serial indexes.
Table 473: Examples for indexer memory requirements-serial indexing for EDM
Data source size – Indexer memory requirement – Description
100 million cells – 2048 MB (default) – No additional RAM is needed for the indexer.
500 million cells – 2048 MB (default) – No additional RAM is needed for the indexer.
1 billion cells – 4 GB – If you have a single data source with 1 billion cells (for example, 10 columns by 100 million rows), you need extra system memory for 0.5 billion cells (1 billion cells – 0.5 billion default): 0.5 billion x 3 bytes, or 1.5 GB of RAM (rounded to 2 GB) to index the data source. This amount is added to the default indexer RAM allotment.
2 billion cells – 7 GB – If you have a single data source with 2 billion cells (for example, 10 columns by 200 million rows), you need extra system memory for 1.5 billion cells (2 billion cells – 0.5 billion default): 1.5 billion x 3 bytes, or 4.5 GB of RAM (rounded to 5 GB) to index the data source.
Overview of configuring memory and indexing the data source for EDM
Memory requirements for indexing the data source for EDM provides the steps for determining how much memory is needed to index the data source.
Table 474: Memory requirements for indexing the data source for EDM
Step – Action – Details
1. Estimate the memory requirements for the indexer. – Determining requirements for both local and remote indexers for EDM
2. Increase the indexer memory. – The next step is to increase the memory allocated to the indexer. The procedure for increasing the indexer memory differs depending on whether you are using the EDM indexer local to the Enforce Server or the Remote EDM Indexer.
    Increasing the memory for the Enforce Server EDM indexer
    Increasing the Memory for the Remote EDM Indexer
3. Restart the Symantec DLP Manager service. – You must restart this service after you have changed the memory allocation.
4. Index the data source. – The last step is to index the data source. You need to do this before you calculate remaining memory requirements.
    Configuring Exact Data profiles for EDM
    Overview of configuring memory and indexing the data source for EDM
To deploy the *.vmoptions file, copy it to the following locations:
For Linux: /opt/Symantec/DataLossPrevention/Indexer/16.0.10000/Protect/bin/RemoteEDMIndexer.vmoptions
For Windows: \Program Files\Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\bin\RemoteEDMIndexer.exe.vmoptions
Generating remote index files for EDM
Detection server memory requirements for EDM
The detection server should not use more than 60% of the memory of the computer. For example, if your detection server
needs 6 GB memory to run, make sure you have 10 GB on that server.
Default configuration for a detection server
The default configuration for a detection server has 4 GB and 8 message chains. See the following formulas and EDM
detection server Java heap memory settings and additional system memory examples to determine how to calculate
your actual memory requirements. In addition, you can use the provided spreadsheet,
EDM_Memory_Requirements_Spreadsheet.zip, to determine your actual memory requirements.
To load the index, the detection server needs 13 bytes per cell for system memory plus 1 GB Java heap memory for each
message chain in the detection server. The following examples show scenarios for a customer who has three indexes that
are all under the same schedule.
For Java heap memory requirements, the formula is:
Java heap memory requirement = the number of message chains * 1 GB.
For system memory requirements, the general formula is:
System memory requirement = number of cells * 13 bytes.
Detection Server memory settings for EDM
The Advanced Server Settings property for the number of message chains is MessageChain.NumChains.
The Java heap memory settings for a detection server are set in the Enforce Server administration console at the Server
Detail - Advanced Server Settings page, using the BoxMonitor.FileReaderMemory property. The format is -Xrs
-Xms1200M -Xmx4G. You do not need to change the system memory setting, but make sure that the detection server has
enough free memory available.
NOTE
When you update this setting, only change the -Xmx value in this property. For example, only change "4G" to a
new value, and leave all other values the same.
The examples in EDM detection server Java heap memory settings and additional system memory examples show the
settings for five different situations.
Table 475: EDM detection server Java heap memory settings and additional system memory examples
Increasing the memory for the detection server (File Reader) for EDM
This topic provides instructions for increasing the File Reader memory allocation for a detection server. These instructions
assume that you have performed the necessary calculations.
To increase the memory for detection server processing
1. In the Enforce Server administration console, navigate to the Server Detail - Advanced Server Settings screen for
the detection server where the EDM index is deployed or to be deployed.
2. Locate the following setting: BoxMonitor.FileReaderMemory.
3. Change the -Xmx4G value in the following string to match the calculations you have made.
-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M
For example: -Xrs -Xms1200M -Xmx11G -XX:PermSize=128M -XX:MaxPermSize=256M
4. Save the configuration and restart the detection server.
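The following calculator is an added example, not Symantec code or a tool shipped with the product. It applies the formulas on this page (13 bytes of system memory per indexed cell, 1 GB of Java heap per message chain, and the rule that the detection server may use at most 60% of host RAM) and then rewrites only the -Xmx token of the BoxMonitor.FileReaderMemory string, as the NOTE above requires, refusing a heap smaller than the existing -Xms. The three index sizes in demo() are constructed, not measured.

```python
"""Added example (not Symantec code): size a detection server for EDM with the
formulas on this page and rewrite only the -Xmx token of
BoxMonitor.FileReaderMemory. Profile sizes in demo() are constructed."""
import math
import re

GB = 1024 ** 3
BYTES_PER_CELL = 13      # system memory per cell of a loaded index
HEAP_PER_CHAIN_GB = 1    # Java heap per message chain
MAX_HOST_FRACTION = 0.6  # the detection server may use at most 60% of host RAM
DEFAULT_FILE_READER_MEMORY = "-Xrs -Xms1200M -Xmx4G -XX:PermSize=128M -XX:MaxPermSize=256M"


def index_cells(rows, columns):
    """Cells in one Exact Data Profile index: rows x columns."""
    return rows * columns


def edm_memory_gb(cells_per_index, message_chains):
    """Return (java_heap_gb, system_gb, host_gb), each rounded up to whole GB,
    for a detection server that loads all the indexes on the same schedule."""
    heap_gb = message_chains * HEAP_PER_CHAIN_GB
    system_gb = math.ceil(sum(cells_per_index) * BYTES_PER_CELL / GB)
    # heap + loaded index must stay within 60% of the machine's memory
    host_gb = math.ceil((heap_gb + system_gb) / MAX_HOST_FRACTION)
    return heap_gb, system_gb, host_gb


def _to_mb(size):
    """'1200M' -> 1200, '4G' -> 4096."""
    num, unit = int(size[:-1]), size[-1].upper()
    return num * 1024 if unit == "G" else num


def set_xmx(file_reader_memory, heap_gb):
    """Return the setting with only -Xmx replaced; -Xrs, -Xms and the PermSize
    options are left as they are. A heap smaller than -Xms is refused because
    the JVM rejects that combination at startup."""
    xms = re.search(r"-Xms(\d+[GgMm])", file_reader_memory)
    if xms and _to_mb(xms.group(1)) > heap_gb * 1024:
        raise ValueError("-Xmx must not be smaller than -Xms")
    new, count = re.subn(r"-Xmx\d+[GgMm]", f"-Xmx{heap_gb}G", file_reader_memory)
    if count != 1:
        raise ValueError("expected exactly one -Xmx option in the setting")
    return new


def demo():
    """Three indexes on one schedule (constructed sizes) and 8 message chains."""
    cells = [index_cells(50_000_000, 5),   # 250 M cells
             index_cells(20_000_000, 4),   #  80 M cells
             index_cells(10_000_000, 3)]   #  30 M cells
    heap, system, host = edm_memory_gb(cells, message_chains=8)
    return heap, system, host, set_xmx(DEFAULT_FILE_READER_MEMORY, heap)


if __name__ == "__main__":
    heap, system, host, setting = demo()
    print(f"Java heap: {heap} GB, index system memory: {system} GB, host RAM needed: {host} GB")
    print(f"BoxMonitor.FileReaderMemory = {setting}")
```

The host figure is what you check against the physical machine before saving the setting; the returned string is what you paste into BoxMonitor.FileReaderMemory before restarting the detection server.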
About the Remote EDM Indexer
The Remote EDM Indexer utility converts a data source file to an EDM index. The utility is similar to the local EDM Indexer
used by the Enforce Server. However, the Remote EDM Indexer is designed for use on a computer that is not part of the
Symantec Data Loss Prevention server configuration.
Using the Remote EDM Indexer to index a data source on a remote machine has the following advantages over
using the EDM Indexer on the Enforce Server:
• It enables the owner of the data, rather than the Symantec Data Loss Prevention administrator, to index the data.
• It shifts the system load that is required for indexing onto another computer. The CPU and RAM on the Enforce Server
are reserved for other tasks.
About the SQL Preindexer for EDM
Workflow for remote EDM indexing
Table 476: Steps to use the Remote EDM Indexer
Step 1: Install the Remote EDM Indexer on a computer that is not part of the Symantec Data Loss Prevention system. See Installing the Remote EDM Indexer.
Step 2: Create an Exact Data Profile on the Enforce Server to use with the Remote EDM Indexer. On the Enforce Server, generate an EDM Profile template using the *.edm file name extension and specifying the exact number of columns to be indexed. See Creating an EDM profile template for remote indexing.
Step 3: Copy the Exact Data Profile file to the computer where the Remote EDM Indexer resides. Download the profile template from the Enforce Server and copy it to the remote data source host computer. See Downloading and copying the EDM profile file to a remote system.
Step 4: Run the Remote EDM Indexer and create the index files. If you have a cleansed data source file, use the RemoteEDMIndexer with the -data, -profile and -result options. If the data source is an Oracle database, use the SqlPreindexer and the RemoteEDMIndexer to index the data source directly with the -alias (Oracle DB host), -username and -password credentials, and the -query string or -query_path file. See Generating remote index files for EDM.
Step 5: Copy the index files from the remote machine to the Enforce Server. Copy the resulting *.pdx and *.rdx files from the remote machine to the Enforce Server host at C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index. See Copying and loading remote EDM index files to the Enforce Server.
Step 6: Load the index files into the Enforce Server. Update the EDM profile by loading the externally generated index, then submit the profile for indexing. See Copying and loading remote EDM index files to the Enforce Server.
Step 7: Troubleshoot any problems that occur during the indexing process. Verify that indexing is started and completes. Check the system events for Code 2926 ("Created Exact Data Profile" and "Data source saved"). The ExternalDataSource.<name>.rdx and *.pdx files are removed from the index directory and replaced by the file DataSource.<profile id>.<version>.rdxver. See Troubleshooting remote indexing errors for EDM.
Step 8: Create a policy with an EDM condition. You should see the column data for defining the EDM condition. See Configuring the Content Matches Exact Data policy condition for EDM.
About installing and running the Remote EDM Indexer and SQL Preindexer
utilities
The Remote EDM Indexer is installed from the same installation program as the other Symantec Data Loss Prevention
components. The SQL Preindexer is installed automatically when you install the Remote EDM Indexer. Both utilities are
run from the command line and are stored at /opt/Symantec/DataLossPrevention/Indexer/15.7/Protect/bin.
Generating remote index files for EDM
To install the Remote EDM Indexer, copy the ProtectInstaller.exe (Windows) or the ProtectInstaller.sh
(Linux) file to the remote computer where the data to be indexed resides. When running the installer, choose to install the
"Indexer" only and no other components. The Linux installer for the Remote EDM Indexer is a program that you run from
the command console.
Installing the Remote EDM Indexer
Both the Remote EDM Indexer and the SQL Preindexer run from the command line. If you are on a Linux system, change
users to the “protect” user before running the SQL Preindexer. (The installation program creates the “protect” user.)
Generating remote index files for EDM
NOTE
For two- and three-tier Data Loss Prevention installations, you should not install the Remote EDM Indexer on the
same system that hosts a detection server.
10. Click Next to map the column headings from the data source to the profile.
11. In the Field Mappings section, map the Data Source Field to the System Field for each column by selecting the
column name from the System Field drop-down list.
The Data Source Field lists the number of columns you specified at the previous screen. The System Field contains
a list of standard column headings. If any of the column headings in your data source match the choices available in
the System Field list, map each accordingly. Be sure that you match the selection in the System Field column to its
corresponding numbered column in the Data Source Field.
For example, for a data source that you have specified in the profile as having three columns, the mapping
configuration may be:
12. If a Data Source Field does not map to a heading value in the options available from the System Field column, click
the Advanced View link.
In the Advanced View the system displays a Custom Name column beside the System Field column.
Enter the correct column name in the text box that corresponds to the appropriate column in the data source.
Optionally, you can specify the data type for the Custom Name you entered by selecting the data type from the Type
drop-down list. These data types are system-defined. Click the description link beside the Type name for details on
each system-defined data type.
13. If you intend to use the Exact Data Profile to implement a policy template that contains one or more EDM rules, you
can validate your profile mappings for the template. To do this, select the template from the Check mappings against
policy template drop-down list and click Check now. The system indicates any unmapped fields that the template
requires.
14. Do not select any Indexing option available at this screen, since you intend to index remotely.
15. Click Finish to complete the profile creation process.
Generating remote index files for EDM
You use the command-line Remote EDM Indexer utility to generate an EDM index for importing to the Enforce Server.
You can use the Remote EDM Indexer to index a data source file that you have generated and cleansed. Or you can pipe
the output from the SQL Preindexer to the standard input of the Remote EDM Indexer. The SQL Preindexer requires an
Oracle DB data source and clean data.
When the indexing process completes, the Remote EDM Indexer generates several files in the specified result directory.
These files are named after the data file that was indexed: one file with the .pdx extension and twelve files with the
.rdx extension, named ExternalDataSource.<DataSourceName>.rdx.0 through ExternalDataSource.<DataSourceName>.rdx.11.
Remote EDM Indexer with data source file: Specify the data source file, the EDM profile, and the output directory. Use this method when you have a cleansed data source file; also use it for upgrading to the latest version. See Remote indexing examples using data source file (EDM).
Remote EDM Indexer with SQL Preindexer: Query the DB and pipe the output to stdin of the Remote EDM Indexer. Requires an Oracle DB and clean data. See Remote indexing examples using SQL Preindexer (EDM).
For example:
RemoteEDMIndexer -data=C:\EDMIndexDirectory\CustomerData.dat
-profile=C:\EDMIndexDirectory\RemoteEDMProfile.edm
-result=C:\EDMIndexDirectory\
This command generates an EDM index using the local data source tabular text file CustomerData.dat and the
local RemoteEDMProfile.edm file that you generated and copied from the Enforce Server to the remote host, where
\EDMIndexDirectory is the directory for placing the generated index files.
When the generation of the indexes is successful, the utility displays the message "Successfully created index" as the last
line of output.
In addition, the following index files are created and placed in the -result directory:
• ExternalDataSource.CustomerData.pdx
• ExternalDataSource.CustomerData.rdx
Twelve files, named ExternalDataSource.<DataSourceName>.rdx.0 -
ExternalDataSource.<DataSourceName>.rdx.11 are always generated. Copy these files to the Enforce Server
and update the EDM profile using the remote index.
Remote EDM Indexer command options
Copying and loading remote EDM index files to the Enforce Server
The following files are created in the -result directory when you remotely index a data source:
• ExternalDataSource.<DataSourceName>.pdx
• ExternalDataSource.<DataSourceName>.rdx.0 - ExternalDataSource.<DataSourceName>.rdx.11
After you create the index files on a remote machine, the files must be copied to the Enforce Server, loaded into the
previously created remote EDM profile, and indexed.
Creating an EDM profile template for remote indexing
To copy and load the files on the Enforce Server
1. Go to the directory where the index files were generated. (This directory is the one specified in the -result option.)
2. Copy all of the index files with .pdx and .rdx extensions to the index directory on the Enforce
Server. This directory is located at C:\ProgramData\Symantec\DataLossPrevention
\ServerPlatformCommon\16.0.10000\index (Windows) or /var/Symantec/DataLossPrevention/
ServerPlatformCommon/16.0.10000/index (Linux).
3. From the Enforce Server administration console, navigate to the Manage > Policies > Exact Data screen.
This screen lists all the Exact Data Profiles in the system.
4. Click the name of the Exact Data Profile you used with the Remote EDM Indexer.
5. To load the new index files, go to the Data Source section of the Exact Data Profile and select Load Externally
Generated Index.
6. In the Indexing section, select Submit Indexing Job on Save.
As an alternative to indexing immediately on save, consider scheduling a job on the remote machine to run the
Remote EDM Indexer on a regular basis. The job should also copy the generated files to the index directory on the
Enforce Server. You can then schedule loading the updated index files on the Enforce Server from the profile by
selecting Load Externally Generated Index and Submit Indexing Job on Schedule and configuring an indexing
schedule.
Use scheduled indexing to automate profile updates (EDM)
7. Click Save.
Remote indexing examples using SQL Preindexer (EDM)
SQL Preindexer command options (EDM) lists the command options for the SQL Preindexer.
-alias (required): Oracle DB connect string. Specifies the database alias that is used to connect to the database in the following format: @//oracle_DB_host:port/SID
For example:
-alias=@//myhost:1521/ORCL
-alias=@//localhost:1521/CUST
-driver: Oracle JDBC driver class. Specifies the JDBC driver class, for example: oracle.jdbc.driver.OracleDriver.
-encoding: Character encoding (default iso-8859-1). Specifies the character encoding of the data to index. Data with non-English characters should use UTF-8 or UTF-16.
-password: Oracle DB password. Specifies the password to the database. If this option is not specified, the password is read from stdin.
-query: SQL query. Specifies the SQL query to perform. The statement must be enclosed in quotes. If you omit the -query option the utility indexes the entire database.
-query_path: SQL script. Specifies the file name and local path of a file that contains the SQL query to run. Must be a full path. This option can be used as an alternative to the -query option when the query is a long SQL statement.
-separator: Output column separator (default tab). Specifies whether the output column separator is a comma, pipe, or tab. To specify a comma separator or pipe separator, enclose the separator character in quotation marks: "," or "|".
-subprotocol: Oracle thin driver. Specifies the JDBC connect string subprotocol (for example, oracle:thin).
-username (required): Oracle DB user. Specifies the name of the database user.
-verbose: Print verbose output for debugging. Displays a statistical summation of the operation when it is complete.
Troubleshooting preindexing errors for EDM
• The Remote EDM Indexer requires the -profile and -result arguments.
• If you use a flat data source file as input, you must specify the file name and local path using the -data option.
• The -data option is omitted when you use the SQL Preindexer to pipe the data to the Remote EDM Indexer.
Remote indexing examples using data source file (EDM)
Remote EDM Indexer command options describes the command options for the Remote EDM Indexer.
-data (required if you use a tabular text file and not the SQL Preindexer): Data source to be indexed. Specifies the data source to be indexed. If this option is not specified, the utility reads data from stdin.
-encoding: Character encoding of the data to be indexed (default ISO-8859-1). Use UTF-8 or UTF-16 if the data contains non-English characters.
-ignore_date: Ignore the expiration date of the EDM profile. Overrides the expiration date of the Exact Data Profile if the profile has expired. (By default, an Exact Data Profile expires after 30 days.)
-profile (required): File containing the EDM profile. Specifies the Exact Data Profile to be used. This profile is the one that is selected by clicking the "download link" on the Exact Data screen in the Enforce Server management console.
-result (required): Directory to place the resulting indexes. Specifies the directory where the index files are generated.
-verbose: Display verbose output. Displays a statistical summation of the indexing operation when the index is complete.
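The following wrapper is an added example, not Symantec code and not part of the Indexer installation. It serves both the data-source-file run and the SQL Preindexer pipeline described above: it builds the argv for RemoteEDMIndexer over a cleansed flat file and for SqlPreindexer piped into RemoteEDMIndexer, keeps the Oracle password off the command line by relying on the documented behaviour that SqlPreindexer reads it from stdin when -password is omitted (so it never appears in process listings or shell history), and checks a -result directory for the .pdx and twelve .rdx files the page says a successful run produces. The paths, user name and query are placeholders; the file names and the "Successfully created index" message are the ones documented on this page.

```python
"""Added example (not Symantec code): build and check Remote EDM Indexer runs.
Paths, user name and query below are placeholders."""
import subprocess
from pathlib import Path

SUCCESS_LINE = "Successfully created index"   # last line of output on success
RDX_SHARDS = 12                               # rdx.0 .. rdx.11 are always produced


def file_index_cmd(data, profile, result, encoding="UTF-8", verbose=True):
    """RemoteEDMIndexer over a cleansed flat file (-data, -profile, -result)."""
    cmd = ["RemoteEDMIndexer", f"-data={data}", f"-profile={profile}",
           f"-result={result}", f"-encoding={encoding}"]
    if verbose:
        cmd.append("-verbose")
    return cmd


def sql_pipeline_cmds(alias, username, profile, result, query=None,
                      query_path=None, separator="|"):
    """argv for SqlPreindexer and for the RemoteEDMIndexer it pipes into.
    -data is omitted because the indexer reads the preindexer's stdout;
    -password is omitted so the password is supplied on stdin, not in argv."""
    if (query is None) == (query_path is None):
        raise ValueError("give exactly one of query or query_path")
    pre = ["SqlPreindexer", f"-alias={alias}", f"-username={username}",
           f"-separator={separator}"]
    pre.append(f"-query={query}" if query else f"-query_path={query_path}")
    idx = ["RemoteEDMIndexer", f"-profile={profile}", f"-result={result}", "-verbose"]
    return pre, idx


def run_sql_pipeline(pre, idx, password):
    """Run SqlPreindexer | RemoteEDMIndexer; returns the indexer's output lines.
    Assumes SqlPreindexer reads the password from stdin, as documented above."""
    p1 = subprocess.Popen(pre, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    p2 = subprocess.Popen(idx, stdin=p1.stdout, stdout=subprocess.PIPE, text=True)
    p1.stdin.write((password + "\n").encode())   # password via stdin only
    p1.stdin.close()
    p1.stdout.close()                              # let the indexer own the pipe
    out, _ = p2.communicate()
    p1.wait()
    return out.splitlines()


def expected_index_files(data_source_name):
    """File names a successful run leaves in -result, per this page."""
    base = f"ExternalDataSource.{data_source_name}"
    return {f"{base}.pdx"} | {f"{base}.rdx.{i}" for i in range(RDX_SHARDS)}


def missing_index_files(present_names, data_source_name):
    """Names from expected_index_files() that are absent, sorted."""
    return sorted(expected_index_files(data_source_name) - set(present_names))


def indexing_succeeded(output_lines):
    """The utility prints the success message as its last line of output."""
    lines = [ln.strip() for ln in output_lines if ln.strip()]
    return bool(lines) and lines[-1] == SUCCESS_LINE


def check_result_dir(result_dir, data_source_name, output_lines):
    """(ok, missing): ok only if the run reported success and every file exists."""
    names = {p.name for p in Path(result_dir).iterdir()}
    missing = missing_index_files(names, data_source_name)
    return indexing_succeeded(output_lines) and not missing, missing
```

A scheduled job can call check_result_dir() before copying anything to the Enforce Server index directory, so a partial result set (for example, from an indexer that stopped on the error threshold) is never loaded into the profile.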
Troubleshooting preindexing errors for EDM
1. Locate the Indexer.properties file at \Program Files\Symantec\Data Loss Prevention\Indexer
\15.1\Protect\config\Indexer.properties (Windows) or /opt/Symantec/DataLossPrevention/
Indexer/15.1/Protect/config/Indexer.properties (Linux).
2. Open the file in a text editor.
3. Locate the create_error_file property and change the “false” setting to “true.”
4. Save and close the Indexer.properties file.
The Remote EDM Indexer logs errors in a file with the same name as the data file being indexed and the .err suffix.
The rows of data that are listed in the error file are not encrypted. Safeguard the error file to minimize any security risk
from data exposure.
Index files not generated: Use the -verbose option in the command to reveal the error message. Specifying the verbose option when running the Remote EDM Indexer provides a statistical summary of information about the indexing operation after it completes. This information includes the number of errors and where the errors occurred.
"Failed to create index", "Cannot compute index", "Unable to generate index": Verify file and path names. Verify that you included the full path and proper file name for the -data file and the -profile file (*.edm). The paths must be local to the host.
"Destination is not a directory": The directory path is not correct. Verify that you properly entered the full path to the destination directory for the required -result argument.
*.idx file instead of *.rdx file: The -data argument was not used. The -data option is required if you are using a data source file and not the SQL Preindexer. In other words, the only time you do not use the -data argument is when you are using the SQL Preindexer. If you run the Remote EDM Indexer without the -data option and no SQL Preindexer query, you get *.idx and *.rdx files that cannot be used for the EDM index. Rerun the index using the -data option or a SQL Preindexer -query or -query_path.
In addition, you may encounter errors when you index large amounts of data. Often the set of data contains a data record
that is incomplete, inconsistent, or incorrectly formatted. Data rows that contain more columns than expected or incorrect
data types often cannot be properly indexed and are unrecognized during indexing. The rows of data with errors cannot
be indexed until those errors are corrected and the Remote EDM Indexer rerun. Symantec provides a couple of ways to
get information about any errors and the ultimate success of the indexing operation.
To see the actual rows of data that the Remote EDM Indexer failed to index, modify the Indexer.properties file.
To modify the Indexer.properties file and view remote indexing errors
1. Locate the Indexer.properties file at \Program Files\Symantec\Data Loss Prevention\Indexer
\15.1\Protect\config\Indexer.properties (Windows) or /opt/Symantec/DataLossPrevention/
Indexer/15.1/Protect/config/Indexer.properties (Linux).
2. To edit the file, open it in a text editor.
3. Locate the create_error_file property and change the “false” value to “true.”
4. Save and close the Indexer.properties file.
The Remote EDM Indexer logs errors in a file with the same name as the indexed data file and with an .err
extension. This error file is created in the logs directory.
The rows of data that are listed in the error file are not encrypted. Encrypt the error file to minimize any security risk
from data exposure.
• Ensure that the data source file contains at least one column of unique data. See Ensure data source has at least one column of unique data (EDM).
• Eliminate duplicate rows and blank columns before indexing. See Cleanse the data source file of blank columns and duplicate rows (EDM).
• To reduce false positives, avoid single characters, quotes, abbreviations, numeric fields with less than 5 digits, and dates. See Remove ambiguous character types from the data source file (EDM).
• Understand multi-token indexing and clean up as necessary. See Understand how multi-token cell matching functions (EDM).
• Use the pipe (|) character to delimit columns in your data source. See Do not use the comma delimiter if the data source has number fields (EDM).
• Review an example cleansed data source file. See Ensure that the data source is clean for indexing (EDM).
• Map data source columns to system fields to leverage validation during indexing. See Map data source column to system fields to leverage validation (EDM).
• Leverage EDM policy templates whenever possible. See Leverage EDM policy templates when possible.
• Include the column headers as the first row of the data source file. See Include column headers as the first row of the data source file (EDM).
• Check the system alerts to tune Exact Data Profiles. See Check the system alerts to tune profile accuracy (EDM).
• Use stopwords to exclude common words from matching. See Use stopwords to exclude common words from detection (EDM).
• Automate profile updates with scheduled indexing. See Use scheduled indexing to automate profile updates (EDM).
• Match on two or three columns in an EDM rule. See Match on 3 columns in an EDM condition to increase detection accuracy.
• Leverage exception tuples to avoid false positives. See Leverage exception tuples to avoid false positives (EDM).
• Use a WHERE clause to detect records that meet specific criteria. See Use a WHERE clause to detect records that meet specific criteria (EDM).
• Use the minimum matches field to fine tune EDM rules. See Use the minimum matches field to fine tune EDM rules.
• Consider using Data Identifiers in combination with EDM rules. See Combine Data Identifiers with EDM rules to limit the impact of two-tier detection.
• Include an email address field in the Exact Data Profile for profiled DGM. See Include an email address field in the Exact Data Profile for profiled DGM (EDM).
• Use profiled DGM for Network Prevent for Web identity detection. See Use profiled DGM for Network Prevent for Web identity detection (EDM).
Ensure data source has at least one column of unique data (EDM)
EDM is designed to detect combinations of data fields that are globally unique. At a minimum, your EDM index must
include at least one column of data that contains a unique value for each record (row). Column data such as account
number, social security number, and credit card number are inherently unique, whereas state or zip code are not unique,
nor are names. If you do not include at least one column of unique data in your index, your EDM profile will not accurately
detect the data you want to protect.
A unique column field is a column that has mostly unique values. It can have duplicate values, but no value may occur more
often than the number set in term_commonality_threshold. The default value for this setting is 10.
Examples of unique data for EDM policies describes the various types of unique data to include in your EDM indexes, as
well as fields that are not unique. You can include the non-unique fields in your EDM indexes as long as you have at least
one column field that is unique.
Table 482: Examples of unique data for EDM policies
The following data fields are usually unique:
• Account number
• Bank Card number
• Phone number
• Email address
• Social security number
• Tax ID number
• Drivers license number
• Employee number
• Insurance number
The following data fields are not unique:
• First name
• Last name
• City
• State
• Zip code
• Password
• PIN number
Cleanse the data source file of blank columns and duplicate rows (EDM)
The data source file should be as clean as possible before you create the EDM index, otherwise the resulting profile may
create false positives.
When you create the data source file, avoid including empty cells or blank columns. Blank columns or fields count as
“errors” when you generate the EDM profile. A data source error is either an empty cell or a cell with the wrong type
of data (a name appearing in a phone number column). The error threshold is the maximum percentage of rows that
contain errors before indexing stops. If the errors exceed the error threshold percentage for the profile (by default, 5%),
the system stops indexing and displays an indexing error message.
The best practice is to remove blank columns and empty cells from the data source file, rather than increasing the error
threshold. Keep in mind that if you have many empty cells, it may require a 100% error threshold for the system to create
the profile. If you specify 100% as the error threshold, the system indexes the data source without checking for errors.
In addition, do not fill empty cells or blank fields with bogus data so that the error threshold is met. Adding fictitious or
"null" data to the data source file will reduce the accuracy of the EDM profile and is strongly discouraged. Content you
want to monitor should be legitimate and not null.
About cleansing the exact data source file for EDM
Preparing the exact data source file for indexing for EDM
Ensure that the data source is clean for indexing (EDM)
Remove ambiguous character types from the data source file (EDM)
You cannot have extraneous spaces, punctuation, or inconsistently populated fields in the data source file. You can use
tools such as the Stream Editor (sed) and AWK to remove these items from your data source file or files before indexing them.
Characters to avoid, and why:
Single characters: Single character fields should be eliminated from the data source file. These are more likely to cause false positives, since a single character is going to appear frequently in normal communications.
Abbreviations: Abbreviated fields should be eliminated from the data source file for the same reason as single characters.
Quotes: Text fields should not be enclosed in quotes.
Small numbers: Indexing numeric fields that contain fewer than 5 digits is not recommended because it will likely yield many false positives.
Dates: Date fields are also not recommended. Dates are treated like a string, so if you are indexing a date, such as 12/6/2007, the string will have to match exactly. The indexer will only match 12/6/2007, and not any other date formats, such as Dec 6, 2007, 12-6-2007, or 6 Dec 2007. It must be an exact match.
Do not use the comma delimiter if the data source has number fields (EDM)
Of the column delimiters that you can choose from for separating the fields in the data source file (pipe, tab, semicolon,
or comma), the pipe, semicolon, or tab (default) is recommended. The comma delimiter is ambiguous and should not be
used, especially if one or more fields in your data source contain numbers. If you use a comma-delimited data source file,
make sure there are no commas in the data set other than those used as column delimiters.
NOTE
Although the system also treats the pound sign, equals sign, plus sign, semicolon, and colon characters as
separators, you should not use these because like the comma their meaning is ambiguous.
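The lint below is an added example, not Symantec code and not a check the product performs; it runs on a data source file before you hand it to the indexer. It covers the preceding four sections together: it counts empty cells and rows with the wrong number of columns as errors and compares the error rate with the 5% threshold, flags duplicate rows, quoted text, single characters, numbers of fewer than 5 digits, dates, and cells containing the characters the system also treats as separators, and reports which columns qualify as "unique" under term_commonality_threshold. The pipe-delimited SAMPLE is constructed test data, not real PII; the thresholds are the defaults stated on this page.

```python
"""Added example (not Symantec code): pre-indexing lint for an EDM data source
file. SAMPLE is constructed; thresholds are this page's defaults."""
import re
from collections import Counter

ERROR_THRESHOLD_PCT = 5          # profile default: indexing stops above this
TERM_COMMONALITY_THRESHOLD = 10  # indexer default for the "unique column" test
AMBIGUOUS = set(",#=+;:")        # characters the system also treats as separators
DATE_RE = re.compile(r"^\d{1,4}[-/]\d{1,2}[-/]\d{1,4}$")
SMALL_NUMBER_RE = re.compile(r"^\d{1,4}$")

SAMPLE = (
    "first_name|last_name|ssn|phone|email|state\n"
    "Ann|Lee|123456789|4155550101|ann.lee@example.com|CA\n"
    "Bob|Ray|987654321|4155550102|bob.ray@example.com|CA\n"
    "Bob|Ray|987654321|4155550102|bob.ray@example.com|CA\n"   # duplicate row
    "Cy|Ng||4155550103|cy.ng@example.com|CA\n"                # empty ssn cell
    '"D"|Ox|1234|2155550104|d.ox@example.com|NV\n'            # quoted, 1 char, 4-digit ssn
)


def _cell_findings(col, cell):
    """Per-cell checks from the 'Remove ambiguous character types' section."""
    s = cell.strip()
    out = []
    if len(s) >= 2 and s[0] == s[-1] == '"':
        out.append(f"{col}: text enclosed in quotes")
        s = s[1:-1]
    if len(s) == 1:
        out.append(f"{col}: single character")
    if SMALL_NUMBER_RE.match(s):
        out.append(f"{col}: number with fewer than 5 digits")
    if DATE_RE.match(s):
        out.append(f"{col}: date (matches only this exact format)")
    if AMBIGUOUS & set(s):
        out.append(f"{col}: contains a character the indexer treats as a separator")
    return out


def lint_data_source(text, delimiter="|", error_threshold_pct=ERROR_THRESHOLD_PCT,
                     commonality=TERM_COMMONALITY_THRESHOLD):
    """Return a report dict; `findings` is a list of (line number, message).
    Line 1 is the header row, as the best practices above recommend."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(delimiter)]
    rows = [ln.split(delimiter) for ln in lines[1:]]
    ncols = len(header)
    findings, error_rows, seen = [], 0, Counter()
    for lineno, row in enumerate(rows, start=2):
        if len(row) != ncols:                      # cannot be indexed at all
            findings.append((lineno, f"{len(row)} columns, expected {ncols}"))
            error_rows += 1
            continue
        if any(not c.strip() for c in row):        # empty cell counts as an error
            findings.append((lineno, "empty cell"))
            error_rows += 1
        key = tuple(c.strip() for c in row)
        seen[key] += 1
        if seen[key] > 1:
            findings.append((lineno, "duplicate row"))
        for col, cell in zip(header, row):
            findings.extend((lineno, msg) for msg in _cell_findings(col, cell))
    good = [r for r in rows if len(r) == ncols]
    blank_columns = [h for i, h in enumerate(header)
                     if good and all(not r[i].strip() for r in good)]
    unique_columns = []
    for i, h in enumerate(header):
        counts = Counter(r[i].strip() for r in good if r[i].strip())
        if counts and max(counts.values()) <= commonality:   # no value repeats too often
            unique_columns.append(h)
    error_pct = 100.0 * error_rows / len(rows) if rows else 0.0
    return {
        "rows": len(rows),
        "error_rows": error_rows,
        "error_pct": error_pct,
        "would_stop_indexing": error_pct > error_threshold_pct,
        "blank_columns": blank_columns,
        "unique_columns": unique_columns,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in lint_data_source(SAMPLE).items():
        print(f"{key}: {value}")
```

On SAMPLE the single empty cell already puts the error rate at 20%, above the 5% default, which is the situation the page says to fix in the file rather than by raising the threshold; the report also lists the duplicate row and the quoted single-character and four-digit values that would produce false positives if indexed.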
If there is no corresponding system field to map to a data source column, consider creating a custom field to map data
source column data. You can use the description field to annotate both system and custom fields.
Mapping Exact Data Profile fields for EDM
Creating and modifying Exact Data Profiles for EDM
Include column headers as the first row of the data source file (EDM)
When you extract the source data to the data source file, you should include the column headers as the first row in the
data source file. Including the column headers will make it easier for you to identify the data you want to use in your
policies.
The column names reflect the column mappings that were created when the exact data profile was added. If there is an
unmapped column, it is called Col X, where X is the column number (starting with 1) in the original data profile.
If the Exact Data Profile is to be used for DGM, the file must have a column with a heading of email, or the DGM will not
appear in the Directory EDM drop-down list (at the remediation page).
Check the system alerts to tune profile accuracy (EDM)
You should always review the system alerts after creating the Exact Data Profile. The system alerts provide very specific
information about problems encountered when creating the profile, such as an SSN in an address field, which will affect
accuracy.
Match on 3 columns in an EDM condition to increase detection accuracy
In a structured data format such as a database, each row represents one record, with each record containing related
values for each column data field. Thus, for an EDM policy rule condition to match, all the data must come from the same
row or record of data. When you define an EDM rule, you must select the fields that must be present to be a match.
Although there is no limit to the number of columns you can select to match in a row (up to the total number of columns
in the index, which is a maximum of 32), it is recommended that you match on at least 2 or 3 columns, one of which must
be unique. Generally, matching on 3 fields is preferred, but if one of the columns contains a unique value such as an SSN or
credit card number, 2 columns may be used.
Consider the following example. You want to create an EDM policy condition based on an Exact Data Profile that
contains the following 5 columns of indexed data:
• First Name
• Last Name
• Social security number (SSN)
• Phone Number
• Email Address
If you select all 5 columns to be included in the policy, consider the possible results based on the number of fields you
require for each match.
If you choose "1 of the selected fields" to match, the policy will undoubtedly generate a large number of false positives
because the record will not be unique enough. (Even if the condition only matches the SSN field, there may still be false
positives because there are other types of nine-digit numbers that may trigger a match.)
If you choose "2 of the selected fields" to match, the policy will still produce false positives because there are potential
worthless combinations of data: First Name + Last Name, Phone Number + Email Address, or First Name + Phone
Number.
If you choose to match on 4 or all 5 of the column fields, you will not be able to exclude certain data field combinations
because that option is only available for matches on 2 or 3 fields.
Leverage exception tuples to avoid false positives (EDM)
In this example, to ensure that you generate the most accurate match, the recommendation is that you choose "3 of the
selected fields to match." In this way you can reduce the number of false positives while using one or more exceptions to
exclude the combinations that do not present a concern, such as First Name + Last Name + Phone Number.
Whatever number of fields you choose to match, ensure that you are including the column with the most unique data, and
that you are matching on at least 2 columns.
Use a WHERE clause to detect records that meet specific criteria (EDM)
Another configuration parameter of the EDM policy condition is the "Where" clause option. This option matches on the
exact value you specify for the field you select. You can enter multiple values by separating each with commas. Using a
WHERE clause to detect records that meet specific criteria helps you improve the accuracy of your EDM policies.
For example, if you wanted to match only on an Exact Data Profile for "Employees" with a "State" field containing certain
states, you could configure the match where "State" equals "CA,NV". This rule then causes the detection engine to match
a message that contains either CA or NV as content.
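The field-count, exception-tuple and WHERE clause behaviour described above, as an added Python model (not Symantec's code): a constructed "Employees" profile is matched against sample messages under "2 of the selected fields", "3 of the selected fields" with the First Name + Last Name + Phone Number exception, and the same condition with "State" equals "CA,NV". Substring matching on squashed text and the exception semantics (an exception tuple suppresses only a tuple made of exactly those fields) are assumptions of this model.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from itertools import combinations


def squash(text: str) -> str:
    """Lower-case and keep only letters and digits, so "123-45-6789" and "123 45 6789" compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


@dataclass
class EdmCondition:
    selected_fields: tuple[str, ...]                       # profile columns the condition matches on
    min_fields: int                                        # "N of the selected fields to match"
    exceptions: frozenset[frozenset[str]] = frozenset()    # field tuples that never match on their own
    where: dict[str, set[str]] = field(default_factory=dict)  # column -> allowed values (WHERE clause)


def record_matches(record: dict[str, str], message: str, cond: EdmCondition) -> set[str] | None:
    """Fields of one profile record exposed by the message, or None when the record does not match.
    1. WHERE clause: only records whose column value is one of the listed values are considered.
    2. Find which selected fields of the record occur in the message.
    3. Match if at least one min_fields-sized combination of those fields is not an exception tuple.
    Substring matching on squashed text and the exception semantics are assumptions of this model."""
    for column, allowed in cond.where.items():
        if record.get(column) not in allowed:
            return None
    norm_msg = squash(message)
    hits = {f for f in cond.selected_fields if record.get(f) and squash(record[f]) in norm_msg}
    for combo in combinations(sorted(hits), cond.min_fields):
        if frozenset(combo) not in cond.exceptions:
            return hits
    return None


def detect(profile: list[dict[str, str]], message: str, cond: EdmCondition) -> list[str]:
    """Last names of the profile records that the message exposes under the condition."""
    return [r["last_name"] for r in profile if record_matches(r, message, cond) is not None]


# Constructed "Employees" Exact Data Profile with fictional people (not real data).
EMPLOYEES = [
    {"first_name": "Mariana", "last_name": "Okonkwo", "ssn": "123-45-6789",
     "phone": "415-555-0143", "email": "mariana.okonkwo@example.com", "state": "CA"},
    {"first_name": "Tobias", "last_name": "Lindqvist", "ssn": "987-65-4321",
     "phone": "702-555-0198", "email": "tobias.lindqvist@example.com", "state": "NV"},
    {"first_name": "Priya", "last_name": "Raghunathan", "ssn": "555-12-3456",
     "phone": "212-555-0177", "email": "priya.r@example.com", "state": "NY"},
]
PII_FIELDS = ("first_name", "last_name", "ssn", "phone", "email")

# "2 of the selected fields": the text warns this still fires on worthless pairs.
TWO_OF_FIVE = EdmCondition(PII_FIELDS, 2)
# The recommended configuration: 3 of 5, with the harmless tuple from the text excluded.
THREE_OF_FIVE = EdmCondition(PII_FIELDS, 3,
                             frozenset({frozenset({"first_name", "last_name", "phone"})}))
# The same condition restricted by a WHERE clause: "State" equals "CA,NV".
WEST_COAST = EdmCondition(PII_FIELDS, 3, THREE_OF_FIVE.exceptions, {"state": {"CA", "NV"}})

# Constructed sample messages.
CONTACT_CARD = "Call Mariana Okonkwo at 415-555-0143 about the offsite."
PAYROLL_NOTE = "Payroll correction for Mariana Okonkwo, SSN 123 45 6789."
NY_RECORD = "Priya Raghunathan, SSN 555-12-3456, priya.r@example.com"

if __name__ == "__main__":
    print("2 of 5, contact card:  ", detect(EMPLOYEES, CONTACT_CARD, TWO_OF_FIVE))    # false positive
    print("3 of 5, contact card:  ", detect(EMPLOYEES, CONTACT_CARD, THREE_OF_FIVE))  # exception applies
    print("3 of 5, payroll note:  ", detect(EMPLOYEES, PAYROLL_NOTE, THREE_OF_FIVE))
    print("WHERE CA,NV, NY record:", detect(EMPLOYEES, NY_RECORD, WEST_COAST))
```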
Combine Data Identifiers with EDM rules to limit the impact of two-tier detection
When implementing EDM policies, you should combine Data Identifier (DI) rules with the EDM condition to form
compound rules. All system-provided policy templates that implement EDM rules also implement Data Identifier rules in
the same policy.
Data Identifiers and EDM are both designed to protect personally identifiable information (PII). Include Data Identifiers with
your EDM rules to make your policies more robust and reusable across detection servers. Data Identifiers are executed
on the endpoint and do not require two-tier detection. Thus, if an endpoint is off the network, the Data Identifier rules can
protect PII such as SSNs.
Data Identifier rules are also useful to use in your EDM policies while you are gathering and preparing your confidential
data for EDM indexing. For example, a policy might contain the US SSN Data Identifier and an EDM rule for as yet
unindexed or unknown SSNs.
Include an email address field in the Exact Data Profile for profiled DGM (EDM)
You must include the appropriate fields in the Exact Data Profile to implement profiled DGM.
Creating the exact data source file for profiled DGM for EDM
If you include the email address field in the Exact Data Profile for profiled DGM and map it to the email data validator,
the email address appears in the Directory EDM drop-down list (on the remediation page).
Use profiled DGM for Network Prevent for Web identity detection (EDM)
If you want to implement DGM for Network Prevent for Web, use one of the profiled DGM conditions to implement identity
matching. For example, you may want to use identity matching to block all web traffic for a specific user. For Network
Prevent for Web, you cannot use synchronized DGM conditions for this use case.
Creating the exact data source file for profiled DGM for EDM
Configuring the Sender/User based on a Profiled Directory condition
merger and acquisition information stored in PDF files, and source code stored in text files. You can also use IDM to
detect binary files, such as JPEG images, CAD designs, and multimedia files. In addition, you can use IDM to detect
derived content such as text that has been copied from a source document to another file.
Supported forms of matching for IDM
About the Indexed Document Profile
Partial file contents: a match of discrete passages of extracted and normalized file contents. Supported by: detection server, DLP Agent. See "Using IDM to detect exact and partial file contents".
Exact file: the match is based on the binary signature of the file. Supported by: detection server, DLP Agent. See "Using IDM to detect exact files".
Exact file contents: an exact match of the extracted and normalized file contents. Supported by: detection server. Note: Symantec recommends that you use partial file contents matching rather than exact file contents matching. See "Using IDM to detect exact and partial file contents".
Types of IDM detection
There are three types of IDM detection implementations: agent, server, and two-tier. The type you choose is based on
your data loss prevention requirements.
Types of IDM detection summarizes the three types of IDM detection.
Agent IDM: The DLP Agent supports partial contents matching in addition to exact file matching locally on the endpoint. See "Agent IDM detection".
Server IDM: The detection server performs exact file matching, exact file contents matching, and partial file contents matching. See "Server IDM detection".
Two-tier IDM: The DLP Agent sends the data to the detection server for policy evaluation. See "Two-tier IDM detection".
If you use two-tier detection for IDM on the Windows endpoint, make sure that you understand the performance
implications of two-tier detection.
Two-tier detection for DLP Agents
During indexing, the system stores the document source in \Program Files\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\Protect\documentprofiles (on Windows) or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles (on Linux).
The result of the indexing process is four separate indexes: one for detection servers (the server index) and three for
DLP Agents (the endpoint indexes). All indexes are generated regardless of whether or not you are licensed for Endpoint
Prevent or Endpoint Discover. On the Enforce Server, the system stores the indexes in \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\index (on Windows) or /var/Symantec/DataLossPrevention/EnforceServer/16.0.10000/index (on Linux).
About the server index files and the agent index files
For most IDM deployments there is no need to configure the indexer. If necessary you can configure key settings
for the indexer using the file \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Indexer.properties.
NOTE
Symantec recommends that you contact Symantec Support for guidance if you decide to modify a properties file.
Modifying properties incorrectly can cause serious issues with the operation of Symantec Data Loss Prevention.
About the server index files and the agent index files
When you create an Indexed Document Profile and index a document data source, the system generates four index
files, one for the server and three for the endpoint. The indexes are generated regardless of whether or not you are
licensed for a particular detection server or the DLP Agent.
About index deployment and logging
The server index is a binary file named DocSource.rdx. The server index supports exact file, exact file contents, and
partial file contents matching. If the document data source is large, the server index may span multiple *.rdx files.
The endpoint index consists of one secure binary file, either EndpointDocSource.rdx or
LegacyEndpointDocSource.rdx for backward compatibility with 14.0 and 12.5 Agents. The endpoint index supports
exact file and partial file contents matching. EncryptedDocSource.rdx is used for endpoint partial matching.
Supported forms of matching for IDM
To create the index entries for exact file and exact file contents matching, the system uses the MD5 message-digest
algorithm. This algorithm is a one-way hash function that takes as input a message of arbitrary length and produces
as output a 128-bit message-digest or "fingerprint" of the input. If the message input is a text-based document that the
system can extract contents from, such as a Microsoft Word file, the system extracts all of the file content, normalizes it by
removing whitespace, punctuation, and formatting, and creates a cryptographic hash. Otherwise, if the message input is a
file that the system cannot extract the contents from, such as an image file, small file, or unsupported file type, the system
creates a cryptographic hash based on the binary signature of the file.
NOTE
To improve accuracy across different versions of the Enforce Server and DLP Agent, only binary matching MDF
is supported on the agent, whether or not the file contains text.
Using IDM to detect exact files
Using IDM to detect exact and partial file contents
In addition, for file formats the system can extract the contents from, the indexer creates hashes for discrete sections of
content or text passages. These hashes are used for partial matching for both server and agent indexes. The system uses
a selection method to store hashed sections of partial content so that not all extractable text is indexed. The hash function
ensures that the server index does not contain actual document content. Types of matching supported by the endpoint
and server indexes summarizes the types of matching supported by the endpoint and server indexes.
Table 486: Types of matching supported by the endpoint and server indexes
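The hashing, normalization, partial-passage and safe-listing behaviour described in this section, modelled in Python as an added example (not the product's indexer). The 50-character and 300-character thresholds come from the text; the 100-character passage length, the fixed-stride section selection and the one-character sliding detection window are assumptions, since the page does not document the selection method. The sample documents are constructed.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

MIN_NORMALIZED_SIZE = 50   # min_normalized_size=50 in Indexer.properties (documented above)
MIN_PARTIAL_SIZE = 300     # documented minimum of normalized characters for partial matching
SECTION_CHARS = 100        # passage length for partial-match hashes: an assumption of this example

_NON_ALNUM = re.compile(r"[^0-9A-Za-z]+")


def normalize(text: str) -> str:
    """Remove whitespace, punctuation and formatting; only letters and digits remain."""
    return _NON_ALNUM.sub("", text)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def window_hashes(norm: str, stride: int) -> set[str]:
    """MD5 of each SECTION_CHARS-long window of normalized text, one window per stride."""
    return {md5_hex(norm[i:i + SECTION_CHARS].encode())
            for i in range(0, len(norm) - SECTION_CHARS + 1, stride)}


@dataclass
class IndexEntry:
    name: str
    exact_kind: str                       # "binary" (exact file) or "content" (exact file contents)
    exact_hash: str
    section_hashes: set[str] = field(default_factory=set)   # passages for partial matching


def safelist_hashes(safelisted_text: str) -> set[str]:
    """Hashes of every passage window of safelisted.txt. Stride 1 is used so a safelisted
    passage is excluded wherever it falls inside a document (assumption of this model)."""
    norm = normalize(safelisted_text)
    if len(norm) < MIN_PARTIAL_SIZE:
        return set()          # below the default threshold the file is not fingerprinted
    return window_hashes(norm, 1)


def fingerprint(name: str, raw: bytes, extracted_text: str | None,
                excluded: set[str]) -> IndexEntry:
    """Index entry for one file. extracted_text is None when the content extractor cannot
    handle the format (image, CAD drawing, archived subfile, unsupported type)."""
    if extracted_text is None:
        return IndexEntry(name, "binary", md5_hex(raw))
    norm = normalize(extracted_text)
    if len(norm) < MIN_NORMALIZED_SIZE:
        # Too little normalized text: treated as a binary file and hashed as such.
        return IndexEntry(name, "binary", md5_hex(raw))
    entry = IndexEntry(name, "content", md5_hex(norm.encode()))
    if len(norm) >= MIN_PARTIAL_SIZE:
        # Fixed-stride sections, minus anything that also appears in safelisted.txt.
        entry.section_hashes = window_hashes(norm, SECTION_CHARS) - excluded
    return entry


def partial_hits(entry: IndexEntry, message_text: str) -> int:
    """Number of indexed passages present in a message. Detection slides one character at a
    time, so a copied passage is found regardless of where it lands in the message."""
    return len(window_hashes(normalize(message_text), 1) & entry.section_hashes)


# Constructed sample data: a fictional term sheet with a repeated confidentiality footer.
BOILERPLATE = "CONFIDENTIAL - Property of Example Corp. Do not distribute. " * 8
CLAUSES = [f"Clause {i}: the acquirer shall pay {i * 7} million USD to Example Corp "
           f"on completion of milestone {i}. " for i in range(1, 13)]
TERM_SHEET = BOILERPLATE + "".join(CLAUSES)


def build_demo_index() -> dict[str, IndexEntry]:
    excluded = safelist_hashes(BOILERPLATE)   # what safelisted.txt would contain
    return {
        "term_sheet.docx": fingerprint("term_sheet.docx", TERM_SHEET.encode(), TERM_SHEET, excluded),
        "logo.jpg": fingerprint("logo.jpg", b"\xff\xd8\xff\xe0 fake JPEG bytes", None, excluded),
        "memo.txt": fingerprint("memo.txt", b"Short memo: call me.", "Short memo: call me.", excluded),
    }


if __name__ == "__main__":
    index = build_demo_index()
    sheet = index["term_sheet.docx"]
    print("footer only    ->", partial_hits(sheet, BOILERPLATE))
    print("copied clauses ->", partial_hits(sheet, "FYI: " + "".join(CLAUSES[3:9])))
    for name, entry in index.items():
        print(name, entry.exact_kind, entry.exact_hash)
```

The same normalized text hashed with different whitespace or punctuation yields the same exact-contents hash, while a file with fewer than 50 normalized characters falls back to the binary hash of its raw bytes.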
endpoint index. Assuming agent IDM is enabled, the DLP Agent loads the endpoint index into memory when the index is
required by an active local policy.
Estimating endpoint memory use for agent IDM
You cannot manually deploy either the server or endpoint index files by copying the *.rdx file or files from the Enforce
Server to a detection server. The detection server does not monitor the index destination folder for new index files; the
detection server must be notified by the Enforce Server that an index has been deployed. If a detection server is offline
during the index deployment process, the Enforce Server stops trying to deploy the index. When the detection server
comes back online the Enforce Server deploys the index to the detection server. The same is true for DLP Agents. There
is no way to manually copy the endpoint index to the endpoint host and have the DLP Agent recognize the index.
IDM index deployment and logging summarizes how IDM indexes are deployed and the logs files to check to troubleshoot
index deployment.
Table 488: Requirements for using IDM to detect files
File format from which the system cannot extract the contents (for example, a proprietary or non-supported document format): If the system cannot extract the contents from the file format, you can use IDM to detect that specific file using exact binary matching. See "Do not compress files in the document source".
Binary file (for example, GIF, MPG, AVI, CAD design files, audio/video files): You can use IDM to detect binary file types from which you cannot extract the contents, such as images, graphics, JPEGs, etc. Binary file detection is not supported on stream-based channels.
File containing a small amount of text (for example, CAD files and Visio diagrams): A file containing a small amount of text is treated as a binary file even if the contents are text-based and can have their contents extracted. See "Using IDM to detect exact and partial file contents".
Encapsulated file (any file that is encapsulated when indexed, even if text-based and able to have its contents extracted; for example, a Microsoft Word file archived in a ZIP file): If a document data source file is encapsulated in an archive file, the file contents of the subfile cannot be extracted and only the binary signature of the file can be fingerprinted. This does not apply to the document archive that is itself indexed. See "About the document data source".
Table 489: Requirements for using IDM to detect content
Requirement Description
File formats from which you can extract the contents: The system must be able to process the file format and extract the file content. Data Loss Prevention supports content extraction for over 100 file types. See "Supported formats for content extraction".
Unencapsulated file: To match file contents, the source file cannot be encapsulated in an archive file when the source file is indexed. If a file in the document source is encapsulated in an archive file, the system does not index the file contents of the encapsulated file. Any encapsulated file is considered for exact matches only, like image files and other unsupported file formats. See "Do not compress files in the document source".
Note: The exception to this is the main ZIP file that contains the document data source, for those upload methods that use an archive file. See "Creating and modifying Indexed Document Profiles".
Minimum amount of text: For exact file contents matching, the source file must contain at a minimum 50 characters of normalized text before the extracted content is indexed. Normalization involves the removal of punctuation and whitespace. A normalized character therefore is either a number or a letter. This size is set by the min_normalized_size=50 parameter in the file \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Indexer.properties. If the file contains fewer than 50 normalized characters, the system performs an exact file match against the file binary.
Note: Symantec advises that you consult with Symantec Support for guidance if you need to change an advanced setting or edit a properties file. Incorrectly updating a properties file can have unintended consequences.
For partial file contents matching, there must be at least 300 normalized characters. However, the exact length is variable depending on the file contents and encoding. See "Do not index empty documents".
Maximum amount of text: The default maximum size of the document that can be processed for content extraction at run-time is 30,000,000 bytes. If your document is over 30,000,000 bytes you need to increase the default maximum size in Advanced server settings. Contact Symantec Support for assistance when changing Advanced server settings, to avoid any unintended consequences.
Table 490: Minimum document exposure settings for the IDM condition
Exact file matching: File contents. All of the extracted and normalized file contents, if the file is text-based and from which the content is not extractable. Example: Microsoft Word. See "Using IDM to detect exact and partial file contents".
Exact content matching: The endpoint performs binary matching on all files. Example: Microsoft Word, JPG, MP3.
Partial content matching: File contents. Discrete passages of text. Example: Microsoft Word. See "Using IDM to detect exact and partial file contents".
1. Identify the content you want to protect and collect the documents that contain this content. See "Using IDM to detect exact and partial file contents" and "Using IDM to detect exact files".
2. Prepare the documents for indexing. See "Preparing the document data source for indexing".
3. Safe list headers, footers, and boilerplate text. See "Safe Listing File Contents to Exclude from Partial Matching".
4. Create an Indexed Document Profile and specify the document source. See "Creating and modifying Indexed Document Profiles".
5. Configure any document source filters. See "Filtering documents by file name".
6. Schedule indexing as necessary. See "Scheduling document profile indexing".
7. Configure one or more IDM policy conditions or exceptions. See "Configuring the Content Matches Document Signature policy condition".
8. Test and troubleshoot your IDM implementation. See "Troubleshooting policies".
1. Collect all of the documents you want to protect. Collect all of the documents you want to index and put them in a folder. See "About the document data source".
2. Uncompress all the files you want to index. The files you index should be in their unencapsulated, uncompressed state. Check the document collection to make sure none of the files are encapsulated in an archive file, such as ZIP, TAR, or RAR. If a file is embedded in an archive file, extract the source file from the archive file and remove the archive file. See "Using IDM to detect exact and partial file contents".
3. Separate the documents if you have more than 1,000,000 files to index. To protect a large amount of content and files, create separate collections for each set of documents over 1,000,000 files in size, with all files in their unencapsulated, uncompressed state. For example, if you have 15,000,000 documents you want to index, separate the files by folders, one folder containing 750,000 files, and another folder containing the remaining 750,000 files. Or, you can change the value of com.vontu.profiles.documents.maxIndexSize in Indexer.properties to accommodate larger data sets. The rule of thumb is 2 GB per 1 million documents. See "Create separate profiles to index large document sources".
4. Decide how you are going to make the document source files available to the Enforce Server. The indexing process is a separate process that runs on the Enforce Server. To index the document source you must make the files accessible to the Enforce Server. You have several options. Decide which one works best for your needs and proceed accordingly. See:
Uploading a document archive to the Enforce Server
Referencing a document archive on the Enforce Server
Using local path on Enforce Server
Using the remote SMB share option to index file shares
5. Configure the document profile. The next step is to configure the document profile, or, alternatively, if you want to exclude specific document content from detection, whitelist it. See:
Creating and modifying Indexed Document Profiles
White listing file contents to exclude from partial matching
About Safe Listing Partial File Contents
To exclude content from matching, you copy the content that you want to exclude to a text file and save the file as
safelisted.txt. By default, the file must contain at least 300 non-whitespace characters to have its content
fingerprinted for safe listing purposes. When you index the document source, the Enforce Server or the Remote IDM
Indexer looks for the safelisted.txt file.
Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching
Table 493: Safe Listing Non-Sensitive Content describes the process for excluding document content using safe listing.
1. Copy the content that you want to exclude from matching into a text file. Copy only noncritical content that you want to exclude, such as standard boilerplate text and document headers and footers, to the text file. By default, for file contents matching the file to be indexed must contain at least 300 characters. This default setting applies to the safelisted.txt file as well. You can change this default setting for safe listed text. See "Changing the default indexer properties".
2. Save the text file as safelisted.txt. The safelisted.txt file is the source file for storing content that you want to exclude from matching.
3. Save the file to the safelisted directory on the Enforce Server host file system. Save the file to \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles (on Windows) or /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles/safelisted (on Linux).
4. Configure the Indexed Document Profile and generate the index. When you index the document data source, the Enforce Server looks for the safelisted.txt file. If the file exists, the Enforce Server copies it to safelisted.x.txt, where x is a unique identification number corresponding to the Indexed Document Profile. Future indexing of the profile uses the profile-specific safelisted.x.txt file, not the generic safelisted.txt file.
Creating and modifying Indexed Document Profiles
Action Description
Add IDM profile: Click Add Document Profile to create a new Indexed Document Profile. See "Configuring IDM profiles and policy conditions".
Edit IDM profile: Click the name of the Document Profile, or click the pencil icon to the far right of the profile, to modify an existing Document Profile. See "Creating and modifying Indexed Document Profiles".
Remove IDM profile: Click the red X icon at the far right of the document profile row to delete that profile from the system. A dialog box confirms the deletion.
Note: You cannot edit or remove a profile if another user is currently modifying that profile, or if a policy exists that depends on that profile.
Refresh IDM profile status: Click the refresh arrow icon at the upper right of the Indexed Documents screen to fetch the latest status of the indexing process. If you are in the process of indexing, the system displays the message "Indexing is starting." The system does not automatically update the screen when the indexing process is complete.
Column Description
Data Profiles
Scheduling document profile indexing
Configuring the Content Matches Document Signature policy condition
Table 496: Configuring a document profile
1. Navigate to the screen Manage > Data Profiles > Indexed Documents. You must be logged on to the Enforce Server administration console as an administrator or policy author. See "Policy authoring privileges".
2. Click Add Document Profile. Select an existing Indexed Document Profile to edit it. See "Manage and add Indexed Document Profiles".
3. Enter a Name for the Document Profile. Choose a name that describes the data content and the index type (for example, "Research Docs IDM"). The name is limited to 255 characters. See "Input character limits for policy configuration".
4. Select the Document Source method for indexing. Select one of the five options for indexing the document data source, depending on how large your data source is and how you have packaged it. See "About the document data source" and "Options for making the data source available to the Enforce Server".
• Upload Document Archive to Server Now
To use this method, you browse to and select a ZIP file containing the documents to be indexed. The maximum size of the ZIP file is 50 MB. See "Uploading a document archive to the Enforce Server".
• Reference Archive on Enforce Server
Use this method if you have copied the ZIP file to the file system of the host where the Enforce Server is installed. The maximum size of the ZIP file is 2 GB. This ZIP file is available for selection in the drop-down field. See "Referencing a document archive on the Enforce Server".
• Use Local Path on Enforce Server
This method lets you index individual files that are local to the Enforce Server. With this method the files to be indexed cannot be archived in a ZIP file. See "Using local path on Enforce Server".
• Use Remote SMB Share
See "About indexing remote documents" and "Using the remote SMB share option to index SharePoint documents".
• Import from a remotely created IDM profile
The Remote IDM Indexer is a standalone tool that lets you index your confidential documents and files locally on the systems where these files are stored. See "About the Remote IDM Indexer" for more information.
5. Optionally, configure any Filters. You can specify file name and file size filters in the document profile. The filters tell the system which files to include or ignore during indexing. See "Filter documents from indexing to reduce false positives".
Enter files to include in the File Name Include Filters field, or enter files to exclude in the File Name Exclude Filters field. See "Filtering documents by file name".
Select file sizes to ignore, either Ignore Files Smaller Than or Ignore Files Larger Than. See "Filtering documents by file size".
6. Select one of the Indexing options. As part of creating a document profile, you can set up a schedule for indexing the document source.
You do not have to select an indexing option to create a profile that you can reference in a policy, but you must select an indexing option to generate the index and actually detect matches using an IDM policy.
• Select Submit Indexing Job on Save to index the document source immediately on save of the Document Profile.
• Select Submit Indexing Job on Schedule to display schedule options so that you can schedule indexing at a later time.
See "Scheduling document profile indexing".
7. Click Save. You must save the document profile.
3. Click the checkbox under Endpoint Partial Matching for all profiles that you want to enable for partial matching.
Note: If a profile starts re-indexing while you are on this page, and the profile size changes significantly, and the profile is also selected for partial matching, the list of selected profiles might be affected.
4. Click Save.
Note: The sum of all deployed profiles on the endpoint cannot exceed the value of Endpoint Total Profile Size (MB), which is set to a default of 60 MB. To change this value, enter a different value in the Endpoint Total Profile Size (MB) box.
After you click Save, the profiles that you have selected have partial matching enabled. Click Refresh to ensure that you have the latest status of the indexing operation.
To upload the document archive to Enforce Server describes the process for using the Upload Document Archive to
Server Now method of indexing.
To upload the document archive to Enforce Server
1. Navigate to the screen Manage > Data Profiles > Indexed Documents > Configure Document Profile.
2. Select the option Upload Document Archive to Server Now.
Click Browse and select the ZIP file. The ZIP file can be anywhere on the same network as the Enforce Server.
Optionally, you can type the full path and the file name if the ZIP file is local to the Enforce Server, for example: c:\Documents\Research.zip.
Table 498: Requirements for using the Upload Document Archive to Server Now option
Requirement Description
ZIP file only: The document archive must be a ZIP file; no other encapsulation formats are supported for this option.
50 MB or less: You cannot use this option if the document archive ZIP file is more than 50 MB because files exceeding that size limit can take too long to upload and slow the performance of the Enforce Server. If the document archive ZIP file is over 50 MB, use the Reference Archive on Enforce Server method instead.
UTF-8 file names only: The IDM indexing process fails (and presents you with an "unexpected error") if the document archive (ZIP file) contains non-ASCII file names in encodings other than UTF-8. If the ZIP file contains files with non-ASCII file names, use one of the following options instead to make the files available to the Enforce Server for indexing:
• Use the Remote IDM Indexer.
• Use Local Path on Enforce Server
• Use Remote SMB Share
To reference the document archive on the Enforce Server
1. Copy the ZIP file to the Enforce Server.
• On Windows, copy the ZIP file to the directory \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\16.0.10000\documentprofiles
• On Linux, copy the ZIP file to the directory /var/Symantec/DataLossPrevention/ServerPlatformCommon/16.0.10000/documentprofiles
Requirements to use the option Reference Archive on Enforce Server
NOTE
The system deletes the document data source file after the indexing process completes.
2. Log on to the Enforce Server administration console.
3. Navigate to the screen Manage > Data Profiles > Indexed Documents > Configure Document Profile.
4. Select the file from the Reference Archive on Enforce Server pull-down menu.
NOTE
A document source currently referenced by another Indexed Document Profile does not appear in the list.
5. Specify one or more file name or file size filters (optional).
Filtering documents by file name
6. Select one of the indexing options (optional).
Scheduling document profile indexing
7. Click Save to save the document profile.
Table 499: Requirements to use the option Reference Archive on Enforce Server
Requirement Description
ZIP file only: The document archive must be a ZIP file; no other encapsulation formats are supported for this option. The ZIP file can be at most 2 GB. Consider using a third-party solution (such as Secure FTP) to copy the ZIP file securely to the Enforce Server. See "About the document data source".
Subfile not archived: Make sure the subfiles are proper files and not encapsulated in an archive (other than the top-level profile archive). See "Do not compress files in the document source" and "Do not index empty documents".
UTF-8 file names only: Do not use this method if any of the names of the files you are indexing contain non-ASCII characters. Use either of the following options instead:
• Use the Remote IDM Indexer.
• Use Local Path on Enforce Server (see "Using local path on Enforce Server")
• Use Remote SMB Share (see "Using the remote SMB share option to index file shares")
To use the Use Local Path on Enforce Server method of making the document source available to the Enforce Server
for indexing, you enter the local path to the directory that contains the documents to index. For example, if you copied the
files to the file system at directory C:\Documents, you would enter C:\Documents in the field for the Use Local Path
on Enforce Server option. You must specify the exact path, not a relative path. Do not include the actual file names in the
path.
NOTE
If the files you index include a file that is more than 2 GB in size, the system indexes all the files except the 2
GB file. This only applies to the Use Local Path on Enforce Server option. It does not apply to the Reference
Archive on Enforce Server option.
Indexing of SharePoint documents provides the procedure for remotely indexing SharePoint documents using WebDAV.
3. Access the SharePoint instance. From the computer where your Enforce Server is installed, access SharePoint using your browser and the following address format: http://<server_name>:port. For example: http://protect-x64:80
4. Log on to SharePoint as an authorized user. You do not need to have SharePoint administrative privileges.
5. Locate the documents to scan. In SharePoint, navigate to the documents you want to scan. Often SharePoint documents are stored at the Home > Shared Documents screen. Your documents may be stored in a different location.
6. Find the UNC path for the documents. In SharePoint, for the documents you want to scan, select the option Library > Open with Explorer. Windows Explorer should open a window and display the documents. Look in the Address field for the path to the documents. This address is the UNC path you need to scan the documents remotely. For example: \\protect-x64\Shared Documents. Copy this path to the Clipboard or a text file.
7. Create the IDM Index. See "Creating and modifying Indexed Document Profiles".
8. Configure the SharePoint remote indexing source. To configure the remote indexing source:
• For the Document Source field, select the Use Remote SMB Share option.
• For the UNC Path, paste (or enter) the address you copied from the previous step. For example: \\protect-x64\Shared Documents.
• For the User Credentials, enter your SharePoint user name and password, or select the same from the Saved Credentials drop-down list.
• Select the option Submit Indexing on Save and click Save.
9. Verify success. At the Manage > Data Profiles > Indexed Documents screen you should see that the index was successfully created. Check the "Status" and the number of documents indexed. If the index was successfully created you can now use it to create IDM policies.
Troubleshooting SharePoint document indexing
1. Log on to the SharePoint system where you want to enable WebDAV.
2. Open the Internet Information Services (IIS) Manager console.
3. Select the server name in the IIS tree.
4. Expand the tree, click the Web Sites folder and expand it.
5. Select the SharePoint instance from the list.
6. Right-click the SharePoint instance and select New > Virtual Directory.
7. The Virtual Directory Creation Wizard appears. Click Next.
8. Enter a name in the Alias field (such as "WebDAV") and click Next.
9. Enter a directory path in the Web Site Content Directory field. It can be any directory path as long as it exists. Click
Next.
10. Select Read access and click Next.
11. Click Finish.
12. Right-click the virtual directory that you created and select Properties.
13. In the Virtual Directory tab, select the option "A redirection to a URL" and click Create. The alias name is populated
in the Application Name field.
14. Enter the SharePoint site URL in the "Redirect to" field and click OK. WebDAV is now enabled for this SharePoint
instance.
• net use
This command without parameters retrieves and displays a list of network connections.
• net use s: "\\sharepoint_server\Shared Documents"
This command assigns (maps) the SharePoint share to the local "S" drive. The quotation marks are required because the share name contains a space.
• net use * "\\sharepoint_server\Shared Documents"
This command assigns (maps) the SharePoint share to the next available drive letter.
• net use s: /delete
This command removes the network mapping to the specified drive.
Filter documents from indexing to reduce false positives
File name filters distinguished describes the differences between the include and exclude filters for file names.
Filter Description
File Name Include Filters – If the File Name Include Filters field is empty, matching is performed on all documents in the document profile. If you enter anything in the File Name Include Filters field, it is treated as an inclusion filter. In this case the document is indexed only if it matches the filter you specify. For example, if you enter *.docx in the File Name Include Filters field, the system indexes only the *.docx files in the document source.
File Name Exclude Filters – The Exclude Filters field lets you specify the documents to exclude from the matching process. If you leave the Exclude Filters field empty, the system performs matching on all documents in the ZIP file or file share. If you enter any values in the field, the system scans only those documents that do not match the filter.
The system treats forward slashes (/) and backslashes (\) as equivalent. The system ignores whitespace at the beginning
or end of the pattern. File name filtering does not support escape characters, so you cannot match on literal question
marks, commas, or asterisks.
File name filtering syntax describes the syntax accepted by the File Name Filters feature. The syntax for the Include and
Exclude filters is the same.
Operator Description
File name filter examples provides sample filters and describes the behavior if you enter them in the File Name Include Filters field:
*.txt,*.docx – The system indexes only .txt and .docx files in the ZIP file or file share, ignoring everything else.
?????.docx – The system indexes only files with the .docx extension and a five-character base name, such as hello.docx and stats.docx, but not good.docx or marketing.docx.
*/documentation/*,*/specs/* – The system indexes only files in two subdirectories below the root directory, one called "documentation" and the other called "specs."
Example with wildcards and subdirectories: *\scan_dir\l*.txt – IDM indexing fails or ignores the filter setting if the File Name Include / Exclude filter string starts with an alphanumeric character and includes a wildcard, for example l*.txt. The workaround is to configure the include/exclude filter with the filter string as indicated in this example, that is, *\scan_dir\l*.txt. For example, the filter l*.txt does not work for the file path \\dlp.symantec.com\scan_dir\lincoln-LyceumAddress.txt. However, if the filter is configured as *\scan_dir\l*.txt, the indexer acknowledges the filter and indexes the file.
Filtering documents by file size
Filters let you specify documents to include or exclude from indexing. The types of filters include File Name Include Filters,
File Name Exclude Filters, and File Size Filters. You use file size filters to exclude files from the matching process based
on their size. Any files that match the size filters are ignored.
Filtering documents by file name
In the Size Filters fields, specify any restrictions on the size of files the system should index. In general you should use
only one type of file size filter.
Filter documents from indexing to reduce false positives
File size filter configuration options describes the file size filter options.
Filter Description
Ignore Files Smaller Than – To exclude files smaller than a particular size:
• Enter a number in the field for Ignore Files Smaller Than.
• Select the appropriate unit of measure, Bytes, KB (kilobytes), or MB (megabytes), from the drop-down list.
For example, to prevent indexing of files smaller than one kilobyte (1 KB), enter 1 in the field and select KB from the corresponding drop-down list.
Ignore Files Larger Than – To exclude files larger than a particular size:
• Enter a number in the field for Ignore Files Larger Than.
• Select the appropriate unit of measure (Bytes, KB, or MB) from the drop-down list.
For example, to prevent indexing of files larger than two megabytes (2 MB), enter 2 in the field and select MB from the corresponding drop-down list.
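The include, exclude and size filter rules described in the file name and file size filter sections above, written out as an added Python example. This is not Symantec code; it models the documented behaviour so you can check what a filter string will select before committing an index. Assumptions beyond the page: a pattern that contains no path separator is matched against the file name only (this is what makes ?????.docx match hello.docx in a subdirectory), matching is case-insensitive as on Windows shares, and the documented quirk with filters that start with an alphanumeric character and contain a wildcard is not modelled; the sample paths are constructed.

```python
import re
from typing import List, Optional


def _split_patterns(filter_text: str) -> List[str]:
    """Split a filter field on commas or newlines and trim surrounding whitespace.
    The page says both separators are accepted and that leading/trailing whitespace is ignored."""
    return [p.strip() for p in re.split(r"[,\n]", filter_text or "") if p.strip()]


def _normalize_path(path: str) -> str:
    # The page states that / and \ are treated as equivalent; fold both to /.
    return path.replace("\\", "/")


def _glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate a filter glob into a regex. Only * and ? are operators; the page says
    there are no escape characters, so every other character is literal."""
    out = []
    for ch in _normalize_path(pattern):
        if ch == "*":
            out.append(".*")          # * spans any run of characters, including /
        elif ch == "?":
            out.append(".")           # ? matches exactly one character
        else:
            out.append(re.escape(ch))
    # Assumption: case-insensitive matching, as on Windows file shares.
    return re.compile("".join(out), re.IGNORECASE)


def matches_filter(path: str, pattern: str) -> bool:
    """Assumption: a pattern containing a separator is matched against the whole
    normalized path; a pattern without one is matched against the base name only."""
    norm = _normalize_path(path)
    target = norm if "/" in _normalize_path(pattern) else norm.rsplit("/", 1)[-1]
    return _glob_to_regex(pattern).fullmatch(target) is not None


def should_index(path: str, size_bytes: int,
                 include_filters: str = "", exclude_filters: str = "",
                 ignore_smaller_than: Optional[int] = None,
                 ignore_larger_than: Optional[int] = None) -> bool:
    """Decide whether one document survives the name and size filters."""
    includes = _split_patterns(include_filters)
    excludes = _split_patterns(exclude_filters)
    if includes and not any(matches_filter(path, p) for p in includes):
        return False   # include list present: only documents matching it are indexed
    if any(matches_filter(path, p) for p in excludes):
        return False   # exclude list: anything matching it is skipped
    if ignore_smaller_than is not None and size_bytes < ignore_smaller_than:
        return False   # "Ignore Files Smaller Than"
    if ignore_larger_than is not None and size_bytes > ignore_larger_than:
        return False   # "Ignore Files Larger Than"
    return True


if __name__ == "__main__":
    # Constructed sample paths, sizes in bytes.
    sample = [("/share/hello.docx", 4096), ("/share/marketing.docx", 4096),
              ("/root/specs/a.pdf", 3 * 1024 * 1024), ("/share/tiny.txt", 512)]
    for p, size in sample:
        print(p, should_index(p, size, include_filters="?????.docx,*/specs/*",
                              ignore_smaller_than=1024, ignore_larger_than=2 * 1024 * 1024))
```

Run it against a listing of the share before indexing to confirm the filter string selects what you expect; an include filter that matches nothing silently produces an empty index.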
Parameter Description
Once On – Enter the date to index the document profile in the format MM/DD/YY. You can also click the date widget and select a date.
At – Select the hour to start indexing.
By Minute At – Select the minute frequency to start indexing.
Until – Select this check box to specify a date in the format MM/DD/YY when the indexing should stop. You can also click the date widget and select a date.
4. Change the numerical portion of the parameter value to the minimum number of characters that you want to allow in Whitelisted.txt.
For example, to change the minimum to 30 characters, modify the value to look like the following:
low_threshold_k=30
The value for this parameter must match the min_normalized_size value. The default for
min_normalized_size is 50.
5. Save the file.
For more information on IDM configuration and customization, see the article "Understanding IDM configuration and
customization" at http://www.support.symantec.com at the Symantec Support Center.
Enabling Agent IDM
You enable exact and partial match IDM on the Windows endpoint by setting the advanced agent configuration parameter Detection.TWO_TIER_IDM_ENABLED.str to OFF. Once two-tier detection is OFF, the DLP Agent performs exact and partial file matching and exact and partial file contents matching, assuming you have generated the endpoint index.
NOTE
Two-tier deployment is not supported on the Mac Agent.
Creating and modifying Indexed Document Profiles
For new installations, exact and partial match IDM on the endpoint is the default setting for the default endpoint agent
configuration (TWO_TIER_IDM_ENABLED = OFF); you do not need to enable it.
For upgraded systems, exact and partial match IDM on the endpoint is disabled (TWO_TIER_IDM_ENABLED = ON) so
that there is no change in functionality for existing IDM policies deployed to the endpoint. If you want to use exact match
IDM on the endpoint after upgrade, you need to turn off two-tier detection and reindex each document data source.
To turn two-tier detection on or off
1. Log on to the Enforce Server administration console.
2. Navigate to System > Agents > Agent Configuration.
3. Select the applicable agent configuration.
4. Select the Advanced Agent Settings tab.
5. Locate the Detection.TWO_TIER_IDM_ENABLED.str parameter.
6. Change the value to either "ON" or "OFF" (case insensitive) depending on your requirements.
Advanced agent settings for exact match IDM on the endpoint
7. Click Save at the top of the page to save the changes.
8. Apply the agent configuration to the agent group or groups.
Table 506: Advanced agent settings for exact match IDM on the endpoint
Advanced Agent Setting parameter Value Default Detection engine Matching type
Configuring the Content Matches Document Signature policy condition
The Content Matches Document Signature From matches unstructured document content that is based on the Indexed
Document Profile. The Content Matches Document Signature From condition is available for detection rules and
exceptions.
About using the Content Matches Document Signature policy condition
To configure the Content Matches Document Signature condition:
1. Add an IDM condition to a policy rule or exception, or modify an existing one.
Configuring policies
Configuring Policy Rules
Configuring policy exceptions
2. Configure the IDM condition parameters.
Content Matches Document Signature condition parameters
3. Save the policy configuration.
Action Description
Set the Minimum Document Exposure. – Select an option from the drop-down list. Choose Exact to match document contents exactly. Choose a percentage between 10% and 90% to match document contents partially.
Configure Match Counting. – Select how you want to count matches:
• Check for existence – Reports a match count of 1 if there are one or more condition matches.
• Count all matches – Reports a match count of the exact number of matches.
Configuring Match Counting
Select the components to Match On. – Select one of the available message components to match on:
• Body – The content of the message.
• Attachments – Any files that are attached to the message or transferred by the message.
Selecting components to match on
Configure other conditions to Also Match. – Select this option to create a compound rule. All conditions must be met to trigger or except a match. You can Add any available condition from the drop-down menu.
Test and tune the policy. – Test and tune policies to improve match accuracy
Use parallel IDM rules to tune match thresholds
Troubleshooting policies
Table 508: IDM policy best practices
Consideration Description
Reindex IDM profiles after upgrade. – Reindex IDM profiles after upgrade
Do not compress documents whose content you want to fingerprint. – Do not compress files in the document source
Prefer partial matching over exact matching on the DLP Agent. – Prefer partial matching over exact matching on the DLP Agent
Do not index empty text-based documents. – Do not index empty documents
Be aware of the limitations of exact matching. – Understand limitations of exact matching
Use white listing to exclude partial file contents from matching and reduce false positives. – Use white listing to exclude non-sensitive content from partial matching
Filter non-critical documents from indexing to reduce false positives. – Filter documents from indexing to reduce false positives
Change the index max size to index more than 1,000,000 documents. – Create separate profiles to index large document sources
Use scheduled indexing to automate profile updates. – Use scheduled indexing to keep profiles up to date
Use multiple IDM rules in parallel to establish and tune match thresholds. – Use parallel IDM rules to tune match thresholds
Do not index empty documents
You should be careful about the documents you index. In particular, avoid indexing blank or empty documents.
For example, indexing a PPTX file containing only photographs or other graphical content but no textual content matches other blank PPTX files exactly and produces false positives. In this case, even though a PPTX file contains no user-entered text, the file does contain header and footer placeholder text that the system extracts as file contents. Because the amount of text extracted and normalized is more than 50 non-whitespace characters, the system treats the file as not binary and creates a cryptographic hash of all of the file contents. As a result, all other blank PPTX files produce exact file contents matches because the resulting MD5 of the extracted content is the same.
NOTE
This behavior has not been observed with XLSX files; that is, false positives do not get created if the blank files
are different.
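The failure mode just described, reproduced as an added Python example that is not Symantec code: extracted text is normalized, anything with at least 50 non-whitespace characters (the min_normalized_size default from the IDM configuration section above) is fingerprinted, and two blank decks whose only text is placeholder boilerplate end up with the same hash. The second function is the pre-indexing check a practitioner would want: it groups documents that share a fingerprint so blank or boilerplate-only files can be removed from the document source before they are indexed. MD5 is used only because the page states that is the hash the index stores; the normalizer here removes whitespace only (an assumption, the product's normalization is not documented on this page), and the placeholder text and file names are constructed.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Default min_normalized_size from the IDM indexer configuration described on this page.
MIN_NORMALIZED_SIZE = 50


def normalize(text: str) -> str:
    """Strip all whitespace so the length counts non-whitespace characters only.
    Assumption: the real normalizer does more (case, punctuation); only whitespace is modelled."""
    return re.sub(r"\s+", "", text)


def content_fingerprint(extracted_text: str) -> Optional[str]:
    """Return the MD5 of the normalized content, or None when the normalized text is shorter
    than MIN_NORMALIZED_SIZE and the document would be treated as binary rather than text."""
    norm = normalize(extracted_text)
    if len(norm) < MIN_NORMALIZED_SIZE:
        return None
    return hashlib.md5(norm.encode("utf-8")).hexdigest()


def find_colliding_documents(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Given {file_name: extracted_text}, return {fingerprint: [file names]} for every
    fingerprint shared by more than one document. Each such group will match each other
    exactly at detection time, which is the blank-PPTX false positive the page describes."""
    groups = defaultdict(list)
    for name, text in docs.items():
        fp = content_fingerprint(text)
        if fp is not None:
            groups[fp].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


# Constructed sample: the placeholder text a blank slide deck yields after extraction
# (64 non-whitespace characters, so it clears the 50-character threshold).
BLANK_PLACEHOLDER = "Click to add title Click to add subtitle Click to add notes Footer text Slide 1"

SAMPLE_DOCS = {
    "blank_deck_a.pptx": BLANK_PLACEHOLDER,
    "blank_deck_b.pptx": "  " + BLANK_PLACEHOLDER + "\n",   # same text, different whitespace
    "quarterly_results.pptx": BLANK_PLACEHOLDER + " Revenue grew 12% year over year; margin guidance raised.",
    "empty_note.txt": "Draft",                               # too short to be fingerprinted
}

if __name__ == "__main__":
    for fp, names in find_colliding_documents(SAMPLE_DOCS).items():
        print(f"{fp}: {', '.join(names)}  <- remove all but one, or none, before indexing")
```

Run the collision check over the extracted text of a document source before building the profile; any group it reports is a set of files that will produce exact matches against each other and against every other file with the same boilerplate.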
Using IDM to detect exact and partial file contents
File type Application Result on Resave
Distinguish IDM Exceptions from Safe Listing and Filtering
Safe listing lets you exclude partial file contents from matching. Filtering lets you exclude specific documents from the
indexing process. IDM exceptions, on the other hand, let you except indexed files from exact matching at runtime.
You use the IDM condition as a policy exception to exclude files from detection. To be excepted from matching, an
inbound file must be an exact match with a file in the IDM index. You cannot use IDM exceptions to exclude content from
matching. To exclude content, you must safe-list it.
NOTE
Safe listing is not available for exact file or file contents matching; it is only available for partial content matching.
Before you set up an indexing schedule, consider the following recommendations:
• If you update your document sources occasionally (for example, less than once a month), there is no need to create a
schedule. Index the document each time you update it.
• Schedule indexing for times of minimal system use. Indexing affects performance throughout the Symantec Data Loss
Prevention system, and large documents can take time to index.
• Index a document as soon as you add or modify the corresponding document profile, and re-index the document
whenever you update it. For example, consider a situation where every Wednesday at 2:00 A.M. you update a
document. In this case scheduling the index process to run every Wednesday at 3:00 A.M. is optimal. Scheduling
document indexing daily is not recommended because that is too frequent and can degrade server performance.
• Monitor results and modify your indexing schedule accordingly. If performance is good and you want more timely
updates, schedule more frequent document updates and indexing.
• Symantec Data Loss Prevention performs incremental indexing. When a previously indexed share or directory
is indexed again, only the files that have changed or been added are indexed. Any files that are no longer in the
archive are deleted during this indexing. So a reindexing operation can run significantly faster than the initial indexing
operation.
The Remote IDM Indexer is supported on Windows and Linux platforms. The tool is configured using a command line
interface (CLI) or a properties file. On Windows, you can use the graphical user interface (GUI) edition of the tool to
configure it.
You can integrate the tool with external systems to schedule indexing. In addition, you can incrementally index a data
source by specifying an existing *.prdx file when you run the tool.
Feature Description
4. Verify installation of the Remote IDM Indexer.
Platform Installer
Linux – SymantecDLPIndexers.zip
Windows – Indexers.msi
Indexing the Document Data Source Using the GUI Edition (Windows only)
To configure the UI edition of the Remote IDM Indexer, you enter the parameters into the required fields. Optionally you
can provide additional parameters, such as a safe list file for filters.
On successful completion of indexing, the preindex file ( *.prdx) is generated. You move this file to the Enforce Server to
complete the indexing process.
Remote IDM Indexer GUI edition shows the GUI edition of the Remote IDM Indexer.
Configuring the Remote IDM Indexer using the GUI edition provides instructions for configuring the GUI edition of the
Remote IDM Indexer.
Table 514: Configuring the Remote IDM Indexer using the GUI edition
Step Parameters Description
1 Enter the Source URI path. – The source URI is the local file path (directory folder) where the files to be indexed are stored. It can also be a shared file system path accessible by the host. The files to be indexed should not be encapsulated. If the document data source requires credentials you provide them in the URI Credentials section.
2 Enter the Output File name. – Specify the file path and name for the preindex file that the tool generates. Include the *.prdx file extension when you specify the output file name.
3 Optionally, enter the safe list file path. – Specify the file path to the safelist.txt file. Text in the safe list file is ignored during detection for server-based partial matching.
4 Optionally, enter one or more File Name Filters. – Enter one or more file names to include for indexing or to exclude from indexing. The File Name Include Filter includes the named files for indexing. The File Name Exclude Filter excludes the named files from indexing. The format for the include and exclude filters accepts both comma-separated and newline-separated values. If you use a filter, use one type but not both. For example, if you choose to use a file name include filter, do not also provide a file name exclude filter.
5 Optionally, enter a File Size Filter. – If you choose Ignore Files Smaller Than, files under the specified size are not indexed. If you choose Ignore Files Larger Than, files over the specified size are not indexed.
6 Optionally, click Always keep files. – Click Always keep files:
• When you want to incrementally add multiple data sources to the same pre-index file.
• If you have a folder with content that gets moved and want to keep the old content in the pre-index file.
7 Click Run to index the data source immediately. – Click Run to start the indexing process. Alternatively, you can click Schedule to schedule indexing. The tool opens the Windows Task Utility.
Scheduling remote indexing with the Remote IDM Indexer app for Windows
8 Enter the Password for the pre-index file. – For security purposes you must provide a password for the pre-index file. The password must meet one of the following requirements:
• ASCII password: a minimum of 10 characters, with at least one upper case letter, one lower case letter, and one number.
• Non-ASCII password: a minimum of 10 characters, including at least one number.
The preindex file is encrypted with the password you provide. The password you enter here is required to load the preindex into the Enforce Server for indexing.
9 Verify indexing progress. – When you click Run, the status bar shows the scanning completion percentage. In addition the Progress section of the interface provides the following information:
Current Stage: States are Running, Completed, or Error.
Progress: The total number of files indexed.
Current File: The name of the file that is indexed.
CAUTION
If you run the tool from the command line with arguments, those arguments overwrite the parameters in the
properties file.
Required property file parameters lists and describes required parameters for running the Remote IDM Indexer from the
command line.
Refer to the Symantec Data Loss Prevention Help Center for details on preparing the document data source for indexing.
param.uri= – This parameter is the local file path (directory folder) or shared directory where the files to be indexed are stored. If you want to index the files from a share, you must mount that share on the system that contains the indexer. You must also specify the file path of that share in the param.uri field of the Remote IDM Indexer tool. The files should not be encapsulated.
param.out= – This parameter is the file path and name of the preindex file that the tool generates.
Optional property file parameters lists and describes optional parameters for running the Remote IDM Indexer from the command line.
param.whitelist= – This parameter is the full file path (including the name) to the allowlist.txt file. The allowlist file must be local to the Remote IDM Indexer. Text in the allowlist file is ignored during detection for partial file contents matching.
param.include_filter= – This parameter is the file type to include for indexing. Separate multiple file type entries with a comma.
param.exclude_filter= – This parameter is the file type to exclude for indexing. Multiple values are comma-separated.
param.min_filesize_bytes= – This parameter is the minimum file size filter. Files under the specified size are not indexed.
param.max_filesize_bytes= – This parameter is the maximum file size filter. Files over the specified size are not indexed.
This example passes arguments by way of the command line. In this case the properties file is ignored.
Symantec\Data Loss Prevention\Indexer\16.0.10000\Protect\bin>RemoteIDMIndexer -uri=\\10.66.195.173\remoteIDM\files -out=C:\temp\myRemoteIDMPreIndex.prdx
CAUTION
If you run the tool from the command line with arguments, those arguments overwrite the parameters in the
properties file.
Required CLI parameters lists and describes required parameters for running the Remote IDM Indexer from the command
line.
See Preparing the document data source for indexing for additional details.
-uri – This parameter is the local file path (directory folder) or shared directory where files to be indexed are stored. The files to be indexed should not be encapsulated.
-out – This parameter is the file path and name of the preindex file that the tool generates.
Optional CLI parameters lists and describes optional parameters for running the Remote IDM Indexer from the command line.
-whitelist – This parameter is the full file path to the whitelist.txt file. The whitelist file must be local to the Remote IDM Indexer. Text in the whitelist file is ignored during detection.
-include_filter – This parameter is one or more file types to include for indexing. Separate multiple entries with a comma.
-exclude_filter – This parameter is one or more file types to exclude for indexing. Separate multiple entries with a comma.
-min_filesize_bytes – This parameter is the minimum file size filter. Files under the specified size are not indexed.
-max_filesize_bytes – This parameter is the maximum file size filter. Files over the specified size are not indexed.
• Properties file: include the parameter param.index_password_file = <path_to_password_file> in the remote_indexer.properties file.
• CLI: include the invocation parameter -index_password_file=<path_to_password_file> at the command line.
Scheduling remote indexing with the Remote IDM Indexer app for Windows
If you use the Windows GUI version of the Remote IDM Indexer, you can schedule or edit a task directly from the tool. The following screen shots illustrate the process.
To schedule indexing using the Windows GUI version
To edit an existing scheduled task using the Windows GUI
To schedule indexing using the Windows GUI version
1. Click Schedule to open the dialog.
Scheduling remote indexing with the Remote IDM Indexer app for Windows
2. Click Create to create a new scheduled task. Or, if you already have a task created, click Edit.
You are prompted to provide a UTF8-encoded password file in cleartext for the scheduled job. Access to this file should be limited to the appropriate user, such as your Protect user.
Click Create and provide the credentials to the Windows host.
3. Enter the user name and password for the Windows host where the Task Scheduler is installed.
When you enter the appropriate credentials (generally administrator privileges are required), the Remote IDM Indexer creates a new task in the Windows Task Scheduler. The tool displays a dialog indicating that the task was successfully created and provides you with the name of the task.
Successfully scheduled task dialog
4. Click OK to close the dialog.
After you complete this operation, the Windows Task Scheduler interface appears.
5. Select the SymantecDLP folder in the Task Scheduler Library.
Notice to the right that there is a task created named "Remote IDM Indexer <time-stamp>".
Symantec DLP scheduled task
6. Double-click the created task.
This action brings up the Windows Task Scheduler properties dialog for this task. Using this dialog you can schedule when the Remote IDM Indexer should run. Refer to the Task Scheduler help for details on using the Windows Task Scheduler.
exclude_filter=*.docx) and run the indexing job again, the .docx files are removed from the index and only the
.pptx files remain.
\16.0.10000\documentprofiles or on Linux: /var/Symantec/DataLossPrevention/
ServerPlatformCommon/16.0.10000/documentprofiles, the file does not appear in the drop-down field
for selection.
-index_password_file – This parameter is the full file path to the text file containing a password. For security, the tool requires a password file that is local to the indexer. The password must be a minimum of 10 characters. The password must include at least one number, one lowercase letter, and one upper case letter (ASCII only). The preindex file is encrypted and password-protected with the password in the password file. The password is required to load the preindex into Enforce for indexing. The use of a password file is allowed only with cron jobs.
param.index_password_file= – Note: Password files can only be used with Windows Task Scheduler or Linux cron jobs. You cannot use a password file with the GUI or command line. For security purposes the tool requires a password file that is local to the indexer. The preindex file is encrypted and password-protected with the password in the password file. The password is required to load the preindex into Enforce for indexing. The use of a password file is more secure than entering the password in clear text in the properties file.
-user – This parameter is the name of the user with read and write privileges for the directory where the files to be indexed are stored. You must run the tool as a user who has privileges for the file path where the data source files are located. For example: Windows = Administrator; Linux = root.
-password – This parameter is the password for the host where the files to be indexed are stored.
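The pre-index password policy (stated for the GUI in step 8 of Table 514 and again for -index_password_file) and the password-file handling for scheduled runs, as an added Python example that is not part of the Remote IDM Indexer. It validates a candidate password against the documented rules, writes the UTF-8 cleartext password file so that only the owning user can read it, renders a remote_indexer.properties file using only the param.* keys listed on this page, and checks the file mode afterwards. Assumptions beyond the page: POSIX mode 0600 stands in for "access limited to the appropriate user" (Windows ACLs work differently), and the paths in demo() are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional, Sequence


def password_meets_policy(password: str) -> bool:
    """Rules from this page: at least 10 characters; an ASCII password also needs an
    upper-case letter, a lower-case letter and a number; a non-ASCII password needs a number."""
    if len(password) < 10:
        return False
    has_digit = any(c.isdigit() for c in password)
    if password.isascii():
        return has_digit and any(c.isupper() for c in password) and any(c.islower() for c in password)
    return has_digit


def write_password_file(path: Path, password: str) -> Path:
    """Write the UTF-8 cleartext password file, created with mode 0600 from the start so it
    is never world-readable even for an instant (assumed POSIX semantics)."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the pre-index file policy")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(password)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def password_file_is_private(path: Path) -> bool:
    """True when group and others have no access bits on the password file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def build_properties(uri: str, out: str, password_file: Path,
                     whitelist: Optional[str] = None,
                     include_filter: Sequence[str] = (), exclude_filter: Sequence[str] = (),
                     min_filesize_bytes: Optional[int] = None,
                     max_filesize_bytes: Optional[int] = None) -> str:
    """Render remote_indexer.properties with the keys documented above. The page advises
    one filter type, not both, so mixing include and exclude filters is rejected."""
    if include_filter and exclude_filter:
        raise ValueError("use either an include filter or an exclude filter, not both")
    lines = [f"param.uri={uri}", f"param.out={out}",
             f"param.index_password_file={password_file}"]   # file path, never the password itself
    if whitelist:
        lines.append(f"param.whitelist={whitelist}")
    if include_filter:
        lines.append("param.include_filter=" + ",".join(include_filter))
    if exclude_filter:
        lines.append("param.exclude_filter=" + ",".join(exclude_filter))
    if min_filesize_bytes is not None:
        lines.append(f"param.min_filesize_bytes={min_filesize_bytes}")
    if max_filesize_bytes is not None:
        lines.append(f"param.max_filesize_bytes={max_filesize_bytes}")
    return "\n".join(lines) + "\n"


def demo() -> dict:
    """Run the whole flow in a temporary directory and report what was produced.
    The source and output paths are constructed; substitute the mounted share and target."""
    with tempfile.TemporaryDirectory() as d:
        pw_file = write_password_file(Path(d) / "preindex.pw", "Ex4mplePassw0rd")
        props = build_properties(uri="/mnt/remoteIDM/files", out="/tmp/myRemoteIDMPreIndex.prdx",
                                 password_file=pw_file, exclude_filter=["*.tmp", "*.log"],
                                 max_filesize_bytes=2 * 1024 * 1024)
        return {"private": password_file_is_private(pw_file), "properties": props,
                "stored": pw_file.read_text(encoding="utf-8")}


if __name__ == "__main__":
    result = demo()
    print("password file private:", result["private"])
    print(result["properties"])
```

The properties file never carries the password itself, only the path to the password file, which is the point of the page's recommendation; the private-mode check is what a scheduled job should assert before it runs the indexer.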
With VML you do not have to locate and fingerprint all of the data you want to protect. You also do not have to describe
it and risk potential inaccuracies. Instead, you train the system to learn the type of content you want to protect based on
example documents you provide.
VML detection is based on a VML profile. You create a VML profile by uploading a representative amount of content from
a specific category of data. The system scans the content, extracts the features, and creates a statistical model based on
the frequency of keywords in the example documents. At run-time the system applies the model to analyze and detect the
content that has the features that are statistically similar to the profile.
VML simplifies the detection of unstructured, text-based content and offers the potential for high accuracy. The key to
implementing VML is the example content you train the system against. You must be careful to select the documents that
are representative of the type of content you want to protect. And, you must select good examples of content you want to
ignore that are closely related to the content you want to protect.
Configuring VML profiles and policy conditions
Table 519: VML training set requirements
Base false positive rate (%) – The percentage of the content in the negative training set that is statistically similar to the positive content.
Base false negative rate (%) – The percentage of the content in the positive training set that is statistically similar to negative content.
Consider an example where a Similarity Threshold is set to 4 and a message with a Similarity Score of 5 is detected.
In this case the system reports the match as an incident and displays the Similarity Score during match highlighting.
However, if a message is detected with a Similarity Score of 3, the system does not report a match (and no incident)
because the Similarity Score is below the Similarity Threshold.
Similarity Threshold and Similarity Score details describes the Similarity Threshold and Similarity Score numbers.
Similarity Description
Similarity Threshold – The Similarity Threshold is a configurable parameter between 0 and 10 that is unique to each VML profile. The default setting is 10, which requires the closest match between the VML profile features and the detected message content. As such, this setting is likely to produce fewer incidents. A setting of 0 produces the greatest number of matches, many of which are likely to be false positives.
Adjusting the Similarity Threshold
Similarity Score – The Similarity Score is a read-only run-time statistic between 0 and 10 reported by the system based on the detection results of a VML policy. To report an incident, the Similarity Score must be higher than the Similarity Threshold; otherwise the VML policy does not report a match.
Discover Server – Discover scanning does not begin until all policy dependencies are loaded. A Discover scan based on a VML policy does not start until the referenced VML profile is accepted. In this case the system displays a message in the Discover scanning interface that indicates that the scan waits on the dependency to load.
Network and Endpoint Servers – For a simple rule, or a compound rule where the conditions are ANDed, the entire rule fails because the VML condition cannot match. If this is the only rule in the policy, the policy does not work. For a policy where there are multiple rules that are ORed, only the VML rule fails; the other rules in the policy are evaluated.
Policy detection execution
Table 523: Implementing VML
Step 1 Collect the example documents for training the system. – Collect a representative number of example documents that contain the positive content that you want to protect and the negative content you want to ignore.
About the content you train
Step 2 Create a new VML profile. – Define a new VML profile based on the specific business category of data from which you have derived your positive and negative training sets.
Creating new VML profiles
Step 3 Upload the example documents. – Upload the example positive and negative training sets separately to the Enforce Server.
Uploading example documents for training
Step 4 Train the VML profile. – Train the system to learn the type of content you want to protect and generate the VML profile.
Training VML profiles
Step 5 Accept or reject the trained profile. – Accept the trained profile to deploy it. Or, reject the profile, update one or both of the training sets (by adding or removing example documents), and restart the training process.
About the base accuracy from training percentage rates
Managing VML profiles
Step 6 Create a VML policy and test detection. – Create a VML policy that references the VML profile.
Configuring the Detect using Vector Machine Learning Profile condition
Test and review incidents based on the Similarity Score.
About the Similarity Threshold and Similarity Score
Step 7 Tune the VML profile. – Adjust the Similarity Threshold setting as necessary to optimize detection results.
Adjusting the Similarity Threshold
Step 8 Follow VML best practices. – Best practices for using VML
4. Click Create to create the new VML profile.
Or, click Cancel to cancel the operation.
5. Click Manage Profile to upload example documents.
Uploading example documents for training
The Temporary Workspace tab remains present in the user interface until you train and accept a new version of the VML
profile. In other words, there is no way to close the Temporary Workspace tab without training and accepting, even if you
made no changes to the profile.
Once you accept a new version of the VML profile, the system overwrites the previous Current Profile with the newly
accepted version. You cannot revert to a previously accepted Current Profile. However, you can revert to previous
versions of the training set for a Temporary Profile.
Managing training set documents
Working with the Current Profile and Temporary Workspace tabs
2. Click Upload Contents (if you have not already done so).
This action opens the Upload Contents dialog.
3. Select the category of content:
• Choose Positive: match contents similar to these to upload a positive document archive.
• Choose Negative: ignore contents similar to these to upload a negative document archive.
4. Click Browse to select the document archive to upload.
5. Navigate the file system to where you have stored the example documents.
6. Choose the file to upload and click Open.
7. Verify that you have chosen the correct category of content: Positive or Negative.
If you mismatch the upload (select Negative but upload a Positive document archive), the resulting profile is
inaccurate.
8. Click Submit to upload the document archive to the Enforce Server.
The system displays a message indicating if the file successfully uploaded. If the upload was successful, the document
archive appears in the New Documents table. This table displays the document type, name, size, date uploaded, and
the user who uploaded it. If the upload was not successful, check the error message and retry the upload. Click the X
icon in the Remove column to delete an uploaded document or document archive from the training set.
9. Click Upload Contents to repeat the process for the other training set.
The profile is not complete and cannot be trained until you have uploaded the minimum number of positive and
negative example documents.
VML training set requirements
10. Once you have successfully uploaded both training sets you are ready to train the VML profile.
Training VML profiles
Table 524: Training the VML profile

Step 1: Enable training mode.
Select the VML profile you want to train from the Manage > Data Profiles > Vector Machine Learning screen. Or, create a new VML profile.
Creating new VML profiles
Click Manage Profile to the far right of the Current Profile tab. The system displays the profile for training in the Temporary Workspace tab.
Working with the Current Profile and Temporary Workspace tabs

Step 2: Upload the training content.
Familiarize yourself with the training set requirements and recommendations.
About the content you train
Upload the positive and the negative training sets in separate document archives to the Enforce Server.
Uploading example documents for training

Step 3: Adjust the memory allocation (only if necessary).
The default value is "High", which generally results in the best training set accuracy rates. Typically you do not need to change this setting. For some situations you may want to choose a "Medium" or "Low" memory setting (for example, deploying the profile to the endpoint).
Adjusting the memory allocation
Note: If you change the memory setting, you must do so before you train the profile to ensure accurate training results. If you have already trained the profile, you must retrain it after you adjust the memory allocation.

Step 4: Start the training process.
Click Start Training to begin the profile training process.
During the training process, the system:
• Extracts the key features from the content;
• Creates the model;
• Calculates the predicted accuracy based on the averaged false positive and false negative rates for the entire training set;
• Generates the VML profile.

Step 5: Verify training completion.
When the training process completes, the system indicates if the training profile was successfully created.
If the training process failed, the system displays an error. Check the debug log files and restart the training process.
On successful completion of the training process, the system displays the following information for the New Profile:
• Trained Example Documents
The number of example documents in each training set that the system has trained against and profiled.
• Accuracy Rate From Training
The quality of the training set expressed as base false positive and base false negative percentage rates.
About the base accuracy from training percentage rates
• Memory
The minimum amount of memory that is required to load the profile at run-time for detection.
Note: If you previously accepted the profile, the system also displays the Current Profile statistics for side-by-side comparison.

Step 6: Accept or reject the training profile.
If the training process is successful, the system prompts you to accept or reject the training profile. Your decision is based on the Accuracy Rate from Training percentages.
About the base accuracy from training percentage rates
To accept or reject the training profile:
• Click Accept to save the training results as the active Current Profile.
Once you accept the training profile, it appears in the Current Profile tab and the Temporary Workspace tab is removed.
• Click Reject to discard the training results.
The profile remains in the Temporary Workspace tab for editing. You can adjust one or both of the training sets by adding or removing documents and retraining the profile.
Managing training set documents
Note: A trained VML profile is not active until you accept it. The system lets you create a policy based on a VML profile that has not been trained or accepted. However, the VML profile is not deployed to that policy until the profile is accepted.
About using unaccepted VML profiles in policies

Step 7: Test and tune the profile.
Once you have successfully trained and accepted the VML profile, you can use it to define policy rules and tune the VML profile.
Configuring the Detect using Vector Machine Learning Profile condition
About the Similarity Threshold and Similarity Score
5. Verify the amount of memory that is required to run the VML profile.
After you train the VML profile, the system displays the Memory Required (KB) value. This value represents the minimum amount of memory that is required to load the profile at run-time.
Managing VML profiles
Table 525: Creating and managing VML profiles

Create new profiles.
Click New Profile to create a new VML profile.
Creating new VML profiles

View and sort profiles.
The system lists all existing VML profiles and their state at the Vector Machine Learning screen. Click the column header to sort the VML profiles by name or status.

Manage and train profiles.
Select a VML profile from the list to display and manage it.
The Current Profile tab displays the active profile.
Working with the Current Profile and Temporary Workspace tabs
Click Manage Profile to edit the profile.
The editable profile appears in the Temporary Workspace tab. From this tab you can:
• Upload training set documents.
Uploading example documents for training
• Train the profile.
Training VML profiles
• Add and remove documents from the training sets.
Managing training set documents

Monitor profiles.
The system lists and describes the status of all VML profiles.
• Memory Required (KB)
The minimum amount of memory that is required to load the profile in memory for detection.
Adjusting the memory allocation
• Status
The present status of the profile.
Status values for VML profiles
• Deployment Status
The historical status of the profile.
Deployment Status values for VML profiles

Remove profiles.
Click the X icon at the far right to delete an existing profile.
If you delete an existing profile, the system removes the profile metadata and the Training Set from the Enforce Server.
The Status field displays the current state of each VML profile.
The Deployment Status field indicates if the VML profile has ever been accepted or not.
Table 527: Deployment Status values for VML profiles
Step 1: Create and train the VML profile.
Creating new VML profiles
Training VML profiles
About using unaccepted VML profiles in policies

Step 2: Configure a new or an existing policy.
Configuring policies

Step 3: Add the VML rule to the policy.
From the Configure Policy screen:
• Select Add Rule.
• Select the Detect using Vector Machine Learning profile rule from the list of content rules.
• Select the VML profile you want to use from the drop-down menu.
• Click Next.

Step 4: Configure the VML detection rule.
Name the rule and configure the rule severity.
Configuring Policy Rules

Step 5: Select components to match on.
Select one or both message components to Match On:
• Body, which is the content of the message
• Attachments, which are any files transported by the message
Note: On the endpoint, the Symantec DLP Agent matches on the entire message, not individual message components.
Selecting components to match on

Step 6: Configure additional conditions (optional).
Optionally, you can create a compound detection rule by adding more conditions to the rule.
To add additional conditions, select the desired condition from the drop-down menu and click Add.
Note: All conditions must match for the rule to trigger an incident.
Configuring compound rules

Step 7: Save the policy configuration.
Click OK then click Save to save the policy.
Step 1: Create and train the VML profile.
Creating new VML profiles
Training VML profiles

Step 2: Configure a new or an existing policy.
Configuring policies

Step 3: Add a VML exception to the policy.
From the Configure Policy screen:
• Select Add Exception.
• Select the Detect using Vector Machine Learning profile exception from the list of content exceptions.
• Select the VML profile you want to use from the drop-down menu.
• Click Next.

Step 4: Configure the policy exception.
Name the exception.
Select the components you want to apply the exception to:
• Entire Message
Select this option to compare the exception against the entire message. If an exception is found anywhere in the message, the exception is triggered and no matching occurs.
• Matched Components Only
Select this option to match the exception against the same component as the rule. For example, if the rule matches on the Body and the exception occurs in an attachment, the exception is not triggered.

Step 5: Configure the condition.
Generally you can accept the default condition settings for policy exceptions.
Configuring policy exceptions

Step 6: Save the policy configuration.
Click OK then click Save to save the policy.
Adjusting the Similarity Threshold
You adjust the Similarity Threshold setting to tune the VML profile. The Similarity Threshold determines how similar
detected content must be to a VML profile to produce an incident.
About the Similarity Threshold and Similarity Score
NOTE
You do not have to retrain the VML profile after you adjust the Similarity Threshold, unless you modify a training
set based on testing results.
To adjust the Current Value of the Similarity Threshold
1. Click Edit beside the Similarity Threshold label for the VML profile you want to tune.
This action opens the Similarity Threshold dialog.
2. Drag the meter to the desired Current Value setting.
You set the Similarity Threshold to a decimal value between 0 and 10. The default value is 10, which produces fewer
incidents; a setting of 0 produces more incidents.
3. Click Save to save the Similarity Threshold setting.
4. Test the VML profile using a VML policy.
Compare the Similarity Scores across matches. A detected message must have a Similarity Score higher than the
Similarity Threshold to produce an incident. Make further adjustments to the Similarity Threshold setting as necessary
to optimize and fine-tune the VML profile.
Configuring the Detect using Vector Machine Learning Profile condition
Step 1: Train the VML profile.
Follow the recommendations in this guide for defining the category and uploading the training set documents. Adjust the memory allocation before you train the profile.

Step 2: Set the Similarity Threshold to 0.
The default Similarity Threshold is 10. At this value the system does not generate any incidents. A setting of 0 produces the most incidents, many of which are likely to be false positives. The purpose of setting the value to 0 is to see the entire range of potential matches. It also serves as the starting point for tuning the profile: the threshold is later set greater than the highest false positive score.

Step 3: Create a VML policy.
Create a policy that references the VML profile you want to tune. The profile must be accepted to be deployable to a policy.

Step 4: Test the policy.
Test the VML policy using a corpus of test data. For example, you can use the DLP_Wikipedia_sample.zip file to test your VML policies against. Create a mechanism to detect incidents. The mechanism can be a Discover scan target of a local file folder where you place the test data. Or it can be a DLP Agent scan of a copy/paste operation.

Step 5: Review any incidents.
Review any matches at the Incident Snapshot screen. Verify a relatively low Similarity Score for each match. A relatively low Similarity Score indicates a false positive. If one or more test documents produce a match with a relatively high Similarity Score, you have a training set quality issue. In this case you need to review the content and, if appropriate, add the document(s) to the positive training set. You then need to retrain and retune the profile.
Log files for troubleshooting VML training and policy detection

Step 6: Adjust the Similarity Threshold.
Review the incidents to determine the highest Similarity Score among the detected false positives that you have tested the profile against. Then adjust the Similarity Threshold for the profile to be greater than the highest Similarity Score for the false positives. For example, if the highest detected false positive has a Similarity Score of 4.5, set the Similarity Threshold to 4.6. This setting filters the known false positives from being reported as incidents.
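A worked version of Steps 5 and 6, added here as an example (not Symantec's code or tooling): given the Similarity Scores reviewed in the Incident Snapshot, it computes the threshold just above the highest known false positive, lists which test documents would still be reported, and flags false positives scoring close to the true matches, which the procedure treats as a training set quality problem rather than something the threshold fixes. The document names, scores and the 2.0 "gap" are constructed assumptions.

```python
"""Added example (not Symantec's code): pick a Similarity Threshold from the
scores observed during negative testing of a VML policy.

Rule from the tuning procedure: a message produces an incident only when its
Similarity Score is higher than the Similarity Threshold, so the threshold is
set one meter step above the highest score among the known false positives.
"""
from dataclasses import dataclass

THRESHOLD_MIN = 0.0    # testing starts here so every potential match is visible
THRESHOLD_MAX = 10.0   # the default; at 10 no message can produce an incident
STEP = 0.1             # the threshold meter is set in decimal steps


@dataclass(frozen=True)
class TestMatch:
    """One match reviewed at the Incident Snapshot screen (constructed data)."""
    document: str
    similarity_score: float
    is_sensitive: bool   # True when the analyst judged the document a true match


def recommended_threshold(matches, step=STEP):
    """Lowest threshold that filters every known false positive.

    The highest false-positive score is rounded up by one meter step because the
    score must be strictly greater than the threshold to be reported. With no
    false positives the threshold stays at the floor (0).
    """
    fp_scores = [m.similarity_score for m in matches if not m.is_sensitive]
    if not fp_scores:
        return THRESHOLD_MIN
    threshold = round(max(fp_scores) + step, 1)
    return min(threshold, THRESHOLD_MAX)


def incidents_at(matches, threshold):
    """Documents that would still be reported as incidents at `threshold`."""
    return [m.document for m in matches if m.similarity_score > threshold]


def suspicious_false_positives(matches, gap=2.0):
    """False positives whose score is within `gap` of the weakest true match.

    The procedure says a relatively *high* score on a test document points to a
    training-set quality issue (review it, possibly add it to the positive set,
    retrain). `gap` is an assumption, not a product setting.
    """
    true_scores = [m.similarity_score for m in matches if m.is_sensitive]
    if not true_scores:
        return []
    weakest_true = min(true_scores)
    return [m.document for m in matches
            if not m.is_sensitive and m.similarity_score >= weakest_true - gap]


# Constructed review results after testing with the Similarity Threshold at 0.
SAMPLE_MATCHES = [
    TestMatch("wiki_article_0017.txt", 1.2, False),
    TestMatch("wiki_article_0342.txt", 4.5, False),   # highest false positive
    TestMatch("wiki_article_0911.txt", 3.8, False),
    TestMatch("q3_sales_forecast.docx", 8.9, True),
    TestMatch("regional_pipeline.xlsx", 7.6, True),
]

if __name__ == "__main__":
    t = recommended_threshold(SAMPLE_MATCHES)
    print(f"Set the Similarity Threshold to {t}")             # 4.6
    print("Still reported:", incidents_at(SAMPLE_MATCHES, t))
    print("Review training set for:", suspicious_false_positives(SAMPLE_MATCHES))
```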
The following table lists and describes the VML training parameters available for configuration in properties file
MLDTraining.properties.
Table 532: Relevant configuration parameters for VML training
Parameter Description
Table 533: Configuration parameter for VML profiles

DEFAULT_SIMILARITY_THRESHOLD
Establishes the default value for the Similarity Threshold, which is 10. Changing this value affects the default value only. You can adjust the value using the Enforce Server administration console.
Testing and tuning VML profiles

machinelearning_training.log
Records the accuracy from training percentage rates for each fold of the evaluation process for each VML profile training run. Examines the quality of each training set at a granular, per-fold level.
Recommendations for accepting or rejecting a profile

machinelearning_native_filereader.log
Records the "distance," which is expressed as a positive or negative number, and the "confidence," which is a similarity percentage, for each message evaluated by a VML policy. Examines all messages or documents evaluated by VML policies, including positive matches with similarity percentages beneath the Similarity Threshold, or messages the system has categorized as negative (expressed as a negative "distance" number).
Testing and tuning VML profiles

machinelearning_training_native_manager.log
Records the total number of features modeled and the number of features kept to generate the profile for each training run. The total number of features modeled versus the number of features kept for the profile depends on the memory allocation setting:
• If "high" the system keeps 80% of the features.
• If "medium" the system keeps 50% of the features.
• If "low" the system keeps 30% of the features.
Guidelines for profile sizing
Table 535: Summary of VML best practices

Recommended uses for VML
Use VML to protect unstructured, text-based content. Do not use VML to protect graphics, binary data, or personally identifiable information (PII).
When to use VML

Category of content
Define the VML profile based on a single category of content that you want to protect. The category of content should be derived from a specific business use case. Narrowly defined categories are better than broadly defined ones.
Recommendations for training set definition

Positive training set
Archive and upload the recommended (250) number of example documents for the positive training set, or at least the minimum (50).
Guidelines for training set sizing

Negative training set
Archive and upload the example documents for the negative training set. Ideally the negative training set contains a similar number of well-categorized documents as the positive training set. In addition, add some documents containing generic or neutral content to your negative training set.
Guidelines for training set sizing

Profile sizing
Consider adjusting the memory allocation to low. Internal testing has shown that setting the memory allocation to low may improve accuracy in certain cases.
Guidelines for profile sizing

Training set quality
Reject the training result and adjust the example documents if either of the base accuracy rates from training is more than 5%.
Recommendations for accepting or rejecting a profile

Profile tuning
Perform negative testing to tune the VML profile by using a corpus of testable data.
Testing and tuning VML profiles

Profile deployment
Remove accepted profiles not in use by policies to reduce detection server load. Tune the Similarity Threshold before deploying a profile into production across all endpoints to avoid network overhead.
Recommendations for deploying profiles
Use VML when:

It is not possible or practical to fingerprint all the data you want to protect.
Often collecting all of the content you want to protect for fingerprinting is an impossible task. This situation arises for many forms of unstructured data: marketing materials, financial documents, patient records, product formulas, source code, and so forth.
VML works well for this situation because you do not have to collect all of the content you want to protect. You collect a smaller set of example documents.

You cannot adequately describe the data you want to protect.
Often describing the data you want to protect is difficult without sacrificing some accuracy. This situation may arise when you have long keyword lists that are hard to generate, tune, and maintain.
VML works well in these situations because it automatically models the features (keywords) you want to protect. It enables you to easily manage and update the source content.

A policy reports frequent false positives.
Sometimes a certain category of information is a constant source of false positives. For example, a weekly sales report may consistently produce false positives for a Data Identifier policy looking for social security numbers.
VML may work well here because you can train against the content that causes the false positives and create a policy exception to ignore those features.
Note: The false positive contents must belong to a well-defined category for VML to be an effective solution for this use case.
Recommendations for training set definition

Protect personally identifiable information (PII).
Exact Data Matching (EDM) and Data Identifiers are the best option for protecting the common types of PII.

Protect binary files and images.
Indexed Document Matching (IDM) is the best option to protect the content that is largely binary, such as image files or CAD files.
Category | Positive training set | Negative training set
Product source code | Proprietary product source code | Source code from open source projects
Product formulas | Proprietary product formulas | Non-proprietary product information
Quarterly earnings | Pre-release earnings; sales estimates; accounting documents | Details of published annual accounts
Marketing plans | Marketing plans | Published marketing collateral and advertising copy
Medical records | Patient medical records | Healthcare documents
Customer sales | Customer purchasing patterns | Publicly available consumer data
Mergers and acquisitions | Confidential legal documents; M&A documents | Publicly available materials; press releases
Manufacturing methods | Proprietary manufacturing methods and research | Industry standards
Recommendations for uploading documents for training
While you can upload individual documents to the Enforce Server for training, it is recommended that you upload a
document archive (ZIP, RAR, TAR) that contains the example documents for each training set. The maximum upload size
is 30 MB. There is no training set size limit.
To gather the documents for training, it is recommended that you create a staging area. For example, consider a category
called "Sales Reports." In this case you would create a folder called \VML\training_stage\sales_reports that
represents the category. Within this folder you would create two subfolders, one for the positive training set and the other
for the negative training set (for example: \VML\training_stage\sales_reports\positive). When you are ready
to train the profile, you compress the positive subfolder and the negative subfolder into separate document archives.
You can partition the training set across archives if you have more than 30 MB of data to upload for a training set. Do not
embed an archive within an archive.
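The staging workflow above, scripted as an added example (not Symantec's code or tooling): it walks a category folder laid out with positive and negative subfolders, refuses any archive nested inside a training set, and writes one or more ZIP parts per training set, each kept within the 30 MB upload limit. The "sales_reports" staging tree, its file names and the 20 KB limit used to force a split are constructed assumptions for the demonstration; the nested-archive suffix list is also an assumption.

```python
"""Added example (not Symantec's code): turn a staging area laid out as
recommended above into upload-ready VML training archives.

Assumed layout (forward slashes; the page shows a Windows path):
    <stage>/sales_reports/positive/...   <stage>/sales_reports/negative/...
Rules applied: one ZIP per training set, each part kept within the 30 MB
upload limit, and no archive nested inside an archive.
"""
import tempfile
import zipfile
from pathlib import Path

MAX_UPLOAD_BYTES = 30 * 1024 * 1024                                 # 30 MB per upload
NESTED_ARCHIVE_SUFFIXES = {".zip", ".rar", ".tar", ".gz", ".7z"}    # assumption
TRAINING_SETS = ("positive", "negative")


def collect_documents(set_dir):
    """(path, size) for every file under a training-set folder. Nested archives
    are refused: an archive inside an archive is not accepted for training."""
    docs = []
    for path in Path(set_dir).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in NESTED_ARCHIVE_SUFFIXES:
            raise ValueError(f"nested archive not allowed in a training set: {path}")
        docs.append((path, path.stat().st_size))
    return docs


def plan_parts(files, limit=MAX_UPLOAD_BYTES):
    """Group (path, size) pairs into parts whose uncompressed total stays within
    limit. Compression only shrinks a part, so this is a safe upper bound. One
    document larger than the limit can never be uploaded, so that is an error."""
    parts, current, used = [], [], 0
    for path, size in sorted(files, key=lambda f: str(f[0])):
        if size > limit:
            raise ValueError(f"{path} exceeds the upload limit on its own")
        if current and used + size > limit:
            parts.append(current)
            current, used = [], 0
        current.append(path)
        used += size
    if current:
        parts.append(current)
    return parts


def build_training_archives(category_dir, out_dir, limit=MAX_UPLOAD_BYTES):
    """Write <category>_<set>_partN.zip files; returns {set: [archive paths]}."""
    category_dir, out_dir = Path(category_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    result = {}
    for training_set in TRAINING_SETS:
        set_dir = category_dir / training_set
        if not set_dir.is_dir():
            raise FileNotFoundError(f"missing {training_set} folder under {category_dir}")
        archives = []
        for n, files in enumerate(plan_parts(collect_documents(set_dir), limit), 1):
            archive = out_dir / f"{category_dir.name}_{training_set}_part{n}.zip"
            with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
                for path in files:
                    # Store paths relative to the set folder so the archive holds
                    # plain documents rather than the staging hierarchy.
                    zf.write(path, arcname=str(path.relative_to(set_dir)))
            archives.append(archive)
        result[training_set] = archives
    return result


def make_demo_staging_area(root, docs_per_set=60):
    """Constructed sample: a 'sales_reports' category with 60 positive (sales
    report) and 60 negative (neutral memo) text files of roughly 1 KB each."""
    category = Path(root) / "VML" / "training_stage" / "sales_reports"
    for training_set, prefix in (("positive", "sales_report"), ("negative", "neutral_memo")):
        folder = category / training_set
        folder.mkdir(parents=True, exist_ok=True)
        for i in range(docs_per_set):
            (folder / f"{prefix}_{i:03d}.txt").write_bytes(f"{prefix} {i}\n".encode() * 64)
    return category


def demo(limit=MAX_UPLOAD_BYTES):
    """Stage the sample, archive it, and return {set: number of archive parts}."""
    with tempfile.TemporaryDirectory() as tmp:
        category = make_demo_staging_area(tmp)
        archives = build_training_archives(category, Path(tmp) / "upload", limit)
        return {s: len(paths) for s, paths in archives.items()}


if __name__ == "__main__":
    print(demo())                    # one part per set: {'positive': 1, 'negative': 1}
    print(demo(limit=20 * 1024))     # a 20 KB limit forces three parts per set
```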
NOTE
You can use the log file machinelearning_training.log to evaluate per-fold training accuracy rates.
Log files for troubleshooting VML training and policy detection
Fold evaluation Per fold category accuracy rates and cross-fold averages
Recommendations for deploying profiles
Accepted VML profiles are transferred to every detection server and Symantec DLP Agent even if those profiles are not
required by the active policies on that server or endpoint. Detection servers load all VML profiles into memory regardless
of whether or not any associated VML policies are deployed to those servers. DLP Agents only load the VML profiles that
are required by an active policy. To optimize server performance, it is recommended not to deploy (accept) unnecessary
VML profiles and remove any accepted (deployed) VML profiles that are not required by active policies.
In addition, when you change the Similarity Threshold, the system re-syncs the entire profile with the detection servers
and DLP Agents. If you have a large VML profile and possible bandwidth limitations (for example, deployment to many
endpoints), this may cause network congestion. In this case you should test and tune the profile at a select few endpoints
before deploying the profile into production at every endpoint on your network.
Configuring Form Recognition detection
To configure Form Recognition, you collect a blank set of forms that you want to protect and add them to a ZIP archive
of single-page PDF files. This ZIP archive is called a Gallery Archive. You then upload your gallery archive to a Form
Recognition profile on the Enforce Server for indexing. The Enforce Server indexes your forms and pushes the index out
to your detection servers. You also specify the fill threshold for the profile: the fill threshold specifies how much of the form
must be filled to trigger an incident.
Form Recognition workflow provides a high-level workflow for configuring Form Recognition detection:
1. Collect and prepare blank copies of the forms you want to protect.
Preparing a Form Recognition Gallery Archive
2. Configure a Form Recognition profile. Specify the Gallery Archive with the forms you want to detect and a Fill Threshold for creating incidents.
Configuring a Form Recognition profile
3. Configure a policy with a Form Recognition detection or exception rule using your Form Recognition profile.
Configuring the Form Recognition detection rule
Configuring the Form Recognition exception rule
For example, if your form is a single three-page Microsoft Word file titled YourForm.docx, separate the file into
three separate single-page files, then convert them to PDF:
– YourForm_1of3.PDF
– YourForm_2of3.PDF
– YourForm_3of3.PDF
• If your form contains electronically fillable fields, use a PDF editing tool for the conversion process that retains
AcroForms formatting, for example Adobe Acrobat.
• If your form includes several pages of un-fillable boilerplate, only add the fillable pages to your gallery archive.
3. Add all single-page PDF files to a ZIP archive.
2. Click Add Rule on the Detection tab to display the Configure Policy - Add Rule.
3. Select Detect using Form Recognition Profile in the Form Recognition section. Then select the Form Recognition
profile that contains the forms you want to protect.
4. Click Next to display the Configure Policy - Edit Rule page.
5. Enter a name for the rule in the Rule Name field.
6. Choose the rule severity.
Policy severity
7. Select the conditions for the Form Recognition detection rule.
You can use the Also Match field to configure compound match rules. Compound rules
8. Click OK to add the detection rule.
9. Click Save to apply the detection rule to the policy.
The new policy displays in the Policy List.
Table 543: Form Recognition Profiles details

Add Profile
Click Add Profile to configure a new Form Recognition profile.
Configuring a Form Recognition profile

Show Entries
Select a value from Show Entries to specify the number of profiles you can view on this page.

Page navigation
Use the following buttons to change the view of profiles:
• Click Last to view profiles with the most recent dates in ascending order.
• Click a number to navigate to that specific page number.
• Click Next to view the next page.
• Click Previous to view the previous page.

Profile Name
Click the Profile Name to view or edit the profile.
Note: Sort column data in ascending order (A-Z/1-3) by clicking the up arrow or descending order (Z-A/3-1) by clicking the down arrow.

Description
The profile description. Edit the description by clicking the profile name or the pencil icon in the Actions column.

State
Each profile displays one of the following states:
• Gallery missing or invalid displays when indexing for the profile has failed. The gallery did not upload because the ZIP archive is invalid.
• Indexing not started displays when indexing for the profile did not start. The uploaded gallery did not process.
• Indexing in progress displays when the uploaded gallery is indexing.
• Profile indexed displays when indexing for this profile is complete and the index was successfully created.
• Invalid gallery displays when indexing for the profile failed. The uploaded gallery did not start indexing because it is invalid.
• Index contains no images displays when indexing for the profile failed. The uploaded gallery did not index because it contains no compatible files.
• Indexing failed displays when indexing for this profile failed. The uploaded gallery was not indexed.
• Indexing found some unusable files displays when indexing for the profile completes with errors. Some of the files in the uploaded gallery cannot be indexed.

Gallery
The gallery archive name. You cannot edit the gallery name. You can upload a new gallery or an existing gallery that has been renamed by clicking the profile name or the pencil icon in the Actions column.

Usable Forms Count
The total number of form images in the gallery that have been indexed without errors and can be used in a policy.

Date Indexed
The date when the profile was last indexed.

Index Version
The version number of the index.

Fill Threshold
The fill threshold value that you provided when you configured the Form Recognition profile. You can edit this value by clicking the profile name or the pencil icon in the Actions column.

Actions
Click the Pencil to edit profile details.
Click the red X to delete a profile. If you delete a profile, the system removes the profile metadata and gallery from the Enforce Server.
Advanced server settings for Form Recognition
Some of the default Form Recognition server settings might require testing and fine-tuning to determine what works
best for your needs. You can modify these settings on the System > Servers and Detectors > Overview > Server/
Detector Detail - Advanced Settings page. Symantec recommends that you contact Symantec Technical Support before
modifying any advanced server settings.
There are nine advanced settings related to Form Recognition:
• ContentExtraction.ImageExtractorEnabled
• ContentExtraction.MaxNumImagesToExtract
• FormRecognition.ALIGNMENT_COEFFICIENT
• FormRecognition.CANONICAL_FORM_WIDTH
• FormRecognition.MAXIMUM_FORM_WIDTH
• FormRecognition.MINIMUM_FORM_ASPECT_RATIO
• FormRecognition.MINIMUM_FORM_WIDTH
• FormRecognition.OPENCV_THREADPOOL_SIZE
• FormRecognition.PRECLASSIFIER_ACTION
For languages that use the Latin character set, a minimum character height of 18 pixels for capital letters is required. A
minimum character size of 30 pixels by 30 pixels is required. A character size of 48 pixels by 48 pixels is recommended
for languages that do not use the Latin character set.
Image Quality and Resolution and Western Language (Latin Character Set) Resolution Guidance
There should be a minimum of 18 pixels vertical for any upper case Latin character. There should be up to a maximum
of 8400 pixels for the entire page. The best resolution for black and white images is 300 dpi or 400 dpi. For grayscale or
color images, the optimal recognition resolution is from 150 dpi to 300 dpi.
CJK Language Resolution Guidance
For reliable CJK text detection in an image, the language body text should be 12 points ("small four" in a Chinese size
name). The text should be scanned at 300 dpi, resulting in characters with around 48 x 48 pixels. The minimum pixel
count is about 30 x 30; that is 7.5 points at 300 dpi.
OCR Image Resolution Guidance
For all OCR languages: any image smaller than 16 x 16 pixels or larger than 8400 x 8400 is not detected.
Image Orientation, Scripts, and Typefaces
Image orientation is known to work in most situations. We are unable to provide an exact number since there are many
factors that influence OCR. These factors include resolution, sharpness, and noise in the image. Text extraction can work
with most scripts and typefaces, as long as there is no overlap and characters can be individually distinguished.
Number of Languages Per image
OCR works on determining the dominant language in the image and does the text extraction for that language. The
selection of dominant language is based on many factors such as resolution, font size, sharpness, and noise.
Image Transformations
Text is extracted in the dominant language, as long as the image is sharp and has an acceptable quality and resolution.
See About content detection with OCR in the Cloud to learn more about deploying OCR in the cloud.
You can also install the OCR Server on VMs with dedicated resources. Dedicated resources are necessary because of its
high processing requirements.
Configuration information is included with the request. OCR Servers can service requests from different detection servers
that are configured differently.
For example, you can configure one detection server to detect English with the highest possible OCR accuracy. Then, you
can configure another detection server to detect Japanese, with the highest possible speed. In this case, the same OCR
Server is able to handle both types of requests.
Upgrading to DLP 16.0.1
DLP 16.0.1 detection servers are compatible with 16.0.1 OCR Servers and are backward compatible with 16.0 OCR
Servers.
The OCR Server is an independent server, separate from any Data Loss Prevention detection server. You can configure
the detection server to talk to a single OCR address (IP address or host name). That address can either be a single
OCR Server, or a single load balancer in front of several OCR Servers. You can use an external load balancer or another
technology, such as Windows Network Load Balancing. You can configure a detection server with only a single OCR
Server address.
NOTE
Only load balancers without persistence enabled are supported.
You install an OCR Server using the Symantec DLP OCR Server Installer setup wizard.
1. Export and save the private keys, certificates, and trusted certificates from the 16.0 OCR server.
This step is optional. Use this step if the same TLS certificates and keys are to be used by the new OCR server. A
certificate is required for communication between the OCR client on the Enforce Server and the OCR Server. See
Exporting Private Keys, Certificates, and Trusted Certificates from a 15.x OCR Server.
2. Click OCRServer.msi.
3. Click Next.
4. Accept the agreement and click Next.
5. Select the desired Destination directory.
6. Click Next.
7. Select the desired Default data directory.
8. Click Next.
9. Click Install. The installer runs.
10. Click Finish when the installation is complete.
Now the OCR service is running and is ready to receive OCR requests.
NOTE
If you want to run the installer from the command line, it must be called with these arguments:
msiexec /i OCRServer.msi /qn /norestart /L*v log.txt INSTALLATION_DIRECTORY="C:\installdir"
In general, Installing a detection server on Windows applies to the OCR Server. The one exception is that the only installation parameter for the OCR Server is INSTALLATION_DIRECTORY.
Creating an OCR configuration
Exporting Private Keys, Certificates, and Trusted Certificates from a
15.x OCR Server
Export private keys, certificates, and trusted certificates from 15.x OCR Servers and save them to your 16.0 OCR Servers.
Ensure that the private key is encrypted using strong PBES2 (Password-Based Encryption, PKCS#5 v2.0).
From the OCR server side, you should now have an OCR server certificate, an encrypted private key, and a trusted OCR client certificate. The certificate file should contain one or more -----BEGIN CERTIFICATE----- statements. The encrypted key should contain -----BEGIN ENCRYPTED PRIVATE KEY-----.
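An offline check for the two exported files, added here as an example (not Symantec's tooling): it counts the CERTIFICATE blocks in the certificate file and decodes the outer PKCS#8 EncryptedPrivateKeyInfo of the key file to confirm that the encryption scheme is PBES2 (OID 1.2.840.113549.1.5.13). The sample PEM blobs are constructed with filler contents purely to exercise the parser; a PBES1 (pbeWithMD5AndDES-CBC) sample is included to show a legacy scheme being reported.

```python
"""Added example (not Symantec's code): verify exported OCR Server TLS material
before copying it to the new server.

Checks performed offline:
  * the certificate file holds at least one -----BEGIN CERTIFICATE----- block;
  * the key file is a PKCS#8 -----BEGIN ENCRYPTED PRIVATE KEY----- block whose
    encryption scheme is PBES2 (OID 1.2.840.113549.1.5.13, PKCS#5 v2.0).
The DER reader only walks the outer EncryptedPrivateKeyInfo structure.
"""
import base64
import re

CERT_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
ENC_KEY_PEM = re.compile(
    r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.+?)-----END ENCRYPTED PRIVATE KEY-----", re.S)
PBES2_OID = "1.2.840.113549.1.5.13"
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04


def _read_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Render a DER OBJECT IDENTIFIER value as dotted text."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def certificate_count(pem_text):
    """Number of CERTIFICATE blocks in the exported certificate file."""
    return len(CERT_PEM.findall(pem_text))


def encrypted_key_algorithm(pem_text):
    """OID of the scheme protecting a PKCS#8 encrypted key, or None when the
    file is not an ENCRYPTED PRIVATE KEY block (for example a plaintext key)."""
    m = ENC_KEY_PEM.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }
    tag, body, _ = _read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters }
    tag, alg, _ = _read_tlv(body)
    if tag != TAG_SEQUENCE:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def export_problems(cert_text, key_text):
    """Reasons the exported pair should not be moved to the new OCR Server."""
    problems = []
    if certificate_count(cert_text) == 0:
        problems.append("certificate file contains no CERTIFICATE block")
    alg = encrypted_key_algorithm(key_text)
    if alg is None:
        problems.append("key file is not a PKCS#8 ENCRYPTED PRIVATE KEY block")
    elif alg != PBES2_OID:
        problems.append(f"key is encrypted with {alg}, not PBES2 ({PBES2_OID})")
    return problems


# --- constructed samples: valid structure, filler contents, not real keys ---
def _der(tag, payload):
    """Minimal DER encoder (short-form lengths suffice for the samples)."""
    return bytes([tag, len(payload)]) + payload


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _sample_encrypted_key(oid_der):
    alg_id = _der(TAG_SEQUENCE, _der(TAG_OID, oid_der) + _der(TAG_SEQUENCE, b""))
    return _pem("ENCRYPTED PRIVATE KEY",
                _der(TAG_SEQUENCE, alg_id + _der(TAG_OCTET_STRING, bytes(range(48)))))


SAMPLE_PBES2_KEY = _sample_encrypted_key(bytes.fromhex("2a864886f70d01050d"))  # 1.2.840.113549.1.5.13
SAMPLE_PBES1_KEY = _sample_encrypted_key(bytes.fromhex("2a864886f70d010503"))  # 1.2.840.113549.1.5.3
SAMPLE_CERT_FILE = _pem("CERTIFICATE", _der(TAG_SEQUENCE, bytes(16))) * 2       # two filler blocks
```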
See Setting Up TLS Trust.
After you run the OCR diagnostics, disable OCR.RECORD_REQUEST_STATISTICS to disable logging to the
OcrRequestRecord0.log file.
Use the following steps to run diagnostics for OCR sizing for the Network Prevent for Email, Network Prevent for
Web, and Network Monitor data-in-motion channels:
1. Go to System > Servers and Detectors > Overview and select a detection server.
2. Click Server Settings.
3. Set OCR.RECORD_REQUEST_STATISTICS to true.
4. Click Save.
5. Restart the detection server.
6. Let the detection server run for a week and collect metrics. This process works best for the data in motion channels,
such as Network Prevent for Email, Network Prevent for Web, and Network Monitor.
7. Consult the OcrRequestsRecord0.log to get the values to enter in the OCR Server Sizing Estimator spreadsheet.
8. See Using the OCR Server Sizing Estimator for instructions and a link to the sheet.
9. Enter data in the green cells from the log for the following values:
• Percentage of messages containing images requiring OCR (OCR messages)
• Estimated average number of images per OCR message
10. The spreadsheet calculates the number of OCR Servers that you must deploy for the image traffic of each detection
server in your Symantec Data Loss Prevention deployment.
11. Set OCR.RECORD_REQUEST_STATISTICS to false to disable logging.
You use a different technique for estimating OCR Server sizing requirements for Network Discover.
Creating a null policy to assist in OCR diagnostics for Discover Servers
NOTE
An OCR Server, whether it is a virtual or physical server, should not run other applications. The OCR
Server should be dedicated to OCR.
Hardware requirements
• Processor: 3.0 GHz or more
• Minimum: 4 logical cores per host
• Recommended: 8 logical cores per host
NOTE
In a hyperthreaded environment, the number of logical cores is twice the number of physical cores. In a
virtualized environment, the number of logical cores is the same as the number of vCPUs assigned to the VM
that runs OCR Server.
Physical Memory
Total required memory is a function of the number of hardware threads (logical cores), and therefore of the number of
concurrent threads that are configured to run on that host.
• Baseline memory required: 250 MB
• Memory that is required per hardware thread or logical core: 300 MB
For a VM running with 8 logical cores or vCPUs, the total memory that is required is 250 MB + 8 x 300 MB = 2.7 GB.
Disk Space
32 GB
Operating system requirements
The Symantec Data Loss Prevention OCR Server can be installed on the following versions of the Windows Server:
• Windows Server 2012 R2
• Windows Server 2016
OCR Server settings
Two OCR Server settings must be configured in the OCR.properties file at <install_dir>/Protect/config/:
• Set the value of setting num.ocr.workers to equal the number of logical cores.
• Set the value of server.tomcat.max-threads to equal the value of setting num.ocr.workers + 1.
Assumptions for using the OCR Server Sizing Estimator Spreadsheet
The OCR Server Sizing Estimator spreadsheet can help you to estimate the number of OCR Servers that you need in
your Data Loss Prevention deployment. The spreadsheet makes the following assumptions:
• Each OCR Server is deployed on a 4-physical core or 8-logical core server.
• Hyperthreading is enabled on all servers and hypervisors.
The ratio of OCR Servers to detection servers depends on the following factors:
• Percentage of messages that contain images that can be processed by one OCR Server. Not all images that are
encountered by Data Loss Prevention are sent to OCR. Small images, photos that do not contain extractable text,
and images in unsupported file formats are not sent to OCR. By default, the detection servers only extract the first 10
images (pages) from scanned multipage PDF or TIFF documents. You must estimate the percentage of images that
you expect to send to OCR for processing.
• Your acceptable rate of OCR Server timeouts.
• Estimated average number of images per message.
Factors affecting performance
A wide range of factors can greatly affect recognition, accuracy, and performance, including:
• image quality
• image resolution
• image orientation
• scripts
• typefaces
• number of languages per image
• image transformations
OCR performance and accuracy are best when processing high contrast, high DPI images that contain typewritten text.
Performance is also best when the text is written in a single language and the image is free of artifacts, rotations,
and other types of transformations.
Table 544: Definitions of spreadsheet values
Busy hour rate per detection server
    The number of messages per second that are processed when the system is at its busiest. You can get this
    information from the logs.
Percentage of messages containing images requiring OCR (OCR messages)
    The value in cell B:10 is the percentage of message traffic that contains images that are sent to OCR. For a
    Discover scan on a repository containing only scanned images, the percentage of message traffic that contains
    images that are sent to OCR is 100%. If about one email message in every 20 contains an image file that is
    submitted to OCR, the percentage of message traffic that contains images sent to OCR is 5%.
    This value does not count the number of images within the message. For example, if one out of every 10
    messages contains a scanned document with 10 pages, insert 10% in this field. The focus is on the percentage
    of messages and not the number of images.
Estimated average number of images per OCR message
    Determine this estimate based on the types of images that are processed in your deployment. For example, a
    10-page scanned PDF file contains 10 images. A single screenshot that is saved in a JPG file contains only a
    single image.
Average OCR time (seconds)
    The average time that it takes to process an OCR image. While the default in the spreadsheet is 1.0 seconds,
    the average time is usually 1.5 seconds.
Number of OCR Workers
    Ideally there is 1 worker per processing or physical core. Generally, there are 8 or 16 workers to a server.
System utilization rate
    This value should not be 100% because a buffer is necessary.
Number of OCR servers per detection server
    Given the configured values, the number of OCR Servers that are required to handle each detection server.
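The memory rule (250 MB plus 300 MB per logical core) and the two OCR.properties values derived from the core count are stated on this page; the spreadsheet's own formula for the number of OCR Servers is not. The following is an added example written for this page, not the Symantec spreadsheet: it carries the page's memory arithmetic through in code and adds an assumed sizing formula, in which the busy-hour rate, the OCR-message percentage and the images per OCR message give an image arrival rate that is compared with the worker capacity of one server at the chosen utilization. Treat the server-count function as an illustration of how the table's inputs interact, not as the spreadsheet's result.

```python
"""Added example: OCR Server sizing arithmetic.

Illustrative code for this page, not the Symantec OCR Server Sizing Estimator. The memory
formula and the OCR.properties settings are as stated on the page; the server-count formula
is an assumption about how the spreadsheet's inputs combine.
"""
import math

BASELINE_MEMORY_MB = 250
MEMORY_PER_LOGICAL_CORE_MB = 300


def required_memory_mb(logical_cores):
    """Memory for one OCR Server host: 250 MB baseline + 300 MB per logical core (from the page)."""
    return BASELINE_MEMORY_MB + logical_cores * MEMORY_PER_LOGICAL_CORE_MB


def ocr_properties(logical_cores):
    """The two OCR.properties values the page derives from the core count."""
    workers = logical_cores
    return {"num.ocr.workers": workers, "server.tomcat.max-threads": workers + 1}


def ocr_images_per_second(busy_hour_rate, ocr_message_pct, images_per_ocr_message):
    """Assumed: image arrival rate at the OCR Server from one detection server."""
    return busy_hour_rate * (ocr_message_pct / 100.0) * images_per_ocr_message


def server_capacity_images_per_second(workers, avg_ocr_seconds, utilization_pct):
    """Assumed: images per second one OCR Server absorbs at the target utilization."""
    return workers / avg_ocr_seconds * (utilization_pct / 100.0)


def ocr_servers_needed(busy_hour_rate, ocr_message_pct, images_per_ocr_message,
                       workers=8, avg_ocr_seconds=1.5, utilization_pct=80):
    """Whole number of OCR Servers per detection server under the assumed formula.

    Defaults follow the table: 8 workers per server, 1.5 s average OCR time, and a
    utilization below 100% so that a buffer remains.
    """
    if not 0 < utilization_pct < 100:
        raise ValueError("utilization must be above 0% and strictly below 100% to leave a buffer")
    demand = ocr_images_per_second(busy_hour_rate, ocr_message_pct, images_per_ocr_message)
    capacity = server_capacity_images_per_second(workers, avg_ocr_seconds, utilization_pct)
    return max(1, math.ceil(demand / capacity))


if __name__ == "__main__":
    print(required_memory_mb(8))      # 2650 MB, which the page rounds to 2.7 GB
    print(ocr_properties(8))
    # Constructed inputs: 20 messages/s at the busy hour, 5% carry OCR images, 10 images per OCR message
    print(ocr_servers_needed(20, 5, 10))
```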
• Network Monitor
• Network Prevent for Email
• Network Prevent for Web
• Network Discover
• DLP Cloud
8. Enter the OCR request wait timeout (seconds) value. This setting defines the amount of time a request can sit in the
queue at the OCR Server before it is rejected because of lack of worker threads. The default time-out is 5 seconds.
9. Enter a value for Accuracy vs speed. By default, the OCR Server sets the value dynamically for each document. The
Sensitive Image Recognition preclassifier on the detection server inspects each image and determines if it is suitable
for OCR content extraction (and form recognition). The preclassifier then determines which preset is most appropriate.
If you uncheck this box, you can select a preset to use for all images. You can choose from Accurate, Balanced, or
Fast. This strategy can be appropriate for Discover scans, where accuracy is prioritized over time.
10. In the Supported Languages section, select the candidate languages for OCR.
You can select one or more languages, and the OCR Server selects a language from that pool to use for the
image. Symantec assumes that documents are primarily one language (for example, all French, or all English,
as opposed to mixed English and French). The number of languages should be as small as possible. The more
languages that you select, the slower the processing speed.
Even if a Latin language is not selected, you may still get an accurate text recognition result from that language. For
example, you can select English and German and then you can submit a mixed English-French image to the OCR
Server. The OCR Server may choose English and still return some French text. The language selection affects which
Latin spell-check dictionary to use. If a character in the image is unclear, the language selection also affects the pool of
characters to choose from.
Mixed language images containing one or more non-Latin languages are not supported. You must select a non-Latin
language as the primary language for any character detection for that language. All other non-Latin and non-English
characters are discarded, regardless of the other languages selected.
When an image is detected as containing primarily a non-Latin language, English may also be returned, but at
a reduced accuracy. English is not returned for Arabic images. While this also might be true for Hebrew and Thai,
Symantec does not officially support Hebrew and Thai.
11. In the Languages and Dictionaries Specialized Dictionaries section, you can enable supplemental spell checking for
different businesses (legal, financial, medical) across different languages.
12. In the Languages and Dictionaries Custom Dictionary section, specify the name of your custom dictionary file to
aid recognition accuracy. For example, if certain proper nouns give the OCR Server difficulty, you can place them in
this custom dictionary.
Using Dictionaries and spell checking improves recognition results for low-quality scans and images (such as faxes). If
the characters are crisp and clean, they are easier for the engine to read, and the Dictionaries are less useful.
13. The custom dictionary is a text file, with one entry per line. This text file must be placed in the dictionary directory of
each server at C:\Program Files\Symantec\DataLossPrevention\OCRServer\16.0.1000\Protect\bin.
After you create a configuration, use the following steps to assign a profile to a detection server.
Assign a profile to a Detection Server
14. Go to System > Servers and Detectors > Overview.
15. Select a monitor.
16. On the Server/Detector Detail page, click Configure.
17. On the Configure Server page, click OCR Engine. In OCR Engine Configuration select the configuration that you
want to use for the server.
18. Click Save.
Viewing OCR Incidents in Reports
OCR incidents for both on-premises and Cloud OCR are flagged, and detected text is highlighted in yellow in incident
reports. Thumbnails of the page are included in the incident. Click the thumbnail to view a larger version of the image.
This image contains the extracted text that violates the Symantec Data Loss Prevention policy.
The encrypted key password must be supplied to the OCR server in the Protect/config/OCR.properties file.
5. A Detection Server Truststore (.jks file) is required. Verify the OCR server certificate to identify the certificate to
trust. Then, import the certificate with the following command:
keytool -importcert -storetype JKS -keystore output.jks -storepass [PASSWORD] -alias ocrserver -file [SERVER CERTIFICATE FILEPATH]
The preceding command creates a file named output.jks. If that file already exists, the certificate is added to the
existing .jks instead.
Load the Credentials
1. On the OCR server, place the certificate file and matching private key file in Protect/keystore. Modify the
following settings in Protect/config/OCR.properties:
– CertificateFilePath: Set the relative filepath to the certificate file.
– PrivateKeyFilePath: Set the relative filepath to the private key file.
– PrivateKeyPassword: Set the password for the encrypted private key.
2. On the detection server, place the truststore .jks file in DetectionServer/<version>/Protect/keystore.
Modify the following settings in DetectionServer/<version>/Protect/config/OCRDetection.properties:
– .grpc.truststore.location: Set the relative filepath to the truststore .jks file.
– .grpc.truststore.password: Set the password for the truststore .jks file.
– grpc.server.san: Set a hostname that matches what is specified in the Subject Alternative Name extension
of the OCR Server certificate. During TLS negotiation, this value is matched against the SAN of the
server certificate.
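A mismatch between grpc.server.san and the certificate's Subject Alternative Name, or a missing truststore property, only shows up when the detection server's gRPC TLS handshake fails. The following is an added example written for this page, not Symantec code, that reads the two properties files and checks them before a restart: the property names are the ones listed in the steps above, the sample files and the certificate's SAN list are constructed with placeholder values, and the hostname rule applied (exact match, or a single left-most wildcard label) is the usual TLS convention rather than a statement about how the detection server implements the comparison.

```python
"""Added example: sanity-check the OCR TLS trust settings before restarting the services.

Illustrative code for this page, not part of Symantec Data Loss Prevention. Property names
come from the page; paths, passwords and SAN names below are constructed placeholders.
"""

REQUIRED_OCR_SERVER_KEYS = ("CertificateFilePath", "PrivateKeyFilePath", "PrivateKeyPassword")
REQUIRED_DETECTION_KEYS = (".grpc.truststore.location", ".grpc.truststore.password", "grpc.server.san")


def parse_properties(text):
    """Parse the plain key=value (or key:value) subset of the Java properties format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def san_matches(configured_host, san_dns_names):
    """True if configured_host is covered by one of the certificate's dNSName entries.

    Assumed rule: case-insensitive exact match, or a wildcard that covers exactly one label
    ("*.example.com" matches "a.example.com" but neither "example.com" nor "x.a.example.com").
    """
    host = configured_host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == name[2:]:
                return True
    return False


def missing_keys(props, required):
    """Keys that are absent or empty."""
    return [k for k in required if not props.get(k)]


def validate_trust_config(ocr_props_text, detection_props_text, cert_san_dns_names):
    """Return a list of problems; an empty list means the settings are consistent with each other."""
    ocr = parse_properties(ocr_props_text)
    det = parse_properties(detection_props_text)
    problems = [f"OCR.properties missing {k}" for k in missing_keys(ocr, REQUIRED_OCR_SERVER_KEYS)]
    problems += [f"OCRDetection.properties missing {k}" for k in missing_keys(det, REQUIRED_DETECTION_KEYS)]
    location = det.get(".grpc.truststore.location", "")
    if location and not location.lower().endswith(".jks"):
        problems.append(".grpc.truststore.location does not point at a .jks file")
    san = det.get("grpc.server.san")
    if san and not san_matches(san, cert_san_dns_names):
        problems.append(f"grpc.server.san {san!r} matches none of the certificate SANs {list(cert_san_dns_names)}")
    return problems


# Constructed sample configuration: placeholder paths, passwords and hostnames, not values from any deployment.
OCR_PROPERTIES = """
CertificateFilePath=keystore/ocrserver.crt
PrivateKeyFilePath=keystore/ocrserver.key
PrivateKeyPassword=[PLACEHOLDER]
"""
DETECTION_PROPERTIES = """
.grpc.truststore.location=keystore/output.jks
.grpc.truststore.password=[PLACEHOLDER]
grpc.server.san=ocr01.example.internal
"""
CERT_SAN_NAMES = ("ocr01.example.internal", "*.ocr.example.internal")   # constructed SAN list

if __name__ == "__main__":
    report = validate_trust_config(OCR_PROPERTIES, DETECTION_PROPERTIES, CERT_SAN_NAMES)
    for line in report or ["trust configuration looks consistent"]:
        print(line)
```

The SAN list would normally come from the server certificate itself (for example from `keytool -printcert -file <certificate>`, which lists the SubjectAlternativeName extension); the check above deliberately takes it as plain input so it runs without a certificate on hand.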
You can use Symantec Information Centric Analytics (ICA) with Symantec Data Loss Prevention to protect sensitive data
in your organization.
ICA allows you to configure user risk scoring settings to display risk vectors and indicate risk ratings. For more information
about configuring ICA, see the Symantec Information Centric Analytics documentation available at the Information
Security help center.
The following user risk based detection options are available:
• Create policy rules that protect sensitive data based on the user risk score.
• Apply user risk scores to the following supported detection channels:
• Network Monitor
• Network Prevent for Web
• Network Prevent for Email
• Endpoint Prevent
NOTE
This solution works with your existing Symantec Data Loss Prevention policies on DLP cloud detectors,
including DLP Cloud Service for Email, Symantec Web Security Service (WSS), and DLP Cloud Detection
Service with CASB.
• View the user risk score in incidents triggered by policies where no user risk condition is specified. DLP incident
moderators can use the risk score information to determine user risk.
• Respond to incidents based on the user risk score
On endpoints, user risk-based detection applies to any user logged on to the endpoint. The user risk information is saved
in the agent store on the endpoint. The Endpoint Server sends user risk data to the endpoint. User risk detection on the
endpoint supports the domain/user and hostname/user formats.
User risk-based detection supports the following sender formats:
Format    Example
SMTP      jane.doe@abc.com
NTLM      WinNT://abc/jane.doe
          Local://abc/jane.doe or abc/jane.doe
LDAP      LDAP://host.abc.com/CN=Jane Doe,CN=Users,DC=abc,DC=com
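When user risk scores are joined to incidents, the sender string arrives in whichever of these formats the channel produced, so a lookup normally has to recognise the format first. The following is an added example written for this page, not part of Symantec Information Centric Analytics or Data Loss Prevention: it classifies a sender string against the formats in the table and reduces it to a lowercase domain/user pair. The sample values are the table's; the "Local" label for the Local://abc/jane.doe and abc/jane.doe forms and the lowercase normalisation are assumptions about how one might key such a lookup.

```python
"""Added example: recognise the sender formats listed above and reduce each to (format, domain, user).

Illustrative code for this page, not Symantec code. The "Local" label and the lowercase
normalisation are assumptions; the formats and example values are the table's.
"""
import re

# Order matters: the WinNT:// and LDAP:// URL forms are tested before the bare domain/user form.
SENDER_FORMATS = (
    ("SMTP", re.compile(r"^(?P<user>[^@\s]+)@(?P<domain>[^@\s]+)$")),
    ("NTLM", re.compile(r"^WinNT://(?P<domain>[^/\s]+)/(?P<user>[^/\s]+)$", re.I)),
    ("LDAP", re.compile(r"^LDAP://(?P<host>[^/\s]+)/(?P<dn>.+)$", re.I)),
    ("Local", re.compile(r"^(?:Local://)?(?P<domain>[^/:@\s]+)/(?P<user>[^/\s]+)$", re.I)),
)


def _ldap_dn_parts(dn):
    """Return (first CN value, dotted domain built from the DC components) of a DN.

    Splits on commas only; escaped commas inside an RDN value are not handled here.
    """
    rdns = [part.strip() for part in dn.split(",")]
    cn = next((r[3:] for r in rdns if r.upper().startswith("CN=")), None)
    dcs = [r[3:] for r in rdns if r.upper().startswith("DC=")]
    return cn, ".".join(dcs)


def classify_sender(sender):
    """Return (format, domain, user) for a supported sender string, or None if no format matches."""
    value = sender.strip()
    for name, pattern in SENDER_FORMATS:
        m = pattern.match(value)
        if not m:
            continue
        if name == "LDAP":
            cn, domain = _ldap_dn_parts(m.group("dn"))
            if cn is None or not domain:
                return None
            return name, domain.lower(), cn
        return name, m.group("domain").lower(), m.group("user").lower()
    return None


if __name__ == "__main__":
    for s in ("jane.doe@abc.com", "WinNT://abc/jane.doe", "Local://abc/jane.doe",
              "abc/jane.doe", "LDAP://host.abc.com/CN=Jane Doe,CN=Users,DC=abc,DC=com"):
        print(s, "->", classify_sender(s))
```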
Data Identifiers
Symantec Data Loss Prevention provides data identifiers to detect specific instances of described content. Data identifiers
let you quickly implement precise, short-form data matching with minimal effort.
Data identifiers are algorithms that combine pattern matching with data validators to detect content. Patterns are similar
to regular expressions but are more efficient because they are tuned to match the data precisely. Validators are accuracy
checks that focus the scope of detection and ensure compliance.
For example, the Credit Card Number system data identifier detects numbers that match a specific pattern. The matched
pattern is validated by a Luhn check algorithm. In this example, the check digit computed from the first 15 digits of the
number must equal the 16th digit.
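The pattern-plus-validator split is what keeps a data identifier both fast and precise: the pattern does cheap candidate selection and the validator rejects candidates that merely look right. The following is an added example written for this page, not Symantec's implementation, that carries the Credit Card Number case through: a deliberately simplified 16-digit pattern (system patterns are tuned more tightly), followed by the Luhn check the page names, in which the check digit computed from the first 15 digits must equal the 16th. The sample text is constructed from well-known test numbers; they are not real card numbers.

```python
"""Added example: a pattern plus a Luhn validator, in the shape of the Credit Card Number data identifier.

Illustrative code for this page, not Symantec's detection engine. The pattern is simplified;
the sample text is constructed from standard test numbers.
"""
import re

# Simplified pattern: four groups of four digits, optionally separated by a space or hyphen,
# not embedded in a longer run of digits.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def luhn_check_digit(payload):
    """Check digit that makes payload + digit Luhn-valid (payload is the number without its last digit).

    Walking the payload right to left, the rightmost payload digit is the one doubled once the
    check digit is appended, so even offsets are doubled (with 10..18 reduced by 9).
    """
    total = 0
    for offset, ch in enumerate(reversed(payload)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """Validator: the 16th digit must equal the check digit of the first 15."""
    return len(number) == 16 and number.isdigit() and luhn_check_digit(number[:15]) == int(number[15])


def find_credit_cards(text):
    """Pattern match, strip separators, then keep only candidates that pass the validator."""
    results = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            results.append(digits)
    return results


# Constructed sample: two Luhn-valid test numbers and one 16-digit string that fails the check digit.
SAMPLE_TEXT = (
    "Order notes: card 4111 1111 1111 1111 on file, alternate 1234-5678-1234-5670; "
    "the reference 4111111111111112 is an order number, not a card."
)

if __name__ == "__main__":
    print(find_credit_cards(SAMPLE_TEXT))   # ['4111111111111111', '1234567812345670']
```

The third candidate matches the pattern but is dropped by the validator, which is the behaviour the page describes: the pattern alone would have produced a false positive.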
Symantec Data Loss Prevention provides pre-configured data identifiers that you can use to detect commonly used
sensitive data, such as credit card, social security, and driver license numbers. Most data identifiers come in three
breadths: wide, medium, and narrow. You can use the breadth of a data identifier to fine-tune your detection results. Data
identifiers offer broad support for detecting international content.
If a system-defined data identifier does not meet your needs, you can modify it. You can also define your own custom data
identifiers to detect any content that you can describe.
Selecting a data identifier breadth
Related Links
System-defined data identifiers on page 1035
Category    Description
Personal Identity
    Detect various types of identification numbers for the regions of Africa, Asia Pacific, Europe, North America,
    and South America.
    Personal identity data identifiers
Financial
    Detect financial identification numbers, such as credit card numbers and ABA routing numbers.
    Financial data identifiers
Healthcare
    Detect U.S. and international drug codes, and other healthcare-related pattern-based sensitive data.
    Healthcare data identifiers
Information Technology
    Detect IP addresses.
    Information technology data identifiers
International keywords
    International keywords for PII data identifiers.
    International keywords for PII data identifiers
Data identifier
Table 548: Asia Pacific personal identity lists system-defined data identifiers for the Asia Pacific region.
Data identifier
Table 549: European personal identity lists system-defined data identifiers for the European region.
Data identifier
North American personal identity lists system-defined data identifiers for the North American region.
Data identifier
South American personal identity lists system-defined data identifiers for the South American region.
Data identifier
Information technology data identifiers
Information technology lists system-defined data identifiers for detecting information technology related patterns, such as
IPv4 and IPv6 addresses, and mobile device identification numbers.
Data identifier
need to, you can extend a system-defined data identifier by modifying it, or you can implement one or more custom data
identifiers to detect unique data.
Data identifier configuration done at the policy instance-level is specific to that policy. Modifications you make to data
identifiers at the system-level apply to all data identifiers derived from the modified data identifier.
and lookbehind expressions, and many special characters (notably the dot "." character). In addition, the system only
allows the use of ASCII characters for data identifier patterns.
For more information, see Data identifier pattern language specification.
When you edit a system data identifier, the system exposes the pattern for viewing and editing. The system-defined data
identifier patterns have been tuned and optimized for precise content matching.
See Selecting a data identifier breadth.
In addition, you can create a custom data identifier in which case you are required to implement at least one pattern. The
best way to understand how to write patterns is to examine the system-defined data identifier patterns.
See Writing data identifier patterns to match data.
About unique match counting
Data identifiers, keywords, and regular expressions support unique match counting. This feature lets you count only those
pattern matches that are unique.
Unique match counting is useful when you are only concerned with detecting the presence of unique patterns and not with
detecting every matched pattern. For example, you could use unique match counting to trigger an incident if a document
contains 10 or more unique social security numbers. In this case, if a document contained 10 instances of the same social
security number, the policy would not trigger an incident.
Using unique match counting
Configuring unique match counting
• Breadth: You can implement any breadth the data identifier supports at the instance level.
• Optional Validators: You can select one or more optional validators at the instance level.
• Patterns: You cannot modify the match patterns at the instance level.
• Mandatory Validators: You cannot modify, add, or remove required validators at the instance level.
Introducing data identifiers
Action    Description
Edit a data identifier.
    Select the data identifier from the list to modify it.
    Selecting a data identifier breadth
    Extending and customizing data identifiers
    Editing data identifiers
Define a custom data identifier.
    Click Add data identifier to create a custom data identifier.
    Custom data identifier configuration
    Workflow for creating custom data identifiers
Sort and view data identifiers.
    The list is sorted alphabetically by Name. You can also sort by the Category.
    A pencil icon to the left means that the data identifier is modified from its original state, or is custom.
Remove a data identifier.
    Click the X icon on the right side to delete a data identifier.
    The system does not let you delete system data identifiers. You can only delete custom data identifiers.
1. Clone the system data identifier you want to modify.
    Clone the system data identifier before you modify it.
    Cloning a system data identifier before modifying it
    Clone system-defined data identifiers before modifying to preserve original state
2. Edit the cloned data identifier.
    If you modify a system data identifier, click the plus sign to display the breadth and edit the data identifier.
    Selecting a data identifier breadth
3. Edit one or more Patterns.
    You can modify any pattern that the Data Identifier provides.
    Writing data identifier patterns to match data
4. Edit the data input for any validator that accepts input.
    Editing pattern validator input
    List of pattern validators that accept input data
5. Optionally, you can add or remove Validators, as necessary.
    Selecting pattern validators
7. Implement the data identifier in a policy rule or exception.
    Configuring the Content Matches data identifier condition
1. Add a data identifier rule or exception to a policy, or configure an existing one.
    Select the Content Matches data identifier condition at the Add Detection Rule or Add Exception screen.
    Adding a Rule to a Policy
    Adding an Exception to a Policy
2. Choose a data identifier.
    Choose a data identifier from the list and click Next.
    System-defined data identifiers
3. Select a Breadth of detection.
    Use the breadth option to narrow the scope of detection.
    About data identifier breadths
    Wide is the default setting and detects the broadest set of matches. Medium and narrow breadths, if available,
    check additional criteria and detect fewer matches.
    Selecting a data identifier breadth
4. Select and configure one or more Optional Validators.
    Optional validators restrict the match criteria and reduce false positives.
    About optional validators for data identifiers
5. Configure Match Counting.
    Select how you want to count matches:
    • Check for existence
      Do not count multiple matches; report a match count of 1 for one or more matches.
    • Count all matches
      Count each match; specify the minimum number of matches to report an incident.
      Configuring Match Counting
    • Count all unique matches
      This is the default setting.
      About unique match counting
      Configuring unique match counting
6. Configure the message components to Match On.
    Select one or more message components on which to match.
    On the endpoint, the detection engine matches the entire message, not individual components.
    Selecting components to match on
    If the data identifier uses optional or required keyword validators, the keyword must be present in the same
    component as the matched data identifier content.
    About cross-component matching
7. Configure additional conditions to Also Match.
    Optionally, you can Add one or more additional conditions from any available in the Also Match condition list.
    All conditions in a compound rule or exception must match to trigger or except an incident.
    Configuring compound rules
Breadth    Description
Wide
    The wide breadth defines a single or multiple patterns to create the greatest number of matches. In general this
    breadth produces a higher rate of false positives than the medium and narrow breadths.
Medium
    The medium breadth may refine the detection pattern(s) and/or add one or more data validators to limit the
    number of matches.
Narrow
    The narrow breadth offers the tightest patterns and strictest validation to provide the most accurate positive
    matches. In general this option requires the presence of a keyword or other validating restriction to trigger a
    match.
Data identifier Breadth(s) Normalizer
Optional validator    Description
Require beginning characters
    Match the characters that begin (lead) the matched data item.
    For example, for the CA Drivers License data identifier, you could require the beginning character to be
    the letter "C." In this case the engine matches a license number C6457291.
    Acceptable characters for optional validators
Require ending characters
    Match the characters that end (trail) the matched data item.
    Acceptable characters for optional validators
Exclude beginning characters
    Exclude from matching characters that begin (lead) the matched data.
    Acceptable characters for optional validators
Exclude ending characters
    Exclude from matching the characters that end (trail) the matched data item.
    Acceptable characters for optional validators
Find keywords
    Match one or more keywords or key phrases in addition to the matched data item. Can check for the
    proximity of matched data against a list of keywords.
    Keywords can also be scanned for case sensitivity. Then a check is performed for the proximity of the
    matched data identifier patterns against a list of keywords. An incident is generated when all of the
    data identifier patterns in the rule match. Captured keywords are highlighted in incidents. Proximity,
    case sensitivity, and validator highlighting are disabled by default and must be enabled to work.
    The keyword must be detected in the same message component as the data identifier content to report
    a match.
    About cross-component matching
    This optional validator accepts any characters (numbers, letters, others).
    Acceptable characters for optional validators
    List of pattern validators that accept input data
Exact Match Data Identifier Check
    Lookup tokens around a pattern for an Exact Match Data Identifier index and validate the pattern.
    Adding an EMDI check to a built-in or custom data identifier condition in a policy
NOTE
The Find keyword optional validator accepts any characters as values for all data identifiers.
The type of data expected by the optional validator depends on the data identifier. Most data identifier/optional validator
pairings accept numbers only; some accept alphanumeric values, and a few accept any characters. If you enter
unacceptable input and attempt to save the policy, the system reports an error.
Configuring optional validators
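The optional validators, the same-component rule for keywords, the three match-counting modes and the save-time input check all interact on one rule, and the table above lists them separately. The following is an added example written for this page, not Symantec's detection engine, that puts them together on the page's CA Drivers License case: a simplified letter-plus-seven-digits pattern (the real pattern is tuned more tightly), Require/Exclude beginning and ending characters with the input rules the table gives for that identifier (letters only, normalized to lowercase, for beginning characters; numbers only for ending characters), Find keywords restricted to the component that holds the match, and the Check for existence, Count all matches and Count all unique matches modes. The message components are constructed sample data.

```python
"""Added example: optional validators and match counting on a data identifier.

Illustrative code for this page, not Symantec's detection engine. Pattern is a simplification
of the CA Drivers License example; the message components are constructed.
"""
import re
from dataclasses import dataclass

# Simplified pattern for the page's example C6457291: one letter followed by seven digits.
CA_DL_PATTERN = re.compile(r"\b[A-Za-z]\d{7}\b")


def check_validator_input(value, accepts):
    """Mimic the save-time check: reject characters this data identifier's validators do not accept."""
    if not value:
        return value
    if accepts == "letters":
        if not value.isalpha():
            raise ValueError(f"{value!r}: letters only")
        return value.lower()                 # letters are normalized to lowercase for this identifier
    if not value.isdigit():
        raise ValueError(f"{value!r}: numbers only")
    return value


@dataclass
class OptionalValidators:
    require_beginning: str = ""   # letters only (normalized to lowercase)
    exclude_beginning: str = ""   # letters only (normalized to lowercase)
    require_ending: str = ""      # numbers only
    exclude_ending: str = ""      # numbers only
    keywords: tuple = ()          # Find keywords: any characters

    def __post_init__(self):
        self.require_beginning = check_validator_input(self.require_beginning, "letters")
        self.exclude_beginning = check_validator_input(self.exclude_beginning, "letters")
        self.require_ending = check_validator_input(self.require_ending, "numbers")
        self.exclude_ending = check_validator_input(self.exclude_ending, "numbers")

    def accept(self, component_text, match):
        """Apply every configured validator to one pattern match found in component_text."""
        lead, trail = match[0].lower(), match[-1]
        if self.require_beginning and lead not in self.require_beginning:
            return False
        if self.exclude_beginning and lead in self.exclude_beginning:
            return False
        if self.require_ending and trail not in self.require_ending:
            return False
        if self.exclude_ending and trail in self.exclude_ending:
            return False
        if self.keywords:
            # The keyword must be in the same message component as the matched data.
            text = component_text.lower()
            if not any(k.lower() in text for k in self.keywords):
                return False
        return True


def find_matches(components, validators):
    """Scan each message component separately and return the validated matches in order."""
    matches = []
    for _name, text in components.items():
        for m in CA_DL_PATTERN.findall(text):
            if validators.accept(text, m):
                matches.append(m.upper())
    return matches


def count_matches(matches, mode="count_unique", minimum=1):
    """Return (reported count, incident?) under the three counting modes the page lists."""
    if mode == "check_existence":
        count = 1 if matches else 0
    elif mode == "count_all":
        count = len(matches)
    elif mode == "count_unique":
        count = len(set(matches))
    else:
        raise ValueError(f"unknown counting mode {mode!r}")
    return count, count > 0 and count >= minimum


# Constructed sample message: the keyword "driver license" appears only in the subject.
COMPONENTS = {
    "subject": "Driver license copies attached",
    "body": "Primary license: C6457291. Duplicate scan: C6457291. Out-of-state: D1234567. Staff badge B9876543.",
}

if __name__ == "__main__":
    found = find_matches(COMPONENTS, OptionalValidators(require_beginning="C"))
    print(found, count_matches(found, "count_all", 2), count_matches(found, "count_unique", 2))
```

With the beginning character restricted to C, the same license appears twice: Count all matches reports 2 and fires at a minimum of 2, while the default Count all unique matches reports 1 and does not, which is the behaviour described under About unique match counting. Requiring the phrase "driver license" yields no match at all, because that keyword sits in the subject while the numbers are in the body.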
Data Identifier    Exclude/require beginning characters    Exclude/require ending characters
ABA Routing Number Numbers only Numbers only
Argentina Tax Identification Number Numbers only Numbers only
Australia Driver's License Number Alphanumeric Alphanumeric
Australian Business Number Numbers only Numbers only
Australian Company Number Numbers only Numbers only
Australian Medicare Number Numbers only Numbers only
Australian Passport Number Letters only (normalized to lowercase) Numbers only
Australian Tax File Number Numbers only Numbers only
Austria Passport Number Alphanumeric Alphanumeric
Austria Tax Identification Number Numbers only Numbers only
Austria Value Added Tax (VAT) Number Letters only Numbers only
Austrian Social Security Number Numbers only Numbers only
Belgian National Number Numbers only Numbers only
Belgium Driver's Licence Number Numbers only Numbers only
Belgium Passport Number Alphanumeric Alphanumeric
Belgium Tax Identification Number Numbers only Numbers only
Belgium Value Added Tax (VAT) Number Letters only Numbers only
Bosnia-Herzegovina Unique Master Citizen Number Numbers only Numbers only
Brazilian Election Identification Number Numbers only Numbers only
Brazilian National Registry of Legal Entities Number Numbers only Numbers only
Brazil RG Number Numbers only Alphanumeric
Brazilian Natural Person Registry Number Numbers only Numbers only
British Columbia Personal Number Numbers only Numbers only
Bulgaria Value Added Tax (VAT) Number Letters only Numbers only
Bulgarian Uniform Civil Number - EGN Numbers only Numbers only
Burgerservicenummer Numbers only Numbers only
Canada Driver's License Number Alphanumeric Alphanumeric
Canada Government Identification Number Alphanumeric Numbers only
Canada Passport Number Letters only Numbers only
Canada Permanent Resident (PR) Number Letters only Numbers only
Canadian Social Insurance Number Numbers only Numbers only
Chile Driver License Number Numbers only Numbers only
Chilean National Identification Number Alphanumeric Alphanumeric
China Passport Number Alphanumeric Alphanumeric
Codice Fiscale Letters only Letters only
Columbian Addresses Numbers only Numbers only
Colombian Cell Phone Number Numbers only Numbers only
Columbian Personal Identification Number Numbers only Numbers only
Colombian Tax Identification Number Numbers only Numbers only
Common Procedure Coding System (HCPCS CPT Code) Alphanumeric Alphanumeric
Credit Card Magnetic Stripe Data Numbers only Numbers only
Credit Card Number Numbers only Numbers only
Croatia National Identification Number Alphanumeric Alphanumeric
CUSIP Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Cyprus Tax Identification Number Letters only Numbers only
Cyprus Value Added Tax (VAT) Number Alphanumeric Alphanumeric
Czech Republic Driver's Licence Number Letters only Numbers only
Czech Republic Personal Identification Number Numbers only Numbers only
Czech Republic Tax Identification Number Numbers only Numbers only
Czech Republic Value Added Tax (VAT) Number Letters only Numbers only
Denmark Personal Identification Number Alphanumeric Alphanumeric
Denmark Tax Identification Number Numbers only Numbers only
Denmark Value Added Tax (VAT) Number Letters only Numbers only
Driver's License Number – AR State Letters only (normalized to lowercase) Numbers only
Driver's License Number – AZ State Letters only (normalized to lowercase) Numbers only
Driver's License Number – CA State Letters only (normalized to lowercase) Numbers only
Driver's License Number – CT State Numbers only Numbers only
Driver's License Number – DC State Numbers only Numbers only
Driver's License Number – FL, MI, MN States Letters only (normalized to lowercase) Numbers only
Driver's License Number – Guam Alphanumeric Numbers only
Driver's License Number – HI State Alphanumeric Numbers only
Driver's License Number – IA State Alphanumeric Numbers only
Driver's License Number – ID State Alphanumeric Numbers only
Driver's License Number – IN State Alphanumeric Numbers only
Driver's License Number – KY State Alphanumeric Numbers only
Driver's License Number – KS State Alphanumeric Numbers only
Driver's License Number – MA State Alphanumeric Numbers only
Driver's License Number – MD State Letters only Numbers only
Driver's License Number – MS State Alphanumeric Numbers only
Driver's License Number – MO State Alphanumeric Numbers only
Driver's License Number – ND State Alphanumeric Numbers only
Driver's License Number – NE State Numbers only
Driver's License Number – NH State Alphanumeric Numbers only
Driver's License Number – NJ State Letters only (normalized to lowercase) Numbers only
Driver's License Number – NY State Numbers only Numbers only
Driver's License Number – OH State Alphanumeric Numbers only
Driver's License Number – OK State Alphanumeric Numbers only
Driver's License Number – OR State Alphanumeric Numbers only
Driver's License Number – RI State Alphanumeric Numbers only
Driver's License Number – US Virgin Islands Letters only Numbers only
Driver's License Number – VA State Alphanumeric Numbers only
Driver's License Number – VT State Numbers only Numbers only
Driver's License Number - WA State Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Driver's License Number - WI State Letters only Numbers only
Driver's License Number – WV State Alphanumeric Numbers only
Drug Enforcement Agency (DEA) Number Letters only (normalized to lowercase) Numbers only
Estonia Driver's Licence Number Letters only Numbers only
Estonia Passport Number Letters only Numbers only
Estonia Personal Identification Number Numbers only Numbers only
Estonia Value Added Tax (VAT) Number Letters only Numbers only
European Health Insurance Card Number Numbers only Numbers only
Finland Driver's Licence Number Alphanumeric Alphanumeric
Finland European Health Insurance Number Numbers only Numbers only
Finland Passport Number Letters only Numbers only
Finland Tax Identification Number Alphanumeric Alphanumeric
Finland Value Added Tax (VAT) Number Letters only Numbers only
Finnish Personal Identification Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
France Driver's Licence Number Numbers only Numbers only
France Health Insurance Number Numbers only Numbers only
France Tax Identification Number Numbers only Numbers only
France Value Added Tax (VAT) Number Letters only Numbers only
French INSEE Code Numbers only Numbers only
French Passport Number Alphanumeric Alphanumeric
French Social Security Number Alphanumeric Alphanumeric
German Passport Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
German Personal Identification Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
German Driver's Licence Number Alphanumeric Alphanumeric
German Tax Identification Number Numbers only Numbers only
German Value Added Tax (VAT) Number Letters only Numbers only
Greece Passport Number Letters only Numbers only
Greece Social Security Number (AMKA) Numbers only Numbers only
Greece Value Added Tax (VAT) Number Letters only Numbers only
Greek Tax Identification Number Numbers only Numbers only
Health Insurance Claim Number Alphanumeric Alphanumeric
Hong Kong ID Alphanumeric Alphanumeric
Hungarian Social Security Number Numbers only Numbers only
Hungarian Tax Identification Number Numbers only Numbers only
Hungarian VAT Number Letters only (normalized to lowercase) Numbers only
Hungary Driver's Licence Number Letters only Numbers only
Hungary Passport Number Letters only Numbers only
IBAN Central Alphanumeric Alphanumeric
IBAN East Alphanumeric Alphanumeric
IBAN West Alphanumeric Alphanumeric
Iceland National Identification Number Numbers only Numbers only
Iceland Passport Number Letters only Numbers only
Iceland Value Added Tax (VAT) Number Letters only Numbers only
India RuPay Card Number Numbers only Numbers only
Indian Aadhar Card Number Numbers only Numbers only
Indonesian Identity Card Number Letters only Letters only
International Mobile Equipment Identity Number Numbers only Numbers only
International Securities Identification Number Letters only (normalized to lowercase) Numbers only
IP Address Any characters Any characters
IPv6 Address Alphanumeric Alphanumeric
Ireland Passport Number Letters only Numbers only
Ireland Tax Identification Number Alphanumeric Alphanumeric
Ireland Value Added Tax (VAT) Number Letters only Numbers only
Irish Personal Public Service Number Numbers only Letters only (normalized to lowercase)
Israel Personal Identification Number Numbers only Numbers only
Italy Driver's Licence Number Letters only Letters only
Italy Health Insurance Number Letters only Letters only
Italy Passport Number Alphanumeric Alphanumeric
Italy Value Added Tax (VAT) Number Letters only Numbers only
Japan Driver's License Number Numbers only Numbers only
Japan Passport Number Letters only Numbers only
Japanese Juki-Net ID Number Numbers only Numbers only
Japanese My Number - Corporate Numbers only Numbers only
Japanese My Number - Personal Numbers only Numbers only
Kazakhstan Passport Number Letters only Numbers only
Korea Passport Number Alphanumeric Alphanumeric
Korea Residence Registration Number for Foreigners Numbers only Numbers only
Korea Residence Registration Number for Korean Numbers only Numbers only
Kosovo Unique Master Citizen Number Number Numbers only Numbers only
Latvia Driver's Licence Number Letters only Numbers only
Latvia Passport Number Letters only Numbers only
Latvia Personal Identification Number Numbers only Numbers only
Latvia Value Added Tax (VAT) Number Letters only Numbers only
Liechtenstein Passport Number Letters only Numbers only
Lithuania Personal Identification Number Numbers only Numbers only
Lithuania Tax Identification Number Numbers only Numbers only
Lithuania Value Added Tax (VAT) Number Letters only Numbers only
Luxembourg National Register of Individuals Number Numbers only Numbers only
Luxembourg Passport Number Alphanumeric Alphanumeric
Luxembourg Tax Identification Number Numbers only Numbers only
Luxembourg Value Added Tax (VAT) Number Letters only Numbers only
Macau National Identification Number Numbers only Numbers only
Macedonia Unique Master Citizen Number Numbers only Numbers only
Malaysia Passport Number Letters only Numbers only
Malaysian MyKad Number (MyKad) Numbers only Numbers only
Malta National Identification Number Numbers only Letters only
Malta Tax Identification Number Alphanumeric Alphanumeric
Malta Value Added Tax (VAT) Number Alphanumeric Alphanumeric
Medicare Beneficiary Number Alphanumeric Alphanumeric
Mexico Passport Number Alphanumeric Numbers only
Mexican Personal Registration and Identification Number Alphanumeric Alphanumeric
Mexican Tax Identification Number Alphanumeric Alphanumeric
Mexican Unique Population Registry Code Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Mexico CLABE Number Numbers only Numbers only
Montenegro Unique Master Citizen Number Numbers only Numbers only
National Drug Code (NDC) Numbers only Numbers only
National Provider Identifier Number Numbers only Numbers only
Netherlands Bank Account Number Alphanumeric Alphanumeric
Netherlands Driver's Licence Number Numbers only Numbers only
Netherlands Passport Number Alphanumeric Alphanumeric
Netherlands Tax Identification Number Numbers only Numbers only
Netherlands Value Added Tax (VAT) Number Letters only Numbers only
New Zealand Driver's License Number Letters only Numbers only
New Zealand National Health Index Number Letters only (normalized to lowercase) Numbers only
New Zealand Passport Number Letters only Numbers only
Norway Driver's Licence Number Numbers only Numbers only
Norway Health Insurance Card Number (HICN) Numbers only Numbers only
Norway National Identification Number Numbers only Numbers only
Norway Value Added Tax Number Alphanumeric Alphanumeric
Norwegian Birth Number Numbers only Numbers only
People's Republic of China ID Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Poland Driver's Licence Number Numbers only Numbers only
Poland European Health Insurance Number Numbers only Numbers only
Poland Passport Number Letters only Numbers only
Poland Value Added Tax (VAT) Number Letters only Numbers only
Polish Identification Number Letters only Numbers only
Polish REGON Number Numbers only Numbers only
Polish Social Security Number (PESEL) Numbers only Numbers only
Polish Tax Identification Number Numbers only Numbers only
Portugal Driver's Licence Number Letters only Numbers only
Portugal National Identification Number Alphanumeric Alphanumeric
Portugal Passport Number Letters only Numbers only
Portugal Tax Identification Number Numbers only Numbers only
Portugal Value Added Tax (VAT) Number Letters only Numbers only
Randomized US Social Security Number (SSN) Numbers only Numbers only
Romania Driver's Licence Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Romania National Identification Number Numbers only Numbers only
Romania Numerical Personal Code Numbers only Numbers only
Romania Value Added Tax (VAT) Number Letters only Numbers only
Romanian Numerical Personal Code Numbers only Numbers only
Russia Cargo Customs Declaration Number Numbers only Numbers only
Russia Employment Record Letters only Numbers only
Russia Individual Personal Account Insurance Number Numbers only Numbers only
Russia Military Identity Number Letters only Numbers only
Russia OMS Number Numbers only Numbers only
Russian Passport Identification Number Numbers only Numbers only
Russian Taxpayer Identification Number Numbers only Numbers only
SEPA Creditor Identifier Number North Alphanumeric Alphanumeric
SEPA Creditor Identifier Number South Alphanumeric Alphanumeric
SEPA Creditor Identifier Number West Alphanumeric Alphanumeric
SEPA Creditor Identifier Number East Alphanumeric Alphanumeric
Serbia Unique Master Citizen Number Numbers only Numbers only
Serbia Value Added Tax (VAT) Number Alphanumeric Alphanumeric
Singapore NRIC Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Slovakia Driver's Licence Number Letters only Numbers only
Slovakia National Identification Number Alphanumeric Alphanumeric
Slovakia Passport Number Letters only Numbers only
Slovakia Value Added Tax (VAT) Number Letters only Numbers only
Slovenia Passport Number Letters only Numbers only
Slovenia Tax Identification Number Numbers only Numbers only
Slovenia Unique Master Citizen Number Numbers only Numbers only
Slovenia Value Added Tax (VAT) Number Letters only Numbers only
South African Personal Identification Number Numbers only Numbers only
Spain Driver's Licence Number Alphanumeric Alphanumeric
Spain Value Added Tax (VAT) Number Alphanumeric Alphanumeric
Spanish Customer Account Number Numbers only Numbers only
Spanish DNI ID Alphanumeric Alphanumeric
Spanish Passport Number Alphanumeric Alphanumeric
Spanish Social Security Number Numbers only Numbers only
Spanish Tax ID (CIF) Alphanumeric Alphanumeric
Sri Lanka National Identification Number Alphanumeric Alphanumeric
Sweden Driver's Licence Number Numbers only Numbers only
Sweden Personal Identification Number Numbers only Numbers only
Sweden Tax Identification Number Numbers only Numbers only
Sweden Value Added Tax (VAT) Number Letters only Numbers only
Swedish Passport Number Alphanumeric Alphanumeric
SWIFT Code Alphanumeric Alphanumeric
Swiss AHV Number Numbers only Numbers only
Swiss Social Security Number (AHV) Alphanumeric Alphanumeric
Switzerland Health Insurance Card Number Numbers only Numbers only
Switzerland Passport Number Letters only Numbers only
Switzerland Value Added Tax (VAT) Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
Taiwan ROC ID Alphanumeric Alphanumeric
Thailand Passport Number Letters only Numbers only
Thailand Personal ID Number Numbers only Numbers only
Turkish Identification Number Numbers only Numbers only
Turkey Local Phone Number Numbers only Numbers only
Turkey Mobile Number Numbers only Numbers only
Turkey Passport Number Letters only Numbers only
Turkey Tax Identification Number Numbers only Numbers only
Turkey VAT Number Letters only Numbers only
UK Bank Account Number Sort Code Numbers only Numbers only
UK Driver's Licence Number Alphanumeric (normalized to lowercase) Alphanumeric (normalized to lowercase)
UK Electoral Roll Number Letters only (normalized to lowercase) Numbers only
UK National Health Service (NHS) Number Numbers only Numbers only
UK National Insurance Number Letters only (normalized to lowercase) Letters only (normalized to lowercase)
UK Passport Number Numbers only Numbers only
UK Tax Identification Number Numbers only Numbers only
UK Value Added Tax (VAT) Number Letters only Numbers only
Ukraine Identity Card Numbers only Numbers only
Ukraine Passport (Domestic) Numbers only Numbers only
Ukraine Passport (International) Alphanumeric Alphanumeric
United Arab Emirates Personal Number Numbers only Numbers only
US Adoption Tax Identification Number Numbers only Numbers only
US Individual Tax Identification Number (ITIN) Numbers only Numbers only
US Passport Number Numbers only Numbers only
US Preparer Tax Identification Number Numbers only Numbers only
US Social Security Number (SSN) Numbers only Numbers only
US ZIP+4 Postal Codes Letters only Numbers only
Vehicle Identification Number Alphanumeric Numbers only
Venezuela Driver's License Number Alphanumeric Numbers only
Venezuela National ID Number Letters only Numbers only
Venezuela Value Added Tax (VAT) Number Letters only Numbers only
Vojvodina Unique Master Citizen Number Numbers only Numbers only
Table 564: Unique match counting characteristics

| Characteristic | Description |
|---|---|
| First match is unique | A unique match is the first match found in a message component. |
| Match count updated for each unique match | The match count is incremented by 1 for each unique pattern match. |
| Only unique matches are highlighted | Duplicate matches are neither counted nor highlighted at the Incident Snapshot screen. |
| Uniqueness does not span message components | For example, if the same SSN appears in both the message body and attachment, two unique matches will be generated, not one. This is because each instance is detected in a separate message component. |
| Compound rule with data identifier and keyword proximity conditions | In a compound rule combining a data identifier condition with a keyword condition that specifies keyword proximity logic, the reported match will be the first match found |

Detection Messages and Message Components
Editing pattern validator input
NOTE
The system does not export modified and custom data identifiers in a policy template; it exports a reference to the system data identifier, and the target system where the policy template is imported provides the actual data identifier. Clone system-defined data identifiers before modifying them, so that the original state is preserved.
Editing data identifiers
About pattern validators
To edit required validator input
1. Edit the data identifier by selecting it from the Manage > Policies > data identifiers screen.
2. Select the Rule Breadth you want to modify.
Generally, the medium and narrow breadth options include validators that accept data input.
3. Select the editable validator from the Active Validators list whose input you want to edit.
For example, select Find keywords.
List of pattern validators that accept input data
4. Edit the input for the validator in the Description and Data Entry field.
5. Select the qualities you want for the keyword:
• Proximity - To find a keyword only within the set proximity of the matched patterns, check this box and also indicate the Word Distance or proximity.
• Case sensitive - Check this box if you want to search for a case-sensitive match.
• Highlight keywords in incident - Check this box if you want to highlight the matched keywords in incidents.
6. Click Update Validator to save the changes you have made to the validator input.
Click Discard Changes to discard them instead.
7. Click Save to save the data identifier.
| Validator | Description |
|---|---|
| Exact Match | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length. |
| Exclude beginning characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length. |
| Exclude ending characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length. |
| Exclude exact match | Enter a comma-separated list of values. Each value can be of any length. |
| Exclude prefix | Enter a comma-separated list of values. Each value can be of any length. |
| Exclude suffix | Enter a comma-separated list of values. Each value can be of any length. |
| Find keywords | Enter a comma-separated list of values. Each value can be of any length. |
| Require beginning characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length. |
| Require ending characters | Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length. |
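The unique-match counting rules in Table 564 and the validator inputs above (Exclude/Require beginning or ending characters, Find keywords with Proximity and Case sensitive) modelled as an added Python example; this is not Symantec DLP's own code, and the SSN pattern, the constructed message and the exact matching semantics are assumptions made for illustration.

```python
"""Simplified model of data identifier matching with validators and per-component
unique-match counting. Added illustration, not Symantec DLP's code: validator
names follow the product documentation, the matching semantics are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed pattern for the example: a US SSN written as NNN-NN-NNNN.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Validators:
    exclude_beginning: List[str] = field(default_factory=list)  # numeric, no dashes
    require_ending: List[str] = field(default_factory=list)     # numeric, no dashes
    keywords: List[str] = field(default_factory=list)           # Find keywords values
    word_distance: int = 0        # Proximity: 0 means anywhere in the component
    case_sensitive: bool = False  # Case sensitive checkbox


def normalize(value: str) -> str:
    """Compare numeric values without dashes or other separators, mirroring the
    instruction to enter numeric validator values without separators."""
    return re.sub(r"\D", "", value)


def keyword_near(text: str, start: int, end: int, v: Validators) -> bool:
    """True if a Find keywords value appears within word_distance words of the
    match, or anywhere in the component when word_distance is 0 (assumed)."""
    if not v.keywords:
        return True
    if v.word_distance > 0:
        before = text[:start].split()[-v.word_distance:]
        after = text[end:].split()[:v.word_distance]
        window = " ".join(before + after)
    else:
        window = text
    if v.case_sensitive:
        return any(k in window for k in v.keywords)
    window = window.lower()
    return any(k.lower() in window for k in v.keywords)


def passes_validators(match: str, text: str, start: int, end: int, v: Validators) -> bool:
    """Apply Exclude beginning characters, Require ending characters, Find keywords."""
    digits = normalize(match)
    if any(digits.startswith(normalize(p)) for p in v.exclude_beginning):
        return False
    if v.require_ending and not any(digits.endswith(normalize(s)) for s in v.require_ending):
        return False
    return keyword_near(text, start, end, v)


def unique_matches(components: Dict[str, str], v: Validators) -> Dict[str, List[str]]:
    """Unique matches per message component, in the order found. The first
    occurrence in a component is the reported match; a repeat of the same value
    in the same component is neither counted nor highlighted, but the same value
    in another component (for example an attachment) counts again."""
    found: Dict[str, List[str]] = {}
    for name, text in components.items():
        uniques: List[str] = []
        for m in SSN_PATTERN.finditer(text):
            if not passes_validators(m.group(), text, m.start(), m.end(), v):
                continue
            if m.group() in uniques:  # duplicate within this component
                continue
            uniques.append(m.group())
        found[name] = uniques
    return found


def match_count(components: Dict[str, str], v: Validators) -> int:
    """Match count: incremented by 1 per unique match, summed over components."""
    return sum(len(u) for u in unique_matches(components, v).values())


# Constructed message: the same SSN appears twice in the body and once in the attachment.
MESSAGE = {
    "body": "SSN 123-45-6789 reported twice: 123-45-6789, plus 987-65-4321 and SSN 555-12-9999.",
    "attachment": "Employee record, SSN 123-45-6789",
}

if __name__ == "__main__":
    print(unique_matches(MESSAGE, Validators()))                          # 3 body, 1 attachment
    print(match_count(MESSAGE, Validators(keywords=["ssn"], word_distance=1)))  # 3
```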
Editing keywords for international PII data identifiers
Data identifiers offer broad support for detecting international content.
Introducing data identifiers
Some international data identifiers offer a wide breadth of detection only. In this case you can implement the Find Keywords optional validator to narrow the scope of detection, which may help you eliminate false positives that your policy would otherwise match.
Selecting a data identifier breadth
To use keywords for international data identifiers
1. Create a policy using one of the system-provided international data identifiers that is listed in the table.
List of keywords for international system data identifiers
2. Select the Find Keywords optional validator.
Configuring the Content Matches data identifier condition
3. Copy and paste the appropriate comma-separated keywords from the list into the Find Keywords optional validator field.
Configuring optional validators
| Data identifier | Language | Keywords | English translation |
|---|---|---|---|
| Brazilian Natural Person Registry Number | Brazilian Portuguese | Cadastro de Pessoas Físicas, Brasileiro Pessoa Natural Número de Registro, pessoa natural número de registro, pessoas singulares registro NO | Registration of individuals, Brazilian Natural Person Registry Number, natural person registry number, individual registration number |
| British Columbia Personal Healthcare Number | French | MSP nombre, soins de santé no, soins de santé personnels nombre, MSPNombre#, soinsdesanténo# | MSP Number, MSP no, personal healthcare number, Healthcare No, PHN |
| Bulgaria Value Added Tax (VAT) Number | Bulgarian | номер на таксата, ДДС, ДДС#, ДДС номер., ДДС номер.#, номер на данъка върху добавената стойност, данък върху добавената стойност, ДДС номер | Fee number, VAT, VAT number, value added tax |
| Bulgarian Uniform Civil Number - EGN | Bulgarian | Униформ граждански номер, Униформ ID, Униформ граждански ID, Униформ граждански не., български Униформ граждански номер, УниформгражданскиID#, Униформгражданскине.# | Uniform civil number, Uniform ID, Uniform civil ID, Bulgarian uniform civil number |
| Burgerservicenummer | Dutch | Persoonsnummer, sofinummer, sociaal-fiscaal nummer, persoonsgebonden | person number, social-fiscal number (abbreviation), social-fiscal number, person-related number |
| Canada Driver's License Number | French | permis de conduire | Driver's license |
| Canada Passport Number | French | numéro passeport, No passeport, passeport# | Passport number, passport no., passport# |
| Canada Permanent Resident (PR) Number | French | numéro résident permanent, résident permanent non, résident permanent no., carte résident permanent, numéro carte résident permanent, pr non | permanent resident number, permanent resident no, permanent resident number, permanent resident card, permanent resident card number, pr no |
| Chilean National Identification Number | Spanish | Chilena número identificación, nacional identidad, número identificación, número identificación nacional, identidad número, NúmerodeIdentificación#, Identidadchilenano#, Rol Único Nacional, RolÚnicoNacional#, nacionalidentidad# | Chilean identification number, national identity, identification number, national identification number, identity number, Unique National Role |
| China Passport Number | Chinese | ####, ##, ### | Chinese passport, passport, passport book |
| Codice Fiscale | Italian | codice fiscal, dati anagrafici, partita I.V.A., p. iva | tax code, personal data, VAT number, VAT number |
| Columbian Addresses | Spanish | Calle, Cll, Carrera, Cra, Cr, Avenida, Av, Diagonal, Diag, Tv, Trans, Transversal, vereda | Street, St, Career, Avenue, Diagonal, Dg, Transversal, sidewalk |
| Columbian Cell Phone Number | Spanish | numero celular, número de teléfono, teléfono celular no., numero celular# | Cellular number, telephone number, cellular telephone number |
| Columbian Personal Identification Number | Spanish | cedula, cédula, c.c., c.c,C.C., C.C, cc, CC, NIE., NIE, nie., nie, cedula de ciudadania, cédula de ciudadanía, cc#, CC #, documento de identificacion, documento de identificación, Nit. | Identification card, citizenship card, identification document |
| Columbian Tax Identification Number | Spanish | NIT., NIT, nit., nit, Nit. | TIN (tax identification number) |
| Croatia National Identification Number | Croatian | Osobna iskaznica, Nacionalni identifikacijski broj, osobni ID, osobni identifikacijski broj, porez iskaznica, porezni broj, porezni identifikacijski broj, porez kod, šifra poreznog obveznika | Personal ID, national identification number, personal ID, personal identification number, tax identification card, tax number, tax identification number, tax code, taxpayer code |
| Cyprus Tax Identification Number | Turkish, Greek | αριθμός φορολογικού μητρώου, Vergi Kimlik Numarası, vergi numarası, Kıbrıs TIN numarası | Tax identification number, tax number, TIN number, Cyprus TIN number |
| Cyprus Value Added Tax (VAT) Number | Turkish, Greek | KDV, kdv#, KDV numarası, Katma değer Vergisi, Φόρος Προστιθέμενης Αξίας | VAT, VAT number, value added tax |
| Czech Republic Driver's Licence Number | Czech | řidičský průkaz, řidičský prúkaz, číslo řidičského průkazu, řidičské číslo řidičů, ovladače lic., Číslo licence řidiče, Řidičský průkaz, povolení řidiče, řidiči povolení, povolení k jízdě, číslo licence | Driving license, driver's license number, driving license number, driver's lic., driver license number, driver's permit |
| Czech Republic Personal Identification Number | Czech | Česká Osobní identifikační číslo, Osobní identifikační číslo., identifikační číslo, čeština identifikační číslo | Czech Personal Identification Number, personal identification number, Czech identification number |
| Czech Republic Tax Identification Number | Czech | osobní kód, Národní identifikační číslo, osobní identifikační číslo, cínové číslo, daňové identifikačné číslo, daňový poplatník id | Personal code, national identification number, personal identification number, TIN number, tax identification number, taxpayer ID |
| Czech Republic Value Added Tax (VAT) Number | Czech | číslo DPH, Daň z přidané hodnoty, Dan z pridané hodnoty, Daň přidané hodnoty, Dan pridané hodnoty, DPH, DIC, DIČ | VAT number, value added tax, VAT |
| Denmark Personal Identification Number | Danish | Nationalt identifikationsnummer, personnummer, unikt identifikationsnummer, identifikationsnummer, centrale personregister, cpr,cpr-nummer,cpr#, cpr-nummer#, identifikationsnummer#, personnummer# | National identification number, personal number, unique identification number, identification number, central registry of persons, CPR number |
| Denmark Value Added Tax (VAT) Number | Danish | moms, momsnummer, moms identifikationsnummer, merværdiafgift | VAT number, vat, value added tax number, vat identification number |
| Estonia Driver's Licence Number | Estonian | juhiluba, JUHILUBA, juhiluba number, juhiloa number, Juhiluba, juhi litsentsi number | Driving license, driving license number, driver's license number, license number |
| Estonia Passport Number | Estonian | Pass, pass, passi number, pass nr, pass#, Pass nr, Eesti passi number | Passport, passport number, Estonian passport number |
| Estonia Personal Identification Code | Estonian | isikukood, isikukood#, IK, IK#, maksu ID, maksukohustuslase identifitseerimisnumber, maksukood, maksukood#, maksuID#, maksumaksja kood, maksumaksja identifitseerimisnumber | Personal identification code, tax ID, taxpayer identification number, tax identification number, tax code, taxpayer code |
| Estonia Value Added Tax (VAT) Number | Estonian | käibemaksu registreerimisnumber, käibemaksu, Käibemaksu number, käibemaks, käibemaks#, käibemaksu# | VAT registration number, VAT, VAT number |
| European Health Insurance Card Number | Croatian, Danish, Estonian, Finnish, French, German, Irish, Italian, Luxembourgish, Polish, Slovenian, Spanish | numero conto medico, tessera sanitaria assicurazione numero, carta assicurazione numero, Krankenversicherungsnummer, assicurazione sanitaria numero, medisch rekeningnummer, ziekteverzekeringskaartnummer, verzekerings kaart nummer, gezondheidskaart nummer, gezondheidskaart, medizinische Kontonummer, Krankenversicherungskarte Nummer, Versicherungsnummer, Gesundheitskarte Nummer, Gesundheitskarte, arstliku konto number, ravikindlustuse kaardi number, tervisekaart, tervisekaardi number, Uimhir ehic, tarjeta salud, broj kartice zdravstvenog osiguranja, kartice osiguranja broj, zdravstvenu karticu, zdravstvene kartice broj, ehic broj, numero tessera sanitaria, numero carta di assicurazione, tessera sanitaria, numero ehic, Gesondheetskaart, ehic nummer, numer rachunku medycznego, numer karty ubezpieczenia zdrowotne, numer karty ubezpieczenia, karta zdrowia, numer karty zdrowia, numer ehic, sairausvakuutuskortin numero, vakuutuskortin numero, terveyskortti, terveyskortin numero, medicinsk kontonummer, ehic numeris, medizinescher Konto Nummer, zdravstvena izkaznica | Medical account number, health insurance card number, insurance card number, health insurance number, medical account number, health card number, health card, insurance number, EHIC number |
| Finland Driver's License Number | Finnish, Swedish | permis de conduire, ajokortti, ajokortin numero, kuljettaja lic., körkort, körkort nummer, förare lic. | Driver's license, driver's license number, driver's lic. |
| Finland European Health Insurance Number | Finnish | Suomi EHIC-numero, Sairausvakuutuskortti, sairaanhoitokortin, EHIC, Sjukförsäkringskort, ehic, sairaanhoitokortin, Suomen sairausvakuutuskortti, Finska sjukförsäkringskort, Terveyskortti, Hälsokort, ehic#, sairausvakuutusnumero, sjukförsäkring nummer | Finland EHIC number, sickness insurance card, health insurance card, Finnish health insurance card, Health Card, Survival Card, health insurance number |
| Finland Passport Number | Finnish | Suomen passin numero, suomalainen passi, passin numero, passin numero.#, passin numero#, passin numero, passin numero., passin numero#, passi# | Finnish passport number, Finnish passport, passport number, passport number, passport # |
| Finland Tax Identification Number | Finnish | verotunniste, verokortti, verotunnus, veronumero | Tax identification number, tax card, tax ID, tax number |
| Finland Value Added Tax (VAT) Number | Finnish | arvonlisäveronumero, ALV, arvonlisäverotunniste, ALV nro, ALV numero, alv | VAT number, VAT, VAT identification number |
| Finnish Personal Identification Number | Finnish | tunnistenumero, henkilötunnus, yksilöllinen henkilökohtainen tunnistenumero, Ainutlaatuinen henkilökohtainen tunnus, identiteetti numero, Suomen kansallinen henkilötunnus, henkilötunnusnumero#, kansallisen tunnistenumero, tunnusnumero,kansallinen tunnus numero | Identification number, personal identification number, unique personal identification number, identity number, Finnish personal identification number, national identification number |
| France Driver's License Number | French | permis de conduire | Driver's license |
| France Health Insurance Number | French | carte vitale, carte d'assuré social | Health card, social insurance card |
| France Tax Identification Number | French | numéro d'identification fiscale | Tax identification number |
| France Value Added Tax (VAT) Number | French | Numéro d'identification taxe sur valeur ajoutée, Numéro taxe valeur ajoutée, taxe valeur ajoutée, Taxe sur la valeur ajoutée, Numéro de TVA intracommunautaire, n° TVA, numéro de TVA, Numéro de TVA en France, français numéro de TVA, Numéro d'identification SIREN | Value added tax identification number, value added tax number, value added tax, VAT number, French VAT number, SIREN identification number |
| French INSEE Code | French | INSEE, numéro de sécu, code sécu | INSEE, social security number, social security code |
| French Passport Number | French | Passeport français, Passeport, Passeport livre, Passeport carte, numéro passeport | French passport, passport, passport book, passport card, passport number |
| French Social Security Number | French | sécurité sociale non., sécurité sociale numéro, code sécurité sociale, numéro d'assurance, sécuritésocialenon.#, sécuritésocialeNuméro# | Social security number, social security code, insurance number |
| German Passport Number | German | Reisepass kein, Reisepass, Deutsch Passnummer, Passnummer, Reisepasskein#, Passnummer# | Passport number, passport, German passport number, passport number |
| German Personal ID Number | German | persönliche identifikationsnummer, ID-Nummer, Deutsch persönliche-ID-Nummer, persönliche ID Nummer, eindeutige ID-Nummer, persönliche Nummer,identität nummer, Versicherungsnummer, persönlicheNummer#, IDNummer# | Personal identification number, ID number, German personal ID number, personal ID number, clear ID number, personal number, identity number, insurance number |
| Germany Driver's License Number | German | Führerschein, Fuhrerschein, Fuehrerschein, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerschein- Nr, Fuhrerschein- Nr, Fuehrerschein- Nr | Driver's license, driver's license number |
| Germany Value Added Tax (VAT) Number | German | Mehrwertsteuer, MwSt, Mehrwertsteuer Identifikationsnummer, Mehrwertsteuer nummer | Value added tax, value added tax identification number, value added tax number |
| Greece Passport Number | Greek | λλάδα pasport αριθμός, Ελλάδα pasport όχι., Ελλάδα Αριθμός Διαβατηρίου, διαβατήριο, Διαβατήριο, ΕΛΛΑΔΑ ΔΙΑΒΑΤΗΡΙΟ, Ελλάδα Διαβατήριο, ελλάδα διαβατήριο, Διαβατήριο Βιβλίο, βιβλίο διαβατηρίου | Greece passport number, Greece passport no., passport, Greece passport, passport book |
| Greece Social Security Number (AMKA) | Greek | Αριθμού Μητρώου Κοινωνικής Ασφάλισης | Social security number |
| Greece Value Added Tax (VAT) Number | Greek | FPA, fpa, Foros Prostithemenis Axias, arithmós dexamenís, Fóros Prostithémenis Axías, μέγας κάδος, ΦΠΑ, Φ Π Α, Φόρος Προστιθέμενης Αξίας, ΦΟΡΟΣ ΠΡΟΣΤΙΘΕΜΕΝΗΣ ΑΞΙΑΣ, φόρος προστιθέμενης αξίας, Arithmos Forologikou Mitroou, Α.Φ.Μ, ΑΦΜ | VAT, value added tax, tax identification number |
| Greek Tax Identification Number | Greek | Αριθμός Φορολογικού Μητρώου, AΦΜ, Φορολογικού Μητρώου Νο., τον αριθμό φορολογικού μητρώου | Tax identification number, TIN, tax registry number |
| Hong Kong ID | Chinese (Traditional) | ### , ### | Identity card, Hong Kong permanent resident ID Card |
| Hungary Driver's Licence Number | Hungarian | jogosítvány, Illesztőprogramok Lic, jogsi, licencszám, vezetői engedély, VEZETŐI ENGEDÉLY, vezető engedély, VEZETŐ ENGEDÉLY | License, driver's lic, driver's license, number of licenses, driving license |
| Hungary Passport Number | French, Hungarian | útlevél, Magyar útlevélszám, útlevél könyv, nombre, numéro de passeport, hongrois, numéro de passeport hongrois | Passport, Hungarian passport number, passport book, number, passport number |
| Hungarian Social Security Number | Hungarian | Magyar társadalombiztosítási szám, Társadalombiztosítási szám, társadalombiztosítási ID, szociális biztonsági kódot, szociális biztonság nincs., társadalombiztosításiID# | Hungarian social security number, social security number, social security ID, social security code |
| Hungarian Tax Identification Number | Hungarian | Magyar adóazonosító jel no, adóazonosító szám, magyar adószám, Magyar adóhatóság no., azonosító szám, adóazonosító no., adóhatóság no | Hungarian tax identification number, tax identification number, Hungarian tax number, Hungarian tax authority number, tax number, tax authority number |
| Hungarian VAT Number | Hungarian | Közösségi adószám, Általános forgalmi adó szám, hozzáadottérték adó, magyar Közösségi adószám | Value added tax identification number, sales tax number, value added tax, Hungarian value added tax number |
| Iceland National Identification Number | Icelandic | kennitala, persónuleg kennitala, galdur númer, skattanúmer, skattgreiðenda kóða, kennitala skattgreiðenda | Social security number, personal identification number, magic number, tax code, taxpayer code, taxpayer ID number |
| Iceland Passport Number | Icelandic | vegabréf, vegabréfs númer, Vegabréf Nei, vegabréf# | Passport, passport number, passport no. |
1087
Data identifier Language Keywords English translation
1088
Data identifier Language Keywords English translation
Italy Health Insurance Number | Italian | TESSERA SANITARIA, tessera sanitaria, tessera sanitaria italiana | Health insurance card, Italian health insurance card
Italian Passport Number | Italian | Repubblica Italiana Passaporto, Passaporto, Passaporto Italiana, passport number, Italiana Passaporto numero, Passaporto numero, Numéro passeport italien, numéro passeport | Italian Republic passport, passport, Italian passport, Italian passport number, passport number
Italy Value Added Tax (VAT) Number | Italian | IVA, numero partita IVA, IVA#, numero IVA | VAT, VAT number, VAT#, VAT number
Japan Driver's License Number | Japanese | #####, ##, ##, ##, ####, # ####, #########, ########## #, #####, ####### | Public Security Committee, driver's license, driving license, driver license, driver's license number, driving license number, driver license number, license
Japanese Juki-Net ID Number | Japanese | #########, #######, ####, # ##### | Juki-Net identification number, Juki-Net number, identification number, personal identification number
Japanese My Number - Corporate | Japanese | ######, #### | My number, common number
Japanese My Number - Personal | Japanese | ######, ####, #### | My number, personal number, common number
Japan Passport Number | Japanese | #####, #####, ###### | Japanese passport, passport, passport number
Kazakhstan Passport Number | Kazakh | төлқұжат, төлқұжат нөмірі, номер паспорта, заграничный пасспорт, национальный паспорт | Passport, passport number, passport ID, international passport, national passport
Korea Passport Number | Korean | ### ##, ##, ## ##, #### | Korean passport, passport, passport number, Republic of Korea
Korea Residence Registration Number for Foreigners | Korean | ### ## ##, #### | Foreigner registration number, social security number
Korean Residence Registration Number for Korean | Korean | ######, #### | Resident registration number, social security number
Latvia Driver's Licence Number | Latvian | licences numurs, vadītāja apliecība, autovadītāja apliecība, vadītāja apliecības numurs, Vadītāja licences numurs, vadītāji lic., vadītāja atļauja | License number, driver's license, driver's license number, driver's lic.
Latvia Passport Number | Latvian | LATVIJA, LETTONIE, Pases Nr., Pases Nr, Pase, pase, pases numurs, Pases Nr, pases grāmata, pase#, pases karte | Latvia, passport no., passport number, passport book, passport #, passport card
Luxembourg Tax Identification Number | French, German | Zinn, Zinn Nummer, Luxembourg Tax Identifikatiounsnummer, Steier Nummer, Steier ID, Sozialversicherungsausweis, Zinnzahl, Zinn nein, Zinn#, luxemburgische steueridentifikationsnummer, Steuernummer, Steuer ID, sécurité sociale, carte de sécurité sociale, étain, numéro d'étain, étain non, étain#, Numéro d'identification fiscal luxembourgeois, numéro d'identification fiscale | TIN, TIN number, Luxembourg tax identification number, tax number, tax ID, social security ID, Luxembourg tax identification number, Social Security, Social Security Card, tax identification number
Luxembourg Value Added Tax (VAT) Number | German, Luxembourgish | TVA kee, TVA#, TVA Aschreiwung kee, T.V.A, stammnummer, bleiwen, geheescht, gitt id, mehrwertsteuer, vat registrierungsnummer, umsatzsteuer-id, wat, umsatzsteuernummer, umsatzsteuer-identifikationsnummer, id de la batterie, lëtzebuerg vat nee, registréierung nummer, numéro de TVA, numéro de enregistrement vat | Luxembourg VAT number, VAT number, VAT, value added tax number, VAT ID, VAT registration number, value added tax
Macau National Identification Number | Chinese, Portuguese | #####, #######, número de identificação, número cartão identidade, número cartão identidade nacional, número identificação pessoal, número identificação único, id único não, ID único# | ID number, unique identification number, Identification number, identity card number, national identity card number, personal identification number, unique identification number, unique non-ID, unique ID #
Malaysia Passport Number | Malay | pasport, nombor pasport, pasport# | Passport, passport number, passport #
Malaysian MyKad Number (MyKad) | Malay | nombor kad pengenalan, kad pengenalan no, kad pengenalan Malaysia, bilangan identiti unik, nombor peribadi, nomborperibadi#, kadpengenalanno# | Identification card number, identification card no., Malaysian identification card, unique identity number, personal number
Malta National Identification Number | Maltese | numru identifikazzjoni nazzjonali, ID nazzjonali, numru identifikazzjoni personali, ID personali, IDnazzjonali#, IDpersonali# | national identification number, national ID, personal identification number, personal ID
Malta Tax Identification Number | Maltese | kodiċi tat-taxxa, numru tat-taxxa, numru identifikazzjoni tat-taxxa, taxxaid#, numru identifikazzjoni kontribwent, kodiċi kontribwent, landa, landa nru | Tax code, tax number, tax identification number, taxid#, taxpayer identification number, taxpayer code, tin, tin no
Malta Value Added Tax (VAT) Number | Maltese | Numru tal-VAT, numru tal-VAT, bettija, valur miżjud taxxa in-numru, bettija identifikazzjoni in-numru | VAT number, VAT, value added tax number, vat identification number
Mexican Personal Registration and Identification Number | Spanish | Clave de Registro de Identidad Personal, Código de Identificación Personal mexicana, número de identificación personal mexicana | Personal identity registration key, Mexican personal identification code, Mexican personal identification number
Mexican Tax Identification Number | Spanish | Registro Federal de Contribuyentes, número de identificación de impuestos, Código del Registro Federal de Contribuyentes, Número RFC, Clave del RFC | Federal taxpayer registry, tax identification number, federal taxpayer registry number, RFC number, RFC key
Mexican Unique Population Registry Code | Spanish | Única de registro de Población, clave única, clave única de identidad, clave personal Identidad, personal Identidad Clave, ClaveÚnica#, clavepersonalIdentidad# | Unique population registry, unique key, unique identity key, unique personal identity, personal identity key
Mexico CLABE Number | Spanish | Clave Bancaria Estandarizada, Estandarizado Banco número de clave, número de clave, clave número, clave# | Standardized banking code, standardized bank code number, code number
Netherlands Bank Account Number | Dutch, Papiamento | bancu aklarashon number, aklarashon number, bankrekeningnummer, rekeningnummer | Bank account number, account number
Netherlands Driver's License Number | Dutch | RIJMEWIJS, permis de conduire, rijbewijs, Rijbewijsnummer, RIJBEWIJSNUMMER | Driver's license, driving permit, driver's license number
Netherlands Passport Number | Dutch | Nederlanden paspoort nummer, Paspoort, paspoort, Nederlanden paspoortnummer, paspoortnummer | Dutch passport number, passport, passport number
Norwegian Birth Number | Norwegian | fødsel nummer, Fødsel nr, fødsel nei, fødselnei#, fødselnummer# | Birth number
People's Republic of China ID | Chinese (Simplified) | ###,####,###### | Identity Card, Information of resident, Information of resident identification
Poland Driver's Licence Number | Polish | Kierowcy Lic., prawo jazdy, numer licencyjny, zezwolenie na prowadzenie, PRAWO JAZDY | Drivers license number, driving license, license number
Poland European Health Insurance Number | Polish | Numer EHIC, Karta Ubezpieczenia Zdrowotnego, Europejska Karta Ubezpieczenia Zdrowotnego, numer ubezpieczenia zdrowotnego, numer rachunku medycznego | EHIC number, Health Insurance Card, European Health Insurance Card, health insurance number, medical account number
Poland Passport Number | French, Polish | paszport#, numer paszportu, Nr paszportu, paszport, książka paszportowa, passeport, nombre, numéro de passeport, passeport#, No de passeport | Passport #, passport number, passport number, passport, passport book, Passport, number, passport number, passport #, passport number
Poland Value Added Tax (VAT) Number | Polish | Numer Identyfikacji Podatkowej, NIP, nip, Liczba VAT, podatek od wartosci dodanej, faktura VAT, faktura VAT# | Tax identification number, tax ID number, VAT number, value added tax, VAT invoice, VAT invoice #
Polish Identification Number | Polish | owód osobisty, Tożsamości narodowej, osobisty numer identyfikacyjny, niepowtarzalny numer, numer | Identification card, national identity, identification card number, unique number, number
Polish REGON Number | Polish | numer statystyczny, REGON, numeru REGON, numerstatystyczny#, numeruREGON# | Statistical number, REGON number
Polish Social Security Number (PESEL) | Polish | PESEL Liczba, społeczny bezpieczeństwo liczba, społeczny bezpieczeństwo ID, społeczny bezpieczeństwo kod, PESELliczba#, społecznybezpieczeństwoliczba# | PESEL number, social security number, social security ID, social security code
Polish Tax Identification Number | Polish | Numer Identyfikacji Podatkowej, Polski numer identyfikacji podatkowej, NumerIdentyfikacjiPodatkowej# | Tax identification number, Polish tax identification number
Portugal Driver's License Number | Portuguese | carteira de motorista, carteira motorista, carteira de habilitação, carteira habilitação, número de licença, número licença, permissão de condução, permissão condução, Licença condução Portugal, carta de condução | driver's license, license number, driving license, driving license Portugal
Portugal National Identification Number | Portuguese | bilhete de identidade, número de identificação civil, número de cartão de cidadão, documento de identificação, cartão de cidadão, número bi de portugal, número do documento | identity card, civil identification number, citizen's card number, identification document, citizen's card, bi number of Portugal, document number
Portugal Passport Number | French and Portuguese | passaporte, passeport, portuguese passport, portuguese passeport, portuguese passaporte, passaporte nº, passeport nº | Passport number, passport, Portuguese passport
Portugal Tax Identification Number | Portuguese | número identificação fiscal | Tax identification number
Portugal Value Added Tax (VAT) Number | Portuguese | imposto sobre valor acrescentado, VAT nº, número iva, vat não, código iva | Value added tax, VAT, VAT number, VAT code
Romania Driver's Licence Number | Romanian | permis de conducere, PERMIS DE CONDUCERE, Permis de conducere, numărul permisului de conducere, Numărul permisului de conducere | Driving license, driving license number
Romania National Identification Number | Romanian | numărul de identificare fiscală, identificarea fiscală nr #, codul fiscal nr. | fiscal identification number, tax identification number, fiscal code number
Romania Value Added Tax (VAT) Number | Romanian | CIF, cif, CUI, cui, TVA, tva, TVA#, tva#, taxa pe valoare adaugata, cod fiscal, cod fiscal de identificare, cod fiscal identificare, Cod Unic de Înregistrare, cod unic de identificare, cod unic identificare, cod unic de înregistrare, cod unic înregistrare | VAT, VAT #, value added tax, fiscal code, fiscal identification code, unique registration code, unique identification code, code unique registration
Romanian Numerical Personal Code | Romanian | Cod Numeric Personal, cod identificare personal, cod unic identificare, număr personal unic, număr identitate, număr identificare personal, număridentitate#, CodNumericPersonal#, numărpersonalunic# | Personal numeric code, personal identification code, unique identification code, identity number, personal identification number
Russian Passport Identification Number | Russian | паспорт нет, паспорт, номер паспорта, паспорт ID, Российской паспорт, Русский номер паспорта, паспорт#, паспортID#, номерпаспорта# | Passport no., passport, passport number, passport ID, Russian passport, Russian passport number
Russian Taxpayer Identification Number | Russian | НДС, номер налогоплательщика, Налогоплательщика ИД, налог число, налогчисло#, ИНН#, НДС# | TIN (tax identification number), taxpayer number, taxpayer ID, tax number
SEPA Creditor Identifier Number North | Bulgarian, Finnish, French, German, Irish, Italian, Luxembourgish, Portuguese, Spanish | SEPA-Gläubiger-Identifikator, Gläubiger-ID, SEPA-ID, Gläubiger-Kennung, ID créancier, ID SEPA, Identifiant du créancie, SEPA Krediter Identifizéierer, Kreditergeld, Krediter Identifizéierer, SEPA kreditoridentifikator, Kreditoridentifikator, Velkojan tunnus, SEPA-tunnus, Velkojan tunniste, ID Creidiúnaí, Aithnitheoir Creidiúnaí, ID del creditore, Identificatore del creditore, Identificador de acreedor SEPA, ID del acreedor, ID de SEPA, Identificador del acreedor, Identificador Credor SEPA, Identificador do Credor | SEPA creditor identifier, creditor ID, SEPA ID, creditor ID, Creditor ID, SEPA ID, SEPA creditor identifier, crediting, creditor identification, SEPA creditor identifier, Creditor Identifier, Creditor ID, SEPA ID, Creditor identifier, Creditor ID, Creditor Identifier, Creditor ID, Creditor Identifier, Creditor Identifier SEPA, Creditor ID, SEPA ID, Creditor Identifier, SEPA Creditor Identifier, Creditor Identifier
SEPA Creditor Identifier Number South | Bulgarian, Finnish, French, German, Irish, Italian, Luxembourgish, Portuguese, Spanish | SEPA-Gläubiger-Identifikator, Gläubiger-ID, SEPA-ID, Gläubiger-Kennung, ID créancier, ID SEPA, Identifiant du créancie, SEPA Krediter Identifizéierer, Kreditergeld, Krediter Identifizéierer, SEPA kreditoridentifikator, Kreditoridentifikator, Velkojan tunnus, SEPA-tunnus, Velkojan tunniste, ID Creidiúnaí, Aithnitheoir Creidiúnaí, ID del creditore, Identificatore del creditore, Identificador de acreedor SEPA, ID del acreedor, ID de SEPA, Identificador del acreedor, Identificador Credor SEPA, Identificador do Credor | SEPA creditor identifier, creditor ID, SEPA ID, creditor ID, Creditor ID, SEPA ID, SEPA creditor identifier, crediting, creditor identification, SEPA creditor identifier, Creditor Identifier, Creditor ID, SEPA ID, Creditor identifier, Creditor ID, Creditor Identifier, Creditor ID, Creditor Identifier, Creditor Identifier SEPA, Creditor ID, SEPA ID, Creditor Identifier, SEPA Creditor Identifier, Creditor Identifier
SEPA Creditor Identifier Number West | Bulgarian, Finnish, French, German, Irish, Italian, Luxembourgish, Portuguese, Spanish | SEPA-Gläubiger-Identifikator, Gläubiger-ID, SEPA-ID, Gläubiger-Kennung, ID créancier, ID SEPA, Identifiant du créancie, SEPA Krediter Identifizéierer, Kreditergeld, Krediter Identifizéierer, SEPA kreditoridentifikator, Kreditoridentifikator, Velkojan tunnus, SEPA-tunnus, Velkojan tunniste, ID Creidiúnaí, Aithnitheoir Creidiúnaí, ID del creditore, Identificatore del creditore, Identificador de acreedor SEPA, ID del acreedor, ID de SEPA, Identificador del acreedor, Identificador Credor SEPA, Identificador do Credor | SEPA creditor identifier, creditor ID, SEPA ID, creditor ID, Creditor ID, SEPA ID, SEPA creditor identifier, crediting, creditor identification, SEPA creditor identifier, Creditor Identifier, Creditor ID, SEPA ID, Creditor identifier, Creditor ID, Creditor Identifier, Creditor ID, Creditor Identifier, Creditor Identifier SEPA, Creditor ID, SEPA ID, Creditor Identifier, SEPA Creditor Identifier, Creditor Identifier
Serbia Unique Master Citizen Number | Serbian | јединствен мајстор грађанин Број, Јединствен матични број, јединствен број ид, Национални идентификациони број | Unique master citizen number, unique identification number, unique id number, National identification number
Serbia Value Added Tax (VAT) Number | Serbian | poreski identifikacioni broj, PORESKI IDENTIFIKACIONI BROJ, Poreski br., ПДВ број, Порез на додату вредност, PDV broj, Porez na dodatu vrednost, porez na dodatu vrednost, PDV, pdv, ПДВ, порески идентификациони број, PIB, pib, пиб, poreski broj, порески број | Tax identification number, VAT number, value added tax, VAT, identification number, tax number
Slovakia Driver's Licence Number | Slovak | vodičský preukaz, Vodičský preukaz, VODIČSKÝ PREUKAZ, číslo vodičského preukazu, ovládače lic., povolenie vodiča, povolenia vodičov, povolenie na jazdu, povolenie jazdu, číslo licencie | Driving license, license number
Slovakia National Identification Number | Hungarian, Slovak | identifikačné číslo, személyi igazolvány száma, személyigazolvány szám, číslo občianského preukazu, identifikačná karta č, személyi igazolvány szám, nemzeti személyi igazolvány száma, číslo národnej identifikačnej karty, národná identifikačná karta č, nemzeti személyazonosító igazolvány, nemzeti azonosító szám, národné identifikačné číslo, národná identifikačná značka č, nemzeti azonosító szám, azonosító szám, identifikačné číslo | ID number, identity card number, national identity card number, national identification number, identification number, ID card number, identification card, national identity card
Slovakia Passport Number | French, Slovak | PASSEPORT, passeport, cestovný pas, číslo pasu, pas č, Číslo pasu, PAS, CESTOVNÝ PAS, Passeport n° | Passport, passport number, passport no
Slovakia Value Added Tax (VAT) Number | Slovak | číslo DPH, číslo dane z pridanej hodnoty, identifikačné číslo vat, dph, DPH, daň z pridanej hodnoty, daň pridanej hodnoty, číslo dane pridanej hodnoty, identifikačné číslo DPH | VAT number, value added tax number, VAT, value added tax, VAT identification number
Slovenia Passport Number | French, Slovenian | številka potnega lista, potni list, knjiga potnega lista, potni list #, passeport, Passeport | Passport number, passport, passport book, passport #
Slovenia Tax Identification Number | Slovenian | identifikacijska številka davka, Slovenska davčna številka, Davčna številka | Tax identification number, Slovenian tax number, tax number
Slovenia Unique Master Citizen Number | Slovenian | EMŠO, emšo, edinstvena številka državljana, enotna identifikacijska številka, Enotna maticna številka obcana, enotna maticna številka obcana, številka državljana, edinstvena identifikacijska številka | Unique national number, unique identification number, uniform registration number, unique registration number, citizen's number, unique identification number
Slovenia Value Added Tax (VAT) Number | Slovenian | številka davka na dodano vrednost, DDV št, slovenia vat št | Value added tax number, VAT no, Slovenia vat no
South African Personal Identification Number | Afrikaans | nasionale identifikasie nommer, nasionale identiteitsnommer, versekering aantal, persoonlike identiteitsnommer, unieke identiteitsnommer, identiteitsnommer, identiteitsnommer#, versekeringaantal#, nasionaleidentiteitsnommer# | National identification number, national identity number, insurance number, personal identity number, unique identity number, identity number
South Korea Resident Registration Number | Korean | ######, #### | Resident Registration Number, Resident Number
Spain Driver's License Number | Spanish | permiso de conducción, permiso conducción, Número licencia conducir, Número de carnet de conducir, Número carnet conducir, licencia conducir, Número de permiso de conducir, Número de permiso conducir, Número permiso conducir, permiso conducir, licencia de manejo, el carnet de conducir, carnet conducir | Driver's license, driver's license number, driving license, driving permit, driving permit number
Spain Value Added Tax (VAT) Number | Spanish | Número IVA españa, Número de IVA español, español Número IVA, Número de valor agregado, IVA, Número IVA, Número impuesto sobre valor añadido, Impuesto valor agregado, Impuesto sobre valor añadido, valor añadido el impuesto, valor añadido el impuesto numero | Spain VAT number, Spanish VAT number, VAT Number, VAT, value added tax number, value added tax
Spanish Customer Account Number | Spanish | número cuenta cliente, código cuenta, cuenta cliente ID, número cuenta bancaria cliente, código cuenta bancaria | Customer account number, account code, customer account ID, customer bank account number, bank account code
Spanish DNI ID | Spanish | NIE número, Documento Nacional de Identidad, Identidad único, Número nacional identidad, DNI Número | NIE number, national identity document, unique identity, national identity number, DNI number
Spanish Passport Number | Spanish | libreta pasaporte, número pasaporte, Número Pasaporte, España pasaporte, pasaporte | passport book, passport number, Spanish passport, passport
Spanish Social Security Number | Spanish | Número de la Seguridad Social, número de la seguridad social | Social security number
Spanish Tax ID (CIF) | Spanish | número de contribuyente, número de impuesto corporativo, número de Identificación fiscal, CIF número, CIFnúmero# | taxpayer number, corporate tax number, tax identification number, CIF number
Sri Lanka National Identity Number | Sinhala | See user interface | ID, national identity number, personal identification number, National Identity Card number
Sweden Driver's License Number | Finnish, Romani, Swedish, Yiddish | ajokortti, permis de conducere, ajokortin numero, kuljettajat lic., drivere lic., körkort, numărul permisului de conducere, שָאפער ד����רלויבעניש נומער, körkort nummer, förare lic., דריווערס דערלויבעניש, körkortsnummer | Driver's license, driver's license number, driving license number
Sweden Personal Identification Number | Swedish | personnummer ID, personligt id-nummer, unikt id-nummer, personnummer, identifikationsnumret, personnummer#, identifikationsnumret# | ID number, personal ID number, unique ID number, personal, identification number
Sweden Tax Identification Number | Swedish | skattebetalarens identifikationsnummer, Sverige TIN, TIN-nummer | Tax identification number, Swedish TIN, TIN number
Sweden Value Added Tax (VAT) Number | Swedish | moms#, sverige moms, sverige momsnummer, sverige moms nr, sweden vat nummer, sweden momsnummmer, momsregistreringsnummer | Swedish VAT, Swedish VAT number, VAT registration number
Swedish Passport Number | Swedish | Passnummer, pass, sverige pass, SVERIGE PASS, sverige Passnummer | Passport number, passport, Swedish passport, Swedish passport number
Switzerland Health Insurance Card Number | German, Italian | medizinische Kontonummer, Krankenversicherungskarte Nummer, numero conto medico, tessera sanitaria assicurazione numero, assicurazione sanitaria numero | Medical account number, health insurance card number, health insurance number
Switzerland Passport Number | French, German, Italian | Passeport, passeport, numéro passeport, numéro de passeport, passeport#, No de passeport, No de passeport., Numéro de passeport, PASSEPORT, LIVRE DE PASSEPORT, Pass, Passnummer, Pass#, Pass Nr., Pass Nr, PASS, Passaporto, Numero di passaporto, passaporto, Passaporto n, Passaporto n., passaporto#, Passaport, numero passaporto, numero di passaporto, numero passaporto, passaporto n, PASSAPORTO, Reisepass, Reisepass#, REISEPASS | Passport, passport number, passport #, passport book, Passport, passport Number, passport #, Passport, passport number, passport no., passport #, Passport, passport #
Switzerland Value Added Tax (VAT) Number | French, German, Italian | T.V.A, numéro TVA, T.V.A#, numéro taxe valeur ajoutée, T.V.A., taxe sur la valeur ajoutée, T.V.A#, numéro enregistrement TVA, Numéro TVA, I.V.A, Partita IVA, I.V.A#, numero IVA, MwSt, Umsatzsteuer-Identifikationsnummer, MwSt#, Mehrwertsteuer-Nummer, Mehrwertsteuer, VAT Registrierungsnummer, Umsatzsteuer-Identifikationsnummer | VAT, VAT number, VAT #, value added tax number, value added tax, VAT registration number, VAT, VAT number, VAT #, VAT, VAT registration number, VAT #, VAT number
Swiss AHV Number | French | Numéro AVS, numéro d'assuré, identifiant national, numéro d'assurance vieillesse, numéro de sécurité soclale, Numéro AVH | AVS number, insurance number, national identifier, national insurance number, social security number, AVH number
Swiss AHV Number | German | AHV-Nummer, Matrikelnumme, Personenidentifikationsnummer | AHV number, Swiss Registration number, PIN
Swiss AHV Number | Italian | AVS, AVH | AVS, AVH
Swiss Social Security Number (AHV) | French, German, Italian | Identifikationsnummer, sozialversicherungsnummer, identification personnelle ID, Steueridentifikationsnummer, Steuer ID, codice fiscale, Steuernummer | Identification number, social security number, personal identification ID, tax identification number, tax ID, social security number, tax number
Taiwan ROC ID | Chinese (Traditional) | ######### | Taiwan ID
Thailand Passport Number | Thai | ###########, ###,##################### | Passport, passport number
Thailand Personal ID Number | Thai | ##############, ########################, ###########################, ###############, #########################, ########################### | Insurance number, personal identification, identification number
Turkish Identification Number | Turkish | Kimlik Numarası, Türkiye Cumhuriyeti Kimlik Numarası, vatandaş kimliği, kişisel kimlik no, kimlik Numarası#, vatandaş kimlik numarası, Kişisel kimlik Numarası | Identification number, Turkish Republic identification number, citizen identity, personal identification number, citizen identification number
Ukraine Identity Card | Ukrainian | посвідчення особи України | Ukraine identity card
Ukraine Passport Number (Domestic) | Ukrainian | паспорт, паспорт України, номер паспорта, персональний | Passport, Ukraine passport, passport number
Ukraine Passport Number (International) | Ukrainian | паспорт, паспорт України, номер паспорта | Passport, Ukraine passport, passport number
United Arab Emirates Personal Number | Arabic | رقم,الهوية الشخصية رقم فريدة من,التعريف الشخصي التأمين,نوعها هوية رقم هوية فريدة,التأمينرقم,رقم# | Personal ID Number, PIN, Unique ID Number, Insurance Number, Unique Identity #
Venezuela National ID Number | Spanish | cédula de identidad número, clave única de identidad, personal de identidad clave, personal de identidad, número de identificación nacional, número ID nacional | National ID number, national identification number, personal ID number, personal identification, unique identification number
If you have existing policies that use the US SSN data identifier to detect SSNs, you should update each policy to use
the US Randomized SSN data identifier. If you have created policies using the version 12.5 US Randomized SSN data
identifier, you should update each to use the latest version of the US Randomized SSN data identifier.
The procedure "To update a policy to use the US Randomized SSN data identifier" below provides the steps for updating your SSN policies.
To update a policy to use the US Randomized SSN data identifier
1. Edit the policy that implements the US SSN data identifier or the 12.5 US Randomized SSN data identifier.
Refer to the topic "Configuring policies" in the Symantec Data Loss Prevention Help Center.
2. Edit the rule that contains the US SSN data identifier.
Refer to the topic "Configuring policy rules" in the Symantec Data Loss Prevention Help Center.
3. Remove the US SSN data identifier.
4. Add the US Randomized SSN data identifier.
Refer to the topic "Managing and adding data identifiers" in the Symantec Data Loss Prevention Help Center.
5. Save the policy.
6. Test policy detection for both traditional and US Randomized SSNs.
Refer to the topic "Test and tune policies to improve match accuracy" in the Symantec Data Loss Prevention Help Center.
7. Deploy the updated SSN policy into production.
Refer to the topic "Policy deployment" in the Symantec Data Loss Prevention Help Center.
Component | Description
Patterns | Define one or more data identifier pattern language patterns, separated by line breaks. See About data identifier patterns.
Data Normalizer | Select a data normalizer to standardize the data before matching against it. See Selecting a data normalizer.
Validators | Add or remove validators to perform validation checks on the data detected by the pattern(s). See About pattern validators.
Validation Checks | Select system-provided validation checks to add them to your list of Active Validators. See About pattern validators.
Description and Data Entry | Provide comma-separated data values for any validators that require data input. See About pattern validators.
Pre- and Post-Validators | Pre- and post-validators define characters and character ranges that are valid before or after a data identifier pattern. See Configuring pre- and post-validators.
Table 570: Custom data identifier configuration
Step | Action | Description
1 | Select Manage > Policies > Data Identifiers. | The Data Identifiers screen lists all data identifiers available in the system.
2 | Select Add data identifier. | Enter a Name for the custom data identifier. The name must be unique. Enter a Description for the custom data identifier. A custom data identifier is assigned to the Custom category by default and cannot be changed. The description field is limited to 255 characters per line.
3 | Enter one or more Patterns to match data. | Beginning with version 16.0, DLP supports standard PCRE syntax for defining regular expressions. For DLP 15.8 endpoints, you must use the legacy pattern syntax. You must enter at least one regular expression for the custom data identifier to be valid. Separate multiple patterns by line breaks. See Writing data identifier patterns to match data.
4 | Select a Data Normalizer. | You must select a data normalizer. See Selecting a data normalizer. The following normalizers are available: Digits; Digits and Letters; Lowercase; Swift codes; Do nothing (select this option if you do not want to normalize the data).
5 | Select zero or more Validation Checks. | Including a validator to check and verify pattern matching is optional. See Selecting pattern validators.
6 | Pre- and Post-Validators: Specify characters or character ranges that are valid before or after a data identifier pattern. | Pre- and Post-Validators are required. You can accept the default values, or edit them as necessary. See Configuring pre- and post-validators.
7 | Save the custom data identifier. | Click Save at the upper left of the screen. Once you define and save a custom data identifier, it appears alphabetically in the list of data identifiers at the Data Identifiers screen. To edit a custom data identifier, select it from the list. See Editing data identifiers. Note: Click Cancel to not save the custom data identifier.
8 | Implement the custom data identifier in one or more policies. | The system lists all custom data identifiers beneath the Custom category for the "Content Matches data identifier" condition at the Configure Policy - Add Rule and the Configure Policy - Add Exception screens. See Configuring the Content Matches data identifier condition. You can configure optional validators at the policy instance level for custom data identifiers. See Configuring optional validators.
Table 571: Legacy data identifier pattern language limitations
Character  Description
*, |, .    The asterisk (*), pipe (|), and dot (.) characters are not supported for legacy data identifier patterns.
\w         The \w construct cannot be used to match the underscore character (_).
\s         The \s construct cannot be used to match a whitespace character; instead, use an actual whitespace.
\d         For digits, use the construct \d.
Grouping   Grouping only works at the beginning of the pattern, such as in credit card numbers.
You can use three types of tokens when defining a legacy data identifier pattern. Tokens are sequences of non-
whitespace characters at the beginning of the file, or preceded by one or more whitespace characters, followed by
whitespace characters or the end of the file. The three token types that are used in legacy data identifier patterns are:
• Character literals
• Bracket expressions
• Special characters
You can follow each token by an optional quantifier.
See Quantifiers.
Data identifier patterns only match a complete token or set of tokens.
NOTE
You use legacy data identifier patterns only for DLP 15.8 endpoints. For later versions of DLP, you must use
standard PCRE syntax to define regular expressions.
Support for regular expressions is subject to a few limitations. For more information, see Limitations of data
identifier support for PCRE regular expressions.
Literal characters, metacharacters, and special characters
Most characters are literal matches in the legacy data identifier pattern language. For example, the character a in the
legacy data identifier pattern matches the character a in your content. The legacy data identifier pattern language includes
four metacharacters. To match these metacharacters as character literals, use the backslash to escape the characters in
your legacy data identifier pattern. See Metacharacters for descriptions of these metacharacters.
The legacy data identifier pattern language includes five predefined special characters. See Special characters for
descriptions of these special characters.
Table 573: Special characters
Bracket expressions
Bracket expressions begin with [ and end with ], and contain at least one character within the body of the expression. For
example, the bracket expression [abcd] matches any of the letters "a," "b," "c," or "d."
You can include a character range within a bracket expression by separating two characters with a hyphen: -. For
example, the bracket expression [a-z] matches the lower-case letters "a" through "z". Any two characters separated
by - are interpreted as a range. The relative ordering of the range does not matter: [a-z] and [z-a] match the same
characters.
You can include the characters "]" and "-" in your bracket expression if you follow these rules:
• The "]" character must appear as the first character in your bracket expression. For example: []a-z] matches the "]"
character or any lower-case letter between "a" and "z."
• The "-" character must appear as either the first or last character in your bracket expression. If your bracket expression
contains both the "]" and "-" characters, the "]" must be the first character, and "-" the last character. For example: []-]
matches either "]" or "-."
Order of interpretation
Data identifier patterns are interpreted from left to right. For example, the bracket expression [a-d-z] is interpreted as the
range a-d followed by the literals - and z.
Quantifiers
You can follow any token in your legacy data identifier pattern with a quantifier. The quantifier specifies how many
occurrences of the pattern to match. See Quantifiers for a description of the quantifiers available in the legacy data
identifier pattern language.
Quantifier Description
?: Matches zero or one occurrences of the preceding token.
{n}: Matches exactly n occurrences of the preceding token.
{n, m}: Matches between n and m occurrences of the preceding token (inclusive).
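As an added example (not code from Symantec or the DLP product), the following Python translates a legacy data identifier pattern into a PCRE-style regular expression using only the constructs described above: character literals, backslash escapes, \d, bracket expressions with the ] and - rules, reversed ranges, and the ?, {n} and {n, m} quantifiers. The rejection of *, | and . follows Table 571, and the whole-token anchoring with lookarounds is this example's reading of the token rule, not the product's own Convert implementation.

```python
import re

# Added example, not code from Symantec or the DLP product: translate a legacy
# data identifier pattern into a PCRE-style regular expression, using only the
# constructs the legacy language documents (character literals, backslash
# escapes, \d, bracket expressions, and the quantifiers ?, {n}, {n, m}).
# Like the legacy engine, the result matches a complete whitespace-delimited
# token only. The lookaround anchoring is this example's choice, not the
# product's Convert implementation.

# quantifier forms: ?  {n}  {n, m}   (a space after the comma is tolerated)
_QUANT = re.compile(r"\?|\{\s*(\d+)\s*(?:,\s*(\d+)\s*)?\}")


def _bracket_to_pcre(body: str) -> str:
    """Translate the body of a legacy bracket expression to a PCRE class.

    Legacy rules: a leading ']' is a literal, '-' is a literal at the start
    or end, a reversed range such as z-a means the same as a-z, and the body
    is read left to right, so [a-d-z] is the range a-d plus '-' and 'z'.
    """
    parts, i = [], 0
    while i < len(body):
        ch = body[i]
        if (ch == "]" and i == 0) or (ch == "-" and i in (0, len(body) - 1)):
            parts.append(re.escape(ch))          # literal ] or -
            i += 1
        elif i + 2 < len(body) and body[i + 1] == "-":
            lo, hi = sorted((ch, body[i + 2]))   # normalise a reversed range
            parts.append(re.escape(lo) + "-" + re.escape(hi))
            i += 3
        else:
            parts.append(re.escape(ch))          # any other literal
            i += 1
    return "[" + "".join(parts) + "]"


def legacy_to_pcre(pattern: str) -> str:
    """Return a PCRE-style regex equivalent to a legacy data identifier pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch in "*|.":
            # Table 571: these characters are not supported in legacy patterns
            raise ValueError(f"{ch!r} is not supported in legacy patterns")
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]                 # \d is the digit construct,
            out.append(r"\d" if nxt == "d" else re.escape(nxt))  # else literal
            i += 2
        elif ch == "[":
            # the body may open with a literal ']', so look for the closing
            # bracket from the second body character onward
            end = pattern.find("]", i + 2)
            if end == -1:
                raise ValueError("unterminated bracket expression")
            out.append(_bracket_to_pcre(pattern[i + 1:end]))
            i = end + 1
        else:
            out.append(re.escape(ch))
            i += 1
        q = _QUANT.match(pattern, i)             # optional quantifier
        if q:
            if q.group(1) is None:
                out.append("?")
            elif q.group(2) is None:
                out.append("{%s}" % q.group(1))
            else:
                out.append("{%s,%s}" % (q.group(1), q.group(2)))
            i = q.end()
    # a legacy pattern only matches a complete token: nothing but whitespace
    # (or the start/end of the content) may precede or follow the match
    return r"(?<!\S)" + "".join(out) + r"(?!\S)"


def find_tokens(pattern: str, text: str) -> list:
    """Return the tokens of text that the legacy pattern matches in full."""
    return re.findall(legacy_to_pcre(pattern), text)


if __name__ == "__main__":
    sample = "ids 1234 12345 9876"                # constructed sample content
    print(legacy_to_pcre(r"\d{4}"), find_tokens(r"\d{4}", sample))
```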
If you create a custom data identifier, you must implement at least one regular expression.
See About data identifier patterns.
See Limitations of data identifier support for PCRE regular expressions.
See Using the legacy data identifier pattern language.
To edit or implement a pattern
1. Review the patterns for the data identifier you want to modify.
See Selecting a data identifier breadth.
2. Consider cloning the data identifier, if you are modifying a system data identifier.
See Cloning a system data identifier before modifying it.
3. Select Manage > Policies > Data Identifiers in the Enforce Server administration console.
4. Select the data identifier you want to modify.
5. Select the breadth for the data identifier you want to modify.
Generally, patterns vary among detection breadths.
6. In the Patterns field, modify an existing pattern, or enter one or more new patterns, separated by line breaks. If you
created a pattern using the legacy pattern syntax, enter the pattern in the Legacy field.
You can save a maximum of 500 regular expressions and a maximum of 63 legacy patterns.
NOTE
You use legacy data identifier patterns only for DLP 15.8 endpoints. For later versions of DLP, you must use
standard regular expression syntax to define data identifier patterns.
Support for regular expressions is subject to a few limitations. For more information, see Limitations of data
identifier support for PCRE regular expressions.
7. Optionally, if you created one or more legacy patterns, click Convert to convert all of the legacy patterns to regular
expressions.
When you click Convert, all the converted patterns are added to the Patterns field.
8. Click Save to save the data identifier.
Table 575: Available validators for system and custom data identifiers
Validator Description
ABA Checksum: Every ABA routing number must start with one of the following two-digit values: 00-15, 21-32, 61-72, 80, and pass an ABA-specific, position-weighted checksum.
Advanced KRRN Validation: Validates that the 3rd and 4th digits are a valid month, that the 5th and 6th digits are a valid day, and that the checksum matches the check digit.
Advanced SSN: Validator checks that the SSN does not contain zeros in any group, that the area number (first group) is less than 773 and not 666, that the delimiter between the groups is the same, that the number does not consist of all the same digits, and that the number is not reserved for advertising (123-45-6789, 987-65-432x).
Argentinian Tax Identity Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Business Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Company Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Medicare Number Validation Check: Computes the checksum and validates the pattern against it.
Australian Tax File validation check: Computes the checksum and validates the pattern against it.
Austria VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Austrian Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Basic SSN: Performs minimal SSN validation.
Belgian National Number Validation Check: Computes the checksum and validates the pattern against it.
Belgian Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Belgium VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Brazil Election Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Brazilian National Registry of Legal Entities Number Validation Check: Computes the checksum and validates the pattern against it.
Brazilian Natural Person Registry Number Validation Check: Computes the checksum and validates the pattern against it.
British Columbia Personal Healthcare Number Validation Check: Computes the checksum and validates the pattern against it.
Bulgaria Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Bulgarian Uniform Civil Number Validation Check: Computes the checksum and validates the pattern against it.
Burgerservicenummer Check: Performs a check for the Burgerservicenummer.
Canada Driver's License Number Check: Computes the checksum and validates the pattern against it.
Chilean National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
China ID checksum validator: Computes the checksum and validates the pattern against it.
Codice Fiscale Control Key Check: Computes the control key and checks if it is valid.
Croatia National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Cusip Validation: Validator checks for invalid CUSIP ranges and computes the CUSIP checksum (Modulus 10 Double Add Double algorithm).
Custom Script*: Enter a custom script to validate pattern matches for this data identifier breadth. See Creating custom script validators.
Cyprus Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Cyprus Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Czech Personal Identity Number Validation Check: Computes the checksum and validates the pattern against it.
Czech Republic Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Czech Republic VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Denmark Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Denmark Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Denmark VAT Number Validation Check: Computes the checksum and validates the pattern against it.
DNI control key check: Computes the control key and checks if it is valid.
Driver's License Number WA State Validation Check: Computes the checksum and validates the pattern against it.
Driver's License Number WI State Validation Check: Computes the checksum and validates the pattern against it.
Drug Enforcement Agency Number Validation Check: Computes the checksum and validates the pattern against it.
Duplicate digits: Ensures that a string of digits is not all the same.
Dutch Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Estonia Personal Identification Number Check: Computes the checksum and validates the pattern against it.
Estonia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Exact Match*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exact Match Data Identifier Check: Looks up tokens around a pattern for the Exact Match Data Identifier index and validates the pattern.
Exclude beginning characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
  Note: Beginning and ending validators concern the text of the match itself. Prefix and suffix validators concern characters before and after matched text.
Exclude ending characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Exclude exact match*: Enter a comma-separated list of values. Each value can be of any length.
Exclude prefix*: Enter a comma-separated list of values. Each value can be of any length.
  Note: Prefix and suffix validators concern characters before and after matched text. Beginning and ending validators concern the text of the match itself.
Exclude suffix*: Enter a comma-separated list of values. Each value can be of any length.
Find keywords*: Enter a comma-separated list of values. Each value can be of any length.
Finland Driver's Licence Number Validation Check: Computes the checksum and validates the pattern against it.
Finland Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Finland VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Finnish Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
France VAT Number Validation Check: Computes the checksum and validates the pattern against it.
French Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
German ID Number Validation Check: Computes the checksum and validates the pattern against it.
German Passport Number Validation Check: Computes the checksum and validates the pattern against it.
Germany Tax Number Validation Check: Computes the checksum and validates the pattern against it.
Germany VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Greece Social Security Number (AMKA): Computes the checksum and validates the pattern against it.
Greece VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Greek Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
HCPCS CPT Code Validation Check: Computes the checksum and validates the pattern against it.
Health Care Insurance Number Check: Computes the checksum and validates the pattern against it.
Hong Kong ID: Computes the checksum and validates the pattern against it.
Hungarian Social Security Validation Check: Computes the checksum and validates the pattern against it.
Hungarian Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Hungarian VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Hungary Passport Number Validation Check: Computes the checksum and validates the pattern against it.
Iceland National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Indonesian Kartu Tanda Penduduk Validation Check: Computes the checksum and validates the pattern against it.
INSEE Control Key: Validator computes the INSEE control key and compares it to the last 2 digits of the pattern.
IP Basic Check: Every IP address must match the format x.x.x.x and every number must be less than 256.
IP Octet Check: Every IP address must match the format x.x.x.x, every number must be less than 256, and no IP address can contain only single-digit numbers (1.1.1.2).
IP Reserved Range Check: Checks whether the IP address falls into any of the "Bogons" ranges. If so, the match is invalid.
IPv6 Basic Validation Check: Every IPv6 address must match the format xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx and every number must be lower than ffff.
Ipv6 Medium Validation Check: Every IPv6 address must match the format xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx and every number must be lower than ffff. No IPv6 address can start with 0.
Ipv6 Reserved Validation Check: Every IPv6 address must match the format xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx and every number must be lower than ffff. No IPv6 address can start with 0. Each IPv6 address must be fully compressed.
Ireland Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Ireland VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Irish Personal Public Service Number Validation Check: Computes the checksum and validates the pattern against it.
Israel Personal Identity Number Validation Check: Computes the checksum and validates the pattern against it.
Italy VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Japan Driver's License Number Validation Check: Computes the checksum and validates the pattern against it.
Japanese Juki-Net ID Validation Check: Computes the checksum and validates the pattern against it.
Japanese My Number Validation Check: Computes the checksum and validates the pattern against it.
KRRN Foreign Validation Check: Validates that the 3rd and 4th digits are a valid month, that the 5th and 6th digits are a valid day, and that the checksum matches the check digit.
Latvia Personal Code Check: Computes the checksum and validates the pattern against it.
Latvia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Lithuania Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Lithuania Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Luhn Check: Computes the Luhn checksum and validates the matched pattern against it.
Luxembourg National Register of Individuals Number Validation Check: Computes the checksum and validates the pattern against it.
Luxembourg Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Luxembourg VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Malaysian MyKad Number Validation Check: Computes the checksum and validates the pattern against it.
Malta Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Medicare Beneficiary Identifier Number Validation Check: Computes the checksum and validates the pattern against it.
Mexican CRIP Validation Check: Computes the checksum and validates the pattern against it.
Mexican Tax Identification Validation Check: Computes the checksum and validates the pattern against it.
Mexican Unique Population Registry Code Validation Check: Computes the checksum and validates the pattern against it.
Mexico CLABE Number Validation Check: Computes the checksum and validates the pattern against it.
Mod 97 Validator: Computes the ISO 7064 Mod 97-10 checksum of the complete match.
National Provider Identifier Number Validation Check: Computes the checksum and validates the pattern against it.
National Securities Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Netherlands Bank Account Number Validation Check: Computes the checksum and validates the pattern against it.
Netherlands VAT Number Validation Check: Computes the checksum and validates the pattern against it.
New Zealand National Health Index Number Validation Check: Computes the checksum and validates the pattern against it.
NIB Number Validation Check: Computes the ISO 7064 Mod 97-10 checksum of the complete match of the NIB Number.
No Validation: Performs no validation.
Norway National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Norway Value Added Tax (VAT) Number Check: Computes the checksum and validates the pattern against it.
Norwegian Birth Number Validation Check: Computes the checksum and validates the pattern against it.
Number Delimiter: Validates a match by checking the surrounding digits.
Poland VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Polish ID Number Validation Check: Computes the checksum and validates the pattern against it.
Polish REGON Number Validation Check: Computes the checksum and validates the pattern against it.
Polish Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Polish Tax ID Number Validation Check: Computes the checksum and validates the pattern against it.
Portugal National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Portugal Tax and VAT Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Randomized US Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Require beginning characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Require ending characters*: Enter a comma-separated list of values. If the values are numeric, do NOT enter any dashes or other separators. Each value can be of any length.
Romania Driver's Licence Number Validation Check: Computes the checksum and validates the pattern against it.
Romania National Identification Number Check: Computes the checksum and validates the pattern against it.
Romania VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Romanian Numerical Personal Code Check: Computes the checksum and validates the pattern against it.
Russian Taxpayer Identification Number Validation Check: Computes the checksum and validates the pattern against it.
SEPA Creditor Number Validation Check: Computes the checksum and validates the pattern against it.
Serbia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Singapore NRIC: Computes the Singapore NRIC checksum and validates the pattern against it.
Slovakia National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Slovakia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Slovenia Tax Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Slovenia Unique Master Citizen Number Validation Check: Computes the checksum and validates the pattern against it.
Slovenia Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
South African Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Spain VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Spanish Customer Account Number Validation Check: Computes the checksum and validates the pattern against it.
Spanish SSN Number Validation Check: Computes the checksum and validates the pattern against it.
Spanish Tax ID Number Validation Check: Computes the checksum and validates the pattern against it.
Sri Lanka National Identification Number Validation Check: Computes the checksum and validates the pattern against it.
SSN Area-Group number: For a given area number (first group), not all group numbers (second group) might have been assigned by the SSA. The validator eliminates SSNs with invalid group numbers.
Sweden TaxPayer Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Sweden Value Added Tax Number Validation Check: Computes the checksum and validates the pattern against it.
Swedish Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Swiss AHV: Swiss AHV Modulus 11 checksum.
Swiss Social Security Number Validation Check: Computes the checksum and validates the pattern against it.
Switzerland Value Added Tax (VAT) Number Validation Check: Computes the checksum and validates the pattern against it.
Taiwan ID: Taiwan ID checksum.
Thailand Personal Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Turkish Identification Number Validation Check: Computes the checksum and validates the pattern against it.
UK Bank Sort Code Check: Computes the checksum and validates the pattern against it.
UK Drivers License: Every UK driver's license must be 16 characters, and the number at the 8th and 9th positions must be larger than 00 and smaller than 32.
UK NHS: UK NHS checksum.
UK VAT Number Validation Check: Computes the checksum and validates the pattern against it.
Ukraine Identity Card Check: Validates that the first eight digits are a correctly formatted date.
Venezuela Identification Number Validation Check: Computes the checksum and validates the pattern against it.
Verhoeff Validation Check: Computes the checksum and validates the pattern against it.
Ukraine Identity Card Check: Computes the checksum and validates the pattern against it.
Zip+4 Postal Codes Validation Check: Computes the checksum and validates the pattern against it.
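As an added example (not Symantec code), the following Python reproduces what four of the validators in Table 575 check (Luhn Check, Mod 97 Validator, ABA Checksum, Advanced SSN) and chains them the way a data identifier applies its active validators to a pattern match, so a policy author can try candidate values before tuning. The rules follow the table's descriptions; the ABA 3-7-1 position weights and the set of accepted SSN delimiters are assumptions noted in the code, and the test values are constructed.

```python
import re

# Added example (not Symantec code): plain-Python versions of four validators
# from Table 575, chained the way a data identifier applies its active
# validators to a pattern match. Rules follow the table's descriptions; the
# ABA position weights and the SSN delimiter set are assumptions noted inline.


def luhn_check(digits: str) -> bool:
    """Luhn Check: mod-10 checksum over the digits of the match."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mod97_check(digits: str) -> bool:
    """Mod 97 Validator: ISO 7064 Mod 97-10 over the complete numeric match."""
    return digits.isdigit() and int(digits) % 97 == 1


def aba_check(routing: str) -> bool:
    """ABA Checksum: allowed two-digit prefix plus a position-weighted mod-10 sum."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    prefix = int(routing[:2])              # 00-15, 21-32, 61-72 or 80 per the table
    allowed = 0 <= prefix <= 15 or 21 <= prefix <= 32 or 61 <= prefix <= 72 or prefix == 80
    # assumption: the standard ABA weighting 3-7-1 repeated over the nine digits
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return allowed and sum(int(c) * w for c, w in zip(routing, weights)) % 10 == 0


def advanced_ssn_check(ssn: str) -> bool:
    """Advanced SSN: every rule the table lists must hold."""
    # assumption: groups are joined by nothing, a single space, or a hyphen
    m = re.fullmatch(r"(\d{3})([ -]?)(\d{2})([ -]?)(\d{4})", ssn)
    if not m:
        return False
    area, d1, group, d2, serial = m.groups()
    if d1 != d2:                                   # delimiters must be the same
        return False
    if set(area) == {"0"} or set(group) == {"0"} or set(serial) == {"0"}:
        return False                               # zeros in any group
    if int(area) >= 773 or area == "666":          # area number restrictions
        return False
    digits = area + group + serial
    if len(set(digits)) == 1:                      # not all the same digit
        return False
    if digits == "123456789" or digits.startswith("98765432"):
        return False                               # reserved for advertising
    return True


def run_validators(match: str, validators) -> bool:
    """A match is reported only if every active validator accepts it."""
    return all(v(match) for v in validators)


if __name__ == "__main__":
    # constructed sample values, not real identifiers
    for value in ("772-12-3456", "123-45-6789", "123 45-6789", "111-11-1111"):
        print(value, advanced_ssn_check(value))
    print(run_validators("4111111111111111", [luhn_check]))
```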
To select a pattern validator
1. Create a custom data identifier.
See Workflow for creating custom data identifiers.
2. In the Validators section, select the desired validator.
See About pattern validators.
3. If the validator does not require data input, click Add Validator.
The validator is added to the Active Validators list.
4. If the validator requires data input, enter the data values in the Description and Data Entry field.
5. Edit the input for the validator in the Description and Data Entry field. If you are using the Find keywords validator,
edit the input for the validator in the Description and Data Entry field. Then select the qualities you want for the
keyword:
• Proximity: Finds a keyword only within the set proximity of the matched patterns. Check this box and also indicate
the Word Distance.
• Case sensitive: Check this box if you want to search for a case-sensitive match.
• Highlight keywords in incident: Check this box if you want to highlight the matched keywords in incidents.
6. Click Add Validator when you are done entering the values.
The validator is added to the Active Validators list.
7. To remove a validator, select it in the Active Validators list and click the red X icon.
8. Click Save to save the configuration of the data identifier.
You can implement a custom script validator in a system data identifier you modify or in a custom data identifier.
NOTE
Refer to the Symantec Data Loss Prevention Detection Customization Guide for details on using the Symantec
Data Loss Prevention Scripting Language.
To implement a custom script validator
1. Modify an existing data identifier or create a custom data identifier.
See Workflow for creating custom data identifiers.
2. Select the Custom Script validator from the list of Validation Checks.
3. Enter your custom script in the Description and Data Entry field.
4. Click Add Validator to add the custom validator to the Active Validators list.
5. Click Save to save the configuration of the data identifier.
The following strings would match or not match the data identifier pattern based on the preceding or following characters
as described here:
Table 578: Pre- and post-validator pattern matching examples
Best practice | Description
Use data identifiers instead of regular expressions when possible. | Use data identifiers instead of regular expressions to improve accuracy.
Modify data identifier definitions when you want tuning to apply globally. | Modify data identifier definitions when you want tuning to apply globally.
Clone system-defined data identifiers before modifying them. | Clone system-defined data identifiers before modifying them to preserve their original state.
Consider using multiple data identifier breadths in parallel. | Consider using multiple breadths in parallel to detect different severities of confidential data.
Avoid matching on the Envelope over HTTP. | Avoid matching on the Envelope over HTTP to reduce false positives.
Use the Randomized US SSN data identifier to detect traditional and randomized SSNs. | Use the Randomized US SSN data identifier to detect SSNs.
Use unique match counting to improve accuracy and ease remediation. | Use unique match counting to improve accuracy and ease remediation.
Modify data identifier definitions when you want tuning to apply globally
Data identifiers offer two levels of configuration:
• Definitions
• Instances
Data identifier definitions are configured at the system-level of the Enforce Server. At the definition level you can tune the
data that is supplied by any required validator that the definition declares at this level, as well as what validators are used.
Data identifier instances are only configured at the policy rule level. Any configurations that are made at the rule level are
local in scope and applicable only to that policy. At the rule level you use optional validators, such as require or exclude
beginning or ending characters, to tune the instance of the data identifier rule.
The general recommendation is to configure data identifier definitions so that the changes apply globally to any instance
of that data identifier definition. Such configurations are reusable across policies. Rule-level optional validators should
be reserved for policies with unique requirements.
Consider using multiple breadths in parallel to detect different severities of confidential data
Matching data identifiers against content often requires fine-tuning as you adjust the configuration to keep both false
positives and false negatives to a minimum. After you configure an instance of the Content Matches Data Identifier
condition, study the matches and adjust the configuration to ensure optimum data matching success.
Consider adjusting the data identifier breadth you use if the data identifier produces too many false positives or false
negatives. For example, if you use a wide breadth and receive many false positives, consider using a medium breadth or
narrow breadth.
See About data identifier breadths.
As an alternative approach, consider using multiple data identifier breadths in parallel in the same rule with different
severity levels for each rule. For example, in a single policy that is designed to detect credit card numbers, you can add
three rules to the policy, each using a different breadth (one wide, one medium, one narrow). You would then set the
severity for the narrow to be high severity incidents, and the wide to be low severity incidents. Using this layered approach
lets you survey the data flowing through the enterprise using a policy that covers both ends of the spectrum. You can use this
sampling-based approach to focus your remediation efforts on the highest-priority incidents while still detecting and being
able to review low-severity incidents.
The best practice is to use unique match counting when you only care about unique matches, not duplicate matches. For
example, if you are using the Credit Card Numbers data identifier to protect credit card numbers, and you only care whether a
document contains 25 or more unique numbers, use the count all unique matches option instead of the count all matches
option. If you counted all matches, a document containing 25 copies of the same CCN would trigger the policy, which is not the
objective of your policy.
See About unique match counting.
About keyword matching for Chinese, Japanese, and Korean (CJK) languages
Symantec Data Loss Prevention detection servers support natural language processing for Chinese, Japanese, and
Korean (CJK) keywords. When natural language processing for CJK languages is enabled, the detection server validates
CJK tokens before reporting a match. For CJK languages, a token is a single character which constitutes a word. Thus,
partial word matching does not apply to CJK languages.
Token validation for CJK keywords is only supported for detection servers and is disabled by default. You must enable
token validation for each detection server. In addition, you must match on whole words for token validation to apply.
On the endpoint you can use whole word matching for CJK keywords.
The Keyword matching use cases for CJK languages table summarizes keyword matching use cases for CJK languages.
Table 581: Keyword matching use cases for CJK languages
Server: Enable token verification on the detection server and use whole word matching. See Enabling and using CJK token verification for server keyword matching.
Endpoint: Use whole word matching. See Keyword matching examples for CJK languages.
Behavior Description
Whole word matching: With whole word matching, keywords match at word boundaries only (\W in the regular expression lexicon). Any characters other than A-Z, a-z, and 0-9 are interpreted as word boundaries. With whole word matching, keywords must have at least one alphanumeric character (a letter or a number). A keyword consisting of only white-space characters, such as "..", is ignored.
Quotation marks: Do not use quotation marks when you enter keywords or phrases, because quotes are interpreted literally and will be required in the match.
White space: The system strips out the white space before and after keywords or key phrases. Each whitespace within a keyword phrase is counted. In addition to actual spaces, all characters other than A-Z, a-z, and 0-9 are interpreted as white space.
Case sensitivity: The case sensitivity option that you choose applies to all keywords in the list for that condition.
Plurals and verb inflections: All plurals and verb inflections must be specifically listed. If the number of enumerations becomes complicated, use the wildcard character (asterisk [*]) to detect a keyword suffix (in whole word mode only).
Keyword phrases: You can enter keyword phrases, such as social security number (without quotes). The system looks for the entire phrase without returning matches on individual constituent words (such as social or security).
Keyword variants: The system only detects the exact keyword or key phrase, not variants. For example, if you specify the key phrase social security number, detection does not match a phrase that contains two spaces between the words.
Matching multiple keywords: The system implies an OR between keywords. That is, a message component matches if it contains any of the keywords, not necessarily all of them. To perform an ALL (or AND) keyword match, combine multiple keyword conditions in a compound rule or exception.
Alpha-numeric characters: During keyword matching, only a letter or a digit is considered a valid keyword start position. Special characters (non-alphanumeric) are treated as delimiters (ignored). For example, the ampersand character ("&") and the underscore character ("_") are special characters and are not considered for the keyword start position. For example, consider the following:
____keyword__
Keyword
&&akeyword&&
123Keyword__
For these examples, the valid keyword start positions are as follows: k, K, a, and 1.
Note: This same behavior applies to keyword validators implemented in data identifiers.
Proximity The word distance (proximity value) is exclusive of detected keywords. Thus, a word distance of 10 allows
for a proximity window of 12 words.
1124
Keyword type Keyword(s) Matches Does Not Match
1125
Keep the keyword lists for your HIPAA and Caldicott policies up to date
HIPAA and HITECH (including PHI) policy template
Caldicott Report policy template
Match on whole or partial keywords and key phrases: Separate each keyword or phrase by a newline or comma.
  Keyword matching examples
Match on the wildcard asterisk (*) character: Match the wildcard at the end of a keyword, in whole word mode only.
  Keyword matching examples
Keyword proximity matching: Match across a range of keywords.
  About keyword proximity
Find keywords: Implement one or more keywords in data identifiers to refine the scope of detection.
  Introducing data identifiers
Policy rules and exceptions: You can implement keyword matching conditions in policy rules and exceptions.
  Configuring the Content Matches Keyword condition
Cross-component matching: Keyword matching detects on one or more message components.
  Detection messages and message components
Keyword dictionary: If you have a large dictionary of keywords, you can index the keyword list.
  Use VML to generate and maintain large keyword dictionaries
CJK token verification: Enable on the detection server for CJK languages and match on whole words only.
  Keyword matching use cases for CJK languages
3. Save the policy.
Action Description
Enter the match type. Select if you want the keyword match to be:
Case Sensitive or Case Insensitive
Case insensitive is the default.
Choose the keyword Select the keyword separator you to delimit multiple keywords:
separator. Newline or Comma.
Newline is the default.
Match any keyword. Enter one or more keywords or key phrases that you want to match. Use the separator that you have
selected (newline or comma) to delimit multiple keyword or key phrase entries.
You can use the asterisk (*) wildcard character at the end of any keyword to match one or more suffix
characters in that keyword. If you use the asterisk wildcard character, you must match on whole words only.
For example, a keyword entry of confid* would match on "confidential" and "confide," but not "confine."
As long as the keyword prefix matches, the detection engine matches on the remaining characters using the
wildcard.
Keyword matching syntax
Keyword matching examples
Configure keyword Keyword proximity matching lets you specify a range of detection among keyword pairs.
proximity matching About keyword proximity
(optional). To implement keyword proximity matching:
• Select (check) the Keyword Proximity matching option in the "Conditions" section of the rule builder
interface.
• Click Add Pair of Keywords.
• Enter a pair of keywords.
• Specify the Word distance.
The maximum distance between keywords is 999, as limited by the three-digit length of the “Word
distance” field. The word distance is exclusive of detected keywords. For example, a word distance of
10 allows for a range of 12 words, including the two words comprising the keyword pair.
• Repeat the process to add more keyword pairs.
The system connects multiple keyword pair entries the OR Boolean operator, meaning that the detection
engine evaluates each keyword pair independently.
Match on whole or Select the option On whole words only to match on whole keywords only (by default this option is
partial keywords. selected).
Match on whole words only if you use the asterisk (*) wildcard character in any keyword you enter in the list.
Keyword matching examples
You must match on whole words only if you have enabled token validation for the server.
Keyword matching examples for CJK languages
Configure match Keyword matching lets you specify how you want to count condition matches.
conditions. Select one of the following options:
• Check for existence
The system reports one incident for all matches.
• Count all matches and only report incidents with at least 1 matches (default)
The system reports one incident for each match with the default setting. Or, you can configure the match
threshold by changing the default value from 1 to another value.
Configuring Match Counting
1127
Action Description
Select components to Keyword matching detection supports matching across message components.
match on. Selecting components to match on
Select one or more message components to match on:
• Envelope – Header metadata used to transport the message
• Subject – Email subject of the message (only applies to SMTP)
• Body – The content of the message
• Attachments – Any files attached to or transferred by the message
Note: The endpoint the DLP Agent matches on the entire message, not on individual components.
Note: Detection Messages and Message Components
Also match one or more Select this option to create a compound rule. All conditions must be met to report a match.
conditions. You can Add any available condition from the list.
Configuring compound rules
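The following Python script is an added example; it is not code from Symantec or from the Help Center, and it is a simplified model for understanding the rules, not the detection server's engine. It models the keyword matching behavior and the condition options described above: word boundaries at every character other than A-Z, a-z and 0-9; OR between the entries of a Match any keyword list; the asterisk suffix wildcard in whole-word mode only; the exact delimiter count inside a key phrase (so two spaces in the message do not match one space in the phrase); the Check for existence and Count all matches options, plus the unique-match count discussed for credit card numbers at the start of this section; and keyword proximity with a word distance that excludes the keywords themselves. The function names, the `mode` values and all sample texts are my own choices.

```python
import re

# Added example, not Symantec code: a simplified model of the keyword matching
# rules in this section, for understanding them, not a reimplementation of the
# detection engine. Function names and sample texts are constructed.

ALNUM = "[A-Za-z0-9]"     # the only characters that are not word boundaries
DELIM = "[^A-Za-z0-9]"    # every other character is treated as white space
TOKEN_RE = re.compile(ALNUM + "+")


def keyword_pattern(keyword, whole_word=True):
    """Compile one keyword or key phrase into a regular expression string.

    Delimiters before and after the entry are stripped, each delimiter inside a
    phrase is kept and counted, a trailing * becomes a suffix wildcard (whole-word
    mode only), and an entry with no letter or digit, such as "..", is ignored (None).
    """
    wildcard = keyword.endswith("*")
    core = re.sub(f"^{DELIM}+|{DELIM}+$", "", keyword.rstrip("*"))
    if not core:
        return None
    if wildcard and not whole_word:
        raise ValueError("the * wildcard is supported in whole-word mode only")
    body = "".join(ch if re.fullmatch(ALNUM, ch) else DELIM for ch in core)
    if wildcard:
        body += ALNUM + "+"        # confid* matches confidential and confide, not confine
    if whole_word:
        body = f"(?<!{ALNUM}){body}(?!{ALNUM})"
    return body


def find_keywords(text, keywords, whole_word=True, case_sensitive=False):
    """Matched strings for a Match any keyword list: entries are OR-ed."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for entry in keywords:
        pattern = keyword_pattern(entry, whole_word)
        if pattern is not None:
            hits.extend(m.group(0) for m in re.finditer(pattern, text, flags))
    return hits


def count_matches(hits, mode="all", case_sensitive=False):
    """Match counting: "existence" reports one incident for any hit, "all"
    counts every hit, "unique" counts distinct matched strings."""
    if mode == "existence":
        return 1 if hits else 0
    if mode == "all":
        return len(hits)
    if mode == "unique":
        return len({h if case_sensitive else h.lower() for h in hits})
    raise ValueError(f"unknown counting mode: {mode}")


def _starts(tokens, phrase, case_sensitive):
    """Token indexes at which the tokens of `phrase` occur consecutively."""
    fold = (lambda s: s) if case_sensitive else str.lower
    want = [fold(w) for w in TOKEN_RE.findall(phrase)]
    if not want:
        return []
    have = [fold(t) for t in tokens]
    n = len(want)
    return [i for i in range(len(have) - n + 1) if have[i:i + n] == want]


def proximity_match(text, pair, distance, case_sensitive=False):
    """True when both keywords of `pair` occur with at most `distance` words
    between them. The distance excludes the keywords themselves, so a distance
    of 10 allows a window of 12 words including the pair."""
    tokens = TOKEN_RE.findall(text)
    first, second = pair
    len_first = len(TOKEN_RE.findall(first))
    len_second = len(TOKEN_RE.findall(second))
    for i in _starts(tokens, first, case_sensitive):
        for j in _starts(tokens, second, case_sensitive):
            if j >= i + len_first:
                between = j - (i + len_first)
            elif i >= j + len_second:
                between = i - (j + len_second)
            else:
                continue               # overlapping occurrences do not pair
            if between <= distance:
                return True
    return False


if __name__ == "__main__":
    sample = "____keyword__ Keyword &&akeyword&& 123Keyword__"       # constructed
    whole = find_keywords(sample, ["keyword"])                        # 2 hits
    partial = find_keywords(sample, ["keyword"], whole_word=False)    # 4 hits
    print(whole, count_matches(whole, "unique"), len(partial))
    print(find_keywords("confidential confide confine", ["confid*"]))
    print(proximity_match("confidential project report for the board",
                          ("confidential", "board"), 4))
```

Run against the four start-position examples from the behavior table, whole-word mode returns only `keyword` and `Keyword`, because in `&&akeyword&&` and `123Keyword__` the entry is preceded by a letter or digit; partial mode returns all four. Several keyword pairs are OR-ed in the condition, so `proximity_match` is simply called once per pair.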
Enabling and using CJK token verification for server keyword matching
To use token verification for Chinese, Japanese, and Korean (CJK) languages, you must enable it on the server and you
must use whole word matching for the keyword condition. In addition, there must be a sufficient amount of message text
for the system to recognize the language.
Keyword matching examples for CJK languages
Keyword token verification parameter lists and describes the detection server parameter that lets you enable token
verification for CJK languages.
Enable keyword token verification for CJK describes how to enable and use token verification for CJK keywords.
Enable keyword token verification for CJK
1. Log on to the Enforce Server as an administrative user.
2. Navigate to the System > Servers and Detectors > Overview > Server/Detector Detail - Advanced Settings
screen for the detection server or detector you want to configure.
Configuring the Content Matches Keyword condition
Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and
Caldicott policies
If you have created a policy derived from the HIPAA or Caldicott template and have not made any changes or
customizations to the derived policy, after upgrade you can create a new policy from the appropriate template and remove
the old policy from production. If you have made changes to a policy derived from either the HIPAA or Caldicott policy
template and you want to preserve these changes, you can copy the updated keyword lists from either the HIPAA or
Caldicott policy template and use the copied keyword lists to update your HIPAA or Caldicott policies.
About updates to the Drug, Disease, and Treatment keyword lists
Keep the keyword lists for your HIPAA and Caldicott policies up to date
To update the Drug, Disease, and Treatment keyword lists for HIPAA and Caldicott policies provides instructions for
updating the keyword lists for your HIPAA and Caldicott policies.
To update the Drug, Disease, and Treatment keyword lists for HIPAA and Caldicott policies
1. Create a new policy from a template and choose either the HIPAA or Caldicott template.
Creating a policy from a template
2. Edit the detection rules for the policy.
Configuring policy rules
3. Select the Patient Data and Drug Keywords (Keyword Match) rule.
4. Select the Content Matches Keyword condition.
5. Select all the keywords in the Match any Keyword data field and copy them to the Clipboard.
6. Paste the copied keywords to a text file named Drug Keywords.txt.
7. Cancel the rule edit operation to return to the policy Detection tab.
8. Repeat the same process for the Patient Data and Treatment Keywords (Keyword Match) rule.
9. Copy and paste the keywords from the condition to a text file named Treatment Keywords.txt.
10. Repeat the same process for the Patient Data and Disease Keywords (Keyword Match) rule.
11. Copy and paste the keywords from the condition to a text file named Disease Keywords.txt.
12. Update your HIPAA and Caldicott policies derived from the HIPAA or Caldicott templates using the keyword *.txt
files you created.
13. Test your updated HIPAA and Caldicott policies.
Table 588: Summary of keyword matching best practices
Enable linguistic validation for CJK keyword detection on the server.
  Enable token verification on the server to reduce false positives for CJK keyword detection
Update keyword lists for your Caldicott and HIPAA policies.
  Keep the keyword lists for your HIPAA and Caldicott policies up to date
Tune keyword validators to improve data identifier accuracy.
  Tune keywords lists for data identifiers to improve match accuracy
Use VML to profile long keyword lists and dictionaries.
  Use VML to generate and maintain large keyword dictionaries
Use keyword matching for metadata detection.
  Use keyword matching to detect document metadata
Enable token verification on the server to reduce false positives for CJK keyword detection
Symantec Data Loss Prevention provides token validation for Chinese, Japanese, and Korean (CJK) languages. Token
validation is supported for detection servers and must be enabled.
About keyword matching for Chinese, Japanese, and Korean (CJK) languages
Token validation lets you match CJK keywords using whole word matching, and improves overall match accuracy for CJK
languages. Although there may be a slight performance hit, you should enable token verification for each detection server
where CJK keyword conditions are deployed. Once enabled you can use whole word matching for CJK keywords.
Enabling and using CJK token verification for server keyword matching
Keep the keyword lists for your HIPAA and Caldicott policies up to date
For each Symantec Data Loss Prevention release, the Drug, Disease, and Treatment keyword lists are updated based
on information from the U.S. Federal Drug Administration (FDA) and other sources. These keyword lists are used in the
HIPAA and HITECH (including PHI) and Caldicott Report policy templates.
About updates to the Drug, Disease, and Treatment keyword lists
If you have upgraded to the latest Data Loss Prevention version and you have existing policies derived from either the
HIPAA or Caldicott policy template, consider updating your HIPAA and Caldicott policies to use the Drug, Disease, and
Treatment keyword lists provided with this Data Loss Prevention version.
Updating the Drug, Disease, and Treatment keyword lists for your HIPAA and Caldicott policies
Use keyword matching to detect document metadata
Symantec Data Loss Prevention supports metadata detection for certain document formats, such as DOCX and PDF.
Detection servers and DLP Agents support metadata detection.
If you want to detect document metadata, the recommendation is to enable it for the server or endpoint and use the
Content Matches Keyword condition to match metadata tags.
Table 589: Regular expression constructs for policy condition matching
Regular expression construct   Description
.            Any single character
\d           Any digit (0-9)
\s           Any white space
\w           Any word character (a-z, A-Z, 0-9, _)
\D           Anything other than a digit
\S           Anything other than white space
[]           Elements inside brackets are a character class (For example, [abc] matches 1 character: a, b, or c.)
^            At the beginning of a character class, negates it (For example, [^abc] matches anything except a, b, or c.)
+            Following a regular expression means 1 or more (For example, \d+ means 1 or more digits.)
?            Following a regular expression means 0 or 1 (For example, \d? means 1 or no digits.)
*            Following a regular expression means any number (For example, \d* means 0, 1, or more digits.)
(?i)         At the beginning of a regular expression makes the expression case-insensitive (Regular expressions are case-sensitive by default.)
(?: )        Groups regular expressions together (The ?: is a slight performance enhancement.)
(?u)         Makes a period (.) match even newline characters
|            Means OR (For example, A|B means regular expression A or regular expression B.)
3. Save the policy configuration.
Use Data Identifiers instead of regular expressions where possible.
  Use regular expressions sparingly to support efficient performance
Use regular expressions sparingly to support efficient policy performance.
  Test regular expressions before deployment to improve accuracy
Use look ahead and look behind characters to improve regular expression performance.
  Use look ahead and look behind characters to improve regular expression accuracy
Test regular expressions for accuracy and performance.
  Test regular expressions before deployment to improve accuracy
The regular expression condition is useful for matching or excepting unique data types for which there are no system-
provided Data Identifiers. Examples of these include internal account numbers and data types that can vary greatly in
length, such as email addresses.
Use look ahead and look behind characters to improve regular expression
accuracy
Symantec Data Loss Prevention implements a significant enhancement to improve the performance of regular
expressions. To achieve improved regular expression performance, the look ahead and look behind sections must exactly
match one of the supported standard sections.
Look ahead and look behind standard sections lists the standard look ahead and look behind sections that this
performance improvement supports. If either section differs even slightly, that section is executed as part of the regular
expression without the performance improvement.
About writing regular expressions
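As an added example (not from the Help Center, and independent of the product's standard look ahead and look behind sections, which this page refers to but does not list), the following Python script shows how negative look-behind and look-ahead boundaries improve the accuracy of a custom regular expression for an internal account number, and how to test a pattern against labelled samples before deploying it, as the best practices above recommend. The account-number format (`ACCT-` or `AC-` followed by exactly eight digits), the pattern names and all sample texts are constructed for the example.

```python
import re

# Added example, not Symantec code. The account-number format (ACCT- or AC-
# followed by exactly eight digits) and every sample text below are constructed.

# Without boundaries: "\d{8}" also matches the first eight digits of a longer
# number, and "ACCT-" also matches inside a longer token such as "XACCT-".
PATTERN_LOOSE = re.compile(r"(?i)(?:ACCT|AC)-\d{8}")

# With boundaries: the negative look-behind rejects a letter or digit before the
# prefix and the negative look-ahead rejects a ninth digit. (?i) makes the whole
# expression case-insensitive and (?: ) groups the two prefixes without capturing.
PATTERN_TIGHT = re.compile(r"(?i)(?<![A-Z0-9])(?:ACCT|AC)-\d{8}(?![0-9])")

# Labelled samples: (text, whether a detection is expected). All constructed.
SAMPLES = [
    ("Please close acct-12345678 today.", True),
    ("Ref: ACCT-00000001, see attached.", True),
    ("Legacy form AC-87654321 is still valid.", True),
    ("ACCT-123456789012 is a 12-digit order id, not an account.", False),
    ("XACCT-12345678 is an export tag, not an account.", False),
    ("No identifiers in this line.", False),
]


def evaluate(pattern, samples=SAMPLES):
    """Run a pattern over labelled samples and return
    (true_positives, false_positives, false_negatives)."""
    tp = fp = fn = 0
    for text, expected in samples:
        hit = pattern.search(text) is not None
        if hit and expected:
            tp += 1
        elif hit and not expected:
            fp += 1
        elif expected:
            fn += 1
    return tp, fp, fn


def false_positive_texts(pattern, samples=SAMPLES):
    """The sample texts a pattern reports although no detection is expected."""
    return [t for t, expected in samples if not expected and pattern.search(t)]


if __name__ == "__main__":
    for name, pat in (("loose", PATTERN_LOOSE), ("tight", PATTERN_TIGHT)):
        print(name, evaluate(pat), false_positive_texts(pat))
```

The loose pattern reports the 12-digit order id and the `XACCT-` tag as incidents; the bounded pattern reports neither while still finding all three expected values. Keeping a labelled sample set like `SAMPLES` next to each custom expression lets you rerun the same check whenever the pattern changes.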
You can create policies and detect violations using any supported language. You can use localized keywords, regular
expressions, and Data Profiles to detect data loss. In addition, Symantec Data Loss Prevention offers several international
data identifiers and policy templates for protecting confidential data.
Best practices for detecting non-English language content
Use international policy templates for policy creation
Use custom keywords for system data identifiers
Enable token validation to match Chinese, Japanese, and Korean keywords on the server
Canadian Social Insurance Numbers: This policy detects patterns indicating Canadian social insurance numbers.
  Canadian Social Insurance Numbers policy template
Caldicott Report: This policy protects UK patient information.
  Caldicott Report policy template
UK Data Protection Act 1998: This policy protects personal identifiable information.
  Data Protection Act 1998 policy template
EU Data Protection Directives: This policy detects personal data specific to the EU directives.
  Data Protection Directives (EU) policy template
UK Human Rights Act 1998: This policy enforces Article 8 of the act for UK citizens.
  Human Rights Act 1998 policy template
PIPEDA (Canada): This policy detects Canadian citizen customer data.
  PIPEDA policy template
SWIFT Codes (International banking): This policy detects codes that banks use to transfer money across international borders.
  SWIFT Codes policy template
UK Drivers License Numbers: This policy detects UK Drivers License Numbers.
  UK Drivers License Numbers policy template
UK Electoral Roll Numbers: This policy detects UK Electoral Roll Numbers.
  UK Electoral Roll Numbers policy template
UK National Insurance Numbers: This policy detects UK National Insurance Numbers.
  UK National Insurance Numbers policy template
UK National Health Service Number: This policy detects personal identification numbers issued by the NHS.
  UK National Health Service (NHS) Number policy template
UK Passport Numbers: This policy detects valid UK passports.
  UK Passport Numbers policy template
UK Tax ID Numbers: This policy detects UK Tax ID Numbers.
  UK Tax ID Numbers policy template
Some international data identifiers offer a wide breadth of detection only. In this case you can implement the Find
Keywords optional validator to narrow the scope of detection. Implementing this optional validator may help you eliminate
any false positives that your policy matches.
Selecting a data identifier breadth
The following table provides keywords for several international data identifiers.
To use international keywords for system data identifiers
1. Create a policy using one of the system-provided international data identifiers that is listed in the table.
International data identifiers and keyword lists
2. Select the Find Keywords optional validator.
Configuring the Content Matches data identifier condition
3. Copy and paste the appropriate comma-separated keywords from the list to the Find Keywords optional validator field.
Configuring optional validators
Data Identifier | Language | Keywords | English Translation
Belgium Driver's License Number
  Language: German, French, Frisian
  Keywords: Führerschein, Fuhrerschein, Fuehrerschein, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerschein- Nr, Fuhrerschein- Nr, Fuehrerschein- Nr, permis de conduire, rijbewijs, Rijbewijsnummer, Numéro permis conduire
  English translation: Driver's license, driver's license number, driving permit, driving permit number
Belgium Passport Number
  Language: Dutch, German, French
  Keywords: Paspoort, paspoort, paspoortnummer, Reisepass kein, Reisepass, Passnummer, Passeport, Passeport livre, Passeport carte, numéro passeport
  English translation: Passport, passport number, passport book, passport card
Belgium Tax Identification Number
  Language: Dutch, German, French
  Keywords: Numéro de registre national, numéro d'identification fiscale, belasting aantal, Steuernummer
  English translation: National registry number, tax identification number, tax number
Belgium Value Added Tax (VAT) Number
  Language: German, French
  Keywords: Numéro T.V.A, Umsatzsteuer-Identifikationsnummer, Umsatzsteuernummer
  English translation: VAT number, tax identification number
Brazilian Election Identification Number
  Language: Brazilian Portuguese
  Keywords: número identificação, identificação do eleitor, ID eleitor eleição, número identificação eleitoral, Número identificação eleitoral brasileira, IDeleitoreleição#
  English translation: Identification number, voter identification, electoral identification number, Brazilian electoral identification number
Brazilian National Registry of Legal Entities Number
  Language: Brazilian Portuguese
  Keywords: Brasileira ID Legal, entidades jurídicas ID, Registro Nacional de Pessoas Jurídicas n º, BrasileiraIDLegal#
Brazilian Natural Person Registry Number
  Language: Brazilian Portuguese
  Keywords: Cadastro de Pessoas Físicas, Brasileiro Pessoa Natural Número de Registro, pessoa natural número de registro, pessoas singulares registro NO
British Columbia Personal Healthcare Number
  Language: French
  Keywords: MSP nombre, soins de santé no, soins de santé personnels nombre, MSPNombre#, soinsdesanténo#
  English translation: MSP Number, MSP no, personal healthcare number, Healthcare No, PHN
Bulgaria Value Added Tax (VAT) Number
  Language: Bulgarian
  Keywords: номер на таксата, ДДС, ДДС#, ДДС номер., ДДС номер.#, номер на данъка върху добавената стойност, данък върху добавената стойност, ДДС номер
  English translation: Fee number, VAT, VAT number, value added tax
Bulgarian Uniform Civil Number - EGN
  Language: Bulgarian
  Keywords: Униформ граждански номер, Униформ ID, Униформ граждански ID, Униформ граждански не., български Униформ граждански номер, УниформгражданскиID#, Униформгражданскине.#
  English translation: Uniform civil number, Uniform ID, Uniform civil ID, Bulgarian uniform civil number
Burgerservicenummer
  Language: Dutch
  Keywords: Persoonsnummer, sofinummer, sociaal-fiscaal nummer, persoonsgebonden
  English translation: person number, social-fiscal number (abbreviation), social-fiscal number, person-related number
Canada Driver's License Number
  Language: French
  Keywords: permis de conduire
  English translation: Driver's license
Canada Passport Number
  Language: French
  Keywords: numéro passeport, No passeport, passeport#
  English translation: Passport number, passport no., passport#
Canada Permanent Resident (PR) Number
  Language: French
  Keywords: numéro résident permanent, résident permanent non, résident permanent no., carte résident permanent, numéro carte résident permanent, pr non
  English translation: permanent resident number, permanent resident no, permanent resident number, permanent resident card, permanent resident card number, pr no
Chilean National Identification Number
  Language: Spanish
  Keywords: Chilena número identificación, nacional identidad, número identificación, número identificación nacional, identidad número, NúmerodeIdentificación#, Identidadchilenano#, Rol Único Nacional, RolÚnicoNacional#, nacionalidentidad#
  English translation: Chilean identification number, national identity, identification number, national identification number, identity number, Unique National Role
China Passport Number
  Language: Chinese
  Keywords: ####, ##, ###
  English translation: Chinese passport, passport, passport book
Codice Fiscale
  Language: Italian
  Keywords: codice fiscal, dati anagrafici, partita I.V.A., p. iva
  English translation: tax code, personal data, VAT number, VAT number
Columbian Addresses
  Language: Spanish
  Keywords: Calle, Cll, Carrera, Cra, Cr, Avenida, Av, Diagonal, Diag, Tv, Trans, Transversal, vereda
  English translation: Street, St, Career, Avenue, Diagonal, Dg, Transversal, sidewalk
Columbian Cell Phone Number
  Language: Spanish
  Keywords: numero celular, número de teléfono, teléfono celular no., numero celular#
  English translation: Cellular number, telephone number, cellular telephone number
Columbian Personal Identification Number
  Language: Spanish
  Keywords: cedula, cédula, c.c., c.c, C.C., C.C, cc, CC, NIE., NIE, nie., nie, cedula de ciudadania, cédula de ciudadanía, cc#, CC #, documento de identificacion, documento de identificación, Nit.
  English translation: Identification card, citizenship card, identification document
Columbian Tax Identification Number
  Language: Spanish
  Keywords: NIT., NIT, nit., nit, Nit.
  English translation: TIN (tax identification number)
Croatia National Identification Number
  Language: Croatian
  Keywords: Osobna iskaznica, Nacionalni identifikacijski broj, osobni ID, osobni identifikacijski broj, porez iskaznica, porezni broj, porezni identifikacijski broj, porez kod, šifra poreznog obveznika
  English translation: Personal ID, national identification number, personal ID, personal identification number, tax identification card, tax number, tax identification number, tax code, taxpayer code
Cyprus Tax Identification Number
  Language: Turkish, Greek
  Keywords: αριθμός φορολογικού μητρώου, Vergi Kimlik Numarası, vergi numarası, Kıbrıs TIN numarası
  English translation: Tax identification number, tax number, TIN number, Cyprus TIN number
Cyprus Value Added Tax (VAT) Number
  Language: Turkish, Greek
  Keywords: KDV, kdv#, KDV numarası, Katma değer Vergisi, Φόρος Προστιθέμενης Αξίας
  English translation: VAT, VAT number, value added tax
Czech Republic Driver's Licence Number
  Language: Czech
  Keywords: řidičský průkaz, řidičský prúkaz, číslo řidičského průkazu, řidičské číslo řidičů, ovladače lic., Číslo licence řidiče, Řidičský průkaz, povolení řidiče, řidiči povolení, povolení k jízdě, číslo licence
  English translation: Driving license, driver's license number, driving license number, driver's lic., driver license number, driver's permit
Czech Republic Personal Identification Number
  Language: Czech
  Keywords: Česká Osobní identifikační číslo, Osobní identifikační číslo., identifikační číslo, čeština identifikační číslo
  English translation: Czech Personal Identification Number, personal identification number, Czech identification number
Czech Republic Tax Identification Number
  Language: Czech
  Keywords: osobní kód, Národní identifikační číslo, osobní identifikační číslo, cínové číslo, daňové identifikačné číslo, daňový poplatník id
  English translation: Personal code, national identification number, personal identification number, TIN number, tax identification number, taxpayer ID
Czech Republic Value Added Tax (VAT) Number
  Language: Czech
  Keywords: číslo DPH, Daň z přidané hodnoty, Dan z pridané hodnoty, Daň přidané hodnoty, Dan pridané hodnoty, DPH, DIC, DIČ
  English translation: VAT number, value added tax, VAT
European Health Insurance Card Number
  Language: Croatian, Danish, Estonian, Finnish, French, German, Irish, Italian, Luxembourgish, Polish, Slovenian, Spanish
  Keywords: numero conto medico, tessera sanitaria assicurazione numero, carta assicurazione numero, Krankenversicherungsnummer, assicurazione sanitaria numero, medisch rekeningnummer, ziekteverzekeringskaartnummer, verzekerings kaart nummer, gezondheidskaart nummer, gezondheidskaart, medizinische Kontonummer, Krankenversicherungskarte Nummer, Versicherungsnummer, Gesundheitskarte Nummer, Gesundheitskarte, arstliku konto number, ravikindlustuse kaardi number, tervisekaart, tervisekaardi number, Uimhir ehic, tarjeta salud, broj kartice zdravstvenog osiguranja, kartice osiguranja broj, zdravstvenu karticu, zdravstvene kartice broj, ehic broj, numero tessera sanitaria, numero carta di assicurazione, tessera sanitaria, numero ehic, Gesondheetskaart, ehic nummer, numer rachunku medycznego, numer karty ubezpieczenia zdrowotne, numer karty ubezpieczenia, karta zdrowia, numer karty zdrowia, numer ehic, sairausvakuutuskortin numero, vakuutuskortin numero, terveyskortti, terveyskortin numero, medicinsk kontonummer, ehic numeris, medizinescher Konto Nummer, zdravstvena izkaznica
  English translation: Medical account number, health insurance card number, insurance card number, health insurance number, medical account number, health card number, health card, insurance number, EHIC number
Finland Driver's License Number
  Language: Finnish, Swedish
  Keywords: permis de conduire, ajokortti, ajokortin numero, kuljettaja lic., körkort, körkort nummer, förare lic.
  English translation: Driver's license, driver's license number, driver's lic.
Finland European Health Insurance Number
  Language: Finnish
  Keywords: Suomi EHIC-numero, Sairausvakuutuskortti, sairaanhoitokortin, Sjukförsäkringskort, sairaanhoitokortin, Suomen sairausvakuutuskortti, Finska sjukförsäkringskort, Terveyskortti, Hälsokort, ehic#, sairausvakuutusnumero, sjukförsäkring nummer
  English translation: Finland EHIC number, sickness insurance card, health insurance card, EHIC, Finnish health insurance card, ehic, Health Card, Survival Card, health insurance number
Finland Passport Number
  Language: Finnish
  Keywords: Suomen passin numero, suomalainen passi, passin numero, passin numero.#, passin numero#, passin numero, passin numero., passin numero#, passi#
  English translation: Finnish passport number, Finnish passport, passport number, passport number, passport #
Finland Tax Identification Number
  Language: Finnish
  Keywords: verotunniste, verokortti, verotunnus, veronumero
  English translation: Tax identification number, tax card, tax ID, tax number
Finland Value Added Tax (VAT) Number
  Language: Finnish
  Keywords: arvonlisäveronumero, ALV, arvonlisäverotunniste, ALV nro, ALV numero, alv
  English translation: VAT number, VAT, VAT identification number
Finnish Personal Identification Number
  Language: Finnish
  Keywords: tunnistenumero, henkilötunnus, yksilöllinen henkilökohtainen tunnistenumero, Ainutlaatuinen henkilökohtainen tunnus, identiteetti numero, Suomen kansallinen henkilötunnus, henkilötunnusnumero#, kansallisen tunnistenumero, tunnusnumero, kansallinen tunnus numero
  English translation: Identification number, personal identification number, unique personal identification number, identity number, Finnish personal identification number, national identification number
France Driver's License Number
  Language: French
  Keywords: permis de conduire
  English translation: Driver's license
France Health Insurance Number
  Language: French
  Keywords: carte vitale, carte d'assuré social
  English translation: Health card, social insurance card
France Tax Identification Number
  Language: French
  Keywords: numéro d'identification fiscale
  English translation: Tax identification number
France Value Added Tax (VAT) Number
  Language: French
  Keywords: Numéro d'identification taxe sur valeur ajoutée, Numéro taxe valeur ajoutée, taxe valeur ajoutée, Taxe sur la valeur ajoutée, Numéro de TVA intracommunautaire, n° TVA, numéro de TVA, Numéro de TVA en France, français numéro de TVA, Numéro d'identification SIREN
  English translation: Value added tax identification number, value added tax number, value added tax, VAT number, French VAT number, SIREN identification number
French INSEE Code
  Language: French
  Keywords: INSEE, numéro de sécu, code sécu
  English translation: INSEE, social security number, social security code
French Passport Number
  Language: French
  Keywords: Passeport français, Passeport, Passeport livre, Passeport carte, numéro passeport
  English translation: French passport, passport, passport book, passport card, passport number
French Social Security Number
  Language: French
  Keywords: sécurité sociale non., sécurité sociale numéro, code sécurité sociale, numéro d'assurance, sécuritésocialenon.#, sécuritésocialeNuméro#
  English translation: Social security number, social security code, insurance number
German Passport Number
  Language: German
  Keywords: Reisepass kein, Reisepass, Deutsch Passnummer, Passnummer, Reisepasskein#, Passnummer#
  English translation: Passport number, passport, German passport number, passport number
German Personal ID Number
  Language: German
  Keywords: persönliche identifikationsnummer, ID-Nummer, Deutsch persönliche-ID-Nummer, persönliche ID Nummer, eindeutige ID-Nummer, persönliche Nummer, identität nummer, Versicherungsnummer, persönlicheNummer#, IDNummer#
  English translation: Personal identification number, ID number, German personal ID number, personal ID number, clear ID number, personal number, identity number, insurance number
Germany Driver's License Number
  Language: German
  Keywords: Führerschein, Fuhrerschein, Fuehrerschein, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerscheinnummer, Fuhrerscheinnummer, Fuehrerscheinnummer, Führerschein- Nr, Fuhrerschein- Nr, Fuehrerschein- Nr
  English translation: Driver's license, driver's license number
Germany Value Added Tax (VAT) Number
  Language: German
  Keywords: Mehrwertsteuer, MwSt, Mehrwertsteuer Identifikationsnummer, Mehrwertsteuer nummer
  English translation: Value added tax, value added tax identification number, value added tax number
Greece Passport Number
  Language: Greek
  Keywords: λλάδα pasport αριθμός, Ελλάδα pasport όχι., Ελλάδα Αριθμός Διαβατηρίου, διαβατήριο, Διαβατήριο, ΕΛΛΑΔΑ ΔΙΑΒΑΤΗΡΙΟ, Ελλάδα Διαβατήριο, ελλάδα διαβατήριο, Διαβατήριο Βιβλίο, βιβλίο διαβατηρίου
  English translation: Greece passport number, Greece passport no., passport, Greece passport, passport book
Greece Social Security Number (AMKA)
  Language: Greek
  Keywords: Αριθμού Μητρώου Κοινωνικής Ασφάλισης
  English translation: Social security number
Greece Value Added Tax (VAT) Number
  Language: Greek
  Keywords: FPA, fpa, Foros Prostithemenis Axias, arithmós dexamenís, Fóros Prostithémenis Axías, μέγας κάδος, ΦΠΑ, Φ Π Α, Φόρος Προστιθέμενης Αξίας, ΦΟΡΟΣ ΠΡΟΣΤΙΘΕΜΕΝΗΣ ΑΞΙΑΣ, φόρος προστιθέμενης αξίας, Arithmos Forologikou Mitroou, Α.Φ.Μ, ΑΦΜ
  English translation: VAT, value added tax, tax identification number
Greek Tax Identification Number
  Language: Greek
  Keywords: Αριθμός Φορολογικού Μητρώου, AΦΜ, Φορολογικού Μητρώου Νο., τον αριθμό φορολογικού μητρώου
  English translation: Tax identification number, TIN, tax registry number
Hong Kong ID
  Language: Chinese (Traditional)
  Keywords: ### , ###
  English translation: Identity card, Hong Kong permanent resident ID Card
Hungary Driver's Licence Number
  Language: Hungarian
  Keywords: jogosítvány, Illesztőprogramok Lic, jogsi, licencszám, vezetői engedély, VEZETŐI ENGEDÉLY, vezető engedély, VEZETŐ ENGEDÉLY
  English translation: License, driver's lic, driver's license, number of licenses, driving license
Hungary Passport Number
  Language: French, Hungarian
  Keywords: útlevél, Magyar útlevélszám, útlevél könyv, nombre, numéro de passeport, hongrois, numéro de passeport hongrois
  English translation: Passport, Hungarian passport number, passport book, number, passport number
Hungarian Social Security Number
  Language: Hungarian
  Keywords: Magyar társadalombiztosítási szám, Társadalombiztosítási szám, társadalombiztosítási ID, szociális biztonsági kódot, szociális biztonság nincs., társadalombiztosításiID#
  English translation: Hungarian social security number, social security number, social security ID, social security code
Hungarian Tax Identification Number
  Language: Hungarian
  Keywords: Magyar adóazonosító jel no, adóazonosító szám, magyar adószám, Magyar adóhatóság no., azonosító szám, adóazonosító no., adóhatóság no
  English translation: Hungarian tax identification number, tax identification number, Hungarian tax number, Hungarian tax authority number, tax number, tax authority number
Hungarian VAT Number
  Language: Hungarian
  Keywords: Közösségi adószám, Általános forgalmi adó szám, hozzáadottérték adó, magyar Közösségi adószám
  English translation: Value added tax identification number, sales tax number, value added tax, Hungarian value added tax number
Iceland National Identification Number
  Language: Icelandic
  Keywords: kennitala, persónuleg kennitala, galdur númer, skattanúmer, skattgreiðenda kóða, kennitala skattgreiðenda
  English translation: Social security number, personal identification number, magic number, tax code, taxpayer code, taxpayer ID number
Iceland Passport Number
  Language: Icelandic
  Keywords: vegabréf, vegabréfs númer, Vegabréf Nei, vegabréf#
  English translation: Passport, passport number, passport no.
Italy Health Insurance Italian TESSERA SANITARIA, Health insurance card, Italian health
Number tessera sanitaria, tessera insurance card
sanitaria italiana
Italian Passport Number Italian Repubblica Italiana Italian Republic passport, passport,
Passaporto, Passaporto, Italian passport, Italian passport
Passaporto Italiana, number, passport number
passport number, Italiana
Passaporto numero,
Passaporto numero, Numéro
passeport italien, numéro
passeport
Italy Value Added Tax (VAT) Italian IVA, numero partita IVA, VAT, VAT number, VAT#, VAT number
Number IVA#, numero IVA
Japan Driver's License Japanese #####, ##, ##, ##, ####, # Public Security Committee, driver's
Number ####, #########, ########## license, driving license, driver license,
#, #####, ####### driver's license number, driving license
number, driver license number, license
Japanese Juki-Net ID Japanese #########, #######, ####, # Juki-Net identification number, Juki-
Number ##### Net number, identification number,
personal identification number
Japanese My Number - Japanese ######, #### My number, common number
Corporate
Japanese My Number - Japanese ######, ####, #### My number, personal number, common
Personal number
Japan Passport Number Japanese #####, #####, ###### Japanese passport, passport, passport
number
Kazakhstan Passport Kazakh төлқұжат, төлқұжат нөмірі, Passport, passport number, passport
Number номер паспорта, заграничный ID, international passport, national
пасспорт, национальный passport
паспорт
Korea Passport Number Korean ### ##, ##, ## ##, #### Korean passport, passport, passport
number, Republic of Korea
Korea Residence Korean ### ## ##, #### Foreigner registration number, social
Registration Number for security number
Foreigners
Korean Residence Korean ######, #### Resident registration number, social
Registration Number for security number
Korean
Latvia Driver's Licence Latvian licences numurs, vadītāja License number, driver's license,
Number apliecība, autovadītāja driver's license number, driver's lic.
apliecība, vadītāja
apliecības numurs, Vadītāja
licences numurs, vadītāji
lic., vadītāja atļauja
Latvia Passport Number Latvian LATVIJA, LETTONIE, Pases Latvia, passport no., passport number,
Nr., Pases Nr, Pase, pase, passport book, passport #, passport
pases numurs, Pases Nr, card
pases grāmata, pase#, pases
karte
1146
Data Identifier Language Keywords English Translation
1147
Data Identifier Language Keywords English Translation
Luxembourg Tax French, German Zinn, Zinn Nummer, TIN, TIN number, Luxembourg tax
Identification Number Luxembourg Tax identification number, tax number, tax
Identifikatiounsnummer, ID, social security ID, Luxembourg tax
Steier Nummer, Steier ID, identification number, Social Security,
Sozialversicherungsausweis, Social Security Card, tax identification
Zinnzahl, Zinn nein, number
Zinn#, luxemburgische
steueridentifikationsnummer,
Steuernummer,Steuer ID,
sécurité sociale, carte
de sécurité sociale,
étain,numéro d'étain,
étain non, étain#, Numéro
d'identification fiscal
luxembourgeois, numéro
d'identification fiscale
Luxembourg Value Added German, TVA kee, TVA#, TVA Luxembourg VAT number, VAT
Tax (VAT) Number Luxembourgish Aschreiwung kee, T.V.A, number, VAT, value added tax number,
stammnummer, bleiwen, VAT ID, VAT registration number, value
geheescht, gitt id, added tax
mehrwertsteuer, vat
registrierungsnummer,
umsatzsteuer-id, wat,
umsatzsteuernummer,
umsatzsteuer-
identifikationsnummer, id
de la batterie, lëtzebuerg
vat nee, registréierung
nummer, numéro de TVA,
numéro de enregistrement
vat
Macau National Chinese, #####, ####### ID number, unique identification
Identification Number Portuguese número de identificação, number
número cartão identidade, Identification number, identity card
número cartão identidade number, national identity card number,
nacional, número personal identification number, unique
identificação pessoal, identification number, unique non-ID,
número identificação único, unique ID #
id único não, ID único#
Malaysia Passport Number Malay pasport, nombor pasport, Passport, passport number, passport #
pasport#
Malaysian MyKad Number Malay nombor kad pengenalan, Identification card number,
(MyKad) kad pengenalan no, kad identification card no., Malaysian
pengenalan Malaysia, identification card, unique identity
bilangan identiti number, personal number
unik, nombor peribadi,
nomborperibadi#,
kadpengenalanno#
Malta National Maltese numru identifikazzjoni national identification number, national
Identification Number nazzjonali, ID nazzjonali, ID, personal identification number,
numru identifikazzjoni personal ID
personali, ID personali,
IDnazzjonali#, IDpersonali#
1148
Data Identifier Language Keywords English Translation
Malta Tax Identification Maltese kodiċi tat-taxxa, Tax code, tax number, tax identification
Number numru tat-taxxa, numru number, taxid# taxpayer identification
identifikazzjoni tat- number, taxpayer code, tin, tin no
taxxa, taxxaid#,
numru identifikazzjoni
kontribwent, kodiċi
kontribwent, landa, landa
nru
Malta Value Added Tax Maltese Numru tal-VAT, numru tal- VAT number, VAT, value added tax
(VAT) Number VAT, bettija,valur miżjud number, vat identification number
taxxa in-numru, bettija
identifikazzjoni in-numru
Mexican Personal Spanish Clave de Registro de Personal identity registration key,
Registration and Identidad Personal, Mexican personal identification code,
Identification Number Código de Identificación Mexican personal identification number
Personal mexicana, número
de identificación personal
mexicana
Mexican Tax Identification Spanish Registro Federal de Federal taxpayer registry, tax
Number Contribuyentes, número identification number, federal taxpayer
de identificación de registry number, RFC number, RFC
impuestos, Código del key
Registro Federal de
Contribuyentes, Número RFC,
Clave del RFC
Mexican Unique Spanish Única de registro de Unique population registry, unique key,
Population Registry Code Población, clave única, unique identity key, unique personal
clave única de identidad, identity, personal identity key
clave personal Identidad,
personal Identidad
Clave, ClaveÚnica#,
clavepersonalIdentidad#
Mexico CLABE Number Spanish Clave Bancaria Standardized banking code,
Estandarizada, standardized bank code number, code
Estandarizado Banco número number
de clave, número de clave,
clave número, clave#
Netherlands Bank Account Dutch, Papiamento bancu aklarashon number, Bank account number, account
Number aklarashon number, number
bankrekeningnummer,
rekeningnummer
Netherlands Driver's Dutch RIJMEWIJS, permis de Driver's license, driving permit, driver's
License Number conduire, rijbewijs, license number
Rijbewijsnummer,
RIJBEWIJSNUMMER
Netherlands Passport Dutch Nederlanden paspoort Dutch passport number, passport,
Number nummer, Paspoort, paspoort, passport number
Nederlanden paspoortnummer,
paspoortnummer
1149
Data Identifier Language Keywords English Translation
1150
Data Identifier Language Keywords English Translation
Norwegian Birth Number Norwegian fødsel nummer, Fødsel nr, Birth number
fødsel nei, fødselnei#,
fødselnummer#
People's Republic of China Chinese (Simplified) ###,####,###### Identity Card, Information of resident,
ID Information of resident identification
Poland Driver's Licence Polish Kierowcy Lic., prawo Drivers license number, driving license,
Number jazdy, numer licencyjny, license number
zezwolenie na prowadzenie,
PRAWO JAZDY
Poland European Health Polish Numer EHIC, Karta EHIC number, Health Insurance Card,
Insurance Number Ubezpieczenia Zdrowotnego, European Health Insurance Card,
Europejska Karta health insurance number, medical
Ubezpieczenia Zdrowotnego, account number
numer ubezpieczenia
zdrowotnego, numer rachunku
medycznego
Poland Passport Number French, Polish paszport#, numer paszportu, Passport #, passport number, passport
Nr paszportu, paszport, number, passport, passport book
książka paszportowa Passport, number, passport number,
passeport, nombre, numéro passport #, passport number
de passeport, passeport#,
No de passeport
Poland Value Added Tax Polish Numer Identyfikacji Tax identification number, tax ID
(VAT) Number Podatkowej, NIP, nip, number, VAT number, value added tax,
Liczba VAT, podatek od VAT invoice, VAT invoice #
wartosci dodanej, faktura
VAT, faktura VAT#
Polish Identification Polish owód osobisty, Tożsamości Identification card, national identity,
Number narodowej, osobisty identification card number, unique
numer identyfikacyjny, number, number
niepowtarzalny numer, numer
Polish REGON Number Polish numer statystyczny, Statistical number, REGON number
REGON, numeru REGON,
numerstatystyczny#,
numeruREGON#
Polish Social Security Polish PESEL Liczba, społeczny PESEL number, social security
Number (PESEL) bezpieczeństwo number, social security ID, social
liczba, społeczny security code
bezpieczeństwo ID,
społeczny bezpieczeństwo
kod, PESELliczba#,
społecznybezpieczeństwoliczba#
Polish Tax Identification Polish Numer Identyfikacji Tax identification number, Polish tax
Number Podatkowej, Polski numer identification number
identyfikacji podatkowej,
NumerIdentyfikacjiPodatkowej#
1151
Data Identifier Language Keywords English Translation
Portugal Driver's License Portuguese carteira de motorista, driver's license, license number,
Number carteira motorista, driving license, driving license Portugal
carteira de habilitação,
carteira habilitação,
número de licença, número
licença, permissão de
condução, permissão
condução, Licença condução
Portugal, carta de condução
Portugal National Portuguese bilhete de identidade, identity card, civil identification number,
Identification Number número de identificação citizen's card number, identification
civil, número de cartão document, citizen's card, bi number of
de cidadão, documento Portugal, document number
de identificação, cartão
de cidadão, número bi
de portugal, número do
documento
Portugal Passport Number French and passaporte, passeport, Passport number, passport,
Portuguese portuguese passport, Portuguese passport
portuguese passeport,
portuguese passaporte,
passaporte nº, passeport nº
Portugal Tax Identification Portuguese número identificação fiscal Tax identification numberr
Number
Portugal Value Added Tax Portuguese imposto sobre valor Value added tax, VAT, VAT number,
(VAT) Number acrescentado, VAT nº, VAT code
número iva, vat não, código
iva
Romania Driver's Licence Romanian permis de conducere, PERMIS Driving license, driving license number
Number DE CONDUCERE, Permis
de conducere, numărul
permisului de conducere,
Numărul permisului de
conducere
Romania National Romanian numărul de identificare fiscal identification number, tax
Identification Number fiscală, identificarea identification number, fiscal code
fiscală nr #, codul fiscal number,
nr.
Romania Value Added Tax Romanian CIF, cif, CUI, cui, TVA, VAT, VAT #, value added tax, fiscal
(VAT) Number tva, TVA#, tva#, taxa code, fiscal identification code, unique
pe valoare adaugata, cod registration code, unique identification
fiscal, cod fiscal de code, code unique registration
identificare, cod fiscal
identificare, Cod Unic
de Înregistrare, cod unic
de identificare, cod unic
identificare, cod unic
de înregistrare, cod unic
înregistrare
1152
Data Identifier Language Keywords English Translation
Romanian Numerical Romanian Cod Numeric Personal, cod Personal numeric code, personal
Personal Code identificare personal, identification code, unique
cod unic identificare, identification code, identity number,
număr personal unic, personal identification number
număr identitate, număr
identificare personal,
număridentitate#,
CodNumericPersonal#,
numărpersonalunic#
Russian Passport Russian паспорт нет, паспорт, Passport no., passport, passport
Identification Number номер паспорта, паспорт ID, number, passport ID, Russian
Российской паспорт, Русский passport, Russian passport number
номер паспорта, паспорт#,
паспортID#, номерпаспорта#
Russian Taxpayer Russian НДС, номер TIN (tax identification number),
Identification Number налогоплательщика, taxpayer number, taxpayer ID, rax
Налогоплательщика ИД, налог number
число, налогчисло#, ИНН#,
НДС#
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number North French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
1153
Data Identifier Language Keywords English Translation
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number South French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
SEPA Creditor Identifier Bulgarian, Finnish, SEPA-Gläubiger- SEPA creditor identifier, creditor ID,
Number West French, German, Identifikator, Gläubiger- SEPA ID, creditor ID
Irish, Italian, ID, SEPA-ID, Gläubiger- Creditor ID, SEPA ID
Luxembourgish, Kennung SEPA creditor identifier, crediting,
Portuguese, ID créancier, ID SEPA, creditor identification
Spanish Identifiant du créancie SEPA creditor identifier, Creditor
SEPA Krediter Identifier
Identifizéierer, Creditor ID, SEPA ID, Creditor
Kreditergeld, Krediter identifier
Identifizéierer Creditor ID, Creditor Identifier
SEPA kreditoridentifikator, Creditor ID, Creditor Identifier
Kreditoridentifikator Creditor Identifier SEPA, Creditor ID,
Velkojan tunnus, SEPA- SEPA ID, Creditor Identifier
tunnus, Velkojan tunniste SEPA Creditor Identifier, Creditor
ID Creidiúnaí, Aithnitheoir Identifier
Creidiúnaí
ID del creditore,
Identificatore del
creditore
Identificador de acreedor
SEPA, ID del acreedor, ID
de SEPA, Identificador del
acreedor
Identificador Credor SEPA,
Identificador do Credor
1154
Data Identifier Language Keywords English Translation
Serbia Unique Master Serbian јединствен мајстор грађанин Unique master citizen number, unique
Citizen Number Број, Јединствен матични identification number, unique id
број, јединствен број ид, number, National identification number
Национални идентификациони
број
Serbia Value Added Tax Serbian poreski identifikacioni Tax identification number VAT number,
(VAT) Number broj, PORESKI value added tax, VAT, identification
IDENTIFIKACIONI BROJ, number, tax number
Poreski br., ПДВ број,
Порез на додату вредност,
PDV broj, Porez na dodatu
vrednost, porez na dodatu
vrednost, PDV, pdv, ПДВ,
порески идентификациони
број, PIB, pib, пиб,
poreski broj, порески број
Slovakia Driver's Licence Slovak vodičský preukaz, Vodičský Driving license, license number
Number preukaz, VODIČSKÝ PREUKAZ,
číslo vodičského preukazu,
ovládače lic., povolenie
vodiča, povolenia vodičov,
povolenie na jazdu,
povolenie jazdu, číslo
licencie
Slovakia National Hungarian, Slovak identifikačné číslo, ID number, identity card number,
Identification Number személyi igazolvány száma, national identity card number, national
személyigazolvány szám, identification number, identification
číslo občianského preukazu, number, ID card number, identification
identifikačná karta č, card, national identity card
személyi igazolvány szám,
nemzeti személyi igazolvány
száma, číslo národnej
identifikačnej karty,
národná identifikačná karta
č, nemzeti személyazonosító
igazolvány, nemzeti
azonosító szám, národné
identifikačné číslo,
národná identifikačná
značka č, nemzeti azonosító
szám, azonosító szám,
identifikačné číslo
Slovakia Passport Number French, Slovak PASSEPORT, passeport, Passport, passport number, passport
cestovný pas, číslo pasu, no
pas č, Číslo pasu, PAS,
CESTOVNÝ PAS, Passeport n°
Slovakia Value Added Tax Slovak číslo DPH, číslo dane VAT number, value added tax
(VAT) Number z pridanej hodnoty, number, VAT, value added tax, VAT
identifikačné číslo identification number
vat, dph, DPH, daň z
pridanej hodnoty, daň
pridanej hodnoty, číslo
dane pridanej hodnoty,
identifikačné číslo DPH
1155
Data Identifier Language Keywords English Translation
Slovenia Passport Number French, Slovenian številka potnega lista, Passport number, passport, passport
potni list, knjiga potnega book, passport #
lista, potni list #,
passeport, Passeport
Slovenia Tax Identification Slovenian identifikacijska številka Tax identification number, Slovenian
Number davka, Slovenska davčna tax number, tax number
številka, Davčna številka
Slovenia Unique Master Slovenian EMŠO, emšo, edinstvena Unique national number, unique
Citizen Number številka državljana, enotna identification number, uniform
identifikacijska številka, registration number, unique registration
Enotna maticna številka number, citizen's number, unique
obcana, enotna maticna identification number
številka obcana, številka
državljana, edinstvena
identifikacijska številka
Slovenia Value Added Tax Slovenian številka davka na dodano Value added tax number, VAT no,
(VAT) Number vrednost, DDV št, slovenia Slovenia vat no
vat št
South African Personal Afrikaans nasionale identifikasie National identification number, national
Identification Number nommer, nasionale identity number, insurance number,
identiteitsnommer, personal identity number, unique
versekering aantal, identity number, identity number
persoonlike
identiteitsnommer,
unieke identiteitsnommer,
identiteitsnommer,
identiteitsnommer#,
versekeringaantal#,
nasionaleidentiteitsnommer#
South Korea Resident Korean ######, #### Resident Registration Number,
Registration Number Resident Number
Spain Driver's License Spanish permiso de conducción, Driver's license, driver's license
Number permiso conducción, Número number, driving license, driving permit,
licencia conducir, Número driving permit number
de carnet de conducir,
Número carnet conducir,
licencia conducir, Número
de permiso de conducir,
Número de permiso conducir,
Número permiso conducir,
permiso conducir, licencia
de manejo, el carnet de
conducir, carnet conducir
Spain Value Added Tax Spanish Número IVA españa, Número Spain VAT number, Spanish VAT
(VAT) Number de IVA español, español number, VAT Number, VAT, value
Número IVA, Número de valor added tax number, value added tax
agregado, IVA, Número IVA,
Número impuesto sobre
valor añadido, Impuesto
valor agregado, Impuesto
sobre valor añadido, valor
añadido el impuesto, valor
añadido el impuesto numero
1156
Data Identifier Language Keywords English Translation
Spanish Customer Spanish número cuenta cliente, Customer account number, account
Account Number código cuenta, cuenta code, customer account ID, customer
cliente ID, número cuenta bank account number, bank account
bancaria cliente, código code
cuenta bancaria
Spanish DNI ID Spanish NIE número, Documento NIE number, national identity
Nacional de Identidad, document, unique identity, national
Identidad único, Número identity number, DNI number
nacional identidad, DNI
Número
Spanish Passport Number Spanish libreta pasaporte, passport book, passport number,
número pasaporte, Spanish passport, passport
Número Pasaporte, España
pasaporte, pasaporte
Spanish Social Security Spanish Número de la Seguridad Social security number
Number Social, número de la
seguridad social
Spanish Tax ID (CIF) Spanish número de contribuyente, taxpayer number, corporate tax
número de impuesto number, tax identification number, CIF
corporativo, número de number
Identificación fiscal, CIF
número, CIFnúmero#
Sri Lanka National Identity Sinhala See user interface ID, national identity number, personal
Number identification number, National Identity
Card number
Sweden Driver's License Finnish, Romani, ajokortti, permis de Driver's license, driver's license
Number Swedish, Yiddish conducere,ajokortin numero, number, driving license number
kuljettajat lic., drivere
lic., körkort, numărul
permisului de conducere,
שָאפער דערלויבעניש נומער,
körkort nummer, förare
lic., דריווערס דערלויבעניש,
körkortsnummer
Sweden Personal Swedish personnummer ID, personligt ID number, personal ID number,
Identification Number id-nummer, unikt id- unique ID number, personal,
nummer, personnummer, identification number
identifikationsnumret,
personnummer#,
identifikationsnumret#
Sweden Tax Identification Swedish skattebetalarens Tax identification number, Swedish
Number identifikationsnummer, TIN, TIN number
Sverige TIN, TIN-nummer
Sweden Value Added Tax Swedish moms#, sverige moms, Swedish VAT, Swedish VAT number,
(VAT) Number sverige momsnummer, VAT registration number
sverige moms nr, sweden vat
nummer, sweden momsnummmer,
momsregistreringsnummer
Swedish Passport Number Swedish Passnummer, pass, sverige Passport number, passport, Swedish
pass, SVERIGE PASS, sverige passport, Swedish passport number
Passnummer
1157
Data Identifier Language Keywords English Translation
Switzerland Health German, Italian medizinische Kontonummer, Medical account number, health
Insurance Card Number Krankenversicherungskarte insurance card number, health
Nummer, numero conto insurance number
medico, tessera sanitaria
assicurazione numero,
assicurazione sanitaria
numero
Switzerland Passport French, German, Passeport, passeport, Passport, passport number, passport #
Number Italian numéro passeport, numéro passport book
de passeport,passeport#, Passport, passport Number, passport #
No de passeport, No de Passport, passport number, passport
passeport., Numéro de no., passport #
passeport, PASSEPORT, LIVRE Passport, passport #
DE PASSEPORT
Pass, Passnummer, Pass#,
Pass Nr., Pass Nr, PASS
Passaporto, Numero di
passaporto, passaporto,
Passaporto n,Passaporto
n., passaporto#, Passaport,
numero passaporto, numero
di passaporto, numero
passaporto, passaporto n,
PASSAPORTO
Reisepass, Reisepass#,
REISEPASS
Switzerland Value Added French, German, T.V.A, numéro TVA, T.V.A#, VAT, VAT number, VAT #, value added
Tax (VAT) Number Italian numéro taxe valeur ajoutée, tax number, value added tax, VAT
T.V.A., taxe sur la valeur registration number,
ajoutée, T.V.A#, numéro VAT, VAT number, VAT #
enregistrement TVA, Numéro VAT, VAT registration number, VAT #,
TVA VAT number
I.V.A, Partita IVA, I.V.A#,
numero IVA
MwSt, Umsatzsteuer-
Identifikationsnummer,
MwSt#, Mehrwertsteuer-
Nummer, Mehrwertsteuer,
VAT Registrierungsnummer,
Umsatzsteuer-
Identifikationsnummer
Swiss AHV Number French, German, Numéro AVS, numéro AVS number, insurance number,
Italian d'assuré, identifiant national identifier, national insurance
national, numéro number, social security number, AVH
d'assurance vieillesse, number
numéro de sécurité soclale, AHV number, Swiss Registration
Numéro AVH number, PIN
AHV-Nummer, Matrikelnumme, AVS, AVH
Personenidentifikationsnummer
AVS, AVH
1158
Data Identifier Language Keywords English Translation
Swiss Social Security French, German, Identifikationsnummer, Identification number, social security
Number (AHV) Italian sozialversicherungsnummer, number, personal identification ID, tax
identification identification number, tax ID, social
personnelle ID, security number, tax number
Steueridentifikationsnummer,
Steuer ID, codice fiscale,
Steuernummer
Taiwan ROC ID Chinese (Traditional) ######### Taiwan ID
Thailand Passport Number Thai ########### Passport, passport number
###,#####################
Thailand Personal ID Thai ##############, Insurance number, personal
Number ########################, identification, identification number
###########################,
###############,
#########################,
###########################
Turkish Identification Turkish Kimlik Numarası, Türkiye Identification number, Turkish Republic
Number Cumhuriyeti Kimlik identification number, citizen identity,
Numarası, vatandaş kimliği, personal identification number, citizen
kişisel kimlik no, kimlik identification number
Numarası#, vatandaş kimlik
numarası, Kişisel kimlik
Numarası
Ukraine Identity Card Ukrainian посвідчення особи України Ukraine identity card
Ukraine Passport Number Ukrainian паспорт, паспорт Passport, Ukraine passport, passport
(Domestic) України, номер паспорта, number
персональний
Ukraine Passport Number Ukranian паспорт, паспорт України, Passport, Ukraine passport, passport
(International) номер паспорта number
United Arab Emirates Arabic رقم,الهوية الشخصية رقم Personal ID Number, PIN, Unique ID
Personal Number فريدة من,التعريف الشخصي Number, Insurance Number, Unique
التأمين,نوعها هوية رقم Identity #
هوية فريدة,التأمينرقم,رقم#
Venezuela National ID Spanish cédula de identidad National ID number, national
Number número, clave única de identification number, personal ID
identidad, personal de number, personal identification, unique
identidad clave, personal identification number
de identidad, número de
identificación nacional,
número ID nacional
1159
With whole word matching, keywords match at word boundaries only (\W in the regular expression lexicon). Any character other than A-Z, a-z, and 0-9 is interpreted as a word boundary. With whole word matching, keywords must have at least one alphanumeric character (a letter or a number). A keyword that contains no alphanumeric characters, such as ".." or only white space, is ignored.
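The boundary rule above, as an added example that is not part of the Symantec documentation: a small Python matcher that treats only A-Z, a-z and 0-9 as word characters, so that, unlike Python's own \b, a non-ASCII letter such as ü counts as a boundary, and that drops keywords without an alphanumeric character. Whether matching is case-sensitive is not stated on the page and is a parameter here; the sample text and keyword list are constructed.

```python
import re

# Word characters under the whole-word rule: only A-Z, a-z and 0-9.
# Every other character (space, punctuation, and also non-ASCII letters such
# as "ü" or "é") is a word boundary. Case sensitivity is not specified on the
# page, so it is a parameter here (assumption; default is exact case).
WORD_CHARS = "A-Za-z0-9"


def is_valid_keyword(keyword: str) -> bool:
    """A keyword needs at least one A-Z, a-z or 0-9 character; otherwise it is ignored."""
    return re.search(f"[{WORD_CHARS}]", keyword) is not None


def compile_whole_word(keyword: str, ignore_case: bool = False) -> re.Pattern:
    """Build the whole-word pattern for one keyword.

    Lookarounds are used instead of \\b: Python's \\b treats "ü" as a word
    character, but under the A-Z/a-z/0-9 rule "ü" is a boundary.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(
        f"(?<![{WORD_CHARS}]){re.escape(keyword)}(?![{WORD_CHARS}])", flags
    )


def match_keywords(text: str, keywords, ignore_case: bool = False) -> dict:
    """Return {keyword: match count} for every valid keyword found in text."""
    hits = {}
    for kw in keywords:
        if not is_valid_keyword(kw):
            continue  # e.g. ".." or "   " is silently ignored
        n = len(compile_whole_word(kw, ignore_case).findall(text))
        if n:
            hits[kw] = n
    return hits


# Constructed sample text and keyword list (keywords taken from the German
# passport and driver's license rows above); not a real document.
SAMPLE_TEXT = (
    "Reisepass Nr. 12345 - Passnummer: C01X00T47. "
    "Führerschein C1E; neuer Pass# ausgestellt."
)
SAMPLE_KEYWORDS = ["Pass", "Passnummer", "Führerschein", "hrerschein", "..", "Reisepasskein#"]

if __name__ == "__main__":
    # "Pass" does not match inside "Passnummer" (followed by a letter) but does
    # match "Pass#"; "hrerschein" matches inside "Führerschein" because "ü" is a
    # boundary; ".." is ignored as an invalid keyword.
    for kw, n in match_keywords(SAMPLE_TEXT, SAMPLE_KEYWORDS).items():
        print(f"{kw!r}: {n}")
```

The "hrerschein" hit shows the practical caveat of the rule: a keyword that starts or ends next to a non-ASCII letter in the text is treated as whole-word even though it sits inside a longer word.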
About keyword matching for Chinese, Japanese, and Korean (CJK) languages
To detect a custom file type, you use the Symantec Data Loss Prevention Scripting Language to write a custom script
that detects the binary signature of the file format that you want to protect. To implement this match condition you need to
enable it on the Enforce Server.
Enabling the Custom File Type Signature condition in the policy console
Configuring the Custom File Type Signature condition
Refer to the Symantec Data Loss Prevention Detection Customization Guide for the language syntax and examples.
NOTE
The Symantec Data Loss Prevention Scripting Language only identifies custom file formats; it does not extract
content from custom file types.
The Total Attachment File Size and Total Attachment File Count rules are available on both Windows and Mac
endpoints. On Windows, they apply to Microsoft Outlook and IBM (Lotus) Notes events. On Mac, they apply to Outlook for
Mac events.
Configuring the Message Attachment or File Size Match condition
| Condition | Description |
| --- | --- |
| Message Attachment or File Type Match | Detect or except specific files and attachments by type. About file type matching. Configuring the Message Attachment or File Type Match condition |
| Message Attachment or File Size Match | Detect or except specific files and attachments by size. About file size matching. Configuring the Message Attachment or File Size Match condition |
| Message Attachment or File Name Match | Detect or except specific files and attachments by name. About file name matching. Configuring the Message Attachment or File Name Match condition |
| Custom File Type Signature | Detect or except custom file types. |
subfile_kv0.tmp has duplicate matches as in kveml.mail. The two duplicate matches increase the total
match count for the incident.
• If Message Attachment or File Size Match is selected for the file size detection condition, an extra
attachment that is labeled smime.p7m appears in the incident snapshot. The extra attachment increases the
match count of the incident.
• For a plain-text signed S/MIME email (without an attachment), the matches in the body are displayed in the
subfile_kv0.tmp file.
• Signed emails with no attachments are displayed with an attachment icon in the incident list, because the
intermediate file is flagged as an attachment.
About file type matching
1. Add a Message Attachment or File Type Match condition to a policy rule or exception, or edit an existing one.
Configuring policies
Configuring policy rules
Configuring policy exceptions
2. Configure the Message Attachment or File Type Match condition parameters.
Message Attachment or File Type Match condition parameters
3. Click Save to save the policy.
| Action | Description |
| --- | --- |
| Select the file type or types to match. | Select all the formats that you want to match. Supported formats for file type identification. Click select all or deselect all to select or deselect all formats. To select all formats within a certain category (for example, all word-processing formats), click the section heading. The system implies an OR operator among all file types you select. For example, if you select Microsoft Word and Microsoft Excel file type attachments, the system detects all messages with Word or Excel documents attached; it does not require both attachment types to be present. |
| Match on attachments only. | This condition only matches on the Message Attachments component. Detection messages and message components |
| Also match on one or more conditions. | Select this option to create a compound rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. Configuring compound rules |
Configuring policy exceptions
2. Select the Message Attachment or File Type Match condition:
Message Attachment or File Size Match parameters
3. Click Save to save the policy.
Action – Description
Single File Size – Select More Than to specify the minimum file size of the file to match or Less Than to specify the maximum file size to qualify a match. Enter a number, and select the unit of measure: bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB).
Total Attachment File Size – Enter a number, and select the unit of measure: bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB) to qualify a match.
Total Attachment File Count – Enter a number to specify the number of files to qualify a match.
Match on attachments only. – Select one or both of the following message components on which to base the match:
• Envelope – The option is not applicable for these options.
• Subject – The option is not applicable for these options.
• Body – The content of the message (This option applies only to Single File Size).
• Attachments – Any files that are attached to the message or transferred by the message.
Selecting components to match on
Also match one or more conditions. – Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list.
Configuring compound rules
3. Click Save to save the policy.
Action – Description
Specify the File Name. – Specify the file name to match using the DOS pattern matching language to represent patterns in the file name. Separate multiple matching patterns with commas or by placing them on separate lines.
File name matching syntax
File name matching examples
Match on attachments. – This condition only matches on the Message Attachments component.
Detection Messages and Message Components
Also match one or more conditions. – Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list.
Configuring compound rules
Match objective – Example
To match a Word file name that begins with ENG- followed by any eight characters: ENG-????????.doc
If you are not sure that it is a Word document: ENG-????????.*
If you are not sure how many characters are in the name: ENG-*.*
To match all file names that begin with ENG- and all file names that begin with ITA-: Enter as comma separated values: ENG-*.*,ITA-*
Enabling the Custom File Type Signature Condition in the Policy Console
By default the Custom File Type Signature policy condition is not enabled. To implement the Custom File Type
Signature condition, you must first enable it.
About custom file type identification
To enable the Custom File Type Signature rule
1. Using a text editor, open the file \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config\Manager.properties
2. Set the value of the following parameter to "true":
com.vontu.manager.policy.showcustomscriptrule=true
Action – Description
Enter the Script Name. – Specify the name of the script. The name must be unique across policies.
Enter the custom file type script. – Enter the File Type Matches Signature script for detecting the binary signature of the custom file type. See Detection Customization for details on writing custom scripts.
Match only on attachments. – This condition only matches on the Message Attachments component.
Detection Messages and Message Components
Also match one or more conditions. – Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list.
Configuring compound rules
Use compound file property rules to protect design and multimedia files
You can use IDM to protect files, or you can use file property rules. Unless you must protect an exact file, the general
recommendation is to use the file property rules because there is less overhead in setting up the rules.
For example, if you want to detect CAD files that contain IP diagrams, you could index these files and apply IDM rules to
detect them. Alternatively, you could create a policy that contains a file type rule that detects on the CAD file format plus a
file size rule that specifies a threshold size. The file property approach is preferred because in this scenario all you really
care about is protecting large CAD files potentially leaving the company. There is no need to gather and index these files
for IDM if you can simply create rules that will detect on the file type and the size.
Example
Any characters you enter (other than the DOS operators) match exactly.
For example, to match a Word file name that begins with ENG- followed by any eight characters, enter: ENG-????????.doc
If you are not sure that it is a Word document, enter: ENG-????????.*
If you are not sure how many characters follow ENG-, enter: ENG-*.*
To match all file names that begin with ENG- and all file names that begin with ITA-, enter: ENG-*.*,ITA-* (comma separated), or place each pattern on a separate line.
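As an added illustration, not code from the Symantec documentation, the Python matcher below applies the DOS-style patterns above to sample file names. It assumes that ? matches exactly one character, * matches any run of characters (including none), every other character matches literally, and patterns separated by commas or line breaks are combined with OR; it also assumes case-insensitive comparison, which this page does not state.

```python
import re

# Added example (not Symantec's code): a small matcher for the DOS-style
# file name patterns used by the Message Attachment or File Name Match
# condition. Case-insensitive comparison is an assumption, not a documented
# behaviour of the product.

def dos_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one DOS wildcard pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")          # any run of characters, possibly empty
        elif ch == "?":
            parts.append(".")           # exactly one character
        else:
            parts.append(re.escape(ch))  # everything else matches literally
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def parse_pattern_list(text: str) -> list:
    """Split the condition value on commas or line breaks, dropping blanks."""
    return [p.strip() for p in re.split(r"[,\r\n]+", text) if p.strip()]

def file_name_matches(file_name: str, patterns: str) -> bool:
    """True if the name matches any pattern in the list (the implicit OR)."""
    return any(dos_pattern_to_regex(p).match(file_name)
               for p in parse_pattern_list(patterns))

if __name__ == "__main__":
    # Constructed sample file names, not taken from any real incident.
    samples = ["ENG-20240101.doc", "ENG-2024.doc", "ITA-report", "FRA-x.doc"]
    for name in samples:
        print(name,
              file_name_matches(name, "ENG-????????.doc"),
              file_name_matches(name, "ENG-*.*,ITA-*"))
```

The same function accepts the patterns on separate lines ("ENG-*.*\nITA-*") because the splitter treats commas and line breaks alike.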
Use scripts and plugins to detect custom file types
Symantec Data Loss Prevention provides two mechanisms for detecting custom file types: the DLP Scripting Language
and the Content Extraction SPI. If the only requirement is file type recognition, it may be easier to write a script than an
SPI plugin. But, there may be occasions where using a script is inadequate.
The scripting language does not support loops; you cannot iterate over the bytes of a file and process them. The
scripting language is designed to detect a known signature at a relatively fixed offset. You cannot use the scripting
language to detect subtypes of the same document type. For example, if you wanted to detect password-protected PDF files,
you could not use the scripting language. Or, if you wanted to detect only Word documents with track changes enabled,
you would have to write a plugin. On the other hand, you can deploy a script to the endpoint; currently plugins are server-based only.
For more information on writing custom scripts, see About detection customization.
Custom file type identification – Symantec Data Loss Prevention detects more than 300 file types. However, if the type of file you want to detect is not supported, you can detect it using a custom script. Use the Symantec Data Loss Prevention Scripting Language to write a script that detects the binary signature of the particular file format you want to detect.
Note: For a complete list of supported file types, see Overview of detection file format support.
About the scripting language
Workflow for detecting custom file types
Custom script validators for Data Identifiers – Symantec Data Loss Prevention provides you with Data Identifiers to detect file contents. Data Identifiers use validation checks to increase match accuracy and reduce false positives. Symantec Data Loss Prevention provides more than 150 system-defined Data Identifier validators. In addition, you can use the Data Loss Prevention Scripting Language to write your own custom script validators for Data Identifiers.
Note: For more information about Data Identifiers, see Introducing Data Identifiers.
About the scripting language
File Type Analyzer – The Symantec Data Loss Prevention File Type Analyzer utility helps you determine the unique bytes of the custom file type you want to detect. You can then use the Symantec Data Loss Prevention Scripting Language to accurately identify custom file formats.
About the File Type Analyzer utility
Table 604: Detection features that support scripting
Feature – Description
Custom File Type Signature detection – The DLP Scripting Language lets you write a script that detects the unique bytes of a custom file type.
Workflow for detecting custom file types
Custom script validators for Data Identifiers – The DLP Scripting Language lets you write a script to validate patterns in a message.
Implementing custom script validators
System variables
System variables store the data that you can check and manipulate. For custom file type detection, the script has access
to the entire file by the $data variable. For custom validators, the script has access to the raw message, the normalized
message, and the 10 bytes preceding and trailing the matched data. For custom validators the script does not have
access to the entire message.
WARNING
Do not assign values to system variables. These variables already hold system-defined data. Use a local
variable such as $result to assign values. You should not use system variables with logical, assignment, or
arithmetic operations.
Table 605: System variables
Variable – Description
$data – The script engine creates the byte array $data variable when it reads in a file. The $data variable stores the entire file.
$match – The script engine stores the data that match the pattern in the $match variable before it is normalized.
$normalizedMatch – The script engine stores the normalized matched data in the $normalizedMatch variable after it is normalized.
$matchPrefix – You can use this variable to verify if a message starts with a certain pattern. It holds the 10 bytes before the matched pattern.
$matchSuffix – You can use this variable to verify if a message ends with a certain pattern. It holds the 10 bytes after the matched pattern.
Assert statement
The Assert statement evaluates a Boolean expression and asserts the value "true" when the expression returns a match.
The Assert statement must end with a semicolon.
The Assert statement supports all regular Boolean expressions:
• == evaluates to
• >= greater than or equal to
• <= less than or equal to
• > greater than
• < less than
• != does not evaluate to
If/Else statements
You use the If/Else conditional statement to control the flow of program execution. The If/Else statement lets you include
conditional logic in your script when you need to evaluate the unique bytes of a complex data set.
The If/Else condition operates the same as conditional statements that other programming languages provide. The If/Else
statement takes a Boolean expression, evaluates it, and alters the execution of the program based on the result of the
expression.
The following example shows one way to use the If/Else conditional statement:
if ($var1 == 3)
{
// statement
// statement
}
else
// statement
The scripting language supports nested execution of the statements that are contained within the conditional statement.
To use nested statements, you use brackets within the scope of an If/Else statement to offset the multiple script
statements.
If the data set you want to evaluate requires more advanced conditional logic, you can declare multiple If/Else statements
nested within each other.
Evaluate statement
The Evaluate statement provides a number of functions that you can use to evaluate data. Not all functions are
available for each feature.
Function – Custom File Type Signature detection – Custom script validators for Data Identifiers
Addition – X – X
AsciiValue – X – NO
DataLength – X – X
Execute+ – X – x
GetAsciiStringAt – X – X
GetBinaryIntValue – X – NO
GetBinaryValueAt – X – NO
GetHexStringValueAt – X – NO
GetIntegerAt – X – X
GetStringValueAt – NO – X
Modulus – X – X
Multiply – X – X
Print+ – X – x
ReadFile+ – X – x
Subtract – X – X
Key:
• X = Feature supports the statement on server and endpoint.
• NO = Statement is not supported by that feature.
• x = Statement is not supported on the endpoint; server-side only.
• + = Advanced function, requires you to set the system property "genieScript.ADVANCED_FUNCTION_ENABLED.str" to true.
Evaluate statement functions
You use Evaluate statements to execute functions on variable or constant data values. You can save the return value of
an Evaluate function as a variable or discard the return value. Evaluate statements must end with a semicolon.
NOTE
To ensure that your scripts run on the server and the endpoint, script values must be specified in hexadecimal
(hex) notation. For example, $int4 = getBinaryValueAt($data,0x19,2) is proper. However, if the following
non-hex value is specified in an endpoint environment, the script causes the DLP Agent to crash: $int4 =
getBinaryValueAt($data,25,2).
Function – Description – Example
Addition (add) – The Addition function takes two or more values as arguments, adds them together, and returns the result. The values can be variables or constants. You can save the returned result as a variable or discard the result. – Add two variables together and return the value in the variable $result:
$result = add($var1, $var4);
Add two constants together but discard the value:
add(1, 2);
Add three values together:
$result = add($var1, 2, $var4);
AsciiValue (ascii) – The AsciiValue function takes a single ASCII string as a parameter and assigns it to the specified variable. The length of the ASCII parameter must be from one to four characters. You can use this statement for readability purposes. – $result = ascii('CFV');
The $result variable is assigned the specified ASCII value.
DataLength (datalength) – The DataLength function counts the length of the variable array. The function takes the variable name of a byte array as a parameter and returns the number of bytes in that array. – $result = datalength($data);
The engine creates the byte array $data variable when it reads in a file. The $data variable stores up to the first 4 KB of the file.
Execute (execute; advanced function) – The Execute function allows a user to call methods on any Java objects available as variables in the script's computation state. For example, if you have a String saved under the variable name $data, you can call the String's equals method using the execute function. – $result = execute($string1, equals, $string2);
Assuming that a String is saved under the variable $string.
GetAsciiStringAt (getAsciiStringAt) – The GetAsciiStringAt function treats the data as ASCII characters and converts the data into a string. The data is converted starting from the specified offset for the specified number of digits. – The variable $data is a byte array with the values 'abcdef'.getBytes(); the result should be abc:
$result = getAsciiStringAt($data, 0x0, 3);
GetBinaryIntValue (getBinaryIntValue) – The GetBinaryIntValue function pulls the byte data as an integer from the specified index of a byte array variable. It also allows a user to specify how many digits to pull from the data. Since the return value is an integer, the number of digits has to be 1 – 4 bytes. You can use this function to analyze data at specific offsets of a byte array. The digits are combined to form an integer value. – $result = getBinaryIntValue($data, 0x0, 1);
The $data variable is a byte array with values {(byte)0x59, (byte)0xAD, (byte)0x1C, (byte)0xDF, (byte)0x2B, (byte)0x37}. In this example the $result should equal 89.
$result = getBinaryIntValue($data, 1);
The $data variable is a byte array with values {1, 2, 3}. The $result should equal 2.
GetBinaryValueAt (getBinaryValueAt) – The GetBinaryValueAt function pulls the byte data into a new byte array based on the offset and length specified. The new byte array can then be compared to other byte arrays for equality. This function lets you specify how many digits to retrieve from the data (from 1 – 4 bytes). You use this function to analyze data at specific offsets of a byte array. Note: GetBinaryValueAt() returns an array with the bytes, whereas GetBinaryIntValue() returns an integer that is composed of the bytes. – The variable $data is a byte array with values {(byte)0x59, (byte)0xAD, (byte)0x1C, (byte)0xDF, (byte)0x2B, (byte)0x37}. The $result should be a byte array with the byte 0x59:
$result = getBinaryValueAt($data, 0x0, 1);
The $data variable is a byte array with values {1, 2, 3}. The $result should equal a new byte array with the number 2 in it:
$result = getBinaryValueAt($data, 1);
Example scripts for custom file type detection
Listed here are several example script solutions that detect custom file types. These examples can be used as reference
for writing your own custom scripts and for detecting the indicated custom file type.
The following script example detects the Microsoft Word file type:
$Int1 = getHexStringValue('D0CF');
$Int2 = getBinaryValueAt($data, 0x0, 2);
assertTrue($Int1 == $Int2);
$Int3 = getHexStringValue('ECA5');
$Int4 = getBinaryValueAt($data, 0x200, 2);
assertTrue($Int3 == $Int4);
NOTE
EPUB files are in the open book format (XML) encapsulated in a zip file format. You cannot test this script
using the File Type Analyzer utility because the script detects the "application/epub+zip" string contained in
the manifest file (named "mimetype"). The utility cannot crack the zip file to read the manifest. However, the
detection engine can crack the zip file and read the manifest. You can implement this script in an instance of the
Custom File Type Signature detection rule and detect EPUB files.
The following script example detects the Amazon Kindle file type:
$book=ascii('BOOK');
$mobi=ascii('MOBI');
$word1=getBinaryValueAt($data, 0x3c, 4);
$word2=getBinaryValueAt($data, 0x40, 4);
assertTrue($book == $word1);
assertTrue($mobi == $word2);
$null=getBinaryValueAt($data, 0x3b, 1);
assertTrue($null == 0);
$nullx=getBinaryValueAt($data, 0x44, 1);
assertTrue($nullx == 0);
The following script example detects the Oracle IRM file type, which is used for Digital Rights Management (DRM):
$soft=ascii('Soft');
$seal=ascii('SEAL');
$word1=getBinaryValueAt($data, 0x0, 4);
$word2=getBinaryValueAt($data, 0x4, 4);
assertTrue($soft == $word1);
assertTrue($seal == $word2);
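The following Python model is added here and is not part of the Symantec documentation. It serves both the Evaluate function table above (getBinaryValueAt, getBinaryIntValue, getAsciiStringAt, getHexStringValue, ascii, datalength, mod) and the three example scripts, which it restates statement by statement so they can be exercised outside the product; it also generalizes to the encryption-flag test from Tutorial 2 on this page. The byte order used to assemble integers and the handling of reads past the end of $data are assumptions, not behaviour the page states, and the sample byte strings are constructed, not real files.

```python
# Added example, not Symantec's code: a Python model of the Evaluate functions
# used by the custom file type scripts, plus the page's Word, Kindle and
# Oracle IRM checks and the ZIP encryption-flag check from Tutorial 2.
# Assumptions (not stated on the page): integers are assembled big-endian,
# and a read past the end of $data fails the script rather than matching.

def get_binary_value_at(data: bytes, offset: int, length: int = 1) -> bytes:
    """getBinaryValueAt: copy `length` (1-4) bytes starting at `offset`."""
    if not 1 <= length <= 4:
        raise ValueError("length must be 1-4 bytes")
    chunk = data[offset:offset + length]
    if len(chunk) != length:               # reading past the end of $data
        raise ValueError("offset/length beyond end of data")
    return chunk

def get_binary_int_value(data: bytes, offset: int, length: int = 1) -> int:
    """getBinaryIntValue: the same bytes combined into one integer."""
    return int.from_bytes(get_binary_value_at(data, offset, length), "big")

def get_ascii_string_at(data: bytes, offset: int, length: int) -> str:
    """getAsciiStringAt: bytes at offset decoded as ASCII text."""
    return data[offset:offset + length].decode("ascii")

def get_hex_string_value(hex_text: str) -> bytes:
    """getHexStringValue: 'D0CF' -> the two bytes 0xD0 0xCF."""
    return bytes.fromhex(hex_text)

def ascii_value(text: str) -> bytes:
    """ascii: a literal of one to four ASCII characters, as bytes."""
    if not 1 <= len(text) <= 4:
        raise ValueError("ascii literal must be 1-4 characters")
    return text.encode("ascii")

def datalength(value: bytes) -> int:
    """datalength: number of bytes in a byte array."""
    return len(value)

def mod(value, divisor: int) -> int:
    """mod: remainder; a one-byte array is treated as its integer value."""
    if isinstance(value, (bytes, bytearray)):
        value = int.from_bytes(value, "big")
    return value % divisor

def is_ms_word(data: bytes) -> bool:
    """Page's Word script: D0CF at offset 0 and ECA5 at offset 0x200."""
    try:
        return (get_binary_value_at(data, 0x0, 2) == get_hex_string_value("D0CF")
                and get_binary_value_at(data, 0x200, 2) == get_hex_string_value("ECA5"))
    except ValueError:
        return False   # too short to hold the signature: no match

def is_kindle(data: bytes) -> bool:
    """Page's Kindle script: 'BOOK' at 0x3c, 'MOBI' at 0x40, NUL at 0x3b and 0x44."""
    try:
        return (get_binary_value_at(data, 0x3c, 4) == ascii_value("BOOK")
                and get_binary_value_at(data, 0x40, 4) == ascii_value("MOBI")
                and get_binary_int_value(data, 0x3b, 1) == 0
                and get_binary_int_value(data, 0x44, 1) == 0)
    except ValueError:
        return False

def is_oracle_irm(data: bytes) -> bool:
    """Page's Oracle IRM script: 'Soft' at offset 0 and 'SEAL' at offset 4."""
    try:
        return (get_binary_value_at(data, 0x0, 4) == ascii_value("Soft")
                and get_binary_value_at(data, 0x4, 4) == ascii_value("SEAL"))
    except ValueError:
        return False

def is_encrypted_zip(data: bytes) -> bool:
    """Tutorial 2's script: 'PK' 03 04 local header, then bit 0 of byte 6 set."""
    try:
        return (get_binary_value_at(data, 0x0, 2) == ascii_value("PK")
                and get_binary_value_at(data, 0x2, 2) == get_hex_string_value("0304")
                and mod(get_binary_value_at(data, 0x6, 1), 2) == 1)
    except ValueError:
        return False

# Constructed sample inputs (not real files): the smallest byte layouts that
# carry each signature, plus one that should match nothing.
SAMPLE_WORD = b"\xd0\xcf\x11\xe0" + b"\x00" * (0x200 - 4) + b"\xec\xa5" + b"\x00" * 16
SAMPLE_KINDLE = b"\x00" * 0x3c + b"BOOKMOBI" + b"\x00" * 8
SAMPLE_IRM = b"SoftSEAL" + b"\x00" * 8
SAMPLE_ZIP_PLAIN = b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 24
SAMPLE_ZIP_ENC = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 24
SAMPLE_OTHER = b"%PDF-1.7\n" + b"\x00" * 0x300

if __name__ == "__main__":
    for label, blob in [("word", SAMPLE_WORD), ("kindle", SAMPLE_KINDLE),
                        ("irm", SAMPLE_IRM), ("zip-enc", SAMPLE_ZIP_ENC),
                        ("zip-plain", SAMPLE_ZIP_PLAIN), ("other", SAMPLE_OTHER)]:
        print(label, is_ms_word(blob), is_kindle(blob), is_oracle_irm(blob), is_encrypted_zip(blob))
```

Each detector mirrors the assertTrue chain of its script: every comparison must hold, and a file too short to reach the tested offset is treated as a mismatch rather than a match, which is the safe default for a signature rule.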
In addition, the following two tutorials offer additional examples of the scripting language:
• Java class files
Tutorial 1: Detecting Java class files
• Password-encrypted zip files
Tutorial 2: Detecting an encrypted ZIP file format
Parameter – Description
Pattern – \d{5}
Normalizer – Do Nothing
Custom Script –
$s1 = getStringValueAt($normalizedMatch, 0x4,1); // Get the 5th digit
$s2 = getStringValueAt($normalizedMatch, 0x0,4); // Get the first 4 digits
$size1 = datalength($s1); // Calculate the length; it should be 1
$size2 = datalength($s2); // Calculate the length; it should be 4
assertTrue($size1 == 1); // Check if size = 1
assertFalse($size2 != 4); // Check if size is anything other than 4
The following custom script validates a 10-character string in the form of LL/MM/DD/YYYY. The first two characters
are the initials of the person and are excluded from validation. The remaining digits are saved into separate variables,
computed by a multiplier, and added. Then they are compared to ensure that they conform to a proper day (less than 32),
month (less than 13), and year (less than 2051).
Parameter – Description
Pattern – \l{2}\d{8}
The following custom script validator can be used to verify the match of a Turkish ID number. A Turkish ID is an 11-digit
number. The first digit cannot be zero. The 10th and 11th digits are check digits for error detection.
Parameter – Description
Pattern – \d{11}
Parameter – Description
Custom Script –
$k1 = getIntegerAt($normalizedMatch, 0x0, 1);
$k2 = getIntegerAt($normalizedMatch, 0x1, 1);
$k3 = getIntegerAt($normalizedMatch, 0x2, 1);
$k4 = getIntegerAt($normalizedMatch, 0x3, 1);
$k5 = getIntegerAt($normalizedMatch, 0x4, 1);
$k6 = getIntegerAt($normalizedMatch, 0x5, 1);
$k7 = getIntegerAt($normalizedMatch, 0x6, 1);
$k8 = getIntegerAt($normalizedMatch, 0x7, 1);
$k9 = getIntegerAt($normalizedMatch, 0x8, 1);
$c1 = getIntegerAt($normalizedMatch, 0x9, 1);
$c2 = getIntegerAt($normalizedMatch, 0xA, 1);
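Added example, not the product's script: the two custom validators described above, restated in Python so the logic can be tried on sample matches. The date check uses exactly the bounds the page states (day less than 32, month less than 13, year less than 2051); the Turkish ID check digits follow the publicly documented algorithm, which is an assumption here since the page's script stops after extracting the digits. Both functions receive the Data Identifier's normalized match as a string, the role $normalizedMatch plays in the script, and all sample values are constructed.

```python
import re

# Added example (not Symantec's script). get_integer_at stands in for the
# script language's getIntegerAt on a string of decimal digits.

def get_integer_at(text: str, offset: int, length: int) -> int:
    """Counterpart of getIntegerAt: the decimal digits at offset as an int."""
    return int(text[offset:offset + length])

def validate_initials_date(normalized_match: str) -> bool:
    r"""Pattern \l{2}\d{8}: two initials (ignored) then MM DD YYYY digits."""
    if not re.fullmatch(r"[A-Za-z]{2}\d{8}", normalized_match):
        return False
    # Digits are read one at a time and combined with a multiplier, as the
    # page describes. Only the page's upper bounds are checked; lower bounds
    # (e.g. month 00) are not, matching the description on the page.
    month = get_integer_at(normalized_match, 2, 1) * 10 + get_integer_at(normalized_match, 3, 1)
    day = get_integer_at(normalized_match, 4, 1) * 10 + get_integer_at(normalized_match, 5, 1)
    year = sum(get_integer_at(normalized_match, 6 + i, 1) * 10 ** (3 - i) for i in range(4))
    return day < 32 and month < 13 and year < 2051

def validate_turkish_id(normalized_match: str) -> bool:
    r"""Pattern \d{11}: first digit non-zero; digits 10 and 11 are check digits.

    Check-digit rule (assumption: the publicly documented algorithm):
      c1 = ((k1+k3+k5+k7+k9) * 7 - (k2+k4+k6+k8)) mod 10
      c2 = (k1+...+k9 + c1) mod 10
    """
    if not re.fullmatch(r"\d{11}", normalized_match):
        return False
    k = [get_integer_at(normalized_match, i, 1) for i in range(9)]   # $k1..$k9
    c1 = get_integer_at(normalized_match, 9, 1)                       # $c1
    c2 = get_integer_at(normalized_match, 10, 1)                      # $c2
    if k[0] == 0:
        return False
    odd_sum = k[0] + k[2] + k[4] + k[6] + k[8]
    even_sum = k[1] + k[3] + k[5] + k[7]
    expected_c1 = (odd_sum * 7 - even_sum) % 10
    expected_c2 = (sum(k) + expected_c1) % 10
    return c1 == expected_c1 and c2 == expected_c2

if __name__ == "__main__":
    # Constructed sample matches: one valid and one invalid for each validator.
    for s in ["AB12312024", "AB13012024", "10000000146", "10000000145"]:
        print(s, validate_initials_date(s), validate_turkish_id(s))
```

A validator of this kind runs only on text the pattern has already matched, so its job is to reject the well-formed but impossible values (a 13th month, a wrong check digit) that a regular expression alone lets through.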
The File Type Analyzer is included in the Symantec_DLP_16.0_Platform_(OS)-IN.zip file that can be downloaded
from the Broadcom Product Downloads portal.
1. Double-click the fileanalyzer_windows_x64-4_0_1.exe executable.
2. At the "Welcome" screen, click Next.
3. Accept the default Destination Directory C:\Program Files\File Analyzer.
Or, you can change the Destination Directory to one you prefer.
4. Click Next to install the utility.
5. Click Finish to complete the installation process.
Parameter – Use
Add Directory – This option lets you choose which directories to include in the file analysis. You can add multiple directories to a single data set.
Each directory that you select should contain samples of the file type you want to analyze and ultimately detect. To have a useful data set, include several samples of the file type, including different versions of the product with different features enabled and disabled.
Note: To achieve the best results, the recommended minimum sample size is 15 files of the same file type.
Remove Directory – This option lets you remove a directory that you have added to the data set. You can select multiple directories to remove. When a directory is removed, it is no longer scanned as part of the data set.
File Name Filter – This field contains a regular expression pattern that tells the utility what files from each directory to include in the data set. A regular expression is used because it provides flexibility for filtering the files that you want to include in your data set.
The following regular expression reads in all ASCII file names from a directory (or directories) to a data set:
[\w\s]+.[\w]+
The following regular expression lets you filter the file names that use non-ASCII characters:
[^0x00]+.[\w]+
Note: For assistance with using regular expressions for file name filtering, see the topic "About writing regular expressions" in the Symantec Data Loss Prevention Help Center.
Number of Bytes – This field specifies the number of bytes per file to display for analysis. The default maximum value for this field is 1024 bytes.
Increasing the number of bytes that are analyzed
Chunk Size – This field represents the size of the group of bytes to be displayed in a column. For example, if you enter 2 in this field, the utility displays 2 bytes of data in each column (offset).
Parser Type – This option defines how the data is displayed for analysis from the scanned data set.
• The BYTE option displays the analysis results in hexadecimal format representing the corresponding byte value.
• The ASCII option displays the analysis results as ASCII characters.
• The NUMBER option displays the analysis results in integer format.
Recursive Scan – If this box is checked, the utility scans each directory and any subdirectories that are included in the data set. If a directory contains subdirectories where files you want to scan are located, choose this option.
Note: Recursive scanning is memory intensive. If you want to analyze either a large or a recursive data set, consider increasing the Java heap size to improve performance.
Increasing the Java heap size for large or recursive data sets
Analyze Dataset – Click this option when you have completed configuring the data set. The File Type Analyzer utility validates the input and initiates the file analysis process. The utility reads in all the necessary data and displays the results in the "Analyze Dataset" screen.
types that use unique bytes within the same file to indicate file type. For example, the CADAM file type (*.cdd) uses the
same values for bytes 0 – 3 and bytes 8 – 11 within each file, but these values are different across files.
Once you have analyzed the results and determined the magic bytes, the next step is to write a script to detect the file
type.
About the scripting language syntax
Refer to the tutorials for instructions on creating the data set, analyzing the results, and writing a script to detect a custom
file type. These tutorials demonstrate how the File Type Analyzer utility works and should help you get started scripting
solutions to detect custom file types.
Tutorial 1: Detecting Java class files
Tutorial 2: Detecting an encrypted ZIP file format
Table 613: Parameters for testing the script solution against the data set
Parameter – Use
Solution – This field is where you enter the script text you want to use to detect the custom file type.
About the scripting language syntax
Notes – This field provides a mechanism for annotating the data set you have configured and your script solution.
Symantec Data Loss Prevention File Type Analyzer utility interface
This field is useful for saving your data set configurations and script solutions.
Saving, opening, editing a data set
Test Solution – Click this option to verify that your script accurately detects the custom file type.
When you test your solution, the utility takes the data from the data set table and filters the files based on the data set criteria. Once the data set is built, the script engine runs the solution against the data set. Then it displays the results in the "Test Dataset Results" screen. The displayed results give you an indication of how well your script has worked to detect the custom file type.
The "Test Dataset Results" screen displays the results of the test in two tabbed panes:
• Matched Files – The top pane lists all the files in the configured data set that your script detected.
• Mismatched Files – The bottom pane displays all the files in the configured data set that your script did not detect.
This bifurcated display lets you quickly assess the accuracy of your script. You can easily see files matched that should
not (false positives). You can also see the files that failed to match but should have (false negatives). Finally, you can see
if there is any discrepancy between a file extension and the actual file type based on its unique bytes.
Table 614: Options for saving, opening, editing a data set
Parameter – Use
Save – You can perform a File > Save action to save your data set configuration and script solution. The file is saved as a *.fgi file type.
Open – You can perform a File > Open action to open a saved data set. Browse to the *.fgi file and open it.
Edit Dataset – Use this option to change the configuration parameters of an active data set. You can add directories to or remove directories from the data set, change configuration parameters, or update the script solution.
Increasing the Java heap size for large or recursive data sets
If you analyze a large or a recursive data set, you may have to wait to analyze or test the files in the data set. The File
Type Analyzer utility needs to scan each directory in the data set. Then it performs I/O operations on each file that meets
the data set criteria.
If the utility runs out of memory before it processes the files, it freezes and does not move on to the expected screen.
If you analyze a large data set (100,000+ files) or use recursive scanning to create the data set, increase the maximum
Java heap size.
To increase the Java heap size for the File Type Analyzer utility (GUI version)
1. Open a command line interface (Windows) or a console interface (Linux).
2. Launch the File Type Analyzer utility from the command line using the following command:
analyzer_gui.exe -Xmx1024m
3. The interface should launch with the Java heap size increased accordingly.
You should now be able to analyze or test a large or a recursive data set without error or significant delay.
• Workflow for detecting custom file types
• Tutorial 1: Detecting Java class files
• Tutorial 2: Detecting an encrypted ZIP file format
• Implementing custom script validators
In addition, to ensure that your script matches only Java class files, add a few non-Java class files to the same
directory.
4. Add the data set directory to the File Type Analyzer utility.
In the File Type Analyzer utility, click Add Directory. Browse to and select the directory where you copied the files and
click Open.
5. In the File Name Filter field enter a regular expression to filter the files.
For example, the following regular expression screens all files in the selected directory: [\w\s]+.[\w]+
• (\w) Any alphanumeric character, digit, or underscore
• (\s) Any whitespace
• (+) One or more of the previous characters must match
• (.) Any single character, including itself
You may need to adjust this expression to find the files you want to analyze in the specified directory. For example, if a
file name contains a dash (-), adjust the expression as follows: [\w\s-]+.[\w]+
Creating the data set
6. In the Number of Bytes field, enter 1024.
The magic bytes of a file are almost always contained within the first 1024 bytes of a file. If you want to analyze more
than the first 1024 bytes of data, you must increase the number of bytes that the File Type Analyzer utility can read
and display.
Increasing the number of bytes that are analyzed
7. For the Chunk Size enter 1.
8. For the Parser Type choose BYTE.
9. If the files you want to screen are in nested directories, choose the Recursive Scan option.
NOTE
If you choose the Recursive Scan option, or you have a large data set, increase the Java heap size allocated
to the File Type Analyzer utility.
Increasing the Java heap size for large or recursive data sets
10. Click Analyze Dataset. The utility analyzes all files in the directory and displays the results. The utility organizes each
file by tabs according to its extension. In the All tab the utility displays all screened files. In the .class tab the utility
displays only the Java class files.
11. Click Analyze Table Data again. This time the utility highlights the bytes within each file that match across all files.
As you can see, for Java class files there are several bytes in common, including the first four (0 through 3): CA FE
BA BE. These bytes are the magic bytes for Java class files.
In the drop-down menu at the bottom you can change how the utility analyzes table data. The default option is
COLUMN_MATCH, which generally provides the most accurate matching. If you switch to this analysis mode you
need to click Analyze Table Data again to see the matching bytes by row.
12. Now that you know what the magic bytes are for Java class files, you can author a script to detect this file type. You
can then test your script using the File Type Analyzer utility.
In the Solution field, enter the following script to detect Java class files:
$Int1 = getHexStringValue('CAFE');
$Int2 = getBinaryValueAt($data, 0x0, 2);
assertTrue($Int1 == $Int2);
$Int3 = getHexStringValue('BABE');
$Int4 = getBinaryValueAt($data, 0x2, 2);
assertTrue($Int3 == $Int4);
13. Click Test Solution. At the top of the interface you see the Matched Files. Only those files containing the CAFE
BABE magic bytes appear in the "Matched Files" section of the interface. Files that do not contain these magic bytes
appear in the Mismatched Files section at the lower-half of the interface.
• When you analyze the data set, the File Type Analyzer utility indicates that the first 2 bytes of a Java class file are
CA FE. So, in the first statement of the script you assign that value as a hexadecimal string to the variable $Int1.
• In the second statement of the script you get the first 2 bytes of each file and assign that value to the variable
$Int2. The "0x0, 2" portion of the statement tells the script engine to start at the first byte and get the first two.
• In the third statement you compare the values of the two variables and check for a match.
• The process is repeated for the third and the fourth bytes ("0x2, 2"), looking for a match on BA BE. Files that match
both evaluations are detectable by the script and appear in the "Matched Files" portion of the interface.
14. In the Note section enter a comment about the solution, such as "Custom script for detecting Java class
files."
15. In the File Type Analyzer interface, select File > Save. Give the file a name and save it to a local directory, such as C:\temp\JavaClassFiles.fgi.
16. Close the File Type Analyzer interface and relaunch it. Choose File > Open then browse to and select the
JavaClassFiles.fgi file.
The data set parameters and script solution appear in the interface. From here you can reanalyze the data set and
refine your solution as necessary. Click Edit Dataset to add or remove directories containing files you want to analyze.
You can also right-click a row and remove an individual file from the data set.
17. Once you have debugged your solution, deploy your script to an instance of the Custom File Type Signature rule. You
can then author and deploy new policies that use this rule to detect the custom file type.
5. Enter and select the required data set parameters:
• File Name Filter: [\w\s]+.[\w]+
• Number of Bytes: 1024
• Chunk Size: 1
• Parser Types: BYTE
6. Click Analyze Dataset.
7. With COLUMN_MATCH selected, click Analyze Table Data.
The utility highlights the byte matches across all files. Note the exact matches for the first 6 bytes of all files. Note also
that the seventh byte is 0 for the ZIP files that are not encrypted. The seventh byte is the encryption bit.
8. In the Solution field, enter the following script:
$pktag=ascii('PK');
$frecord=getHexStringValue('0304');
$pkbytes=getBinaryValueAt($data, 0x0, 2);
assertTrue($pktag == $pkbytes);
$recordbytes=getBinaryValueAt($data, 0x2, 2);
assertTrue($frecord == $recordbytes);
$cryptByte=getBinaryValueAt($data, 0x6, 1);
$encrypted=mod($cryptByte, 2);
assertTrue($encrypted == 1);
9. The solution should match only those ZIP files in the data set that are encrypted. The ZIP files that are not encrypted
should appear in the "Mismatched Files" pane.
• $pktag=ascii('PK');
The first statement assigns the "$pktag" variable the value "PK." If you switch the Parser Type to ASCII, you see
that the first 2 bytes of all ZIP files are "P" and "K".
• $frecord=getHexStringValue('0304');
The second statement assigns the "$frecord" variable the value of "0304", which are the third and fourth bytes of
the ZIP files. (Switch back to BYTE for the Parser Type to confirm this value.)
• $pkbytes=getBinaryValueAt($data, 0x0, 2);
The third statement gets the binary value of the first 2 bytes.
• assertTrue($pktag == $pkbytes);
The fourth statement compares the values of the "$pktag" and "$pkbytes" variables, looking for an exact match of
"P" and "K". If the values match, the assertTrue value is achieved.
• $recordbytes=getBinaryValueAt($data, 0x2, 2);
The fifth statement checks the binary value of the third and fourth bytes (start at the third byte and count 2). Here
the values (in BYTE mode) are "03" and "04".
• assertTrue($frecord == $recordbytes);
The sixth statement compares the values of the "$frecord" and the "$recordbytes" variables. If the returned value
("$recordbytes") matches the value assigned to the "$frecord" variable ("03" and "04"), the assertTrue value is
achieved.
• $cryptByte=getBinaryValueAt($data, 0x6, 1);
The seventh statement gets the binary value at the seventh byte (column 6).
• $encrypted=mod($cryptByte, 2);
The eighth statement divides the value of the seventh byte (as assigned to the "$cryptByte" variable) by 2 and
assigns the remainder to the "$encrypted" variable.
• assertTrue($encrypted == 1);
The ninth statement checks the value of the "$encrypted" variable. If the value is zero (no remainder), then the ZIP
file is not encrypted. If there is a remainder then the ZIP file is encrypted.
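The two solutions above can be exercised outside the File Type Analyzer by emulating the script functions in Python. The following block is an added example and is not code from the Symantec Data Loss Prevention documentation or product: the helper names mirror getHexStringValue, getBinaryValueAt, ascii, mod, and assertTrue, but their behavior (byte-string values, a mismatch raised when an assertion fails or when a file is shorter than the offset being read) is an assumption, and the sample file headers are constructed rather than taken from real files.

```python
# Added example (not from the Symantec DLP documentation): a Python emulation
# of the File Type Analyzer script semantics used by the Java class file and
# encrypted ZIP solutions above. The helper behaviour is an assumption.

class Mismatch(AssertionError):
    """Raised when a solution rejects a file (the 'Mismatched Files' pane)."""


def get_hex_string_value(hex_text: str) -> bytes:
    """getHexStringValue('CAFE') -> b'\\xca\\xfe' (assumed behaviour)."""
    return bytes.fromhex(hex_text)


def ascii_value(text: str) -> bytes:
    """ascii('PK') -> b'PK' (assumed behaviour)."""
    return text.encode("ascii")


def get_binary_value_at(data: bytes, offset: int, length: int) -> bytes:
    """getBinaryValueAt($data, offset, length): raw bytes at offset.

    A file shorter than offset+length cannot satisfy the check, so it is
    treated as a mismatch rather than a partial read (assumption).
    """
    chunk = data[offset:offset + length]
    if len(chunk) < length:
        raise Mismatch(f"file too short for {length} byte(s) at offset {offset:#x}")
    return chunk


def mod(value: bytes, divisor: int) -> int:
    """mod($cryptByte, 2): remainder of the byte value; mod 2 tests bit 0."""
    return int.from_bytes(value, "big") % divisor


def assert_true(condition: bool) -> None:
    if not condition:
        raise Mismatch("assertTrue failed")


def java_class_solution(data: bytes) -> None:
    """Step 12 solution: the first four bytes must be CA FE BA BE."""
    int1 = get_hex_string_value("CAFE")
    int2 = get_binary_value_at(data, 0x0, 2)
    assert_true(int1 == int2)
    int3 = get_hex_string_value("BABE")
    int4 = get_binary_value_at(data, 0x2, 2)
    assert_true(int3 == int4)


def encrypted_zip_solution(data: bytes) -> None:
    """Step 8 solution: PK\\x03\\x04 local file header with the encryption bit set.

    Byte 6 is the low byte of the little-endian general purpose bit flag; its
    bit 0 is the traditional encryption flag, which mod 2 isolates.
    """
    pktag = ascii_value("PK")
    frecord = get_hex_string_value("0304")
    pkbytes = get_binary_value_at(data, 0x0, 2)
    assert_true(pktag == pkbytes)
    recordbytes = get_binary_value_at(data, 0x2, 2)
    assert_true(frecord == recordbytes)
    crypt_byte = get_binary_value_at(data, 0x6, 1)
    encrypted = mod(crypt_byte, 2)
    assert_true(encrypted == 1)


def run_solution(solution, files: dict) -> tuple:
    """Split files into (matched, mismatched) name lists, like the utility's two panes."""
    matched, mismatched = [], []
    for name, data in files.items():
        try:
            solution(data)
            matched.append(name)
        except Mismatch:
            mismatched.append(name)
    return matched, mismatched


# Constructed sample headers (not real files): only the leading bytes matter here.
SAMPLE_FILES = {
    "Foo.class": bytes.fromhex("CAFEBABE00000034"),      # magic, minor 0, major 52
    "plain.zip": bytes.fromhex("504B0304140000000800"),  # flag bytes 00 00: not encrypted
    "secret.zip": bytes.fromhex("504B0304140001000800"), # flag bytes 01 00: encrypted
    "notes.txt": b"hello world",
    "stub": b"PK",                                        # too short for the ZIP checks
}

if __name__ == "__main__":
    for label, solution in (("Java class", java_class_solution),
                            ("Encrypted ZIP", encrypted_zip_solution)):
        matched, mismatched = run_solution(solution, SAMPLE_FILES)
        print(f"{label}: matched={matched} mismatched={mismatched}")
```

Both solutions classify by header alone, which is what the Custom File Type Signature rule is built for. The ZIP check reads only byte 6, the low byte of the little-endian general purpose bit flag in the local file header, and mod 2 isolates bit 0, the encryption flag. The Java check is a pure magic-bytes test, so any file that begins with CA FE BA BE is reported as a class file whatever follows (a Mach-O universal binary, for example, shares that magic), which is worth keeping in mind when you review matches from such a rule.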
Protocol and description:
• Email/SMTP: Simple Mail Transfer Protocol (SMTP) is a protocol for sending email messages between servers.
• FTP: The file transfer protocol (FTP) is used on the Internet for transferring files from one computer to another.
• HTTP: The hypertext transfer protocol (HTTP) is the underlying protocol that supports the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
• HTTP/SSL: Hypertext transfer protocol over Secure Sockets Layer (HTTPS) is a protocol for sending data securely between a client and server.
• NNTP: Network News Transport Protocol (NNTP), which is used to send, distribute, and retrieve USENET messages.
• TCP:custom_protocol: The Transmission Control Protocol (TCP) is used to reliably exchange data between computers across the Internet. This option is only available if you have defined a custom TCP port.
Table 616: Protocol Monitoring condition parameters for Network
Action and description:
• Add or modify the Protocol or Endpoint Monitoring condition: Add a new Protocol or Endpoint Monitoring condition to a policy rule or exception, or modify an existing rule or exception condition. See Configuring policies, Configuring Policy Rules, and Configuring policy exceptions.
• Select one or more protocols to match: To detect Network incidents, select one or more Protocols:
  – Email/SMTP
  – FTP
  – HTTP
  – HTTPS/SSL
  – NNTP
• Configure a custom network protocol: Select one or more custom protocols: TCP:custom_protocol.
• Configure endpoint monitoring: See Configuring the Endpoint Monitoring condition.
• Match on the entire message: The Protocol Monitoring condition matches on the entire message, not individual message components. The Envelope option is selected by default. You cannot select individual message components. See Detection Messages and Message Components.
• Also match one or more conditions: Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.
See About Endpoint Prevent monitoring.
Symantec Data Loss Prevention provides several methods for detecting and excepting endpoint events, and a collection
of response rules for responding to them.
See Response rule actions for endpoint detection.
Protocol and description:
• Email/SMTP: Simple Mail Transfer Protocol (SMTP) is a protocol for sending email messages between servers.
• FTP: The file transfer protocol (FTP) is used on the Internet for transferring files from one computer to another.
• HTTP: The hypertext transfer protocol (HTTP) is the underlying protocol that supports the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
• HTTP/SSL: Hypertext transfer protocol over Secure Sockets Layer (HTTPS) is a protocol for sending data securely between a client and server.
Destination Description
About endpoint location detection
You can detect or except events based on the location of the endpoint.
Using the Endpoint Location detection method, you can choose to detect incidents only when the endpoint is on or off the
network.
For example, you might configure this condition to match only when users are off the corporate network because you have
other rules in place for detecting network incidents. In this case implementing the Endpoint Location detection method
would achieve this result.
Configuring the Endpoint Location condition
Endpoint match conditions and details:
• Endpoint Location: Detect when the endpoint is on or off the corporate network. See About endpoint location detection and Configuring the Endpoint Location condition.
Action and description:
• Add or modify the Endpoint Monitoring condition: Add a new Protocol or Endpoint Monitoring condition to a policy rule or exception, or modify an existing rule or exception condition. See Configuring Policy Rules, Configuring policy exceptions, and Configuring policies.
• Select one or more endpoint protocols to match: To detect Endpoint incidents, select one or more Endpoint Protocols:
  – Email/SMTP
  – HTTP
  – HTTPS/SSL
  – FTP
  See About endpoint protocol monitoring.
• Select one or more endpoint destinations: To detect when users move data on the endpoint, select one or more Endpoint Destinations:
  – Local Drive
  – CD/DVD
  – Removable Storage Device
  – Copy to Network Share
  – Printer/Fax
  – Clipboard
  See About endpoint protocol monitoring.
• Monitor endpoint applications: To detect when endpoint applications access files, select the Application File Access option.
• Match on the entire message: The DLP Agent evaluates the entire message, not individual message components. The Envelope option is selected by default. You cannot select the other message components. See Detection Messages and Message Components.
• Also match one or more conditions: Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.
You can implement an instance of the Endpoint Location condition in one or more policy detection rules and exceptions.
Configuring policies
Action and description:
• Add or modify the Endpoint Location condition: Add a new Endpoint Location detection condition to a policy rule or exception, or modify an existing policy rule or exception. See Configuring Policy Rules and Configuring policy exceptions.
• Select the location to monitor: Select one of the following endpoint locations to monitor:
  – Off the corporate network: Select this option to detect or except events when the endpoint computer is off of the corporate network.
  – On the corporate network: Select this option to detect or except events when the endpoint computer is on the corporate network. This option is the default selection.
  See About endpoint location detection.
• Match on the entire message: The DLP Agent evaluates the entire message, not individual message components. The Envelope option is selected by default. The other message components are not selectable. See Detection Messages and Message Components.
• Also match one or more conditions: Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the list. See Configuring compound rules.
Action and description:
• Add or modify an Endpoint Device condition: Add a new Endpoint Device Class or ID condition to a policy rule or exception, or modify an existing one. See Configuring Policy Rules and Configuring policy exceptions.
• Select one or more devices: The condition matches when users move data from an endpoint computer to the selected device(s). Click Create an endpoint device to define one or more devices. See Creating and modifying endpoint device configurations.
• Match on the entire message: The DLP Agent matches on the entire message, not individual message components. The Envelope option is selected by default. You cannot select other components. See Detection Messages and Message Components.
• Also match one or more conditions: Select this option to create a rule. All conditions must match to trigger or except an incident. You can Add any condition available from the drop-down menu. See Configuring compound rules.
NOTE
The Device Instance ID is also used by Symantec Endpoint Protection.
To obtain the Device Instance ID (on Windows)
1. Right-click My Computer.
2. Select Manage.
3. Select the Device Manager.
4. Click the plus sign beside any device to expand its list of device instances.
5. Double-click the device instance. Or, right-click the device instance and select Properties.
6. Look in the Details tab for the Device Instance Id.
7. Use the ID to create device metadata expressions.
Creating and modifying endpoint device configurations
NOTE
You can use the DeviceID utility for Windows and Mac endpoints to generate removable storage device
information.
To create and modify endpoint device ID expressions
1. Go to the System > Agent > Endpoint Devices screen.
2. Click Add Device.
3. Enter the Device Name.
4. Enter a Device Description.
5. Enter the Device Definition expression.
The device definition must conform to the regular expression syntax.
Example Windows endpoint regular device expressions
About writing regular expressions
6. Click Save to save the device configuration.
7. Implement the Endpoint Device Class or ID condition in a detection rule or exception.
Configuring the Endpoint Device Class or ID condition
• Any detection method that executes on the endpoint matches on the entire message, not individual message
components.
Detection Messages and Message Components
• The Endpoint Destination and Endpoint Location methods are specific to the endpoint computer and are not user-
based.
Distinguish synchronized DGM from other types of endpoint detection
• You might often combine group and detection methods on the endpoint. Keep in mind that the policy language ANDs
detection and group methods, whereas methods of the same type, two rules for example, are ORed.
Policy detection execution
Example patterns, what they match, and what they do not match:
• fr, cu
  Matches: All SMTP email that is addressed to a .fr (France) or .cu (Cuba) address. Any HTTP post to a .fr address through a Web-based mail application, such as Yahoo mail.
  Does not match: Any email that is addressed to a French company with the .com extension instead of .fr.
• company.com
  Matches: All SMTP email that is addressed to the specific domain URL, such as symantec.com.
  Does not match: Any SMTP email that is not addressed to the specific domain URL.
• 3rdlevel.company.com
  Matches: All SMTP email that is addressed to the specific 3rd level domain, such as dlp.symantec.com.
  Does not match: Any SMTP email that is not addressed to the specific 3rd level domain.
• bob@company.com
  Matches: All SMTP email that is addressed to bob@company.com. All SMTP email that is addressed to BOB@COMPANY.COM (the pattern is not case-sensitive).
  Does not match: Any email not specifically addressed to bob@company.com, such as sally@company.com, robert.bob@company.com, or bob@3rdlevel.company.com.
• 192.168.0.*
  Matches: All email, Web, or URL traffic specifically addressed to 192.168.0.[0-255]. This result assumes that the IP address maps to the desired domain, such as web.company.com.
  Does not match: Note: If the IP address does not match, use one or more domain URLs instead.
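The behavior described in the table can be reproduced in a small matcher. The following Python is an added example and is not the product's pattern engine or code from the documentation: the matching rules are a reading of the table rows, and where the table is silent (whether a domain pattern such as company.com also covers hosts under it) the behavior is an assumption; the sample addresses are constructed from the table's examples.

```python
# Added example (not from the Symantec DLP documentation): a Python
# illustration of the sender/recipient pattern behaviour in the table above.
# The rules below are my reading of the table, not the product's matcher;
# whether a domain pattern also covers its subdomains is an assumption.

def _host_of(address: str) -> str:
    """Domain part of an email address, or the bare host/IP as given."""
    return address.rsplit("@", 1)[-1].strip().lower().strip(".")


def _ip_wildcard_match(pattern: str, host: str) -> bool:
    """192.168.0.* style: octet-wise equality, '*' matches any octet 0-255."""
    p_parts, h_parts = pattern.split("."), host.split(".")
    if len(p_parts) != 4 or len(h_parts) != 4:
        return False
    if not all(part.isdigit() and 0 <= int(part) <= 255 for part in h_parts):
        return False
    return all(pp == "*" or pp == hp for pp, hp in zip(p_parts, h_parts))


def match_pattern(pattern: str, address: str) -> bool:
    """Return True if the address matches a Sender/Recipient pattern.

    Pattern kinds, following the table: comma-separated alternatives
    ("fr, cu"), a full email address (exact, case-insensitive), an IP address
    or IP wildcard, or a domain (the address host equals the pattern or ends
    with ".<pattern>", so "fr" covers every .fr address).
    """
    pat = pattern.strip().lower()
    addr = address.strip().lower()
    if "," in pat:
        return any(match_pattern(p, addr) for p in pat.split(","))
    if "@" in pat:
        return addr == pat
    if all(p == "*" or p.isdigit() for p in pat.split(".")):
        return _ip_wildcard_match(pat, _host_of(addr))
    host_labels = _host_of(addr).split(".")
    pat_labels = pat.strip(".").split(".")
    return (len(host_labels) >= len(pat_labels)
            and host_labels[-len(pat_labels):] == pat_labels)


def classify(pattern: str, addresses) -> dict:
    """Map each address to whether the pattern matches it."""
    return {a: match_pattern(pattern, a) for a in addresses}


# Constructed sample addresses, modelled on the table's examples.
SAMPLE_ADDRESSES = [
    "jean@company.fr", "mail.yahoo.fr", "jean@company.com",   # fr, cu row
    "bob@company.com", "BOB@COMPANY.COM", "sally@company.com",
    "robert.bob@company.com", "bob@3rdlevel.company.com",     # bob@company.com row
    "192.168.0.200", "192.168.1.5",                            # 192.168.0.* row
]

if __name__ == "__main__":
    for pattern in ("fr, cu", "company.com", "3rdlevel.company.com",
                    "bob@company.com", "192.168.0.*"):
        print(pattern, classify(pattern, SAMPLE_ADDRESSES))
```

The IP wildcard case inherits the caveat from "Match domains instead of IP addresses" below: what the matcher sees is whatever source or destination IP reaches the detection server, which behind a Web proxy is the proxy's own address, so domain patterns are the more reliable choice.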
Condition and description:
• Sender/User Matches Pattern: Matches on an email address, domain address, IP address, Windows user name, or IM screen name/handle. See Configuring the Sender/User Matches Pattern condition.
• Recipient Matches Pattern: Matches on an email address, domain address, IP address, or newsgroup. See Configuring the Recipient Matches Pattern condition.
Table 627: Configuring the Sender/User Matches Pattern condition
50 policies, using a Reusable Sender Pattern lets you enter the Sender Pattern a single time, then select it for each policy.
In addition, if you need to update the Sender Pattern for those 50 policies, you can edit it from the Configure Reusable
Sender Pattern page and your changes will be applied automatically to each policy using that pattern.
To configure a Reusable Sender Pattern
1. Take one of the following actions:
• If you are configuring a policy with a Sender/User Matches Pattern rule, from the Manage > Policies > Policy
List > Configure Policy - Edit Rule page, click Create Reusable Sender Pattern.
• In the Enforce Server administration console, navigate to Manage > Policies > Sender/Recipient Patterns, then
click Add > Sender Pattern.
2. In the General section on the Configure Reusable Sender Pattern page, enter a Name and Description for your
Reusable Sender Pattern.
3. In the Sender Pattern section, enter the User Patterns and IP Addresses as described in the "Configuring the
Sender/User Matches Pattern condition table".
Configuring the Sender/User Matches Pattern condition
4. Click Save.
5. To edit a saved Reusable Sender Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click the
dropdown arrow next to the name of the pattern you want to edit, then select Edit.
6. To delete a saved Reusable Sender Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click the
dropdown arrow next to the name of the pattern you want to delete, then select Delete.
NOTE
You cannot delete a Reusable Sender Pattern that is currently in use in any policy.
Action and description:
• URL Domain: Enter one or more URL Domains to match Web-based traffic, including Web-based email and postings to a Web site. For example, if you want to prohibit the receipt of certain types of data using Hotmail, enter hotmail.com.
• Select a Reusable Recipient Pattern: You can select a Recipient Pattern that you have saved for reuse in your policies. Select Reusable Recipient Pattern, then choose the pattern you want from the dropdown list.
• Configure match counting: Select one of the following options to specify the number of email recipients that must match:
  – All recipients must match (Email Only) does not count a match unless ALL email message recipients match the specified pattern.
  – At least _ recipients must match (Email Only) lets you specify the minimum number of email message recipients that must match to be counted.
  Select one of the following options to specify how you want to count the matches:
  – Check for existence: Reports a match count of 1 if there are one or more matches.
  – Count all matches: Reports the sum of all matches.
  See Configuring Match Counting.
• Match on the entire message: This condition matches on the entire message. The Envelope option is selected by default. You cannot select any other message component. See Detection Messages and Message Components.
• Also match more conditions: Select this option to create a rule. All conditions in a rule or exception must match to trigger an incident. You can Add any available condition from the list. See Configuring compound rules.
4. Click Save.
5. To edit a saved Reusable Recipient Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click the
dropdown arrow next to the name of the pattern you want to edit, then select Edit.
6. To delete a saved Reusable Recipient Pattern, on the Manage > Policies > Sender/Recipient Patterns page, click
the dropdown arrow next to the name of the pattern you want to delete, then select Delete.
NOTE
You cannot delete a Reusable Recipient Pattern that is currently in use in any policy.
Match domains instead of IP addresses to improve accuracy
The URL Domain pattern matches HTTP traffic to particular URL domains. You do not enter the entire URL. For example,
you enter mail.yahoo.com not http://www.mail.yahoo.com.
The system does not resolve URL domains to IP addresses. For example, you specify an IP address of 192.168.1.1
for a specific domain. If users access the domain URL using a Web browser, the system does not match emails that are
transmitted by the IP address. In this case, use a domain pattern instead of an IP address, such as internalmemos.com.
You can detect senders/users and recipients based on one or more IP addresses. However, to do so you must carefully
consider the placement of the detection server on your network. If the detection server is installed between the Web proxy
and the Internet, the IP address of all Web traffic from individuals in your organization appears to come from the Web
proxy. If the detection server is installed between the Web proxy and the internal corporate network, the IP address of
all Web traffic from outside your organization appears to go to the Web proxy. The best practice is to match on domain
names instead of IP addresses.
Use Synchronized DGM for Network Prevent for Web Identity Detection
With Symantec Data Loss Prevention 16.0 MP1, you can use synchronized Directory Group Matching (DGM) with
Network Prevent for Web and ProxySG.
An email address header that is sent by ProxySG is used as the user identity for DGM detection.
Troubleshooting policies
NOTE
DLP Agents that are installed on Mac endpoints support User Groups that use Active Directory (AD) group
conditions in policies.
1. Establish a connection to the Active Directory server you want to synchronize with.
2. At the Manage > User Groups screen, click Create New Group.
Or, to edit an existing user group, select the group in the User Groups screen.
3. Configure the User Group parameters as required.
Configure a User Group
NOTE
If you are configuring User Groups for the first time, you must select the option Refresh the group directory
index on Save to populate the User Group.
4. After you locate the users you want, use the Add and Remove options to include or exclude them in the User Group.
5. Click Save.
Action and description:
• Enter the group name: The Group Name is the name that you want to use to identify this group. Use a descriptive name so that you can easily identify it later on.
• Enter the group description: Enter a short Description of the group.
• Select the usage type: Select an option to designate access:
  – Select Policies to only allow the User Group to access policies.
  – Select Roles to only allow the User Group to access roles.
• View which policies use the group: Initially, when you create a new User Group, the Used in Policy field displays None. If the User Group already exists and you modify it, the system displays a list of the policies that implement the User Group, assuming one or more group-based policies are created for this User Group.
• Refresh the group directory index on Save: Select (check) the Refresh the group directory index on Save option to synchronize the user group profile with the most recent directory server index immediately on Save of the profile. If you leave this box unselected (unchecked), the profile is synchronized with the directory server index based on the Directory Connection setting. If this is the first time you are configuring the User Group profile, you must select the Refresh the group directory index on Save option to populate the profile with the latest directory server index replication.
• Select the directory server: Select the directory server you want to use from the Directory Server list. You must establish a connection to the directory server before you create the User Group profile.
• Include email aliases: Check the Include Mail Aliases box to index user email aliases along with primary email addresses. For example, if a user has the primary email address "robert_smith@company.com" and an email alias "bob_smith@company.com," checking this box will index both email addresses. Be aware that indexing email aliases will increase your index size.
• Search the directory for specific users: Enter the search string in the search field and click Search to search the directory for specific users. You can search using literal text or wildcard characters (*). The search results display the Common Name (CN) and the Distinguished Name (DN) of the directory server that contains the user. These names give you the specific user identity. Results are limited to 1000 entries. Click Clear to clear the results and begin a new search of the directory.
  Literal text search criteria options:
  – Name of individual node, such as "engineering" or "accounting"
  – Email address, such as "goakham@symantec-dlp.com"
  Wildcard character search criteria options:
  – The supported wildcard character is an asterisk (*)
  – Proper wildcard search examples: Gabriel *akha* returns "Gabriel Oakham"; j* jop* returns "Janice Joplin"
  – Improper wildcard search: Do not begin the search string with a wildcard; this will hinder directory server search performance. For example, the following search is not recommended: *Gabriel Oakham.
• Browse the directory for user groups: You can browse the directory tree for groups and users by clicking on the individual nodes and expanding them until you see the group or node that you want. The browse results display the name of each node. These names give you the specific user identity. The results are limited to 20 entries by default. Click See More to view up to 1000 results.
• Add a user group to the profile: To add a group or user to the User Group profile, select it from the tree and click Add. After you select and add the node to the Added Groups column, the system displays the Common Name (CN) and the Distinguished Name (DN).
• Save the user group: Click Save to save the User Group profile you have configured.
Table 631: Workflow for implementing synchronized DGM
1. Create the connection to the directory server. Establish the connection from the Enforce Server to a directory server such as Microsoft Active Directory.
2. Create the User Group. Create one or more User Groups on the Enforce Server and populate the User Groups with the exact identities from the users, groups, and business units that are defined in the directory server. See Configuring User Groups.
3. Configure a new policy or edit an existing one. See Configuring policies.
4. Configure one or more group rules or exceptions. Choose the type of synchronized DGM rule you want to implement and reference the User Group. After the policy and the group are linked, the policy applies only to those identities in the referenced User Group. See Configuring the Sender/User based on a Directory Server Group condition and Configuring the Recipient based on a Directory Server Group condition.
Parameter and description:
• Select User Groups to include in this policy: Select one or more User Groups that you want this policy to detect. If you have not created a User Group, click Create a new User Group. See Configuring User Groups.
• Match On: This condition matches on the entire message. The Envelope option is selected by default. You cannot select any other message component. See Detection Messages and Message Components.
• Also Match: Select this option to create a rule. All conditions in a rule or exception must match to trigger an incident. You can Add any available condition from the list. See Configuring compound rules.
NOTE
The Recipient based on a Directory Server Group condition requires two-tier detection.
See About two-tier detection for synchronized DGM.
Table 633: Configuring the Recipient based on a Directory Server Group condition
1. Select User Groups to include in this policy: Select the User Group(s) that you want this policy to match on. If you have not created a User Group, click Create a new Endpoint User Group option. See Configuring User Groups.
2. Match On: This rule detects the entire message, not individual components. The Envelope option is selected by default. You cannot select any other message component. See Detection Messages and Message Components.
3. Also Match: Select this option to create a rule. All conditions in a rule or exception must match to trigger an incident. You can Add any available condition from the list. See Configuring compound rules.
exclude certain email addresses from analysis. Or, you might want to prevent certain people from sending confidential
information by email.
Configuring Exact Data profiles for DGM
Profiled DGM is distinguished from synchronized DGM, which uses a connection to a directory server (such as Microsoft
Active Directory) to match identities.
Introducing synchronized Directory Group Matching (DGM)
1. Create the data source file. Create a data source file from the directory server or database you want to profile. Make sure the data source file contains the appropriate fields. The following fields are supported for profiled DGM:
  – Email address
  – IP address
  – Windows user name (in the format domain\user)
  – IM screen name
  See Creating the exact data source file for profiled DGM for EDM.
2. Prepare the data source file for indexing. See Configuring Exact Data profiles for EDM and Preparing the exact data source file for indexing for EDM.
3. Create the Exact Data Profile. This includes uploading the data source file to the Enforce Server, mapping the data fields, and indexing the data source. See Uploading exact data source files for EDM to the Enforce Server, Creating and modifying Exact Data Profiles for EDM, Mapping Exact Data Profile fields for EDM, and Scheduling Exact Data Profile indexing for EDM.
4. Define the profiled DGM condition. See Configuring the Sender/User based on a Profiled Directory condition and Configuring the Recipient based on a Profiled Directory condition.
5. Test the profiled DGM policy. Use a test policy group and verify that the matches the policy generates are accurate. See Test and tune policies to improve match accuracy.
Configuring profiled DGM policy conditions
Symantec Data Loss Prevention provides two match conditions for profiled DGM: sender/user and recipient. Both
conditions can be used as policy rules or exceptions. For example, consider a scenario where you index a list of email
addresses and author profiled DGM policies based on this indexed data. You could write a rule that requires the message
sender to be from the indexed list to violate the policy. Or, you could write an exception that is not violated if the recipient
of an email is from the indexed list.
Creating the exact data source file for profiled DGM for EDM
• Sender/User based on a Directory from <EDM Profile>: If this condition is implemented as a policy rule, a match occurs only if the sender or user of the data is contained in the index profile. If this condition is implemented as a policy exception, the data will be excepted from matching if it is sent by a sender/user listed in the index profile.
• Recipient based on a Directory from <EDM Profile>: If this condition is implemented as a policy rule, a match occurs only if the recipient of the data is contained in the index profile. If this condition is implemented as a policy exception, the data will be excepted from matching if it is received by a recipient listed in the index profile.
Table 636: Configuring the Sender/User Based on a Directory From an EDM Profile Condition
Parameter and description:
• Where: Select this option to have the system match on the specified field values. Select a field from the drop-down list. Type the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas. For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing,Sales in the text box. If the condition is implemented as a rule, a match occurs only if the sender or user works in Marketing or Sales (as long as the other input content meets all other detection criteria). If the condition is implemented as an exception, in this example the system excludes from matching any message from a sender or user who works in Marketing or Sales.
• Is Any Of: Enter or modify the information that you want to match. For example, if you want to match any sender in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.
Configuring the Recipient based on a Profiled Directory condition
The Recipient based on a Directory from condition lets you create detection methods based on the identity of the
recipient. This method requires an Exact Data Profile.
Creating the exact data source file for profiled DGM for EDM
After you select the Exact Data Profile, when you configure the rule, the directory you selected and the recipient
identifier(s) appear at the top of the page.
Configuring the Sender/User based on a Directory from an EDM Profile condition describes the parameters for configuring
Recipient based on a Directory from an EDM profile condition.
Table 637: Configuring the Recipient based on a Directory from an EDM profile condition
Parameter and description:
• Where: Select this option to have the system match on the specified field values. Specify the values by selecting a field from the drop-down list and typing the values for that field in the adjacent text box. If you enter more than one value, separate the values with commas. For example, for an Employees directory group profile that includes a Department field, you would select Where, select Department from the drop-down list, and enter Marketing, Sales in the text box. For a detection rule, this example causes the system to capture an incident only if at least one recipient works in Marketing or Sales (as long as the input content meets all other detection criteria). For an exception, this example prevents the system from capturing an incident if at least one recipient works in Marketing or Sales.
• Is Any Of: Enter or modify the information you want to match. For example, if you want to match any recipient in the Sales department, select Department from the drop-down list, and then enter Sales in this field (assuming that your data includes a Department column). Use a comma-separated list if you want to specify more than one value.
Include an email address field in the Exact Data Profile for profiled DGM
You must include the appropriate fields in the Exact Data Profile to implement profiled DGM.
See Creating the exact data source file for profiled DGM for EDM.
If you include the email address field in the Exact Data Profile for profiled DGM and map it to the email data validator, the email address field appears in the Directory EDM drop-down list on the remediation page.
Use Profiled DGM for Network Prevent for Web Identity Detection
Use one of the profiled DGM conditions to implement identity matching for Network Prevent for Web. For example, you may want to use identity matching to block all web traffic for specific users.
See Creating the exact data source file for profiled DGM for EDM and Configuring the Sender/User based on a Profiled Directory condition.
Introducing Contextual Attributes for User Risk Scores
Apply the User Risk Score context match condition to use a user's risk score as a contextual attribute in a policy.
The User Risk Score context match condition allows you to configure a detection rule based on user risk scores. For example, you can create a policy detection rule that includes the User Risk Score condition and specifies that the rule applies to incidents whose user risk score exceeds a specified threshold.
NOTE
Rule conditions apply to supported DLP detection channels. See Introducing User Risk Based Detection.
The User Risk Score condition allows you to specify the following attributes and attribute values:
• Attribute: User Risk Score
• Operator
• Risk score (between 1 and 100, with 100 indicating the highest user risk)
You can also create a compound condition by selecting Detect based on user risk score in the Also match list. For more information, see Configuring compound rules.
Related Links
Introducing User Risk Based Detection on page 1033
Use User Risk-based Detection to trigger policies based on the risk score for a particular user.
Adding a Rule to a Policy on page 825
Add one or more rules to a policy to indicate at least one match condition.
Configuring Policy Rules on page 827
You configure a policy rule with one or more match conditions. The configuration of each rule condition depends on its
type.
1. Add a Contextual Attributes (Cloud Applications and API Detection Appliance only) condition to a policy rule or exception, or edit an existing one.
2. Select a contextual attribute condition from the Attributes drop-down list. See Contextual attribute categories.
3. Configure the appropriate contextual attribute values.
4. Click OK.
Table 638: General attributes

Application Name
    Specifies the name of the cloud web proxy, Gatelet, or Securlet.
    Securlets:
    • Amazon S3
    • Amazon Web Services
    • Box
    • Cisco Spark
    • Dropbox
    • Google Calendar
    • Google Drive
    • Gmail
    • Microsoft Azure
    • Office 365 Email
    • Office 365 OneDrive
    • Office 365 SharePoint
    • Salesforce
    • SAP
    • ServiceNow
    • Slack
    • Yammer
    Gatelets:
    • 4Shared
    • 4Sync
    • Acrobat.com
    • AIM Mail
    • Alfresco
    • Amazon CloudDrive
    • Amazon Web Services
    • Amazon WorkDocs
    • BitCasa
    • Box
    • BV ShareX
    • cCloud
    • CentralDesktop
    • CloudMe
    • CloudProvider
    • Confluence
    • Copy
    • Cubby
    • DigitalBucket
    • Digital Ocean
    • Dropbox
    • Dynamics
    • Egnyte
    • FilesAnywhere
    • Flow
    • Ftopia
    • Gmail
    • GroupDocs
    • Hightail
    • Huddle
    • IBM Connections
    • iCloud
    • iDrive
    • Intralinks
    • Joyent

Data Type
    Values: Data-at-Rest, Data-in-Motion, Custom
    Specifies the data type: data at rest (stored in a cloud repository), data in motion (data traveling over the network), or custom.
User attributes
User attributes address specific information about the user that is associated with an incident.

Activity Type
    Values: Create, Edit, Rename, Upload, Download, Custom
    Specifies the type of action that was taken by the user on the data of the incident. Symantec Web Security Service does not use this attribute.

Client Tenant Domain
    Enter the name in the Match field.
    Specifies the client tenant domain of the user. You can match exactly with or without case sensitivity, or match on a regular expression.

Client Tenant User ID
    Enter the user identifier in the Match field.
    Specifies the client tenant identifier of the user. You can match exactly with or without case sensitivity, or match on a regular expression.

Exposed Document Count
    Operators: Is Greater Than, Is Less Than, Is Greater Than or Equals, Is Less Than or Equals, Equals, Range
    Specifies the users with a number of exposed documents above or below a certain value, or within a range you specify. Symantec Web Security Service does not use this attribute.

User ID
    Values: Match, Match Type
    Specifies a user identifier that you provide. You can match exactly with or without case sensitivity, or match on a regular expression.

User Name
    Values: Match, Match Type
    Specifies a user name that you provide. You can match exactly with or without case sensitivity, or match on a regular expression. Symantec Web Security Service does not use this attribute.

User Threat Score
    Operators: Is Greater Than, Is Less Than, Is Greater Than or Equals, Is Less Than or Equals, Equals, Range
    Specifies the Shadow IT threat score of the user, above or below a certain value, or within a range you specify. This attribute applies only to Securlet policies.
Document Creation Date
    Operators: After, Before, On or After, On or Before, On, Range
    Specifies the date the document was created.

Document Last Accessed
    Operators: After, Before, On or After, On or Before, On, Range
    Specifies the date the document was last accessed.

Document Last Modified
    Operators: After, Before, On or After, On or Before, On, Range
    Specifies the date the document was last modified.

Document Owner
    Values: Match, Match Type
    Specifies the name of the document owner. You can match exactly with or without case sensitivity, or match on a regular expression.

Document Tag
    Values: Match, Match Type
    Specifies the metadata tag of the document. You can match exactly with or without case sensitivity, or match on a regular expression.

Document Type
    Values: Match, Match Type
    Specifies the type of document. You can match exactly with or without case sensitivity, or match on a regular expression.
Table 641: Data transfer attributes
Custom attributes
Custom attributes let you enter any attributes for your Application Detection policies that are not provided by default.
Lastly, you can enable metadata extraction for a limited number of document formats (such as DOCX), and use keyword matching to detect document metadata.
See About document metadata detection.
NOTE
While there is some overlap among file types supported for extraction and for identification (because if the
system can crack the file it must be able to identify its type), the supported formats for each operation are
distinct and implemented using different match conditions. The number of file formats supported for type
identification is much broader than those supported for content extraction.
File type identification
    Description: Symantec Data Loss Prevention does not rely on file extensions to identify the format. File type is identified by the unique binary signature of the file format.
    Configuration: Explicitly, using the Message Attachment or File Type Match file property condition.
    Supported formats: Supported formats for file type identification

File contents extraction
    Description: File contents is any text-based content that can be viewed through the native or source application.
    Configuration: Implicitly, using one or more content match conditions, including EDM, IDM, VML, data identifiers, keyword, and regular expressions.
    Supported formats: Supported formats for content extraction

Subfile extraction (Subfile)
    Description: Subfiles are files encapsulated in a parent file. Subfiles are extracted and processed individually for identification and content extraction. If the subfile format is not supported by default, a custom method can be used to detect and crack the file.
    Configuration: Implicitly, using one or more content match conditions, including EDM, IDM, VML, data identifiers, keyword, and regular expressions.
    Supported formats: Supported encapsulation formats for subfile extraction

Metadata extraction (Metadata)
    Description: Metadata is information about the file, such as author, version, or user-defined tags. Generally limited to Microsoft Office documents (OLE-enabled) and Adobe PDF files. Metadata support may differ between agent and server.
    Configuration: Available for content-based match conditions. Must be enabled.
    Supported formats: Supported file formats for metadata extraction
NOTE
The Message Attachment or File Type Match condition is a context-based match condition that only supports file type identification. This condition does not support file contents extraction. To extract file contents for policy evaluation you must use a content-based detection rule.
See Supported formats for content extraction and Overview of detection file format support.
Message Attachment or File Type Match formats
iCalendar
Informix SmartWare II
Informix SmartWare II Communication File
Informix SmartWare II Database
Informix SmartWare Spreadsheet
Interleaf
Java Archive
JPEG
JPEG File Interchange Format (JFIF)
JustSystems Ichitaro
KW ODA G31D (G31)
KW ODA G4 (G4)
KW ODA Internal G32D (G32)
KW ODA Internal Raw Bitmap (RBM)
Lasergraphics Language
Legato Extender
Link Library- Other
Link Library UNIX
Link Library VAX
Link Library SUN
Lotus 1-2-3 (123)
Lotus 1-2-3 (WK4)
Lotus 1-2-3 Charts
Lotus AMI Pro
Lotus AMI Professional Write Plus
Lotus AMIDraw Graphics
Lotus Freelance Graphics
Lotus Freelance Graphics 2
Lotus Notes Bitmap
Lotus Notes CDF
Lotus Notes database
Lotus Pic
Lotus Screen Cam
Lotus SmartMaster
Lotus Word Pro
Lyrix MacBinary
MacBinary
Macintosh Raster
MacPaint
Macromedia (Adobe) Director
NeXT/Sun Audio
NIOS TOP
Nota Bene
Nurestor Drawing (NUR) (server only)
Oasis Open Document Format (ODT)
Oasis Open Document Format (ODS)
Oasis Open Document Format (ODP)
Object Module UNIX
Object Module VAX
Object Module SUN
ODA/ODIF
ODA/ODIF (FOD 26)
Office Writer
OLE DIB object
OLIDIF
OmniOutliner (OO3)
OpenOffice Calc (SXC)
OpenOffice Calc (ODS)
OpenOffice Impress (SXI)
OpenOffice Impress (SXP)
OpenOffice Impress (ODP)
OpenOffice Writer (SXW)
OpenOffice Writer (ODT)
Open PGP
OS/2 PM Metafile Graphics
Paradox (PC) Database
PC COM executable
PC Library Module
PC Object Module
PC PaintBrush
PC True Type Font
PCD Image
PeachCalc Spreadsheet
Persuasion Presentation
PEX Binary Archive (SUN)
PGP Compressed Data
PGP Encrypted Data
PGP Public Keyring
PGP Secret Keyring
PGP Signature Certificate
WinZip
Word Connection
WordERA (V 1.0)
WordMARC word processor
WordPad
WordPerfect General File
WordPerfect Graphics 1
WordPerfect Graphics 2
WordStar
WordStar 2000
WordStar 6.0
WriteNow
Writing Assistant word processor
X Bitmap (XBM)
X Image
X Pixmap (XPM)
Xerox 860 Comm.
Xerox Writer word processor
XHTML
XML (generic)
XML Paper Specification
XyWrite
File format category Default support list
Format Name Format Extension
StarOfficeWriter SXW
StarOfficeWriter ODT
WordPad RTF
XML Paper Specification XPS
XyWrite XY4
Table 648: Supported spreadsheet formats for file contents extraction
Table 649: Supported text and markup file formats for content extraction
ANSI TXT
ASCII TXT
HTML HTM
Microsoft Excel Windows XML XML
Microsoft Word Windows XML XML
Microsoft Visio XML VDX
Oasis Open Document Format ODT
Oasis Open Document Format ODS
Oasis Open Document Format ODP
Rich Text Format RTF
Unicode Text TXT
Format Name Format Extension
XHTML HTM
XML (generic) XML
Table 652: Supported graphics file formats for content extraction
File Share Encryption (PGP Netshare)
    You can decrypt Symantec File Share encrypted files and can extract file contents for policy evaluation using the File Share plugin.
Custom
    You can write a plug-in to perform content, subfile, and metadata extraction operations on custom file formats.
    Note: Content extraction plug-ins are limited to detection servers.
Virtual Card File
    VCF and VCARD electronic business card files
Supported encapsulation formats for subfile extraction
Symantec Data Loss Prevention supports various encapsulation formats for subfile extraction, such as ZIP, RAR, and
TAR. The system automatically performs subfile extraction for supported formats using content-based match conditions.
Subfile extraction is a subset of content extraction in that, if the system is successful in extracting a subfile from a
supported encapsulated file, the system automatically extracts the text-based subfile contents if the subfile format is
supported for content extraction.
See Overview of detection file format support.
The following list shows the encapsulation formats from which Symantec Data Loss Prevention can extract subfiles for content evaluation.
7-Zip 7Z
BinHex HQX
GZIP GZ
iCalendar ICS
Java Archive JAR
Microsoft Cabinet CAB
Microsoft Compressed Folder LZH
Microsoft Compressed Folder LHA
Microsoft Visio 2013 VSD
Microsoft Visio 2013 XML VSDX
Microsoft Visio 2013_Macro VSDM
Microsoft Visio 2013_Stencil VSSX
Microsoft Visio 2013_Stencil_Macro VSSM
Microsoft Visio 2013_Template VSTX
Microsoft Visio 2013_Template_Macro VSTM
PKZIP ZIP
WinZip ZIP
RAR archive RAR
Tape Archive TAR
UNIX Compress Z
UUEncoding UUE
Virtual Card File VCF and VCARD electronic business card files
YENC YENC (server only)
This list is not exhaustive and is provided for quick reference only. Other file formats may be supported, and other custom fields may be returned. The best practice is to always use the filter utility to verify metadata support for each file format you want to detect.
See Always use the filter utility to verify file format metadata support.
Microsoft Office documents, for example Word (DOC, DOCX), Excel (XLS, XLSX), and PowerPoint (PPT, PPTX)
    For Microsoft Office documents, the system extracts Object Linking and Embedding (OLE) metadata.
    Example fields: Title, Subject, Author, Keywords, and other custom fields.

Adobe PDF files
    For Adobe PDF files, the system extracts Document Information Dictionary (DID) metadata. The system does not support Adobe Extensible Metadata Platform (XMP) metadata extraction.
    Example fields: Author, Title, Subject, Creation and Update dates.

Microsoft Visio
    See Supported format extensions.

Other file formats (including binary and text)
    Use the filter utility to verify metadata extraction for other file formats. See Always use the filter utility to verify file format metadata support.

Custom file formats
    Content extraction plug-in that supports the metadata extraction operation. See Custom file type metadata.
1. Log on to the Enforce Server administration console as a system administrator.
2. Navigate to the System > Servers and Detectors > Overview > Server/Detector Detail - Advanced Settings screen for the detection server or cloud detector for which you want to enable metadata extraction.
3. Click the Server Settings button.
4. Locate property ContentExtraction.EnableMetaData in the list.
5. Enter the value on for this property to enable metadata extraction.
6. Click Save to save the configuration.
7. Click Recycle the server at the Server Detail screen to restart the server.
8. Click Done at the Server Detail screen to complete the process.
• Always use filter to verify file format metadata support. See Always use the filter utility to verify file format metadata support.
• Enable metadata detection only if it is necessary. See Distinguish metadata from file content and application data.
• Avoid generating false positives by selecting keywords carefully. See Use and tune keyword lists to avoid false positives on metadata.
• Understand resource implications of endpoint metadata extraction. See Understand performance implications of enabling endpoint metadata detection.
• Create a separate endpoint configuration for metadata detection. See Create a separate endpoint configuration for metadata detection.
• Use response rules to add metadata tags to incidents. See Use response rules to tag incidents with metadata.
Always Use the Filter Utility to Verify File Format Metadata Support
To help you create policies that detect file format metadata, use the filter utility that is available with any Symantec Data
Loss Prevention detection or Endpoint Server installation. This utility provides an easy way to determine which metadata
fields the system returns for a given file format. The utility generates output that contains the metadata the system will
extract at runtime for each file format you test using filter.
To verify file format metadata extraction support using filter describes how to use the filter utility. It is recommended that
you always follow this process so that you can create and tune policies that accurately detect file format metadata.
NOTE
The data output by the filter utility is in ASCII format. Symantec Data Loss Prevention processes data in Unicode
format. Therefore, you may rely on the existence of the fields returned by the filter utility, but the metadata
detected by Symantec Data Loss Prevention may not look identical to the filter output.
To verify file format metadata extraction support using filter
1. On the file system where a detection server is installed, start a command prompt session.
2. Change directory to where the filter utility is located.
For example, on a default 64-bit Windows installation you would issue the following command:
cd \Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\plugins\contentextraction\Verity\x64
3. Issue the following command to run the filter program and display its syntax and optional parameters:
filter -help
As indicated by the help, you use the following syntax to execute the filter utility:
filter [options] inputfile outputfile
The inputfile is an instance of the file format you want to verify. The outputfile is a file the filter utility writes the extracted data to.
• To verify metadata extraction, use the -i ("get doc summary info") option: filter -i inputfile outputfile
• To verify content extraction, use no options: filter inputfile outputfile
4. Execute filter against an instance of the file format to verify metadata extraction.
For example, on Windows you would issue the following command:
filter -i \temp\myfile.doc \temp\metadata_output.txt
Where myfile.doc is a file containing metadata you want to verify and have copied to the \temp directory, and metadata_output.txt is the name of the file you want the system to generate and write the extracted data to.
5. Review the filter output. The output data should be similar to the following:
1 2 1252 CodePage 1 1 "S" Title 0 0 (null) 1 1 "P" Author 0 0 (null)
0 0 (null) 0 1 "" (null) 1 1 "m" LastAuthor 1 1 "1" RevNumber
1 3 6300 Minutes EditTime 1 3 Mon Aug 27 11:53:07 2007 LastPrinted
6. Refer to the following tables for an explanation of each metadata extraction field output by the filter utility.
Example filter metadata output repeats the output from Step 5, formatted for readability with one record per line:
1 2 1252 CodePage
1 1 "S" Title
0 0 (null)
1 1 "P" Author
0 0 (null)
0 0 (null)
0 1 "" (null)
1 1 "m" LastAuthor
1 1 "1" RevNumber
1 3 6300 Minutes EditTime
1 3 Mon Aug 27 11:53:07 2007 LastPrinted
Metadata fields generated by the filter utility explains each column field:
Column 1: 1 = valid field, 0 = invalid field. You may ignore rows where the first column is 0.
Column 2: The type of data: 1 = String, 2 = Integer, 3 = Date/Time, 5 = Boolean.
Column 3: The data payload for the field.
Column 4: The name of the field (empty or null if the field is invalid).
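The raw output in Step 5 runs several records together on three lines, so the four-column layout is easy to misread. The following Python is an added example, not part of this page and not part of the Symantec filter utility: it reads the one-record-per-line form of the output, discards rows whose first column is 0 as the table above advises, and types each remaining field by its column 2 code. The sample input is the page's own output; the function names are the example's own. Keep the page's caveat in mind: filter writes ASCII while the detection server processes Unicode, so values seen here may not look identical to what the server detects at runtime.

```python
"""Parse the per-line form of `filter -i` metadata output (added example)."""
from datetime import datetime

# Column 2 codes as documented on the page (4 is not listed there).
TYPE_NAMES = {1: "String", 2: "Integer", 3: "Date/Time", 5: "Boolean"}

# Constructed sample: the page's Step 5 output, one record per line.
SAMPLE_OUTPUT = """\
1 2 1252 CodePage
1 1 "S" Title
0 0 (null)
1 1 "P" Author
0 0 (null)
0 0 (null)
0 1 "" (null)
1 1 "m" LastAuthor
1 1 "1" RevNumber
1 3 6300 Minutes EditTime
1 3 Mon Aug 27 11:53:07 2007 LastPrinted
"""


def convert(ftype, payload):
    """Turn the column 3 text into a Python value according to column 2."""
    if ftype == 1:  # String: filter wraps the value in double quotes
        if len(payload) >= 2 and payload[0] == payload[-1] == '"':
            return payload[1:-1]
        return payload
    if ftype == 2:  # Integer
        return int(payload)
    if ftype == 3:  # Date/Time: either a ctime-style stamp or a duration
        try:
            return datetime.strptime(payload, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            return payload  # e.g. "6300 Minutes" for EditTime
    if ftype == 5:  # Boolean (representation assumed: 1/true/yes)
        return payload.lower() in ("1", "true", "yes")
    return payload


def parse_filter_output(text):
    """Return {field_name: (type_name, value)} for valid rows only.

    Column 1 is the validity flag, column 2 the type code, the last token
    is the field name and everything in between is the payload, which may
    itself contain spaces (dates, durations).
    """
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        try:
            valid, ftype = int(parts[0]), int(parts[1])
        except (IndexError, ValueError):
            raise ValueError("line %d: expected '<valid> <type> ...': %r" % (lineno, line))
        if valid != 1:
            continue  # rows with column 1 == 0 carry nothing usable
        if len(parts) < 4:
            raise ValueError("line %d: valid field without payload and name: %r" % (lineno, line))
        name, payload = parts[-1], " ".join(parts[2:-1])
        fields[name] = (TYPE_NAMES.get(ftype, "Unknown(%d)" % ftype), convert(ftype, payload))
    return fields


def string_fields(fields):
    """Names of the String-typed fields: the ones a keyword rule can target."""
    return sorted(name for name, (tname, _) in fields.items() if tname == "String")


if __name__ == "__main__":
    for name, (tname, value) in parse_filter_output(SAMPLE_OUTPUT).items():
        print("%-12s %-10s %r" % (name, tname, value))
```

Only the String fields (Title, Author, LastAuthor, RevNumber in this sample) are candidates for a keyword condition; the integer and date fields are what you would use to decide whether a document's metadata is worth inspecting at all.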
Application data
    Application data, including message transport information, is extracted separately from the file format extraction. For all inbound messages, the system extracts message envelope (header) and subject information as text at the application layer. The type of application data that is extracted depends on the channels that are supported by the detection server or endpoint.

Headers and footers
    Document header text and footer text are extracted as content, not metadata. To avoid false positives, remove or allowlist headers and footers from documents.
    See Use Safe Listing to Exclude Non-Sensitive Content from Partial Matching and Indexed Document Matching (IDM) for details.

Markup text
    Markup text is extracted as content, not metadata. Markup text extraction is supported for HTML, XML, SGML, and more. Markup text extraction is disabled by default.
    See Advanced Server Settings to enable Markup text extraction.

Hidden text
    Hidden text is extracted as content, not metadata. Hidden text extraction in the form of tracked changes is supported for some Microsoft Office file formats. Hidden text extraction is disabled by default.
    See Advanced Server Settings to enable Hidden text extraction.

Watermarks
    Text-based watermarks are extracted as content, not metadata. Text-based watermark detection is supported for Microsoft Word documents (versions 2003 and 2007). Text-based watermark detection is not supported for other file formats.
WARNING
Do not enable Office Open XML high-performance content extraction on detection servers using Indexed
Document Matching (IDM) policies.
Table 661: Office Open XML formats for high-performance content extraction
    spiVersion="1.1"
    disabled="false"
    extractsAllSubfiles="true">
3. (Optional): To enable PowerPoint content extraction, add the following lines to the manifest.xml file:
    <documentType type="pptx">
      <supportedOperations>
        <operation type="FileTypeIdentification"/>
        <operation type="TextExtraction"/>
        <operation type="SubFileExtraction"/>
        <operation type="MetadataExtraction"/>
      </supportedOperations>
    </documentType>
Property type Property
Company
EditTime
HyperlinkBase
HyperlinksChanged
LineCount
LinksDirty
Manager
PageCount
Parcount
ScaleCrop
Security
SharedDoc
Template
TitleOfParts
WordCount
Custom properties All other custom properties
Table 663:
skipFilesWithSignatures=0x38,0x42,0x50,0x53;
imageSignatures=0x42,0x4d;
0xff,0xd8,0xff,0xe0;
0xff,0xd8,0xff,0xe1;
0xff,0xd8,0xff,0xe8;
0xff,0xd8,0xff,0xe2;
0xff,0xd8,0xff,0xe3;
0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a;
0xd7,0xcd,0xc6,0x9a;
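Each entry above is a leading-byte signature, which is the mechanism the Overview of detection file format support describes: the format is identified by its binary signature, never by its extension. The following Python is an added example, not part of this page and not the product's own code. It parses the two lists in exactly the syntax shown above and classifies constructed byte strings by their leading bytes, so that a JPEG renamed to .docx is still reported as an image and a truncated header is reported as unknown. The human-readable labels attached to each signature and the sample headers are the example's own assumptions; the page states neither.

```python
"""Signature-based file type identification over the lists shown above (added example)."""
import re

# Constructed copy of the page's two lists, kept in the page's own syntax:
# name=sig;sig;... with each signature a comma-separated run of hex bytes.
SIGNATURE_CONFIG = """
skipFilesWithSignatures=0x38,0x42,0x50,0x53;
imageSignatures=0x42,0x4d;
0xff,0xd8,0xff,0xe0;
0xff,0xd8,0xff,0xe1;
0xff,0xd8,0xff,0xe8;
0xff,0xd8,0xff,0xe2;
0xff,0xd8,0xff,0xe3;
0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a;
0xd7,0xcd,0xc6,0x9a;
"""

# Assumed labels for the signatures above; the page does not name them.
LABELS = {
    b"8BPS": "Adobe Photoshop",
    b"BM": "Windows Bitmap",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xd7\xcd\xc6\x9a": "Windows Metafile (placeable)",
}

# Constructed sample headers (first bytes of hypothetical files).
SAMPLES = {
    "report.docx": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # JPEG renamed to .docx
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "design.psd": b"8BPS\x00\x01",
    "notes.txt": b"see BM for details",
    "bmw.txt": b"BMW sales figures",  # text that happens to start with "BM"
    "cut.jpg": b"\xff\xd8",  # truncated: shorter than any JPEG signature
}


def parse_signature_config(text):
    """Return {list_name: [bytes, ...]} from the semicolon-separated syntax.

    An entry with no name= prefix continues the most recently named list,
    which is how the page's listing attaches seven signatures to imageSignatures.
    """
    lists, current = {}, None
    for entry in text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            current, entry = (s.strip() for s in entry.split("=", 1))
            lists[current] = []
        if current is None:
            raise ValueError("signature before any list name: %r" % entry)
        hexbytes = [h.strip() for h in entry.split(",") if h.strip()]
        if not hexbytes or not all(re.fullmatch(r"0x[0-9a-fA-F]{2}", h) for h in hexbytes):
            raise ValueError("malformed signature: %r" % entry)
        lists[current].append(bytes(int(h, 16) for h in hexbytes))
    return lists


def identify(data, sigs):
    """Classify data by its leading bytes.

    Returns ("skip", sig) for a skip-list match, ("image", sig) for the longest
    matching image signature and ("unknown", None) otherwise. A header shorter
    than every signature never matches, so a truncated file is "unknown".
    """
    for sig in sigs.get("skipFilesWithSignatures", []):
        if data.startswith(sig):
            return "skip", sig
    best = None
    for sig in sigs.get("imageSignatures", []):
        if data.startswith(sig) and (best is None or len(sig) > len(best)):
            best = sig
    return ("image", best) if best else ("unknown", None)


def describe(data, sigs=None):
    """Verdict as 'kind: label', using the assumed LABELS for readability."""
    sigs = sigs or parse_signature_config(SIGNATURE_CONFIG)
    kind, sig = identify(data, sigs)
    if sig is None:
        return kind
    label = next((v for k, v in LABELS.items() if sig.startswith(k)), sig.hex())
    return "%s: %s" % (kind, label)


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print("%-12s %s" % (name, describe(head)))
```

The bmw.txt case is the practical caveat: a two-byte signature such as BM is weak evidence on its own, so a text file beginning with those letters is classified as a bitmap by leading bytes alone. Longer signatures (PNG's eight bytes) do not have this problem, which is why a file-type condition is best combined with a content condition rather than used as the only evidence.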
Table 664: Caldicott Report policy template rules

Patient Data and Drug Keywords (Compound EDM and Keyword Rule)
    This compound rule looks for a match among the following EDM data fields in combination with a keyword from the "Prescription Drug Names" dictionary. Both conditions must be satisfied for the rule to trigger an incident.
    • Account number
    • Email
    • ID card number
    • Last name
    • Phone
    • UK NHS (National Health Service) number
    • UK NIN (National Insurance Number)

Patient Data and Disease Keywords (Compound EDM and Keyword Rule)
    This compound rule looks for a match among the following EDM data fields in combination with a keyword from the "Disease Names" dictionary. Both conditions must be satisfied for the rule to trigger an incident.
    • Account number
    • Email
    • ID card number
    • Last name
    • Phone
    • UK NHS (National Health Service) number
    • UK NIN (National Insurance Number)

Patient Data and Treatment Keywords (Compound EDM and Keyword Rule)
    This compound rule looks for a match among the following EDM data fields in combination with a keyword from the "Medical Treatment Keywords" dictionary. Both conditions must be satisfied for the rule to trigger an incident:
    • Account number
    • Email
    • ID card number
    • Last name
    • Phone
    • UK NHS (National Health Service) number
    • UK NIN (National Insurance Number)

UK NHS Number and Drug Keywords (Simple DCM Rule)
    This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Prescription Drug Names" dictionary.

UK NHS Number and Disease Keywords (Simple DCM Rule)
    This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Disease Names" dictionary.

UK NHS Number and Treatment Keywords (Simple DCM Rule)
    This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Medical Treatment Keywords" dictionary.
California Consumer Privacy Act Policy Template
The California Consumer Privacy Act covers the handling and protection of sensitive personal information that individuals
provide during everyday transactions.
This template works best with an exact data profile that contains the following columns:
• personalID
• uniqueID
If the chosen exact data profile does not have all recommended columns, the new policy depends on the columns that are present.
If you select the Do not use Exact Data Matching option, the policy is created from the template, but any Exact Data Matching rules that the template contains are not created.

Randomized US Social Security Number (SSN) (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
US Vehicle Identification Number (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
US Passport Number (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
Driver's License Number - California State (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
US Individual Tax Identification Number (ITIN) (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
US Adoption Taxpayer Identification Number (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
CCPA Travel Related Keywords (Keyword Match)
    Match "account number", "bank card number", "driver license number", "ID card number", "passenger name", ... Default severity: High. Check for existence. Look in envelope, subject, body, and attachments. Case insensitive. Match on whole words only.
US Preparer Taxpayer Identification Number (Data Identifiers)
    Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
See Configuring policies and Exporting policy detection as a template.
CAN-SPAM Act Policy Templates
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) establishes requirements for
those who send commercial email.
The CAN-SPAM Act template detects activity from an organization's bulk mailer to help ensure compliance with the CAN-
SPAM Act requirements.
The detection exception Exclude emails that contain the mandated keywords allows messages to pass that have one or more keywords from the user-defined "CAN-SPAM Exception Keywords" dictionary.
Table 666: Detection exception: Exclude emails that contain the mandated keywords
Simple exception, Content Matches Keyword (DCM)
    Exclude emails that contain the mandated keywords (Keyword Match):
    • Match keyword from "[physical postal address]" or "advertisement".
    • Look in envelope, subject, body, attachments.
    • Case insensitive.
    • Match on whole words only.
    Note: After you define the keywords, you can choose to count all matches and require 2 keywords from the list to be matched.
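The options in this exception (case insensitive, whole words only, optionally count all matches and require 2 keywords) are the same ones the CCPA keyword rule above uses, and they decide what the exception lets through. The following Python is an added example, not from this page and not the product's keyword engine: it implements a keyword condition with those options and runs it over constructed messages. The bracketed "[physical postal address]" placeholder from the table is replaced by that literal phrase for the example, and reading "count all matches" as counting every occurrence (rather than distinct keywords) is an assumption of the example.

```python
"""Keyword match condition with the page's options (added example)."""
import re


def compile_keywords(keywords, whole_words=True, case_insensitive=True):
    """Compile each keyword to a regex honoring the two matching options.

    Whole-word matching is enforced with look-arounds on \\w rather than \\b
    so that keywords beginning or ending in punctuation still work; internal
    whitespace in a multi-word keyword matches any run of whitespace.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    compiled = []
    for kw in keywords:
        pattern = r"\s+".join(re.escape(tok) for tok in kw.split())
        if whole_words:
            pattern = r"(?<!\w)" + pattern + r"(?!\w)"
        compiled.append((kw, re.compile(pattern, flags)))
    return compiled


def keyword_matches(text, compiled):
    """Return {keyword: occurrence_count} for the keywords present in text."""
    hits = {}
    for kw, pat in compiled:
        n = len(pat.findall(text))
        if n:
            hits[kw] = n
    return hits


def keyword_condition(text, keywords, min_keywords=1, count_all=False,
                      whole_words=True, case_insensitive=True):
    """True when the condition is met.

    min_keywords is the number of matches required. With count_all=False
    distinct keywords are counted (existence); with count_all=True every
    occurrence counts, so one keyword repeated twice satisfies min_keywords=2
    (assumed reading of the page's "count all matches" note).
    """
    hits = keyword_matches(text, compile_keywords(keywords, whole_words, case_insensitive))
    total = sum(hits.values()) if count_all else len(hits)
    return total >= min_keywords


# The exception's keywords, with the placeholder replaced by a literal phrase.
CAN_SPAM_KEYWORDS = ["physical postal address", "advertisement"]

# Constructed messages.
COMPLIANT = "This message is an ADVERTISEMENT. Our physical postal address: 1 Main St."
NONCOMPLIANT = "Great deals inside! Reply to unsubscribe."
SUBSTRING_TRAP = "We will address advertisements in the next meeting."
REPEATED = "Advertisement! advertisement!"

if __name__ == "__main__":
    for label, msg in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT),
                       ("substring trap", SUBSTRING_TRAP), ("repeated", REPEATED)]:
        print("%-15s whole-word, 2 required: %s" % (
            label, keyword_condition(msg, CAN_SPAM_KEYWORDS, min_keywords=2)))
```

The substring trap is why "Match on whole words only" matters for an exception: with whole-word matching off, "advertisements" satisfies the keyword "advertisement" and the message would be excluded from detection without carrying the mandated disclosure.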
The detection exception CAN-SPAM Compliant Emails excludes from detection document content that matches the selected IDM index at 90% or more.
Simple exception, Content Matches Document Profile (IDM)
    Exception for CAN-SPAM compliant emails (IDM):
    • Exact content match (90%)
    • Look in the message body and attachments.
    • Check for existence.
See Choosing an Indexed Document Profile.
If neither exception applies, the detection rule Monitor Email From Bulk Mailer looks for a sender's email address that matches one from the user-defined "Bulk Mailer Email Address" list.
Simple rule, Sender/User Matches Pattern (DCM)
    Monitor Email From Bulk Mailer (Sender):
    • Match sender pattern(s): [bulk-mailer@company.com] (user defined)
    • Severity: High.
Colombian Personal Data Protection Law 1581 Policy Template
The Colombian Personal Data Protection Law 1581 policy template detects the personal data of Colombian citizens at risk
of exposure.
Table 669: Colombian Personal Data Protection Law 1581 policy template rules

Colombia Address Number
    Detects Colombian street addresses using the Colombian Addresses data identifier.
Colombia Cell Phone Number
    Detects Colombian cell phone numbers using the Colombian Cell Phone Number data identifier.
Colombia Personal Identification Number
    Detects Colombian personal identification numbers using the Colombian Personal Identification Number data identifier.
Colombia Tax Identification Number
    Detects Colombian tax identification numbers using the Colombian Tax Identification Number data identifier.
Related Links
Data Identifiers on page 1034
Configuring policies
Exporting policy detection as a template
Table 670: Rules comprising the Confidential Documents template

Confidential Documents, Indexed (Simple IDM Rule with one condition)
    This rule looks for content from specific documents registered as confidential; returns a match if 80% or more of the source document is found. If you do not have an Indexed Document Profile configured this rule is dropped.

Confidential Documents (Compound DCM Rule: Attachment/File Type and Keyword Match; both conditions must match for the rule to trigger an incident)
    This rule looks for a combination of keywords from the "Confidential Keywords" list and the following file types:
    • Microsoft Excel Macro
    • Microsoft Excel
    • Microsoft Works Spreadsheet
    • SYLK Spreadsheet
    • Corel Quattro Pro
    • Multiplan Spreadsheet
    • Comma Separated Values
    • Applix Spreadsheets
    • Lotus 1-2-3
    • Microsoft Word
    • Adobe PDF
    • Microsoft PowerPoint

Proprietary Documents (Compound DCM Rule: Attachment/File Type and Keyword Match)
    This compound rule looks for a combination of keywords from the "Proprietary Keywords" dictionary and the above referenced file types.

Internal Use Only Documents (Compound DCM Rule: Attachment/File Type and Keyword Match)
    This compound rule looks for a combination of keywords from the "Internal Use Only Keywords" dictionary and the above referenced file types.

Documents Not For Distribution (Compound DCM Rule: Attachment/File Type and Keyword Match)
    This compound rule looks for a combination of keywords from the "Not For Distribution Words" dictionary and the above referenced file types.
See Configuring policies and Exporting policy detection as a template.
Credit Card Numbers Policy Template
This policy detects patterns indicating credit card numbers at risk of exposure.
Configuring policies
Exporting policy detection as a template
Table 671: EDM conditions for the Customer Data Protection Policy Template

Username/Password Combinations (EDM Rule)
    This rule looks for usernames and passwords in combination with three or more of the following fields:
    • SSN
    • Phone
    • Email
    • First Name
    • Last Name
    • Bank Card number
    • Account Number
    • ABA Routing Number
    • Canadian Social Insurance Number
    • UK National Insurance Number
    However, the following combinations are not a violation:
    • Phone, email, and last name
    • Email, first name, and last name
    • Phone, first name, and last name

Date of Birth (EDM Rule)
    This rule looks for any three of the following data fields in combination:
    • SSN
    • Phone
    • Email
    • First Name
    • Last Name
    • Bank Card number
    • Account Number
    • ABA Routing Number
    • Canadian Social Insurance Number
    • UK National Insurance Number
    • Date of Birth
    However, the following combinations are not a violation:
    • Phone, email, and first name
    • Phone, email, and last name
    • Email, first name, and last name
    • Phone, first name, and last name

Exact SSN or CCN (EDM Rule)
    This rule looks for an exact social security number or bank card number.

Customer Directory (EDM Rule)
    This rule looks for Phone or Email.
Table 672: DCM conditions for the Customer Data Protection Policy Template
US Social Security Number Patterns (Compound DCM Rule): This rule looks for a match to the Randomized US Social Security number data identifier and a keyword from the "US SSN Keywords" dictionary.
Credit Card Numbers, All (Compound DCM Rule): This rule looks for a match to the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.
ABA Routing Numbers (Compound DCM Rule): This rule looks for a match to the ABA Routing number data identifier and a keyword from the "ABA Routing Number Keywords" dictionary.
Table 673: Data Protection Act 1998, Personal Data detection rule
Description
This EDM rule looks for three of the following columns of data:
• NIN (National Insurance Number)
• Account number
• Pin
• Bank card number
• First name
• Last name
• Drivers license
• Password
• Tax payer ID
• UK NHS number
• Date of birth
• Mother's maiden name
• Email address
• Phone number
However, the following combinations are not an incident:
• First name, last name, pin
• First name, last name, password
• First name, last name, email
• First name, last name, phone
• First name, last name, mother's maiden name
Table 674: Additional detection rules in the Data Protection Act 1998 Policy Template
Description
The UK Electoral Roll Numbers rule implements the UK Electoral Roll Number data identifier.
The UK National Insurance Numbers rule implements the narrow breadth edition of the UK National Insurance Number data
identifier.
The UK Tax ID Numbers rule implements the narrow edition of the UK Tax ID Number data identifier.
The UK Drivers License Numbers rule implements the narrow breadth edition of the UK Driver's License number data identifier.
The UK Passport Numbers rule implements the narrow breadth edition of the UK Passport Number data identifier.
The UK NHS Numbers rule implements the narrow breadth edition of the UK National Health Service (NHS) Number data identifier.
The detection rule Secret Information (Keyword Match) looks for any keywords in the "Secret Information" dictionary.
The detection rule Classified or Restricted Information (Keyword Match) looks for any keywords in the "Classified or
Restricted Information" dictionary.
Table 678: Detection rule: Classified or Restricted Information (Keyword Match)
The detection rule Other Sensitive Information looks for any keywords in the "Other Sensitive Information" dictionary.
NOTE
Both file types and file name extensions are used because the policy does not detect the true file type for all the
required documents.
Choosing an Indexed Document Profile
SaaS API Keys - AWS (Data Identifier): SaaS applications and services (AWS EC2, AWS Storage S3 Account, etc.) use keys to identify and authorize API transactions. These keys, secrets, and tokens often provide authorization to sensitive information or actions such as DB or file access, including CRUD operations. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
SaaS API Keys - Azure (Data Identifier): SaaS applications and services (Azure Active Directory, Azure Storage Account, etc.) use keys to identify and authorize client transactions. These keys or secrets often provide authorization to sensitive information or actions such as DB or file access, including CRUD operations. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
SaaS API Keys - GCP (Data Identifier): SaaS applications and services use keys (Secret Key, Access Token, OAuth Client ID, etc.) to identify and authorize API transactions. These keys, secrets, and tokens often provide authorization to sensitive information or actions such as DB or file access, including CRUD operations. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
GitHub Access Tokens (Data Identifier): GitHub access tokens, such as GitHub personal access tokens, GitHub OAuth tokens, and GitHub app tokens, are a secure way to authenticate and authorize access to GitHub resources. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
DB Connection strings (Data Identifier): A database connection string is an expression that contains the parameters, along with sensitive information, that applications require to connect to a database server. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
Private keys and certificates (Data Identifier): Keys, digital certificates, and trusted certificate authorities establish and verify the identities of applications. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
Slack Access Tokens (Data Identifier): Slack access tokens, such as the User OAuth token and the Bot User OAuth token, are authentication tokens used to interact with the Slack platform; they grant authorized access to perform read-write operations on the Slack platform. Default severity: High. Count all unique matches. Look in envelope, subject, body, attachments.
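As an added illustration of what the rules in this group do in practice (this is not code from the Help Center or from Symantec, and not the product's data identifier definitions), the Python scanner below matches a few well-documented secret formats, counts each distinct secret once ("Count all unique matches"), and masks every finding before it is recorded. The token shapes it assumes come from public documentation: AKIA-prefixed AWS access key IDs, ghp_-prefixed classic GitHub personal access tokens, PEM private-key headers, and a Password= pair in a connection string. The sample message is constructed.

```python
import re
from dataclasses import dataclass

SEVERITY = "High"   # default severity of every rule in this group, per the table


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str            # masked secret, safe to write to an incident record
    severity: str = SEVERITY


# Rule name -> (pattern, index of the group that holds the sensitive part).
# Token shapes are assumptions from public documentation, not the DLP product's
# definitions: AWS access key IDs ("AKIA" + 16 upper-case alphanumerics), classic
# GitHub personal access tokens ("ghp_" + 36 alphanumerics), PEM private-key
# headers, and connection strings carrying a Password= pair.
PATTERNS = {
    "SaaS API Keys - AWS": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    "GitHub Access Tokens": (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    "Private keys and certificates": (
        re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"), 0),
    "DB Connection strings": (
        re.compile(r"(?i)\b(?:server|data source|host)=[^;]+;.*?\bpassword=([^;]+)"), 1),
}


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and replace the rest with '*'."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan(text: str) -> list[Finding]:
    """One Finding per (rule, distinct secret). A secret that appears twice is
    reported once, which is what "count all unique matches" means."""
    seen: set[tuple[str, str]] = set()
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, group) in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(group)
                if (rule, secret) in seen:
                    continue
                seen.add((rule, secret))
                findings.append(Finding(rule, line_no, mask(secret)))
    return findings


def unique_match_counts(text: str) -> dict[str, int]:
    """Per-rule count of unique matches, the figure an incident would report."""
    counts: dict[str, int] = {}
    for f in scan(text):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample message. AKIAIOSFODNN7EXAMPLE is the placeholder key ID used
# in AWS documentation; every other value is made up.
SAMPLE = f"""\
Subject: onboarding notes (constructed sample)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN={'ghp_' + 'A' * 36}
conn = "Server=db.example.internal;Database=orders;User Id=app;Password=S3cr3tPassw0rd;"
-----BEGIN RSA PRIVATE KEY-----
(key body omitted from the sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:4} line {f.line_no:2} {f.rule}: {f.redacted}")
    print(unique_match_counts(SAMPLE))
```

The masking step matters as much as the matching: an incident record that stores the full secret turns the DLP database into a second place the credential leaks from.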
Employee Data Protection Policy Template
This policy detects employee data at risk of exposure.
Username/Password Combinations (EDM Rule): This rule looks for usernames and passwords in combination with any three of the following data fields:
• SSN
• Phone
• Email
• First Name
• Last Name
• Bank Card Number
• Account Number
• ABA Routing Number
• Canadian Social Insurance Number
• UK National Insurance Number
• Date of Birth
Employee Directory (EDM Rule): This rule looks for Phone or Email.
US Social Security Number Patterns (DCM Rule): This rule looks for a match from the Randomized US Social Security Number (SSN) data identifier and a keyword from the "US SSN Keywords" dictionary.
Credit Card Numbers, All (DCM Rule): This rule looks for a match from the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.
ABA Routing Numbers (DCM Rule): This rule looks for a match from the ABA Routing number data identifier and a keyword from the "ABA Routing Number Keywords" dictionary.
S/MIME (DCM Rule): This rule looks for a keyword from the "S/MIME Encryption Keywords" dictionary.
HushMail Transmissions (DCM Rule): This rule looks for a match from a list of recipient URLs.
Table 682: Enhanced Credit Card Numbers with Individual Issuers policy template rules
Credit Card Number - American Express: Account number required for processing credit card transactions. Often abbreviated as CCN and also known as a Primary Account Number (PAN). Count all matches. Look in envelope, subject, body, attachments.
Credit Card Number - Mastercard: A payment card number, primary account number (PAN), or card number is the card identifier found on payment cards, such as credit cards and debit cards, issued by Mastercard Inc. It facilitates electronic fund transfers throughout the world. Often abbreviated as CCN and also known as a Bank Card Number. Count all matches. Look in envelope, subject, body, attachments.
Credit Card Number - Visa: A payment card number, primary account number (PAN), or simply a card number, is the card identifier that is found on payment cards, such as credit cards and debit cards, issued by Visa Inc. It facilitates electronic fund transfers throughout the world. Often abbreviated as CCN and also known as a Bank Card Number. Count all matches. Look in envelope, subject, body, attachments.
Credit Card Number - Maestro: A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, issued by Maestro. Maestro is a brand owned by Mastercard that was introduced in 1991. Often abbreviated as CCN and also known as a Bank Card Number. Count all matches. Look in envelope, subject, body, attachments.
Credit Card Number - Japan Credit Bureau (JCB): A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, issued by Japan Credit Bureau (JCB). Often abbreviated as CCN and also known as a Bank Card Number. Count all matches. Look in envelope, subject, body, attachments.
Credit Card Number - Discover: Account number required to process credit card transactions. Often abbreviated as CCN and also known as a Primary Account Number (PAN). Count all matches. Look in envelope, subject, body, attachments.
Credit Card Number - Diners Club: Account number required to process credit card transactions. Often abbreviated as CCN and also known as a Primary Account Number (PAN). Count all matches. Look in envelope, subject, body, attachments.
Export Administration Regulations (EAR) Policy Template
The U.S. Department of Commerce enforces the Export Administration Regulations (EAR). These regulations primarily
cover technologies and technical information with commercial and military applicability. These technologies are also
known as dual-use technologies, for example, chemicals, satellites, software, computers, and so on.
This Export Administration Regulations (EAR) template detects violations from regulated countries and controlled
technologies.
The detection rule Indexed EAR Commerce Control List Items and Recipients looks for a country code in the recipient from the "EAR Country Codes" dictionary and for a specific "SKU" from an Exact Data Profile index (EDM). Both conditions must match to trigger an incident.
Table 683: Detection rule: Indexed EAR Commerce Control List Items and Recipients
Compound rule:
• Content Matches Exact Data (EDM): Choosing an Exact Data Profile
• Content Matches Keyword (DCM): Configuring the Content Matches Keyword condition
The detection rule EAR Commerce Control List and Recipients looks for a country code in the recipient from the "EAR
Country Codes" list and a keyword from the "EAR CCL Keywords" dictionary. Both conditions must match to trigger an
incident.
Table 684: Detection rule: EAR Commerce Control List and Recipients
Compound rule:
Recipient Matches Pattern (DCM), EAR Commerce Control List and Recipients (Recipient):
• Match: Email address OR URL domain suffixes.
• Severity: High.
• Check for existence.
• At least 1 recipient(s) must match.
• Matches on entire message.
Content Matches Keyword (DCM), EAR Commerce Control List and Recipients (Keyword Match):
• Match: EAR CCL Keywords
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
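The two-condition EAR rule of Table 684 expressed as code, as an added example that is not Symantec's implementation: the recipient condition does a domain-suffix match over every recipient (e-mail address or URL), the keyword condition does a case-insensitive whole-word match over subject and body, and the compound rule fires only when at least one recipient and at least one keyword match. The recipient-suffix list and the keyword list are placeholders standing in for the "EAR Country Codes" and "EAR CCL Keywords" dictionaries, whose contents this page does not list; the messages are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Placeholder for the "EAR Country Codes" recipient list (assumed, not the
# product's): ".test" is a reserved TLD, so the sample can never hit a real domain.
RECIPIENT_SUFFIXES = (".test",)
# Placeholder for the "EAR CCL Keywords" dictionary (assumed, not the product's).
CCL_KEYWORDS = ("export controlled", "dual-use", "commerce control list")


@dataclass(frozen=True)
class Message:
    recipients: tuple[str, ...]   # e-mail addresses or URLs (web upload destinations)
    subject: str
    body: str


def recipient_domain(recipient: str) -> str:
    """Domain part of an e-mail address, or the host of a URL, lower-cased."""
    if "@" in recipient:
        return recipient.rsplit("@", 1)[1].lower()
    parsed = urlparse(recipient if "//" in recipient else "//" + recipient)
    return (parsed.hostname or "").lower()


def matching_recipients(msg: Message) -> list[str]:
    """Recipient Matches Pattern: URL/e-mail domain suffix match on every recipient."""
    return [r for r in msg.recipients
            if any(recipient_domain(r).endswith(s) for s in RECIPIENT_SUFFIXES)]


def matching_keywords(msg: Message) -> list[str]:
    """Content Matches Keyword: case-insensitive, whole words only, subject and body."""
    content = f"{msg.subject}\n{msg.body}"
    return [k for k in CCL_KEYWORDS
            if re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", content, re.IGNORECASE)]


def ear_rule_triggers(msg: Message) -> bool:
    """Compound rule: at least one recipient AND at least one keyword must match."""
    return bool(matching_recipients(msg)) and bool(matching_keywords(msg))


# Constructed sample messages (no real recipients or controlled data).
SAMPLES = {
    "both": Message(("partner@lab.example.test",), "Drawings",
                    "Attached: dual-use satellite component drawings, export controlled."),
    "url_recipient": Message(("https://upload.files.test/drop",), "Upload",
                             "Commerce Control List items attached."),
    "no_keyword": Message(("partner@lab.example.test",), "Lunch", "See you at noon."),
    "no_recipient": Message(("colleague@corp.example",), "Drawings",
                            "Attached: dual-use satellite component drawings."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:14} -> {ear_rule_triggers(msg)}")
```

Keeping the two conditions as separate functions mirrors the table: each can be tuned (adding a suffix, adding a keyword) without touching the other, and a false positive can be traced to the condition that produced it.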
develop and implement an identity theft prevention program. FACTA is designed to detect, prevent, and mitigate identity
theft in connection with the opening of a covered account or any existing covered account.
The Username/Password Combinations detection rule detects the presence of both a user name and password from a
profiled database index.
Simple rule, Content Matches Exact Data (EDM): This condition detects exact data containing both of the following data items:
• User name
• Password
Choosing an Exact Data Profile
The Exact SSN or CCN detection rule detects the presence of either a social security number or a credit card number
from a profiled database.
Simple rule, Content Matches Exact Data (EDM): This condition detects exact data containing either of the following data columns:
• Social security number (Taxpayer ID)
• Bank Card Number
Choosing an Exact Data Profile
The Customer Directory detection rule detects the presence of either an email address or a phone number from a
profiled database.
Simple rule, Content Matches Exact Data (EDM): This condition detects exact data containing either of the following data columns:
• Email address
• Phone number
Choosing an Exact Data Profile
The Three or More Data Columns detection rule detects exact data containing three or more data items from a profiled database index.
Table 688: Three or More Data Columns detection rule
Simple rule, Content Matches Exact Data (EDM): Detects exact data containing three or more of the following data items:
• ABA Routing Number
• Account Number
• Bank Card Number
• Birth Date
• Email address
• First Name
• Last Name
• National Insurance Number
• Password
• Phone Number
• Social Insurance Number
• Social security number (Taxpayer ID)
• User name
However, the following combinations are not a match:
• Phone Number, Email, First Name
• Phone Number, First Name, Last Name
Choosing an Exact Data Profile
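The "N of these columns, except these exact combinations" logic that the EDM conditions in Tables 671, 673 and 688 describe, as an added Python example that is neither Symantec's code nor how the product indexes an Exact Data Profile. It covers all three shapes on this page: three or more columns with excluded combinations, both of two columns (Username/Password), and either of two columns (Exact SSN or CCN). The column names are those of Table 688; the index rows and messages are constructed samples.

```python
import re
from dataclasses import dataclass

Row = dict[str, str]   # one indexed record: column name -> value


@dataclass(frozen=True)
class EdmRule:
    name: str
    columns: tuple[str, ...]
    min_matches: int                                    # how many columns must co-occur
    excluded: frozenset[frozenset[str]] = frozenset()   # exact combinations that are not a match


def tokens(text: str) -> list[str]:
    """Lower-case alphanumeric tokens, so '555-0100' and '555 0100' compare equal."""
    return re.findall(r"[a-z0-9]+", text.lower())


def contains_seq(haystack: list[str], needle: list[str]) -> bool:
    """True when needle occurs as a contiguous run of tokens in haystack."""
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def evaluate(rule: EdmRule, rows: list[Row], text: str) -> list[tuple[int, frozenset[str]]]:
    """Return (row index, matched columns) for every indexed row that violates the rule."""
    text_tokens = tokens(text)
    hits = []
    for i, row in enumerate(rows):
        matched = frozenset(
            col for col in rule.columns
            if row.get(col) and contains_seq(text_tokens, tokens(row[col]))
        )
        # An excluded combination is an exception only when it is the whole match;
        # one more column on top of it makes the message a violation again.
        if len(matched) >= rule.min_matches and matched not in rule.excluded:
            hits.append((i, matched))
    return hits


THREE_OR_MORE = EdmRule(
    "Three or More Data Columns",
    ("ABA Routing Number", "Account Number", "Bank Card Number", "Birth Date",
     "Email address", "First Name", "Last Name", "National Insurance Number",
     "Password", "Phone Number", "Social Insurance Number",
     "Social security number (Taxpayer ID)", "User name"),
    min_matches=3,
    excluded=frozenset({
        frozenset({"Phone Number", "Email address", "First Name"}),
        frozenset({"Phone Number", "First Name", "Last Name"}),
    }),
)
USERNAME_PASSWORD = EdmRule("Username/Password Combinations",
                            ("User name", "Password"), min_matches=2)
EXACT_SSN_OR_CCN = EdmRule("Exact SSN or CCN",
                           ("Social security number (Taxpayer ID)", "Bank Card Number"),
                           min_matches=1)

# Constructed sample index rows (not real people or accounts).
SAMPLE_ROWS: list[Row] = [
    {"First Name": "Dana", "Last Name": "Reyes", "Phone Number": "555-0100",
     "Email address": "dana.reyes@example.com", "Account Number": "0098123456",
     "User name": "dreyes", "Password": "hunter2!",
     "Social security number (Taxpayer ID)": "123-45-6789"},
    {"First Name": "Sam", "Last Name": "Okafor", "Phone Number": "555-0199",
     "User name": "sokafor", "Password": "correct horse"},
]

if __name__ == "__main__":
    for text in ("Dana Reyes, call 555-0100",                          # excluded combination
                 "Dana Reyes, call 555-0100, account 0098123456"):     # four columns: violation
        print(repr(text), "->", evaluate(THREE_OR_MORE, SAMPLE_ROWS, text))
```

The point the exclusion lists make is visible in the two sample messages: first name, last name and phone together are the content of any business card, so that exact triple is exempt, but the same triple plus an account number is a violation.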
The US Social Security Number Patterns detection rule implements the narrow breadth edition of the Randomized US
Social Security Number (SSN) system data identifier.
This data identifier detects nine-digit numbers with the pattern DDD-DD-DDDD separated with dashes or spaces or
without separators. The number must be in valid assigned number ranges. This condition eliminates common test
numbers, such as 123456789 or all the same digit. It also requires the presence of a Social Security keyword.
Simple rule, Content Matches Data Identifier (DCM):
• Data Identifier: Randomized US Social Security Number (SSN) narrow breadth
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
The Credit Card Numbers, All detection rule implements the narrow breadth edition of the Credit Card Number system
Data Identifier.
This data identifier detects valid credit card numbers that are separated by spaces, dashes, periods, or without
separators. This condition performs Luhn check validation and includes formats for American Express, Diner's Club,
Discover, Japan Credit Bureau (JCB), MasterCard, and Visa. It eliminates common test numbers, including those
reserved for testing by credit card issuers. It also requires the presence of a credit card keyword.
Table 690: Credit Card Numbers, All detection rule
Simple rule, Content Matches Data Identifier (DCM):
• Data Identifier: Credit Card Number narrow breadth
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
The ABA Routing Numbers detection rule implements the narrow breadth edition of the ABA Routing Number system
Data Identifier.
This data identifier detects nine-digit numbers. It validates the number using the final check digit. This condition eliminates
common test numbers, such as 123456789, number ranges that are reserved for future use, and all the same digit. This
condition also requires the presence of an ABA keyword.
Simple rule, Content Matches Data Identifier (DCM):
• Data Identifier: ABA Routing Number narrow breadth
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
Financial Information, Indexed: This rule looks for content from specific financial information files that are registered as proprietary; returns a match if 80% or more of the source document is found.
Financial Information: This rule looks for the combination of specified file types, keywords from the Financial Keywords dictionary, and keywords from the Confidential/Proprietary Words dictionary. The specified file types are:
• Applix Spreadsheets
• Comma Separated Values
• Corel Quattro Pro
• Lotus 1-2-3
• Microsoft Excel
• Microsoft Excel Macro
• Microsoft Works Spreadsheet
• Multiplan Spreadsheet
• SYLK Spreadsheet
Forbidden Websites Policy Template
The Forbidden Websites policy template is designed to detect access to specified web sites.
NOTE
To process HTTP GET requests appropriately, you may need to configure the Network Prevent for Web server.
To enable a Forbidden Website policy to process GET requests appropriately
Forbidden Websites: This rule looks for any keywords in the "Forbidden Websites" dictionary, which is user-defined.
Suspicious Gambling Keywords: This rule looks for five instances of keywords from the "Gambling Keywords, Confirmed" dictionary.
Less Suspicious Gambling Keywords: This rule looks for 10 instances of keywords from the "Gambling Keywords, Suspect" dictionary.
General Data Protection Regulation (Banking and Finance)
This template focuses on General Data Protection Regulation (GDPR) banking and finance related keywords, Data
Identifiers and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for
individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR
are to give citizens back the control of their personal data and to simplify the regulatory environment for international
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May
2018.
Table 695: General Data Protection Regulations (Banking and Finance) detection rules
GDPR Banking and Finance Related Keywords (Keyword Match): Matches a list of related keywords: account number, bank card number, driver license number, ID card number, Kontonummer, Bankkartennummer, Führerscheinnummer, Ausweisnummer, Numéro de compte, numéro carte bancaire, numéro de permis de conduire, numéro de carte d'identité, numero di conto, banca carta numero, carta d'identità numero, patente guida numero, Número cuenta, número tarjeta bancaria, número licencia conducir, número tarjeta de identificación, rekeningnummer, bank kaart aantal, rijbewijs nummer, ID-kaartnummer, bankkortnummer, körkort nummer, identitetskortnummer, førerkortnummer, ID-kortnummer, tilinumero, pankkikortin numero, ajokortin numero, Henkilökortin numero, uimhir chuntais, uimhir chárta bainc, uimhir ceadúnas tiomána, Uimhir chárta aitheantais, Kontosnummer, Identifikatiounskaart, número de conta, número cartão bancário, número licença motorista, Número do cartão de identificação
Credit Card Number (Data Identifiers): Account number needed to process credit card transactions. Often abbreviated as CCN. Also known as a Primary Account Number (PAN).
UK Driver's Licence Number (Data Identifiers): The UK Drivers Licence Number is the identification number for an individual's driver's license issued by the Driver and Vehicle Licensing Agency of the United Kingdom.
UK Passport Number (Data Identifiers): The UK Passport Number identifies a United Kingdom passport using the current official specification of the UK Government Standards of the UK Cabinet Office.
UK Tax ID Number (Data Identifiers): The UK Tax ID Number is a personal identification number provided by the UK Government Standards of the UK Cabinet Office.
Credit Card Magnetic Stripe Data (Data Identifiers): The magnetic stripe of a credit card contains information about the card. Storage of the complete version of this data is a violation of the Payment Card Industry (PCI) Data Security Standard.
French Passport Number (Data Identifiers): The French passport is an identity document issued to French citizens. Besides enabling the bearer to travel internationally and serving as indication of French citizenship, the passport facilitates the process of securing assistance from French consular officials abroad or from other European Union member states in case a French consulate is absent, if needed.
Belgium National Identity Number (Data Identifiers): All citizens of Belgium have a National Number. Belgians 12 years of age and older are issued a Belgian identity card.
Czech Personal Identification Number (Data Identifiers): All citizens of the Czech Republic are issued a unique personal identification number by the Ministry of Interior.
French INSEE code (Data Identifiers): The INSEE code in France is used as a social insurance number, a national identification number, and for taxation and employment purposes.
French Social Security Number (Data Identifiers): The French Social Security Number (FSSN) is a unique number assigned to each French citizen or resident foreign national. It serves as a national identification number.
Greek Tax Identification Number (Data Identifiers): The Arithmo Forologiko Mitro (AFM) is a unique personal tax identification number assigned to any individual resident in Greece or person who owns property in Greece.
Hungarian Social Security Number (Data Identifiers): The Hungarian Social Security Number (TAJ) is a unique identifier issued by the Hungarian government.
Hungarian Tax Identification Number (Data Identifiers): The Hungarian Tax Identification Number is a 10-digit number that always begins with the digit "8."
Hungarian VAT Number (Data Identifiers): All Hungarian businesses (including non-profit organizations) are granted a value-added tax (VAT) number upon registration at the court of Registry.
Irish Personal Public Service Number (Data Identifiers): The format of the number is a unique 8-character alphanumeric string ending with a letter, such as 8765432A. The number is assigned at the registration of birth of the child, is issued on a Public Services Card, and is unique to every person.
Luxembourg National Register of Individuals Number (Data Identifiers): The Luxembourg National Register of Individuals Number is an 11-digit identification number issued to all Luxembourg citizens at age 15.
Polish Identification Number (Data Identifiers): Every Polish citizen 18 years of age or older residing permanently in Poland must have an Identity Card with a unique personal number. The number is used as identification for almost all purposes.
Polish REGON Number (Data Identifiers): Each national economy entity is obligated to register in the register of business entities called REGON in Poland. It is the only integrated register in Poland covering all of the national economy entities. Each company has a unique REGON number.
Polish Social Security Number (PESEL) (Data Identifiers): The Polish Social Security Number (PESEL) is the national identification number used in Poland. The PESEL number is mandatory for all permanent residents of Poland and for temporary residents living in Poland. It uniquely identifies a person and cannot be transferred to another.
Polish Tax Identification Number (Data Identifiers): The Polish Tax Identification Number (NIP) is a number the government gives to every Polish citizen who works or does business in Poland. All taxpayers have a tax identification number called NIP.
Romanian Numerical Personal Code (Data Identifiers): In Romania, each citizen has a unique numerical personal code (Cod Numeric Personal, or CNP). The number is used by authorities, health care, schools, universities, banks, and insurance companies for customer identification.
Spanish DNI ID (Data Identifiers): The Spanish DNI ID appears on the Documento nacional de identidad (DNI) and is issued by the Spanish Hacienda Publica to every citizen of Spain. It is the most important unique identifier in Spain, used for opening accounts, signing contracts, taxes, and elections.
Spanish Social Security Number (Data Identifiers): The Spanish Social Security Number is a 12-digit number assigned to Spanish workers to allow access to the Spanish healthcare system.
Spanish Customer Account Number (Data Identifiers): The Spanish customer account number is the standard customer bank account number used across Spain.
Spanish Tax ID (CIF) (Data Identifiers): The Spanish Tax Identification corporate tax identifier (CIF) is equivalent to the VAT number and is required for running a business in Spain. This identifier is a company's identification for tax purposes and is required for any legal transactions.
German Passport Number (Data Identifiers): The German passport number is issued to German nationals for the purpose of international travel. A German passport is an officially recognized document that German authorities accept as proof of identity from German citizens.
Bulgarian Uniform Civil Number (Data Identifiers): The uniform civil number (EGN) is a unique number assigned to each Bulgarian citizen or resident foreign national. It serves as a national identification number. An EGN is assigned to Bulgarians at birth, or when a birth certificate is issued.
Austria Social Security Number (Data Identifiers): A social security number is allocated to Austrian citizens who receive available social security benefits. It is allocated by the umbrella association of the Austrian social security authorities.
Spanish Passport Number (Data Identifiers): Spanish passports are issued to Spanish citizens for the purpose of travel outside Spain.
Swedish Passport Number (Data Identifiers): Swedish passports are issued to nationals of Sweden for the purpose of international travel. Besides serving as proof of Swedish citizenship, they facilitate the process of securing assistance from Swedish consular officials abroad or from other European Union member states in case a Swedish consulate is absent, if needed.
German Personal ID Number (Data Identifiers): The German Personal ID Number is issued to all German citizens.
IBAN Central (Data Identifiers): The International Bank Account Number (IBAN) is an international standard for identifying bank accounts across national borders. The IBAN Central data identifier detects IBAN numbers for Andorra, Austria, Belgium, Germany, Italy, Liechtenstein, Luxembourg, Malta, Monaco, San Marino, and Switzerland.
Belgium Passport Number (Data Identifiers): Belgian passports are passports issued by the Belgian state to its citizens to facilitate international travel. The Federal Public Service Foreign Affairs, formerly known as the Ministry of Foreign Affairs, is responsible for issuing and renewing Belgian passports.
Belgium Tax Identification Number (Data Identifiers): Belgium issues a tax identification number for persons who have obligations to declare taxes in Belgium.
Belgium Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Belgium, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
Belgium Driver Licence Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Belgium.
Denmark Personal Identification Number (Data Identifiers): In Denmark, every citizen has a national identification number. The number serves as proof of identification for almost all purposes.
Netherlands Bank Account Number (Data Identifiers): The Netherlands bank account number is the standard bank account number used across the Netherlands.
Netherlands Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the RDW government agency of the Netherlands.
Netherlands Passport Number (Data Identifiers): Dutch passports are issued to Netherlands citizens for the purpose of international travel.
Netherlands Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For the Netherlands, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
France Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of France.
France Tax Identification Number (Data Identifiers): France issues a tax identification number for anyone who has obligations to declare taxes in France.
Germany Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Germany.
Italy Passport Number (Data Identifiers): Italian passports are issued to Italian citizens for the purpose of international travel.
Italy Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Italy, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
Italy Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Italy.
Netherlands Tax Identification Number (Data Identifiers): The Netherlands issues a tax identification number at birth or at registration at the municipality.
Spain Driver's License Number (Data Identifiers): Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Spain.
Germany Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Germany, the Value Added Tax number is issued by the VAT office for the region in which the business is established.
France Value Added Tax (VAT) Number (Data Identifiers): The Value Added Tax (VAT) is a tax levied on goods and services provided in France and is collected from the final customer. Companies must register with the Register of Commerce and Companies in France to get a VAT number allocated.
Austria Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Austria, the VAT number is issued by the tax office for the region in which the business is established.
Sweden Tax Identification Number (Data Identifiers): Sweden uses tax identification numbers (TINs) to identify taxpayers and facilitate the administration of their national tax affairs. TINs are also useful for identifying taxpayers who invest in other EU countries and are more reliable than other identifiers such as name and address.
Sweden Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Denmark Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Denmark, the VAT number is issued by the tax office for the region in which the business is established.
Finland Passport Number (Data Identifiers): Finnish passports are issued to nationals of Finland for the purpose of international travel. They also facilitate the process of securing assistance from Finnish consular officials abroad.
Finland Driver's Licence Number (Data Identifiers): Identification number for an individual's driver's license issued in an EU or EEA Member State for a Finnish license.
Finland Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Ireland Passport Number (Data Identifiers): An Irish passport is the passport issued to citizens of Ireland. An Irish passport enables the bearer to travel internationally and serves as evidence of Irish citizenship and citizenship of the European Union. It also facilitates access to consular assistance from both Irish embassies and any embassy of other European Union member states while abroad.
Ireland Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Ireland, the VAT number is issued by the Irish tax authority.
Ireland Tax Identification Number (Data Identifiers): This number is issued by the Department of Social Protection for natural persons and by the Revenue Commissioners for non-natural persons. Non-natural persons can be companies, partnerships, trusts, and unincorporated bodies.
Luxembourg Passport Number (Data Identifiers): A Luxembourg passport is an international travel document issued to nationals of the Grand Duchy of Luxembourg, and may also serve as proof of Luxembourgish citizenship.
Luxembourg Value Added Tax (VAT) Number (Data Identifiers): VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process.
Portugal National Identification Number (Data Identifiers): The national identification number is a unique identification number usually present on documents like citizen cards, which are issued by the Portuguese government to its citizens. It can be used as a travel document within the EU and some other European countries.
Greece Social Security Number (AMKA) Data Identifiers The AMKA (social security number) is the
work and insurance identification number of
every worker, retired person and protected
family member in Greece.
Romania National Identification Number Data Identifiers In Romania each citizen has a personal
numerical code (Cod Numeric Personal,
CNP) as unique national identification
number. This number is also used as a tax
identification number for financial purposes.
Slovakia National Identification Number Data Identifiers In Slovakia, identification cards are issued
by the state authorities at 15 years of age
for every citizen. This number is used in
Slovak Republic as the primary unique
identifier for every person by government
institutions, banks and so on.
Slovenia Unique Master Citizen Number Data Identifiers The unique master citizen number is a
unique identification number assigned
to every citizen of Slovenia at birth or on
acquiring citizenship.
Latvia Personal Identification Number Data Identifiers The Latvian personal identification number
is used for national identity and as a tax
identification number for financial purposes.
It is issued by the office of citizenship and
migration affairs of the Ministry of Interior.
Sweden Driver's Licence Number Data Identifiers In Sweden, a driving license is required
when operating a car, motorcycle or moped
on public roads. Driving licenses are issued
by the prefectural governments public
safety commissions and are overseen on
a nationwide basis by the National Police
Agency.
Greece Passport Number Data Identifiers Greek passports are issued to Greek
citizens for the purpose of international
travel. The passport along with the
national identity card allows for free rights
of movement and residence in any of
the states of the European Union and
European Economic Area.
Greece Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Greece, VAT is administered by the VAT
office for the region in which the business is
established.
Poland Passport Number Data Identifiers A Polish passport is an international
travel document issued to nationals of
Poland. It may also serve as proof of Polish
citizenship.
1271
Name Type Description
Poland Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Poland, VAT is administered by the VAT
office for the region in which the business is
established.
Romania Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Romania, it is also called TVA or CIF.
Hungary Passport Number Data Identifiers Hungarian passports are issued to
Hungarian citizens for international travel by
the Central Data Processing, Registration,
and Election Office of the Hungarian
Ministry of the Interior.
Czech Republic Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
the Czech Republic, it is also called DPH.
Slovakia Passport Number Data Identifiers Slovak passports are issued to citizens of
Slovakia to facilitate international travel.
Slovakia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovakia, VAT is administered by the tax
office for the region in which the business is
established.
Slovenia Passport Number Data Identifiers Slovenian passports are issued to citizens
of Slovenia to facilitate international travel.
Slovenia Tax Identification Number Data Identifiers The Slovenia Tax Identification Number is
a unique identifier of individuals and legal
entities for tax purposes. The Financial
Administration of the Republic of Slovenia
issues and administers tax identification
numbers in Slovenia.
Slovenia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovenia, VAT is administered by the tax
office for the region in which the business is
established.
Croatia National Identification Number Data Identifiers The Croatian National Identification number
(Osobni identifikacijski broj or OIB) is the
permanent personal and tax identifier for
Croatian citizens and residents.
1272
Name Type Description
Estonia Personal Identification Number Data Identifiers In Estonia, the personal identification code
is a number based on the sex and birth
date of a person. This code is used as a
unique personal identifier by governmental
and other systems where identification is
required, as well as for digital signatures
using the national identity card and its
associated certificates. It also serves as tax
identification number.
Estonia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
For Estonia, VAT is administered by tax
office for the region in which the business is
established.
Lithuania Personal Identification Data Identifiers In Lithuania, the personal identification
Number code is a number based on the sex
and birth date of a person. This code is
used as a unique personal identifier by
governmental and other systems where
identification is required, as well as for
digital signatures using the national identity
card and its associated certificates.
Lithuania Tax Identification Number Data Identifiers The Lithuanian Taxpayer Identification
Number is used to identify taxpayers and
facilitate the administration of their national
tax affairs.
Estonia Passport Number Data Identifiers The Estonian passport is an international
travel document issued to citizens of
Estonia that also serves as proof of
Estonian citizenship. The Border Guard
Board in Estonia and Estonian foreign
representations abroad are responsible for
issuing Estonian passports.
Lithuania Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Lithuania, VAT is administered by the State
Tax Inspectorate.
Latvia Passport Number Data Identifiers Latvian passports are issued to citizens of
Latvia for identity and international travel
purposes. The territorial section of The
Office of Citizenship and Migration Affairs
issues passports.
Latvia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Latvia, VAT is administered by the State
Revenue Service.
1273
Name Type Description
Bulgaria Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Bulgaria, VAT is administered by the
National Revenue Agency, which is
overseen by the Bulgarian Ministry of
Finance.
Malta National Identification Number Data Identifiers Every resident of Malta is assigned a
national number. For foreigners who are
authorized to reside in Malta, National
numbers for foreign resident end with the
letter A. National numbers for Maltese
citizens end with M, G, L, H or P.
Malta Tax Identification Number Data Identifiers The Malta Tax Identification Number
is assigned by the Inland Revenue
Department as a means of identification for
income tax purposes.
Malta Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Malta, VAT is administered by tax office
for the region in which the business is
established.
Iceland National Identification Number Data Identifiers The Iceland National Identification
Number is a unique national identifier
used by the Icelandic government to
identify individuals and organizations. It
is administered by the Registers Iceland.
Icelandic national identification numbers
are issued to Icelandic citizens at birth
and to foreign nationals resident in Iceland
upon registration. They are also issued to
corporations and institutions.
Serbia Unique Master Citizen Number Data Identifiers The Serbian Unique Master Citizen Number
is a unique identifier for Serbian citizens.
It is assigned to every citizen of Serbia at
birth or upon acquiring citizenship.
Switzerland Passport Number Data Identifiers Swiss passports are issued to citizens of
Switzerland to facilitate international travel.
Iceland Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Iceland, VAT is administered by the VAT
office for the region in which the business is
established.
Iceland Passport Number Data Identifiers Icelandic passports are issued to citizens
of Iceland for the purpose of international
travel and may also serve as a proof of
Iceland citizenship.
1274
Name Type Description
Switzerland Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Switzerland, VAT is administered by the
Federal Statistical Office for the region in
which the business is established.
Serbia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Serbia, VAT is administered by the Tax
Administration department of the Ministry of
Finance.
Liechtenstein Passport Number Data Identifiers Liechtenstein passports are issued to
nationals of Liechtenstein for the purpose
of international travel. The passport may
also serve as proof of Liechtensteiner
citizenship.
Norway National Identification Number Data Identifiers The Norway National identification number
is assigned by the Norwegian state to all
citizens of the country. It is administered by
the Tax Administration.
Norway Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Norway, VAT Is administered by the VAT
office for the region in which the business is
established.
Romania Driver's Licence Number Data Identifiers A driving license in Romania is a document
confirming the rights of the holder to drive
motor vehicles.
Czech Republic Driver's Licence Data Identifiers The Czech Republic Ministry of Transport
Number grants driver's licenses in the Czech
Republic, confirming the rights of the holder
to drive motor vehicles.
Slovakia Driver's Licence Number Data Identifiers A Slovak drivers license is a document
confirming the rights of the holder to drive
motor vehicles. Slovak driver's licenses are
granted by the Ministry of Interior.
Poland Driver's Licence Number Data Identifiers Poland issues driving licenses confirming
the rights of the holder to drive motor
vehicles.
Hungary Driver's Licence Number Data Identifiers A driving license in Hungary is a document
issued by the Ministry of Economics and
Transport, confirming the rights of the
holder to drive motor vehicles.
Latvia Driver Licence Number Data Identifiers A driver's license in Latvia is a document
issued by the Road Traffic Safety
Directorate, confirming the rights of the
holder to drive motor vehicles.
1275
Name Type Description
Norway Driver Licence Number Data Identifiers A driver's license is required in Norway
before a person is permitted to drive a
motor vehicle of any description on a road
in Norway.
Cyprus Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
For Cyprus, VAT is administered by the tax
office for the region in which the business is
established.
Cyprus Tax Identification Number Data Identifiers The Cyprus Tax Identification Number is a
unique identifier for Cypriot taxpayers.
Estonia Driver's Licence Number Data Identifiers The Estonian Road Administration issues
driving licenses in Estonia, confirming the
rights of the holder to drive motor vehicles.
SEPA Creditor Identifier Number North Data Identifiers The Single Euro Payment Area (SEPA) is a
payments system created by the European
Union that harmonizes the way cashless
payments transact between Euro countries.
SEPA North is for the United Kingdom,
Sweden, Denmark, Finland, Ireland.
European consumers, businesses, and
government agents who make payments
by direct debit, credit card or through credit
transfers use the SEPA architecture. The
Single Euro Payment Area is approved and
regulated by European Commission.
SEPA Creditor Identifier Number South Data Identifiers The Single Euro Payment Area (SEPA)
is a payments system created by the
European Union that harmonizes the way
cashless payments transact between
Euro countries. SEPA South is for Italy,
Spain, and Portugal. European consumers,
businesses, and government agents who
make payments by direct debit, credit
card or through credit transfers use the
SEPA architecture. The Single Euro
Payment Area is approved and regulated
by European Commission.
SEPA Creditor Identifier Number West Data Identifiers The Single Euro Payment Area (SEPA)
is a payments system created by the
European Union that harmonizes the way
cashless payments transact between Euro
countries. SEPA West is for Germany,
France, Netherlands, Belgium, Austria,
and Luxembourg. European consumers,
businesses, and government agents who
make payments by direct debit, credit
card, or through credit transfers use
the SEPA architecture. The Single Euro
Payment Area is approved and regulated
by European Commission.
1276
General Data Protection Regulation (Digital Identity)
This template focuses on General Data Protection Regulation (GDPR) digital-identity-related keywords, Data Identifiers, and an EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for
individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR
are to give citizens back the control of their personal data and to simplify the regulatory environment for international
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directives as of 25 May
2018.
Table 696: General Data Protection Regulations (Digital Identity) detection rule
| Name | Type | Description |
| --- | --- | --- |
| International Mobile Equipment Identity Number | Data Identifiers | The International Mobile Station Equipment Identity (IMEI) is a unique identifier for 3GPP (GSM, UMTS, and LTE) and iDEN mobile phones and some satellite phones. |
Table 697: General Data Protection Regulations (Government Identification) detection rules
| Name | Type | Description |
| --- | --- | --- |
| Spanish Tax ID (CIF) | Data Identifiers | The Spanish corporate tax identification number (CIF) is equivalent to the VAT number and is required for running a business in Spain. This identifier is a company's identification for tax purposes and is required for any legal transactions. |
| German Passport Number | Data Identifiers | The German passport number is issued to German nationals for the purpose of international travel. A German passport is an officially recognized document that German authorities accept as proof of identity from German citizens. |
| Bulgarian Uniform Civil Number | Data Identifiers | The uniform civil number (EGN) is a unique number assigned to each Bulgarian citizen or resident foreign national. It serves as a national identification number. An EGN is assigned to Bulgarians at birth, or when a birth certificate is issued. |
| Austrian Social Security Number | Data Identifiers | A social security number is allocated to Austrian citizens who receive available social security benefits. It is allocated by the umbrella association of the Austrian social security authorities. |
| Spanish Passport Number | Data Identifiers | Spanish passports are issued to Spanish citizens for the purpose of travel outside Spain. |
| Swedish Passport Number | Data Identifiers | Swedish passports are issued to nationals of Sweden for the purpose of international travel. Besides serving as proof of Swedish citizenship, they facilitate the process of securing assistance from Swedish consular officials abroad or, where no Swedish consular official is present, from those of other European Union member states. |
| German Personal ID Number | Data Identifiers | The German Personal ID Number is issued to all German citizens. |
| Burgerservicenummer | Data Identifiers | In the Netherlands, the Burgerservicenummer is used to uniquely identify citizens and is printed on driving licenses, passports and international ID cards under the header Personal Number. |
| Codice Fiscale | Data Identifiers | The Codice Fiscale uniquely identifies an Italian citizen or permanent resident alien, and issuance of the code is centralized to the Ministry of the Treasury. The Codice Fiscale is issued to every Italian at birth. |
| Finnish Personal Identification Number | Data Identifiers | The Finnish Personal Identification Number or Personal Identity Code is a unique personal identifier used for identifying citizens in government and many other transactions. |
| Swedish Personal Identification Number | Data Identifiers | The Swedish Personal Identification Number is the unique national identification number for every Swedish citizen. The number is used by authorities, health care, schools, universities, banks, and insurance companies for customer identification. |
| Austria Passport Number | Data Identifiers | Austrian passports are travel documents issued to Austrian citizens by the Austrian Passport Office of the Department of Foreign Affairs and Trade, both in Austria and overseas, and enable the passport holder to travel internationally. |
| Austria Tax Identification Number | Data Identifiers | Austria issues tax identification numbers to individuals based on their area of residence to identify taxpayers and facilitate national taxes. |
| Belgium Passport Number | Data Identifiers | Belgian passports are passports issued by the Belgian state to its citizens to facilitate international travel. The Federal Public Service Foreign Affairs, formerly known as the Ministry of Foreign Affairs, is responsible for issuing and renewing Belgian passports. |
| Belgium Tax Identification Number | Data Identifiers | Belgium issues a tax identification number for persons who have obligations to declare taxes in Belgium. |
| Belgium Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Belgium, the Value Added Tax number is issued by the VAT office for the region in which the business is established. |
| Belgium Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Belgium. |
| Denmark Personal Identification Number | Data Identifiers | In Denmark, every citizen has a national identification number. The number serves as proof of identification for almost all purposes. |
| Netherlands Bank Account Number | Data Identifiers | The Netherlands bank account number is the standard bank account number used across the Netherlands. |
| Netherlands Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the RDW government agency of the Netherlands. |
| Netherlands Passport Number | Data Identifiers | Dutch passports are issued to Netherlands citizens for the purpose of international travel. |
| Netherlands Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For the Netherlands, the Value Added Tax number is issued by the VAT office for the region in which the business is established. |
| France Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of France. |
| France Health Insurance Number | Data Identifiers | A Carte Vitale is a social insurance card used in France that contains medical information for the card holder. It has a unique 21-digit serial number. |
| France Tax Identification Number | Data Identifiers | France issues a tax identification number for anyone who has obligations to declare taxes in France. |
| Germany Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Germany. |
| Italy Passport Number | Data Identifiers | Italian passports are issued to Italian citizens for the purpose of international travel. |
| Italy Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Italy, the Value Added Tax number is issued by the VAT office for the region in which the business is established. |
| Italy Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Italy. |
| Netherlands Tax Identification Number | Data Identifiers | The Netherlands issues a tax identification number at birth or at registration with the municipality. |
| Spain Driver's License Number | Data Identifiers | Identification number for an individual's driver's licence issued by the Driver and Vehicle Licensing Agency of Spain. |
| Germany Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Germany, the Value Added Tax number is issued by the VAT office for the region in which the business is established. |
| France Value Added Tax (VAT) Number | Data Identifiers | The Value Added Tax (VAT) is a tax levied on goods and services provided in France and is collected from the final customer. Companies must register with the Register of Commerce and Companies in France to be allocated a VAT number. |
| Ireland Passport Number | Data Identifiers | An Irish passport is the passport issued to citizens of Ireland. An Irish passport enables the bearer to travel internationally and serves as evidence of Irish citizenship and citizenship of the European Union. It also facilitates access to consular assistance from both Irish embassies and any embassy of another European Union member state while abroad. |
| Luxembourg Passport Number | Data Identifiers | A Luxembourg passport is an international travel document issued to nationals of the Grand Duchy of Luxembourg, and may also serve as proof of Luxembourgish citizenship. |
| Portugal Passport Number | Data Identifiers | Portuguese passports are issued to citizens of Portugal for the purpose of international travel. The passport, along with the national identity card, allows for free rights of movement and residence in any of the states of the European Union and European Economic Area. |
| Finland Passport Number | Data Identifiers | Finnish passports are issued to nationals of Finland for the purpose of international travel. They also facilitate the process of securing assistance from Finnish consular officials abroad. |
| Finland Driver's Licence Number | Data Identifiers | Identification number for an individual's driver's license issued in an EU or EEA Member State for a Finnish license. |
| Austria Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Austria, the VAT number is issued by the tax office for the region in which the business is established. |
| Sweden Tax Identification Number | Data Identifiers | Sweden uses tax identification numbers (TINs) to identify taxpayers and facilitate the administration of their national tax affairs. TINs are also useful for identifying taxpayers who invest in other EU countries and are more reliable than other identifiers such as name and address. |
| Sweden Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. |
| Denmark Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Denmark, the VAT number is issued by the tax office for the region in which the business is established. |
| Finland Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. |
| Ireland Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Ireland, the VAT number is issued by the Irish tax authority. |
| Ireland Tax Identification Number | Data Identifiers | This number is issued by the Department of Social Protection for natural persons and by the Revenue Commissioners for non-natural persons. Non-natural persons can be companies, partnerships, trusts, and unincorporated bodies. |
| Portugal Tax Identification Number | Data Identifiers | A fiscal number is a tax identification number that is issued in Portugal to anyone who wishes to undertake any official matters in Portugal. |
| Portugal Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. |
| Luxembourg Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. |
| Portugal National Identification Number | Data Identifiers | The national identification number is a unique identification number usually present on documents like citizen cards, which are issued by the Portuguese government to its citizens. It can be used as a travel document within the EU and some other European countries. |
| Portugal Driver's Licence Number | Data Identifiers | The Institute for Mobility and Land Transport (IMTT) issues driver's licenses in Portugal. |
| Denmark Tax Identification Number | Data Identifiers | Denmark issues a tax identification number for persons who have obligations to declare taxes in Denmark. The tax identification number also serves as a personal health insurance number. |
| Finland Tax Identification Number | Data Identifiers | Finland issues a tax identification number for persons who have obligations to declare taxes in Finland. |
| Luxembourg Tax Identification Number | Data Identifiers | This number is issued by the Luxembourg inland revenue department (Administration des contributions directes, ACD) and is used for tax-related purposes of natural and non-natural persons. |
| Germany Tax Identification Number | Data Identifiers | Germany issues a tax identification number for persons who have obligations to declare taxes in Germany. |
| UK Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For the United Kingdom, the VAT number is issued by the VAT office for the region in which the business is established. |
| Spain Value Added Tax (VAT) Number | Data Identifiers | VAT is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. VAT in Spain is overseen by the State Tax Administration Agency. |
| UK Bank Account Number Sort Code | Data Identifiers | Sort codes are bank codes used to route money transfers between banks within their respective countries via their respective clearance organizations. |
| Greece Social Security Number (AMKA) | Data Identifiers | The AMKA (social security number) is the work and insurance identification number of every worker, retired person and protected family member in Greece. |
| Romania National Identification Number | Data Identifiers | In Romania each citizen has a personal numerical code (Cod Numeric Personal, CNP) as a unique national identification number. This number is also used as a tax identification number for financial purposes. |
| Slovakia National Identification Number | Data Identifiers | In Slovakia, identification cards are issued by the state authorities at 15 years of age for every citizen. This number is used in the Slovak Republic as the primary unique identifier for every person by government institutions, banks and so on. |
| Slovenia Unique Master Citizen Number | Data Identifiers | The unique master citizen number is a unique identification number assigned to every citizen of Slovenia at birth or on acquiring citizenship. |
| Latvia Personal Identification Number | Data Identifiers | The Latvian personal identification number is used for national identity and as a tax identification number for financial purposes. It is issued by the Office of Citizenship and Migration Affairs of the Ministry of the Interior. |
| Finland European Health Insurance Number | Data Identifiers | The unique 20-digit numeric identifier that is assigned to every person who uses health services in Finland. |
| Sweden Driver's Licence Number | Data Identifiers | In Sweden, a driving license is required when operating a car, motorcycle or moped on public roads. Driving licenses are issued by the prefectural governments' public safety commissions and are overseen on a nationwide basis by the National Police Agency. |
| Greece Passport Number | Data Identifiers | Greek passports are issued to Greek citizens for the purpose of international travel. The passport, along with the national identity card, allows for free rights of movement and residence in any of the states of the European Union and European Economic Area. |
| Greece Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Greece, VAT is administered by the VAT office for the region in which the business is established. |
| Poland Passport Number | Data Identifiers | A Polish passport is an international travel document issued to nationals of Poland. It may also serve as proof of Polish citizenship. |
| Poland Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. For Poland, VAT is administered by the VAT office for the region in which the business is established. |
| Romania Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In Romania, it is also called TVA or CIF. |
| Hungary Passport Number | Data Identifiers | Hungarian passports are issued to Hungarian citizens for international travel by the Central Data Processing, Registration, and Election Office of the Hungarian Ministry of the Interior. |
| Czech Republic Value Added Tax (VAT) Number | Data Identifiers | Value Added Tax (VAT) is a consumption tax that is borne by the end consumer. VAT is paid for each transaction in the manufacturing and distribution process. In the Czech Republic, it is also called DPH. |
Slovakia Passport Number Data Identifiers Slovak passports are issued to citizens of
Slovakia to facilitate international travel.
1287
Name Type Description
Slovakia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovakia, VAT is administered by the tax
office for the region in which the business is
established.
Slovenia Passport Number Data Identifiers Slovenian passports are issued to citizens
of Slovenia to facilitate international travel.
Slovenia Tax Identification Number Data Identifiers The Slovenia Tax Identification Number is
a unique identifier of individuals and legal
entities for tax purposes. The Financial
Administration of the Republic of Slovenia
issues and administers tax identification
numbers in Slovenia.
Slovenia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Slovenia, VAT is administered by the tax
office for the region in which the business is
established.
Croatia National Identification Number Data Identifiers The Croatian National Identification number
(Osobni identifikacijski broj or OIB) is the
permanent personal and tax identifier for
Croatian citizens and residents.
Estonia Personal Identification Number Data Identifiers In Estonia, the personal identification code
is a number based on the sex and birth
date of a person. This code is used as a
unique personal identifier by governmental
and other systems where identification is
required, as well as for digital signatures
using the national identity card and its
associated certificates. It also serves as tax
identification number.
Estonia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
For Estonia, VAT is administered by tax
office for the region in which the business is
established.
Lithuania Personal Identification Data Identifiers In Lithuania, the personal identification
Number code is a number based on the sex
and birth date of a person. This code is
used as a unique personal identifier by
governmental and other systems where
identification is required, as well as for
digital signatures using the national identity
card and its associated certificates.
1288
Name Type Description
Lithuania Tax Identification Number Data Identifiers The Lithuanian Taxpayer Identification
Number is used to identify taxpayers and
facilitate the administration of their national
tax affairs.
Estonia Passport Number Data Identifiers The Estonian passport is an international
travel document issued to citizens of
Estonia that also serves as proof of
Estonian citizenship. The Border Guard
Board in Estonia and Estonian foreign
representations abroad are responsible for
issuing Estonian passports.
Lithuania Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Lithuania, VAT is administered by the State
Tax Inspectorate.
Latvia Passport Number Data Identifiers Latvian passports are issued to citizens of
Latvia for identity and international travel
purposes. The territorial section of The
Office of Citizenship and Migration Affairs
issues passports.
Latvia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. In
Latvia, VAT is administered by the State
Revenue Service.
Bulgaria Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Bulgaria, VAT is administered by the
National Revenue Agency, which is
overseen by the Bulgarian Ministry of
Finance.
Malta National Identification Number Data Identifiers Every resident of Malta is assigned a
national number. For foreigners who are
authorized to reside in Malta, National
numbers for foreign resident end with the
letter A. National numbers for Maltese
citizens end with M, G, L, H or P.
Malta Tax Identification Number Data Identifiers The Malta Tax Identification Number
is assigned by the Inland Revenue
Department as a means of identification for
income tax purposes.
Malta Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Malta, VAT is administered by tax office
for the region in which the business is
established.
1289
Name Type Description
Iceland National Identification Number Data Identifiers The Iceland National Identification
Number is a unique national identifier
used by the Icelandic government to
identify individuals and organizations. It
is administered by the Registers Iceland.
Icelandic national identification numbers
are issued to Icelandic citizens at birth
and to foreign nationals resident in Iceland
upon registration. They are also issued to
corporations and institutions.
Serbia Unique Master Citizen Number Data Identifiers The Serbian Unique Master Citizen Number
is a unique identifier for Serbian citizens.
It is assigned to every citizen of Serbia at
birth or upon acquiring citizenship.
Switzerland Passport Number Data Identifiers Swiss passports are issued to citizens of
Switzerland to facilitate international travel.
Iceland Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Iceland, VAT is administered by the VAT
office for the region in which the business is
established.
Iceland Passport Number Data Identifiers Icelandic passports are issued to citizens
of Iceland for the purpose of international
travel and may also serve as a proof of
Iceland citizenship.
Switzerland Value Added Tax (VAT) Data Identifiers Value Added Tax (VAT) is a consumption
Number tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Switzerland, VAT is administered by the
Federal Statistical Office for the region in
which the business is established.
Serbia Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
In Serbia, VAT is administered by the Tax
Administration department of the Ministry of
Finance.
Liechtenstein Passport Number Data Identifiers Liechtenstein passports are issued to
nationals of Liechtenstein for the purpose
of international travel. The passport may
also serve as proof of Liechtensteiner
citizenship.
Norway National Identification Number Data Identifiers The Norway National identification number
is assigned by the Norwegian state to all
citizens of the country. It is administered by
the Tax Administration.
1290
Name Type Description
Norway Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process. For
Norway, VAT Is administered by the VAT
office for the region in which the business is
established.
Romania Driver's Licence Number Data Identifiers A driving license in Romania is a document
confirming the rights of the holder to drive
motor vehicles.
Czech Republic Driver's Licence Data Identifiers The Czech Republic Ministry of Transport
Number grants driver's licenses in the Czech
Republic, confirming the rights of the holder
to drive motor vehicles.
Slovakia Driver's Licence Number Data Identifiers A Slovak drivers license is a document
confirming the rights of the holder to drive
motor vehicles. Slovak driver's licenses are
granted by the Ministry of Interior.
Poland Driver's Licence Number Data Identifiers Poland issues driving licenses confirming
the rights of the holder to drive motor
vehicles.
Hungary Driver's Licence Number Data Identifiers A driving license in Hungary is a document
issued by the Ministry of Economics and
Transport, confirming the rights of the
holder to drive motor vehicles.
Latvia Driver's Licence Number Data Identifiers A driver's license in Latvia is a document
issued by the Road Traffic Safety
Directorate, confirming the rights of the
holder to drive motor vehicles.
Norway Driver's Licence Number Data Identifiers A driver's license is required in Norway
before a person is permitted to drive a
motor vehicle of any description on a road
in Norway.
Cyprus Value Added Tax (VAT) Number Data Identifiers Value Added Tax (VAT) is a consumption
tax that is borne by the end consumer.
VAT is paid for each transaction in the
manufacturing and distribution process.
For Cyprus, VAT is administered by the tax
office for the region in which the business is
established.
Cyprus Tax Identification Number Data Identifiers The Cyprus Tax Identification Number is a
unique identifier for Cypriot taxpayers.
Switzerland Health Insurance Card Data Identifiers Swiss insurance providers issue health
Number insurance cards to their customers. Swiss
health insurance cards can also be used to
access European health services.
Estonia Driver's Licence Number Data Identifiers The Estonian Road Administration issues
driving licenses in Estonia, confirming the
rights of the holder to drive motor vehicles.
1291
Name Type Description
SEPA Creditor Identifier Number North Data Identifiers The Single Euro Payment Area (SEPA) is a
payments system created by the European
Union that harmonizes the way cashless
payments transact between Euro countries.
SEPA North is for the United Kingdom,
Sweden, Denmark, Finland, Ireland.
European consumers, businesses, and
government agents who make payments
by direct debit, credit card or through credit
transfers use the SEPA architecture. The
Single Euro Payment Area is approved and
regulated by European Commission.
SEPA Creditor Identifier Number South Data Identifiers The Single Euro Payment Area (SEPA)
is a payments system created by the
European Union that harmonizes the way
cashless payments transact between
Euro countries. SEPA South is for Italy,
Spain, and Portugal. European consumers,
businesses, and government agents who
make payments by direct debit, credit
card or through credit transfers use the
SEPA architecture. The Single Euro
Payment Area is approved and regulated
by European Commission.
SEPA Creditor Identifier Number West Data Identifiers The Single Euro Payment Area (SEPA)
is a payments system created by the
European Union that harmonizes the way
cashless payments transact between Euro
countries. SEPA West is for Germany,
France, Netherlands, Belgium, Austria,
and Luxembourg. European consumers,
businesses, and government agents who
make payments by direct debit, credit
card, or through credit transfers use
the SEPA architecture. The Single Euro
Payment Area is approved and regulated
by European Commission.
European Health Insurance Number Data Identifiers The European Health Insurance Card
(EHIC) allows anyone insured by or
covered by a statutory social security
scheme of the European Economic Area
countries and Switzerland to receive
medical treatment in another member state
free or at a reduced cost.
1292
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directive (95/46/EC) as of 25 May 2018.
Table 698: General Data Protection Regulations (Healthcare and Insurance) detection rules
Name | Type | Description
GDPR Healthcare and Insurance Related Keywords | Keyword Match | Matches a list of related keywords: account number, bank card number, ID card number, medical record number, Kontonummer, Bankkartennummer, ID-Kartennummer, medizinische Datensatznummer, Numéro compte, banque carte nombre, numéro de carte d'identité, numéro d'enregistrement médical, numero conto, numero carta banca, numero carta d'identità, numero cartella clinica, número cuenta, Número cuenta bancaria, Numero de la tarjeta identificacion, número registro médico, rekeningnummer, bank kaartnummer, identiteitskaartnummer, medisch dossier nummer, bankkortnummer, identitetskortnummer, ID-kortnummer, tilinumero, pankkikortin numero, Henkilökortin numero, lääketieteellisen ennätysnumero, uimhir chuntais, uimhir chárta bainc, Uimhir chárta aitheantais, uimhir taifead leighis, Kontosnummer, Identifikatiounskaart, medizinescher Dateschutznummer, número de conta, número cartão bancário, Número do cartão de identificação
UK Driver's Licence Number | Data Identifiers | The UK Driver's Licence Number is the identification number of an individual's driving licence issued by the Driver and Vehicle Licensing Agency of the United Kingdom.
UK National Health Service (NHS) Number | Data Identifiers | The UK National Health Service (NHS) Number is the personal identification number issued by the UK National Health Service (NHS) for the administration of medical care.
Romanian Numerical Personal Code | Data Identifiers | In Romania, each citizen has a unique numerical personal code (Cod Numeric Personal, or CNP). The number is used by authorities, health care, schools, universities, banks and insurance companies for customer identification.
Spanish DNI ID | Data Identifiers | The Spanish DNI ID appears on the Documento Nacional de Identidad (DNI), which is issued by the Spanish National Police (Dirección General de la Policía) to every citizen of Spain. It is the most important unique identifier in Spain, used for opening accounts, signing contracts, taxes and elections.
Spanish Social Security Number | Data Identifiers | The Spanish Social Security Number is a 12-digit number assigned to Spanish workers to allow access to the Spanish healthcare system.
Bulgarian Uniform Civil Number | Data Identifiers | The uniform civil number (EGN) is a unique number assigned to each Bulgarian citizen or resident foreign national. It serves as a national identification number. An EGN is assigned to Bulgarians at birth, when the birth certificate is issued.
Austrian Social Security Number | Data Identifiers | A social security number is allocated to persons insured under the Austrian social security system. It is allocated by the umbrella association of the Austrian social security authorities.
German Personal ID Number | Data Identifiers | The German Personal ID Number is issued to all German citizens.
Burgerservicenummer | Data Identifiers | In the Netherlands, the Burgerservicenummer is used to uniquely identify citizens and is printed on driving licences, passports and identity cards under the heading Personal Number.
Codice Fiscale | Data Identifiers | The Codice Fiscale uniquely identifies an Italian citizen or permanent resident alien; issuance of the code is centralized under the Italian Revenue Agency (Agenzia delle Entrate) of the Ministry of Economy and Finance. The Codice Fiscale is issued to every Italian at birth.
Finnish Personal Identification Number | Data Identifiers | The Finnish Personal Identification Number, or Personal Identity Code, is a unique personal identifier used for identifying citizens in government and many other transactions.
Swedish Personal Identification Number | Data Identifiers | The Swedish Personal Identification Number is the unique national identification number for every Swedish citizen. The number is used by authorities, health care, schools, universities, banks and insurance companies for customer identification.
Belgium Driver's License Number | Data Identifiers | Identification number of an individual's driving licence issued by the national licensing authority of Belgium.
Denmark Personal Identification Number | Data Identifiers | In Denmark, every citizen has a national identification number. The number serves as proof of identification for almost all purposes.
Netherlands Driver's License Number | Data Identifiers | Identification number of an individual's driving licence issued by the RDW, the Dutch vehicle authority.
France Driver's License Number | Data Identifiers | Identification number of an individual's driving licence issued by the national licensing authority of France.
France Health Insurance Number | Data Identifiers | A Carte Vitale is the social insurance card used in France; it contains medical information for the card holder and has a unique 21-digit serial number.
Germany Driver's License Number | Data Identifiers | Identification number of an individual's driving licence issued by the national licensing authority of Germany.
Italy Health Insurance Number | Data Identifiers | The Italian Health Insurance Card is issued to every Italian citizen by the Italian Ministry of Economy and Finance in cooperation with the Italian Revenue Agency. The objective of the card is to improve social security services through expenditure control and performance monitoring, and to optimize the use of health services by citizens.
Italy Driver's License Number | Data Identifiers | Identification number of an individual's driving licence issued by the national licensing authority of Italy.
Spain Driver's License Number | Data Identifiers | Identification number of an individual's driving licence issued by the national licensing authority of Spain.
Finland Driver's Licence Number | Data Identifiers | Identification number of an individual's Finnish driving licence, which is recognized in every EU or EEA Member State.
Portugal National Identification Number | Data Identifiers | The national identification number is a unique identification number usually present on documents such as the citizen card, which is issued by the Portuguese government to its citizens. It can be used as a travel document within the EU and some other European countries.
Portugal Driver's Licence Number | Data Identifiers | The Institute for Mobility and Land Transport (IMTT) issues driving licences in Portugal.
Greece Social Security Number (AMKA) | Data Identifiers | The AMKA (social security number) is the work and insurance identification number of every worker, retired person and protected family member in Greece.
Romania National Identification Number | Data Identifiers | In Romania each citizen has a personal numerical code (Cod Numeric Personal, CNP) as a unique national identification number. This number is also used as a tax identification number for financial purposes.
Slovakia National Identification Number | Data Identifiers | In Slovakia, identity cards are issued by the state authorities to every citizen at 15 years of age. The number is used throughout the Slovak Republic as the primary unique identifier for every person by government institutions, banks and so on.
Slovenia Unique Master Citizen Number | Data Identifiers | The unique master citizen number is a unique identification number assigned to every citizen of Slovenia at birth or on acquiring citizenship.
Latvia Personal Identification Number | Data Identifiers | The Latvian personal identification number is used for national identity and as a tax identification number for financial purposes. It is issued by the Office of Citizenship and Migration Affairs of the Ministry of the Interior.
Finland European Health Insurance Number | Data Identifiers | The unique 20-digit numeric identifier that is assigned to every person who uses health services in Finland.
Sweden Driver's Licence Number | Data Identifiers | In Sweden, a driving licence is required to operate a car, motorcycle or moped on public roads. Driving licences are issued by the Swedish Transport Agency (Transportstyrelsen).
Croatia National Identification Number | Data Identifiers | The Croatian National Identification Number (Osobni identifikacijski broj, OIB) is the permanent personal and tax identifier for Croatian citizens and residents.
Estonia Personal Identification Number | Data Identifiers | In Estonia, the personal identification code is a number derived from the sex and birth date of a person. This code is used as a unique personal identifier by governmental and other systems where identification is required, as well as for digital signatures using the national identity card and its associated certificates. It also serves as the tax identification number.
Lithuania Personal Identification Number | Data Identifiers | In Lithuania, the personal identification code is a number derived from the sex and birth date of a person. This code is used as a unique personal identifier by governmental and other systems where identification is required, as well as for digital signatures using the national identity card and its associated certificates.
Malta National Identification Number | Data Identifiers | Every resident of Malta is assigned a national number. National numbers for foreign residents authorized to reside in Malta end with the letter A; national numbers for Maltese citizens end with M, G, L, H or P.
Iceland National Identification Number | Data Identifiers | The Iceland National Identification Number is a unique national identifier used by the Icelandic government to identify individuals and organizations. It is administered by Registers Iceland. Icelandic national identification numbers are issued to Icelandic citizens at birth and to foreign nationals resident in Iceland upon registration. They are also issued to corporations and institutions.
Serbia Unique Master Citizen Number | Data Identifiers | The Serbian Unique Master Citizen Number is a unique identifier for Serbian citizens. It is assigned to every citizen of Serbia at birth or upon acquiring citizenship.
Norway National Identification Number | Data Identifiers | The Norway National Identification Number is assigned by the Norwegian state to all citizens of the country. It is administered by the Tax Administration.
Romania Driver's Licence Number | Data Identifiers | A driving licence in Romania is a document confirming the right of the holder to drive motor vehicles.
Czech Republic Driver's Licence Number | Data Identifiers | The Czech Republic Ministry of Transport grants driving licences in the Czech Republic, confirming the right of the holder to drive motor vehicles.
Slovakia Driver's Licence Number | Data Identifiers | A Slovak driving licence is a document confirming the right of the holder to drive motor vehicles. Slovak driving licences are granted by the Ministry of the Interior.
Poland Driver's Licence Number | Data Identifiers | Poland issues driving licences confirming the right of the holder to drive motor vehicles.
Hungary Driver's Licence Number | Data Identifiers | A driving licence in Hungary is a document issued by the Ministry of Economics and Transport, confirming the right of the holder to drive motor vehicles.
Latvia Driver's Licence Number | Data Identifiers | A driving licence in Latvia is a document issued by the Road Traffic Safety Directorate, confirming the right of the holder to drive motor vehicles.
Norway Driver's Licence Number | Data Identifiers | A driving licence is required in Norway before a person is permitted to drive a motor vehicle of any description on a road in Norway.
Switzerland Health Insurance Card Number | Data Identifiers | Swiss insurance providers issue health insurance cards to their customers. Swiss health insurance cards can also be used to access European health services.
Estonia Driver's Licence Number | Data Identifiers | The Estonian Road Administration issues driving licences in Estonia, confirming the right of the holder to drive motor vehicles.
European Health Insurance Number | Data Identifiers | The European Health Insurance Card (EHIC) allows anyone insured by or covered by a statutory social security scheme of the European Economic Area countries and Switzerland to receive medical treatment in another member state free or at a reduced cost.
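The Estonian and Lithuanian personal identification codes listed above are described as numbers derived from a person's sex and birth date; they also end in a check digit. That structure is what lets a data identifier do more than match any 11-digit string: the candidate can be decoded and validated, which is the difference between flagging a patient record and flagging an invoice number. The Python below is an added example written for this page; it is not Symantec code and does not show how the product's data identifier is implemented. The century/sex prefix, date layout and check-digit weights are the published Estonian isikukood scheme; the assumption that the Lithuanian code shares the identical check-digit scheme is the author's, and the sample text is constructed.

```python
"""Validate Estonian personal identification codes (isikukood) the way a
DLP data identifier works: a pattern finds candidates, then a validator
rejects those whose structure or check digit does not hold.

Layout (11 digits): G YY MM DD SSS C
  G   = century and sex: 1/2 -> 1800s, 3/4 -> 1900s, 5/6 -> 2000s,
        7/8 -> 2100s; odd = male, even = female
  SSS = serial number within the birth date
  C   = check digit: weights 1..9,1 mod 11; if the remainder is 10,
        recompute with weights 3..9,1,2,3; if still 10, C is 0
Assumption (not from the page): the Lithuanian personal code uses the
same layout and the same check-digit scheme, so this validator applies.
"""
import re
from datetime import date

# Pattern stage: exactly 11 ASCII digits not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<![0-9])[0-9]{11}(?![0-9])")

WEIGHTS_1 = (1, 2, 3, 4, 5, 6, 7, 8, 9, 1)
WEIGHTS_2 = (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)
CENTURY = {1: 1800, 2: 1800, 3: 1900, 4: 1900, 5: 2000, 6: 2000, 7: 2100, 8: 2100}


def check_digit(first_ten: str) -> int:
    """Compute the check digit for the first ten digits of a code."""
    digits = [int(c) for c in first_ten]
    rem = sum(d * w for d, w in zip(digits, WEIGHTS_1)) % 11
    if rem < 10:
        return rem
    rem = sum(d * w for d, w in zip(digits, WEIGHTS_2)) % 11
    return 0 if rem == 10 else rem


def parse_personal_code(code: str):
    """Return {'sex', 'birth_date', 'serial'} for a valid code, else None."""
    if not re.fullmatch(r"[0-9]{11}", code):
        return None
    g = int(code[0])
    if g not in CENTURY:
        return None
    if check_digit(code[:10]) != int(code[10]):
        return None
    year = CENTURY[g] + int(code[1:3])
    try:
        born = date(year, int(code[3:5]), int(code[5:7]))
    except ValueError:  # e.g. month 13: passes the checksum, not the layout
        return None
    return {"sex": "male" if g % 2 else "female", "birth_date": born, "serial": code[7:10]}


def find_personal_codes(text: str):
    """Pattern match first, then validate; return (accepted, rejected) in text order."""
    accepted, rejected = [], []
    for m in CANDIDATE_RE.finditer(text):
        cand = m.group()
        (accepted if parse_personal_code(cand) else rejected).append(cand)
    return accepted, rejected


# Constructed sample text (not from the original page): two genuine-format
# codes, an invoice number that is one digit off, a code that passes the
# checksum but encodes month 13, and a phone-like number.
SAMPLE = (
    "Patsient: Mari Maasikas, isikukood 49403136515, arve nr 49403136516. "
    "Kontakt: 37605030299. Pakendi kood 37613030293, telefon 55512345678."
)

if __name__ == "__main__":
    ok, bad = find_personal_codes(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```

The pattern stage alone would report all five 11-digit runs in the sample; the validator keeps only the two whose check digit and encoded birth date both hold. This is the reason DLP data identifiers pair a regex with a validator, and why a keyword rule such as the GDPR lists in this template is usually combined with one rather than used on its own.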
Table 699: General Data Protection Regulations (Personal Profile) detection rule
Name | Type | Description
GDPR Personal Profile Keywords | Keyword Match | Matches a list of related keywords: academic details, work history, professional qualification, summary of qualifications, bio data, bio-data, CV, curriculum vitae, Akademische Details, Arbeitsgeschichte, Berufsqualifikation, Zusammenfassung der Qualifikationen, Bio-Daten, Lebenslauf, Bio Daten, Les données académiques, la qualification professionnelle, le résumé des qualifications, Bio données, le curriculum vitae, dettagli accademici, storia del lavoro, qualificazione professionale, sintesi delle qualifiche, i dati bio, bio-dati, Datos académicos, historial de trabajo, calificación profesional, resumen de calificaciones, datos bio, bio-datos, academische informatie, werk geschiedenis, beroepskwalificatie, samenvatting van kwalificaties, bio gegevens, bio-gegevens, leerplan vitae, akademiska detaljer, Jobbhistorik, professionell kvalifikation, sammanfattning av kvalifikationer, meritförteckning, akademiske detaljer, arbejdshistorie, professionel kvalifikation, Resumé af kvalifikationer, Genoptag, akateemiset yksityiskohdat, työhistoria, ammattipätevyys, yhteenveto tutkinnoist, sonraí acadúla, stair oibre, cáilíocht ghairmiúil, achoimre ar cháilíochtaí, akademesch Detailer, Aarbechtsgeschicht, berufflech Qualifikatioun, Zesummefaassung vu Qualifikatiounen, Liewenslaf, detalhes acadêmicos, histórico de trabalho, qualificação profissional, sumário de qualificações, Currículo
General Data Protection Regulation (Travel)
This template focuses on General Data Protection Regulation (GDPR) travel related keywords, Data Identifiers and an
EDM profile with related columns.
The GDPR is a regulation by which the European Commission intends to strengthen and unify data protection for
individuals within the EU. It also addresses export of personal data outside the EU. The primary objectives of the GDPR
are to give citizens back the control of their personal data and to simplify the regulatory environment for international
business by unifying the regulation within the EU. The GDPR replaces the EU Data Protection Directive (95/46/EC) as of 25 May 2018.
Table 700: General Data Protection Regulations (Travel) detection rules
Name | Type | Description
GDPR Travel Related Keywords | Keyword Match | Matches a list of related keywords: account number, bank card number, driver license number, ID card number, passenger name, seat number, luggage details, journey details, purchase details, purchase invoice, travel ticket, travel invoice, passenger details, tourist details, Kontonummer, Bankkartennummer, Führerscheinnummer, Ausweisnummer, Passagiername, Sitzplatznummer, Einkaufsdetails, Kaufrechnungen, Passagierdetails, Touristendetails, Gepäckdetails, Fahrtdetails, ReiseFahrkarte, ReiseRechnung, numéro compte, numéro carte bancaire, numéro de permis de conduire, numéro de carte d'identité, passager nom, numéro du siège, bagage détails, détails voyage, l'achat détails, la facture d'achat, billet de voyage, la facture voyage, détails passager, détails touristiques, numero di conto, numero carta banca, numero patente di guida, numero carta d'identità, nome passeggero, numero del posto, dettagli dei bagagli, dettagli di viaggio, dettagli acquisto, fattura acquisto, biglietto viaggio, fattura viaggio, dati passeggeri, dettagli turistiche, Número cuenta, número tarjeta bancaria, número licencia de conducir, número de tarjeta identificación, nombre pasajero, número asiento, detalles equipaje, detalles de viaje, detalles de compra, viaje factura, viaje billete, factura de viaje, pasajeros detalles, detalles turísticos, rekeningnummer, bankkaart nummer, rijbewijs nummer, ID-kaart nummer, naam passagier, stoelnummer, bagage-informatie, reis informatie, aankoopgegevens, aankoopfactuur, reizenreisbiljet, reizen factuur, passagiersgegevens, toeristische informatie
Netherlands Passport Number Data Identifiers Dutch passports are issued to Netherlands
citizens for the purpose of international
travel.
France Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of France.
Germany Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Germany.
Italy Passport Number Data Identifiers Italian passports are issued to Italian
citizens for the purpose of international
travel.
Italy Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Italy.
Spain Driver's License Number Data Identifiers Identification number for an individual's
driver's licence issued by the Driver and
Vehicle Licensing Agency of Spain.
Ireland Passport Number Data Identifiers An Irish passport is the passport issued
to citizens of Ireland. An Irish passport
enables the bearer to travel internationally
and serves as evidence of Irish citizenship
and citizenship of the European union.
It also facilitates the access to consular
assistance from both Irish embassies and
any embassy from other European union
member states while abroad.
Luxembourg Passport Number Data Identifiers A Luxembourg passport is an international
travel document issued to nationals of the
grand Duchy of Luxembourg, and may
also serve as proof of Luxembourgish
citizenship.
Portugal Passport Number Data Identifiers Portuguese passports are issued to
citizens of Portugal for the purpose of
international travel. The passport, along
with the national identity card allows for free
rights of movement and residence in any
of the states of the European Union and
European economic area.
Finland Passport Number Data Identifiers Finnish passports are issued to nationals
of Finland for the purpose of international
travel. They also facilitate the process of
securing assistance from Finnish consular
officials abroad.
Finland Driver's Licence Number Data Identifiers Identification number for an individual's
driver's license issued in an EU or EEA
Member State for a Finnish license.
Portugal Driver's Licence Number Data Identifiers The Institute for Mobility and Land
Transport (IMTT) issues driver's licenses in
Portugal.
Sweden Driver's Licence Number (Data Identifiers): In Sweden, a driving licence is required to operate a car, motorcycle or moped on public roads. Driving licences are issued by the Swedish Transport Agency (Transportstyrelsen).
Greece Passport Number (Data Identifiers): Greek passports are issued to Greek citizens for the purpose of international travel. The passport, along with the national identity card, allows free movement and residence in any state of the European Union and the European Economic Area.
Poland Passport Number (Data Identifiers): A Polish passport is an international travel document issued to nationals of Poland. It may also serve as proof of Polish citizenship.
Hungary Passport Number (Data Identifiers): Hungarian passports are issued to Hungarian citizens for international travel by the Central Data Processing, Registration, and Election Office of the Hungarian Ministry of the Interior.
Slovakia Passport Number (Data Identifiers): Slovak passports are issued to citizens of Slovakia to facilitate international travel.
Slovenia Passport Number (Data Identifiers): Slovenian passports are issued to citizens of Slovenia to facilitate international travel.
Estonia Passport Number (Data Identifiers): The Estonian passport is an international travel document issued to citizens of Estonia that also serves as proof of Estonian citizenship. The Estonian Border Guard Board and Estonian foreign representations abroad are responsible for issuing Estonian passports.
Latvia Passport Number (Data Identifiers): Latvian passports are issued to citizens of Latvia for identity and international travel purposes. Passports are issued by the territorial offices of the Office of Citizenship and Migration Affairs.
Switzerland Passport Number (Data Identifiers): Swiss passports are issued to citizens of Switzerland to facilitate international travel.
Iceland Passport Number (Data Identifiers): Icelandic passports are issued to citizens of Iceland for the purpose of international travel and may also serve as proof of Icelandic citizenship.
Liechtenstein Passport Number (Data Identifiers): Liechtenstein passports are issued to nationals of Liechtenstein for the purpose of international travel. The passport may also serve as proof of Liechtenstein citizenship.
Romania Driver's Licence Number (Data Identifiers): A driving licence in Romania is a document confirming the right of the holder to drive motor vehicles.
Czech Republic Driver's Licence Number (Data Identifiers): The Czech Republic Ministry of Transport grants driving licences in the Czech Republic, confirming the right of the holder to drive motor vehicles.
Slovakia Driver's Licence Number (Data Identifiers): A Slovak driving licence is a document confirming the right of the holder to drive motor vehicles. Slovak driving licences are granted by the Ministry of Interior.
Poland Driver's Licence Number (Data Identifiers): Poland issues driving licences confirming the right of the holder to drive motor vehicles.
Hungary Driver's Licence Number (Data Identifiers): A driving licence in Hungary is a document issued by the Ministry of Economics and Transport, confirming the right of the holder to drive motor vehicles.
Latvia Driver's Licence Number (Data Identifiers): A driving licence in Latvia is a document issued by the Road Traffic Safety Directorate, confirming the right of the holder to drive motor vehicles.
Norway Driver's Licence Number (Data Identifiers): A driving licence is required in Norway before a person is permitted to drive a motor vehicle of any description on a road in Norway.
Estonia Driver's Licence Number (Data Identifiers): The Estonian Road Administration issues driving licences in Estonia, confirming the right of the holder to drive motor vehicles.
Username/Password Combinations (Simple rule: EDM): This rule looks for user names and passwords in combination. See Choosing an Exact Data Profile.
Exact SSN or CCN (Simple rule: EDM): This rule looks for a Social Security Number or a credit card number.
Customer Directory (Simple rule: EDM): This rule looks for a phone number or an email address.
3 or more critical customer fields (Simple rule: EDM): This rule looks for a match among any three of the following fields:
• Account number
• Bank card number
• Email address
• First name
• Last name
• PIN number
• Phone number
• Social security number
• ABA Routing Number
• Canadian Social Insurance Number
• UK National Insurance Number
• Date of Birth
However, the following combinations are not a match:
• Phone, email, and first name
• Phone, email, and last name
• Email, first name, and last name
• Phone, first name, and last name
ABA Routing Numbers (Simple rule: DCM (DI)): This condition detects nine-digit numbers and validates them using the final check digit. It eliminates common test numbers such as 123456789, number ranges that are reserved for future use, and numbers made up of a single repeated digit. It also requires the presence of an ABA-related keyword.
US Social Security Numbers (Simple rule: DCM (DI)): This rule looks for Social Security numbers. For it to match, there must be a number that fits the Randomized US SSN data identifier and a keyword or phrase from the "US SSN Keywords" dictionary that indicates the presence of a US SSN. The keyword condition reduces false positives from other numbers that happen to fit the SSN format.
Credit Card Numbers (Simple rule: DCM (DI)): This condition detects valid credit card numbers written with spaces, dashes, periods, or no separators. It performs Luhn check validation and covers the following card formats:
• American Express
• Diners Club
• Discover
• Japan Credit Bureau (JCB)
• MasterCard
• Visa
The rule eliminates common test numbers, including those reserved for testing by card issuers, and also requires the presence of a credit card-related keyword.
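The two number-validating conditions above (ABA routing number check digit, credit card Luhn check with test-number exclusion and a required keyword) are worth seeing as code, because the checksum alone is not what keeps the false-positive rate down. The following is an added example written for this page, not code from the Symantec product. The keyword lists, the ABA and card test-number sets, and the sample text are constructed for the example; the ABA prefix ranges (00-12, 21-32, 61-72, 80) and the card IIN ranges are the commonly published allocations and are an assumption of this example rather than the product's own tables.

```python
import re

# Constructed values for this example (not taken from the product documentation).
ABA_TEST_NUMBERS = {"123456789", "987654321"}  # placeholder routing numbers seen in test data
CARD_TEST_NUMBERS = {"4111111111111111", "5555555555554444", "378282246310005"}  # issuer test cards
ABA_KEYWORDS = re.compile(r"\b(?:aba|routing|rtn|transit)\b", re.I)          # assumed keyword list
CARD_KEYWORDS = re.compile(r"\b(?:credit card|card number|visa|mastercard|amex|cvv)\b", re.I)


def aba_check_digit_ok(routing: str) -> bool:
    """ABA routing transit number checksum: weights 3,7,1 repeated; the weighted sum must be divisible by 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def aba_number_ok(routing: str) -> bool:
    """Checksum plus the exclusions the data identifier applies: known test values, a single repeated digit,
    and two-digit prefixes outside the allocated ranges 00-12, 21-32, 61-72 and 80 (all others are reserved)."""
    if not aba_check_digit_ok(routing) or routing in ABA_TEST_NUMBERS or len(set(routing)) == 1:
        return False
    prefix = int(routing[:2])
    return prefix <= 12 or 21 <= prefix <= 32 or 61 <= prefix <= 72 or prefix == 80


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right (subtract 9 if the result exceeds 9); sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(n: str):
    """Map a digit string to a card brand by IIN prefix and length (commonly published ranges; assumption)."""
    ln, p2, p3, p4 = len(n), int(n[:2]), int(n[:3]), int(n[:4])
    if n[0] == "4" and ln in (13, 16, 19):
        return "Visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and ln == 16:
        return "MasterCard"
    if p2 in (34, 37) and ln == 15:
        return "American Express"
    if (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649) and ln == 16:
        return "Discover"
    if 3528 <= p4 <= 3589 and ln == 16:
        return "JCB"
    if (300 <= p3 <= 305 or p2 in (36, 38)) and ln == 14:
        return "Diners Club"
    return None


# Candidate card: 13-19 digits, optionally separated by single spaces, dashes or periods, not inside a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ .-]?){12,18}\d(?!\d)")
ABA_CANDIDATE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def find_credit_cards(text: str) -> list:
    """(normalized number, brand) for each candidate that is a known brand format, passes Luhn and is not a
    test number; nothing is reported unless a card-related keyword is present somewhere in the text."""
    if not CARD_KEYWORDS.search(text):
        return []
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ .-]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits) and digits not in CARD_TEST_NUMBERS:
            found.append((digits, brand))
    return found


def find_aba_numbers(text: str) -> list:
    """Nine-digit candidates that survive the check digit and exclusions, only when an ABA keyword is present."""
    if not ABA_KEYWORDS.search(text):
        return []
    return [m.group() for m in ABA_CANDIDATE.finditer(text) if aba_number_ok(m.group())]


# Constructed sample text; every number in it is made up for the example.
SAMPLE_TEXT = ("Constructed sample: wire to routing number 111000025 (not 000000000 or 123456789); "
               "card number 4539 1488 0343 6467 charged; 4111-1111-1111-1111 is a test card; "
               "4539.1488.0343.6468 fails the check digit; order ref 2022-01-05.")

if __name__ == "__main__":
    print(find_aba_numbers(SAMPLE_TEXT))   # ['111000025']
    print(find_credit_cards(SAMPLE_TEXT))  # [('4539148803436467', 'Visa')]
```

Note how the keyword gate and the exclusion sets do most of the work: 000000000 passes the ABA checksum and 4111-1111-1111-1111 passes Luhn, yet neither is reported, and the same card number in text without a card-related keyword is ignored.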
See also: Configuring policies; Exporting policy detection as a template.
This policy template detects data concerning prescription drugs, diseases, and treatments in combination with PHI. Organizations that are not subject to HIPAA can also use this policy to control PHI data.
The HIPAA and HITECH (including PHI) policy template is updated with recent Drug, Disease, and Treatment keyword lists based on information from the U.S. Food and Drug Administration (FDA) and other sources. The policy template also uses the Randomized US Social Security Number (SSN) data identifier, which detects both traditional and randomized SSNs.
See also: Keep the keyword lists for your HIPAA and Caldicott policies up to date; Updating policies to use the US Randomized SSN data identifier.
TPO (Treatment, Payment, or health care Operations) partners are organizations with which PHI may be shared under the HIPAA treatment, payment, and health care operations exception. The template requires that you enter the allowed email addresses. If implemented, the exception is evaluated before the detection rules, and the policy does not trigger an incident if the protected information is sent to one of the allowed partners.
TPO Exception (Content Matches Keyword (DCM)): Simple exception (single condition match). Looks for a recipient email address matching one from the "TPO Email Addresses" user-defined keyword dictionary.
The Patient Data detection rule looks for an exact data match against any single column from a profiled Patient Data database record.
Patient Data (Content Matches Exact Data (EDM)): Match data from any single field:
• Last name
• Taxpayer ID (SSN)
• Email address
• Account number
• ID card number
• Phone number
See Choosing an Exact Data Profile.
The Patient Data and Drug Codes detection rule is a compound detection rule that requires a Patient Data exact match and a match from the "Drug Code" data identifier.
Patient Data and Drug Codes (compound rule, both conditions must match):
• Content Matches Exact Data (EDM): Patient Data detection rule (a match against any single column from a profiled Patient Data database record).
• Content Matches Data Identifier: National Drug Code data identifier.
The Patient Data and Prescription Drug Names detection rule is a compound detection rule that requires a Patient Data exact match and a keyword match from the "Prescription Drug Names" dictionary.
Table 705: Patient Data and Prescription Drug Names detection rule
Patient Data and Prescription Drug Names (compound rule, both conditions must match):
• Content Matches Exact Data (EDM): Patient Data detection rule (a match against any single column from a profiled Patient Data database record).
• Content Matches Keyword (DCM): a keyword match from the Prescription Drug Names dictionary.
See Updating policies after upgrading to the latest version.
The Patient Data and Treatment Keywords detection rule is a compound detection rule that requires a Patient Data exact match and a keyword match from the "Medical Treatment Keywords" dictionary.
Patient Data and Treatment Keywords (compound rule, both conditions must match):
• Content Matches Exact Data (EDM): Patient Data detection rule (a match against any single column from a profiled Patient Data database record).
• Content Matches Keyword (DCM): a keyword match from the Medical Treatment Keywords dictionary.
See Updating policies after upgrading to the latest version.
The Patient Data and Disease Keywords detection rule is a compound detection rule that requires a Patient Data exact match and a keyword match from the "Disease Names" dictionary.
Patient Data and Disease Keywords (compound rule, both conditions must match):
• Content Matches Exact Data (EDM): Patient Data detection rule (a match against any single column from a profiled Patient Data database record).
• Content Matches Keyword (DCM): a keyword match from the Disease Names dictionary.
See Updating policies after upgrading to the latest version.
The SSN and Drug Keywords detection rule is a compound detection rule that looks for SSNs using the Randomized US Social Security Number (SSN) data identifier and for a keyword from the "Prescription Drug Names" dictionary.
SSN and Drug Keywords (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth).
• Content Matches Keyword: Prescription Drug Names keyword dictionary.
See Updating policies after upgrading to the latest version.
The SSN and Treatment Keywords detection rule is a compound detection rule that looks for SSNs using the Randomized US Social Security Number (SSN) data identifier and for a keyword match from the "Medical Treatment Keywords" dictionary.
Table 709: SSN and Treatment Keywords detection rule
SSN and Treatment Keywords (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth).
• Content Matches Keyword: Medical Treatment Keywords keyword dictionary.
See Updating policies after upgrading to the latest version.
The SSN and Disease Keywords detection rule is a compound detection rule that looks for SSNs using the US Randomized Social Security Number (SSN) data identifier and for a keyword match from the "Disease Names" dictionary.
SSN and Disease Keywords (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth).
• Content Matches Keyword: Disease Names keyword dictionary.
See Updating policies after upgrading to the latest version.
The SSN and Drug Code detection rule is a compound detection rule that looks for SSNs using the US Randomized Social Security Number (SSN) data identifier and for a drug code using the Drug Code data identifier.
SSN and Drug Code (compound rule, both conditions must match):
• Content Matches Data Identifier: US Randomized Social Security Number (SSN) data identifier (narrow breadth).
• Content Matches Data Identifier: Drug Code data identifier (narrow breadth).
ITIN: This rule looks for a match to the US ITIN data identifier and a keyword from the "US ITIN Keywords" dictionary.
Table 713: Indexed ITAR Munition Items and Recipients detection rule
Compound rule (both conditions must match):
• Recipient Matches Pattern (DCM): Match recipient email or URL domain from the ITAR Country Codes list. Severity: High. Check for existence. At least 1 recipient must match.
• Content Matches Exact Data (EDM): see Choosing an Exact Data Profile.
The ITAR Munitions List and Recipients detection rule looks for both a country code in the recipient from the "ITAR Country Codes" dictionary and a keyword from the "ITAR Munition Names" dictionary.
Compound rule (both conditions must match):
• Recipient Matches Pattern (DCM): Match recipient email or URL domain from the ITAR Country Codes list. Severity: High. Check for existence. At least 1 recipient pattern must match.
• Content Matches Keyword (DCM): Match any keyword from the ITAR Munitions List. Severity: High. Check for existence. Look in envelope, subject, body, attachments. Case insensitive. Match on whole words only.
Table 715: Medicare and Medicaid (including PHI) detection rules
Healthcare Common Procedure Coding System (HCPCS CPT Codes) and Keywords (Data Identifiers): These three rules match the medium breadth of the Healthcare Common Procedure Coding System (HCPCS CPT Codes) data identifier. They match all unique occurrences in the message envelope, subject line, body, or attachments. Matches are given High severity. They also require the presence of related keywords.
Medicare Beneficiary Identifier (Data Identifiers): This rule matches the narrow breadth of the Medicare Beneficiary Identifier data identifier. It matches all unique occurrences in the message envelope, subject line, body, or attachments. Matches are given High severity.
Health Insurance Claim Number (Data Identifiers): This rule matches the narrow breadth of the Health Insurance Claim Number data identifier. It matches all unique occurrences in the message envelope, subject line, body, or attachments. Matches are given High severity.
Table 716: Merger and Acquisition Agreements compound detection rule
All four conditions are keyword matches with the same settings: Severity: High. Check for existence. Look in envelope, subject, body, attachments. Case insensitive. Match on whole words only.
• Contract Specific Keywords (Keyword Match): Match any keyword: merger, agreement, contract, letter of intent, term sheet, plan of reorganization.
• Acquisition Corporate Structure Keywords (Keyword Match): Match any keyword: subsidiary, subsidiaries, affiliate, acquiror, merger sub, covenantor, acquired company, acquiring company, surviving corporation, surviving company.
• Merger Consideration Keywords (Keyword Match): Match any keyword: merger stock, merger consideration, exchange shares, capital stock, dissenting shares, capital structure, escrow fund, escrow account, escrow agent, escrow shares, escrow cash, escrow amount, stock consideration, break-up fee, goodwill.
• Legal Contract Keywords (Keyword Match): Match any keyword: recitals, in witness whereof, governing law, indemnify, indemnified, indemnity, signature page, best efforts, gross negligence, willful misconduct, authorized representative, severability, material breach.
NASD Rule 2711 and NYSE Rules 351 and 472 Policy Template
This policy protects the names of any companies involved in an upcoming stock offering, internal project names for the offering, and the stock ticker symbols of the offering companies.
The NASD Rule 2711 Documents, Indexed detection rule looks for content from specific documents registered as sensitive and known to be subject to NASD Rule 2711 or NYSE Rules 351 and 472. This rule returns a match if 80% or more of the source document is found.
Table 717: NASD Rule 2711 Documents, Indexed detection rule
Simple rule, Content Matches Document Signature (IDM): NASD Rule 2711 Documents, Indexed (IDM). Detect documents in the selected Indexed Document Profile. Require at least 80% content match. Severity: High. Check for existence. Look in body, attachments.
See Choosing an Indexed Document Profile.
The NASD Rule 2711 and NYSE Rules 351 and 472 detection rule is a compound rule that contains a sender condition and a keyword condition. The sender condition is based on a user-defined list of email addresses of research analysts at the user's company (the "Analysts' Email Addresses" dictionary). The keyword condition looks for the names of any upcoming stock offering, internal project names for the offering, and the stock ticker symbols of the offering companies (the "NASD 2711 Keywords" dictionary). Like the sender condition, it requires editing by the user.
Table 718: NASD Rule 2711 and NYSE Rules 351 and 472 detection rule
Compound rule (both conditions must match):
• Sender/User Matches Pattern (DCM): NASD Rule 2711 and NYSE Rules 351 and 472 (Sender). Match sender pattern(s) [research_analyst@company.com] (user defined). Severity: High. Matches on entire message.
• Content Matches Keyword (DCM): NASD Rule 2711 and NYSE Rules 351 and 472 (Keyword Match). Match "[company stock symbol]", "[name of offering company]", "[offering name (internal name)]". Severity: High. Check for existence. Look in envelope, subject, body, attachments. Case insensitive. Match on whole words only.
Table 719: Stock Recommendation detection rule
The NASD Rule 3010 and NYSE Rule 342 Keywords detection rule looks for keywords in the "NASD 3010 General Keywords" dictionary, which cover general stock broker activity, together with stock keywords.
Table 720: NASD Rule 3010 and NYSE Rule 342 Keywords detection rule
Compound rule (both conditions must match):
• Content Matches Keyword (DCM): Match keyword: "authorize", "discretion", "guarantee", "options". Severity: High. Check for existence. Look in envelope, subject, body, attachments. Case insensitive. Match on whole words only.
• Content Matches Keyword (DCM): Match keyword: "stock", "stocks", "security", "securities", "share", "shares". Severity: High. Check for existence. Look in envelope, subject, body, attachments. Case insensitive. Match on whole words only.
This policy detects the information outlined in the NERC security guidelines for the electricity sector.
Simple rule, Content Matches Exact Data (EDM): Match any three of the following data items: First name, Last name, Phone, Email. See Choosing an Exact Data Profile.
Simple rule, Content Matches Indexed Documents (IDM): This rule requires a 90% binary match. See Choosing an Indexed Document Profile.
The Sensitive Keywords and Vulnerability Keywords detection rule looks for any keyword matches from the "Sensitive Keywords" dictionary and the "Vulnerability Keywords" dictionary.
Network Diagrams Policy Template
The Network Diagrams Policy detects computer network diagrams at risk of exposure.
The SDN list refers to specific people or organizations that are subject to trade restrictions. The U.S. Treasury Department provides text files with specific names, last known addresses, and known aliases for these individuals and entities. The Treasury Department stipulates that the addresses may not be correct or current, and that a different location does not change the restrictions on the listed people and organizations.
In the OFAC policy template, Symantec Data Loss Prevention has scrubbed the list to make it more usable and practical. This includes extracting keywords and key phrases from the list of names and aliases, since names do not always appear in the same format as on the list. Common names have also been removed to reduce false positives. For example, one organization on the SDN list is known as "SARA"; leaving it on the list would generate a high false positive rate. "SARA Properties" is another entry on the list, and it is used as a key phrase in the template because this phrase occurs far less often than "SARA" alone. The list of names and organizations is considered in combination with the countries that appear most often in the SDN address list: the top 12 countries are used, after again removing the more commonly occurring countries. The template looks for recipients whose designated country code is one of the listed countries. This scrubbed SDN list minimizes false positives while still detecting transactions or communications with known restricted parties.
The OFAC policy also provides guidance around the restrictions the U.S. Treasury Department has placed on general trade with specific countries. This is distinct from the SDN list, since individuals and organizations are not specified. The list of general sanctions can be found here: http://www.treasury.gov/offices/enforcement/ofac/programs/index.shtml
The Office of Foreign Assets Control (OFAC) template looks for recipients in the OFAC-listed countries by designated country code.
The OFAC Special Designated Nationals List and Recipients detection rule looks for a recipient with a country code matching entries in the "OFAC SDN Country Codes" specification in combination with a match on a keyword from the "Specially Designated Nationals List" dictionary.
Table 724: OFAC Special Designated Nationals List and Recipients detection rule
Compound rule (both conditions must match):
• Recipient Matches Pattern (DCM): OFAC Special Designated Nationals List and Recipients (Recipient). Match email or URL domain by OFAC SDN Country Code. Severity: High. Check for existence. At least 1 recipient must match. Matches on the entire message.
• Content Matches Keyword (DCM): Specially Designated Nationals List (Keyword Match). Match keyword from the Specially Designated Nationals List. Severity: High. Check for existence. Look in envelope, subject, body, attachments. Case insensitive. Match on whole words only.
The Communications to OFAC countries detection rule looks for a recipient with a country code matching entries from the "OFAC Country Codes" list.
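The ITAR and OFAC rules above share one mechanism: a recipient condition that reduces each email address or URL to its domain and compares the domain's country code against a dictionary, combined (for the compound rules) with a whole-word, case-insensitive keyword match over the content, where at least one recipient must match. The following is an added example written for this page, not the product's recipient-matching code. It assumes that "country code" means the domain's country-code top-level label; the country-code set and the keyword list are constructed stand-ins for the template dictionaries, and the sample recipients and text are made up.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for the template dictionaries (the real lists live in the policy template).
COUNTRY_CODES = {"cu", "ir", "kp", "sy"}          # assumption: ccTLD labels of OFAC comprehensive programs
KEYWORDS = ["night vision", "export licence", "munitions"]  # constructed keyword list, phrases allowed

EMAIL_RE = re.compile(r"<?([^\s<>@]+)@([^\s<>]+)>?$")


def recipient_domain(recipient: str) -> str:
    """Domain of an email recipient ('user@host' or 'Name <user@host>') or the host of a URL."""
    r = recipient.strip()
    m = EMAIL_RE.search(r)
    if m:
        return m.group(2).lower().rstrip(".")
    host = urlparse(r if "://" in r else "//" + r).hostname
    return (host or "").lower().rstrip(".")


def recipient_country(recipient: str) -> str:
    """Last DNS label of the recipient's domain, e.g. 'sy' for bob@example.sy (assumed country code)."""
    return recipient_domain(recipient).rsplit(".", 1)[-1]


def recipient_condition(recipients, codes, min_recipients: int = 1) -> bool:
    """'At least N recipient(s) must match': count recipients whose country code is in the dictionary."""
    return sum(recipient_country(r) in codes for r in recipients) >= min_recipients


def keyword_condition(text: str, keywords) -> bool:
    """Case-insensitive match on whole words only; multi-word keywords are matched as phrases."""
    return any(re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", text, re.I) for k in keywords)


def compound_rule_fires(recipients, text: str, codes=COUNTRY_CODES, keywords=KEYWORDS) -> bool:
    """Both conditions must match, as in the ITAR Munitions List / OFAC SDN compound rules."""
    return recipient_condition(recipients, codes) and keyword_condition(text, keywords)


if __name__ == "__main__":
    # Constructed message: one internal recipient, one in a listed country, keyword present.
    rcpts = ["alice@example.com", "Bob <bob@example.sy>", "https://shop.example.kp/order"]
    body = "Quote for night vision goggles attached"
    print(compound_rule_fires(rcpts, body))                   # True
    print(compound_rule_fires(["alice@example.com"], body))   # False: no listed recipient
    print(compound_rule_fires(rcpts, "Agenda for Monday"))    # False: no keyword
```

The whole-word constraint is why "munitionsx" or a domain such as example.sy.com does not fire: the keyword must stand alone, and only the final label of the domain is treated as the country code.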
Table 725: Communications to OFAC countries detection rule
The Moderate Confidentiality Indicators detection rule looks for any keywords in the "Moderate Confidentiality" dictionary.
The Low Confidentiality Indicators detection rule looks for any keywords in the "Low Confidentiality" dictionary.
Table 728: Low Confidentiality Indicators detection rule
You can use positive lookahead (?=), lookbehind (?<=), and negative lookahead (?!) assertions in regular expressions to validate the conditions for required fields.
This regular expression matches a 5- to 16-character string containing no whitespace that must contain at least one of each of the following character types:
• one lower case letter
• one upper case letter
• one digit
• at least one of these symbols: - ! @ # $ & *
Table 729: Details of the Regular Expression Used in the Passwords Policy Template
(?=\S{0,15}[-!@#$&*]): Validates at least one symbol from the list of allowed special characters (-!@#$&*).
(?!([\d.-]{0,13}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec))): Ensures that dates, such as 01-JAN-2022, are excluded from the password.
(?![\d.,-]{1,15}\p{Sc}|\p{Sc}[\d.,-]{1,15}): Ensures that currency symbols such as $ or ¥ are excluded from the password.
(?![\d.,-]{0,13}(AED|AFN|ALL|AMD|ANG|AOA|ARS|AUD|AWG|AZN|BAM|BBD|BDT|BGN|BHD|BIF|BMD|BND|BOB|BOV|BRL|BSD|BTN|BWP|BYN|BZD|CAD|CDF|CHE|CHF|CHW|CLF|CLP|CNY|COP|COU|CRC|CUC|CUP|CVE|CZK|DJF|DKK|DOP|DZD|EGP|ERN|ETB|EUR|FJD|FKP|GBP|GEL|GHS|GIP|GMD|GNF|GTQ|GYD|HKD|HNL|HRK|HTG|HUF|IDR|ILS|INR|IQD|IRR|ISK|JMD|JOD|JPY|KES|KGS|KHR|KMF|KPW|KRW|KWD|KYD|KZT|LAK|LBP|LKR|LRD|LSL|LYD|MAD|MDL|MGA|MKD|MMK|MNT|MOP|MRU|MUR|MVR|MWK|MXN|MXV|MYR|MZN|NAD|NGN|NIO|NOK|NPR|NZD|OMR|PAB|PEN|PGK|PHP|PKR|PLN|PYG|QAR|RON|RSD|RUB|RWF|SAR|SBD|SCR|SDG|SEK|SGD|SHP|SLE|SOS|SRD|SSP|STN|SVC|SYP|SZL|THB|TJS|TMT|TND|TOP|TRY|TTD|TWD|TZS|UAH|UGX|USD|USN|UYI|UYU|UZS|VED|VEF|VND|VUV|WST|XAF|XCD|XDR|XOF|XPF|XSU|XUA|YER|ZAR|ZMW|ZWL)): Ensures that ISO 4217 currency codes such as USD or INR are excluded from the password.
Customizations
You can customize the Passwords Policy Template according to your requirements (such as length and character set). You can also modify parts of the regular expression, as explained in the following table of modifiers for various use cases.
Passwords Policy Regular Expression Modifiers
Customization use case: Regular expression modifier
Passwords contain only letters and digits (no special characters are required): (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)\S{5,16}(?=\s|$)
Passwords contain only letters and special symbols (no digits are required): (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}[-!@#$&*])\S{5,16}(?=\s|$)
Passwords contain digits and special symbols only (no letters are required): (?<=\s|^)(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])\S{5,16}(?=\s|$)
Passwords contain one capital letter, one lower case letter, one symbol, and one digit: (?<=\s|^)(?=\S{0,15}[A-Z])(?=\S{0,15}[a-z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])\S{5,16}(?=\s|$)
Passwords that are 5 through 20 characters long: (?<=\s|^)(?=\S{0,19}[A-Za-z])(?=\S{0,19}\d)(?=\S{0,19}[!@#$%^&*()])\S{5,20}(?=\s|$)
Passwords contain a user-defined set of special characters, for example !@#$%^&*(),.: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)(?=\S{0,15}[!@#$%^&*(),.])\S{5,16}(?=\s|$)
Passwords contain one letter, one digit, and one special symbol, excluding a date such as 01-JAN-2022: (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])(?i)(?!([\d.-]{0,13}(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)))\S{5,16}(?=\s|$)
Passwords contain one letter, one digit, and one special symbol, excluding a currency symbol such as $ or ¥ (for example 1200,00$ or amount: $1200,00): (?<=\s|^)(?=\S{0,15}[A-Za-z])(?=\S{0,15}\d)(?=\S{0,15}[-!@#$&*])(?![\d.,-]{1,15}\p{Sc}|\p{Sc}[\d.,-]{1,15})\S{5,16}(?=\s|$)
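Before deploying a customized pattern it pays to run it against strings that should and should not match, because the negative lookaheads are anchored at the start of the token and only exclude what they were written for. The following added example (written for this page, not the product's own code) ports the full Passwords Policy expression to Python and tests it. Two substitutions are assumptions of the port: Python's re module rejects the variable-width lookbehind (?<=\s|^), so (?<!\S) and (?!\S) replace the token-boundary assertions, and it has no \p{Sc}, so an explicit class of common currency symbols stands in; the currency-code alternation is shortened to a subset of the ISO 4217 list shown above. The sample strings are constructed.

```python
import re

# Python's re has no \p{Sc}; this explicit class stands in for Unicode currency symbols (assumption of this port).
CURRENCY_SYMBOL = r"[$¢£¤¥€₹₽₩₪₫₱₴₦]"
# Subset of the ISO 4217 codes in the template table; extend with the full list for production use.
CURRENCY_CODE = r"(?:AED|AUD|CAD|CHF|CNY|EUR|GBP|INR|JPY|USD)"

PASSWORD_RE = re.compile(
    r"(?<!\S)"                                   # token start; equivalent to (?<=\s|^)
    r"(?=\S{0,15}[A-Z])"                         # at least one upper-case letter in the first 16 characters
    r"(?=\S{0,15}[a-z])"                         # at least one lower-case letter
    r"(?=\S{0,15}\d)"                            # at least one digit
    r"(?=\S{0,15}[-!@#$&*])"                     # at least one allowed symbol
    r"(?!(?i:[\d.-]{0,13}(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)))"  # not a date like 01-JAN-2022
    r"(?![\d.,-]{1,15}" + CURRENCY_SYMBOL + r"|" + CURRENCY_SYMBOL + r"[\d.,-]{1,15})"  # not 1200,00$ or $1200,00
    r"(?![\d.,-]{0,13}" + CURRENCY_CODE + r")"   # not an amount followed by a currency code, e.g. 1200USD
    r"\S{5,16}"                                  # the password token itself
    r"(?!\S)"                                    # token end; equivalent to (?=\s|$)
)


def is_password_like(token: str) -> bool:
    """True when a single whitespace-free token satisfies the Passwords Policy pattern."""
    return PASSWORD_RE.fullmatch(token) is not None


def find_password_candidates(text: str) -> list:
    """Every whitespace-delimited token in text that the pattern would flag."""
    return PASSWORD_RE.findall(text)


# Constructed sample: one real candidate plus tokens that satisfy the character classes but are
# date-like, currency-like, or simply too short / too simple.
SAMPLE_TEXT = ("Constructed sample: login with Tr0ub4dor&3 on 01-Jan-2022! amount: $1200,00Ab! "
               "fee 1200USDAb! old one was swordfish and Xy9! is too short")

if __name__ == "__main__":
    print(find_password_candidates(SAMPLE_TEXT))  # ['Tr0ub4dor&3']
    for t in ["01-Jan-2022!", "$1200,00Ab!", "1200USDAb!"]:
        print(t, is_password_like(t))             # all False: excluded by the negative lookaheads
```

The three excluded tokens each satisfy all four positive lookaheads (upper, lower, digit, symbol); only the date and currency lookaheads stop them, which is why those assertions sit before \S{5,16} rather than after it.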
Simple rule, Content Matches Exact Data (EDM): This rule detects credit card numbers. See Choosing an Exact Data Profile.
The Credit Card Numbers, All detection rule detects credit card numbers using the Credit Card Number system Data Identifier.
Simple rule, Content Matches Data Identifier (DCM): Credit Card Numbers, All (Data Identifiers). Data Identifier: Credit Card Number (narrow breadth). Severity: High. Count all matches. Look in envelope, subject, body, attachments.
The Magnetic Stripe Data for Credit Cards detection rule detects raw data from the credit card magnetic stripe using the Credit Card Magnetic Stripe system Data Identifier.
Table 732: Magnetic Stripe Data for Credit Cards detection rule
Simple rule, Content Matches Data Identifier (DCM): Magnetic Stripe Data for Credit Cards (Data Identifiers). Data Identifier: Credit Card Magnetic Stripe (medium breadth). Severity: High. Count all matches. Look in envelope, subject, body, attachments.
Detection method: Description and excluded combinations
EDM Rule: The PIPEDA detection rule matches any two of the following data items:
• Last name
• Bank card
• Medical account number
• Medical record
• Agency number
• Account number
• PIN
• User name
• Password
• SIN
• ABA routing number
• Email
• Phone
• Mother's maiden name
However, the following combinations do not create a match:
• Last name, email
• Last name, phone
• Last name, account number
• Last name, user name
See Choosing an Exact Data Profile.
The PIPEDA Contact Info detection rule looks for a match of two data items, with certain data combinations excepted from matching.
Table 734: PIPEDA Contact Info detection rule
EDM Rule: This rule looks for any two of the following data columns:
• Last name
• Phone
• Account number
• User name
• Email
See Choosing an Exact Data Profile.
DCM Rule: This rule implements the narrow breadth edition of the Canadian Social Insurance Number data identifier.
DCM Rule: This rule implements the narrow breadth edition of the ABA Routing Number data identifier.
DCM Rule: This rule implements the narrow breadth edition of the Credit Card Number data identifier.
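The "any N of these columns, except the following combinations" rules (the 3 or more critical customer fields rule earlier on this page and the PIPEDA rules above) are easy to misread: the excluded combinations are not columns to ignore, they are specific match sets that on their own are too weak to count. The following added example, written for this page and not the product's EDM engine, makes that semantic explicit. It assumes that an exclusion suppresses a hit only when the matched columns are exactly that combination, so one additional matching column turns the message back into a hit; the profile row, the column names and the sample messages are constructed.

```python
import re

# Constructed Exact Data Profile row (fake values). The email and user name are chosen so that
# neither contains the first or last name as a whole token.
PROFILE_ROW = {
    "first_name": "Alice", "last_name": "Moreno", "email": "amoreno77@example.com",
    "phone": "555-0101", "account_number": "ACC-77412", "user_name": "amoreno",
    "ssn": "123-45-6789",
}

# Excluded combinations, as sets of column names, taken from the two rule descriptions on this page.
CRITICAL_FIELDS_EXCLUDED = [
    {"phone", "email", "first_name"}, {"phone", "email", "last_name"},
    {"email", "first_name", "last_name"}, {"phone", "first_name", "last_name"},
]
PIPEDA_EXCLUDED = [
    {"last_name", "email"}, {"last_name", "phone"},
    {"last_name", "account_number"}, {"last_name", "user_name"},
]


def matched_columns(row: dict, text: str) -> set:
    """Columns whose profiled value appears in the text as a whole token, case-insensitively."""
    return {col for col, val in row.items()
            if re.search(r"(?<!\w)" + re.escape(val) + r"(?!\w)", text, re.I)}


def edm_rule_matches(row: dict, text: str, min_fields: int, excluded: list) -> bool:
    """Fire when at least min_fields columns match and the matched set is not, by itself, an excluded
    combination. Assumption of this example: an exclusion applies only to a match made up of exactly
    those columns; any extra matching column makes the message a hit again."""
    cols = matched_columns(row, text)
    if len(cols) < min_fields:
        return False
    return not any(cols == set(ex) for ex in excluded)


def critical_fields_rule(text: str) -> bool:
    """3 or more critical customer fields, with that rule's four excluded triples."""
    return edm_rule_matches(PROFILE_ROW, text, 3, CRITICAL_FIELDS_EXCLUDED)


def pipeda_rule(text: str) -> bool:
    """PIPEDA: any two columns, with that rule's four excluded pairs."""
    return edm_rule_matches(PROFILE_ROW, text, 2, PIPEDA_EXCLUDED)


if __name__ == "__main__":
    contact = "Call Alice at 555-0101 or mail amoreno77@example.com"   # constructed message
    print(critical_fields_rule(contact))               # False: exactly phone+email+first name
    print(critical_fields_rule(contact + " (Moreno)"))  # True: a fourth column matched
    print(pipeda_rule("Moreno <amoreno77@example.com>"))  # False: exactly last name+email
    print(pipeda_rule("ACC-77412 555-0101"))              # True
```

Run against real incident samples, this kind of harness shows quickly whether the excluded combinations you configured actually cover the routine contact-card traffic that was generating noise.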
NOTE
This template contains one EDM detection rule. If you do not have an EDM profile configured, or you are using
Symantec Data Loss Prevention Standard, this policy template is empty and contains no rule to configure.
Project Data Policy Template
The Project Data Policy detects discussions of sensitive projects.
Publishing Documents Policy Template
The Publishing Documents Policy detects various types of publishing documents, such as Adobe FrameMaker files, at risk
of exposure.
NOTE
Both file types and file name extensions are required for this policy because the detection engine does not
detect the true file type for all the required documents. As such, the file name extension must be used with the
file type.
Restricted Recipients Policy Template
The Restricted Recipients policy detects communications with specified recipients, such as former employees.
Table 738: The Russian Federal Law on Personal Data (No. 152-FZ) template rules
Russia Cargo Customs Declaration: The Cargo Customs Declaration (CCD) is one of the main documents drawn up when moving goods across the customs border of the state. The CCD is issued by the manager of the goods and certified by the customs inspector, and it then serves as the basis for passing through the border. The declaration contains information about the cargo and its customs value, the means of delivery, the sender, and the recipient.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
Russia Insurance Account Number (SNILS): The individual insurance account number (SNILS) is a personal number that is used by the Pension Fund of the Russian Federation to track people's accounts for social security purposes.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
Russia Military Identity Number: The military identity card of the Russian Armed Forces is a document issued to soldiers of the Armed Forces of the Russian Federation and other "power" agencies where military service is provided, and to those who are exempt from military service or admitted to the reserve.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
Russian Passport Identification Number: There are two types of passports in Russia, the domestic passport and the international passport. Every Russian citizen has a domestic passport, which is the main document used to identify a person.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
Russian Taxpayer Identification Number: The taxpayer identification number (TIN, also called INN) is a multidigit number that enables the tax inspectorate to identify the tax status of legal entities and individuals.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
Russia Phone Number: Detects Russian phone numbers.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
Russia Vehicle Identification Number: A vehicle identification number (VIN) is a unique code, including a serial number, which is used by the automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters, and mopeds.
Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
Russia Employment Record: An employment record is an official personal document containing records of the employment of a citizen; it was most widely distributed in the USSR and is used in many CIS countries.
Default severity: High. Check for existence. Look in envelope, subject, body, and attachments.
The SEC Fair Disclosure Regulation compound detection rule looks for the following conditions; all must be satisfied for the rule to trigger an incident:
• The SEC Fair Disclosure keywords indicate possible disclosure of advance financial information ("SEC Fair Disclosure Keywords" dictionary).
• An attachment or file type that is a commonly used document or spreadsheet format. The detected file types are Microsoft Word, Excel Macro, Excel, Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, WordPerfect, Lotus 123, Applix Spreadsheets, CSV, Multiplan Spreadsheet, and Adobe PDF.
• The company name keyword list requires editing by the user, which can include any name, alternate name, or abbreviation that might indicate a reference to the company.
Method: Compound rule
Condition: Content Matches Keyword
Configuration: SEC Fair Disclosure Regulation (Keyword Match):
• Match keyword: earnings per share, forward guidance
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
• Match on same component. The keyword must be in the attachment or file type detected by that condition.
Condition: Message Attachment or File Type Match
Configuration: SEC Fair Disclosure Regulation (Attachment/File Type):
• File type detected: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, 123, doc, wordperfect, and pdf.
• Severity: High.
• Match on: Attachments and same component.
The Financial Information detection rule looks for a specific file type containing a word from the "Financial Keywords"
dictionary and a word from the "Confidential/Proprietary Words" dictionary. The spreadsheet file types detected are
Microsoft Excel Macro, Microsoft Excel, Microsoft Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, and more.
The SEC Fair Disclosure Regulation template detects data indicating disclosure of material financial information.
The SEC Fair Disclosure Regulation Documents, Indexed (IDM) detection rule looks for content from specific documents subject to SEC Fair Disclosure regulation. This rule returns a match if 80% or more of the source document content is found.
Table 742: SEC Fair Disclosure Regulation Documents, Indexed (IDM) detection rule
Method: Simple rule
Condition: Content Matches Document Signature (IDM)
Configuration: SEC Fair Disclosure Regulation Documents, Indexed (IDM):
• Detect documents from the selected Indexed Document Profile.
Choosing an Indexed Document Profile
• Match documents with at least 80% content match.
• Severity: High.
• Check for existence.
• Look in body, attachments.
The SEC Fair Disclosure Regulation detection rule looks for a keyword match from the "SEC Fair Disclosure Keywords" dictionary, an attachment or file type that is a commonly used document or spreadsheet, and a keyword match from the "Company Name Keywords" dictionary.
All three conditions must be satisfied for the rule to trigger an incident:
• The SEC Fair Disclosure keywords indicate possible disclosure of advance financial information.
• The file types detected are Microsoft Word, Excel Macro, Excel, Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, WordPerfect, Lotus 123, Applix Spreadsheets, CSV, Multiplan Spreadsheet, and Adobe PDF.
• The company name keyword list requires editing by the user, which can include any name, alternate name, or abbreviation that might indicate a reference to the company.
Method: Compound rule
Condition: Content Matches Keyword (DCM)
Configuration: SEC Fair Disclosure Regulation (Keyword Match):
• Match "earnings per share", "forward guidance".
• Severity: High.
• Check for existence.
• Look in envelope, subject, body, attachments.
• Case insensitive.
• Match on whole words only.
Condition: Message Attachment or File Type Match (DCM)
Configuration: SEC Fair Disclosure Regulation (Attachment/File Type):
• Match file type: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, 123, doc, wordperfect, pdf
• Severity: High.
• Match on attachments.
• Require content match to be in the same component (attachment).
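The "same component" requirement above is what separates a keyword that merely appears in the body from one found inside a qualifying spreadsheet attachment. The following added example (constructed here, not Symantec's code) models a message as a list of components and evaluates the two SEC Fair Disclosure conditions both per component and at message level; the keyword list and detected file types are those from the table, while the Component class and sample messages are assumptions.

```python
"""Constructed model of a two-condition compound rule with "same component" scoping.

Not Symantec's code. A message is a list of components (envelope, subject, body,
attachments); the SEC Fair Disclosure keyword condition and the attachment/file
type condition must both hold inside one attachment for an incident.
"""
import re
from dataclasses import dataclass

# Values taken from the SEC Fair Disclosure Regulation template described above.
SEC_FAIR_DISCLOSURE_KEYWORDS = ("earnings per share", "forward guidance")
SEC_FILE_TYPES = frozenset({
    "excel_macro", "xls", "works_spread", "sylk", "quattro_pro", "mod",
    "csv", "applix_spread", "123", "doc", "wordperfect", "pdf",
})


@dataclass
class Component:
    kind: str               # "envelope", "subject", "body" or "attachment"
    text: str               # extracted text of the component
    file_type: str = ""     # detected file type of an attachment (not its extension)


def keyword_matches(text: str, keywords) -> bool:
    """Case-insensitive, whole-word match; multi-word phrases are matched as a unit."""
    return any(
        re.search(rf"(?<!\w){re.escape(kw)}(?!\w)", text, re.IGNORECASE)
        for kw in keywords
    )


def file_type_matches(component: Component, file_types) -> bool:
    """Attachment/File Type condition: only attachments carry a detected type."""
    return component.kind == "attachment" and component.file_type in file_types


def compound_same_component(components, keywords, file_types) -> list:
    """Both conditions evaluated per component: returns the attachments that satisfy both."""
    return [
        c for c in components
        if file_type_matches(c, file_types) and keyword_matches(c.text, keywords)
    ]


def compound_whole_message(components, keywords, file_types) -> bool:
    """Contrast: the same two conditions ANDed at message level without same-component
    scoping. A keyword in the body plus any unrelated spreadsheet attachment triggers it."""
    return (
        any(keyword_matches(c.text, keywords) for c in components)
        and any(file_type_matches(c, file_types) for c in components)
    )


# Constructed sample messages (not real traffic).
MESSAGE_BODY_ONLY = [
    Component("subject", "Deck for Thursday"),
    Component("body", "Please review the forward guidance slide before the call."),
    Component("attachment", "Cafeteria menu for the week", file_type="pdf"),
]
MESSAGE_IN_ATTACHMENT = [
    Component("subject", "FYI"),
    Component("body", "See attached."),
    Component("attachment", "Q3 Earnings Per Share: 1.23 (draft)", file_type="xls"),
]

if __name__ == "__main__":
    for name, msg in (("body only", MESSAGE_BODY_ONLY), ("in attachment", MESSAGE_IN_ATTACHMENT)):
        same = compound_same_component(msg, SEC_FAIR_DISCLOSURE_KEYWORDS, SEC_FILE_TYPES)
        whole = compound_whole_message(msg, SEC_FAIR_DISCLOSURE_KEYWORDS, SEC_FILE_TYPES)
        print(f"{name}: same-component incident={bool(same)}, whole-message incident={whole}")
```

The first sample message is an incident only under whole-message evaluation, which is the false positive the same-component setting is meant to remove.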
Source Code Documents (IDM): This rule looks for specific user-provided source code from a Document Profile. This rule returns a match if it detects 80% or more of the source document. This rule is not available if you do not select a profile when creating the policy.
Source Code Extensions (File Name Match): This rule looks for a match among file name extensions from the "Source Code Extensions" dictionary.
Java Source Code (Regular Expressions): This compound rule looks for matches on two different regular expression patterns: Java Import Statements and Java Class Files.
C Source Code (Regular Expression): This rule looks for matches on the C Source Code regular expression pattern.
VB Source Code (Regular Expression): This rule looks for matches on the VB Source Code regular expression pattern.
Perl Source Code (Regular Expressions): This compound rule looks for matches on three different Perl-related regular expression patterns.
Rule name: Email to Affiliates (Recipient)
Condition type: Described identity (DCM), Recipient Matches Pattern
Description: Email to Affiliates is a policy exception that allows email messages to be sent to affiliates who are legitimately allowed to receive information covered under the State Data Privacy regulations. Policy exceptions are evaluated before detection match conditions. If there is an exception, in this case an affiliate email address that you have entered, the entire message is discarded and not available for evaluation by detection.
Configuration:
• Simple exception (single condition)
• Match email recipient: [affiliate1], [affiliate2].
• Edit the "Affiliate Domains" list and enter the email address for each recipient who may make acceptable use of the confidential data.
• At least 1 recipient(s) must match for the exception to trigger.
• Matches on the entire message.
The State Data Privacy policy template implements Exact Data Matching (State Data Privacy EDM rule). If you do not
select an Exact Data profile when you first create a policy based on this template, the EDM condition is not available for
use.
Choosing an Exact Data Profile
Table 747: State Data Privacy EDM rule
Rule name: State Data Privacy, Consumer Data
Condition type: Content matches Exact Data (EDM)
Description: This rule looks for an exact data match on three of the following:
• ABA Routing Number
• Account Number
• Bank Card Number (credit card number)
• Birth Date
• Driver License Number
• First Name
• Last Name
• Password
• PIN Number
• Social Security Number
• State ID Card Number
Exception conditions: the following combinations do not match:
• First Name, Last Name, PIN
• First Name, Last Name, Password
Configuration: When you are creating the EDM profile, you should validate it against the State Data Privacy template to ensure that the resulting index includes expected fields.
• Simple rule (single match condition)
• Severity: High
• Report incident if 1 match
• Look in envelope, body, attachments
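Two evaluation details in this template and in the Email to Affiliates exception above are easy to get wrong: the exception is evaluated first and discards the whole message, and a record counts only when at least three of its columns are found and the matched set is not one of the excluded combinations. The following added example (constructed here, not Symantec's engine, which matches against a hashed Exact Data Profile index rather than plain records) models both; the record values, recipients and domains are invented.

```python
"""Constructed model of the State Data Privacy EDM rule and its affiliate exception.

Not Symantec's engine: the real product matches against a hashed Exact Data
Profile index, whereas this "index" is a plain list of records so the 3-of-N
logic and the excluded combinations are visible.
"""
import re

# Column names from the State Data Privacy EDM rule described above.
EDM_FIELDS = frozenset({
    "ABA Routing Number", "Account Number", "Bank Card Number", "Birth Date",
    "Driver License Number", "First Name", "Last Name", "Password",
    "PIN Number", "Social Security Number", "State ID Card Number",
})
MIN_MATCHING_FIELDS = 3
# Combinations the template says do not match on their own.
EXCLUDED_COMBINATIONS = (
    frozenset({"First Name", "Last Name", "PIN Number"}),
    frozenset({"First Name", "Last Name", "Password"}),
)


def value_in_text(text: str, value: str) -> bool:
    """Whole-token, case-insensitive search for one indexed cell value."""
    return re.search(rf"(?<!\w){re.escape(value)}(?!\w)", text, re.IGNORECASE) is not None


def affiliate_exception_applies(recipients, affiliate_domains) -> bool:
    """Policy exception: one recipient in an affiliate domain is enough (at least 1 must match)."""
    allowed = {d.lower().lstrip("@") for d in affiliate_domains}
    return any(r.rsplit("@", 1)[-1].lower() in allowed for r in recipients)


def matched_fields(text: str, record: dict) -> frozenset:
    """Fields of one indexed record whose values appear in the text."""
    return frozenset(
        name for name, value in record.items()
        if name in EDM_FIELDS and value and value_in_text(text, value)
    )


def edm_hits(text: str, index) -> list:
    """Records with at least 3 matching fields, unless the matched set is exactly an
    excluded combination. A superset (the three plus an SSN, say) still matches."""
    hits = []
    for record in index:
        fields = matched_fields(text, record)
        if len(fields) >= MIN_MATCHING_FIELDS and fields not in EXCLUDED_COMBINATIONS:
            hits.append(fields)
    return hits


def evaluate_message(text: str, recipients, index, affiliate_domains) -> tuple:
    """Exceptions run first: a matching exception discards the whole message before detection."""
    if affiliate_exception_applies(recipients, affiliate_domains):
        return "discarded", []
    hits = edm_hits(text, index)
    return ("incident" if hits else "clean"), hits


# Constructed index row (fictional person, invented values) and affiliate list.
SAMPLE_INDEX = [{
    "First Name": "Ada", "Last Name": "Lovelace", "PIN Number": "4821",
    "Social Security Number": "899-12-3456", "Birth Date": "1985-12-10",
}]
AFFILIATE_DOMAINS = ["partner.example"]

if __name__ == "__main__":
    for text, to in (
        ("Hi Ada Lovelace, your PIN is 4821", ["a@corp.example"]),      # excluded trio: clean
        ("Ada Lovelace, SSN 899-12-3456", ["a@corp.example"]),          # 3 fields: incident
        ("Ada Lovelace, SSN 899-12-3456", ["b@partner.example"]),       # exception: discarded
    ):
        print(evaluate_message(text, to, SAMPLE_INDEX, AFFILIATE_DOMAINS))
```

Single short values such as a first name will appear in unrelated text all the time; the 3-of-N threshold and the excluded combinations are what keep this rule from firing on a name alone.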
The State Data Privacy detection rules table lists and describes the DCM detection rules implemented by the State Data Privacy policy. If any one of these rules is violated, the policy produces an incident, unless you have configured the exception condition and the message recipient is an acceptable-use affiliate.
Rule name: US Social Security Number Patterns
Condition type: Content Matches Data Identifier (DCM)
Description: The US Social Security Number Patterns rule is designed to detect US social security numbers (SSNs). The Randomized US SSN data identifier detects SSN patterns, both traditional and those issued under the new randomization scheme.
Configuration details:
• Simple rule (single match condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
Rule name: ABA Routing Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The ABA Routing Numbers rule is designed to detect ABA Routing Numbers. The ABA Routing Numbers data identifier detects ABA routing numbers.
Configuration details:
• Simple rule (single match condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments.
Rule name: Credit Card Numbers, All
Condition type: Content Matches Data Identifier (DCM)
Description: The Credit Card Numbers rule is designed to match on credit card numbers. To detect credit card numbers, this rule implements the Credit Card Number narrow breadth system data identifier.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments
Rule name: CA Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The CA Drivers License Numbers rule looks for a match for the CA drivers license number pattern, a match for a data identifier for terms relating to "drivers license," and a keyword from the "California Keywords" dictionary.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments
Rule name: NY Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The NY Drivers License Numbers rule looks for a match for the NY drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "New York Keywords" dictionary.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments
Rule name: IL Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The IL Drivers License Numbers detection rule looks for a match for the IL drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "Illinois Keywords" dictionary.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments
Rule name: NJ Drivers License Numbers
Condition type: Content Matches Data Identifier (DCM)
Description: The NJ Drivers License Numbers detection rule looks for a match for the NJ drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "New Jersey Keywords" dictionary. This condition implements the Driver's License Number - NJ State medium breadth system Data Identifier.
Configuration details:
• Simple rule (single condition)
• Severity: High.
• Count all matches.
• Look in envelope, subject, body, attachments
Table 749:
Turkey Person Identification Number (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
Turkey Passport Number (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
IPv6 Address (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
IBAN East (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
Credit Card Number (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
TSWIFT Codes (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
Turkey Tax Identification Number (Data Identifiers): Default severity: High. Count all unique matches. Look in envelope, subject, body, and attachments.
UK Electoral Roll Numbers Policy Template
The UK Electoral Roll Numbers Policy detects UK Electoral Roll Numbers using the official specification of the UK
Government Standards of the UK Cabinet Office.
UK NHS Numbers: This rule looks for a match to the UK National Health Service (NHS) Number data identifier.
This rule looks for a keyword match on the phrases "CLASSIFIED" or "RESTRICTED."
Table 752: Classified or Restricted Information (Keyword Match) detection rule
US Social Security Number Patterns (DCM Rule): This rule looks for a match to the social security number regular expression and a keyword from the dictionary "US SSN Keywords."
US Social Security Number Patterns: This rule looks for a match from the US Randomized Social Security Number data identifier and a keyword listed in the Match Any Keyword field.
Table 755:
Driver's License Number - AR State (Data Identifiers): Identification number for an individual driver's license issued by the State of Arkansas Department of Finance and Administration, Office of Driver Services.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - AZ State (Data Identifiers): Identification number for an individual driver's license issued by the State of Arizona Department of Transportation, Motor Vehicle Division.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - CA State (Data Identifiers): Identification number for an individual driver's license issued by the State of California Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - DC State (Data Identifiers): Identification number for an individual driver's license issued by the District of Columbia Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - FL State (Data Identifiers): Identification number for an individual driver's license issued by the State of Florida Department of Highway Safety and Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - HI State (Data Identifiers): Identification number for an individual driver's license issued by the State of Hawaii Department of Finance, Vehicle Registration and Licensing Division.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - ID State (Data Identifiers): Identification number for an individual driver's license issued by the State of Idaho Transportation Department, Division of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - IA State (Data Identifiers): Identification number for an individual driver's license issued by the State of Iowa Department of Transportation, Motor Vehicle Division, Office of Driver Services.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - IL State (Data Identifiers): Identification number for an individual driver's license issued by the State of Illinois.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - LA State (Data Identifiers): Identification number for an individual's driver's license issued by the State of Louisiana.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - NJ State (Data Identifiers): Identification number for an individual's driver's license issued by the State of New Jersey.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - NY State (Data Identifiers): Identification number for an individual driver's license issued by the State of New York.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - OK State (Data Identifiers): Identification number for an individual driver's license issued by the State of Oklahoma Department of Public Safety.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - OR State (Data Identifiers): Identification number for an individual driver's license issued by the State of Oregon Department of Transportation, Driver and Motor Vehicle Services Division.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - US Virgin Islands (Data Identifiers): Identification number for an individual driver's license issued by the US Virgin Islands Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - WA State (Data Identifiers): Identification number for an individual driver's license issued by the State of Washington.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - WI State (Data Identifiers): Wisconsin driver's license issued by the State of Wisconsin.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - CT State (Data Identifiers): Connecticut driver's license issued by the State of Connecticut Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - IN State (Data Identifiers): Indiana driver's license issued by the State of Indiana Bureau of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - KS State (Data Identifiers): Kansas driver's license issued by the State of Kansas Department of Revenue.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - KY State (Data Identifiers): Identification number for an individual driver's license issued by the State of Kentucky Transportation Cabinet.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MA State (Data Identifiers): Identification number for an individual driver's license issued by the State of Massachusetts Registry of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MD State (Data Identifiers): Identification number for an individual driver's license issued by the State of Maryland Department of Transportation.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MI State (Data Identifiers): Identification number for an individual driver's license issued by the State of Michigan Secretary of State Department.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MN State (Data Identifiers): Identification number for an individual driver's license issued by the State of Montana Department of Justice.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MO State (Data Identifiers): Identification number for an individual driver's license issued by the State of Missouri Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MT State (Data Identifiers): Identification number for an individual driver's license issued by the State of Montana Department of Transportation, Motor Vehicle Division, Office of Driver Services.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - MS State (Data Identifiers): Identification number for an individual driver's license issued by the State of Mississippi Department of Public Safety.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - ND State (Data Identifiers): Identification number for an individual driver's license issued by the State of North Dakota Department of Transportation.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - NE State (Data Identifiers): Identification number for an individual driver's license issued by the State of Nebraska Department of Motor Vehicle Division.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - NH State (Data Identifiers): Identification number for an individual driver's license issued by the State of New Hampshire Department of Transportation, Motor Vehicle Division, Office of Driver Services.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - OH State (Data Identifiers): Identification number for an individual driver's license issued by the State of Ohio Department of Public Safety.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - RI State (Data Identifiers): Identification number for an individual driver's license issued by the State of Rhode Island Department of Motor Vehicle Division.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - TN State (Data Identifiers): Identification number for an individual driver's license issued by the State of Tennessee Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - VA State (Data Identifiers): Identification number for an individual driver's license issued by the State of Virginia Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - VT State (Data Identifiers): Identification number for an individual driver's license issued by the State of Vermont Department of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - WV State (Data Identifiers): Identification number for an individual driver's license issued by the State of West Virginia Division of Motor Vehicles.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - Guam (Data Identifiers): Identification number for an individual driver's license issued by the Guam Department of Revenue and Taxation.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - CO State (Data Identifiers): Identification number for an individual driver's license issued by the State of Colorado.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - AL State (Data Identifiers): Identification number for an individual driver's license issued by the State of Alaska.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - PA State (Data Identifiers): Identification number for an individual driver's license issued by the State of Pennsylvania.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Driver's License Number - WY State (Data Identifiers): Identification number for an individual driver's license issued by the State of Wyoming.
Default severity: High. Check for existence. Look in envelope, subject, body, attachments.
Violence and Weapons (DCM Rule): This rule is a compound rule with two conditions; both must match to trigger an incident. This rule looks for a keyword from the "Violence Keywords" dictionary and a keyword from the "Weapons Keywords" dictionary.
Virginia Consumer Data Protection Act Policy Template
This policy establishes a framework for controlling and processing personal data in the State of Virginia.
Randomized US Social Security Number (SSN) (Data Identifiers): As of June 25th, 2011 the SSA issues "randomized SSNs." The high group number (second part of the SSN) will no longer correspond to the area number (first part of the SSN). In addition, the range of the area number will increase from 773 to 899.
Severity: High. Check for existence. Look in envelope, subject, body, attachments.
US Passport Number (Data Identifiers): United States passports are passports issued to citizens and non-citizen nationals of the United States of America. They are issued exclusively by the U.S. Department of State.
Severity: High. Check for existence. Look in envelope, subject, body, attachments.
US Driver License Number - VA State (Data Identifiers): The Virginia Department of Motor Vehicles issues driving licenses to the citizens of Virginia.
Severity: High. Check for existence. Look in envelope, subject, body, attachments.
US Individual Tax Identification Number (ITIN) (Data Identifiers): A tax processing number issued by the United States Internal Revenue Service (IRS). The IRS issues ITINs to track individuals who are not eligible to obtain Social Security Numbers (SSNs).
Severity: High. Check for existence. Look in envelope, subject, body, attachments.
US Adoption Taxpayer Identification Number: An ATIN is an Adoption Taxpayer Identification Number issued by the Internal Revenue Service as a temporary taxpayer identification number for the child in a domestic adoption, where the adopting taxpayers do not have, or are unable to obtain, the child's Social Security Number (SSN).
Severity: High. Check for existence. Look in envelope, subject, body, attachments.
US Preparer Taxpayer Identification Number (Data Identifiers): The Preparer Tax Identification Number (PTIN) is an identification number that all paid tax return preparers must use on U.S. federal tax returns or claims for refund submitted to the Internal Revenue Service (IRS).
Severity: High. Check for existence. Look in envelope, subject, body, attachments.
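The randomized-SSN entry above explains why a data identifier can no longer validate the group number against the area number, and the templates throughout this section switch between "Check for existence", "Count all matches" and "Count all unique matches". The following added example (constructed here, not Symantec's data identifier) implements a structural SSN check under randomization and shows how the three counting modes differ on the same text; beyond the facts in the table, it assumes the published SSA rule that area 000, 666 and 900-999, group 00 and serial 0000 are never assigned, and all sample numbers are invented.

```python
"""Constructed illustration of a randomized US SSN data identifier and of the
"Check for existence" / "Count all matches" / "Count all unique matches" settings.

Not Symantec's implementation. Validity follows the SSA facts in the table above
(group no longer tied to area; area range extended to 899) plus the published SSA
rule that area 000, 666 and 900-999, group 00 and serial 0000 are never assigned.
"""
import re

# Three-part SSN with hyphens, not embedded in a longer run of digits.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_valid_randomized_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity under randomization: no high-group table lookup is
    possible any more, so only the never-assigned values are rejected."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:      # 001-899 is the post-2011 area range
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """All candidate SSNs in the text that pass validation, in order, repeats kept."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_valid_randomized_ssn(*m.groups())]


def check_for_existence(text: str) -> bool:
    """'Check for existence': at most one incident, however many SSNs are present."""
    return bool(find_ssns(text))


def count_all_matches(text: str) -> int:
    """'Count all matches': every occurrence counts, repeats included."""
    return len(find_ssns(text))


def count_all_unique_matches(text: str) -> int:
    """'Count all unique matches': the same SSN repeated counts once."""
    return len(set(find_ssns(text)))


def incident(text: str, mode: str, threshold: int = 1) -> bool:
    """Apply a counting mode and a match threshold (the templates above use 1)."""
    if mode == "existence":
        return check_for_existence(text)
    count = count_all_unique_matches(text) if mode == "unique" else count_all_matches(text)
    return count >= threshold


# Constructed sample text with invented numbers; everything on the second line is
# structurally invalid or embedded in a longer number and must not count.
SAMPLE_TEXT = (
    "Employee A: 899-12-3456, repeated later as 899-12-3456. Employee B: 773-01-0001.\n"
    "Noise: 000-12-3456 666-12-3456 900-12-3456 773-00-1234 773-01-0000 and ref 1899-12-34567."
)

if __name__ == "__main__":
    print("existence:", check_for_existence(SAMPLE_TEXT))    # True
    print("all:", count_all_matches(SAMPLE_TEXT))            # 3
    print("unique:", count_all_unique_matches(SAMPLE_TEXT))  # 2
```

A production data identifier adds context terms (the "US SSN Keywords" dictionary used by the SSN rules above) on top of this structural check to cut false positives.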
Name: Yahoo
Type: Compound detection rule (DCM)
Conditions:
• Recipient Matches Pattern: This condition checks for the URL domain mail.yahoo.com.
• Content Matches Keyword: This condition checks for the keyword ym/compose.
Name: Hotmail
Type: Compound detection rule (DCM)
Conditions:
• Recipient Matches Pattern: This condition checks for the URL domain hotmail.msn.com.
• Content Matches Keyword: This condition checks for the keyword compose?&curmbox.
Name: Go
Type: Compound detection rule (DCM)
Conditions:
• Recipient Matches Pattern: This condition checks for the URL gomailus.go.com.
• Content Matches Keyword: This condition checks for the keyword compose.
Name: AOL
Type: Compound detection rule (DCM)
Conditions:
• Recipient Matches Pattern: This condition checks for the URL domain aol.com.
• Content Matches Keyword: This condition checks for the keyword compose.
Name: Gmail
Type: Compound detection rule (DCM)
Conditions:
• Recipient Matches Pattern: This condition checks for the URL domain gmail.google.com.
• Content Matches Keyword: This condition checks for the keyword gmail.
Method: Compound rule
Condition: Content Matches Keyword (DCM)
Configuration: Yahoo Message Board (Keyword Match):
• Case insensitive.
• Match Keyword: post.messages.yahoo.com/bbs.
• Match on whole words only.
• Check for existence (do not count multiple matches).
• Look in envelope, subject, body, attachments.
• Match must occur in the same component for both conditions.
AND
Condition: Content Matches Keyword (DCM)
Configuration: Yahoo Message Board (Keyword Match):
• Case insensitive.
• Match Keyword: board=<enter board number>.
• Match on whole words only.
• Check for existence (do not count multiple matches).
• Look in envelope, subject, body, attachments.
• Match must occur in the same component for both conditions.
The Finance Message Board URL detection rule detects messages posted to the Yahoo Finance message board.
The following table describes the Finance Message Board URL detection rule configuration.
Table 760: Finance Message Board URL detection rule
Method: Simple rule
Condition: Content Matches Keyword (DCM)
Configuration: Finance Message Board URL (Keyword Match):
• Case insensitive.
• Match Keyword: messages.finance.yahoo.com.
• Match on whole words only.
• Check for existence (do not count multiple matches).
• Look in envelope, subject, body, attachments.
The Board URLs detection rule detects messages posted to the Yahoo or Yahoo Finance message boards by the URL of
either.
The following table describes the Board URLs detection rule configuration details.
The MSN IM detection rule looks for matches on three keywords in the same message component.
Table 764: Yahoo IM profile
Rule Configuration
Yahoo IM Keyword:
• Case insensitive.
• Match keyword: ymsg.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for both conditions in the rule.
AND
Yahoo IM Keyword:
• Case insensitive.
• Match keyword: shttp .msg.yahoo.com.
• Match on whole words only.
• Count all matches and report an incident for each match.
• Look for matches in the envelope, subject, body, and attachments.
• Match must occur in the same component for both conditions in the rule.
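The keyword tables above combine four options whose interaction is easy to misread: case-insensitive matching, whole-word matching, "check for existence" versus "count all matches", and the requirement that both conditions of a compound rule hit the same message component. The following Python is an added example written for this page (it is not Symantec code and does not reproduce the product's matcher); it models those options for the Yahoo Message Board and Yahoo IM rules over constructed sample messages. The board number 12345, the component names and the sample text are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Message components the keyword conditions above are configured to inspect.
COMPONENTS = ("envelope", "subject", "body", "attachments")


@dataclass(frozen=True)
class KeywordCondition:
    """One 'Content Matches Keyword' condition with the options from the tables."""
    keyword: str
    case_insensitive: bool = True
    whole_words: bool = True
    # False: "check for existence"; True: "count all matches and report each".
    count_all: bool = False

    def _pattern(self) -> "re.Pattern[str]":
        escaped = re.escape(self.keyword)
        if self.whole_words:
            # Keywords here contain '.', '/' and '=', so \b is unreliable at the
            # edges; require a non-word character (or string edge) on each side.
            escaped = r"(?<!\w)" + escaped + r"(?!\w)"
        flags = re.IGNORECASE if self.case_insensitive else 0
        return re.compile(escaped, flags)

    def matches(self, message: Dict[str, str]) -> Dict[str, int]:
        """Map each component containing the keyword to its match count."""
        pattern = self._pattern()
        hits: Dict[str, int] = {}
        for component in COMPONENTS:
            text = message.get(component, "")
            if self.count_all:
                n = len(pattern.findall(text))
            else:
                n = 1 if pattern.search(text) else 0
            if n:
                hits[component] = n
        return hits


def compound_rule(conditions: Iterable[KeywordCondition],
                  message: Dict[str, str]) -> Set[str]:
    """Components in which every condition matched: the rule fires only when all
    conditions hit the same component (the 'same component' option)."""
    per_condition = [set(c.matches(message)) for c in conditions]
    return set.intersection(*per_condition) if per_condition else set()


# The Yahoo Message Board compound rule; 12345 stands in for <enter board number>.
YAHOO_BOARD_RULE = (
    KeywordCondition("post.messages.yahoo.com/bbs"),
    KeywordCondition("board=12345"),
)

# Constructed sample messages (not real traffic).
SAME_COMPONENT_MESSAGE = {
    "envelope": "From: alice@example.com To: bob@example.com",
    "subject": "FW: board thread",
    "body": "Posted at post.messages.yahoo.com/bbs?board=12345&tid=7 (see board=12345)",
    "attachments": "",
}
SPLIT_COMPONENT_MESSAGE = {
    "envelope": "From: alice@example.com To: bob@example.com",
    "subject": "post.messages.yahoo.com/bbs",
    "body": "board=12345",
    "attachments": "",
}


def evaluate_samples() -> Dict[str, Set[str]]:
    """Run the compound rule over both samples and return the components that fired."""
    return {
        "same_component": compound_rule(YAHOO_BOARD_RULE, SAME_COMPONENT_MESSAGE),
        "split_components": compound_rule(YAHOO_BOARD_RULE, SPLIT_COMPONENT_MESSAGE),
    }


if __name__ == "__main__":
    print(evaluate_samples())
    print(KeywordCondition("board=12345", count_all=True).matches(SAME_COMPONENT_MESSAGE))
```

The second sample shows why the "same component" option matters for tuning: both keywords are present in the message, but in different components, so the compound rule stays silent. Switching `count_all` on for the Yahoo IM style of rule turns the single existence hit into one reported match per occurrence.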
Response Rules
Configure policy response rules.
You can implement one or more response rules in a policy to remedy, escalate, resolve, and dismiss incidents when a
violation occurs. For example, if a policy is violated, a response rule blocks the transmission of a file containing sensitive
content.
About response rule actions
You create, modify, and manage response rules separate from the policies that declare them. This decoupling allows
response rules to be updated and reused across policies.
Implementing response rules
The detection server automatically executes response rules. Or, you can configure Smart Response rules for manual
execution by an incident remediator.
About response rule execution types
You can implement conditions to control how and when response rules execute.
About response rule conditions
You can sequence the order of execution for response rules of the same type.
About response rule action execution priority
You must have response rule authoring privileges to create and manage response rules.
About response rule authoring privileges
Server type / Description
All detection servers
    Response rule actions for all detection servers
Endpoint detection servers
    Response rule actions for endpoint detection
Network Prevent detection servers
    Response rule actions for Network Prevent detection
Network Protect detection servers
    Response rule actions for Network Protect detection
Cloud Detection Service REST detectors and API Detection for Developer Apps Appliances
    Response rule actions for Cloud Applications and API appliance detectors
Table 766: Available response rule actions for all detection servers
Add Note
    Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen.
    Configuring the Add Note action
Limit Incident Data Retention
    Discard or retain matched data with the incident record.
    Configuring the Limit Incident Data Retention action
Log to a Syslog Server
    Log the incident to a syslog server.
    Configuring the Log to a Syslog Server action
Send Email Notification
    Send an email you compose to recipients you specify.
    Configuring the Send Email Notification action
Server FlexResponse
    Execute a custom Server FlexResponse action.
    Note: This response rule action is available only if you deploy one or more custom Server FlexResponse plug-ins to Symantec Data Loss Prevention.
Response rule action / Description
Network Prevent: Block SMTP Message
    Block email that causes an incident.
    Configuring the Network Prevent: Block SMTP Message action
Network Prevent: Modify SMTP Message
    Modify sensitive email messages. For example, change the email subject to include information about the violation.
    Configuring the Network Prevent: Modify SMTP Message action
Network Prevent: Remove HTTP/S Content
    Remove confidential content from Web posts.
    Configuring the Network Prevent for Web: Remove HTTP/S Content action
    Note: Only available with Network Prevent for Web.
Table 769: Available Network Protect response rule actions
Network Protect: Copy File
    Copy sensitive files to a location you specify.
    Configuring the Network Protect: Copy File action
    Note: Only available with Network Protect.
Table 770: Available Cloud Applications and API appliance Smart Response rule actions
Encrypt
    The Encrypt Smart Response action lets you encrypt sensitive files in cloud applications through the Symantec Data Loss Prevention Cloud Detection Service.
    Configuring the Encrypt Smart Response action
Remove Collaborator Access
    The Remove Collaborator Access Smart Response action removes collaborator access from shared files in cloud applications through the Cloud Detection Service.
    Configuring the Remove Collaborator Access Smart Response action
Remove Shared Links
    The Remove Shared Links Smart Response action removes shared links from files in cloud applications through the Cloud Detection Service.
    Configuring the Remove Shared Links Smart Response action
Table 771: Available Cloud Applications and API appliance (Data-at-Rest) automated response rule actions
Table 772: Available Cloud Applications and API appliance (Additional Data-at-Rest Actions) automated response rule actions
Prevent download, copy, print
    The Prevent download, copy, print action prevents download, copy, and print options for the sensitive data in Google Drive.
    Configuring the Prevent download, copy, print action
Remove Collaborator Access
    The Remove Collaborator Access action removes access from collaborators to sensitive data files in the following cloud applications through the Cloud Detection Service:
    • Box
    • Dropbox
    • Google Drive
    • Office 365 SharePoint
    • Salesforce
    Configuring the Remove Collaborator Access action
Set Collaborator Access to 'Edit'
    The Set Collaborator Access to 'Edit' action grants collaborators edit access to sensitive data files in the following cloud applications through the Cloud Detection Service:
    • Box
    • Dropbox
    • Google Drive
    • Office 365 SharePoint
    • Salesforce
    Configuring the Set Collaborator Access to 'Edit' action
Set Collaborator Access to 'Preview'
    The Set Collaborator Access to 'Preview' action grants collaborators preview access to sensitive data files in the Box cloud application through the Cloud Detection Service.
    Configuring the Set Collaborator Access to 'Preview' action
Set Collaborator Access to 'Read'
    The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service:
    • Box
    • Dropbox
    • Google Drive
    • Office 365 SharePoint
    • Salesforce
    Configuring the Set Collaborator Access to 'Read' action
Set File Access to 'All Read'
    The Set File Access to 'All Read' action grants public read access to sensitive data files in the following cloud applications through the Cloud Detection Service.
    • Google Drive
    • Office 365 OneDrive
    • Office 365 SharePoint
    Configuring the Set File Access to 'All Read' action
Set File Access to 'Internal Edit'
    The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service:
    • Box
    • Google Drive
    • Office 365 OneDrive
    • Office 365 SharePoint
    • Salesforce
    Configuring the Set File Access to 'Internal Edit'
Set File Access to 'Internal Read'
    The Set File Access to 'Internal Read' action grants read access to all members of your organization to sensitive data files in the following cloud applications through the Cloud Detection Service:
    • Box
    • Google Drive
    • Office 365 SharePoint
    • Salesforce
    Configuring the Set File Access to 'Internal Read' action
Table 773: Available Cloud Applications and API appliance (Data-in-Motion) automated response rule actions
Add two-factor authentication
    The Add two-factor authentication action adds two-factor authentication to the sensitive data.
    Configuring the Add two-factor authentication action
Block Data-in-Motion
    The Block Data-in-Motion action blocks the sensitive data.
    Note: Online services such as DropBox, OneDrive, and GoogleDrive may upload large files in chunks. Symantec Data Loss Prevention cannot seamlessly process file contents that are split across multiple HTTP messages. If the files are uploaded in chunks, Symantec Web Prevent detects the offending content but does not block the offending content from upload.
    Note: For DropBox, files that are over 8 MB are uploaded in chunks. For OneDrive and Google Drive, files that are over 1 MB are uploaded in chunks.
    Note: You may see different results with different browsers.
    Configuring the Block Data-in-Motion action
Custom Action on Data-in-Motion
    The Custom Action on Data-in-Motion action returns a recommendation to take some custom action on the sensitive data with the detection result.
    Configuring the Custom Action on Data-in-Motion action
Encrypt Data-in-Motion
    The Encrypt Data-in-Motion action encrypts the sensitive data.
    Configuring the Encrypt Data-in-Motion action
Perform DRM on Data-in-Motion
    The Perform DRM on Data-in-Motion action applies Digital Rights Management (DRM) to the sensitive data.
    Configuring the Perform DRM on Data-in-Motion action
Automated Response rules
    When a policy violation occurs, the detection server automatically executes response rule actions.
    About Automated Response rules
Smart Response rules
    When a policy violation occurs, an authorized user manually triggers the response rule.
    About Smart Response rules
Only some response rules are available for manual execution.
Add Note
    Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen.
    Configuring the Add Note action
Log to a Syslog Server
    Log the incident to a syslog server for workflow remediation.
    Configuring the Log to a Syslog Server action
Quarantine
    Quarantine sensitive data in cloud applications.
Restore File
    Restore a previously quarantined cloud application file.
Send Email Notification
    Send an email you compose to recipients you specify.
    Configuring the Send Email Notification action
Server FlexResponse
    Execute a custom Server FlexResponse action.
    Note: This response rule action is available only if you deploy one or more custom Server FlexResponse plug-ins to Symantec Data Loss Prevention.
Table 776: Available Response Rule Conditions
Endpoint Location
    Triggers a response action when the endpoint is on or off the corporate network.
    Configuring the Endpoint Location response condition
Endpoint Device
    Triggers a response action when an event occurs on a configured endpoint device.
    Configuring the Endpoint Device response condition
Incident Type
    Triggers a response action when the specified type of detection server reports a match.
    Configuring the Incident Type response condition
Incident Match Count
    Triggers a response action when the volume of policy violations exceeds a threshold or range.
    Configuring the Incident Match Count response condition
Protocol or Endpoint Monitoring
    Triggers a response action when an incident is detected on a specified network communications protocol (such as HTTP) or endpoint destination (such as CD/DVD).
    Configuring the Protocol or Endpoint Monitoring response condition
Severity
    Triggers a response action when the policy violation is a certain severity level.
    Configuring the Severity response condition
User Risk Score
    Triggers a response action when a user risk score is at a specified count.
    Configuring the User Risk Response Condition
Execution priority (from highest to lowest) / Description
Endpoint Prevent: Block
    Configuring the Endpoint Prevent: Block action
Endpoint Prevent: User Cancel
    Configuring the Endpoint Prevent: User Cancel action
Endpoint: FlexResponse
    Configuring the Endpoint: FlexResponse action
Endpoint Prevent: Notify
    Configuring the Endpoint Prevent: Notify action
Endpoint Discover: Quarantine File
    Configuring the Endpoint Discover: Quarantine File action
All: Limit Incident Data Retention
    Configuring the Limit Incident Data Retention action
Network Prevent: Block SMTP Message
    Configuring the Network Prevent: Block SMTP Message action
Network Prevent: Modify SMTP Message
    Configuring the Network Prevent: Modify SMTP Message action
Network Prevent for Web: Remove HTTP/HTTPS Content
    Configuring the Network Prevent for Web: Remove HTTP/S Content action
Network Prevent for Web: Block HTTP/HTTPS
    Configuring the Network Prevent for Web: Block HTTP/S action
Network Prevent for Web: Block FTP Request
    Configuring the Network Prevent for Web: Block FTP Request action
Network Protect: Copy File
    Configuring the Network Protect: Copy File action
Network Protect: Quarantine File
    Configuring the Network Protect: Quarantine File action
All: Set Status
    Configuring the Set Status action
All: Set Attribute
    Configuring the Set Attribute action
All: Add Note
    Configuring the Add Note action
All: Log to a Syslog Server
    Configuring the Log to a Syslog Server action
All: Send Email Notification
    Configuring the Send Email Notification action
Server FlexResponse
    Note: Server FlexResponse actions that are part of Automated Response rules execute on the Enforce Server, rather than the detection server.
Cloud Applications and API appliance (Data-in-Motion): Block Data-in-Motion
    Configuring the Block Data-in-Motion action
Cloud Applications and API appliance (Data-in-Motion): Redact Data-in-Motion
    Configuring the Redact Data-in-Motion action
Cloud Applications and API appliance (Data-in-Motion): Encrypt Data-in-Motion
    Configuring the Encrypt Data-in-Motion action
Cloud Applications and API appliance (Data-in-Motion): Quarantine Data-in-Motion
    Configuring the Quarantine Data-in-Motion action
Cloud Applications and API appliance (Data-in-Motion): Perform DRM on Data-in-Motion
    Configuring the Perform DRM on Data-in-Motion action
Cloud Applications and API appliance (Data-in-Motion): Custom Action on Data-in-Motion
    Configuring the Custom Action on Data-in-Motion action
Cloud Applications and API appliance (Data-at-Rest): Encrypt Data-at-Rest
    Configuring the Encrypt Data-at-Rest action
Cloud Applications and API appliance (Data-at-Rest): Delete Data-at-Rest
    Configuring the Delete Data-at-Rest action
Cloud Applications and API appliance (Data-at-Rest): Quarantine Data-at-Rest
    Configuring the Quarantine Data-at-Rest action
Cloud Applications and API appliance (Data-at-Rest): Tag Data-at-Rest
    Configuring the Tag Data-at-Rest action
Cloud Applications and API appliance (Data-at-Rest): Perform DRM on Data-at-Rest
    Configuring the Perform DRM on Data-at-Rest action
Cloud Applications and API appliance (Data-at-Rest): Break Links in Data-at-Rest
    Configuring the Remove Shared Links in Data-at-Rest action
Cloud Applications and API appliance (Data-at-Rest): Custom Action on Data-at-Rest
    Configuring the Custom Action on Data-at-Rest action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'All Read'
    Configuring the Set File Access to 'All Read' action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Prevent download, copy, print
    Configuring the Prevent download, copy, print action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'Internal Read'
    Configuring the Set File Access to 'Internal Read' action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'Internal Edit'
    Configuring the Set File Access to 'Internal Edit'
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Read'
    Configuring the Set Collaborator Access to 'Read' action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Edit'
    Configuring the Set Collaborator Access to 'Edit' action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Remove Collaborator Access
    Configuring the Remove Collaborator Access action
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Preview'
    Configuring the Set Collaborator Access to 'Preview' action
Cloud Applications and API appliance (Data-in-Motion): Add two-factor authentication
    Configuring the Add two-factor authentication action
For business reasons, you may want to grant response rule authoring and policy authoring privileges to the same role. Or,
you may want to keep these roles separate.
If you log on to the system as a user without response rule authoring privileges, the Manage > Policies > Response
Rules screen is not available.
Table 778: Workflow for implementing policy response rules
1. Review the available response rules.
    The Manage > Policies > Response Rules screen displays all configured response rules.
    Manage response rules
    The solution pack for your system provides configured response rules. You can use these response rules in your policies as they exist, or you can modify them.
2. Decide the type of response rule to implement: Smart, Automated, both.
    Decide the type of response rules based on your business requirements.
    About response rule execution types
3. Determine the type of actions you want to implement and any triggering conditions.
    About response rule conditions
    About response rule actions
4. Understand the order of precedence among response rule actions of different and the same types.
    About response rule action execution priority
    Modifying response rule ordering
5. Integrate the Enforce Server with an external system (if required for the response rule).
    Some response rules may require integration with external systems. These may include:
    • A SIEM system for the Log to a Syslog Server response rule.
    • An SMTP email server for the Send Email Notification response rule.
    • A Web proxy host for Network Prevent for Web response rules.
    • An MTA for Network Prevent for Email response rules.
6. Add a new response rule.
    Adding a new response rule
7. Configure response rules.
    Configuring response rules
8. Configure one or more response rule conditions (optional).
    Configuring response rule conditions
9. Configure one or more response rule actions (required).
    You must define at least one action for a valid response rule.
    Configuring response rule actions
    The action executes when a policy violation is reported or when a response rule condition is matched.
10. Add response rules to policies.
    You must have policy authoring privileges to add response rules to policies.
• The system displays only the response rule name for policy authors to select when they add response rules to policies.
Be sure to provide a descriptive name that helps policy authors identify the purpose of the response rule.
• You cannot combine an Endpoint Prevent: Notify or Endpoint Prevent: Block response rule action with EDM, IDM, or
DGM detection methods. If you do, the system displays a warning for the policy that it is misconfigured.
• If you combine multiple response rules in a single policy, make sure that you understand the order of precedence
among response rules.
About response rule action execution priority
• Use Smart Response rules only where it is appropriate for human intervention.
About configuring Smart Response rules
• Microsoft SharePoint enables users to upload HTML files that are no larger than 256 MB in size. To ensure that
sensitive files in SharePoint can be encrypted successfully, do not upload files that are 256 MB in size or greater.
• If you configure multiple Server FlexResponse response rule actions for Microsoft SharePoint scan targets, the
response rule actions could be executed in order of response rule action priority.
About response rule action execution priority
Action / Description
Add Response Rule
    Click Add Response Rule to define a new response rule.
    Adding a new response rule
Modify Response Rule Order
    Click Modify Response Rule Order to modify the response rule order of precedence.
    Modifying response rule ordering
Edit an existing response rule
    Click the response rule to modify it.
    Configuring response rules
Delete an existing response rule
    Click the red X icon next to the far right of the response rule to delete it. You must confirm the operation before deletion occurs.
    About removing response rules
Refresh the list
    Click the refresh arrow icon at the upper right of the Response Rules screen to fetch the latest status of the rule.
Display column / Description
Order
    The Order of precedence when more than one response rule is configured.
    Modifying response rule ordering
Rule
    The Name of the response rule.
    Configuring response rules
Actions
    The type of Action the response rule can take to respond to an incident (required).
    Configuring response rule actions
Conditions
    The Condition that triggers the response rule (if any).
    Configuring response rule conditions
About configuring Smart Response rules
4. Select and configure one or more Actions. You must define at least one action.
Configuring response rule actions
5. Click Save to save the response rule definition.
Manage response rules
Incident type / Response rule / Description
Network Prevent for Web: Block HTTP/S
    Configuring the Network Prevent for Web: Block HTTP/S action
Network Prevent for Email: Block SMTP Message
    Configuring the Network Prevent: Block SMTP Message action
Network Prevent for Email: Modify SMTP Message
    Configuring the Network Prevent: Modify SMTP Message action
Network Prevent for Web: Remove HTTP/S Content
    Configuring the Network Prevent for Web: Remove HTTP/S Content action
Network Protect: Copy File
    Configuring the Network Protect: Copy File action
Network Protect: Quarantine File
    Configuring the Network Protect: Quarantine File action
Manage response rules
When deleting a response rule, consider the following:
• A user must have response rule authoring privileges to delete an existing response rule.
• A response rule author cannot delete an existing response rule while another user modifies it.
• A response rule author cannot delete a response rule if a policy declares that response rule. In this case you must
remove the response rule from all policies that declare the response rule before you can delete it.
Is Any Of / Off the corporate network
    This combination triggers a response rule action if an incident occurs when the endpoint is off the corporate network.
Is None Of / Off the corporate network
    This combination does not trigger a response rule action if an incident occurs when the endpoint is off the corporate network.
Is Any Of / On the corporate network
    This combination triggers a response rule action if an incident occurs when the endpoint is on the corporate network.
Is None Of / On the corporate network
    This combination does not trigger a response rule action if an incident occurs when the endpoint is on the corporate network.
NOTE
This condition is specific to endpoint incidents. You should not implement this condition for Network or Discover incidents. If you do, the response rule action does not execute.
To configure the Endpoint Device response condition
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Select the Endpoint Device condition from the Conditions list.
Configuring response rule conditions
3. Select to detect or except specific endpoint devices.
Endpoint Device condition parameters
Is Any Of / Configured device
    Triggers a response rule action when an incident is detected on a configured endpoint device.
Is None Of / Configured device
    Does not trigger (excludes from executing) a response rule action when an incident is detected on a configured endpoint device.
Table 784: Incident Type condition parameters
Is Any Of / Cloud Detection Service or API Detection for Developer Apps Appliance
    Triggers a response rule action for any incident detected by the Cloud Detection Service or API Detection for Developer Apps Appliance.
Is None Of / Cloud Detection Service or API Detection for Developer Apps Appliance
    Does not trigger a response rule action for any incident detected by the Cloud Detection Service or API Detection for Developer Apps Appliance.
Is Any Of / Discover
    Triggers a response rule action for any incident that Network Discover detects.
Is None Of / Discover
    Does not trigger a response rule action for any incident that Network Discover detects.
Is Any Of / Endpoint
    Triggers a response rule action for any incident that Endpoint Prevent detects.
Is None Of / Endpoint
    Does not trigger a response rule action for any incident that Endpoint Prevent detects.
Is Any Of / Network
    Triggers a response rule action for any incident that Network Prevent detects.
Is None Of / Network
    Does not trigger a response rule action for any incident that Network Prevent detects.
Is Greater Than / User-specified number
    Triggers a response rule action if the threshold number of incidents is exceeded.
Is Greater Than or Equals / User-specified number
    Triggers a response rule action if the threshold number of incidents is met or exceeded.
Is Between / User-specified pair of numbers
    Triggers a response rule action when the number of incidents is between the range of numbers specified.
Is Less Than / User-specified number
    Triggers a response rule action if the number of incidents is less than the specified number.
Is Less Than or Equals / User-specified number
    Triggers a response rule action when the number of incidents is equal to or less than the specified number.
Qualifier / Condition / Description
Is Any Of / Endpoint Application File Access
    Triggers an action if an endpoint application file has been accessed.
Is None Of / Endpoint Application File Access
    Does not trigger action if an endpoint application file has been accessed.
Is Any Of / Endpoint CD/DVD
    Triggers an action if an endpoint CD/DVD has been written to.
Is None Of / Endpoint CD/DVD
    Does not trigger action if an endpoint CD/DVD has been written to.
Is Any Of / Endpoint Clipboard
    Triggers an action if the endpoint clipboard has been copied or pasted to.
Is None Of / Endpoint Clipboard
    Does not trigger action if the endpoint clipboard has been copied or pasted to.
Is Any Of / Endpoint Copy to Network Share
    Triggers an action if sensitive information is copied to or from a network share.
Is None Of / Endpoint Copy to Network Share
    Does not trigger action if sensitive information is copied to or from a network share.
Is Any Of / Endpoint Local Drive
    Triggers an action if sensitive files are discovered on the local drive.
Is None Of / Endpoint Local Drive
    Does not trigger action if sensitive files are discovered on the local drive.
Is Any Of / Endpoint Printer/Fax
    Triggers an action if an endpoint printer or fax has been sent to.
Is None Of / Endpoint Printer/Fax
    Does not trigger action if an endpoint printer or fax has been sent to.
Is Any Of / Endpoint Removable Storage Device
    Triggers an action if sensitive data is copied to a removable storage device.
Is None Of / Endpoint Removable Storage Device
    Does not trigger action if sensitive data is copied to a removable storage device.
Is Any Of / FTP
    Triggers an action if sensitive data is copied through FTP.
Is None Of / FTP
    Does not trigger action if sensitive data is copied through FTP.
Is Any Of / HTTP
    Triggers an action if sensitive data is sent through HTTP.
Is None Of / HTTP
    Does not trigger action if sensitive data is sent through HTTP.
Is Any Of / HTTPS
    Triggers an action if sensitive data is sent through HTTPS.
Is None Of / HTTPS
    Does not trigger action if sensitive data is sent through HTTPS.
Is Any Of / NNTP
    Triggers an action if sensitive data is sent through NNTP.
Is None Of / NNTP
    Does not trigger action if sensitive data is sent through NNTP.
Is Any Of / SMTP
    Triggers an action if sensitive data is sent through SMTP.
Is None Of / SMTP
    Does not trigger action if sensitive data is sent through SMTP.
Is Any Of / High
    Triggers a response rule action when a detection rule with severity set to high is matched.
Is None Of / High
    Does not trigger a response rule action when a detection rule with severity set to high is matched.
Is Any Of / Medium
    Triggers a response rule action when a detection rule with severity set to medium is matched.
Is None Of / Medium
    Does not trigger a response rule action when a detection rule with severity set to medium is matched.
Is Any Of / Low
    Triggers a response rule action when a detection rule with severity set to low is matched.
Is None Of / Low
    Does not trigger a response rule action when a detection rule with severity set to low is matched.
Is Any Of / Info
    Triggers a response rule action when a detection rule with severity set to info is matched.
Is None Of / Info
    Does not trigger a response rule action when a detection rule with severity set to info is matched.
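The condition tables above (Incident Type, Incident Match Count, Protocol or Endpoint Monitoring, Severity, and the earlier Endpoint Location and Endpoint Device tables) all follow one pattern: a qualifier such as Is Any Of, Is None Of or Is Between is applied to one incident attribute, every condition on a rule must hold for the rule to fire, and the actions of all fired rules then run in the execution priority order given in the priority table. The Python below is an added example for this page, not Symantec code and not the product's evaluation engine; it models that logic over a constructed incident and a handful of constructed rules. The attribute names, the rule names and the abridged priority list are assumptions for the example; the priority list keeps the order of the page's table for the entries it includes.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Automated-action execution priority, highest first. A constructed subset of
# the full priority table, kept in that table's order.
ACTION_PRIORITY = [
    "Endpoint Prevent: Block",
    "Network Prevent: Block SMTP Message",
    "Network Prevent for Web: Remove HTTP/HTTPS Content",
    "Network Prevent for Web: Block HTTP/HTTPS",
    "All: Set Status",
    "All: Add Note",
    "All: Log to a Syslog Server",
    "All: Send Email Notification",
]
_RANK = {name: i for i, name in enumerate(ACTION_PRIORITY)}


@dataclass(frozen=True)
class Condition:
    attribute: str   # incident attribute the condition inspects, e.g. "severity"
    qualifier: str   # "Is Any Of", "Is None Of", "Is Greater Than", "Is Between", ...
    value: Any       # a set of allowed values, a numeric threshold, or a (low, high) pair

    def holds(self, incident: Dict[str, Any]) -> bool:
        actual = incident.get(self.attribute)
        if actual is None:
            # Attribute absent (e.g. Endpoint Location on a Network incident):
            # the condition never triggers, matching the note that endpoint-only
            # conditions do not execute on Network or Discover incidents.
            return False
        q = self.qualifier
        if q == "Is Any Of":
            return actual in self.value
        if q == "Is None Of":
            return actual not in self.value
        if q == "Is Greater Than":
            return actual > self.value
        if q == "Is Greater Than or Equals":
            return actual >= self.value
        if q == "Is Less Than":
            return actual < self.value
        if q == "Is Less Than or Equals":
            return actual <= self.value
        if q == "Is Between":
            low, high = self.value
            return low <= actual <= high
        raise ValueError(f"unknown qualifier: {q!r}")


@dataclass
class ResponseRule:
    name: str
    actions: List[str]
    conditions: List[Condition] = field(default_factory=list)

    def triggered(self, incident: Dict[str, Any]) -> bool:
        # A rule with no conditions fires on every violation; otherwise all must hold.
        return all(c.holds(incident) for c in self.conditions)


def select_actions(rules: List[ResponseRule],
                   incident: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(action, rule name) pairs from triggered rules, ordered by execution priority.
    The sort is stable, so rules sharing an action type keep their configured order."""
    chosen = [(a, r.name) for r in rules if r.triggered(incident) for a in r.actions]
    return sorted(chosen, key=lambda pair: _RANK.get(pair[0], len(_RANK)))


# Constructed incident and rules (not from a real deployment).
SAMPLE_INCIDENT = {
    "incident_type": "Network",
    "severity": "High",
    "protocol": "HTTPS",
    "match_count": 12,
    # no "endpoint_location": this is not an endpoint incident
}

SAMPLE_RULES = [
    ResponseRule("Notify on any web incident", ["All: Send Email Notification"],
                 [Condition("protocol", "Is Any Of", {"HTTP", "HTTPS"})]),
    ResponseRule("Block high-volume high-severity web posts",
                 ["Network Prevent for Web: Block HTTP/HTTPS", "All: Add Note"],
                 [Condition("severity", "Is Any Of", {"High"}),
                  Condition("match_count", "Is Greater Than or Equals", 10)]),
    ResponseRule("Syslog everything except Info", ["All: Log to a Syslog Server"],
                 [Condition("severity", "Is None Of", {"Info"})]),
    ResponseRule("Block off-network endpoints", ["Endpoint Prevent: Block"],
                 [Condition("endpoint_location", "Is Any Of", {"Off the corporate network"})]),
    ResponseRule("Low-volume triage", ["All: Set Status"],
                 [Condition("match_count", "Is Between", (1, 5))]),
]


def actions_for_sample() -> List[str]:
    """Action names that would run for SAMPLE_INCIDENT, in execution order."""
    return [action for action, _ in select_actions(SAMPLE_RULES, SAMPLE_INCIDENT)]


if __name__ == "__main__":
    for action, rule in select_actions(SAMPLE_RULES, SAMPLE_INCIDENT):
        print(f"{action:45s} <- {rule}")
```

Two details are worth checking against your own rule set: an Is None Of qualifier on an attribute the incident does not carry still returns false here (the endpoint-only note above), and because the sort is stable, the relative order of two rules that both add a note is the order from Modify Response Rule Order, not the order in which they happened to match.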
Configuring the Add Note action
The Add Note response rule action lets an incident responder enter a note about a particular incident.
The limit for the Add Note field is 4000 bytes.
About response rule actions
The Add Note response rule action is available for all types of detection servers.
Response rule actions for all detection servers
To configure the Add Note action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the All: Add Note action type from the Actions list.
The system displays a Note field. Generally you leave the field blank and allow remediators to add comments when
they evaluate incidents. However, you can add comments at this level of configuration as well.
The limit for the Add Note field is 4000 bytes.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules
This response rule is available for all types of detection servers except Endpoint Discover. If existing policies use this
response rule, policy violations do not trigger an incident.
Response rule actions for all detection servers
To configure incident data retention
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the action type All: Limit Incident Data Retention from the Actions list.
Configuring response rule actions
3. Choose to retain Endpoint Incident data by selecting this option.
By default, the agent discards the original message and any attachments for endpoint incidents.
Retaining data for endpoint incidents
4. Choose to discard Network Incident data by selecting this option.
By default, the system retains the original message and any attachments for network incidents.
Discarding data for network incidents
5. Click Save to save the response rule configuration.
Manage response rules
Consider the system behavior for any policies that combine an agent-side detection rule (any DCM rule, such as a keyword rule). If you implement the Limit Incident Data Retention response rule action, the increase in bandwidth use depends on the number of incidents the detection engine matches. For such policies, the DLP Agent does not send all original files to the Endpoint Server, but only those associated with confirmed incidents. If there are not many incidents, the effect is small.
Discarding data for network incidents
For network incidents, by default the detection server retains the original message and any attachments that trigger an
incident.
You can implement the Limit Incident Data Retention response rule action to override the default behavior and discard
original messages and some or all attachments.
Configuring the Limit Incident Data Retention action
NOTE
The default data retention behavior for network incidents applies to Network Prevent for Web and Network
Prevent for Email incidents. The default behavior does not apply to Network Discover incidents. For Network
Discover incidents, the system provides a link in the Incident Snapshot that points to the offending file at its
original location. Incident data retention for Network Discover is not configurable.
5. Select a communication protocol.
You can select UDP or TCP. If you select TCP, you can secure communications to the syslog server by selecting
Enable TLS Client Authentication.
6. Enter the text of the Message to log on the syslog server.
You can include response action variables in your syslog server messages.
7. Select the Level to apply to the log message from the drop-down list.
• 0 - Kernel panic
• 1 - Needs immediate attention
• 2 - Critical condition
• 3 - Error
• 4 - Warning
• 5 - May need attention
• 6 - Informational
• 7 - Debugging
8. Save the response rule.
Manage response rules
Table 789: Sender and recipient information
Parameter / Description
To: Sender
    Select this option to send the email notification to the email sender. This recipient only applies to email message violations.
To: Data Owner
    Select this option to send email notification to the data owner that the system identifies by email address in the incident.
To: Other Email Address
    This option can include any custom attributes designated as email addresses (such as "manager@email"). For example, if you define a custom attribute that is an email address, or retrieve one via a lookup plug-in, that address will appear in the "To" field for selection, to the right of "To: Sender" and "To: Data Owner."
Custom To
    Enter one or more specific email addresses separated by commas.
CC
    Enter one or more specific email addresses separated by commas for people you want to copy on the notification.
Custom From
    You can specify the sender of the message. If this field is blank, the message appears to come from the system email address.
Notification Format
    Select either HTML or plain-text format.
Include Original Message
    Select this option to include the message that generated the incident with the notification email.
Max Per Day
    Enter a number to restrict the maximum number of notifications that the system sends in a day.
Language
    Select the language for the message from the drop-down menu.
Add Language
    Click the icon to add multiple language(s) for the message.
Subject
    Enter a subject for the message that indicates what the message is about.
Body
    Enter the body of the message.
Insert Variables
    You can add one or more variables to the subject or body of the email message by selecting the desired value(s) from the Insert Variables list.
    Variables can be used to include the file name, policy name, recipients, and sender in both the subject and the body of the email message. For example, to include the policy and rules violated, you would insert the following variables.
    A message has violated the following rules in $POLICY$: $RULES$
Deploying a Server FlexResponse plug-in
1. Log on to the Enforce Server administration console.
2. Create a new Response Rule for each custom Server FlexResponse plug-in.
Click Manage > Policies > Response Rules.
3. Click Add Response Rule.
4. Select either Automated Response or Smart Response. Click Next.
5. Enter a name for the rule in the Rule Name field. (For Smart Response rules, this name appears as the label on the
button that incident responders select during remediation.)
6. Enter an optional description for the rule in the Description field.
7. In the Actions (executed in the order shown) menu, select the action All: Server FlexResponse.
8. Click Add Action.
9. In the FlexResponse Plugin menu, select a deployed Server FlexResponse plug-in to execute with this Response
Rule action.
The name that appears in this drop-down menu is the value specified in the display-name property from either the
configuration properties file or the plug-in metadata class.
10. Click Save.
11. Repeat this procedure, adding a Response Rule for any additional Server FlexResponse plug-ins that you have
deployed.
Configuring the Set Status action
The Set Status response rule action sets the incident status to the specified value.
About response rule actions
This response rule is available for all detection servers.
Response rule actions for all detection servers
This response rule action is based on the incident Status Values you configure at the System > Incident Data >
Attributes screen.
Table 791: Quarantine (Smart Response) configuration parameters
File Path
    Enter the file path for the quarantine location. This file path is relative to the user's root folder.
Use Marker File
    Select Use Marker File to create a marker text file to replace the original file. This action notifies the user what
    happened to the file instead of quarantining or deleting the file without any explanation.

Source
Use Saved Credentials
    Select Use Saved Credentials to choose a named credential from the credential store in the Use Saved
    Credentials drop-down menu if you don't want to enter it manually.
    To move the files for quarantine during remediation, the specified SharePoint user account must have write access
    for the original file location.
Use These Credentials
    Select Use These Credentials to manually enter the write-access credential for the original location of the scanned
    file. Then, enter the following parameters:
    • Name - The user name of the account with write access for the location of the scanned file.
    • Password - The password of the account with write access for the location of the scanned file.
    • Confirm Password - Confirm the password of the account with write access for the location of the scanned file.
    To move the files for quarantine during remediation, the specified SharePoint user account must have write access
    for the original file location.

Destination
Target Repository
    Specify whether the files are to be quarantined in a SharePoint repository or in a file share (File System).
Quarantine Path
    Enter the SharePoint path where the confidential files are to be quarantined.
Use Saved Credentials
    Select Use Saved Credentials to choose a named credential for the quarantine location from the credential store in
    the Use Saved Credentials drop-down menu if you don't want to enter it manually.
    To move the files for quarantine during remediation, the specified SharePoint user account must have write access
    for the quarantine location.
Use These Credentials
    Select Use These Credentials to manually enter the write-access credential for the quarantine location. Then, enter
    the following parameters:
    • Name - The user name of the account with write access for the quarantine location.
    • Password - The password of the account with write access for the quarantine location.
    • Confirm Password - Confirm the password of the account with write access for the quarantine location.
    To move the files for quarantine during remediation, the specified SharePoint user account must have write access
    for the quarantine location.

Marker File
(Optional) Leave marker file in place of remediated file
    Select Leave marker file in place of remediated file to create a marker text file to replace the original file. This
    action notifies the user about what happened to the file instead of moving the file without any explanation.
(Optional) Marker Text
    Specify the text that appears in the marker file to notify users about what happened to the file that was quarantined.
    The marker text can contain substitution variables. Click inside the Marker Text box to see a list of insertion
    variables.
2. Add the Network Protect SharePoint Release from Quarantine action type from the Actions list.
The system displays the Network Protect SharePoint Release from Quarantine field.
Configuring response rule actions
3. Configure the Network Protect SharePoint Release from Quarantine parameters.
Network Protect SharePoint Release from Quarantine parameters
4. Click Save to save the configuration.
Manage response rules
Add Row
    Click Add Row to start mapping a new file path. The file path could be either the location to which files are
    quarantined, or the original SharePoint location to which files should be released.
Path
    Specify the location to which files are quarantined, or the original SharePoint location to which files should be
    released.
Credentials
    Specify the write-access credentials for the file path that you want to map.
Delete
    Delete the corresponding file path.
3. Click Save to save the configuration.
Manage response rules
Table 794: Remove Shared Links in Data-at-Rest configuration parameter
Custom payload
    Enter details about the Remove Shared Links in Data-at-Rest action in the custom payload field. These details are
    returned in the customResponsePayload parameter of the detection result.

Custom payload
    Enter details about the Custom Action on Data-at-Rest action in the custom payload field. These details are returned
    in the customResponsePayload parameter of the detection result.
2. Add the Delete Data-at-Rest action type from the Actions list.
The system displays the Delete Data-at-Rest field.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules
Custom payload
    Enter details about the Encrypt Data-at-Rest action in the Custom payload field. These details are returned in the
    customResponsePayload parameter of the detection result.
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Perform DRM on Data-at-Rest action type from the Actions list.
The system displays the Perform DRM on Data-at-Rest field.
Configuring response rule actions
3. Configure the Perform DRM on Data-at-Rest parameter.
Perform DRM on Data-at-Rest configuration parameter
4. Click Save to save the configuration.
Manage response rules
Custom payload
    Enter details about the Perform DRM on Data-at-Rest action in the Custom payload field. These details are returned
    in the customResponsePayload parameter of the detection result.
Table 798: Quarantine Data-at-Rest configuration parameter
File Path
    Enter the file path for the quarantine location. This file path is relative to the user's root folder.
Use Marker File
    Select Use Marker File to create a marker text file to replace the original file. This action notifies the user what
    happened to the file instead of quarantining or deleting the file without any explanation.
Marker Text
    Enter the text you want to display in the marker file. You can select and insert variables from the Insert Variable list.

Custom payload
    Enter details about the Tag Data-at-Rest action in the Custom payload field. These details are returned in the
    customResponsePayload parameter of the detection result.
2. Add the Prevent download, copy, print action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules
Implementing response rules
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Set File Access to 'All Read' action type from the Actions list.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules
3. Click Save to save the configuration.
Manage response rules
You can configure a message for your users to inform them why the sensitive data was blocked. The message appears in
the message parameter of the detection response.
To configure the Data-in-Motion (DIM) REST API action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Block Data-in-Motion action type from the Actions list.
The system displays the Block Data-in-Motion field.
Configuring response rule actions
3. Configure the Block Data-in-Motion parameter.
Block Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules
Message
    Enter a user-facing message for the Block Data-in-Motion action in the message field. These details are returned in
    the message parameter of the detection result.

Custom payload
    Enter details about the Custom Action on Data-in-Motion action in the custom payload field. These details are
    returned in the customResponsePayload parameter of the detection result.
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Encrypt Data-in-Motion action type from the Actions list.
The system displays the Encrypt Data-in-Motion field.
Configuring response rule actions
3. Configure the Encrypt Data-in-Motion parameter.
Encrypt Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules
Custom payload
    Enter details about the Encrypt Data-in-Motion action in the custom payload field. These details are returned in the
    customResponsePayload parameter of the detection result.

Custom payload
    Enter details about the Perform DRM on Data-in-Motion action in the custom payload field. These details are
    returned in the customResponsePayload parameter of the detection result.
Configuring the Quarantine Data-in-Motion action
The Quarantine Data-in-Motion action quarantines sensitive data in the Salesforce, Box, and OneDrive cloud
applications through the Cloud Detection Service.
You can configure a custom payload with additional details about this recommendation. The custom payload appears in
the customResponsePayload parameter of the detection response.
To configure the Quarantine Data-in-Motion action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Quarantine Data-in-Motion action type from the Actions list.
The system displays the Quarantine Data-in-Motion field.
Configuring response rule actions
3. Configure the Quarantine Data-in-Motion parameter.
Quarantine Data-in-Motion configuration parameter
4. Click Save to save the configuration.
Manage response rules
Custom payload
    Enter details about the Quarantine Data-in-Motion action in the custom payload field. These details are returned in
    the customResponsePayload parameter of the detection result.
Table 805: Redact Data-in-Motion configuration parameter
Message
    Enter a user-facing message for the Redact Data-in-Motion action in the message field. These details are returned
    in the message parameter of the detection result.

FlexResponse Python Plugin
    Enter the script module name with packages separated by a period (.).
Plugin parameters
    Click Add Parameter to add one or more parameters to the script.
    Enter the Key/Value pair for each parameter.
Credentials
    You can add credentials for accessing the plugin.
    You can add and store credentials at the System > Settings > Credentials screen.
This response rule action is specific to Endpoint Discover incidents. This response rule is not applicable to two-tiered
detection methods requiring a Data Profile.
If you use multiple endpoint response rules in a single policy, make sure that you understand the order of precedence for
such rules.
About response rule action execution priority
NOTE
This feature is not available for agents running on Mac endpoints.
To configure the Endpoint Discover: Quarantine File response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Endpoint Discover: Quarantine File action type from the Actions list.
Configuring response rule actions
3. Enter the Quarantine Path and the Marker File settings.
Endpoint Discover: Quarantine File response rule action parameters
4. Click Save to save the configuration.
Manage response rules
Table 807: Endpoint Discover: Quarantine File response rule action parameters
Quarantine Path
    Enter the path to the secured location where you want files to be placed. The secure location can either be on
    the local drive of the endpoint, or can be on a remote file share. EFS folders can also be used as the quarantine
    location.
Access Mode
    If your secure location is on a remote file share, you must select how the Symantec DLP Agent accesses that file
    share.
    Select one of the following credential access types:
    • Anonymous Access
    • Use Saved Credentials
    In anonymous mode, the Symantec DLP Agent runs as LocalSystem user to move the confidential file. You can
    use anonymous mode to move files to a secure location on a local drive or to a remote share if it allows anonymous
    access.
    Note: EFS folders cannot accept anonymous users.
    A specified credential lets the Symantec DLP Agent impersonate the specified user to access the secure location.
    The credentials must be in the following format:
    domain\user
    You must enter the specified credentials you want to use through the System Credentials page.
Marker File
    Select the Leave marker in place of the remediated file check box to create a placeholder file that replaces the
    confidential file.
Marker Text
    Specify the text to appear in the marker file. If you selected the option to leave the marker file in place of the
    remediated file, you can use variables in the marker text.
    To specify the marker text, select the variable from the Insert Variable list.
    For example, for Marker Text you might enter:
    A message has violated the following rules in $POLICY$: $RULES$
    Or, you might enter:
    $FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$
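As an added example (not code from the Symantec Help Center or the DLP Agent), the following Python shows how the $NAME$ response variables used in the syslog Message and in the Marker Text above can be rendered, how the syslog Level values 0-7 map onto a BSD syslog priority, and how a quarantine move can leave a marker file in place of the original. The syslog facility value, the quarantine_with_marker helper and the constructed incident values are assumptions; only the level names and the variable names come from the page.

```python
"""Added example, not Symantec code: rendering the $NAME$ response variables
from this page into a syslog line and into a quarantine marker file."""
import re
import shutil
import tempfile
from pathlib import Path

# Severity levels exactly as listed for the Log to a Syslog Server action.
SYSLOG_LEVELS = {
    0: "Kernel panic",
    1: "Needs immediate attention",
    2: "Critical condition",
    3: "Error",
    4: "Warning",
    5: "May need attention",
    6: "Informational",
    7: "Debugging",
}

# Tokens look like $POLICY$, $RULES$, $FILE_NAME$, $QUARANTINE_PARENT_PATH$.
_TOKEN = re.compile(r"\$([A-Z_]+)\$")


def render_template(template: str, variables: dict) -> str:
    """Replace every $NAME$ token in template with the matching incident value.

    Two failure modes are rejected instead of silently emitting a broken line:
    an unknown variable name, and an unterminated token such as '$RULES'
    (a single missing '$' would otherwise end up verbatim in the syslog stream).
    """
    leftover = _TOKEN.sub("", template)
    if "$" in leftover:
        raise ValueError(f"unterminated variable token in template: {template!r}")

    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown response variable ${name}$")
        return str(variables[name])

    return _TOKEN.sub(substitute, template)


def syslog_line(level: int, message: str, facility: int = 1) -> str:
    """Build the BSD syslog (RFC 3164) line '<PRI>message'.

    PRI = facility * 8 + severity. The Help Center only lets you pick the
    severity Level (0-7); facility 1 (user-level) is an assumption here.
    """
    if level not in SYSLOG_LEVELS:
        raise ValueError(f"level must be 0-7, got {level}")
    return f"<{facility * 8 + level}>{message}"


def quarantine_with_marker(src: Path, quarantine_dir: Path,
                           marker_template: str, variables: dict) -> Path:
    """Move src into quarantine_dir and leave a marker text file in its place.

    Hypothetical helper mirroring the Marker File behaviour described for the
    quarantine actions; it is not the DLP Agent's implementation.
    $FILE_NAME$ and $QUARANTINE_PARENT_PATH$ are filled in from the move.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / src.name
    shutil.move(str(src), str(dest))
    marker_vars = dict(variables,
                       FILE_NAME=src.name,
                       QUARANTINE_PARENT_PATH=str(quarantine_dir))
    src.write_text(render_template(marker_template, marker_vars))
    return dest


def demo_quarantine() -> dict:
    """Run the quarantine move on a constructed sample file in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        share = Path(root) / "share"
        share.mkdir()
        src = share / "payroll.xlsx"            # constructed sample file
        src.write_bytes(b"constructed sample content")
        qdir = Path(root) / "quarantine"
        dest = quarantine_with_marker(
            src, qdir, "$FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$", {})
        return {
            "moved": dest.read_bytes() == b"constructed sample content",
            "marker": src.read_text(),
            "quarantine_dir": str(qdir),
        }


if __name__ == "__main__":
    incident = {"POLICY": "PCI", "RULES": "Credit Card Numbers"}   # constructed
    msg = render_template(
        "A message has violated the following rules in $POLICY$: $RULES$", incident)
    print(syslog_line(3, msg))       # level 3 - Error
    print(demo_quarantine())
```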
If you combine multiple endpoint response rules in a single policy, make sure that you understand the order of precedence
for such rules.
About response rule action execution priority
NOTE
The block action is not triggered for a copy of sensitive data to a local drive.
To configure the Endpoint Prevent: Block response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Endpoint Prevent: Block action type from the Actions list.
Configuring response rule actions
3. Enter the Endpoint Notification Content settings.
Endpoint Prevent: Block response rule action parameters
4. Click Save to save the configuration.
Manage response rules
Table 808: Endpoint Prevent: Block response rule action parameters
Language
    Select the language you want the response rule to execute on. Click Add Language to add more than one
    language.
Display Alert Box
    This field is optional for Endpoint Block actions. Select an Endpoint Block action to display an on-screen notification
    with this message to the endpoint user when the system blocks an attempt to copy confidential data.
    Enter the notification message in the text box. You can add variables to the message by selecting the appropriate
    value(s) from the Insert Variable box.
    Optionally, you can configure the on-screen notification to include user justifications as well as an option for users
    to enter their own justification.
    You can also add hyperlinks to refer users to URLs that contain company security information. To add hyperlinks
    you use standard HTML syntax, tags, and URLs. Tags are case-sensitive. You can include hyperlinked text
    between regular text. For example, you would enter:
    The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. <a
    href="http://www.company.com">Click here for information</a>. Contact the <a
    href="mailto:admin@company.com">administrator</a> if you have questions.
Insert Variable
    Select the variables to include in the on-screen notification to the endpoint when the system blocks an attempt to
    copy confidential data.
    You can select variables based on the following types:
    • Application
    • Content Name
    • Content Type
    • Matching Attachments
    • Matching Recipient Domains
    • Device Type
    • Matching Recipients
    • Policy Names
    • Protocol
Allow user to choose explanation
    Select this option to display up to four user justifications in the on-screen notification. When the notification appears
    on the endpoint, the user is required to choose one of the justifications. (If you select Allow user to enter text
    explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four default justifications,
    which you can modify or remove as needed.
    Justification:
    • User Education
    • Broken Business Process
    • Manager Approved
    • False positive
    Each justification entry consists of the following options:
    • Check box
      This option indicates whether to include the associated justification in the notification. To remove a justification,
      clear the check box next to it. To include a justification, select the check box next to it.
    • Justification
      The system label for the justification. This value appears in reports (for ordering and filtering purposes), but the
      user does not see it. You can select the desired option from the drop-down list.
    • Option Presented to End User
      The justification text the system displays in the notification. This value appears in reports with the justification
      label. You can modify the default text as desired.
    To add a new justification, select New Justification from the drop-down list. In the Enter new justification text
    box that appears, enter the justification name. When you save the rule, Symantec Data Loss Prevention includes it
    as an option (in alphabetical order) in all Justification drop-down lists.
    Note: You should be selective when adding new justifications. Deleting new justifications is not currently
    supported.
Allow user to enter text explanation
    Select this option to include a text box into which users can enter their own justification.
When a violation is detected, the DLP Agent encrypts the file, the data transfer completes, and an incident is created. You
can provide a reason for the notification as well as options for the endpoint user to enter a justification for the action. This
response rule action is available for Endpoint Prevent on Windows and Mac endpoints.
To configure the Endpoint Prevent: Encrypt action
1. Navigate to Policies > Response Rules, click Add Response Rule, and select the type of response rule to add:
Automated Response or Smart Response.
2. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
Add the Endpoint Prevent: Encrypt action type from the Actions list.
Configuring response rule actions
3. Configure the Endpoint Prevent: Encrypt parameters.
Endpoint Prevent: Encrypt parameters
4. Click Save to save the configuration.
Manage response rules
Language
    Select the language you want the response rule to apply to. Click Add Language to add more than one
    language.
Display Block Alert Box with this message
    This field is required to notify users that the data transfer was blocked.
    Enter the notification message in the text box. You can add variables to the message by selecting the
    appropriate value(s) from the Insert Variable box.
    A user must click OK to acknowledge the alert and dismiss the pop-up dialog.
Display Encrypt Alert Box with this message
    This field is required to notify users that the file that they tried to transfer was encrypted.
    Enter the notification message in the text box. You can add variables to the message by selecting the
    appropriate value(s) from the Insert Variable box.
    A user must click OK to acknowledge the alert and dismiss the pop-up dialog.
Display Retry Alert with this message
    This field is required to notify users that the file they tried to upload using the browser was encrypted at the
    source location, and the original file was deleted. The users should upload this encrypted file using the browser.
    Enter the notification message in the text box. You can add variables to the message by selecting the
    appropriate value(s) from the Insert Variable box.
    A user must click OK to acknowledge the alert and dismiss the pop-up dialog.
Insert Variable
    Select the variables that you want to include in the on-screen notification to the endpoint user.
    You can select variables based on the following types:
    • Application
    • Content Name
    • Content Type
    • Device Type
    • Policy Name
    • Protocol
Allow user to choose explanation
    Select this option to display up to four user justifications in the on-screen notification. When the notification
    appears on the endpoint, the user is required to choose one of the justifications. (If you select Allow user
    to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four
    default justifications, which you can modify or remove as needed.
    Available justifications:
    • Broken Business Process
    • False positive
    • Manager Approved
    • User Education
    • New justification (custom)
    Each justification entry consists of the following options:
    • Check box
      This option indicates whether to include the associated justification in the notification. To remove a
      justification, clear the check box next to it. To include a justification, select the check box next to it.
    • Justification
      The system label for the justification. This value appears in reports (for ordering and filtering purposes), but
      the user does not see it. You can select the desired option from the drop-down list.
    • Option Presented to End User
      The justification text Symantec Data Loss Prevention displays in the notification. This value appears in
      reports with the justification label. You can modify the default text as desired.
    To add a new justification, select New justification from the appropriate drop-down list. In the Enter new
    justification text box that appears, type the justification name. When you save the rule, the system includes the
    new justification as an option (in alphabetical order) in all Justification drop-down lists.
    Note: You should be selective in adding new justifications. Deleting new justifications is not currently supported.
Allow user to enter text explanation
    Select this option to include a text box into which users can enter their own justification.
NOTE
The notify action is not triggered for a copy of sensitive data to a local drive.
To configure the Endpoint Prevent: Notify action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
Add the Endpoint Prevent: Notify action type from the Actions list.
Configuring response rule actions
2. Configure the action parameters.
Endpoint Prevent: Notify response rule action parameters
3. Click Save to save the configuration.
Manage response rules
Language
    Select the language you want the response rule to execute on.
    Click Add Language to add more than one language.
Display Alert Box with this message
    This field is required for Endpoint Notify actions. Select this option to display an on-screen notification to the
    endpoint user.
    Enter the notification message in the text box. You can add variables to the message by selecting the
    appropriate value(s) from the Insert Variable box.
    Optionally, you can configure the on-screen notification to include user justifications as well as the option for
    users to enter their own justifications.
    You can also add hyperlinks to refer users to URLs that contain company security information. To add
    hyperlinks you use standard HTML syntax, tags, and URLs. Tags are case-sensitive. You can insert
    hyperlinked text between regular text. For example, you would enter:
    The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. <a
    href="http://www.company.com">Click here for information</a>. Contact
    the <a href="mailto:admin@company.com">administrator</a> if you have
    questions.
Insert Variable
    Select the variables that you want to include in the on-screen notification to the endpoint user.
    You can select variables based on the following types:
    • Application
    • Content Name
    • Content Type
    • Device Type
    • Policy Names
    • Protocol
Allow user to choose explanation
    Select this option to display up to four user justifications in the on-screen notification. When the notification
    appears on the endpoint, the user is required to choose one of the justifications. (If you select Allow user
    to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four
    default justifications, which you can modify or remove as needed.
    Available Justifications:
    • Broken Business Process
    • False positive
    • Manager Approved
    • User Education
    • Custom (new justification)
    Each justification entry consists of the following options:
    • Check box
      This option indicates whether to include the associated justification in the notification. To remove a
      justification, clear the check box next to it. To include a justification, select the check box next to it.
    • Justification
      The system label for the justification. This value appears in reports (for ordering and filtering purposes),
      but the user does not see it. You can select the desired option from the drop-down list.
    • Option Presented to End User
      The justification text Symantec Data Loss Prevention displays in the notification. This value appears in
      reports with the justification label. You can modify the default text as desired.
    To add a new justification, select New Justification from the appropriate drop-down list. In the Enter new
    justification text box that appears, type the justification name. When you save the rule, the system includes
    the new justification as an option (in alphabetical order) in all Justification drop-down lists.
    Note: You should be selective in adding new justifications. Deleting new justifications is not currently
    supported.
Allow user to enter text explanation
    Select this option to include a text box into which users can enter their own justification.
2. Configure the Endpoint Prevent: User Cancel parameters.
Endpoint Prevent: User Cancel parameters
3. Click Save to save the configuration.
Manage response rules
Parameter Description
Language Select the language you want the response rule to execute on.
Click Add Language to add more than one language.
Pre-timeout warning This field is required to notify users that they have a limited amount of time to respond to the incident.
Enter the notification message in the text box. You can add variables to the message by selecting the
appropriate value(s) from the Insert Variable box.
Post-timeout message This field notifies users that the amount of time to override the policy has expired. The data transfer was
blocked.
Enter the notification message in the text box. You can add variables to the message by selecting the
appropriate value(s) from the Insert Variable box.
Display Alert Box with This field is required for Endpoint User Cancel actions. Select this option to display an on-screen notification
this message to the endpoint user.
Enter the notification message in the text box. You can add variables to the message by selecting the
appropriate value(s) from the Insert Variable box.
Optionally, you can configure the on-screen notification to include user justifications as well as the option for
users to enter their own justifications.
You can also add hyperlinks to refer users to URLs that contain company security information. To add
hyperlinks you use standard HTML syntax, tags, and URLs. Tags are case-sensitive. You can include insert
hyperlinked text between regular text. For example, you would enter:
The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. <a
href="http://www.company.com">Click here for information</a>. Contact
the <a href="mailto:admin@company.com">administrator</a> if you have
questions.
Insert Variable: Select the variables that you want to include in the on-screen notification to the endpoint user. You can select variables based on the following types:
• Application
• Content Name
• Content Type
• Device Type
• Matching Attachments
• Matching Recipient Domains
• Matching Recipients
• Policy Name
• Protocol
• Timeout Counter
Note: You must use the Timeout Counter variable to display how much time remains before blocking the data transfer.
Allow user to choose explanation: Select this option to display up to four user justifications in the on-screen notification. When the notification appears on the endpoint, the user is required to choose one of the justifications. (If you select Allow user to enter text explanation, the user can enter a justification.) Symantec Data Loss Prevention provides four default justifications, which you can modify or remove as needed.
Available Justifications:
• Broken Business Process
• False positive
• Manager Approved
• User Education
• Custom (new justification)
Each justification entry consists of the following options:
• Check box
This option indicates whether to include the associated justification in the notification. To remove a justification, clear the check box next to it. To include a justification, select the check box next to it.
• Justification
The system label for the justification. This value appears in reports (for ordering and filtering purposes), but the user does not see it. You can select the desired option from the drop-down list.
• Option Presented to End User
The justification text Symantec Data Loss Prevention displays in the notification. This value appears in reports with the justification label. You can modify the default text as desired.
To add a new justification, select New Justification from the appropriate drop-down list. In the Enter new justification text box that appears, type the justification name. When you save the rule, the system includes the new justification as an option (in alphabetical order) in all Justification drop-down lists.
Note: You should be selective in adding new justifications. Deleting new justifications is not currently supported.
Allow user to enter text explanation: Select this option to include a text box into which users can enter their own justification.
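As an added example (not Symantec's code), a small renderer for the $NAME$ placeholder syntax used in the notification example above, plus a check that keeps the list of selected justifications within the four the notification can display. The template and the four default justification labels are taken from this page; the placeholder names other than CONTENT_TYPE and CONTENT_NAME, the presented texts and the sample values are assumptions.

```python
"""Added example, not Symantec's code: render an Endpoint on-screen
notification template and validate its justification list."""
import html
import re
from dataclasses import dataclass

# Placeholder syntax taken from the notification example on this page.
VARIABLE_PATTERN = re.compile(r"\$([A-Z_]+)\$")
# The page states the notification shows up to four chosen justifications.
MAX_CHOICE_JUSTIFICATIONS = 4

# The notification template from this page, verbatim.
TEMPLATE = (
    'The $CONTENT_TYPE$ "$CONTENT_NAME$" contains sensitive information. '
    '<a href="http://www.company.com">Click here for information</a>. Contact '
    'the <a href="mailto:admin@company.com">administrator</a> if you have '
    'questions.'
)


def render_notification(template, values):
    """Substitute $NAME$ placeholders in a notification template.

    The template is administrator-authored and may legitimately contain
    HTML tags, so it passes through unchanged.  The values (content name,
    policy name, ...) come from the file or message that raised the
    incident, so they are treated as untrusted and HTML-escaped before
    insertion.  Unknown placeholders are left visible so that a typo in
    the template shows up during testing instead of rendering blank.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        return html.escape(str(values[name]), quote=True)

    return VARIABLE_PATTERN.sub(substitute, template)


@dataclass(frozen=True)
class Justification:
    included: bool   # the check box in the justification entry
    label: str       # system label, shown in reports only
    presented: str   # "Option Presented to End User" text


def justifications_for_notification(entries):
    """Return the (label, presented text) pairs the endpoint will display.

    Only entries whose check box is selected are presented; more than four
    would exceed what the notification can show, so that is rejected.
    """
    chosen = [(j.label, j.presented) for j in entries if j.included]
    if len(chosen) > MAX_CHOICE_JUSTIFICATIONS:
        raise ValueError(
            f"at most {MAX_CHOICE_JUSTIFICATIONS} justifications can be "
            f"presented, {len(chosen)} are selected"
        )
    return chosen


if __name__ == "__main__":
    # Constructed sample values; the content name deliberately contains
    # markup to show that it is escaped rather than rendered.
    sample = {"CONTENT_TYPE": "file", "CONTENT_NAME": "Q3 <b>forecast</b>.xlsx"}
    print(render_notification(TEMPLATE, sample))

    # Labels are the four defaults from this page; presented text is constructed.
    defaults = [
        Justification(True, "Broken Business Process", "A business process requires this"),
        Justification(True, "False positive", "This is not sensitive data"),
        Justification(False, "Manager Approved", "My manager approved this transfer"),
        Justification(True, "User Education", "I was not aware this was sensitive"),
    ]
    for label, text in justifications_for_notification(defaults):
        print(f"{label}: {text}")
```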
Configuring the Network Prevent for Web: Block FTP Request action
The Network Prevent for Web: Block FTP Request response rule action blocks any file transfer by FTP on your network
device.
About response rule actions
This response rule is available only for Network Prevent for Web integrated with a proxy server.
To configure the Network Prevent for Web: Block FTP Request response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Prevent for Web: Block FTP Request action type from the Actions list.
The Block FTP Request response rule action does not require any further configuration. Once the response rule is
deployed to a policy, this action blocks any FTP attempt.
Configuring response rule actions
3. Click Save to save the configuration.
Manage response rules
Implementing response rules
Certain applications may not provide an adequate response to the Network Prevent for Web: Block HTTP/S response
action. This behavior has been observed with the Yahoo! Mail application when a detection server blocks a file upload. If a
user tries to upload an email attachment and the attachment triggers a Network Prevent for Web: Block HTTP/S response
action, Yahoo! Mail does not respond or display an error message to indicate that the file is blocked. Instead, Yahoo!
Mail appears to continue uploading the selected file, but the upload never completes. The user must manually cancel the
upload at some point by pressing Cancel.
Other applications may also exhibit this behavior, depending on how they handle the block request. In these cases a
detection server incident is created and the file upload is blocked even though the application provides no such indication.
To configure the Block SMTP Message response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Prevent: Block SMTP Message action type from the Actions list.
Configuring response rule actions
3. Configure the Block SMTP Message action parameters.
Network Prevent: Block SMTP Message parameters
4. Click Save to save the response rule.
Manage response rules
Parameter Description
Bounce Message to Sender: Enter the text that you want to appear in the SMTP error that Network Prevent for Email returns to the MTA. Some MTAs display this text in the message that is bounced to the sender. If you leave this field blank, the message does not bounce to the sender but the MTA sends its own message.
Redirect Message to this Address: If you want to redirect blocked messages to a particular address (such as the Symantec Data Loss Prevention administrator), enter that address in this field. If you leave this field blank, the bounced message goes to the sender only.
Table 813: Network Prevent: Modify SMTP Message parameters
Parameter Description
Subject: Select the type of modification to make to the subject of the message from the following options:
• Do not Modify – No text is changed in the subject.
• Prepend – New text is added to the beginning of the subject.
• Append – New text is added to the end of the subject.
• Replace With – New text completely replaces the old subject text.
If you select a modification other than Do not Modify, specify the new text. For example, if you want to prepend "VIOLATION" to the subject of the message, select Prepend and enter VIOLATION in the text field.
Headers: Enter a unique name and a value for each header you want to add to the message (up to three).
Enable Email Quarantine Connect (requires Symantec Messaging Gateway): Select this option to enable integration with Symantec Messaging Gateway. When this option is enabled, Symantec Data Loss Prevention adds preconfigured x-headers to the message that inform Symantec Messaging Gateway that the message should be quarantined. For more information, see the Symantec Data Loss Prevention Email Quarantine Connect FlexResponse Implementation Guide.
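As an added example (not Symantec's code), the subject modification modes and the three-header limit from Table 813 applied to a parsed message with Python's email module. The space separator used for Prepend and Append, the header-name syntax check, the rejection of line breaks in header values, and the sample message are assumptions.

```python
"""Added example, not Symantec's code: apply a Modify SMTP Message
configuration (Table 813 options) to a parsed RFC 5322 message."""
import re
from email import message_from_string
from email.message import Message

SUBJECT_MODES = ("Do not Modify", "Prepend", "Append", "Replace With")
MAX_ADDED_HEADERS = 3  # the page allows up to three added headers
# Header field name: printable ASCII except ':' (RFC 5322 field-name).
HEADER_NAME = re.compile(r"^[!-9;-~]+$")

# Constructed sample message, not captured traffic.
SAMPLE_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: partner@example.net\r\n"
    "Subject: Q3 forecast\r\n"
    "\r\n"
    "See attached.\r\n"
)


def _check_header(name, value):
    """Reject names and values that would corrupt or inject header lines."""
    if not HEADER_NAME.match(name):
        raise ValueError(f"invalid header name {name!r}")
    if "\r" in value or "\n" in value:
        raise ValueError(f"header {name!r} must not contain line breaks")


def modify_subject(msg: Message, mode: str, text: str = "") -> Message:
    """Apply one of the Subject options from Table 813 to msg in place."""
    if mode not in SUBJECT_MODES:
        raise ValueError(f"unknown subject modification {mode!r}")
    if mode == "Do not Modify":
        return msg
    current = msg.get("Subject", "")
    if mode == "Prepend":
        new_subject = f"{text} {current}".strip()  # separator is an assumption
    elif mode == "Append":
        new_subject = f"{current} {text}".strip()
    else:  # Replace With
        new_subject = text
    _check_header("Subject", new_subject)
    del msg["Subject"]  # remove every existing Subject line, then set one
    msg["Subject"] = new_subject
    return msg


def add_headers(msg: Message, headers) -> Message:
    """Add (name, value) headers, enforcing the unique-name and count rules."""
    headers = list(headers)
    if len(headers) > MAX_ADDED_HEADERS:
        raise ValueError(f"at most {MAX_ADDED_HEADERS} headers can be added")
    seen = set()
    for name, value in headers:
        if name.lower() in seen:
            raise ValueError(f"header name {name!r} is not unique")
        seen.add(name.lower())
        _check_header(name, value)
    for name, value in headers:
        msg[name] = value
    return msg


def modify_message(raw: str, mode: str, text: str = "", headers=()) -> Message:
    """Parse raw message text and apply the configured modifications."""
    msg = message_from_string(raw)
    modify_subject(msg, mode, text)
    add_headers(msg, headers)
    return msg


if __name__ == "__main__":
    modified = modify_message(
        SAMPLE_MESSAGE, "Prepend", "VIOLATION",
        [("X-DLP-Policy", "Customer Data"), ("X-DLP-Severity", "High")],
    )
    print(modified.as_string())
```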
4. Click Save to save the configuration.
Manage response rules
Table 814: Network Prevent for Web: Remove HTTP/S Content parameters
Field Description
Removal Message: The message that appears in content (Web postings, Web mail, or files) from which the system has removed confidential information. Only the recipient sees this message.
Fallback option: The action to take if Network Prevent for Web cannot remove confidential information that was detected in an HTTP or HTTPS post. The available options are Block (the default) and Allow.
Note: Symantec Data Loss Prevention removes confidential data in file uploads and, for Network Prevent, Web mail attachments, even for sites in which it does not perform content removal. The Fallback option is taken only in cases where Symantec Data Loss Prevention detects confidential content in a recognized Web form, but it cannot remove the content.
Rejection Message: The message that Network Prevent for Web returns to a client when it blocks an HTTP or HTTPS post. The client Web application may or may not display the rejection message, depending on how the application handles error messages.
This response rule action is only available for Network Discover that is configured for Network Protect.
Response rule actions for Network Prevent detection
To configure the Network Protect: Quarantine File response rule action
1. Configure a response rule at the Configure Response Rule screen.
Configuring response rules
2. Add the Network Protect: Quarantine File action type from the Actions list.
Configuring response rule actions
3. Configure the Network Protect: Quarantine File parameters.
Network Protect: Quarantine File configuration parameters
4. Click Save to save the configuration.
Manage response rules
Parameter Description
Marker File: Select this option to create a marker text file to replace the original file. This action notifies the user what happened to the file instead of quarantining or deleting the file without any explanation.
Note: The marker file is the same type and has the same name as the original file, as long as it is a text file. An example of such a file type is Microsoft Word. If the original file is a PDF or image file, the system creates a plain text marker file. The system then gives the file the same name as the original file with .txt appended to the end. For example, if the original file name is accounts.pdf, the marker file name is accounts.pdf.txt.
Marker Text: Specify the text to appear in the marker file. If you selected the option to leave the marker file in place of the remediated file, you can use variables in the marker text. To specify marker text, select the variable from the Insert Variable list.
For example, for Marker Text you might enter:
A message has violated the following rules in $POLICY$: $RULES$
Or, you might enter:
$FILE_NAME$ has been moved to $QUARANTINE_PARENT_PATH$
To configure the Endpoint: MIP Classification response action, do the following steps:
1. Navigate to Policies > Response Rules, click Add Response Rule, and select Automated Response.
2. Configure a response rule at the Configure Response Rule screen.
See Configuring response rules.
3. From the Actions list, add the Endpoint: MIP Classification action.
See Configuring response rule actions.
4. Under Endpoint Notification Content, configure the following parameters:
Parameter Description
Recommend the label: Select this option to configure the DLP Agent to suggest a label to users when they save and close a file that contains confidential information using a supported application.
Alert that is displayed when the label is recommended: Enter the message to recommend a label to users.
Apply the label automatically: Select this option to configure the DLP Agent to automatically apply a label when users save a file that contains confidential information using a supported application.
Alert that is displayed when the label is recommended: Enter the message to inform users that a label is required.
Alert that is displayed when the label is applied automatically: Enter the message to inform users that a label has been applied.
NOTE
If you have migrated your Enforce Server and detection servers from DLP 15.8, update your existing configuration of the Endpoint: MIP Classification response action to include the settings for Microsoft Outlook.
6. Under Microsoft Outlook, configure the following classification parameters for Microsoft Outlook on Windows endpoints:
Table 818: Classification parameters for Microsoft Outlook
Parameter Description
Title: Enter a title for the pop-up message about classifying outgoing emails.
Recommend the label: Select this option to configure the DLP Agent to suggest a label to users when they send an email using Outlook on a Windows endpoint.
Alert that is displayed when the label is recommended: Enter the message to recommend a label to users.
Apply the label automatically: Select this option to configure the DLP Agent to automatically apply a label when users send an email using Outlook on a Windows endpoint.
Alert that is displayed when the label is to be applied: Enter the message to inform users that a label has been applied.
7. Click Save to save the configuration.
Related Links
About response rule actions on page 1350
Response rule best practices on page 1362
Implementing response rules on page 1361
Manage response rules on page 1363
Parameter Input Description
Matches Exactly (input: user risk number): Triggers a response rule action if the user risk score matches.
Is Greater Than (input: user risk number): Triggers a response rule action if the user risk score is exceeded.
Is Greater Than or Equals (input: user risk number): Triggers a response rule action if the user risk score is met or exceeded.
Is Between (input: user risk number): Triggers a response rule action when the user risk score is within the range of numbers specified.
Is Less Than (input: user-specified number): Triggers a response rule action if the user risk score is less than the specified number.
Is Less Than or Equals (input: user-specified number): Triggers a response rule action when the user risk score is equal to or less than the specified number.
Related Links
Implementing response rules on page 1361
Manage response rules on page 1363
Incidents
View, manage, and remediate incidents.
Remediating incidents
Remediating Network incidents
Remediating Endpoint incidents
Remediating Discover incidents
Working with Application incidents
Viewing, managing, and reporting incidents
Hiding incidents
Working with incident data
Working with user risk
Implementing lookup plug-ins
Remediating incidents
This content includes the following topics:
• About incident remediation
• Remediating incidents
• Overview of End User Remediation
• Configurations for End User Remediation
• Working with the DLP incidents in ServiceNow
• Customizations in ServiceNow when using End User Remediation
• Security guidelines for selecting incident attributes when using End User Remediation
• About Troubleshooting Incidents
• Performance guidelines for End User Remediation
• Executing Smart response rules
• Incident remediation action commands
• Response action variables
Along with the DLP administrators, the remediators or end users can perform the remediation action on incidents using
the End User Remediation functionality. End User Remediation simplifies the management of Data Loss Prevention
incidents by decentralizing, automating, and expediting the incident remediation process. See About End User
Remediation.
The following table, Options involved in incident remediation, describes the options that are involved in incident remediation:
Remediation options Description
Role-based access control: Access to incident information in the Symantec Data Loss Prevention system can be tightly controlled with role-based access control. Roles control which incidents a particular remediator can take action on, as well as what information within that incident is available to the remediator. For example, access control can be used to ensure that a given remediator can act only on incidents originating within a particular business unit. In addition, it might prevent that business unit's staff from ever seeing high-severity incidents, instead routing those incidents to the security department.
Severity level assignment: Incident severity is a measure of the risk that is associated with a particular incident. For example, an email message containing 50 customer records can be considered more severe than a message containing 50 violations of an acceptable use policy. Symantec Data Loss Prevention lets you specify what constitutes a severe incident by configuring it at the policy rule level. Symantec Data Loss Prevention then uses the severity of the incident to drive subsequent responses to the incident. This process lets you prioritize incidents and devote your manual remediation resources to the areas where they are needed most.
Custom attribute lookup: Custom attribute lookup is the process of collecting additional information about the incident from data sources outside of Enforce and the incident itself. For example, a corporate LDAP server can be queried for additional information about the message sender, such as the sender's manager name or business unit. See About using custom attributes. For example, you can use custom attributes as input to subsequent automated responses to automatically notify the sender's manager about the policy violation. See Setting the values of custom attributes manually.
Automated incident responses: A powerful feature of the Enforce Server is the ability to automatically respond to incidents as they arise. For example, you can configure the system to respond to a serious incident by blocking the offending communication. You can send an email message to the sender's manager. You can send an alert to a security event management system. You can escalate the incident to the security department. On the other hand, an acceptable use incident might be dispensed with by sending an email message to the sender. Then you can mark the incident as closed, requiring no further work. Between these extremes, you can establish a policy that automatically encrypts transmissions of confidential data to a business partner. All of these scenarios can be handled automatically without user intervention.
Smart Response: Although the automated response is an important part of the remediation process, SmartResponse is necessary at times, particularly in the case of more serious incidents. Symantec Data Loss Prevention provides a detailed Incident Snapshot with all of the information necessary to determine the next steps in remediation. You can use SmartResponse to manually update incident severity, status, and custom attributes, and to add comments to the incident. You can move the incident through the remediation workflow to resolve it.
The following standard SmartResponse actions are available:
• Add Note
• Log to a Syslog Server
• Send Email Notification
• Set Status
The following additional SmartResponse actions are available when you click Include Cloud Detection API incident actions:
• Custom
• Encrypt
• Quarantine
• Remove Collaborator Access
• Remove Shared Links
• Restore File
• Server FlexResponse
• Tag File
Distribution of aggregated incident reports: You can create and automatically distribute aggregated incident reports to data owners for remediation.
The Enforce Server handles all of these steps, except for Smart Response. You can handle incidents in an entirely
automated way. You can reserve manual intervention (Smart Response) for only the most serious incidents.
Remediating incidents
When you remediate an incident, you can perform the following actions:
• Set the status or severity of an incident.
• Apply a Smart Response rule to the incident.
• Set the custom attributes of the incident.
• Add comments to the incident record.
• Remediate incidents by going to an incident list or incident snapshot and selecting actions to perform on one or more
incidents.
• Perform some combination of these actions.
NOTE
Along with the DLP administrators, the remediators or end users can perform the remediation action on incidents
using the End User Remediation functionality. See About End User Remediation.
You can import a solution pack during installation. Solution packs prepopulate incident lists and incident snapshots with
several remediation options and custom attributes. For complete descriptions of all solution packs (including information
about all remediation options and custom attributes they contain), see Solutions Packs in 16.0 Related Documents.
To remediate incidents
1. Access an incident list or incident snapshot.
In incident lists, Symantec Data Loss Prevention displays available remediation options in the Incident Actions drop-
down menu. The menu becomes active when you select one or more incidents in the list (with the check box). In
incident snapshots, Symantec Data Loss Prevention also displays the available remediation options. You can set a
Status or Severity from the drop-down menus.
Viewing Incidents
You can also edit the Attributes and provide related information.
2. Take either of the following actions:
• When you view an incident list, select the incident(s) to be remediated (check the box). You can select incidents
individually or you can select all incidents on the current screen. Then select the wanted action from the Incident
Actions drop-down menu. For example, select Incident Actions > Set Status > Escalated.
You can perform as many actions as needed.
• When you view an incident snapshot, you can set the Status and Severity from the drop-down menus.
If a Smart Response has been previously set up, you can select a Smart Response rule in the remediation bar.
For example, if one of the Solution Packs was installed, you can select Dismiss False Positive in the remediation
bar. When the Execute Response Rule screen appears, click OK. This Smart Response rule changes the incident
status from New to Dismissed and sets the Dismissal Reason attribute to False Positive.
You can perform as many remediation actions as needed.
End User Remediation simplifies the management of Data Loss Prevention incidents by decentralizing, automating,
and expediting the incident remediation process. End User Remediation enables the DLP administrator to delegate
the incident remediation to end users, such as managers, data owners, file owners, employees, or anyone in your
organization. End User Remediation enables quicker and more accurate incident remediation as the responsibility
of remediation is no longer solely on the DLP administrators, but is shared by other stakeholders in the organization as
well. And as there are more remediators, more incidents can be remediated, and the risk associated with incorrect
remediation is reduced.
For End User Remediation, Symantec Data Loss Prevention integrates with ServiceNow. To use End User Remediation,
there is no additional license required for Data Loss Prevention. You will need to have a ServiceNow instance in your
organization. The Symantec DLP End User Remediation (EUR) application is available from the ServiceNow store.
End users can remediate any DLP incident type using the EUR application. The end users (remediators) receive an email
per incident, notifying them that they have an incident to remediate. They can click the appropriate remediation action
in the same email. Clicking the remediation action drafts an email response. The remediator can add comments if
required, and sending the email remediates the incidents assigned to them.
There is a one time configuration that needs to be done in the Enforce Server administration console, where you
can identify incidents to be remediated, what incident information will be made available to the remediators, and
what remediation actions they can take. You need to configure EUR Incident Configurations and EUR Remediation
Configurations in the Enforce Server administration console.
On the ServiceNow instance, the EUR administrator needs to configure a set of prerequisite settings to trigger the EUR
workflow. After the remediation workflow is triggered, the incident status is recorded in ServiceNow. Periodically, the
Enforce Server polls the incident status and executes the response rules selected by remediators.
The following figure and table summarize a use case of an incident remediated using End User Remediation.
Figure 22: An incident remediated using End User Remediation
Steps Action More Information
1. The DLP administrator configures the Enforce Server, EUR Incident Configurations based on incident type, and EUR Remediation Configurations based on incident report. As a prerequisite, you need to configure the incident reports for the incidents that need to be remediated, add the remediators, and configure response rule actions.
More information: Configuring End User Remediation role for Enforce users; Viewing the End User Remediation - Incident Configurations; Configuring End User Remediation - Incident Configurations; Viewing the End User Remediation - Remediation Configurations; Configuring End User Remediation - Remediation Configurations
2. An employee who has a file on their system has violated the policy, and an incident is generated. The DLP administrator configures the manager of the employee as the remediator on the Enforce Server administration console.
3. The Symantec DLP End User Remediation application is hosted on ServiceNow. The DLP administrator syncs this incident to the EUR application. As a prerequisite, the ServiceNow administrator has installed the EUR application on ServiceNow and has configured the prerequisite settings on ServiceNow.
More information: Installing the Symantec DLP End User Remediation application on ServiceNow; Assigning roles to the ServiceNow users; Configuring the End User Remediation properties; Generating an OAuth client; Configuring the Outbound and Inbound email configuration; Configuring End User Remediation Portal Settings
4. The EUR application on ServiceNow sends the manager an email for this incident remediation.
5. The manager could contact the employee about how to take the remediation action, or the manager could click an appropriate response rule action in the email and remediate the incident themselves. Their response is recorded on the EUR application on ServiceNow.
More information: Working with the DLP incidents in ServiceNow
6. The Enforce Server polls the incident action from ServiceNow and executes the corresponding response rule on the Enforce Server to remediate the incident.
Following are some of the applications where the End User Remediation functionality can be used.
• Involving line managers to determine the severity of the incidents generated by their employees. This would help
organizations quickly identify the most critical issues.
• Quarantining emails with sensitive content and having the sender’s manager review the quarantined email and decide if
it can be allowed or rejected.
• Enabling the file owners to remediate any sensitive files that might be stored on a network share, SharePoint or a
SaaS app like Dropbox, and so on.
• Capability to define workflows, specifically to take care of situations like the remediator being “Out of Office” and the
remediator not taking action within the stipulated time, automatic enrollment of the policy violator for privacy training,
and so on.
The following figure summarizes the architecture of End User Remediation. The following architecture diagram considers
DLP Discover setup; however, it is similar for other DLP products as well.
Figure 23: End User Remediation - Architecture diagram
1. DLP scans the repository to find the sensitive files and incidents are generated for violating policies.
2. The incidents are recorded in the Enforce Server.
3. These incidents are also stored in the DLP Oracle database.
4. The EUR application is hosted on ServiceNow. These incident details are synchronized to the EUR application.
5. The incidents are recorded on the ServiceNow instance.
6. The EUR application sends the email to the end users for the incident remediation.
7. The end users respond to the email by clicking an appropriate response rule action link, and the response is recorded
on the EUR application on ServiceNow. An incident action request is generated.
8. The Enforce Server polls this incident action request from ServiceNow.
9. The Enforce Server executes the corresponding response rule and closes the incident.
Any DLP violation across any channel generates DLP incidents, which are recorded in the Enforce Server administration
console and stored in the DLP Oracle database. You create an incident report for these incidents; and configure the EUR
Incident Configurations and Remediation Configurations.
NOTE
Before configuring the EUR Incident Configurations and EUR Remediation Configurations, ensure that you have
configured the following.
• Incident reports for the incidents that need to be remediated
See About custom reports and dashboard.
• Remediators, such as data-owners, and so on
Set Incident Remediator. See Incident remediation action commands
Add remediators through plugins. See Selecting lookup parameters
• Response Rules actions
See About response rule actions.
These incidents are sent to the EUR application based on the connection setting defined in the Enforce Server
administration console, General > Settings > End User Remediation Portal Settings. When an incident is synced to
ServiceNow, it triggers a remediation workflow that generates an event to send an email notification to the assigned
remediator. A remediation workflow defines the process to remediate the incidents and the various stages while the
incident is being remediated.
For a remediator to receive an email from the EUR Application, the remediator should be assigned to the EUR
Remediator role in ServiceNow. If the remediator does not have the EUR remediator role assigned, the incident
assignment fails and no email is sent out.
The EUR application automates this workflow and allows the ServiceNow administrator to customize the remediation
workflow.
In the default EUR workflow, the EUR application sends the incident details through an email to the remediator. A
remediator could be any user in the organization, for example, the user that caused the incident, or his manager,
or a manager in his hierarchy, or an IT engineer, and so on. The email contains the details of the incident, incident
attributes, and response action. The content of the email is configurable. The ServiceNow administrator can customize
the email templates, change the layout, and the look-and-feel of the emails. The EUR application provides a default email
template, the DLP Incident Notification Template.
The remediator can click one of the remediation actions, which in turn creates an email reply. The remediator can
provide a justification or comment for the chosen action in the email response. These comments are recorded under the
Incident snapshot notes tab on the incident details in the Enforce Server administration console. The EUR application
receives the response and the workflow triggers the next steps. The workflow generates an action request. The state
of each reply is recorded on ServiceNow as well. The Enforce Server polls the incident action request periodically
from ServiceNow. The polling period is configurable. The Enforce Server executes the corresponding smart response rule
and the incident details are recorded in the Incident snapshot history tab page. This completes the process of successful
remediation of an incident, and the incident is closed.
The EUR application is compatible with the ServiceNow versions: Utah, Tokyo, and San Diego. The EUR application can
be deployed in the ServiceNow instance only and integrates with Data Loss Prevention.
The following are the various audiences for End User Remediation that have distinct roles.
• The DLP administrator or the Enforce Server users with the End User Remediation role, who are referred to as "you" in the
End User Remediation content.
• The ServiceNow administrator, who has the admin role assigned to them.
• The EUR administrators (EUR Admin), who are the EUR application users with administrator privileges for the EUR
application.
• The remediators or the end users, who remediate incidents on ServiceNow; these could be managers of an
organization and their employees.
The following table lists the roles of the various audiences and the actions they need to perform for the end-to-end deployment
process of the EUR application.
Steps Action Role More Information
1. Install the Symantec DLP EUR application on ServiceNow. Role: ServiceNow Administrator. More information: Installing the Symantec DLP End User Remediation application on ServiceNow
2. Assign roles to the ServiceNow users in ServiceNow. Role: ServiceNow Administrator. More information: Assigning roles to ServiceNow users
3. Configure EUR Properties in ServiceNow. Role: EUR Admin. More information: Configuring the End User Remediation properties
4. Generate OAuth credentials and configure the Outbound and Inbound email configuration in ServiceNow. Role: ServiceNow Administrator. More information: Generating OAuth credentials; Configuring the Outbound and Inbound email configuration
5. Enable the Response Rule Execution Service and configure properties for End User Remediation. Role: DLP Administrator. More information: Enabling the Response Rule Execution Service for End User Remediation; Configuring EUR incident sync between Enforce and ServiceNow
6. Configure End User Remediation Portal Settings and configure the End User Remediation role for Enforce users. Role: DLP Administrator. More information: Configuring End User Remediation Portal Settings; Configuring End User Remediation role for Enforce users
7. View and configure the End User Remediation - Incident Configurations. Role: DLP Administrator. More information: Viewing the End User Remediation - Incident Configurations; Configuring End User Remediation - Incident Configurations
8. View and configure the End User Remediation - Remediation Configurations. Role: DLP Administrator. More information: Viewing the End User Remediation - Remediation Configurations; Configuring End User Remediation - Remediation Configurations
9. Work with the DLP incidents in the EUR application. Role: EUR Admin (the EUR Admin can view all the incidents, whereas remediators can view only the incidents assigned to them). More information: Working with the DLP incidents in the EUR application
10. Customize the email templates and workflows on ServiceNow. Role: ServiceNow Administrator. More information: About customizing email templates; Customizing the email content and format in ServiceNow; Customizing the email layout in ServiceNow; Customizing the email template in ServiceNow; Assigning email templates to workflows in ServiceNow; About workflows on ServiceNow; Accessing the workflow in ServiceNow; Customizing the workflow on ServiceNow
• Installing the Symantec DLP End User Remediation application on ServiceNow
• Assigning roles to ServiceNow users
• Configuring End User Remediation properties in ServiceNow
• Generating OAuth credentials in ServiceNow
• Configuring the Outbound and Inbound email configuration in ServiceNow
• Configurations for End User Remediation on Enforce
• Enabling the Response Rule Execution Service for End User Remediation
• Configuring EUR incident sync between Enforce and ServiceNow
• Configuring End User Remediation Portal Settings
• Configuring End User Remediation role for Enforce users
• Viewing the End User Remediation - Incident Configurations
• Configuring End User Remediation - Incident Configurations
• Viewing the End User Remediation - Remediation Configurations
• Configuring End User Remediation - Remediation Configurations
Installing the Symantec DLP End User Remediation application on ServiceNow
Perform the following steps to install the EUR application on the ServiceNow instance.
1. Go to the ServiceNow App Store: https://store.servicenow.com/$appstore.do#!/store/home
2. In the Search field, type Symantec DLP End User Remediation.
3. Click Search.
4. In the search results, click on the Symantec DLP End User Remediation application.
5. On the application description page, click Get to download the Symantec DLP End User Remediation application.
6. Enter your ServiceNow Hi portal credentials and click Login.
7. Follow the online instructions to install the application.
Assigning roles to ServiceNow users
All the users to whom you want to delegate incident remediation need to be provisioned in ServiceNow. All such
users are assigned the EUR Remediator role.
In ServiceNow, the ServiceNow administrator can assign the following predefined roles to a new user or an existing
ServiceNow user.
• x_symct_dlp_eur.admin
Defines the administrator role for a user.
The EUR admin has access to the EUR Portal, is able to view and update the EUR Application Properties and can
remediate the incidents. The EUR Admin can delete or desync incidents and has access to the Customer Support
section of the EUR application.
• x_symct_dlp_eur.remediator
Defines the incident remediator role for a user.
An EUR Remediator can receive incident emails and perform a remediation action for these incidents. A remediator
can re-assign these incidents to another remediator.
• x_symct_dlp_eur.user
Defines the end user role for a user.
Configuring End User Remediation properties in ServiceNow
The EUR admin configures the EUR properties on the ServiceNow instance.
1. On ServiceNow, navigate to Symantec DLP End User Remediation > Properties.
2. Edit the following EUR properties.
• x_symct_dlp_eur.use.default.remediator.value
Function: Use the default remediator user configured on Enforce as the incident owner for the EUR incident remediation workflow process.
Description: Select Yes to use the default user configured as remediator while configuring the EUR Incident Configurations > Remediator Preferences in the Enforce Server administration console. This user acts as the incident owner for the EUR incident remediation workflow process. Select No if the EUR Admin does not want to use this user as the default remediator and instead wants to update the workflow and assign a different incident remediator.
Values: Yes/No
Default: Yes
• x_symct_dlp_eur.symc.incident.action.request.batch
Function: Defines the batch size for remediation actions.
Description: Enter the number of incidents that the Enforce REST API polls from ServiceNow in one request. This property is used to throttle the number of action requests pulled from ServiceNow by Enforce.
Maximum value: 100
• x_symct_dlp_eur.enable.reminder
Function: Enable email reminders.
Description: Enable this to send reminder emails to the remediator for incident remediation. If enabled, two reminder emails are sent. The time between the first email and the two reminder emails depends on the remediation period configured by the DLP Administrator in the EUR Remediation Configuration. The first email is sent to the end user when the incident has been synced to ServiceNow. The first reminder email is sent after one-third of the remediation period has elapsed. The second and final reminder email is sent to the end user after two-thirds of the remediation period has elapsed. The frequency of reminder emails, if enabled, therefore depends on the remediation period set in the EUR Remediation Configuration; the frequency itself is not customizable.
Values: Yes/No
Default: No
• x_symct_dlp_eur.instance.email.address
Function: Defines the email address of the current active SMTP Email Account of this ServiceNow instance.
Description: Enter the email address of the current active SMTP Email Account of this ServiceNow instance. The remediation email is sent from this address to the remediator, and after the remediator remediates the incident, the remediation action email is sent back to this address.
3. Click Save.
Generating OAuth credentials in ServiceNow
The EUR application lets you access Symantec DLP incidents and perform remediation actions. For the Symantec
DLP Enforce Server to integrate with the EUR application, the ServiceNow administrator needs to generate OAuth
2.0 credentials ("OAuth credentials"). The OAuth credentials authorize the Symantec DLP Enforce Server to communicate
with the EUR application.
The ServiceNow administrator generates OAuth credentials so that the Enforce Server can act as an OAuth client.
On the ServiceNow instance, to create OAuth credentials, perform the following steps:
1. Navigate to System OAuth > Application Registry.
2. Click New.
3. Click Create an OAuth API endpoint for external clients.
4. Enter the following OAuth client application details.
• Name: A unique name.
• Client ID: Client ID is automatically generated by the ServiceNow OAuth server.
• Client Secret: Client secret for the OAuth application.
The Client ID and Client Secret values are used in the DLP Enforce Server administration console for configuring EUR
Portal settings.
See Configuring End User Remediation Portal Settings.
5. Click Submit.
Configuring the Outbound and Inbound email configuration in ServiceNow
The ServiceNow administrator needs to configure the outbound and inbound email configurations on the ServiceNow
instance so that emails can be sent to and received from end users.
1. Navigate to System Properties > Email Properties.
2. On the Outbound Email Configuration, select Yes/No for Email sending enabled.
Property name: glide.email.smtp.active. Selecting Yes enables the EUR application to send an email to end users.
3. On the Inbound Email Configuration, select Yes/No for Email receiving enabled.
Property name: glide.email.read.active. Selecting Yes enables the EUR application to receive an email.
4. Click Save.
Configurations for End User Remediation on Enforce
• Enabling the Response Rule Execution Service for End User Remediation
• Configuring EUR incident sync between Enforce and ServiceNow
• Configuring End User Remediation Portal Settings
• Configuring End User Remediation role for Enforce users
• Viewing the End User Remediation - Incident Configurations
• Configuring End User Remediation - Incident Configurations
• Viewing the End User Remediation - Remediation Configurations
• Configuring End User Remediation - Remediation Configurations
Enabling the Response Rule Execution Service for End User Remediation
End User Remediation uses the Response Rule Execution Service on the Enforce Server to execute the response
rules. After incidents are remediated by the end users, the Enforce Server polls the incident action records from the
Symantec DLP End User Remediation application and submits the response rule execution requests to the Response
Rule Execution Service.
You enable the Response Rule Execution Service, and set the times at which it starts and stops executing response
rules, through the following properties in the manager.properties file for End User Remediation.
1. On the Enforce Server, open the manager.properties file in a text editor.
2. Set the value for the com.vontu.enforcewebservices.responserules.execution.service.schedule
property to Always or BY_SCHEDULE as required. The default value is Never.
Set it to Always if you want incidents remediated as soon as the incident action records are polled by Enforce from
ServiceNow; the incident is then processed in the Enforce Server administration console.
If you set the value to BY_SCHEDULE, you also need to set the start and stop execution times of the Response Rule
Execution Engine as described in the following steps.
3. Enter the start execution time interval of the Response Rule Execution Engine in the
com.vontu.enforcewebservices.responserules.execution.service.startHour property. The format of
the time interval is seconds,minutes,hour,day-of-month,month,day-of-week,year (optional).
The Response Rule Execution Engine will start executing the requests from the persistence queue at this time of the
day.
4. Enter the stop execution time interval of the Response Rule Execution Engine in the
com.vontu.enforcewebservices.responserules.execution.service.endHour property. The format of
the time interval is seconds,minutes,hour,day-of-month,month,day-of-week,year (optional).
The Response Rule Execution Engine will stop executing the requests from the persistence queue at this time of the
day.
5. Save and close the manager.properties file.
Configuring EUR incident sync between Enforce and ServiceNow
To sync incidents from Enforce to ServiceNow using End User Remediation, you need to configure the following
properties in the EndUserRemediation.properties file.
1. On the Enforce Server, open the EndUserRemediation.properties file in a text editor.
2. Set the values for the following properties.
• enduserremediation.portal.poller.schedule
Default: 0 0/15 * * * ?
Description: Specifies the time interval at which the Enforce Server polls incident action requests from ServiceNow. The time format is "seconds, minutes, hour, day-of-month, month, day-of-week, year (optional)".
• enduserremediation.incidentSync.throttle.enabled
Default: False
Description: Enables or disables throttling while syncing incidents with the Symantec DLP End User Remediation application on ServiceNow. Set this property to 'true' to enable throttling.
• enduserremediation.incidentSync.throttle.duration.seconds
Default: 60
Description: Specifies the incident sync throttle duration in seconds. If the property enduserremediation.incidentSync.throttle.enabled is set to "True", this property sets the incident sync throttle duration.
• enduserremediation.incidentSync.throttle.incidents.batchsize
Default: 100
Description: Specifies the maximum number of incidents that are sent at one time to ServiceNow for remediation. If the property enduserremediation.incidentSync.throttle.enabled is set to "True", this property limits the number of incidents sent.
• enduserremediation.incidentSync.batchSize
Default: 100
Description: Specifies the batch size in which the Enforce Server sends incidents for remediation to ServiceNow.
• enduserremediation.incidentFile.maxSize
Default: 5
Description: Defines the size of the file attachment attached to the remediation email. The default value for the EUR application is 5 MB. The maximum permitted limit is 15 MB. If the file attachment exceeds the maximum size of 15 MB, the incident is still sent for remediation, but the file is not attached.
• enduserremediation.parallel.config.execution.limit
Default: 5
Description: Specifies the number of EUR Remediation Configurations that can run in parallel.
3. Save and close the EndUserRemediation.properties file.
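The schedule and throttle values in manager.properties and EndUserRemediation.properties are easy to get wrong and are only checked when the service runs. As an added example (not part of the product or of this guide), the following Python script checks a copy of each file before it is deployed: it validates the Quartz-style cron expressions in the format given above, requires startHour and endHour when the schedule is BY_SCHEDULE, and keeps the throttle values and incidentFile.maxSize within the limits this page states. The sample file contents are constructed, and the cron check covers only the numeric forms (no JAN/MON names, L, W or #).

```python
import re

# Quartz cron field order and ranges, as this guide gives them: seconds, minutes,
# hour, day-of-month, month, day-of-week, year (optional).
_FIELDS = [("seconds", 0, 59), ("minutes", 0, 59), ("hour", 0, 23), ("day-of-month", 1, 31),
           ("month", 1, 12), ("day-of-week", 1, 7), ("year", 1970, 2099)]
_DAY_FIELDS = ("day-of-month", "day-of-week")

def _token_ok(tok, lo, hi):
    """Accept *, ?, n, a-b, n/step, */step and a-b/step (numeric forms only)."""
    if tok in ("*", "?"):
        return True
    base, _, step = tok.partition("/")
    if step and not (step.isdigit() and int(step) > 0):
        return False
    if base == "*":
        return bool(step)  # '*/step'; a bare '*' was accepted above
    first, _, last = base.partition("-")
    if not first.isdigit() or (last and not last.isdigit()):
        return False
    lo_v, hi_v = int(first), (int(last) if last else int(first))
    return lo <= lo_v <= hi_v <= hi

def validate_quartz_cron(expr):
    """Return a list of problems; an empty list means the expression is acceptable.
    '?' is accepted only in the two day fields."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return [f"expected 6 or 7 fields, got {len(fields)}"]
    problems = []
    for value, (name, lo, hi) in zip(fields, _FIELDS):
        for tok in value.split(","):
            if not _token_ok(tok, lo, hi) or (tok == "?" and name not in _DAY_FIELDS):
                problems.append(f"{name}: invalid token '{tok}'")
    # Quartz requires exactly one of the two day fields to be '?'.
    if (fields[3] == "?") == (fields[5] == "?"):
        problems.append("exactly one of day-of-month and day-of-week must be '?'")
    return problems

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value; '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

_RR = "com.vontu.enforcewebservices.responserules.execution.service."
_EUR = "enduserremediation."

def check_manager_properties(props):
    """schedule must be Always, BY_SCHEDULE or Never; BY_SCHEDULE needs valid startHour/endHour."""
    problems = []
    mode = props.get(_RR + "schedule", "Never")
    if mode not in ("Always", "BY_SCHEDULE", "Never"):
        problems.append(f"schedule: unexpected value '{mode}'")
    if mode == "BY_SCHEDULE":
        for suffix in ("startHour", "endHour"):
            if _RR + suffix not in props:
                problems.append(f"{suffix}: required when schedule is BY_SCHEDULE")
                continue
            problems += [f"{suffix}: {p}" for p in validate_quartz_cron(props[_RR + suffix])]
    return problems

def check_eur_properties(props):
    """Poller cron, throttle values (when enabled) and the 15 MB attachment cap."""
    problems = []
    sched = props.get(_EUR + "portal.poller.schedule", "0 0/15 * * * ?")
    problems += [f"portal.poller.schedule: {p}" for p in validate_quartz_cron(sched)]
    if props.get(_EUR + "incidentSync.throttle.enabled", "false").lower() == "true":
        for key in ("incidentSync.throttle.duration.seconds",
                    "incidentSync.throttle.incidents.batchsize"):
            val = props.get(_EUR + key, "0")
            if not val.isdigit() or int(val) <= 0:
                problems.append(f"{key}: must be a positive integer when throttling is enabled")
    size = props.get(_EUR + "incidentFile.maxSize", "5")
    if not size.isdigit() or not 1 <= int(size) <= 15:
        problems.append(f"incidentFile.maxSize: must be 1-15 MB, got '{size}'")
    return problems

# Constructed sample files, not real deployment values: endHour uses '*' in both day
# fields, the throttle batch size is 0, and maxSize exceeds the 15 MB limit.
MANAGER_SAMPLE = """
com.vontu.enforcewebservices.responserules.execution.service.schedule=BY_SCHEDULE
com.vontu.enforcewebservices.responserules.execution.service.startHour=0 0 20 * * ?
com.vontu.enforcewebservices.responserules.execution.service.endHour=0 0 6 * * *
"""
EUR_SAMPLE = """
enduserremediation.portal.poller.schedule=0 0/15 * * * ?
enduserremediation.incidentSync.throttle.enabled=true
enduserremediation.incidentSync.throttle.duration.seconds=60
enduserremediation.incidentSync.throttle.incidents.batchsize=0
enduserremediation.incidentFile.maxSize=20
"""
```

Run it against a real file with check_eur_properties(parse_properties(open(path).read())); an empty list means nothing to fix.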
Configuring End User Remediation Portal Settings
The Enforce Server integrates with the EUR application deployed on the ServiceNow instance. For Enforce to connect
with the ServiceNow instance, an OAuth 2.0 authentication scheme is used. These OAuth connection settings are provided in
the End User Remediation Portal Settings section.
1. On the Enforce Server administration console, navigate to System > Settings > General and click Configure. The
Edit General Settings screen is displayed.
2. In the Enforce to End User Remediation Portal Settings section, enter the following values.
• Portal URL: ServiceNow instance URL
• User Name: ServiceNow Integration user name
The ServiceNow Integration user is a ServiceNow user who has the EUR Admin role assigned to them.
• Password: Password of the Integration user account
• Re-enter Password: Re-enter the password for the Integration user account
• Client ID: ServiceNow OAuth Client ID
NOTE
Enter the Client ID and Client Secret values from the ServiceNow instance that were generated while
creating the OAuth client.
See Generating OAuth credentials in ServiceNow.
• Client Secret: ServiceNow OAuth Client secret
• Re-enter Client Secret: Re-enter the ServiceNow OAuth Client secret
3. Click Save.
Currently, only one Enforce Server can be mapped to a single ServiceNow instance to use the EUR functionality.
If the customer has multiple Enforce Server administration consoles, each Enforce Server must be connected to a
different ServiceNow instance, and the EUR application must be deployed on each of those ServiceNow instances.
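The Portal Settings above are the inputs of an OAuth 2.0 password-style grant: ServiceNow issues a token to the registered client (Client ID and Client Secret) on behalf of the Integration user (User Name and Password). As an added example that is not part of the product or of this guide, the following Python helper builds that token request against ServiceNow's /oauth_token.do endpoint, validates the response, and lists pending rows of the x_symct_dlp_eur_incidentactionrequest table so an administrator can confirm the credentials and the EUR Admin role assignment work before saving them in Enforce. Reading that table through the standard Table API is this example's assumption (the page does not describe Enforce's own polling calls), and the environment variable names are placeholders.

```python
import json
import os
import urllib.parse
import urllib.request

# ServiceNow's OAuth 2.0 token endpoint for the password grant.
TOKEN_PATH = "/oauth_token.do"
# EUR action-request table named in this guide. Reading it through the standard
# Table API is an assumption of this check, not how Enforce itself polls it.
ACTION_TABLE = "x_symct_dlp_eur_incidentactionrequest"


def token_request(portal_url, username, password, client_id, client_secret):
    """Return (url, form body) for the password grant; the five arguments are the
    Portal URL, User Name, Password, Client ID and Client Secret from the settings."""
    url = portal_url.rstrip("/") + TOKEN_PATH
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def parse_token_response(raw):
    """Validate a token response; raise ValueError carrying the server's reason."""
    data = json.loads(raw)
    if "error" in data:
        raise ValueError(f"token request rejected: {data.get('error_description', data['error'])}")
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in data]
    if missing:
        raise ValueError(f"token response missing {', '.join(missing)}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"])}


def action_requests_url(portal_url, limit=100):
    """Table API query for pending action requests. The limit is capped at 100, the
    maximum this guide allows for x_symct_dlp_eur.symc.incident.action.request.batch."""
    query = urllib.parse.urlencode({
        "sysparm_limit": max(1, min(int(limit), 100)),
        "sysparm_fields": "sys_id,sys_created_on",
    })
    return f"{portal_url.rstrip('/')}/api/now/table/{ACTION_TABLE}?{query}"


def fetch_token(portal_url, username, password, client_id, client_secret):
    """Perform the token exchange over HTTPS (network call; the offline checks do not use it)."""
    url, body = token_request(portal_url, username, password, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())


def list_action_requests(portal_url, access_token, limit=100):
    """Read pending action requests with the bearer token (network call)."""
    req = urllib.request.Request(action_requests_url(portal_url, limit),
                                 headers={"Authorization": "Bearer " + access_token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    # Placeholder names: pass the Integration user's credentials and the client
    # secret through the environment rather than hard-coding them in a script.
    needed = ("EUR_PORTAL_URL", "EUR_USER", "EUR_PASSWORD", "EUR_CLIENT_ID", "EUR_CLIENT_SECRET")
    absent = [name for name in needed if name not in os.environ]
    if absent:
        raise SystemExit("set " + ", ".join(absent))
    portal = os.environ["EUR_PORTAL_URL"]
    token = fetch_token(portal, os.environ["EUR_USER"], os.environ["EUR_PASSWORD"],
                        os.environ["EUR_CLIENT_ID"], os.environ["EUR_CLIENT_SECRET"])
    for row in list_action_requests(portal, token["access_token"]):
        print(row["sys_id"], row["sys_created_on"])
```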
Configuring End User Remediation role for Enforce users
You can configure a role for an Enforce Server administration console user with 'End User Remediation Administration'
privilege to manage the following.
• Incident Configurations
• Remediation Configurations and Execution
1. On the Enforce Server administration console, navigate to the System > Login Management > Roles screen.
2. Click Add Role.
3. The Configure Role screen appears, displaying the following tabs: General, Incident Access, Policy Management,
and Users & Groups.
4. In the General tab:
• Use the User Privileges section to grant user privileges for the role.
Under System privileges, select the End User Remediation Administrator option.
5. Click Save.
See Configuring roles.
Viewing the End User Remediation - Incident Configurations
This is the first step in configuring EUR in the Enforce Server administration console.
The Manage > End User Remediation > Incident Configurations screen is the home page for adding EUR Incident
Configurations and viewing the configured EUR Incident Configurations. You configure the set of incidents to send for
remediation to end users.
NOTE
By default, out-of-box EUR Incident Configurations are pre-populated by the system for Discover incident
types. You can update these EUR Incident Configurations as per your requirements.
In the Incident Configurations screen, click Send to End User Remediation Portal for the following scenarios.
• To send the newly created remediation actions for each incident type configured to the Symantec DLP End User
Remediation application on ServiceNow.
• To send the updated remediation actions for each incident type configured to the Symantec DLP End User
Remediation application on ServiceNow.
• To send the remediation actions to the new ServiceNow instance if you have updated the End User Remediation Portal
Settings.
• Add an EUR Incident Configuration: Click New to create a new EUR Incident Configuration.
• Modify an EUR Incident Configuration: Click the EUR Incident Configuration name or edit icon to modify an existing EUR Incident Configuration.
• Sort an EUR Incident Configuration: Click any column header to sort the EUR Incident Configuration list.
• Remove an EUR Incident Configuration: You can click the red X icon at the end of the EUR Incident Configuration row to delete an individual EUR Incident Configuration.
You can sort the following fields by clicking on their column name.
• Incident Type: Displays the name of the incident type selected in the EUR Incident Configuration.
• Incident Category: Displays the name of the incident category selected in the EUR Incident Configuration.
• Incident Details: Displays the incident details, such as the Data Owner of the incident, incident attributes, and so on.
• Incident Remediators: Displays the remediator preferences selected in the EUR Incident Configuration.
• Response Rules: Displays the response rule actions selected in the EUR Incident Configuration.
• Last Modified By: Displays the user name of the user who last updated the EUR Incident Configuration.
• Last Modified Date: Displays the date when the EUR Incident Configuration was last updated.
Configuring End User Remediation - Incident Configurations
You need to configure the EUR Incident Configurations to define the types of incidents that you need to send to the
Symantec DLP End User Remediation application on ServiceNow. An EUR Incident Configuration also allows you to
configure the following.
• Incident details, such as incident type, incidents attributes, and custom attributes
• Incident remediator preferences
See About remediator preferences.
• Remediation actions (smart response rules that will be available for end users) for each incident type
NOTE
Ensure that you configure EUR Incident Configurations for each incident type that you need to send to the
EUR application for remediation, in addition to including them in the incident report. If there is no EUR Incident
Configuration defined for an incident type, incidents of that type are not sent to the EUR application even if they are
included in the report.
1. On the Enforce Server administration console, navigate to Manage > End User Remediation > Incident
Configurations.
2. On the Create Incident Configurations page, select the DLP incident category and type from the Incident Category
and Incident Type list boxes.
3. On the Incident Details > Incident Attributes tab, choose the system incident attributes from the Select Incident
Attribute list box and configure a label to be displayed for the attribute in the End User Remediation Portal.
4. On the Incident Details > Custom Attributes tab, choose the custom incident attributes from the Select Custom
Attribute list box and configure a label to be displayed for the attribute in the End User Remediation Portal.
The selected system and custom incident attributes are sent to the EUR application. The remediation email that is sent
to the remediator from ServiceNow to remediate the incident has all these selected incident attributes, file attachment
(if any), along with the response actions.
Refer to the security guidelines for choosing the matches and file attachments. See Security guidelines for selecting
incident attributes when using End User Remediation.
5. On the Remediator Preferences tab, select the incident attributes to identify the remediator from the Available
Remediator Attributes list box and add it to the Selected Remediator Attributes list box. You can configure the
remediator preference order by using the Up and Down arrows in the Selected Remediator Attributes list box.
If you are using Incident Remediator as the remediator, specify the remediator email address as follows: go to Incidents,
select an incident, and on the Incident details page, in the Key Info tab, add the address of the remediator in Incident
Remediator Email Address and click Change. See Selecting lookup parameters.
See About remediator preferences.
6. On the Remediator Actions tab, select the applicable response rules to remediate incidents from the End User
Remediation Portal from the Available Smart Response Rules list box and move to the Selected Smart Response
Rules list box.
You can configure which smart response rules, based on the incident type, are made available for the end user to
remediate the incident. These smart response rules are termed 'Remediation Actions'. Only smart response rules are
taken into account as remediation actions; automated response rules are not considered because they are executed
automatically.
Ensure that you select at least one smart response rule action for incident remediation. If you do not select any smart
response rule action, then the remediator will not be able to remediate the incident and the incident will expire.
7. Click Save.
After you add the EUR Incident Configurations, you need to send these remediation actions to the Symantec DLP End
User Remediation application on the ServiceNow instance. To send the remediation actions to the application, click
Send to End User Remediation Portal on the Incident Configurations page.
About remediator preferences
Ideally, any incident attribute or custom attribute that is an email address can be selected as the remediator. Custom
attributes can be populated using lookup plugins on the Enforce Server.
Remediator preferences are used to determine the 'remediator' for an incident. The remediator for an incident is defined
on the Enforce Server using standard or custom incident attributes. Only incident attributes of email type can be used as
a remediator preference.
Multiple attributes can be selected as remediator preferences. While the EUR process is executed, each attribute is
evaluated in the order (top to bottom) configured in the remediator preferences. If an attribute configured in the
remediator preferences has a value, the 'Incident Remediator Email Address' attribute of the incident is updated with
that value as the remediator. If an attribute has no value, the next remediator preference attribute in the sequence is
evaluated, and the process continues until an Incident Remediator value is obtained. If none of the configured remediator
preference attributes has a value for the incident, the incident is marked with the status defined in the EUR Remediation
Configuration and is not sent to the EUR application for remediation.
NOTE
Once the Incident Remediator Email Address attribute of the incident is populated with the remediator
preference, and if you need to update this attribute during the EUR execution process, then you need to
manually update the Incident Remediator Email Address on the Enforce Server.
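As an added example that is not part of the product or of this guide, the following Python model walks the preference order exactly as described above: the first attribute with a value becomes the Incident Remediator Email Address, and an incident for which no preference attribute has a value is held back with the failure status from the EUR Remediation Configuration. The preference names, incident attributes and status name are constructed; treating a value that is not shaped like an email address as "no value", and keeping an already populated Incident Remediator Email Address untouched, are this example's assumptions rather than documented behaviour.

```python
import copy
import re

# Attribute this guide says is populated once a remediator is determined.
REMEDIATOR_ATTR = "Incident Remediator Email Address"
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_remediator(attrs, preferences):
    """Evaluate the remediator preferences top to bottom.

    attrs: incident attributes (standard and custom) as a name -> value dict.
    preferences: attribute names in the configured order.
    Returns (email, attribute_name) for the first preference that has a value,
    or (None, None) when none of them does. Assumption: a value that is not
    shaped like an email address counts as 'no value'."""
    for name in preferences:
        value = (attrs.get(name) or "").strip()
        if value and _EMAIL.match(value):
            return value, name
    return None, None


def prepare_for_sync(incidents, preferences, failure_status):
    """Apply the preferences to every incident of a report run.

    Each incident dict is updated in place: REMEDIATOR_ATTR is set from the first
    matching preference, or 'status' is set to failure_status (the value chosen
    under 'On failure to determine the Incident Remediator'). An incident whose
    REMEDIATOR_ATTR is already populated (for example set manually on Enforce, as
    the NOTE above describes) keeps that value. Returns (to_sync, held)."""
    to_sync, held = [], []
    for inc in incidents:
        attrs = inc["attributes"]
        if attrs.get(REMEDIATOR_ATTR):
            inc["remediator_source"] = REMEDIATOR_ATTR
            to_sync.append(inc)
            continue
        email, source = resolve_remediator(attrs, preferences)
        if email is None:
            inc["status"] = failure_status
            held.append(inc)
        else:
            attrs[REMEDIATOR_ATTR] = email
            inc["remediator_source"] = source
            to_sync.append(inc)
    return to_sync, held


# Constructed sample: preference order, attribute names, addresses and the
# failure status are illustrative, not values from a real Enforce Server.
PREFERENCES = ["Data Owner", "Manager Email", "Sender"]
SAMPLE_INCIDENTS = [
    {"id": 1001, "attributes": {"Data Owner": "alice@example.com", "Manager Email": "m1@example.com"}},
    {"id": 1002, "attributes": {"Data Owner": "", "Manager Email": "bob@example.com"}},
    {"id": 1003, "attributes": {"Data Owner": None, "Manager Email": "not an address"}},
    {"id": 1004, "attributes": {REMEDIATOR_ATTR: "carol@example.com", "Data Owner": "dave@example.com"}},
]


def run_sample():
    """Return {incident id: (remediator or None, source attribute or failure status)}."""
    incidents = copy.deepcopy(SAMPLE_INCIDENTS)  # keep the module-level sample pristine
    to_sync, held = prepare_for_sync(incidents, PREFERENCES, "Remediator Not Found")
    result = {}
    for inc in to_sync:
        result[inc["id"]] = (inc["attributes"][REMEDIATOR_ATTR], inc["remediator_source"])
    for inc in held:
        result[inc["id"]] = (None, inc["status"])
    return result


if __name__ == "__main__":
    for incident_id, outcome in sorted(run_sample().items()):
        print(incident_id, outcome)
```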
Viewing the End User Remediation - Remediation Configurations
This is the second step in configuring EUR in the Enforce Server administration console.
The Manage > End User Remediation > Remediation Configurations screen is the home page for adding and viewing
the EUR Remediation Configurations.
• Add an EUR Remediation Configuration: Click New to create a new EUR Remediation Configuration.
• Modify an EUR Remediation Configuration: Click the EUR Remediation Configuration name or edit icon to modify an existing EUR Remediation Configuration.
• Sort EUR Remediation Configurations: Click any column header to sort the EUR Remediation Configuration list.
• Remove an EUR Remediation Configuration: You can click the red X icon at the end of the EUR Remediation Configuration row to delete an individual EUR Remediation Configuration.
• Execute an EUR Remediation Configuration: You can click the Execute Now icon in the Actions menu at the end of the EUR Remediation Configuration row to execute an individual remediation configuration. You can execute a remediation configuration in the following cases:
– If you have set the schedule to No Regular Schedule
– If you intend to run a remediation action immediately even though you have configured a schedule for a later time
• Stop execution of an EUR Remediation Configuration: You can click the Stop Now icon in the Actions menu to stop the execution of an individual EUR Remediation Configuration.
Table 827: End User Remediation - Remediation Configuration screen display fields
You can sort the following fields by clicking on their column name.
Configuring End User Remediation - Remediation Configurations
EUR Remediation Configurations allow you to actually send the incidents for remediation to the EUR application. In
an EUR Remediation Configuration, you do the following.
• Select the incident report that is used to sync incidents to the EUR application
• Set the time interval of syncing the incidents for remediation to the EUR application on ServiceNow
• Set the incident status for different stages of the incident remediation execution result
1. On the Enforce Server administration console, navigate to Manage > End User Remediation > Remediation
Configurations.
2. On the Create New Remediation Configuration page, enter the following.
– Name: Name of the EUR Remediation Configuration
– Description: Description of the EUR Remediation Configuration
– Sync incidents from report: Select a DLP incident report from the list box. A report can be used in only one EUR
Remediation Configuration.
– Schedule: Select an appropriate schedule option from the following options to send new incidents for
remediation to the EUR application on ServiceNow.
Table 828: EUR Remediation Configurations schedule
3. In the Remediation Deadline section, in the Number of days to remediate field, enter the number of days in which
the end user needs to remediate the incidents assigned to them.
If the remediators do not remediate the incidents in the specified days, then the incident is sent back to Enforce from
ServiceNow.
4. In the Change Incident Status section, select the appropriate incident status from the corresponding list box for each
of the following. For configuring incident statuses, see Configuring the Set Status action.
• After Remediation Deadline expires: Select the status to assign to incidents when the end users take no action before the specified remediation deadline.
• After successfully sent for End User Remediation: Select the status to assign to incidents when they are successfully sent to the EUR application on the ServiceNow instance.
• On failure to determine the Incident Remediator: Select the status to assign to incidents when an incident remediator cannot be identified. These incidents are not sent to the EUR application.
• For deleted incidents on End User Remediation Portal: Select the status to assign to incidents when they are deleted from the EUR application.
5. Click Save.
After the EUR Remediation Configuration is executed in the set schedule, an event is generated on the System >
Servers and Detectors > Events page. See Server and Detectors event detail and System events reports.
After the EUR Remediation Configuration is executed successfully, the status of the incident is set to the value
specified in After successfully sent for End User Remediation on the Incidents > <Incident category> > <Name
of the incident report> page in the Status column. See About endpoint incident lists.
Working with the DLP incidents in the EUR application
In the ServiceNow console, the EUR Admin can view the following menu options in the EUR application. The EUR
Admin can view all the incidents in the EUR application, including the incidents assigned to them as well as the incidents
assigned to remediators.
However, a user with EUR remediator privileges can view only the incidents assigned to them in the DLP Incidents menu
option.
• Properties
See Configuring the End User Remediation properties
• DLP Incidents
Lists the incidents received for end user remediation. After the incidents are remediated and Enforce and ServiceNow
are synced, the entry is deleted from here. The EUR Admin can do the following on the DLP Incidents menu.
• Remediating incidents using the EUR application
• Reassigning incidents using the EUR application
• Desyncing incidents using the EUR application
The DLP Incidents menu lists the incidents details as described in the following table.
• Incident ID: Displays the DLP incident ID number that is synced with the EUR application for remediation.
• Incident Type: Displays the DLP incident type.
• Severity: Displays the severity of the incident, such as High (1), Medium (2), Low (3), or Info (4).
• Incident State: Displays the current status of the incident as specified on ServiceNow or the Enforce Server:
– New
– Assigned
– Assigned failed
– Reassigned (if the EUR Admin reassigns an incident to another remediator from ServiceNow)
– Remediator changed (if the DLP administrator reassigns an incident to another remediator from Enforce)
– Remediated
– Expired
– Deleted
– Closed
NOTE
You can search for a particular field by entering a value for the selected field name in the Search field.
• Remediation Actions
Lists the EUR Incident Configurations and their associated response rule actions that you have configured on Enforce
and that are synced with ServiceNow.
• Incident Type
Displays the DLP incident type.
• Response Rule Name
Displays the name of the response rule associated to the policy for which incident was generated.
• Incident Action Requests
Lists the remediation actions taken by remediators and raises an action request for Enforce to poll the incident
action request from ServiceNow. After the incident is remediated on Enforce, this action request entry, along with the
remediated incident record, is deleted from the EUR application. The incident action requests are stored in the
IncidentActionRequest (x_symct_dlp_eur_incidentactionrequest) table in ServiceNow.
• Customer Support
Lists the customer support information for the EUR application.
Remediating incidents using the EUR application
The End User Remediation feature enables users to remediate an incident from the incident email they receive, by clicking
the appropriate response action available in it. However, the EUR Admin can also remediate the incident by logging into
the ServiceNow console.
1. In the ServiceNow console, navigate to Symantec DLP End User Remediation > DLP Incidents, and select the
incident that needs to be remediated.
2. On the DLP Incident page, in the Incident Action section, do the following.
• Select the response rule action from the Incident Action list box.
• Add comments if required in Comments.
NOTE
Currently, after selecting the appropriate incident action, the incident remains in the assigned state and
the incident is not remediated. To resolve this issue, the EUR Admin or end user needs to select the
same end user as specified in the Assigned list box, in the Reassigned To list box too.
3. Click Update.
The incident is remediated and this triggers the remediation path of the incident workflow.
Reassigning incidents using the EUR application
After the incidents are synced to ServiceNow, they can be reassigned if required. The EUR Admin can log into the
ServiceNow instance and reassign the incident.
1. In the ServiceNow console, navigate to Symantec DLP End User Remediation > DLP Incidents, select the incident
that needs to be reassigned.
2. On the DLP Incident page, in the Reassigned To field, search for the user to whom the incident needs to be
reassigned.
3. Click Update.
The incident is reassigned and this triggers the reassignment path of the incident workflow. Ensure that the reassigned
user has the EUR remediator role. On the ServiceNow instance, the state of the incident is updated to "Reassigned" and
finally to "Assigned".
NOTE
The DLP Administrator can also reassign incidents from the Enforce Server administration console. You
can update the incident remediator field of an incident on the Enforce Server and resync the updated incidents
by executing a EUR Remediation Configuration either manually or by the next scheduled execution. In the
ServiceNow console, the state of the incident is updated to "Remediator Changed".
Set Incident Remediator. See Incident remediation action commands.
Add remediators through plugins. See Selecting lookup parameters.
Desyncing incidents using the EUR application
If incidents are unintentionally synced to ServiceNow, or if incidents are synced to ServiceNow before their respective
remediation actions, these incidents can be desynced from ServiceNow to the Enforce Server. The EUR Admin can
desync the incidents.
1. In the ServiceNow console, navigate to Symantec DLP End User Remediation > DLP Incidents, select an incident
that needs to be desynced.
NOTE
To desync multiple incidents simultaneously, on the DLP Incident List page, select the check box against
each of the incidents that need to be desynced and click Desync from the top menu.
2. On the DLP Incident page, click Desync.
When the EUR Admin desyncs the incident, the state of the incident is updated to "Deleted" in ServiceNow, and the
workflow path to desync the incident is triggered. The status of the incident on Enforce is updated with the status
configured in the respective EUR Remediation Configuration in the Change Incident Status > For deleted incidents
on End User Remediation Portal field.
About workflows on ServiceNow
A workflow is a sequence of activities that automates processes in applications. Activities are workflow blocks that perform
different tasks, such as obtaining approvals, sending an email, running scripts, testing conditions, and setting field values
on records. All workflows start with a Begin activity and end execution with an End activity. When an activity completes,
the activity exits through the appropriate node, and the transition is followed to the next activity.
The EUR application provides an out-of-box workflow: DLP Incident Remediation Process Workflow. This workflow is a
sequence of activities to automate and delegate the remediation process of a Data Loss Prevention incident in the EUR
application.
Figure 24: DLP Incident Remediation Process Workflow
The workflow has the following stages for incident remediation in ServiceNow.
Workflow Activity: Assign DLP Incident Owner
Activity Type: Run Script
Workflow Stage: Assignment
Description: Assigns the incident owner. By default, the remediator specified on the Enforce Server is assigned as the
incident owner. The assignment is successful if the user is active and is an authorized user having at least the EUR
Remediator role. If the assignment fails, this is updated in the incident record and the workflow moves to the 'Wait for
Condition' block.

Workflow Activity: DLP Incident Assignment Event
Activity Type: Create Event
Description: Creates a new event, x_symct_dlp_eur.incidentAssignment, on successful incident owner assignment. This
event triggers an email notification to be sent to the incident remediator.

Workflow Activity: Wait
Activity Type: Wait for Condition
Workflow Stage: In Progress
Description: The following conditions complete the "Wait for Condition" activity:
• Incident state changes to 'Remediated' - When the incident owner remediates the incident.
• Incident state changes to 'Deleted' - When the EUR Admin desyncs/deletes the incident.
• Incident state changes to 'Reassigned' - When the EUR Admin or the remediator reassigns the incident.
• Incident state changes to 'Remediator Changed' - When the DLP administrator reassigns the incident on the Enforce
Server and resyncs the incident to ServiceNow.
• Incident state changes to 'Expired' - When the incident is auto-expired after the incident expiration date.

Workflow Activity: Generate Incident Action Request
Activity Type: Run Script
Workflow Stage: Processed
Description: Generates the following types of incident action request based on the action taken either by the remediator,
the EUR Admin, or the EUR application.
• REMEDIATION - A REMEDIATION action request contains the details of the remediation action taken by the
remediator. When this request is polled by the Enforce Server, it is mapped to the corresponding smart response rule,
which is then executed for the given incident.
• DESYNC - The EUR Admin can desync incidents from the EUR application. This incident action request contains the
details (username and email) of the EUR Admin who triggered the desync request.
• EXPIRED - A scheduled script executing on the EUR application auto-updates the state of an incident to Expired if
the remediation period of the incident has elapsed. This triggers an EXPIRED incident action request.
The state of the incident is updated to "Closed", indicating that no other action can be taken on the incident. The
Enforce Server polls these incident action requests from ServiceNow, and the EUR application then deletes these
incident records from ServiceNow.

Workflow Activity: End
Activity Type: End
Workflow Stage: Completed
Description: Completion of a workflow execution. This is the last activity in a workflow execution.
The ServiceNow administrator can access the default out-of-box workflow, DLP Incident Remediation Process
Workflow, on ServiceNow. This default workflow is already active and is therefore triggered when an incident is
remediated.
NOTE
Ensure that the ServiceNow administrator has only one active workflow assigned to remediate an incident.
1. In the ServiceNow console, navigate to Workflow > Workflow Editor.
2. Search for DLP Incident Remediation Process Workflow.
3. Click on DLP Incident Remediation Process Workflow.
4. On the DLP Incident Remediation Process Workflow page, ensure that this workflow is active.
By default, it is set to active.
In case it is not active, to activate it, click the Menu (with 3 horizontal lines) on the left-hand side corner and select
Set active.
To set it to inactive, click the Menu (with 3 horizontal lines) on the left-hand side corner and select Set inactive.
NOTE
If the workflow is in the inactive state, it is not triggered while remediating an incident.
5. Click the Workflow Properties "i" icon on the right-hand-side corner and ensure the following.
– On the Workflow Properties page > Application tab, Symantec DLP End User Remediation is selected in the
Application field. By default, it is selected.
– On the Workflow Properties page > General tab, DLPIncident (x_symct_dlp_eur_dlpincident) is selected in
the Table field. By default, it is selected.
Customizing the workflow in ServiceNow
• Remediation Incident Action Request
When an incident is remediated by the remediator (incident state is ‘Remediated’), the incident action type should be set
to REMEDIATION. The value of the ‘u_responserule_id’ column should be the response rule id of the remediation action
performed, and the value of the ‘u_requested_by’ column is the email address of the remediator.
Table 835: Expired Incident Action Request
After any incident action request is created, the state of the incident should be updated to ‘Closed’ to ensure no further
action can be taken on the incident.
Refer to the out-of-box workflow for more details. See About workflows in ServiceNow.
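The following JavaScript is an added example, not code from the EUR application or its out-of-box workflow. It models the decisions described above: which incident states complete the "Wait for Condition" activity, which of those re-enter the assignment path, which incident action request (REMEDIATION, DESYNC or EXPIRED) is generated for each of the others, and the rule that the incident is set to 'Closed' once a request exists. The column names u_responserule_id and u_requested_by and the action types come from this page; the shape of the incident object, the field names u_action_type and u_requested_by_name, the treatment of 'Remediator Changed' as a reassignment, and the deadline check are assumptions.

```javascript
// Added example (not EUR application code): models the state handling of the
// DLP Incident Remediation Process Workflow described on this page.
// Column names u_responserule_id and u_requested_by are from the page; the
// incident object shape and the other field names are assumptions.

// States that complete the "Wait for Condition" activity.
const WAIT_EXIT_STATES = new Set([
  'Remediated', 'Deleted', 'Reassigned', 'Remediator Changed', 'Expired',
]);

// States that lead back into the assignment path (a new owner is assigned)
// rather than into "Generate Incident Action Request" (assumption for
// 'Remediator Changed').
const REASSIGN_STATES = new Set(['Reassigned', 'Remediator Changed']);

function waitConditionMet(state) {
  return WAIT_EXIT_STATES.has(state);
}

// Name of the activity the workflow moves to for a given incident state.
function nextActivity(state) {
  if (!waitConditionMet(state)) return 'Wait';
  return REASSIGN_STATES.has(state)
    ? 'Assign DLP Incident Owner'
    : 'Generate Incident Action Request';
}

// The scheduled expiry check: an incident whose remediation deadline has
// passed is marked Expired. Both arguments are ISO-8601 timestamps.
function isExpired(deadlineIso, nowIso) {
  return Date.parse(nowIso) > Date.parse(deadlineIso);
}

// Builds the incident action request record for a state that ends the wait.
// Returns null for states that re-enter assignment, since no request is
// polled by the Enforce Server in that case.
function generateIncidentActionRequest(incident) {
  switch (incident.state) {
    case 'Remediated':
      // REMEDIATION must carry the response rule id and the remediator's
      // email; Enforce maps the id to the smart response rule it executes.
      if (!incident.responseRuleId || !incident.remediatorEmail) {
        throw new Error('REMEDIATION request requires responseRuleId and remediatorEmail');
      }
      return {
        u_action_type: 'REMEDIATION',
        u_responserule_id: incident.responseRuleId,
        u_requested_by: incident.remediatorEmail,
      };
    case 'Deleted':
      // DESYNC records who (username and email) triggered the desync.
      return {
        u_action_type: 'DESYNC',
        u_requested_by: incident.eurAdminEmail,
        u_requested_by_name: incident.eurAdminName, // assumed field name
      };
    case 'Expired':
      return { u_action_type: 'EXPIRED' };
    default:
      return null;
  }
}

// Runs the "Processed" stage: generate the request, then close the incident
// so that no further action can be taken on it.
function processIncident(incident) {
  const request = generateIncidentActionRequest(incident);
  if (request === null) {
    return { incident: incident, request: null };
  }
  return {
    incident: Object.assign({}, incident, { state: 'Closed' }),
    request: request,
  };
}
```

A custom workflow script that follows the same contract would populate the same two columns for a REMEDIATION request and set the state to 'Closed' afterwards; the validation in the 'Remediated' branch is there because a request without a response rule id cannot be mapped to a smart response rule on the Enforce Server.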
About use cases for customizing the remediation workflow in ServiceNow
The ServiceNow administrator can customize the out-of-box remediation workflow to suit specific requirements of their
organization. Some of the many use cases that can be solved using End User Remediation are as follows.
• Escalation - Remediation period has expired:
The ServiceNow administrator can define a process in the EUR application to escalate the incident to the assigned
remediator's manager if the remediator does not remediate the assigned incident within a certain period of time (as
defined in the ‘Remediation deadline’ field). The newly assigned remediator is expected to take action on the
incident within the Remediation deadline, and the process continues until the incident is remediated.
• Escalation - Out of Office:
The ServiceNow administrator can define workflows in the EUR application such that if the remediator has marked
themselves as Out of Office (OOO) in their email client, then the incident will be automatically assigned and sent
to their manager or any other end user (as defined in the workflow).
This may be achieved by processing the OOO response.
• InfoSec approval for remediation:
NOTE
An InfoSec user can be anyone from the organization, who would review the remediation action performed
by a remediator and either approve or reject the request.
The ServiceNow administrator can define complex workflows in the EUR application based on the approval or rejection
by the InfoSec team member.
For example, when the first remediator takes a remediation action on the incident, the InfoSec team can receive
an email with the incident details and the action taken. The InfoSec team member can then approve or reject the
action taken. If the remediation action is approved, the workflow concludes and the incident closes. If the
remediation action is rejected, the incident is reassigned to the manager of the remediator and the workflow
continues.
• Multiple Step Workflow:
The ServiceNow administrator can define workflows in the EUR application that execute multiple steps and, depending
on the action taken, notify stakeholders of the remediation action.
For instance, if the first remediator marks the incident as ‘Major Exposure’, a notification should be sent to the
InfoSec team. If the incident is marked as a ‘Minor Exposure’, a notification should be sent to the Training
department.
The EUR application generates an email that contains the details of the incident and sends it to the remediator. This
email is generated using the out-of-box notification provided by the EUR application: DLP Incident Notification. This
notification uses the out-of-box email notification script, layout, and template. The DLP Incident Notification contains
details of the incident that caused the notification, and the remediation actions the end user can take.
The email is divided into the following three parts:
• Header: Contains basic incident details, such as Incident ID, remediation request expiry date, and so on.
• Message Body: Contains details of the incident.
• Footer: Contains the mandatory details needed to perform the remediation action, such as the list of smart response
rule actions as links.
The ServiceNow administrator can customize the default email notification template and email layout to modify the color,
font, images, and layout of the incident information.
ServiceNow Components Required for Email Notifications
Figure 25: DLP Notification template components
The ServiceNow components required for the DLP Notification template are as follows:
• Notification: Contains details, such as when to generate a remediation email, whom to send the email, and what
should be the content of the email.
• Email layout: Contains reusable content for the message body of email templates.
Email layout is used to customize the display by customizing the text font, size, and color of the email text. The
notification template HTML contains a style tag at the top. The ServiceNow administrator can modify the CSS styles
present in this tag. This updates the look and feel of the email, but the layout remains the same. The ServiceNow
administrator can also insert images while customizing the display.
Email layout can be used for the following:
• To specify consistent layout such as always displaying a header, body, and footer.
• To display static content on all email notifications, such as a company logo or a background.
• To provide links to common response rule actions.
• To declare inline styles.
• Email template: Contains reusable content for the subject line and message body of email notifications. It is used to
get dynamic content of an incident using scripts.
• Notification email scripts: Contains the notification message content used to print from a server-side script. They are
used to display the incident details received from utility scripts as specified by the ServiceNow administrator in a table
or paragraph format.
For example, in the EUR application we have coded the email scripts so that the Match highlights incident attributes
are 70% masked. This masking percentage can be customized or removed.
NOTE
Beginning with Symantec Data Loss Prevention version 16.0, masking of confidential data can also be
configured on the Enforce Server administrator console. For more information, see Incident Masking
Overview and Setting Up Masking for Roles. If the masking percentage is enabled on both the Enforce
Server administrator console and the EUR application, then the greater of the two masking percentages is
applied on the match highlights sent through the EUR email to the remediator. The masking configuration for
the user initiating EUR Remediation Configuration on the Enforce Server administrator console is evaluated
by DLP. For example, if the masking percentage on the EUR application is unchanged (70%) and masking
is also applied on the Enforce Server administrator console (50%), then the matches are 70% masked in the
email received by the remediator.
Masking adds an additional layer of security. Similarly, the email script can be updated based on the organization's
policies and requirements.
A notification email script is used to customize the content, such as incident information and incident details, along with
the display format. The EUR application provides utility scripts to get the incident data for a given incident. To customize
the email, the ServiceNow administrator can create custom email notification scripts and include EUR utility scripts.
After getting the data with the help of EUR utility scripts, the ServiceNow administrator can create a custom email
notification template and include these custom scripts. The ServiceNow administrator can create a layout as required,
such as a plain text layout or a tabular layout, and change colors, fonts, images, and so on.
• Script includes: Contains utility functions and classes that connect with the ServiceNow database to get the required
incident details.
• ServiceNow database: Contains the details of the incidents synced from the Enforce Server.
See Customizing the email content and format in ServiceNow
See Customizing the email layout in ServiceNow
See Customizing the email template in ServiceNow
See Assigning email templates to workflows in ServiceNow
Customizing the Email Content and Format in ServiceNow
The ServiceNow administrator can customize the content (masked, plain text), and format (tabular, and so on) of the
incident details that are displayed in the email sent to the remediator.
To customize the out-of-box email script, perform the following steps.
NOTE
It is recommended that the ServiceNow administrator create a copy of the out-of-box DLP Incident Email Script
and then customize the copy. Do not update the out-of-box email script directly.
1. In the ServiceNow console, navigate to System Notification > Email > Notification Email Scripts.
2. Click New.
3. On the Email Script page, enter the following information:
• Name
• Application: Ensure that the ServiceNow administrator selects Symantec DLP End User Remediation from the
list box.
• Script: Use the utility scripts (EURNotificationUtils) provided in the EUR application to get the incident
details. Specify the details of the email script, such as the following:
– The incident attributes
– The masking percentage. Two masking percentages apply: the one defined on the Enforce Server administrator
console for the user initiating the EUR process, and the one defined in the EUR application. The greater of the
two is applied in the EUR email.
NOTE
Back up the email script before you update the masking percentage.
– The remediation actions that need to be part of the remediation email.
You can specify how the details of the remediation actions are displayed in the email, such as in tabular format or in
paragraph format.
4. Click Submit to save the customized email script.
Customizing the email layout in ServiceNow
The ServiceNow administrator can customize the look and feel of the email body, such as adding a logo or updating
content, by using CSS styles.
To customize the out-of-the-box email layout, perform the following steps.
NOTE
It is recommended that the ServiceNow administrator create a copy of the out-of-box DLP Incident Email
Layout and then customize the copy. Do not update the out-of-box email layout directly.
1. In the ServiceNow console, navigate to System Policy > Email > Layouts.
2. Click New.
3. On the Email Layout page, enter the following.
– Name
– Application: Ensure that the ServiceNow administrator selects Symantec DLP End User Remediation from the
list box.
– Layout: Specify the details of the email layout, such as the theme to be used in the remediation email for an
organization. The theme can comprise a specific set of colors, fonts, a company logo, and so on. Click the
Source Code menu option to edit the HTML source code.
4. Click Submit to save the customized email layout.
Customizing the email template in ServiceNow
The ServiceNow administrator can customize the email template, which combines the email layout and the email script,
that is, the content and format of the email.
To customize the out-of-the-box email template, perform the following steps.
NOTE
It is recommended that the ServiceNow administrator create a copy of the out-of-box DLP Incident Email
Template and then customize the copy. Do not update the out-of-box email template directly.
1. In the ServiceNow console, navigate to System Notification > Email > Templates.
2. Click New.
3. On the Email Template page, enter the following.
– Name
– Table: Ensure that the ServiceNow administrator selects DLPIncident (x_symct_dlp_eur_dlpincident) from the
list box.
– Email layout: Select the default DLP Email Notification layout or the customized email layout.
See Customizing the email layout in ServiceNow.
– Message HTML: You can copy the default email script details or customize email script details to get dynamic
content of an incident using the scripts.
See Customizing the email content and format in ServiceNow.
4. Click Submit to save the customized email template.
Assigning email templates to workflows in ServiceNow
Email templates are assigned to email notifications, which are in turn mapped to workflow events. When a
workflow event is triggered, it in turn triggers the email notification.
The ServiceNow administrator can update the default DLP Incident Notification and add the default or a customized
Notification Email Template as required. The Notification Email Template in turn can have the default or a customized
DLP Notification Email Layout and DLP Notification Email Scripts attached to it.
1. In the ServiceNow console, navigate to System Notification > Email > Notifications.
2. On the Notifications page, search for DLP.
3. Click on DLP Incident Notification.
4. On the Notification - DLP Incident Notification page, on the What it will contain tab, enter the following.
– Email template: Select the customized email template from the list box.
See Customizing the email template in ServiceNow.
– Subject: Enter the appropriate subject text. The Incident ID is appended at the end of the subject.
5. Click Preview Notification to view the updates made in the DLP Incident Notification.
6. Click Update to save the changes.
Security guidelines for selecting incident attributes when using End User
Remediation
The DLP data sent to ServiceNow is extremely sensitive. Symantec recommends that ServiceNow administrators configure
the ServiceNow-provided security controls to protect sensitive DLP data. DLP incident attributes, such as attachments and
match highlights, are sent through email by ServiceNow to incident remediators. As a result, it is important to configure
security controls in ServiceNow to protect this information.
The overall security of the file attachments and match highlights depends on secure configuration of the ServiceNow
instance. Follow the security practices established by your organization. Additionally, Symantec recommends the
following:
• Disable the email attachment option on the Enforce Server. This will prevent attachments with sensitive content from
being sent through email.
To disable the email attachment option, on the End User Remediation - Incident Configuration page, do not select
the File attribute for an incident attribute.
• Disable the matches option on the Enforce Server.
To disable the matches option, on the End User Remediation - Incident Configuration page do not select the
Matches attribute for an incident attribute.
• Enable the database encryption option on ServiceNow. See Security aspects in ServiceNow.
Consult the official documentation of your ServiceNow release for authoritative information on security levels offered by
ServiceNow.
• Enable TLS for ServiceNow emails. This is effective only if the receiving MTA (customer side) enforces
TLS rather than treating TLS as optional. Otherwise, the ServiceNow administrator needs to configure the email server
appropriately on ServiceNow.
• Consider using Symantec CloudSOC CASB to scan the audit logs.
• Consider implementing Symantec DLP Endpoint Agents to monitor the remediator endpoint.
• Consider integrating Data Loss Prevention with Microsoft Information Protection to protect sensitive data in the user
email inbox.
The following figure shows the three levels of security controls to protect confidentiality, integrity, and availability of data
offered by ServiceNow.
Figure 26: Levels of security in ServiceNow
• Database level
Database encryption enables you to protect all the data with symmetric AES-256 encryption. By default, the data
stored on the ServiceNow platform is not encrypted. Symantec recommends that the ServiceNow administrator
enable database-level encryption to encrypt the ServiceNow database. The ServiceNow administrator needs
to have ServiceNow activate Database Encryption for the instances running in the ServiceNow environment. The
service is chargeable; contact ServiceNow to enable it, as the ServiceNow console does not provide an option to
enable database encryption. Similarly, the ServiceNow administrator can have database encryption disabled as required.
• Application level
The ServiceNow administrator can restrict access to their application data by implementing role-based access controls.
The roles control access to features and capabilities in the EUR application and modules. These roles are user,
remediator, and admin. Any user who is not associated with one of these roles does not have access to the End
User Remediation functionality: they can neither receive EUR emails nor perform any remediation action.
• Attribute level
Attribute-level security is achieved by masking the match information that is configured to be sent
to remediators through email. Currently, only the match highlights attribute is masked, to 70%. The masking percentage
can be increased or decreased in the EUR application based on the organization's policy. In addition to the
attribute-level masking, DLP also provides the ability to mask all confidential data before it is sent to the EUR
application. You can mask the incident attribute data before it reaches the EUR application on ServiceNow. If a
masking percentage is defined in both the Enforce Server administrator console and the EUR application, the
higher masking percentage is applied to the match highlights. This behavior ensures that the sensitive information is
not completely visible in the end user's mailbox, so it may not pose a significant threat even if the email is
forwarded by the end user.
NOTE
The EUR application resources cannot be accessed by other applications installed on ServiceNow.
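The following JavaScript is an added example, not the EUR application's own notification email script. It implements the attribute-level masking rule stated in this section and in the earlier NOTE on email scripts: the match highlights are masked to a percentage, and when a percentage is configured both on the Enforce Server (for the user that runs the EUR Remediation Configuration) and in the EUR application, the greater of the two is applied. The 70% default and the 50%/70% comparison come from this page; the masking style (the leading characters are kept and the trailing portion is replaced with '*'), the rounding rule, the function names and the sample matches are assumptions.

```javascript
// Added example (not EUR application code): the attribute-level masking rule
// for match highlights. The 70% default is the page's value; masking the
// trailing portion of each highlight with '*' is an assumption.

const EUR_DEFAULT_MASK_PERCENT = 70;

function validatePercent(p) {
  if (!Number.isInteger(p) || p < 0 || p > 100) {
    throw new RangeError('masking percentage must be an integer from 0 to 100');
  }
  return p;
}

// Effective percentage: when masking is configured both on the Enforce Server
// (for the user running the EUR Remediation Configuration) and in the EUR
// application, the greater value wins. Pass null when Enforce has no value.
function effectiveMaskPercent(enforcePercent, eurPercent) {
  const eur = validatePercent(
    eurPercent === undefined ? EUR_DEFAULT_MASK_PERCENT : eurPercent,
  );
  if (enforcePercent === null || enforcePercent === undefined) return eur;
  return Math.max(validatePercent(enforcePercent), eur);
}

// Masks `percent` of the characters of one match highlight. The count is
// rounded up so that any non-zero percentage hides at least one character of
// a non-empty highlight; an empty highlight stays empty.
function maskText(text, percent) {
  validatePercent(percent);
  const masked = Math.ceil((text.length * percent) / 100);
  return text.slice(0, text.length - masked) + '*'.repeat(masked);
}

// Masks every match highlight that will be placed in the remediation email.
function maskMatchHighlights(matches, enforcePercent, eurPercent) {
  const percent = effectiveMaskPercent(enforcePercent, eurPercent);
  return matches.map((m) => maskText(m, percent));
}

// Constructed sample matches (not real data) for a quick run.
const SAMPLE_MATCHES = ['4111111111111111', 'jane.doe@example.com'];

// Example: Enforce masks at 50%, EUR at its 70% default -> 70% applied.
function sampleMaskedMatches() {
  return maskMatchHighlights(SAMPLE_MATCHES, 50, EUR_DEFAULT_MASK_PERCENT);
}
```

Because the rule takes the maximum, lowering the percentage in the EUR application alone does not reveal more of a match if the Enforce-side masking for the integration user is higher; both settings have to be reviewed together when the organization changes its masking policy.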
About Troubleshooting Incidents
You can view the incident details for troubleshooting on the Enforce Server and in the ServiceNow console.
Data Loss Prevention Enforce Server-side troubleshooting
For troubleshooting of the incidents, the DLP administrator can view the incident details on the Enforce Server
administration console as follows:
• Incident history
See Incident history.
• Events > System Events
See Server and Detectors event detail and System events reports.
• On the Enforce Server:
– Remediation Configuration Execution Logging
This lets DLP administrators troubleshoot EUR Remediation Configuration issues or errors without
going through the manager logs. The log file name is generated dynamically from the EUR Remediation
Configuration name.
The path of this log file is:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\debug\eur_configuration_<Remediation_Configuration_Name>.log
The logging details are configurable through the properties specified in the ManagerLogging.properties file
available under the "<Protect installation path>/config" folder.
To change the log settings, update the ManagerLogging.properties file. For the finest log level, set the
following property:
com.vontu.manager.enduserremediation.logging.EURConfigurationExecutionLogHandler.level = FINEST
– Incident Action Request Poller Operational Logging
The incident action request poller job writes its operational log to the file "eur_operational.log" in the folder
used for logs.
The path of this log file is:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.10000\logs\eur_operational.log
The logging detail is configurable through the properties specified in the ManagerLogging.properties file
available under the "<Protect installation path>/config" folder.
To change the log settings, update the ManagerLogging.properties file. For the finest log level, set the
following property:
com.vontu.manager.enduserremediation.logging.EURLogHandler.level = FINEST
ServiceNow-side troubleshooting
For troubleshooting of the incidents, the ServiceNow administrator can view the incident details on the ServiceNow
instance as follows:
• Application logs
The EUR application logging is done at the ServiceNow system level. These logs contain the log statements of all the
applications installed on the ServiceNow instance. To view EUR specific information log statements, the App Logs
have to be filtered by App Scope for 'Symantec DLP End User Remediation'.
In the ServiceNow console, navigate to System Logs > System Log > Application Logs.
• Through the Workflow context
a. In the ServiceNow console, navigate to Workflow > Workflow Editor.
b. Search for DLP Incident Remediation Process Workflow.
c. Click on DLP Incident Remediation Process Workflow.
d. On the DLP Incident Remediation Process Workflow page, click the Menu (with 3 horizontal lines) on the left-
hand side corner and select Show Contexts.
e. On the Contexts page, click on the appropriate incident.
• Email logs
The ServiceNow administrator can view the outbound and inbound email logs.
In the ServiceNow console, navigate to System Logs > Emails.
• Error logs
The ServiceNow administrator can view the error logs.
In the ServiceNow console, navigate to System Logs > System Log > Errors.
Troubleshooting incidents
The following scenarios explain the general steps for tracing an incident.
• Incidents are synced from the Enforce Server to ServiceNow, but the assignment fails in ServiceNow
– Verify that the last EUR Remediation Configuration ran successfully and that no warning symbol is visible on the last
execution.
– Check the system events for any error. In case of an error, check the logs on the Enforce Server.
– Verify the status of the incidents in the report.
– Verify whether the synced incidents are assigned to an appropriate user. If not, the incident is updated with
the status Assignment Failed. Check the workflow contexts for the exact cause.
• The remediator does not receive a remediation email from the EUR application
– Verify that the last EUR Remediation Configuration ran successfully and that no warning symbol is visible on the last
execution.
– Check the system events for any error. In case of an error, check the logs on the Enforce Server.
– Verify the status of the incidents in the report.
– Verify whether the synced incidents are assigned to an appropriate user.
– If the incident is assigned to the appropriate user, verify the email sending property on ServiceNow under Email
Outbound Configuration in Email Properties.
– Check the email logs for the status of the email, or the error if any.
The following table describes how the DLP administrator or the EUR Admin can trace incidents
and troubleshoot the flow of End User Remediation on the Enforce Server and ServiceNow.
Table 837: Troubleshooting incidents

1. Where: Enforce Server
Issue: EUR Remediation Configuration fails to execute (warning symbol is visible on last execution)
Possible cause: Integration user does not have the EUR Admin role assigned
Resolution: Check if the Integration user has the EUR Admin role privileges. Syncing of incidents is allowed only if the
integration user is authorized, that is, they have the EUR Admin role privileges assigned.

2. Where: Enforce Server
Issue: Incident state on ServiceNow gets updated after remediation, but it is not reflected on the Enforce Server
Possible cause: The Enforce Server may not have been configured to execute the schedule for the Response Rule
Execution Service
Resolution: Set the following property in the Manager.properties file.
com.vontu.enforcewebservices

3. Where: ServiceNow
Issue: Incidents are synced to ServiceNow, but emails have not been sent
Possible cause: Email sending on ServiceNow is not enabled
Resolution: Enable email sending on ServiceNow under Email Outbound Configuration in Email Properties.

4. Where: ServiceNow
Issue: Remediation emails are on ServiceNow, but neither the state of the incident nor the workflow stage is updated
Possible causes:
• User does not have the required authorization
• User is locked out
• Watermarks in the email could be tampered
Resolution:
• Check the roles assigned to the user. The user should have the EUR Remediator role assigned.
• Check if the user is locked out of the ServiceNow instance.
• Check if the watermarks in the email have been tampered with by comparing those in the emails sent to and received
by the remediator.
See Configuring EUR incident sync between Enforce and ServiceNow.
• Schedule EUR Remediation Configuration execution for DAR incidents when the load on the Enforce Server is
comparatively low.
• Prioritize the incident reports that need to be sent to the EUR application and schedule EUR Remediation
Configurations accordingly.
• Ensure that the reports are configured properly, for example by using the report filters to narrow the list of incidents.
The following incident actions are available for an incident list:

Add Note
  Add a brief note to the selected incident(s). The comment appears on the Incident History tab of the
  Incident Snapshot page for each selected incident.
  The limit for the Add Note field is 4000 bytes.
Delete Incidents
  Delete the selected incident(s) from the Symantec Data Loss Prevention system.
  Proceed cautiously when deleting incidents. All data that is associated with the incident(s) is removed.
  This operation cannot be reversed.
Export Selected: CSV
  Export the selected incident(s) to a comma-separated (.csv) file.
Export Selected: XML
  Export the selected incident(s) to an XML file.
Hide/Unhide
  Select one of the following incident hiding actions to set the hidden state for the selected incidents:
  • Hide Incidents—Flags the selected incidents as archived.
  • Unhide Incidents—Restores the selected incidents to the non-archived state.
  • Do Not Hide—Prevents the selected incidents from being archived.
  • Allow Hiding—Allows the selected incidents to be archived.
  See About incident hiding.
Lookup Attributes
  Use the configured lookup plug-ins to look up the configured attributes.
Set Attributes
  Display the Set Attributes page so you can enter or edit the attribute values for the selected
  incident(s).
Set Data Owner
  Set the following Data Owner attributes:
  • Name
  • Email Address
Set Incident Remediator
  Set the following Incident Remediator attributes:
  • Name
  • Email Address
Set Severity
  Change the severity that is set for the selected incident(s) to one of the options under Set Severity.
Set Status
  Change the status of the selected incident(s) to one of the options under Set Status. A system
  administrator can customize the options that appear on this list on the Incident Attributes page.
  See About incident status attributes.
Run Smart Response
  Perform one of the listed responses on the selected incident(s). When you click a response rule, the
  Execute Response Rule page appears.
  These manual response rules are available only if you have permission to remediate.
General incident variables
The following general variables are available for all incident types:

$APPLICATION_NAME$
  Specifies the name of the application that is associated with the incident.
$ATTACHMENT_FILENAME$
  Specifies the name of the attached file.
$BLOCKED$
  Indication of whether or not Symantec Data Loss Prevention blocked the message (yes or no).
$DESTINATION_IP$
  Specifies the destination IP address.
$INCIDENT_ID$
  The unique identifier of the incident.
$INCIDENT_SNAPSHOT$
  The fully qualified URL to the incident snapshot page for the incident.
$MATCH_COUNT$
  The incident match count.
$MATCHING_RECIPIENT_DOMAINS$
  For policies that use recipient pattern type rules, indicates the domains of the users that matched the recipient
  rule for email-based activities. This variable is not applicable to other types of user activities such as file
  uploads, copying files to network shares, and so on.
$OCCURED_ON$
  Specifies the date on which the incident occurred. This date may be different from the date the incident was
  reported.
$POLICY$
  The name of the policy that was violated.
$POLICY_RULES$
  A comma-separated list of one or more policy rules that were violated.
$PROTOCOL$
  The protocol, device type, and target type of the incident, where applicable.
$RECIPIENTS$
  A comma-separated list of one or more message recipients.
$REPORTED_ON$
  Specifies the date on which the incident was reported.
$MONITOR_NAME$
  Specifies the detection server or cloud detector that created the incident.
$SENDER$
  The message sender.
$SEVERITY$
  The severity that is assigned to the incident.
$STATUS$
  Specifies the remediation status of the incident.
$SUBJECT$
  The subject of the message.
$URL$
  Specifies the file path or location.
$DATAOWNER_NAME$
  The person responsible for remediating the incident. This field must be set manually, or with one of the lookup
  plug-ins.
  Reports can automatically be sent to the data owner for remediation.
$DATAOWNER_EMAIL$
  The email address of the person responsible for remediating the incident. This field must be set manually, or
  with one of the lookup plug-ins.
Discover incident variables
The following Network Discover and Network Protect incident variables are available:
$DATAOWNER_NAME$ The person responsible for remediating the incident. This field must be set
manually, or with one of the lookup plug-ins.
Reports can automatically be sent to the data owner for remediation.
$DATAOWNER_EMAIL$ The email address of the person responsible for remediating the incident. This
field must be set manually, or with one of the lookup plug-ins.
$ENDPOINT_MACHINE$ The name of the endpoint computer that generated the violation.
$PATH$ The full path to the file in which the incident was found.
$FILE_NAME$ The name of the file in which the incident was found.
$PARENT_PATH$ The path to the parent directory of the file in which the incident was found.
$QUARANTINE_PARENT_PATH$ The path to the parent directory in which the file was quarantined.
$SCAN_DATE$ The date of the scan that found the incident.
$TARGET$ The name of the target in which the incident was found.
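The two variable lists above are placeholders that Symantec Data Loss Prevention substitutes into response-rule output such as the body of a notification email. The following Python is an added illustration, not product code and not taken from this help page: it expands $VARIABLE$ tokens from the general and Discover lists, renders $BLOCKED$ as yes or no and list-valued variables as comma-separated text, and leaves a token literal (while reporting it) when the name is unknown, when a Discover-only variable is used on a non-Discover incident, or when the value is unset, as the Data Owner fields are until a person or a lookup plug-in sets them. The incident record, the template text and the snapshot URL are constructed for the example; how the product itself treats unknown or unset variables is not described on this page, so that behaviour is an assumption made here.

```python
import re
from datetime import datetime, timezone

# Variables the page lists as available for every incident type.
GENERAL_VARIABLES = {
    "APPLICATION_NAME", "ATTACHMENT_FILENAME", "BLOCKED", "DESTINATION_IP",
    "INCIDENT_ID", "INCIDENT_SNAPSHOT", "MATCH_COUNT",
    "MATCHING_RECIPIENT_DOMAINS", "OCCURED_ON", "POLICY", "POLICY_RULES",
    "PROTOCOL", "RECIPIENTS", "REPORTED_ON", "MONITOR_NAME", "SENDER",
    "SEVERITY", "STATUS", "SUBJECT", "URL", "DATAOWNER_NAME", "DATAOWNER_EMAIL",
}

# Variables the page lists only for Network Discover / Network Protect incidents.
DISCOVER_VARIABLES = {
    "ENDPOINT_MACHINE", "PATH", "FILE_NAME", "PARENT_PATH",
    "QUARANTINE_PARENT_PATH", "SCAN_DATE", "TARGET",
}

# $NAME$ tokens: upper-case letters and underscores, as in the page's lists.
TOKEN = re.compile(r"\$([A-Z_]+)\$")


def format_value(name, value):
    """Render one variable value the way the page describes it."""
    if name == "BLOCKED":                       # page: "yes or no"
        return "yes" if value else "no"
    if isinstance(value, (list, tuple, set)):   # page: comma-separated lists
        return ", ".join(str(v) for v in value)
    if isinstance(value, datetime):
        return value.isoformat(timespec="seconds")
    return str(value)


def expand_incident_variables(template, incident, is_discover):
    """Expand $VARIABLE$ tokens in a response-rule template.

    Returns (text, unresolved). A token stays literal, and its name is appended
    to unresolved, when it is not a known variable, when it is a Discover-only
    variable on a non-Discover incident, or when the incident has no value for
    it (for example a Data Owner nobody has set). Leaving the token visible is a
    choice made in this example (assumption, not documented product behaviour)
    so that a broken template is noticed instead of silently blanked.
    """
    allowed = GENERAL_VARIABLES | (DISCOVER_VARIABLES if is_discover else set())
    unresolved = []

    def replace(match):
        name = match.group(1)
        if name not in allowed or incident.get(name) is None:
            unresolved.append(name)
            return match.group(0)
        return format_value(name, incident[name])

    return TOKEN.sub(replace, template), unresolved


# Constructed sample incident; not exported from a real Enforce Server.
SAMPLE_INCIDENT = {
    "INCIDENT_ID": 1048576,
    "POLICY": "Payment Card Data",
    "POLICY_RULES": ["Credit Card Numbers", "Magnetic Track Data"],
    "SEVERITY": "High",
    "STATUS": "New",
    "BLOCKED": True,
    "SENDER": "bsmith@example.com",
    "RECIPIENTS": ["partner@example.net"],
    "MATCH_COUNT": 12,
    "OCCURED_ON": datetime(2024, 3, 5, 14, 2, 7, tzinfo=timezone.utc),
    "INCIDENT_SNAPSHOT": "https://enforce.example.com/incidents/1048576",  # assumed URL shape
    "PATH": "/srv/finance/q3/cardholders.xlsx",   # Discover-only variable
    "TARGET": "Finance file share",               # Discover-only variable
    "DATAOWNER_EMAIL": None,                      # never set manually or by a plug-in
}

# Constructed template in the style of an email notification body.
SAMPLE_TEMPLATE = (
    "Policy $POLICY$ violated by $SENDER$ (incident $INCIDENT_ID$, "
    "severity $SEVERITY$, blocked: $BLOCKED$, occurred $OCCURED_ON$).\n"
    "Rules: $POLICY_RULES$\n"
    "File: $PATH$ on $TARGET$\n"
    "Owner: $DATAOWNER_EMAIL$\n"
    "Snapshot: $INCIDENT_SNAPSHOT$\n"
)


def render_sample(is_discover):
    """Expand the sample template as a network incident or a Discover incident."""
    return expand_incident_variables(SAMPLE_TEMPLATE, SAMPLE_INCIDENT, is_discover)


if __name__ == "__main__":
    for flag in (False, True):
        text, missing = render_sample(flag)
        print(f"--- is_discover={flag}, unresolved={missing}\n{text}")
```

Run as a network incident the Discover-only $PATH$ and $TARGET$ tokens survive untouched and are reported, which is the check a practitioner wants before reusing one template across incident types; run as a Discover incident only the unset Data Owner is reported.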
• Network incident list
• Network incident list—Actions
• Network incident list—Columns
• Network Incident Snapshots
• Network incident snapshot—Heading and navigation
• Network Incident Snapshot—General Information
• Network incident snapshot—Matches
• Network incident snapshot—Attributes
• Network summary report
Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention sorts
incidents by date.
The Type column shows an icon that indicates the type of network incident. The icon corresponds to one of the following protocols:
• SMTP. A second icon indicates a message attachment.
• HTTP. Symantec Data Loss Prevention also detects the Yahoo and MSN IM traffic that is tunneled through HTTP. A second icon indicates an attachment to Web-based email.
• HTTPS
• FTP
• NNTP
• IM:MSN
• IM:AIM
• IM:Yahoo
• TCP:custom_protocol
This column also indicates whether the communication was blocked or altered. Incident block or altered status shows the possible values.
Network incident list—Actions
Action Description
Add Note Select to open a dialog box, type a comment, and then click OK.
Hide/Unhide Select one of the following archive actions to set the archive state
for the selected incidents:
• Hide Incidents—Flags the selected incidents as archived.
• Unhide Incidents—Restores the selected incidents to the
non-archived state.
• Do Not Hide—Prevents the selected incidents from being
archived.
• Allow Hiding—Allows the selected incidents to be archived.
Delete Incidents Select to delete specified incidents.
Export Selected: CSV Select to save the specified incidents in a comma-separated text (.csv) file.
Export Selected: XML Select to save the specified incidents in an XML file.
Both formats can be displayed in several common applications, such as Microsoft Excel.
Lookup Attributes Use lookup plug-ins to look up incident custom attributes.
Run Smart Response Select to run a Smart Response rule that you or your administrator
configured. (To configure a Smart Response rule, navigate to
Policy > Response Rules, click Add Response Rule, and select
Smart Response.)
Set Attributes Select to set attributes for the selected incidents.
Set Data Owner Set the data owner name or email address. The data owner is the
person responsible for remediating the incident.
Reports can automatically be sent to the data owner for
remediation.
Set Incident Remediator Set the incident remediator name or email address. The incident
remediator is the person responsible for remediating the incident
using End User Remediation.
The EUR application sends an email to the incident remediator for
remediation.
See About End User Remediation.
Set Severity Select to set severity.
Set Status Select to set status.
Network incident list—Columns
Incident information is divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time. By default, Symantec Data Loss Prevention lists
incidents by date.
The report includes the following columns:
• Check boxes that let you select incidents to remediate.
You can select one or more incidents to which to apply commands from the Incident drop-down menu at the top of the
list. Click the checkbox at the top of the column to select all incidents on the current page. (Note that you can also click
Select All at far right to select all incidents in the report.)
• Type
The protocol over which the match was detected.
• Subject/Sender/Recipient(s)
Message subject, sender email address or IP address, recipient email address(es), or URL(s).
• Sent
Date and time the message was sent.
• ID/Policy
Symantec Data Loss Prevention incident ID number and the policy against which the incident was logged.
• Matches
Number of matches in the incident.
• Sev
Incident severity as determined by the severity setting of the rule the incident matched.
The possible values are as follows:
Icon Description
High
Medium
Low
For information only
• Status
Current incident status.
The possible values are as follows:
– New
– In Process
– Escalated
– False Positive
– Configuration Errors
– Resolved
You or your administrator can add new status designations on the Attribute Setup page.
Network Incident Snapshots
An incident snapshot provides detailed information about a particular incident. The snapshot displays general incident
information, matches detected in the intercepted text, and incident attributes. The snapshot also enables you to execute
any Smart Response rules that you have configured.
The incident snapshot is divided into three panes, with navigation and Smart Response options. Click a link to view more
help about the incident snapshot:
Navigation and Smart Response options Network incident snapshot—Heading and navigation
General incident information (left-hand pane) Network incident snapshot—General information
Matches in incident (middle pane) Network incident snapshot—Matches
Attributes (right-hand pane) Network incident snapshot—Attributes
If you configured any Smart Response rules, Symantec Data Loss Prevention displays the response options for executing
the rules at the top of the page. Depending on the number of Smart Response rules, a drop-down menu may also appear.
Table 840: Incident general information tabs
Tab Description
Key Info The Key Info tab shows the policy that was violated in the incident. This tab also shows the total number of
matches for the policy and the matches per policy rule. Click the policy name to view a list of all incidents
that violated the policy. Click view policy to view a read-only version of the policy.
This section also lists other policies that the same file violated. To view the snapshot of an incident that
is associated with a particular policy, click go to incident next to the policy name. To view a list of all
incidents that the file created, click show all.
The Key Info tab also includes the following information:
• The name of the detection server that recorded the incident.
• The date and time the message was sent
• The sender email or IP address
• The recipient email or IP addresses
• The SMTP heading or the NNTP subject heading
• If you use ProxySG, the following attribute information is visible:
– Source IP
– Category
– Server Geo
– Transaction ID
• The Is Hidden field displays the archived state of the incident and whether you can hide the incident.
You can toggle the Do Not Hide flag for the incident.
• Attachment file names. Click to open or save the file.
If a response rule tells Symantec Data Loss Prevention to discard the original message, you cannot
view the attachment.
• The person responsible for remediating the incident (Data Owner Name). This field must be set
manually, or with a lookup plug-in. Reports can automatically be sent to the data owner for remediation.
If you click a hyperlinked Data Owner Name, a filtered list of incidents by Data Owner Name is
displayed.
• The email address of the person responsible for remediating the incident (Data Owner Email
Address). This field must be set manually, or with a lookup plug-in.
If you click the hyperlinked Data Owner Email Address, a filtered list of incidents by Data Owner Email
Address is displayed.
• The person responsible for remediating the incident using End User Remediation (Incident
Remediator Name). This field must be set manually, or with a lookup plug-in.
If you click the hyperlinked Incident Remediator Name, a filtered list of incidents by Incident
Remediator Name is displayed.
• The email address of the person responsible for remediating the incident using End User Remediation
(Incident Remediator Email Address). This field must be set manually, or with a lookup plug-in.
If you click the hyperlinked Incident Remediator Email Address, a filtered list of incidents by Incident
Remediator Email Address is displayed.
History View the actions that were performed on the incident. For each action, Symantec Data Loss Prevention
displays the action date and time, the actor (a user or server), and the action or the comment.
Notes View any notes that you or others have added to the incident. Click Add Note to add a note.
Correlations You can view a list of those incidents that share attributes of the current incident. For example, you can
view a list of all incidents that a single account generated. The Correlations tab shows a list of correlations
that match single attributes. Click attribute values to view lists of those incidents that are related to those
values.
To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents
dialog box that appears, select the desired search attributes. Then click Find Incidents.
Note: The list of correlated incidents does not display related incidents that have been hidden.
Network incident snapshot—Matches
Matches are highlighted in yellow and organized according to the message component (such as header, body, or
attachment) in which they were detected. Symantec Data Loss Prevention displays the total relevant matches for each
message component. It shows matches by the order in which they appear in the original text. To view the rule that
triggered a match, click on the highlighted match.
Table 841: Summary report columns
Column Description
summary_criterion This column is named for the primary summary criterion. It lists
primary and (for double summaries) secondary summary items.
In a Policy Summary, this column is named Policy and it lists
policies. Click on a summary item to view a list of incidents that
are associated with that item.
Total The total number of incidents that are associated with the
summary item. In a Policy Summary, this column gives the total
number of incidents that are associated with each policy.
High Number of high-severity incidents that are associated with the
summary item. (The severity setting of the rule that was matched
determines the incident severity.)
Med Number of medium-severity incidents that are associated with the
summary item.
Low Number of low-severity incidents that are associated with the
summary item.
Info The number of informational incidents that are associated with the
summary item.
Bar Chart A visual representation of the number of incidents (of all
severities) associated with the summary item. The bar is broken
into proportional, colored sections to represent the various
severities.
Matches Total number of matches associated with the summary item.
If any of the severity columns contain totals, you can click on them to view a list of incidents of the chosen severity.
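Table 841 above, and Table 848 for Endpoint summary reports later on this page, describe the same computation: incidents grouped by one summary criterion (or by a primary and secondary pair for a double summary), counted per severity, with a Matches total, a bar chart proportional to the severity counts, and severity totals you can click to reach the underlying incidents. The Python below is an added example, not Enforce Server code: it builds those rows from a constructed incident list, supports double summaries, reproduces the click-through filtering and the sort-by-column-header behaviour. The field names in the sample incidents (policy, status, severity, matches) are assumptions chosen for the example.

```python
# Severity values the page lists, mapped to the summary report column names.
SEVERITY_COLUMN = {"High": "High", "Medium": "Med", "Low": "Low", "Info": "Info"}
COLUMNS = ("Total", "High", "Med", "Low", "Info", "Matches")


def summarize(incidents, primary, secondary=None):
    """Build summary report rows.

    Each row is keyed by the primary criterion value, or by the (primary,
    secondary) pair for a double summary, and carries the report's Total, High,
    Med, Low, Info and Matches columns. The bar-chart proportions are the
    severity counts divided by Total.
    """
    rows = {}
    for inc in incidents:
        key = (inc[primary], inc[secondary]) if secondary else (inc[primary],)
        row = rows.setdefault(key, dict.fromkeys(COLUMNS, 0))
        row["Total"] += 1
        row[SEVERITY_COLUMN[inc["severity"]]] += 1
        row["Matches"] += inc["matches"]
    result = []
    for key, row in sorted(rows.items()):
        entry = {"item": key if secondary else key[0], **row}
        entry["bar"] = {c: row[c] / row["Total"] for c in ("High", "Med", "Low", "Info")}
        result.append(entry)
    return result


def incidents_for(incidents, primary, item, severity_column=None, secondary=None):
    """The incident list behind a click on a summary item, or on one of its
    severity totals when severity_column is given."""
    wanted = item if secondary else (item,)
    out = []
    for inc in incidents:
        key = (inc[primary], inc[secondary]) if secondary else (inc[primary],)
        if key != wanted:
            continue
        if severity_column and SEVERITY_COLUMN[inc["severity"]] != severity_column:
            continue
        out.append(inc)
    return out


def sort_rows(rows, column, reverse=False):
    """Click a column header to sort by it; click again to reverse the order."""
    return sorted(rows, key=lambda r: r[column], reverse=reverse)


# Constructed incident list; not exported from a real Enforce Server.
SAMPLE_INCIDENTS = [
    {"id": 101, "policy": "Payment Card Data", "status": "New", "severity": "High", "matches": 12},
    {"id": 102, "policy": "Payment Card Data", "status": "New", "severity": "Medium", "matches": 3},
    {"id": 103, "policy": "Payment Card Data", "status": "Resolved", "severity": "Low", "matches": 1},
    {"id": 104, "policy": "Source Code", "status": "New", "severity": "High", "matches": 40},
    {"id": 105, "policy": "Source Code", "status": "Escalated", "severity": "High", "matches": 8},
    {"id": 106, "policy": "Source Code", "status": "New", "severity": "Info", "matches": 2},
]


def policy_summary():
    """A Policy Summary: one row per policy."""
    return summarize(SAMPLE_INCIDENTS, "policy")


def status_by_policy_summary():
    """A double summary: policy as primary criterion, status as secondary."""
    return summarize(SAMPLE_INCIDENTS, "policy", "status")


if __name__ == "__main__":
    for row in sort_rows(policy_summary(), "Matches", reverse=True):
        print(row)
    for inc in incidents_for(SAMPLE_INCIDENTS, "policy", "Source Code", "High"):
        print("high-severity Source Code incident", inc["id"])
```

Sorting by Matches rather than Total is the usual triage view: a policy with few incidents but a large match count is often a single bulk file rather than many small leaks.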
The report includes the following columns:
• Check boxes that let you select incidents to remediate
You can select one or more incidents to which to apply commands from the Incident drop-down menu at the top of the list.
Click the checkbox at the top of the column to select all incidents on the current page. (You can click Select All at far right
to select all incidents in the report.)
• A Type column that shows an icon for the destination or protocol of the incident. The possible values are as follows:
– Email/SMTP
– HTTP
– HTTPS
– FTP
– IM: MSN
– IM: Yahoo
– Print/Fax
– Clipboard
• A response column that indicates whether Symantec Data Loss Prevention blocked an attempted violation or notified the
end user about the violation of confidential data.
The possible values are as follows:
– Blank if Symantec Data Loss Prevention did not block the violation or notify the end user.
– A red icon indicates that the violation was blocked, either by Symantec Data Loss Prevention, by the user, or because
the user cancel option time limit expired.
– A notification icon indicates that Symantec Data Loss Prevention notified the end user about the violated confidential
data policies. The notification icon also appears if the user allowed the violating data transfer, or if the user cancel
time limit expired and the default action is set to allow data transfers.
The other columns of this section appear as follows:
Table 843: Endpoint incident columns
Column Definition
File Name/Machine/User/Subject/Recipient File name, computer, endpoint user (domain and logon name),
subject title (if Email/SMTP violation), and recipient user that is
associated with the incident.
When temporary files generate incidents on Mac agents, the
temporary file name displays in the File Name column.
Occurred On Date Date and time the incident occurred.
Reported On Date Date and time the incident was reported. If the endpoint is disconnected from the
corporate network, incidents are reported when the connection is restored.
ID/Policy Symantec Data Loss Prevention incident ID number and the policy
against which the incident was logged.
Matches Number of matches in the incident.
Severity Incident severity as determined by the severity setting of the rule
the incident matched.
The possible values are as follows:
• High
• Medium
• Low
• For information only
Status Current incident status.
The possible values are as follows:
• New
• In Process
• Escalated
• False positive
• Configuration Errors
• Resolved
You or your administrator can add new status designations on the Attribute Setup page.
Endpoint incident snapshot
Current status and severity appear under the snapshot heading. To change one of the current values, click on it and
choose another value from the drop-down list. If any action icon is associated, it also appears here.
If you have configured any Smart Response rules, Symantec Data Loss Prevention displays a Remediation bar (under the
Status bar). The Remediation bar includes options for executing the rules. Depending on the number of Smart Response
rules, a drop-down menu may also appear.
The top left section of the snapshot displays general incident information. You can click most information values to view an
incident list that is filtered on that value. Information in this section is divided into the following categories (not all of which
appear for every incident type):
Local drive
Network Share
Email/SMTP
HTTP
HTTPS/SSL
FTP
IM: MSN
IM: Yahoo
Print/Fax
Clipboard
Table 845: Incident sections
Section Description
Server Name of the Endpoint Server that detected the incident (for two-tier detection), or the
name of the Endpoint Server that received the incident from the Symantec DLP Agent.
Agent response The Endpoint Block, Endpoint Notify, Endpoint Quarantine,
Endpoint FlexResponse, Action Encrypted, Action Encryption
Blocked, or User Cancel action, if any. The possible values are as
follows:
• Blank or no icon if Symantec Data Loss Prevention did not
block the copy or notify the end user.
• A red circle icon indicates Symantec Data Loss Prevention
blocked confidential data.
• A message icon indicates Symantec Data Loss Prevention
notified the end user that the data is confidential.
• A green tick mark with a key indicates that Symantec Data
Loss Prevention blocked the user's action and encrypted the
file or files that the user was trying to copy or move.
• A red X icon with a key indicates that Symantec Data Loss
Prevention blocked the user's action but did not encrypt
the file or files that the user was trying to copy or move.
• A clock icon indicates that the DLP Agent did not block the
user's action but the configured response action was not
carried out due to a timeout in macOS 11.
See Reporting on Endpoint Prevent Response Rules.
Incident Occurred On Date and time the incident occurred.
Incident Reported On Date and time the Endpoint Server detected the incident.
Is Hidden Displays the hidden state of the incident, whether or not the
incident is hideable, and allows you to toggle the Do Not Hide flag
for the incident.
User Endpoint user name (for example, MYDOMAIN\bsmith).
User Justification The justification label, followed by the text that was presented to
the end user in the on-screen notification (for example, Manager
Approved: "My manager approved the transfer of this data.").
Symantec Data Loss Prevention uses the label for classification
and filtering purposes in reports, but the endpoint user never sees
it. Click the label to view a list of incidents in which the end user
chose this justification.
Machine Name Computer on which the incident occurred.
Machine IP (Corporate) The IP address of the violating computer if the computer was on
the corporate network.
File name Name of the file that violated the policy. The file name field
appears only for fixed-drive incidents.
Quarantine Result If you have Endpoint Discover: Quarantine response rules
configured, you may see one of the following quarantine
scenarios:
• File Quarantined
• Quarantine Failed
• Quarantine Result Timeout
Quarantine Location Displays the file path of the secure location where the file was
moved.
Quarantine Details Displays the reason that the quarantine task failed to move the
confidential file. For example, the action may fail because the
source file is missing, or the credentials to access the secure
location are incorrect.
The Quarantine Details field also displays information if the status
of the quarantined file is unknown because of a Quarantine Result
Timeout event.
Endpoint Location Indicates whether or not the endpoint was connected to the
corporate network at the time the incident occurred.
Application Name The name of the application that caused the incident.
Destination The destination location or file path for the confidential data,
depending on the device or protocol.
Destination IP The destination IP address for the confidential data. The
Destination IP address appears only for specific network incidents.
Source The original file or data for the violation. The source primarily
appears in file-transfer incidents.
Sender The sender of the confidential data for network violations.
Recipient The intended recipient of the confidential data for network
violations.
FTP User Name The originating user name for violating FTP transfers.
Attachments The associated file(s) or attachments sent (for network incidents).
If your administrator has configured Symantec Data Loss
Prevention to retain endpoint incident data, you can click on a file
name to view file contents.
Data Owner The specified owner of the confidential data.
Data Owner Email Address The email address for the owner of the confidential data.
Access information The available ACL information. Only applicable to Endpoint
Discover and Endpoint Prevent local drive monitoring.
Other sections of the incident snapshot are common across all Symantec Data Loss Prevention products. These common
sections include:
• Incident snapshot matches
• Incident snapshot policy section
• Incident snapshot correlations section
• Incident snapshot attributes section. (This section appears only if a system administrator has configured custom
attributes.)
• Incident snapshot history tab
• Incident snapshot notes tab
The Endpoint incident snapshot also contains two sections that are not common across other product lines. Those
sections are:
• Destination or protocol-specific information
Endpoint incident destination or protocol-specific information
• Reporting on Endpoint Prevent response rules
Reporting on Endpoint Prevent response rules
Reporting on Endpoint Prevent response rules
If user activity on the endpoint triggers more than one response rule, Symantec Data Loss Prevention determines which
policy to apply based on an established order of precedence. Only the response rule that is associated with the prevailing
policy is executed. Symantec Data Loss Prevention creates incidents for all policies that are violated. It indicates (in the
relevant incident snapshots) that the response rules were superseded.
See Endpoint incident snapshot.
By default, the following list is the main order of precedence for Endpoint Prevent incidents:
• Block
• User Cancel
• Endpoint FlexResponse
• Notify
NOTE
For Endpoint Discover, Quarantine incidents always take precedence over Endpoint FlexResponse incidents.
Be aware of the following behavior regarding reporting of superseded incidents:
• The snapshot of a superseded Endpoint Block or User Cancel incident still displays the Blocked icon, because
Symantec Data Loss Prevention did block the content in question. The icon also indicates if the content was blocked
because the user elected to block the content. Alternately, the icon indicates that the user cancel time limit was
exceeded and the content was blocked.
• The snapshot of a superseded Endpoint Notify incident does not include the Notify icon. The Notify icon is not
included because Symantec Data Loss Prevention did not display the particular on-screen notification that was
configured in the policy.
• The snapshot of a superseded Endpoint Quarantine incident displays the Blocked icon because the data did not
move out of the secured area. The icon also indicates if the content was blocked because the user elected to block
the content. Alternately, the icon indicates that the user cancel time limit was exceeded and the content was blocked.
The History tab of the incident snapshot always displays information on whether the Endpoint FlexResponse rule was
successful.
• The snapshot of a superseded Endpoint FlexResponse incident displays the Blocked icon because the data did not
move out of the secured area. The icon also indicates if an Endpoint Quarantine response rule was activated.
If you have configured Endpoint Prevent response rules to display on-screen notifications prompting users to
justify their actions, the following statements are true:
• Symantec Data Loss Prevention displays the user justification in the snapshots of all the incidents that are generated
by the policies that include the executed response rule.
• Symantec Data Loss Prevention displays the justification Superseded – Yes in the snapshots of all superseded
incidents that do not include the executed response rule.
• If there is no user to enter a justification, for example if a user accesses a remote computer, the justification reads N/A.
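The precedence rules above amount to a small decision procedure. The Python below is an added example, not product code and not from this help page: it resolves one endpoint event against the page's default order, executes only the prevailing rule, marks the incidents of every other policy as superseded, derives the snapshot icon from the superseded cases the page lists, and fills the justification field the way the page describes. The policy names, rule names and events are constructed. Two points the page does not state are assumptions made here: the tie-break between two different rules whose actions have the same precedence (first listed wins), and the icon for an executed Endpoint FlexResponse or Quarantine rule.

```python
# Default order of precedence the page gives for Endpoint Prevent (highest first).
PREVENT_ORDER = ("Block", "User Cancel", "Endpoint FlexResponse", "Notify")
# For Endpoint Discover, Quarantine always precedes Endpoint FlexResponse.
DISCOVER_ORDER = ("Quarantine", "Endpoint FlexResponse")

SUPERSEDED_JUSTIFICATION = "Superseded – Yes"


def snapshot_icon(action, superseded):
    """Icon shown in the incident snapshot, following the page's list of cases."""
    if action in ("Block", "User Cancel"):
        return "Blocked"            # content was blocked whether or not the rule was superseded
    if action == "Notify":
        return None if superseded else "Notify"   # superseded: the notification was never shown
    if action == "Quarantine":
        return "Blocked"            # data did not leave the secured area (executed case assumed)
    if action == "Endpoint FlexResponse":
        # Superseded: Blocked icon. Executed: the outcome is recorded on the
        # History tab rather than as an icon (assumption for the executed case).
        return "Blocked" if superseded else None
    raise ValueError(f"unknown response action {action!r}")


def resolve_responses(triggered, order, user_justification=None, prompted=False):
    """Resolve the response rules triggered by one endpoint event.

    triggered: list of (policy, rule_name, action); one rule may be shared by
    several policies. Only the rule with the highest-precedence action is
    executed; a tie between different rules goes to the first listed
    (assumption). Returns one incident record per violated policy.
    """
    if not triggered:
        return []
    executed_rule = min(triggered, key=lambda t: order.index(t[2]))[1]
    records = []
    for policy, rule, action in triggered:
        superseded = rule != executed_rule
        if not prompted:
            justification = ""                 # the executed rule did not ask for one
        elif user_justification is None:
            justification = "N/A"              # no interactive user, e.g. a remote session
        elif superseded:
            justification = SUPERSEDED_JUSTIFICATION
        else:
            justification = user_justification # every policy sharing the executed rule
        records.append({
            "policy": policy,
            "rule": rule,
            "action": action,
            "executed": not superseded,
            "superseded": superseded,
            "icon": snapshot_icon(action, superseded),
            "justification": justification,
        })
    return records


# Constructed event: three policies fire on one removable-media copy; two share a rule.
SAMPLE_PREVENT_EVENT = [
    ("Payment Card Data", "Block with justification", "Block"),
    ("Customer PII", "Block with justification", "Block"),
    ("Internal Documents", "Warn on removable media", "Notify"),
]

# Constructed Endpoint Discover event: FlexResponse and Quarantine on the same file.
SAMPLE_DISCOVER_EVENT = [
    ("Source Code", "Run cleanup script", "Endpoint FlexResponse"),
    ("Payment Card Data", "Quarantine to vault", "Quarantine"),
]


def sample_prevent():
    return resolve_responses(SAMPLE_PREVENT_EVENT, PREVENT_ORDER,
                             user_justification="Manager Approved", prompted=True)


def sample_discover():
    return resolve_responses(SAMPLE_DISCOVER_EVENT, DISCOVER_ORDER)


if __name__ == "__main__":
    for rec in sample_prevent() + sample_discover():
        print(rec)
```

Reading the output the way an analyst reads the console: the Internal Documents incident is real (the policy did match) but its Notify rule never ran, so its snapshot has no Notify icon and shows Superseded – Yes, while the two Block policies both carry the user's justification because they share the executed rule.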
Table 846: Destination or protocol-specific information
Destination or protocol Description
URL For network incidents, denotes the URL where the incident
occurred.
Source IP and Port For network incidents, denotes the IP address or port of the
endpoint that originated the incident. This information is only
shown if the incident is created on this endpoint.
Destination IP and Port The IP address of the destination endpoint that is associated
with the incident. This information is only shown if the incident is
created on this endpoint.
Sender/Recipient Email For Email/SMTP and IM incidents, the incident also contains the email
addresses of the sender and recipient. The sender or recipient
email address is shown only if it applies to the incident.
Subject The subject line of the Email/SMTP message is displayed.
FTP user name at the FTP Destination For FTP incidents, the user name at the FTP destination is
displayed.
Server IP For FTP incidents, the server IP address is shown.
File Name/Location For print/fax incidents, the name of the file and the location of the
file on the endpoint is displayed.
Print Job Name For print/fax incidents, the print job name is the file name of the
printing job that generated the incident.
Printer Name/Type For print/fax incidents, the printer name and type are displayed
only if the file cannot be identified from the print job name, or if
the file was generated from a web browser.
Application Window For Clipboard incidents, the application window is the application
name from which the contents of the Clipboard were taken.
Source Application For Clipboard incidents, the application name from which the
contents of the Clipboard were taken.
Source Application Window Title For Clipboard incidents, the application window name from which
the contents of the Clipboard were taken.
Title Bar For Clipboard incidents, the title bar is the window from which the
data was copied.
Summary entries are divided into several columns. Click any column header to sort alpha-numerically by that column's
data. To sort in reverse order, click the column header a second time.
Table 848: Endpoint incident summary report details
Field Description
Summary criteria This column is named for the summary criterion you selected. If you
select both a primary and a secondary summary criterion, only the
primary criterion is displayed in the column name.
Total Total number of the incidents that are associated with the
summary item. For example, in a Policy Summary this column
gives the total number of incidents that are associated with each
policy.
High Number of high-severity incidents that are associated with the
summary item. (The severity setting of the rule that was matched
determines the level of severity.)
Med Number of medium-severity incidents that are associated with the
summary item.
Low Number of low-severity incidents that are associated with the
summary item.
Info Number of the informational incidents that are associated with the
summary item.
Bar Chart A visual representation of the number of incidents (of all
severities) associated with the summary item. The bar is broken
into proportional colored sections that represent the various
severities.
Matches Total number of matches associated with the summary item.
If any of the severity columns contain totals, you can click on them
to view a list of incidents of the chosen severity.
Managing Network Discover target scans
Network Discover Reports lists the Network Discover reports.
Network Discover Targets: This report is on the Enforce Server administration console, Manage menu, Discover Scanning > Discover Targets. See About the Network Discover scan target list.
Scan Status: This report is on the Enforce Server administration console, Manage menu, Discover Scanning > Discover Servers. See Viewing Network Discover server status.
Scan History (single target): This report is from the Enforce Server administration console, Manage menu, Discover Scanning > Discover Targets. Click the link in the Scan Status column to see the history of a particular scan target. See About Discover and Endpoint Discover scan histories.
Scan History (all targets): This report is from the Enforce Server administration console, Manage menu, Discover Scanning > Scan History. See About Discover and Endpoint Discover scan histories.
Scan Details: This report is from the Enforce Server administration console, Manage menu, Discover Scanning > Scan History. Click the link in the Scan Status column to see the scan details. See About Discover scan details.
Discover incident reports
Use Network Discover incident reports to monitor and respond to Network Discover incidents. You can save, send, export,
or schedule Symantec Data Loss Prevention reports.
In the Enforce Server administration console, on the Incidents menu, click Discover. This incident report displays all
incidents for all Discover targets. You can select the standard reports for all incidents, new incidents, target summary,
policy by target, status by target, or top shares at risk.
Summaries and filter options can select which incidents to display.
You can create custom reports with combinations of filters and summaries to identify the incidents to remediate.
Select one of the following actions to set the display state for the selected incidents:
– Hide Incidents—Flags the selected incidents as hidden.
– Unhide Incidents—Restores the selected incidents to the unhidden state.
– Do Not Hide—Prevents the selected incidents from being hidden.
– Allow Hiding—Allows the selected incidents to be hidden.
• Set Attributes
Select to set attributes for the selected incidents.
• Set Data Owner
Set the data owner name or email address. The data owner is the person responsible for remediating the incident.
Reports can automatically be sent to the data owner for remediation.
• Set Incident Remediator
Set the incident remediator name or email address. The incident remediator is the person responsible for remediating
the incident using End User Remediation.
The EUR application sends an email to the incident remediator for remediation. See About End User Remediation.
• Set Status
Select to set status.
• Set Severity
Select to set severity.
• Lookup Attributes
Use the lookup plug-ins to look up incident custom attributes.
• Run Smart Response
Select to run a Smart Response rule you or your administrator configured.
Discover incident lists
Quarantined
Remediation Error
When you use a Server FlexResponse action for an Automated or Smart response rule, one of the following icons may
appear:
These same icons may appear for other incident types as well, and you can execute Server FlexResponse actions on
those incidents.
• Location/Target/Scan
Repository or file location, target name, and date and time of most recent scan.
• File Owner
Username of file owner (for example, MYDOMAIN\Administrator).
• ID/Policy
The Symantec Data Loss Prevention incident number and the policy the incident violated.
• Matches
The number of matches in the incident.
• Severity
Incident severity as determined by the severity setting of the rule the incident matched.
The possible values are:
– High
– Medium
– Low
– For information only
• Status
The current incident status.
The possible values are:
– New
– In Process
– Escalated
– False Positive
– Configuration Errors
– Resolved
The following icon may be displayed near the status if this incident was seen before:
You or your administrator can add new status designations on the attribute setup page.
Discover incident snapshot
An incident snapshot provides detailed information about a particular incident. It displays general incident information,
matches detected in the content, and details about policy, attributes, and incident history. You can also search for similar
incidents in the Correlations area.
Current status and severity appear under the snapshot heading. To change one of the current values, click it and choose
another value from the drop-down list.
Use the icons at the top right to print the report, or send it as email. To send reports, you or your administrator must first
enable report distribution in system settings.
Configuring the Enforce Server to Send Email Alerts
If any Smart Response rules are set up, Symantec Data Loss Prevention displays a remediation bar that includes buttons
for executing the rules. Depending on the number of Smart Response rules, a drop-down menu may also appear.
About incident remediation
Incident data is divided into the following sections:
• Key Info tab
– Policy Matches
– Incident Details
The following details are included:
Seen Before: No, if this incident was not previously detected. Yes, if this incident was previously detected.
Subject: Email subject for integrated Exchange scans.
Sender: Email sender for integrated Exchange scans.
Recipient: Email recipient for integrated Exchange scans.
File Location: Location of the file, repository, or item. Click go to file to view the item or file, or go to directory to view the directory. If you view an Endpoint Discover incident, you do not see the go to file or go to directory links.
Is Hidden: Displays the hidden state of the incident, whether or not the incident is hideable, and lets you toggle the Do Not Hide flag for the incident.
URL: For SharePoint, this URL is the item on the SharePoint server. Click this URL to go to the item on the SharePoint server.
Document Name: File or item name(s).
File Owner: Creator of the file or item. For SharePoint and Exchange incident snapshots the File Owner is listed as unknown because it is not applicable to these target types.
Extraction Date: Date custom target adapter was run. (Applies to custom targets only.)
NOTE
In the Firefox browser, these links do not work without additional setup.
Scanned Machine: Host name of the scanned computer. For SharePoint this name is the web application name.
Notes Database: Name of the IBM (Lotus) Notes database. (Applies to IBM (Lotus) Notes only.)
File Created: The date and time that the file or item was created.
Last Modified: Date and time of last change to the file or item.
Last Accessed: Date and time of last user access to the file or item. For SharePoint, this date is not valid.
Created By: The user who created the file.
Modified By: The user who last modified the file.
Data Owner Name: The person responsible for remediating the incident. This field must be set manually, or with a lookup plug-in. Reports can automatically be sent to the data owner for remediation. If you click on the hyperlinked Data Owner Name, a filtered list of incidents by Data Owner Name is displayed.
Data Owner Email Address: The email address of the person responsible for remediating the incident. This field must be set manually, or with a lookup plug-in. If you click on the hyperlinked Data Owner Email Address, a filtered list of incidents by Data Owner Email Address is displayed.
Incident Remediator Name: The person responsible for remediating the incident using End User Remediation. This field must be set manually, or with a lookup plug-in. If you click on the hyperlinked Incident Remediator Name, a filtered list of incidents by Incident Remediator Name is displayed.
Incident Remediator Email Address: The email address of the person responsible for remediating the incident using End User Remediation. This field must be set manually, or with a lookup plug-in. If you click on the hyperlinked Incident Remediator Name, a filtered list of incidents by Incident Remediator Name is displayed.
– Access Information
For SharePoint incident snapshots, the permission levels show the permissions from SharePoint, for example
Contribute or Design. The list in the incident snapshot shows only the first 50 entries. All the ACL entries can be
exported to a CSV file. The permissions are comma-separated. Users or groups having Limited Access permission
levels are not recorded or shown.
NOTE
If you are scanning a SharePoint repository without using the SharePoint solution, the incident snapshot
will not show any SharePoint permissions information.
– Message Body
For a SharePoint list item, the message body shows the name and value pairs in the list.
• Attributes
• History tab
• Notes tab
• Correlations tab
• Matches and file content
Discover incident reports
Discover summary reports
Discover Summary Reports provide summary information about the incidents that are found during Discover scans.
If you are running Endpoint Discover, the Discover Summary Reports also include Endpoint Discover incidents.
You can filter or summarize the options in the reports.
Applications summary reports
• DIM - Status by Policy
Displays a summary of DIM incidents by policy and incident status.
Applications summary reports
• DIM - High Risk Users - Last 30 Days
Displays a summary of DIM incidents associated with high-risk users in the last 30 days.
Applications summary reports
• DAR - Incidents - All
Displays a list of all Data-at-Rest (DAR) incidents.
Applications incident list
• DAR - Incidents - New
Displays a list of all DAR incidents with a status of New.
Applications incident list
• DAR - Application Summary
Displays a summary of DAR incidents by cloud application.
Applications summary reports
• DAR - Policy Summary
Displays a summary of DAR incidents by policy.
Applications summary reports
• DAR - Status by Application
Displays a summary of DAR incidents by status and cloud application.
Applications summary reports
• DAR - High Risk Users
Displays a summary of DAR incidents associated with high-risk users.
Applications summary reports
Summaries and filter options can select which incidents to display.
You can create custom reports with combinations of filters and summaries to monitor the incidents.
Applications incident entries
You can select specific incidents (or a group of incidents) to modify or manage.
Applications incident actions
You can click on any incident to view a snapshot containing more details.
Applications incident snapshot
About Applications incident reports
– High
– Medium
– Low
– For information only
• Status
The current incident status. The possible values are:
– New
– In Process
– Escalated
– False Positive
– Configuration Errors
– Resolved
Applications incident list
Applications incident snapshot
An incident snapshot provides detailed information about a particular incident. It displays general incident information,
matches detected in the content, and details about policy, attributes, and incident history. You can also search for similar
incidents in the Correlations area.
Current status and severity appear under the snapshot heading. To change one of the current values, click it and choose
another value from the drop-down list.
You can use the Accepted checkbox to set the remediation status to User Accepted. This remediation status indicates
that the incident was remediated by the user, CASB administrator, or another incident responder.
Use the icons at the top right to print the report, or send it as email. To send reports, you or your administrator must first
enable report distribution in system settings.
User Activity Type: Specifies the type of user activity on the file. The possible activities are:
• Create
• Edit
• Rename
• Delete
• Upload/Download
External Transaction ID: The unique transaction identifier that is provided by the cloud application. You can use this identifier to track this incident in external cloud consoles, such as Symantec CloudSOC.
– Site/Application Details
Specifies the following details about the website or cloud application that is associated with the DAR or DIM incident:
User Threat Score: Specifies the user threat score as provided by Symantec CloudSOC or Blue Coat WSS.
Documents Exposed Count: Specifies the number of exposed documents for that user. Click More Info to view document exposure information in your external cloud console.
User Activity: Provides a link to user activity details in your external cloud console.
– Data Exposure Details (DAR only)
This section provides the following details about the exposure of the sensitive data:
File Folder: Specifies the folder that contains the file. Click More Info to go to the exposures panel for that file.
Last Modified: Specifies the date and time the file was last modified.
Sharing URL: Specifies the URL at which the file is shared.
Document Type: Specifies the document type of the file.
File Activity: Click More Info to view the file activity in your external cloud console.
Alert in CASB: Click More Info to view incident information in your external cloud console.
– Data Transfer (DIM Only)
Specifies the following details about the device that is associated with the DIM incident:
Network Direction: Specifies the direction of the network traffic, upload or download.
Connector Source Protocol: Specifies the network protocol of the data transfer, such as https.
Source IP: Specifies the originating IP address of the network traffic.
Destination IP: Specifies the destination IP address of the network traffic.
Device is Compliant: Specifies if the device complies with your organization's standards.
Device is Unmanaged: Specifies if the device is not managed by your organization.
Device is Personal: Specifies if the device is the personal property of the user.
Device is Trusted: Specifies if the device is trusted by your organization.
HTTP Method: Specifies the HTTP method that was called when the incident was created.
HTTP Cookies: Lists any cookies that are associated with the incident.
Device OS: Specifies the operating system of the device.
Device Type: Specifies the type of device.
– Location (DIM Only)
Specifies the following device location information:
Viewing, managing, and reporting incidents
View, manage, and report Symantec DLP incidents.
This content includes the following topics:
• Viewing Incidents
• Incident List Control Features Overview
• Incident Masking Overview
• About Symantec Data Loss Prevention Reports
• About Strategies for Using Reports
• Setting Report Preferences
• About Incident Reports
• About dashboard reports and executive summaries
• Viewing dashboards
• Creating dashboard reports
• Configuring dashboard reports
• Choosing reports to include in a dashboard
• About summary reports
• Viewing summary reports
• Creating summary reports
• About custom reports and dashboards
• Using IT Analytics to manage incidents
• Filtering Incident Lists and Reports using the Filter By controls
• Saving custom incident reports
• Scheduling Custom Incident Reports
• Delivery Schedule Options for Incident and System Reports
• Delivery schedule options for dashboard reports
• Using the date widget to schedule reports
• Editing custom dashboards and reports
• Exporting Incident Reports
• Exported Fields for Common Reports
• Exported fields for Network Monitor
• Exported fields for Network Discover
• Exported fields for Endpoint Discover
• Deleting incidents
• Deleting custom dashboards and reports
• Common incident report features
• Page navigation in incident reports
• Incident report filter and summary options
• Sending incident reports by email
• Printing incident reports
• Incident snapshot history tab
• Incident snapshot notes tab
• Incident snapshot attributes section
• Incident snapshot correlations tab
• Incident snapshot policy section
• Incident snapshot matches section
• Incident snapshot access information section
• Customizing incident snapshot pages
• About filters and summary options for reports
• General filters for reports
• Summary options for incident reports
• Advanced filter options for reports
Viewing Incidents
Go to the Incidents > All Channels screen in the Enforce Server administration console to filter your view of Symantec
Data Loss Prevention incidents. You can filter incidents by choosing incident type, severity, status, and date.
1. In the Enforce Server administration console, on the Incidents menu, select All Channels. The incident list displays
incidents of all types, arranged under default column headings. You can select specific channels, or you can use other
filters to customize what you see.
See Incident List Control Features Overview for a complete overview of incident list controls.
2. Optionally, use report filters to narrow down the incident list.
Filtering Incident Lists and Reports using the Filter By controls
3. To view more details of a particular incident, click the incident.
The incident snapshot appears. The snapshot displays general incident information, matches detected in the
intercepted text, details about policy, attributes, and incident history.
You can also search for similar incidents from the Correlations tab.
4. Optionally, click through the incident snapshot to view more information about the incident.
• You can find information about the policy that detected the incident. On the Key Info tab, the Policy Matches
section displays the policy name. Click the policy name to see a list of incidents that are associated with that policy.
Click view policy to see a read-only version of the policy. This section also lists other violated policies with the
same file or message. When multiple policies are listed, you can see the snapshot of an incident that is associated
with a particular policy. Click go to incident next to the policy name. To see a list of all incidents, click show all.
• You can view lists of the incidents that share various attributes with the current incident. The Correlations tab
shows a list of correlations that match single attributes. Click attribute values to see the lists of incidents that are
related to those values.
For example, the current network incident is triggered from a message from a particular email account. You can
bring up a list of all incidents that this account created.
• For most network incidents, you can access any attachments that are associated with the network message.
Locate the Attachments field in the Incident Details section of the snapshot and click the attachment file name.
For a detailed description of incident snapshots and the actions you can perform through them, see Incident snapshot
history tab.
5. When you finish viewing incidents, you can exit the incident snapshot or incident list, or you can choose one or more
incidents to remediate.
Remediating incidents
• Type
• Date
• ID
• Policy
• Policy Label
• Matches
• Severity
• Status
You can choose from up to 153 incident filters. Some of these filters are common to all channels. Some of the filters
are unique to a specific channel. For a common incident list, you can only choose filters that are common to all incident
channels.
Scanning from left to right, you can see the following new icons and navigation features.
The action icons on the top left of the screen let you:
• Save your user-created custom incident reports using the disk icon. You cannot update System Reports, but you can
save a system report as a user-created saved report by using Save As. See Saving custom incident reports.
• View all Saved Reports using the file folder icon.
• View System Reports using the spreadsheet icon. You can choose to view reports for All Channels or Network or
Endpoint or Discover or Cloud Applications and API Appliance. You cannot update System reports.
• Access a list of your Saved reports. See Using Saved Reports.
• Export incidents, selected components of incidents, or reports in CSV and JSON format using the up arrow icon. You
can export up to 10,000 incidents. See Exporting Incident Reports.
NOTE
Legacy XML is deprecated in DLP 16.0 and is not available in subsequent DLP releases. Reports that are
exported in XML are limited to the hard-coded, DLP 15.8 format and are not customizable.
Quick Filters
You can create two kinds of incident lists: one with all types of incidents (the common, or all channels view) or one with
just one type (the single channel view). You cannot create an incident list that is composed of two or three types. For
example, you cannot create an incident list with Network incidents and Discover incidents.
When you don't select a Type, you get the common or all channels view. This report contains all types of incidents,
including Network, Endpoint, Discover, and Cloud Applications and API Appliance. Only incident filters that are common to
all channels are available in the common or all channels view.
When you choose one channel, you can choose all filters available to that channel. For example, if you choose Network,
you can use all filters available to Network incidents.
You can filter incidents in the default all channels list by using the following Quick Filters. Click a quick filter to select it. To
deselect a filter, click it again. Click Apply after you are finished.
Table 850: Quick Filters
Type - The type or channel of the incident
• All Channels - Incidents that are common to all channels (default)
• Network - Incidents that are unique to the Network channel
• Endpoint - Incidents that are unique to the Endpoint channel
• Discover - Incidents that are unique to the Discover channel
• Cloud Applications and API Appliance - Incidents that are unique to the Cloud Applications and API Appliance channel
Severity - The severity of the incident
• All (default)
• High
• Medium
• Low
• Info
Status - The status for All (default) or New incidents
• Equals (default)
• Is Any Of
• Is None Of
Date - The date the incident occurred
• All Dates (default)
• Today
• Yesterday
• Current Week to Date
• Current Month to Date
• Current Quarter to Date
• Current Year to Date
• Last 7 Days
• Last 30 Days
• Last Week
• Last Month
• Last Quarter
• Last Year
• Custom
• Older Than
• Not Updated In
Advanced Filters
Use Advanced Filters to filter on attributes and conditions that are common to all reports.
The Pending Filter bar at the top of the screen over the incident list shows the applied filters and their settings.
Action Bar
When you click a checkbox to the left of an incident or incidents, the Action Bar appears between the incident list and the
Pending Filter bar.
The controls on the Action Bar enable you to further customize the data for your incident list. If you choose more than
eight columns out of the 153 available columns, you can easily view the additional columns by using the horizontal and
vertical scroll bar. Hovering over an action gives you more options, if they are available. For actions that require more
information, a popup may appear.
Click actions to quickly perform the actions for your selected incident or report.
Table 851: Incident Actions
Column Preferences
• Apply column filter preferences for the type of report that you have selected.
• Save column filter preferences for an incident report that you have selected.
• View the default columns for an incident report that you have selected.
You can select all filters, but to view the data, you must have permission to view a particular filter.
Add Note
A popup appears so that you can enter a note for the report.
Hide / Unhide
• Hide incidents.
• Unhide incidents.
• Do not hide incidents.
• Allow hiding.
Run Smart Response
Set Severity
• High
• Medium
• Low
• Info
For more information on these actions, see Filtering Incident Lists and Reports using the Filter By controls.
Scheduling Reports
Use the Schedule Delivery widget to schedule incident reports. The ability to schedule reports by the minute and by the
hour is now available.
See Delivery Schedule Options for Incident and System Reports.
See Scheduling Reports.
Capabilities of Masking
• Characters that are masked: Alphanumeric characters are masked, but not punctuation characters. For example, a
60% masked US Social Security number can appear as XXX-XX-6789 or XXXXX6789.
• Percentage of a string to mask: From 0% to 100% (rounded percentages only). Punctuation is not included in
percentages.
• Where to apply the mask in the incident: from the Beginning, from the Middle, or from the End.
• The masking character is not configurable; it is always an X.
Masking Configuration
You can configure two types of Masking:
• You configure Role-based masking at the System > Login Management > Role screen.
NOTE
Role-based masking has priority over data identifier masking. You must "turn on" masking at the role level to
enable masking for roles and data identifiers. For example, if a role is set to unmasked, nothing is masked,
not even data identifier matches.
• You configure Data Identifier-based masking at the Manage > Policies > Data Identifier screen.
Setting Up Masking for Roles
Set masks by role to block viewing of sensitive incident data.
You can choose partial or 100% masking for a role. If you choose Unmasked, or Masked, you can also set the
percentage of an incident that is masked. You can also set where to start masking: from the beginning, from the middle, or
from the end.
NOTE
Role-based masking has priority over data identifier masking. You must "turn on" masking at the role level to
enable masking for roles and for data identifiers. For example, if a role is set to unmasked, nothing is masked,
not even data identifier matches.
1. Go to System > Login Management > Roles to configure a role.
2. See that the default role is Unmasked under Display Attributes > Matches.
3. Check Masked to set the role to use the masking pattern defined in Data Identifiers. For everything else, the default
masking is set to 50% from the Beginning.
4. Click Mask at 50% from the Beginning. These settings are the default for partial masking.
– Change the percentage to any whole percent in increments of 5 from 0 to 100.
– Change the location where the masking starts: from the Beginning, from the Middle, or from the End.
– Choosing Masked at 100% completely masks sensitive data, other than Data Identifier matches.
– Choosing Masked at 0% enables Data Identifier masking to take effect for Data Identifier matches, but this setting
leaves other matches unmasked.
5. Continue configuring the role.
6. Click Save when you are done.
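The masking rules from Capabilities of Masking (a whole percentage of the alphanumeric characters, punctuation skipped, the mask applied from the Beginning, Middle or End, and X as the only mask character) together with the role-over-data-identifier precedence described above, as an added Python example that is not part of the product or of this documentation. The rounding of the masked character count to the nearest whole character, the MaskSetting and RoleMasking names, and modelling a data identifier's masking pattern as a percentage plus a start position are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

MASK_CHAR = "X"  # the mask character is fixed to X and is not configurable
POSITIONS = ("beginning", "middle", "end")


def mask_match(text: str, percent: int, where: str = "beginning") -> str:
    """Mask `percent` of the alphanumeric characters in a match with X.

    Punctuation is never masked and is not counted in the percentage,
    so a 60% mask of 123-45-6789 yields XXX-XX-6789 and a 60% mask of
    123456789 yields XXXXX6789. Rounding the masked count to the nearest
    whole character (half up) is an assumption of this example.
    """
    if not isinstance(percent, int) or not 0 <= percent <= 100:
        raise ValueError("percent must be a whole number from 0 to 100")
    if where not in POSITIONS:
        raise ValueError(f"where must be one of {POSITIONS}")
    # indexes of the characters that are eligible for masking
    eligible = [i for i, ch in enumerate(text) if ch.isalnum()]
    n = len(eligible)
    k = (n * percent + 50) // 100  # round half up; 0 <= k <= n
    if where == "beginning":
        chosen = eligible[:k]
    elif where == "end":
        chosen = eligible[n - k:]
    else:  # middle: a run of k eligible characters centred in the match
        start = (n - k) // 2
        chosen = eligible[start:start + k]
    chars = list(text)
    for i in chosen:
        chars[i] = MASK_CHAR
    return "".join(chars)


@dataclass(frozen=True)
class MaskSetting:
    """A masking pattern: what percentage to mask and where to start."""
    percent: int
    where: str = "beginning"


@dataclass(frozen=True)
class RoleMasking:
    """Display Attributes > Matches for a role: Unmasked, or Masked with a pattern."""
    masked: bool
    # documented default for partial masking: 50% from the Beginning
    setting: MaskSetting = MaskSetting(50, "beginning")


def render_match(text: str, role: RoleMasking,
                 di_setting: Optional[MaskSetting] = None) -> str:
    """Apply the precedence the documentation describes.

    - An Unmasked role masks nothing, not even data identifier matches.
    - A Masked role shows a data identifier match with the pattern defined
      on that data identifier (di_setting) and every other match with the
      role's own percentage and position. Masked at 0% therefore leaves
      non-DI matches readable while DI masking still applies; Masked at
      100% hides everything except DI matches, which keep their own pattern.
    """
    if not role.masked:
        return text
    if di_setting is not None:
        return mask_match(text, di_setting.percent, di_setting.where)
    return mask_match(text, role.setting.percent, role.setting.where)


if __name__ == "__main__":
    # Constructed sample matches, not real data.
    ssn = "123-45-6789"
    print(mask_match(ssn, 60))                            # XXX-XX-6789
    print(mask_match("123456789", 60))                    # XXXXX6789
    print(mask_match(ssn, 60, "end"))                     # 123-4X-XXXX
    print(mask_match(ssn, 60, "middle"))                  # 12X-XX-XX89
    role_0 = RoleMasking(masked=True, setting=MaskSetting(0))
    print(render_match(ssn, role_0, MaskSetting(60)))     # XXX-XX-6789
    print(render_match("ACME-4711", role_0))              # ACME-4711
    print(render_match(ssn, RoleMasking(masked=False), MaskSetting(100)))  # 123-45-6789
```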
About Symantec Data Loss Prevention Reports
Use incident reports to track and respond to incidents. Symantec Data Loss Prevention reports an incident when it detects
data that matches the detection parameters of a policy rule.
The data can include specific file content, an email sender or recipient, attachment file properties, or many other types of
information.
Each piece of data that matches detection parameters is called a match, and a single incident may include any number of
individual matches.
You can set a hiding flag on an incident to indicate that the incident has been hidden. By default, hidden incidents do
not appear in incident reports, but you can include them in incident reports by setting Advanced Filters for the report.
Including hidden incidents in a report may slow down reporting activities.
Incident Hiding
Symantec Data Loss Prevention tracks incidents for all detection servers. These servers include Network Discover Server,
Network Monitor Server, Network Prevent for Email Server, Network Prevent for Web Server, and Endpoint Server.
You can specify the reports Symantec Data Loss Prevention displays in the navigation panel.
Setting Report Preferences
Symantec Data Loss Prevention provides the following types of incident reports:
• Incident lists show the individual incident records that contain information such as severity, associated policy, number
of matches, and status. You can click any incident to see a snapshot containing more details. And you can select
specific incidents or groups of incidents to modify or remediate.
Symantec Data Loss Prevention provides separate reports for incidents by selecting Network, Endpoint, Discover, or
Cloud Applications and API Appliance.
• Summaries provide summary information about the incidents on your system. They are organized with either one or
two summary criteria. A single-summary report is organized with a single summary criterion, such as the policy that
is associated with each incident. A double-summary report is organized with two criteria, such as policy and incident
status. By default, hidden incidents do not appear in the counts that display in summary reports, but you can set
Advanced Filters to include the hidden incidents. (Incident Hiding).
• Dashboards combine information from several reports. They include graphs and incident totals representing the
contents of various incident lists and summaries. Graphs can sometimes contain lists of high-severity incidents or
lists of summary groups. You can click report portlets (the individual tiles that contain report data) to drill down to the
detailed versions of the reports.
Executive summaries are similar to dashboards. They include similar information arranged in an intuitive and easy-to-read manner. You cannot customize an executive summary. Executive summaries do not include report portlets.
Symantec Data Loss Prevention ships with executive summaries for Network, Endpoint, Discover and Users
incidents.
You can create and save customized versions of all reports (except executive summaries) for continued use.
About custom reports and dashboards
Symantec Data Loss Prevention displays reports in separate sections on the Incident > All Reports screen as
follows:
• The Saved Reports section contains any shared reports that are associated with your current role. This section
appears only if you or other users in your current role have created saved reports.
• The All Channels section contains Symantec-provided incident lists, summaries, and dashboards for all incidents.
It includes a Policy Summary, which is a list of all incidents that are grouped by Policy. It also includes an Incident
Type Summary, which is a list of all incidents that are grouped by Type.
• The Network section contains Symantec-provided incident lists, summaries, and dashboards for network incidents.
• The Endpoint section contains Symantec-provided incident lists, summaries, and dashboards for endpoint incidents.
Endpoint reports include the incidents that Endpoint captures, such as Endpoint Block and Endpoint Notify incidents.
Incidents that Endpoint Discover captures appear in Discover reports.
• The Discover section contains Symantec-provided incident lists, summaries, and dashboards for Network Discover
and Endpoint Discover incidents.
• The Applications (Cloud and API Appliance) section contains Symantec-provided incident lists and summaries for
cloud application incidents.
• The Users section contains a user list and user risk summary, which displays users and their associated Email and
Endpoint incidents.
3. To display a report in the list, check the Show Report box for that report. To remove a report from the list, clear the
Show Report box for that report.
The selected list of reports displays in a left navigation panel for each of the types of reports.
For example, to see the list of Network reports, on the Incidents menu, click Network.
4. Click Save.
Incident lists: These show individual incident records containing information such as severity, associated policy, number
of matches, and status. You can click on any incident to view a snapshot containing more details. You can select specific
incidents or groups of incidents to modify or remediate.
Summaries: These show incident totals organized by a specific incident attribute such as status or associated policy.
For example, a Policy Summary includes rows for all policies that have associated incidents. Each row includes a policy
name, the total number of associated incidents, and incident totals by severity. You can click on any severity total to view
the list of relevant incidents.
Double summaries: These show incident totals organized by two incident attributes. For example, a policy trend summary
shows the total incidents by policy and by week. Similar to the policy summary, each entry includes a policy name, the
total number of associated incidents, and incident totals by severity. In addition, each entry includes a separate line for
each week, showing the week's incident totals and incidents by severity.
Dashboards and executive summaries: These are quick-reference dashboards that combine information from several
reports. They include graphs and incident totals representing the contents of various incident lists, summaries, and double
summaries. Graphs are sometimes beside lists of high-severity incidents or lists of summary groups. You can click on
constituent report names to drill down to the reports that are represented on the dashboard.
Symantec Data Loss Prevention ships with executive summaries for Network, Endpoint, and Discover reports, and these
are not customizable. You can create dashboards yourself and customize them as desired.
Custom: Lists the shared reports that are associated with your current role. (Such reports appear only if you or other
users in your current role have created them.)
Network: Lists the network incident reports.
Endpoint: Lists the Endpoint incident reports. Endpoint reports include incidents such as Endpoint Block and Endpoint
Notify incidents. Incidents from Endpoint Discover are included in Discover reports.
Discover: Lists Network Discover and Endpoint Discover incident reports. The folder risk report displays file share folders
ranked by prioritized risk. The risk score is based on the relevant information from the Symantec Data Loss Prevention
incidents plus the information from the VML Management Server.
Cloud Applications and API Appliance: Lists Cloud Applications and API Appliance reports.
Users: The User List lists the data users in your organization. The User Risk Summary lists all users with their
associated Email and Endpoint incidents.
• Policy Distribution across Targets: A pie chart that specifies the distribution of policies across various Discover scan
targets, including the percentage and number of incidents generated per policy.
• Top 5 Content Roots: A bar graph displaying the top five content roots that have generated incidents, including the
severity of the incidents generated for each content root.
• Top 5 Target Summary: A bar graph displaying the top five incident-generating targets from the last completed
Discover scan, including the severity of the incidents generated on each target.
• Status by Target: A pie chart that specifies the status of various Discover scan targets, including the percentage and
number of incidents generated per policy.
Executive Summary - Endpoint
• Policy Summary: A pie chart that specifies the number and percentage of incidents for each Endpoint policy.
• Top 5 Highest Offenders: A bar graph that displays the top five incident generating endpoints, including the severity
of the incidents associated with each endpoint.
• Top 5 Incident Type Summary: A bar graph that displays the top five incident types, such as Clipboard or Local Drive.
• User Justification Summary: A pie chart displaying the types of user justifications for endpoint incidents, including
the percentage for each justification.
• Endpoint Location Summary: A pie chart displaying the connection status for incident-generating endpoints.
• Incident Status Summary: A pie chart displaying the status of all endpoint incidents, with a percentage for each
status category.
Executive Summary - Network
• Policy Summary: A pie chart that specifies the number and percentage of incidents for each Network policy.
• Top 5 High Risk Senders: A bar graph that displays the top five high-risk senders, including the severity of the
incidents associated with each sender.
• Top 5 Protocol Summary: A bar graph that displays the top five incident-generating network protocols, including the
severity of the incidents associated with each protocol.
• Top 5 Recipient Domains: A bar graph that displays the top five incident-generating recipient domains, including the
severity of the incidents associated with each domain.
• Status by Week: A bar graph displaying the incidents of the last 30 days, broken down by week, and including the
severity of the incidents generated.
• Sender IP Summary: A pie chart displaying the incident-generating sender IP addresses, including the number and
percentage of incidents per sender IP.
Viewing dashboards
This procedure shows you how to view a dashboard.
To view a dashboard
1. In the Enforce Server administration console, on the Incidents menu, click Incident Reports. Under Reports, click
the name of a dashboard.
Dashboards consist of up to six portlets that each provide a summary of a particular report.
2. To see the entire report for a portlet, click the portlet.
Symantec Data Loss Prevention displays the appropriate incident list or summary report.
3. Browse through the incident list or summary report.
Viewing Incidents
About summary reports
Creating dashboard reports
You can create custom dashboards and reports.
If you are logged on as a user other than the administrator, Symantec Data Loss Prevention lets you choose whether to
share your dashboard or keep it private.
To create a dashboard
1. In the Enforce Server administration console, on the Incidents menu, click Incident Reports.
2. On the Incident Reports screen that appears, click Create Dashboard.
The Configure Dashboard screen appears.
3. Choose whether to share your dashboard or keep it private.
If you choose to share a dashboard, the dashboard is accessible to all users assigned the role under which you create
it.
If you are logged on as Administrator, you do not see this choice.
NOTE
Symantec Data Loss Prevention automatically designates all dashboards that the administrator creates as
private.
Click Next.
4. In the General section, for Name, type a name for the dashboard.
5. For Description, type an optional description for the dashboard.
6. In the Delivery Schedule section, you can regenerate and send the dashboard report to specified email accounts.
If SMTP is not set up on your Enforce Server, you do not see the Delivery Schedule section.
If you have configured your system to send alerts and reports, you can set a time to regenerate and send the
dashboard report to specified email accounts.
If you have not configured Symantec Data Loss Prevention to send reports, skip to the next step.
To set a schedule, locate the Delivery Schedule section and select an option from the Schedule drop-down list. (You
can alternatively select No Schedule.)
For example, select Send Weekly On.
Enter the data that is required for your Schedule choice. Required information includes one or more email addresses
(separated by commas). It may also include calendar date, time of day, day of the week, day of the month, or last date
to send.
Delivery schedule options for dashboard reports
7. For the Left Column, you can choose what to display in a pie chart or graph. For the Right Column, you can also
display a table of the information.
Choosing reports to include in a dashboard
Select a report from as many as three of the Left Column (Chart Only) drop-down lists. Then select a report from as
many as three of the Right Column (Chart and Table) drop-down lists.
8. Click Save.
9. You can edit the dashboard later from the Edit Report Preferences screen.
To display a custom dashboard at logon, specify it as the default logon report on the Edit Report Preferences screen.
Editing custom dashboards and reports
If you have not configured Symantec Data Loss Prevention to send reports, skip to the next step.
To set a schedule, locate the Delivery Schedule section and select an option from the Schedule drop-down list. (You
can alternatively select No Schedule.)
For example, select Send Weekly On.
Enter the data that is required for your Schedule choice. Required information includes one or more email addresses
(separated by commas). It may also include calendar date, time of day, day of the week, day of the month, or last date
to send.
Delivery schedule options for dashboard reports
4. For the Left Column, you can choose what to display in a pie chart or graph. For the Right Column, you can also
display a table of the information.
Choosing reports to include in a dashboard
Select a report from as many as three of the Left Column (Chart Only) drop-down lists. Then select a report from as
many as three of the Right Column (Chart and Table) drop-down lists.
5. Click Save.
6. You can edit the dashboard later from the Edit Report Preferences screen.
To display a custom dashboard at logon, specify it as the default logon report on the Edit Report Preferences screen.
Editing custom dashboards and reports
Choosing reports to include in a dashboard
Dashboards have two columns of report portlets.
Portlets in the left column display a pie chart or graph.
Portlets in the right column display the same information as those in the left. They also display either a list of the most
significant incidents or a summary. Incidents are ranked by severity and match count. You can display a list of summary
criteria and associated incidents that highlight any high-severity incident totals.
You can choose up to three reports to include in the left column, and up to three reports to include in the right column.
To choose reports to include
1. Choose a report from as many as three of the Left Column (Chart Only) drop-down lists.
2. Choose a report from as many as three of the Right Column (Chart and Table) drop-down lists.
3. After you configure the dashboard, click Save.
2. Optionally, you can sort the report alphanumerically by a particular column's data. To do so, click the desired column
heading. To sort in reverse order, click the column heading a second time.
3. To identify areas of potential risk, click the High column heading to display summary entries by number of high-severity
incidents.
4. Click an entry to see a list of associated incidents. In any of the severity columns, you can click the total to see a list of
incidents of the chosen severity.
Viewing Incidents
You can view and run custom reports for reports created by users who have any of the roles that are assigned to you. You
can only edit or delete the custom reports that are associated with the current role. The only custom reports visible to the
Administrator are the reports that the Administrator user created.
A set of tables lists all the options available for filtering and summarizing reports.
About summary reports
Summary options for incident reports
General filters for reports
Advanced filter options for reports
Create Dashboard: Lets you create a custom dashboard that displays summary data from several reports you specify.
For users other than the Administrator, this option leads to the Configure Dashboard screen, where you specify whether
the dashboard is private or shared. All Administrator dashboards are private.
Creating dashboard reports
Saved (custom) reports associated with your role appear near the top of the screen.
The following options are available for your current role's custom reports:
Click this icon next to a report to display the save report or configure dashboard screen. You can change the name,
description, or schedule, or (for dashboards only) change the reports to include.
Saving custom incident reports
Configuring dashboard reports
Click this icon next to a report to display the screen to change the scheduling of this report. If this icon does not
display, then this report is not currently scheduled.
Saving custom incident reports
Click this icon next to a report to delete that report. A dialog prompts you to confirm the deletion. When you delete a
report, you cannot retrieve it. Make sure that no other role members need the report before you delete it.
NOTE
• For All Reports, Network, and Endpoint reports, the default filters are Severity, Status, and Date.
• For Discover reports, the default filters are Severity, Status, Detection Date, Scan, and Target ID.
• For Cloud Applications and API Appliance reports, the default filters are Severity, Status, Date,
Application Name, and Data Type.
1. Go to Incidents > All Channels in the Enforce Server administration console.
In the Filter By area, Quick Filters are displayed. Options for Advanced filters are also displayed.
2. Choose a Type.
If you don't choose a Type, incidents from all types are displayed. You can choose from Network, Endpoint,
Discover, or Cloud Applications and API Appliance.
3. Choose a Severity.
You can choose any combination of High, Medium, Low, and Info severities.
4. Choose a Status.
For example, in the Status filter area, select Equals or Is Any Of or Is None Of and New.
5. Click Apply to update the list or report.
6. Click the disk icon in the upper left to save the report.
7. Click Clear all at the top right to clear all the filters that you have created.
Saving custom incident reports
system, shared reports remain in the system. Shared reports are associated with the role, not with any specific user
account. If you do not share a report, you are the only user who can access it. If your account is deleted from the
system, your private reports are deleted as well. If you log on with a different role, the report is visible on the All
Reports screen, but not accessible to you.
5. Click Save As.
5. After sending the report, you can change an incident's status to any of the valid values. Select a status value from the
drop-down list.
6. You can also enter new values for any custom attributes.
These attributes must be already set up.
About incident status attributes
7. Select one of the custom attributes from the drop-down list.
8. Click Add.
9. In the text box, enter the new value for this custom attribute.
After sending the report, the selected custom attributes set the new values for those incidents that were sent in the
report.
10. Click Next.
11. Enter the name and description of the saved report.
12. Click Save.
Hourly: Select Hourly to schedule the report to be run by the hour, and then specify the following details for that report:
• Every (x hours)
Select the time that you want to generate the report.
• Until
Click the date widget and enter the date that you want to stop generating reports. Click Indefinitely to let the
report run indefinitely.
Daily: Select Daily to schedule the report to run every day. Then specify the following details for that report:
• Time
Select the time that you want to generate the report.
• Until
Enter the date that you want to stop generating daily reports. Click the date widget and select a date, or select
Indefinitely.
Weekly: Select Weekly on to schedule the report to be run every week, and then specify the following details for that
report:
• Time
Select the time that you want to generate the report.
• Days of Week
Check one or more check boxes to indicate the days of the week on which you want to generate the report.
• Until
Enter the date that you want to stop generating weekly reports. Click the date widget and select a date, or select
Indefinitely.
Monthly: Select Monthly to schedule the report to run every month. Then specify the following details for that report:
• Time
Select the time that you want to generate the report.
• Day of Month
Enter the date that you want to generate the report each month.
• Until
Enter the date that you want to stop generating monthly reports. Click the date widget and select a date, or
select Indefinitely.
Custom: Select Custom to schedule the report to run on a custom schedule. Specify the following details for that report:
• Every
Select the interval, in hours or minutes, at which you want to generate the report.
• Until
Click the date widget and enter the date that you want to stop generating reports. Click Indefinitely to let the
report run indefinitely.
The following table describes the additional fields available for each option on the list.
1. Click the date widget.
2. Click the left arrow or the right arrow on either side of the month to change the month.
3. Click the left arrow or the right arrow on either side of the year to change the year.
4. Click the desired date on the calendar.
Exported fields for Network Discover
Printing incident reports
Sending incident reports by email
Type: Target type (for example file system, Lotus Notes, or SQL Database).
Message Status: Status of this incident message.
Severity: Severity of this incident (High, Medium, or Low).
Detection Date: Date that an incident was detected.
Seen Before: Was this incident previously seen? The value is Yes or No.
Subject: Email subject for integrated Exchange scans.
Sender: Email sender for integrated Exchange scans.
Recipient: Email recipient for integrated Exchange scans.
ID: Unique identifier for this incident.
Policy: Name of the policy that triggered this incident.
Matches: The number of times that this item matches the detection parameters of a policy rule.
Location: Location (path) of this item.
Status: Status of this incident (New, Escalated, Dismissed, or Closed).
Target: Name of the scan target.
Scan: Date and time when the file was scanned.
File Owner: Owner of the file.
Last Modified Date: Date and time when the item was last modified.
File Create Date: Date and time when the item was created.
Last Access Date: Date and time when the item was last accessed (not shown for NFS targets).
Data Owner Name: The person responsible for remediating the incident. This field must be set manually, or with one of
the lookup plug-ins. Reports can automatically be sent to the data owner for remediation.
Data Owner Email: The email address of the person responsible for remediating the incident. This field must be set
manually, or with one of the lookup plug-ins.
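As an added example, not code from the product or its documentation, the following Python script works on an incident export that uses the exported field names listed above: it builds a Policy Summary of the kind described earlier (one entry per policy with a total and per-severity counts, ordered by the High column), applies a Detection Date range like the Date: Custom filter used for automatic deletion flagging, and lists incidents whose Data Owner Email is still unset. The CSV layout, the ISO date format, and the sample rows are assumptions constructed for this example.

```python
"""Offline summary of a DLP incident export (added example; not product code).

Assumptions: the export is a CSV whose header row uses the exported field
names listed above (ID, Policy, Severity, Status, Detection Date, Target,
Location, Data Owner Email). The column layout, the YYYY-MM-DD date format
and the sample rows are constructed for this example, not real incident data.
"""
import csv
import io
from datetime import date, datetime

SEVERITIES = ("High", "Medium", "Low")

# Constructed sample export (five fictitious incidents, two without a data owner).
SAMPLE_EXPORT = r"""ID,Policy,Severity,Status,Detection Date,Target,Location,Data Owner Email
1001,PCI,High,New,2016-03-14,FileShare-A,\\srv\finance\cards.xlsx,owner1@example.invalid
1002,PCI,Low,Closed,2016-07-02,FileShare-A,\\srv\finance\old.csv,
1003,PII,Medium,Escalated,2016-11-30,FileShare-B,\\srv\hr\list.docx,owner2@example.invalid
1004,PII,High,New,2017-02-09,FileShare-B,\\srv\hr\export.txt,
1005,PCI,High,Dismissed,2015-12-31,FileShare-A,\\srv\finance\notes.txt,owner1@example.invalid
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by the exported field names."""
    return list(csv.DictReader(io.StringIO(text)))


def policy_summary(rows):
    """Build a Policy Summary: one entry per policy holding the total incident
    count and the count for each severity, mirroring the summary report rows."""
    summary = {}
    for row in rows:
        entry = summary.setdefault(
            row["Policy"], {"total": 0, **{sev: 0 for sev in SEVERITIES}}
        )
        entry["total"] += 1
        if row["Severity"] in SEVERITIES:
            entry[row["Severity"]] += 1
    return summary


def policies_by_high(summary):
    """Order policy names by their High-severity total, descending (ties by
    name), the same view you get by clicking the High column heading."""
    return sorted(summary, key=lambda name: (-summary[name]["High"], name))


def in_detection_range(rows, start, end):
    """Return the rows whose Detection Date lies in [start, end], inclusive,
    like the Date: Custom filter with a start and end date."""
    selected = []
    for row in rows:
        detected = datetime.strptime(row["Detection Date"], "%Y-%m-%d").date()
        if start <= detected <= end:
            selected.append(row)
    return selected


def missing_data_owner(rows):
    """IDs of incidents whose Data Owner Email is empty; these cannot be routed
    to a data owner for remediation until the field is set manually or by a
    lookup plug-in."""
    return [row["ID"] for row in rows if not row["Data Owner Email"].strip()]


if __name__ == "__main__":
    incidents = parse_export(SAMPLE_EXPORT)
    summary = policy_summary(incidents)
    for name in policies_by_high(summary):
        counts = summary[name]
        print(f"{name}: total={counts['total']} "
              + " ".join(f"{sev}={counts[sev]}" for sev in SEVERITIES))
    window = in_detection_range(incidents, date(2016, 1, 1), date(2017, 1, 1))
    print("Detected in 2016 window:", [row["ID"] for row in window])
    print("No data owner set:", missing_data_owner(incidents))
```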
Deleting incidents
Incident reporting performance often deteriorates when the number of incidents in your system exceeds one million
(1,000,000). Symantec recommends keeping your incident count below this threshold by deleting incidents to maintain
good system performance.
Incident deletion is permanent: you can delete incidents, but you cannot recover the incidents that you have deleted.
Symantec Data Loss Prevention offers options for deleting only certain parts of the data that triggered the incident.
After you have marked incidents for deletion, you can view, configure, run, and troubleshoot the incident deletion process
from the Enforce Server administration console. You can mark incidents for deletion manually or automatically.
About automatically flagging incidents for deletion
You can also delete hidden incidents.
NOTE
Proceed with caution. Once you click Delete, the operation cannot be reversed.
1. On an Incident report screen, select the incident or incidents you want to delete, then click More > Delete Incidents.
2. On the Delete Incidents popup, select from the following deletion options:
Delete incident completely: Permanently deletes the incident and all associated data (for example, any emails and
attachments). You cannot recover the incidents that have been deleted.
Retain incident, but Delete Original Message/Attachment(s)/File(s): Retains the actual incident but discards the
Symantec Data Loss Prevention copy of the data that triggered the incident. You have the option of deleting only certain
parts of the associated data. The rest of the data is preserved.
Delete Original Message (applies to Network incidents only). Deletes the message content (for example, the email
message or HTML post).
Delete Attachments/Files: This option refers to files (for Endpoint and Discover incidents) or email or posting
attachments (for Network incidents). The options are:
• All - Deletes all attachments. Choose this option to delete all files (for Endpoint and Discover incidents) or email
attachments (for Network incidents). Attachments and files are added to the incident deletion queue after their
associated incidents have been deleted.
• Attachments/Files with no violations - This option deletes only those attachments in which Symantec Data Loss
Prevention found no matches. Choose this option when you have incidents with individual files that are taken from a
compressed file (Endpoint and Discover incidents) or several email attachments (Network incidents).
By default, the incident deletion job runs nightly at 11:59 P.M. in the Enforce Server's local time zone. When the job runs,
it also creates an event on the System > Servers and Detectors > Events screen. This event is created whether or not
any incidents are actually deleted.
NOTE
The incident deletion job schedule is reset to the default value during the upgrade process. If you are using a
custom incident deletion job schedule, reconfigure the schedule after the upgrade process is complete.
6. Save and close the manager.properties file, then restart the Symantec DLP Manager service.
About creating incident reports for automatic incident deletion flagging
You create custom reports that include your criteria for automatic incident deletion flagging on the Incidents page for each
specific incident type. Symantec recommends that you use single-summary reports only for incident deletion flagging.
About custom reports and dashboards
Saving custom incident reports
The most useful system report to start from when creating custom incident reports for incident deletion flagging is the
Incidents > incident type > Incidents - All report. This system report includes all incidents present in your system for a
given incident type.
The following procedure gives an example for flagging Network incidents created between 1 January 2016 and 1 January
2017 for deletion. This is a simple example that only involves filtering the list of all Network incidents by a range of dates.
No additional filters or summarization are applied in this example.
To create a report to filter Network incidents within a range of dates
1. In the Enforce Server administration console, navigate to Incidents > Network > Incidents - All.
2. In the Filter section, select Status: Equals All.
3. In the Date section, select Custom, then enter a start date of 1/1/16 and an end date of 1/1/17.
4. Click Apply.
5. Click Save > Save As.
6. Enter a name for and description of your report in the Save Report As dialog box, then click Save.
You can now view your custom report on the Incidents > All Reports page, and you can select it when you configure
your automatic incident deletion flagging job.
You can use Advanced Filters & Summarization to further refine your reports.
If you have hidden incidents from reports, those incidents will not be deleted even if they meet the criteria you select. You
must unhide those incidents you wish to automatically flag for deletion.
Unhiding hidden incidents
Filtering reports
1. In the Enforce Server administration console, navigate to the System > Incident Deleter > Flag Incidents for
Deletion page.
2. Click Configure.
3. On the configuration page, select the report or reports that include the incidents you want to flag for incident deletion.
You can select one report per incident type. You cannot select system reports for incident deletion flagging.
4. Set a schedule for your incident deletion flagging jobs. You can schedule incident deletion flagging jobs to run at a
specific time once, every day, every week, or every month. You can also select No Regular Schedule if you prefer to
schedule your incident deletion jobs manually.
There are two considerations to keep in mind when scheduling incident deletion flagging jobs:
• The incident deletion flagging jobs should run to completion before your scheduled incident deletion jobs.
• The incident deletion flagging jobs should run at a time when Symantec Data Loss Prevention is not running any
other jobs.
5. Click Save.
Timestamp- Thread: 111 INFO
[com.vontu.manager]
Incident deletion flagging process ended.
Page navigation in incident reports
All reports except executive summaries include page navigation options. Symantec Data Loss Prevention displays the
number of currently visible incidents out of total report incidents (for example, 1-19 of 19 or 1-50 of 315).
Reports with more than 50 incidents have the following options:
Status: Select Equals, Is Any Of, or Is None Of. Then select status values. Hold down Ctrl and click to select more than
one separate status value. Hold down Shift and click to select a range.
Date: Use the drop-down menu to select a date range, such as Last Week or Last Month. The Network and Endpoint
reports default is All Dates.
Severity: Check the boxes to select the severity values.
Scan (Discover reports): For Discover reports, select the scan to report. You can select the most recent scan, the initial
scan, or a scan in progress. All Scans is the default.
Target ID: For Discover reports, select the name of the target to report. All Targets is the default.
Click the Advanced Filters & Summarization bar to expand the section with filter and summary options.
Click Add Filter to add an advanced filter.
Select a primary and optional secondary option for summarization. A single-summary report is organized with a single
summary criterion, such as the policy that is associated with each incident. A double-summary report is organized with
two criteria, such as policy and incident status.
NOTE
If you select a condition where the content is matched in the text field, your entire entry must match exactly. For
example, if you enter "apples and oranges", that exact text must appear in the specified component for it to be
considered a match. The sentence "Bring me the apples and the oranges" is not considered a match.
For a complete list of the report filter and summary options, see the Symantec Data Loss Prevention Help Center.
Common incident report features
To send a report
1. Click Incidents, and select a type of report.
2. Navigate to the report that you want to export. Filter or summarize the incidents in the report, as desired.
Common incident report features
3. Click Send in the upper right corner.
Alternatively, you can use the Send menu (above the filters).
Saving custom incident reports
4. In the Send Report dialog box, specify the following options:
Network Incident Snapshots
Endpoint incident snapshot
Matches are highlighted in yellow. This section shows the match total and displays the matches in the order in which they
appear in the original content. To view the rule that triggered a match, click on the highlighted match.
Name Permission
The ACL contains a new line for each permission granted. The ACL only contains one line for User 2 because User 2 only
has one permission, to read the file. User 2 cannot make any changes to the file. User 1 has two entries because User 1
has two permissions: reading the file and editing it.
You can view ACL information only on Discover and Endpoint local drive incident snapshots. You cannot view ACL
information on any other type of incidents.
The Access Information section appears on the Key Info tab of the incident snapshot.
These filters let you see the incidents and incident data in different ways.
The set of filters applies separately to Network, Endpoint, and Storage events.
The filters and summary options are in the following sections:
General filters: The general filter options are the most commonly used. They are always visible in the incident list report.
See General filters for reports.
Advanced filters: The advanced filters provide many additional filter options. You must click the Advanced Filters &
Summarization bar, and then click Add Filter to view these filter options. See Advanced filter options for reports.
Summary options: The summary options provide ways to summarize the incidents in the list. You must click the
Advanced Filters & Summarization bar to view these summary options. See Summary options for incident reports.
Symantec Data Loss Prevention contains many standard reports. You can also create custom reports or save report
summary and filter options for reuse.
About Symantec Data Loss Prevention reports
Name Description
Equals The status is equal to the field that is selected in the next drop-down.
Is Any Of The status can be any of the fields that are selected in the next drop-down. Shift-click to select
multiple fields.
Is None Of The status is none of the fields that are selected in the next drop-down. Shift-click to select
multiple fields.
Table 855: General filters by date for Network and Endpoint incidents lists the general filter options by date.
These date filters are available for Network and Endpoint incidents.
Table 855: General filters by date for Network and Endpoint incidents
Name Description